How Kerio® Control firewall consumes user licenses has been a source of some confusion. I hope to help make it a bit more clear here.
First, let's look at what Kerio says. This is from the Kerio Control Administrators Guide:
Kerio Control 7 uses a new system of Internet access monitoring,
better corresponding to the product's licensing and usage
policy. Kerio Technologies licenses this software as a server with
the Admin account and 5 user accounts in the basic license. Users
can be added in packages of five users.
User is defined as a person who is permitted to connect to Kerio
Control and its services. Each user can connect from up to five
different devices represented by IP addresses, including VPN clients.
If any user tries to connect from more than five devices at a time,
another user license is used for this purpose. Although the product
formerly did not limit the number of connected users, it used to consider
each IP address connected to the server as one user, which might
have caused situations where one user used up available licenses
even by connecting from two devices at a time.
Kerio Control does not limit the number of defined user accounts (see
chapter 18, User Accounts and Groups). However, if the maximal
number of currently authenticated users is reached, no other user
However, their Licensing and Software Maintenance FAQ says something slightly different:
A user is an account with login access to Kerio Control and its
services. An individual user can connect from as many as 5 devices
represented by an IP address, including VPN clients, mobile devices,
IP phones, desktop computers, etc.
If an individual user needs to connect from more than 5 devices, an
additional user license will be required to support the additional
To ensure all users are able to access the network securely and be
adequately protected, it is required that a license be purchased
for each user that will need to login to Kerio Control, including
guests to the network. The admin account does not count as a user.
Define or not defined
The difference is in how a user is defined. The FAQ says a user "is an account with login access to Kerio Control", while the Administrator's Guide says a user "is defined as a person who is permitted to connect to Kerio Control".
That's not quite the same thing, because users (for example, people browsing the Internet) don't necessarily have to login - they don't necessarily even have to have accounts that COULD login!
Actually, that's up to you as the administrator or owner: if you don't care about tracking individual users and don't have any situation where some people are allowed to access web sites denied to others, then nobody has to login and no users (other than Admin) need to be defined in the firewall.
That doesn't mean that they don't need licenses. Kerio regularly says that every "human" using the firewall requires a license. But note that each human is permitted "as many as 5 devices represented by an IP address". What are they getting at here?
Life used to be simpler
Previous versions of Kerio firewall were licensed by devices - here's the manual from the older Kerio WinRoute Firewall:
WinRoute's license key includes information about maximal number of
users allowed to use the product. In accordance with the licensing
policy, the number of users is the number of hosts protected by WinRoute,
i.e. the sum of the following items:
- All hosts in the local network (workstations and servers),
- all possible VPN clients connecting from the Internet to the local network.
The host where WinRoute is installed is not included in the total number.
If the maximal number of licensed users is exceeded, WinRoute may block
traffic of some hosts!
So why the change? It's because users - human users - are apt to use multiple devices today. They may have a smart phone or tablet, they may need to connect over a VPN from home: it's a different world today.
That's why the new licensing says that each user can use five different devices, allowing for desktop computers, smart phones, tablets, VPN connections and whatever else might exist in the future.
So what does all this mean to you as the administrator?
You CAN define the users (or draw them from a directory service), and you can optionally assign IP addresses to each user. That allows a user to be recognized without logging in, but none of this is required: you don't have to define users, and if you do, you don't have to define the IP addresses the users will use.
If you don't define users, you can still block websites. For example, here's a rule that blocks this website (HTTP Policy rule):
Whether or not you have defined a single user, nobody can access aplawrence.com. They'll see a block message that invites them to login, but as you have not given them an account, of course they cannot.
If you want to allow SOME people access to this page, then you will have to add them as users and put an allow rule above the deny rule:
With that in place, "tony" can either login and be allowed access, or be automatically logged in if you have defined the IP he is using as belonging to him.
So far, so good
So that's easy enough to understand, right? But what about that "5 IPs per user" rule? If the users aren't defined, what happens with the "unrecognized" users who don't login? Do they all get treated as one user and are therefore limited to five IPs?
No, they do not. If you have a 5 user license and nobody is logging in, then 25 machines (IP addresses) could use the firewall. Fair enough? Sure, but that raises more questions.
For example, let's say that we did define "tony", but not any other users. Does "tony" consume 5 IPs even if he really only uses one? In other words, if "tony" logs in from his desktop computer and from nowhere else, do we still have 24 "unrecognized" machines allowed, or has it dropped to 20?
This matters for licensing because there will always be things like scanners, remote printers and server machines that use the firewall but don't login. If you've defined 5 users and they all login, are all your licenses gone even if they aren't using their allotted 5 addresses? Will there still be room for the undefined machines like scanners and servers?
It could also matter for people like "Sam" who is our imaginary IT guy. Sam might sometimes have to use other people's computers and might have to login to access pages those users cannot. Sam might easily use more than 5 IP addresses in a day - will this matter? Sam is going to run into that "If any user tries to connect from more than five devices at a time" rule and consume another license, so you may need extra licenses because of his job needs. But does that mean he has used up one more IP from the "unrecognized" pool or five?
To find out, I set up multiple Ubuntu Linux machines and added 7 users to my (5 user) firewall. I set up a block as described above that could be overridden by any of those logins. I then tried to access the blocked page and logged in when I was rejected.
As I expected, I was only able to login 5 times (different users) - the sixth login was rejected. With all five users logged in, I was still able to access other (unblocked) URL's using machines that were not logged in.
I was also able to login from more than five machines using one login (the "Sam" case above).
That shows that logging in does not consume 5 IP addresses instantly. Therefore, if you have users who use less than their allotted 5 IP addresses, you will be able to handle other users who use more or other machines that do not login at all.
That all means that in a case where, say, 12 users mostly use one or two machines each, you are quite safe with a fifteen user license - there will be plenty of spare licenses for servers, printers and any roving user who runs over 5 IPs now and then.
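To make the capacity arithmetic above concrete, here is a small planning script. It is an added example, not code from the original article and not anything Kerio publishes: it encodes only the model that the tests above support (at most one logged-in user per license, at most five IP addresses per license, and a login does not reserve five addresses by itself). The device inventory, the `DEVICES_PER_USER` constant and the `plan()` function are all constructed for illustration.

```python
import math
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

DEVICES_PER_USER = 5   # the "up to five devices" figure from the Kerio docs (assumed constant)


@dataclass(frozen=True)
class Device:
    ip: str
    user: Optional[str] = None   # None: never logs in (scanner, printer, server, guest)


def plan(devices, licenses):
    """Check a device inventory against a user-license count.

    Model (derived from the author's tests, not Kerio's published algorithm):
      * at most `licenses` distinct users can be logged in at once
      * at most licenses * DEVICES_PER_USER IP addresses can use the firewall
      * logging in does not reserve five addresses; only real devices count
    """
    ips = {d.ip for d in devices}
    per_user = defaultdict(set)
    for d in devices:
        if d.user is not None:
            per_user[d.user].add(d.ip)
    needed = max(len(per_user), math.ceil(len(ips) / DEVICES_PER_USER))
    return {
        "ip_addresses": len(ips),
        "authenticated_users": len(per_user),
        # users on more than five addresses: the "Sam" case, worth a second look
        "heavy_users": sorted(u for u, s in per_user.items() if len(s) > DEVICES_PER_USER),
        "licenses_needed": needed,
        "fits": needed <= licenses,
        "spare_ip_capacity": licenses * DEVICES_PER_USER - len(ips),
    }


def author_scenario():
    """Constructed inventory matching the 'twelve users, fifteen licenses' estimate."""
    devices = []
    for n in range(1, 12):                       # 11 ordinary users, two devices each
        devices.append(Device(f"10.0.0.{n}", f"user{n:02d}"))
        devices.append(Device(f"10.0.1.{n}", f"user{n:02d}"))
    for n in range(1, 8):                        # "Sam", roving across seven machines
        devices.append(Device(f"10.0.2.{n}", "sam"))
    for n in range(1, 5):                        # scanners, printers, servers: no login
        devices.append(Device(f"10.0.3.{n}"))
    return devices


if __name__ == "__main__":
    scenarios = [
        ("12 users on 15 licenses", author_scenario(), 15),
        ("25 anonymous hosts on 5 licenses",
         [Device(f"192.168.1.{n}") for n in range(1, 26)], 5),
        ("7 distinct logins on 5 licenses",
         [Device(f"192.168.2.{n}", f"u{n}") for n in range(1, 8)], 5),
    ]
    for label, devs, lic in scenarios:
        print(label, plan(devs, lic))
```

The second scenario reproduces the "nobody logs in, 25 machines on a 5 user license" case, and the third reproduces the test where the sixth distinct login was rejected. The `heavy_users` list does not add a license by itself, because the test above showed one login working from more than five machines; it simply flags the accounts you would want to watch if Kerio's "another user license is used" rule kicks in on your firewall.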
I hope this helps clear up some confusion. If you still have questions, leave them in the comments and I will get an answer ASAP.
Kerio®, and related trademarks, names and logos are the property of Kerio Technologies, Inc. and are registered and/or used in the U.S. and other countries. Used under license from Kerio Technologies, Inc.