Troubleshooting Kerio Control installation


2012/10/13

If you have set up any firewall, even if it was only a simple home appliance, you are unlikely to experience any difficulties with the initial setup of Kerio Control. Of course you need to know your basic network configuration, but the setup wizard will ask you for that and do the necessary work.

But what if things are not working?

My first rule is to not get ahead of yourself. Before you start adding rules for special cases, let's just verify the basics.

First, you should have let the wizard configure basic traffic rules. If you didn't, you really should start there. With proper WAN address, mask, DNS and gateway, you should have Internet access. DON'T DO ANYTHING ELSE. You don't need any static routes, you don't need any more rules, nothing else needs to be turned on or configured. You should have Internet access right now.

If you did rush ahead and add other rules, I suggest you remove them. You can save the current configuration by exporting it if you feel that's necessary. Or, just take a screenshot before you re-run the traffic rules wizard.

Traffic rules wizard

You should now have at least outbound Internet access. No? Change the DNS to use Google at 8.8.8.8. Do you have it now?

If you are stuck here, and are sure of your addresses, it's probably MAC address caching or specifically expected MAC at your ISP connection. Maybe power cycling their equipment will fix it; call them if it does not.

If you have access, that's great, but let's just be sure. Google for "what's my IP" and Google will tell you your IP. Does it match the WAN address you put on the firewall? If it doesn't, your machine is not going out through this firewall - did you leave the old one in place and are trying to take one of your public IP's to this one? Or is it an unexpected address? Maybe you set the WAN for DHCP and should not have?

Test VPN Access

If you didn't tell the wizard to configure VPN access, run it again and do it now. I want you to do this because it is an easy test of inward connectivity. Kerio VPN clients are free and available for Windows, Mac and Debian and Ubuntu Linux. They are simple to install and configure - you could call an 8 year old at home and have them do the test (or, if you are one of my customers, call me).

The other reason I want you to configure VPN access is that this may allow you to skip configuring some inbound rules. For example, if the only people with RDP access are employees, give them VPN access and they can go directly to the internal machines - no port forwarding needed, and the machines are protected from random password guessing attempts.

So, turn on the VPN rule and enable the VPN access if it isn't already:

VPN rule must be present and enabled.

VPN server must be enabled.

The address you use for the VPN server network (172.27.4.0 in the picture above) must be in the private IP ranges and cannot be the same as your internal LAN.

If you are not using the Admin account for this test, be sure that you have given the user the right to use the VPN. You'll need to say that this user uses a separate configuration:

Separate configuration
Set VPN access right

See I can't connect to the VPN Server with my VPN Client! and Kerio VPN Client manual if you are still having trouble.

More rules

Once you have this much done and working, export your configuration as a safe starting point and begin to add your other rules. I doubt that you'll ever need that "safe" configuration, but it is comforting to have it and it gives you freedom to muck around and test things without fear.

A common need is to allow access to certain ports from the outside world. For example, you may have an internal mailserver or need to allow ssh access to some machine. This is very easy to do, but let's observe one basic protocol always:

Unless and until you really feel comfortable with the firewall, all you new rules should go ABOVE the rules that the traffic policy wizard created. Note that I've added two port forwarding rules here:

Traffic rules

Why above? Because rules testing starts at the top and goes down. When a rule matches, testing stops there. If we allow port 25 traffic as I have above in that first rule, no other rules are looked at when a port 25 packet arrives. If I had put that rule at the bottom, the packet would have run into the "Block other traffic" rule first and would have been stopped there. Keep these things in mind:

  • Rules are examined top to bottom
  • If a packet matches an Allow OR a Deny rule, that's where it either stops or is let through.
  • If it does not match, the next rule is examined on so on until the "Block other traffic" rule is reached at the bottom.

So, we've added two port forwarding rules. The SMTP and HTTPS rule allows any address to pass through, but the ssh rule only allows certain addresses; specifically my machine and anyone connected by VPN. The "MAP 10.11.55.98" comes from this dialog:

Setting DNAT (port mapping)

Note that this is Destination NAT (DNAT), not Source NAT. Almost always, that's what you want, but see Kerio Operator in a separate subnet behind Control Firewall for an example where Source NAT is needed.

Other configuration and rule examples can be found at the Kerio Control Step-by-Step Guide and in the Kerio Control Administrator's Guide. If you are a current customer or have registered a demo trial, I and Kerio Support can also assist you.

If that's not working for you and this firewall has replaced another, it could be MAC caching at the destination machine. Reboot it or flush its ARP cache. Note also that the destination machine needs to be able to (and know how to) send packets back to the Kerio Control firewall!

Authentication to a Domain

There are a few things that can go wrong here. When you test, you may see a "Connection error" and find the following in your logs:

[11/Dec/2013 08:16:56] (-11) Active Directory/LDAP error: domain.local: Connect error
 

In one case, I found that Connect was seeing the wrong server - you can specify which server it should look at.

Having the time off ("time skew" error in logs) will cause the test to work but authentication will still fail.

Was this just a test?

If you were just testing a demo version, you'll be happy to know that you can save your work and transfer it to a licensed firewall (even one of the Control boxes) should you decide to buy: Can I transfer my configuration?.


The configuration can be transferred between any type of Kerio Control installation (e.g. Windows -> Software Appliance). The process is simple, involving the configuration import/export wizard. Note that logs and the StaR database cannot be transferred.

If you are ready to buy, I can help you with that also: I offer competitive pricing and complete support. Call or write for more information.



Got something to add? Send me email.





(OLDER) <- More Stuff -> (NEWER)    (NEWEST)   

Printer Friendly Version

-> -> Troubleshooting Kerio Control installation




Increase ad revenue 50-250% with Ezoic


More Articles by

Find me on Google+

© Anthony Lawrence



Kerio Connect Mailserver

Kerio Samepage

Kerio Control Firewall

Have you tried Searching this site?

Unix/Linux/Mac OS X support by phone, email or on-site: Support Rates

This is a Unix/Linux resource website. It contains technical articles about Unix, Linux and general computing related subjects, opinion, news, help files, how-to's, tutorials and more.

Contact us