
Configuring Kerio Control VPN Client

Kerio Control VPN Client overview

Kerio Control VPN Client is an application which enables connection from individual hosts (clients) to a remote private network via the Internet using an encrypted channel. These clients can access the private networks as if they were connected to them physically.

Kerio Control VPN Client exists in three variants:

  • Kerio Control VPN Client for Windows

  • Kerio Control VPN Client for Mac

  • Kerio Control VPN Client for Linux (read more in the readme file)

Kerio Control VPN Client connects to the VPN server in Kerio Control. Kerio Control user accounts are used to authenticate clients.

Configuration is saved in the home folder of the user currently using the Kerio Control VPN Client. Each user of a host where Kerio Control VPN Client is installed can use a personal VPN connection.

Users with administrator rights can also establish so-called persistent connections. Such connections are automatically restored after each workstation reboot.

System requirements

For up-to-date system requirements, please refer to:
http://www.kerio.com/control/technical-specifications

Licensing Policy

The Kerio Control VPN Client does not require any special license.

However, connected VPN clients are included in the total count of users (computers) during license checks in Kerio Control. This means that the minimum number of licensed Kerio Control users needed for a particular server is the sum of the hosts in the LAN and the number of VPN clients connected to the server at the same moment.

Connecting to Kerio VPN Server

  1. First, configure the Kerio VPN server in Kerio Control.

  2. Install Kerio Control VPN Client on users' computers.

    For Kerio Control 8.5.0 and higher: Kerio Control VPN Client for Mac uses a PackageMaker installer, and you can deploy it to users' computers silently through Apple Remote Desktop or a similar application.

    Kerio Control VPN Client is started automatically upon user logon.

  3. Tell your users the login details:

    • username and password for login to Kerio Control

    • Kerio Control hostname (or IP address)

  4. Check Persistent connection if your users have administrator rights for the client host.

    In persistent mode, once a user establishes a VPN connection, the connection is kept persistently. This feature makes it possible, for example, to connect the user to a domain in the remote private network.

Windows: If Kerio Control VPN Client is running, an icon displaying its current status is available in the notification area of the Windows taskbar (Systray).

Mac: If Kerio Control VPN Client is running, a status icon is displayed on the right side of the main menu bar.

Multiple endpoints can be defined to configure VPN failover in case the Kerio Control VPN server is load balancing with multiple Internet links. To separate entries, use a semicolon (for example, primary.example.com;secondary.example.com).

Removing connections

If you want to remove old or broken connections:

  1. Open Kerio Control VPN Client.

  2. In the Connection menu, select the connection.

  3. Click the Remove button on Mac.

    Click the Image icon on Windows.

  4. Kerio Control VPN Client asks you whether you want to remove the selected connection.

  5. Click Yes.

Kerio Control VPN Client removes your connection.

Configuring Kerio Control VPN Client (for Windows only)

You can configure:

  • localization (language) of Kerio Control VPN Client

  • balloon messages settings

  1. In the notification area of the Windows taskbar (Systray), go to Kerio Control VPN Client context menu.

  2. Click Settings.

When a language is changed, the user interface is switched to the language version immediately.

Enable balloon messages enables/disables informative balloon messages at the Kerio Control VPN Client icon located in the system notification area. These messages are optional and depend on user preferences.

Verification of the VPN server's SSL Certificate on Windows

Whenever a connection is being established, Kerio Control VPN Client performs verification of the VPN server's SSL certificate. If any certificate-related problems are detected, a warning appears inquiring whether the user finds the VPN server trustworthy and whether the connection to the server should be allowed.

If Yes is clicked, Kerio Control VPN Client considers the VPN server as trustworthy. The certificate is saved and no warning is displayed upon subsequent connections to the server.

Common certificate-related problems and their solutions

Certificate-related problems are often caused by one of the following issues:

The certificate was issued by an untrustworthy authority

Kerio Control VPN Client verifies whether a certificate was issued by an authority included in the list of trustworthy certificate publishers stored in the operating system (the Certificates section of the Content tab under Control Panel / Internet Options). Once a certificate is imported, any certificates issued by the same authority will be accepted automatically (unless any problem is detected).

The name referred to in the certificate does not match the server's name

The server name specified in the certificate does not correspond to the name of the server that Kerio Control VPN Client is connecting to. This problem might occur when the server uses an invalid certificate or when the server name has changed. However, it may also point to an intrusion attempt (a false DNS record with an invalid IP address is used).

Note: Certificates can be issued only for servers' DNS names, not for IP addresses.

Date of the certificate is not valid

For security reasons, validity of SSL certificates is limited by time. If an invalid date is reported, it means that the certificate's validity has already expired and it is necessary to update it. Contact the VPN server's administrator.

The security certificate has changed since the last check

When a user accepts a connection to a VPN server, Kerio Control VPN Client saves the certificate of the server as trustworthy. For any later connections, Kerio Control VPN Client compares the server's certificate with the saved one. If the certificates do not correspond, the certificate may have been changed at the server (e.g. because the original certificate expired). However, this might also point to an intrusion attempt (another server using a different certificate).
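The following added example (not Kerio code and not part of the original article) sketches three of the checks described above: name mismatch, validity dates, and comparison with the certificate saved on first acceptance. The function names, the fingerprint-based comparison and the sample data are assumptions made for illustration; verification of the issuing authority is not covered.

```python
import hashlib
import ipaddress
import ssl

def fingerprint(der: bytes) -> str:
    """SHA-256 of the DER encoding, used here as the saved reference for a server."""
    return hashlib.sha256(der).hexdigest()

def name_matches(host: str, cert: dict) -> bool:
    """Match host against the certificate's DNS names (one leading '*' label allowed)."""
    try:
        ipaddress.ip_address(host)
        return False  # certificates name DNS hosts, so an IP literal never matches
    except ValueError:
        pass
    host = host.lower().rstrip(".")
    parent = host.split(".", 1)[1] if "." in host else None
    for kind, value in cert.get("subjectAltName", ()):
        name = value.lower()
        if kind == "DNS" and (name == host or (name.startswith("*.") and name[2:] == parent)):
            return True
    return False

def check_server_cert(host, cert, der, saved, now):
    """Return the problems that would trigger the warning; [] means connect silently."""
    problems = []
    if not name_matches(host, cert):
        problems.append("name-mismatch")
    start = ssl.cert_time_to_seconds(cert["notBefore"])
    end = ssl.cert_time_to_seconds(cert["notAfter"])
    if not start <= now <= end:
        problems.append("date-invalid")
    if host in saved and saved[host] != fingerprint(der):
        problems.append("changed-since-last-check")
    return problems

# Constructed sample data, not taken from a real server. CERT has the shape returned by
# ssl.SSLSocket.getpeercert(); the DER values are stand-ins for raw certificate bytes.
CERT = {"subjectAltName": (("DNS", "vpn.example.com"),),
        "notBefore": "Jan  1 00:00:00 2024 GMT",
        "notAfter": "Jan  1 00:00:00 2025 GMT"}
DER_SAVED, DER_PRESENTED = b"constructed-der-v1", b"constructed-der-v2"
SAVED = {"vpn.example.com": fingerprint(DER_SAVED)}
NOW = ssl.cert_time_to_seconds("Jun  1 00:00:00 2024 GMT")

if __name__ == "__main__":
    print(check_server_cert("vpn.example.com", CERT, DER_PRESENTED, SAVED, NOW))
```

A "changed-since-last-check" result on its own cannot distinguish a routine certificate renewal from a different server answering under the same name, which is why the new certificate should be confirmed with the VPN server's administrator before it is accepted.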

Verification of the VPN server's SSL Certificate on Mac

Whenever a connection is being established, Kerio Control VPN Client performs verification of the VPN server's SSL certificate. If any certificate-related problems are detected, a warning appears inquiring whether the user finds the VPN server trustworthy and whether the connection to the server should be allowed.

A dialog informing about detected problems with the VPN server's certificate

Click on the Details option to get detailed information about the VPN server's certificate (issuer, server for which it was issued, expiration date, etc.). If it is a certificate for Kerio Control, check Always trust and click Continue. The certificate will be saved in the system Keychain and from now on, no warning will be displayed.

Note: On Mac OS X 10.5 Leopard and higher, it is not allowed to set a self-signed certificate as always trusted. To work around this restriction and set the certificate as always trusted anyway, it is necessary to insert the certificate in the keychain manually.

Setting a certificate as always trusted

Because a self-signed certificate cannot be set as always trusted in the warning dialog, insert it in the keychain manually:

  1. In the window warning you that the certificate is not trustworthy (see figure A dialog informing about detected problems with the VPN server's certificate), click on the certificate image and drag it to the desktop. This creates a file with the certificate on the desktop (e.g. server.example.com.cer).

    The Keychain Access application must NOT be running at the moment. If it is running, close it.

  2. Clicking on the certificate file on the desktop runs the Keychain Access application and displays a dialog asking for specification of the keychain to save the certificate in.

    Saving certificates in keychain

  3. Select the X509Anchors keychain. This keychain contains certificates that are allowed to sign other certificates (these are typically certificates of certification authorities).

    To add a certificate successfully, authentication with an administrator account is required.

  4. In the Keychain Access application, select the X509Anchors keychain, look up the new certificate (e.g. server.example.com) and click on it to open it.

  5. In the certificate window, scroll to the bottom, open the Trust Settings section and set the Always Trust option for the When using this certificate entry.

    Certificate properties — setting a certificate as trusted

  6. Close all running applications and log out of the system.

  7. Reboot the system and try to establish a VPN connection to the particular server. From now on, no untrustworthy certificate warning should be displayed.

Troubleshooting

The Kerio Control VPN Client generates logs including information about its own activity and detected errors. The system service and the application's user interface work separately. Therefore, separate logs are generated for each of these components. Log files can be used for troubleshooting when communicating with the Kerio Technologies technical support department (the system service logs in particular are critical and can be extremely helpful).

The system service logs

Logs of the Kerio VPN Client Service can be found in the logs subfolder of the folder where the Kerio Control VPN Client is installed. The following paths are used by default:
Windows: C:\Program Files\Kerio\VPN Client\logs

Mac: /usr/local/kerio/vpnclient/logs

Linux: /var/lib/kerio-control-vpn/logs

Two log files are available here:

  • error.log — critical errors, such as information that the Kerio VPN Client Service failed to start, that the VPN server is not available, that user authentication failed, etc.

  • debug.log — detailed information on activities of the system service and detected errors.

The user interface logs

Logs of the user interface on Windows are stored in the corresponding folder of the user account of the user working with Kerio Control VPN Client. By default, the following path is used:

Application Data\Kerio\VPNClient\logs

Logs of the user interface on Mac are stored in the corresponding hidden subfolder of the home folder of the user working with the Kerio Control VPN Client, namely:
~/.kerio/vpnclient/logs

As with the system service, two log files are available:

  • error.log — critical errors, such as information that it is not possible to establish connection to Kerio VPN Client Service.

  • debug.log — detailed information on activities of the application and detected errors.

