How Kerio® Control firewall consumes user licenses has been a source of some confusion. I hope to make it a bit clearer here.
First, let's look at what Kerio says. This is from the Kerio Control Administrators Guide:
Kerio Control 7 uses a new system of Internet access monitoring, better corresponding to the product's licensing and usage policy. Kerio Technologies licenses this software as a server with the Admin account and 5 user accounts in the basic license. Users can be added in packages of five users. A user is defined as a person who is permitted to connect to Kerio Control and its services. Each user can connect from up to five different devices represented by IP addresses, including VPN clients. If any user tries to connect from more than five devices at a time, another user license is used for this purpose. Although the product formerly did not limit the number of connected users, it used to consider each IP address connected to the server as one user, which might have caused situations where one user used up available licenses even by connecting from two devices at a time.
Warning: Kerio Control does not limit the number of defined user accounts (see chapter 18, User Accounts and Groups). However, if the maximal number of currently authenticated users is reached, no other user can connect.
However, their Licensing and Software Maintenance FAQ says something slightly different:
Kerio Control: A user is an account with login access to Kerio Control and its services. An individual user can connect from as many as 5 devices represented by an IP address, including VPN clients, mobile devices, IP phones, desktop computers, etc. If an individual user needs to connect from more than 5 devices, an additional user license will be required to support the additional devices. To ensure all users are able to access the network securely and be adequately protected, it is required that a license be purchased for each user that will need to log in to Kerio Control, including guests to the network. The admin account does not count as a user.
The difference is in how a user is defined. The FAQ says a user:
is an account with login access to Kerio Control
while the Administrators Guide says a user:
is defined as a person who is permitted to connect to Kerio Control.
That's not quite the same thing, because users (for example, people browsing the Internet) don't necessarily have to log in - they don't necessarily even have to have accounts that COULD log in!
Actually, that's up to you as the administrator or owner: if you don't care about tracking individual users and don't have any situation where some people are allowed to access web sites denied to others, then nobody has to log in and no users (other than Admin) need to be defined in the firewall.
That doesn't mean that they don't need licenses. Kerio regularly says that every "human" using the firewall requires a license. But note that each human is permitted "as many as 5 devices represented by an IP address". What are they getting at here?
Previous versions of Kerio firewall were licensed by devices - here's the manual from the older Kerio WinRoute Firewall:
WinRoute's license key includes information about the maximal number of users allowed to use the product. In accordance with the licensing policy, the number of users is the number of hosts protected by WinRoute, i.e. the sum of the following items:
- All hosts in the local network (workstations and servers),
- all possible VPN clients connecting from the Internet to the local network.
The host where WinRoute is installed is not included in the total number of users.
Warning: If the maximal number of licensed users is exceeded, WinRoute may block traffic of some hosts!
So why the change? It's because users - human users - are apt to use multiple devices today. They may have a smart phone or tablet, or they may need to connect from a VPN at home: it's a different world today.
That's why the new licensing says that each user can use five different devices, allowing for desktop computers, smart phones, tablets, VPN connections and who knows what else might exist in the future.
So what does all this mean to you as the administrator? You CAN define the users (or draw them from a directory service) and you can optionally assign IP addresses to each user - this allows a user to be recognized without logging in, but it's not anything you need to do - you don't have to define users, and if you do, you don't have to define the IP addresses the users will use.
If you don't define users, you can still block websites. For example, here's a rule that blocks this website (HTTP Policy rule):
Whether or not you have defined a single user, nobody can access aplawrence.com. They'll see a block message that invites them to log in, but as you have not given them an account, of course they cannot.
If you want to allow SOME people access to this page, then you will have to add them as users and put an allow rule above the deny rule:
With that in place, "tony" can either log in and be allowed access, or be automatically logged in if you have defined the IP he is using as belonging to him.
So that's easy enough to understand, right? But what about that "5 IP per user" rule? If the users aren't defined, what happens with the "unrecognized" users who don't log in? Do they all get treated as one user and are therefore limited to five IPs?
No, they do not. If you have a 5 user license and nobody is logging in, then 25 machines (IP addresses) could use the firewall. Fair enough? Sure, but that raises more questions.
For example, let's say that we did define "tony", but not any other users. Does "tony" consume 5 IPs even if he really only uses one? In other words, if "tony" logs in from his desktop computer and from nowhere else, do we still have 24 "unrecognized" machines allowed or has it dropped to 20?
This matters for licensing because there will always be things like scanners, remote printers and server machines that use the firewall but don't log in. If you've defined 5 users and they all log in, are all your licenses gone even if they aren't using their allotted 5 addresses? Will there still be room for the undefined machines like scanners and servers?
It could also matter for people like "Sam", our imaginary IT guy. Sam might sometimes have to use other people's computers and might have to log in to access pages those users cannot. Sam might easily use more than 5 IP addresses in a day - will this matter? Sam is going to run into that "If any user tries to connect from more than five devices at a time" rule and consume another license, so you may need extra licenses because of his job needs. But does that mean he has used up one more IP from the "unrecognized" pool or five?
To find out, I set up multiple Ubuntu Linux machines and added 7 users to my (5 user) firewall. I set up a block as described above that could be overridden by any of those logins. I then tried to access the blocked page and logged in when I was rejected.
As I expected, I was only able to log in 5 times (as different users) - the sixth login was rejected. With all five users logged in, I was still able to access other (unblocked) URLs from machines that were not logged in.
I was also able to log in from more than five machines using one login (the "Sam" case above).
That shows that logging in does not consume 5 IP addresses instantly. Therefore, if you have users who use less than their allotted 5 IP addresses, you will be able to handle other users who use more or other machines that do not login at all.
That all means that in a case where, say, 12 users mostly use one or two machines, you are quite safe with a fifteen user license - there will be plenty of spare licenses for servers, printers and any roving user who runs over 5 IPs now and then.
I hope this helps clear up some confusion. If you still have questions, leave them in the comments and I will get an answer ASAP.
Kerio®, and related trademarks, names and logos are the property of Kerio Technologies, Inc. and are registered and/or used in the U.S. and other countries. Used under license from Kerio Technologies, Inc.
Wed Apr 18 04:03:57 2012: 10859 ridhuanamri
How about if my license is for 200 users, but I can still add new users even though the user count is already more than 200? The new users can still authenticate, browse and be filtered without any problem.
Do you mean that if all of the 200 users log in concurrently, user 201 cannot log in and authenticate?
Wed Apr 18 08:35:20 2012: 10860 TonyLawrence
If 200 users authenticated, a 201st could not (not until one or more of the others logged out or timed out).
But if none authenticate, that's different - 1,000 devices could be passing through the firewall.
Wed Apr 18 09:15:54 2012: 10862 Ridhuan
WOW! Quite flexible licensing, right? OK, so that means that if none authenticate, a 200 user license will allow 1000 concurrent connections. Does the 1001st user connection get rejected as well?
Wed Apr 18 09:20:05 2012: 10863 TonyLawrence
I've never tested that, actually.
Wed Apr 18 09:31:08 2012: 10864 TonyLawrence
One thing I do want to stress:
Kerio licensing is PER USER. Yes, you can "beat" that by not authenticating, but what's the point? If you want a cheap firewall, go buy one - there are plenty of choices.
Wed Apr 18 09:41:11 2012: 10865 Ridhuan
lol.. of course.. I am selling Kerio, too. That's why I need to be aware of such licensing policy so that my clients will not misuse it.. :) Thanks for the explanation!
Wed Apr 18 09:46:53 2012: 10866 TonyLawrence
Well, they certainly can :-)
But, as I said, why bother? If they don't care about the control that authentication provides, they should go buy something less expensive.
Wed Apr 18 10:24:55 2012: 10868 Ridhuan
Yup, you are right.. perhaps an open source firewall such as pfSense would serve them well enough...
Sat May 19 11:20:15 2012: 10969 anonymous
I am using Kerio Control 7.3.1 at home. But when I logged in to the admin page, I saw this: Product expiration date: 2012-06-12. I changed the time of the PC to 2012-09-12 after disabling time synchronization. Now I cannot log in to the admin page again without buying a license. But my friend said that he has been using v 7.0.1 for a long time without any login trouble. Did Kerio change their license policy? And from which version?
Sat May 19 11:31:35 2012: 10970 TonyLawrence
It sounds to me like you downloaded a demo?
When demos expire, they are unusable. If you had actually bought a license, you'd lose some functionality by not renewing (as noted above), but you would be able to login.
I'd be happy to assist you with a license if you are in the U.S. However, I really don't want to sell a license unless you plan on renewing yearly (which is less than $100 for a base 5 user currently). Product upgrade is important for safety and features - I simply don't want customers who run old products.
My prices are competitive and include my support. Email me if I can help you.
Sat May 19 11:34:19 2012: 10971 TonyLawrence
Also see http://www.kerio.com/support/software-maintenance which explains:
What happens if my Software Maintenance expires?
It is still possible to use the product, but you will not be able to upgrade past the last version released when your Software Maintenance was still valid.
Integrated Anti-Virus versions will not receive new virus definition updates. Anti-Virus can still be used, but only with the last virus definitions released before your expiration date.
Kerio Web Filter will stop working.
IPS/IDS engine in Kerio Control will not receive new rule updates.
Expired Software Maintenance can be brought up to date by purchasing missed years.
We strongly recommend renewing your Software Maintenance to be protected from all security threats, including the newest and most dangerous ones.