How Kerio Control firewall consumes user licenses has been a source of some confusion. I hope to help make it a bit more clear here.
First, let's look at what Kerio says. This is from the Kerio Control Administrators Guide:
Kerio Control 7 uses a new system of Internet access monitoring,
better corresponding to the product's licensing and usage
policy. Kerio Technologies licenses this software as a server with
the Admin account and 5 user accounts in the basic license. Users
can be added in packages of five users.
User is defined as a person who is permitted to connect to Kerio
Control and its services. Each user can connect from up to five
different devices represented by IP addresses, including VPN clients.
If any user tries to connect from more than five devices at a time,
another user license is used for this purpose. Although the product
formerly did not limit number of connected users, it used to consider
each IP address connected to the server as one user which might
have caused situations where one user used up available licenses
even by connecting from two devices at a time.
Kerio Control does not limit number of defined user accounts (see
chapter 18, User Accounts and Groups). However, if the maximal
number of currently authenticated users is reached, no other user
However, their Licensing and Software Maintenance FAQ says something slightly different:
A user is an account with login access to Kerio Control and its
services. An individual user can connect from as many as 5 devices
represented by an IP address, including VPN clients, mobile devices,
IP phones, desktop computers, etc.
If an individual user needs to connect from more than 5 devices, an
additional user license will be required to support the additional
To ensure all users are able to access the network securely and be
adequately protected, it is required that a license be purchased
for each user that will need to login to Kerio Control, including
guests to the network. The admin account does not count as a user.
Defined or not defined
The difference is in how a user is defined:
 - "an account with login access to Kerio Control", versus
 - "a person who is permitted to connect to Kerio Control."
That's not quite the same thing, because users (for example, people browsing the Internet) don't necessarily have to login - they don't necessarily even have to have accounts that COULD login!
Actually, that's up to you as the administrator or owner: if you don't care about tracking individual users and don't have any situation where some people are allowed to access web sites denied to others, then nobody has to login and no users (other than Admin) need to be defined in the firewall.
That doesn't mean that they don't need licenses. Kerio regularly says that every "human" using the firewall requires a license. But note that each human is permitted "as many as 5 devices represented by an IP address". What are they getting at here?
Life used to be simpler
Previous versions of Kerio firewall were licensed by devices - here's the manual from the older Kerio WinRoute Firewall:
WinRoute's license key includes information about maximal number of
users allowed to use the product. In accordance with the licensing
policy, number of users is number of hosts protected by WinRoute,
i.e. sum of the following items:
o All hosts in the local network (workstations and servers),
o all possible VPN clients connecting from the Internet to the local network.
The host where WinRoute is installed is not included in the total number
If the maximal number of licensed users is exceeded, WinRoute may block
traffic of some hosts!
So why the change? It's because users - human users - are apt to use multiple devices today. They may have a smart phone or tablet, they may need to connect from a VPN at home; it's a different world today.
That's why the new licensing says that each user can use five different devices, allowing for desktop computers, smart phones, tablets and VPN connections, and who knows what else might exist in the future.
So what does all this mean to you as the administrator?
You CAN define the users (or draw them from a directory service), and you can optionally assign IP addresses to each user; this allows a user to be recognized without logging in. But none of this is required: you don't have to define users, and if you do, you don't have to define the IP addresses the users will use.
If you don't define users, you can still block websites. For example, here's a rule that blocks this website (HTTP Policy rule):
Even if you haven't defined a single user, nobody can access aplawrence.com. They'll see a block message that invites them to login, but as you have not given them an account, of course they cannot.
If you want to allow SOME people access to this page, then you will have to add them as users and put an allow rule above the deny rule:
With that in place, "tony" can either login and be allowed access, or be automatically logged in if you have defined the IP he is using as belonging to him.
So far, so good
So that's easy enough to understand, right? But what about that "5 IPs per user" rule? If the users aren't defined, what happens with the "unrecognized" users who don't login? Do they all get treated as one user and are therefore limited to five IPs?
No, they do not. If you have a 5 user license and nobody is logging in, then 25 machines (IP addresses) could use the firewall. Fair enough? Sure, but that raises more questions.
For example, let's say that we did define "tony", but not any other users. Does "tony" consume 5 IPs even if he really only uses one? In other words, if "tony" logs in from his desktop computer and from nowhere else, do we still have 24 "unrecognized" machines allowed or has it dropped to 20?
This matters for licensing because there will always be things like scanners, remote printers and server machines that use the firewall but don't login. If you've defined 5 users and they all login, are all your licenses gone even if they aren't using their allotted 5 addresses? Will there still be room for the undefined machines like scanners and servers?
It could also matter for people like "Sam" who is our imaginary IT guy. Sam might sometimes have to use other people's computers and might have to login to access pages those users cannot. Sam might easily use more than 5 IP addresses in a day - will this matter? Sam is going to run into that "If any user tries to connect from more than five devices at a time" rule and consume another license, so you may need extra licenses because of his job needs. But does that mean he has used up one more IP from the "unrecognized" pool or five?
To find out, I set up multiple Ubuntu Linux machines and added 7 users to my (5 user) firewall. I set up a block as described above that could be overridden by any of those logins. I then tried to access the blocked page and logged in when I was rejected.
As I expected, I was only able to login 5 times (different users) - the sixth login was rejected. With all five users logged in, I was still able to access other (unblocked) URL's using machines that were not logged in.
I was also able to login from more than five machines using one login (the "Sam" case above).
That shows that logging in does not consume 5 IP addresses instantly. Therefore, if you have users who use less than their allotted 5 IP addresses, you will be able to handle other users who use more or other machines that do not login at all.
That all means that in a case where, say, 12 users mostly use one or two machines, you are quite safe with a fifteen user license: there will be plenty of spare licenses for servers, printers and any roving user who runs over 5 IPs now and then.
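As an added planning aid (my own addition here, not code from the article or from Kerio), here is a small Python model of the license accounting the experiment above suggests: each logged-in user holds one license, plus one more for every further five concurrent devices, while the address pool is five IPs per license and unused slots stay available to machines that never login. The user names and device counts in the scenarios are constructed.

```python
import math

DEVICES_PER_LICENSE = 5  # Kerio's "up to five devices per user"


def licenses_for_user(device_count: int) -> int:
    """Licenses one authenticated user consumes.

    A defined user who is not logged in (0 devices) holds nothing;
    a logged-in user holds one license for up to five concurrent
    devices and one more for each further group of five (the "Sam" case).
    """
    if device_count <= 0:
        return 0
    return math.ceil(device_count / DEVICES_PER_LICENSE)


def licenses_needed(logged_in: dict, unauthenticated_devices: int) -> int:
    """Licenses needed for the given mix of logged-in users and
    unrecognized machines (scanners, printers, servers, guests).

    logged_in maps each currently authenticated user name to the number
    of devices (IP addresses) that user is connecting from right now.
    """
    # Every distinct authenticated user needs a license of their own,
    # which is why the sixth login in the experiment was rejected.
    by_users = sum(licenses_for_user(n) for n in logged_in.values())
    # Logging in does not eat five addresses at once: the pool is five
    # IPs per license, and unused slots serve machines that never login.
    total_devices = sum(logged_in.values()) + unauthenticated_devices
    by_addresses = math.ceil(total_devices / DEVICES_PER_LICENSE)
    return max(by_users, by_addresses)


def fits(license_count: int, logged_in: dict, unauthenticated_devices: int) -> bool:
    """True if the purchased license count covers this scenario."""
    return licenses_needed(logged_in, unauthenticated_devices) <= license_count


if __name__ == "__main__":
    # Constructed scenarios mirroring the article: nobody logged in,
    # the 5-user experiment, the roving IT person, and the 12-user office.
    print("25 silent machines on 5 licenses:", fits(5, {}, 25))
    five_users = {f"user{i}": 1 for i in range(5)}
    print("5 logins + 10 silent machines on 5 licenses:", fits(5, five_users, 10))
    print("sam alone from 6 machines needs", licenses_needed({"sam": 6}, 0), "licenses")
    office = {f"staff{i}": 2 for i in range(12)}
    print("12 users x 2 devices + 10 servers on 15 licenses:", fits(15, office, 10))
```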
I hope this helps clear up some confusion. If you still have questions, leave them in the comments and I will get an answer ASAP.
Also be aware of the Guest Network capability introduced recently.
Got something to add? Send me email.
© 2014-06-17 Anthony Lawrence