Understanding Kerio Control Firewall Licensing

How Kerio Control firewall consumes user licenses has been a source of some confusion. I hope to help make it a bit more clear here.

First, let's look at what Kerio says. This is from the Kerio Control Administrators Guide:

Kerio Control 7 uses a new system of Internet access monitoring,
better corresponding to the product's licensing and usage
policy. Kerio Technologies licenses this software as a server with
the Admin account and 5 user accounts in the basic license. Users
can be added in packages of five users.

User is defined as a person who is permitted to connect to Kerio
Control and its services. Each user can connect from up to five
different devices represented by IP addresses, including VPN clients.

If any user tries to connect from more than five devices at a time,
another user license is used for this purpose. Although the product
formerly did not limit number of connected users, it used to consider
each IP address connected to the server as one user which might
have caused situations where one user used up available licenses
even by connecting from two device at a time.


Kerio Control does not limit number of defined user accounts (see
chapter 18, User Accounts and Groups). However, if the maximal
number of currently authenticated users is reached, no other user
can connect.

However, their Licensing and Software Maintenance FAQ says something slightly different:

Kerio Control

A user is an account with login access to Kerio Control and its
services. An individual user can connect from as many as 5 devices
represented by an IP address, including VPN clients, mobile devices,
IP phones, desktop computers, etc.

If an individual user needs to connect from more than 5 devices, an
additional user license will be required to support the additional

To ensure all users are able to access the network securely and be
adequately protected, it is required that a license be purchased
for each user that will need to login to Kerio Control, including
guests to the network.The admin account does not count as a user.

Define or not defined

The difference is between how a user is defined:

is an account with login access to Kerio Control and

is defined as a person who is permitted to connect to Kerio Control.

That's not quite the same thing, because users (for example, people browsing the Internet) don't necessarily have to login - they don't necessarily even have to have accounts that COULD login!

Actually, that's up to you as the administrator or owner: if you don't care about tracking individual users and don't have any situation where some people are allowed to access web sites denied to others, then nobody has to login and no users (other than Admin) need to be defined in the firewall.

That doesn't mean that they don't need licenses. Kerio regularly says that every "human" using the firewall requires a license. But note that each human is permitted "as many as 5 devices represented by an IP address". What are they getting at here?

Life used to be simpler

Previous versions of Kerio firewall were licensed by devices - here's the manual from the older Kerio WinRoute Firewall:

WinRoute's license key includes information about maximal number of
users allowed to use the product. In accordance with the licensing
policy, number of users is number of hosts protected by WinRoute,
i.e. sum of the following items:

o All hosts in the local network (workstations and servers),

o all possible VPN clients connecting from the Internet to the local network.

The host where WinRoute is installed in not included in the total number
of users.

If the maximal number of licensed users is exceeded, WinRoute may block
traffic of some hosts!

So why the change? It's because users - human users - are apt to use multiple devices today. They may have a smart phone or tablet, they may need to connect from a VPN at home : it's a different world today.

That's why the new licensing says that each user can use five different devices, allowing for desktop computers, smart phones, tablets and VPN connections and who knows what that might exist in the future.

So what does all this mean to you as the administrator? You CAN define the users (or draw them from a directory service) and you can optionally assign ip addresses to each user - this allows a user to be recognized without logging in, but it's not anything you need to do - you don't have to define users and if you do, you don't have to define ip addresses the users will use.

If you don't define users, you can still block websites. For example, here's a rule that blocks this website (HTTP Policy rule):

Kerio Control HTTP Policy Rule

No matter if you have defined a single user, nobody can access aplawrence.com. They'll see a block message that invites them to login, but as you have not given them an account, of course they cannot.

Kerio Control HTTP denied

If you want to allow SOME people access to this page, then you will have to add them as users and put an allow rule above the deny rule:

Kerio Control HTTP Policy Allowed

With that in place, "tony" can either login and be allowed access, or be automatically logged in if you have defined the IP he is using as belonging to him.

So far, so good

So that's easy enough to understand, right? But what about that "5 IP per user" rule? If the users aren't defined, what happens with the "unrecognized" usrs who don't login? Do they all get treated as one user and are therefore limited to five IP's?

No, they do not. If you have a 5 user license and nobody is logging in, then 25 machines (IP addresses) could use the firewall. Fair enough? Sure, but that raises more questions.

For example, let's say that we did define "tony", but not any other users. Does "tony" consume 5 IP's even if he really only uses one? In other words, if "tony" logs in from his desktop computer and from nowhere else, do we still have 24 "unrecognized" machines allowed or has it dropped to 20?

This matters for licensing because there will always be things like scanners, remote printers and server machines that use the firewall but don't login. If you've defined 5 users and they all login, are all your licenses gone even if they aren't using their allotted 5 addresses? Will there still be room for the undefined machines like scanners and servers?

It could also matter for people like "Sam" who is our imaginary IT guy. Sam might sometimes have to use other people's computers and might have to login to access pages those users cannot. Sam might easily use more than 5 IP addresses in a day - will this matter? Sam is going to run into that "If any user tries to connect from more than five devices at a time" rule and consume another license, so you may need extra licenses because of his job needs. But does that mean he has used up one more IP from the "unrecognized" pool or five?

To find out, I set up multiple Ubuntu Linux machines and added 7 users to my (5 user) firewall. I set up a block as described above that could be overridden by any of those logins. I then tried to access the blocked page and logged in when I was rejected.

As I expected, I was only able to login 5 times (different users) - the sixth login was rejected. With all five users logged in, I was still able to access other (unblocked) URL's using machines that were not logged in.

I was also able to login from more than five machines using one login (the "Sam" case above).

That shows that logging in does not consume 5 IP addresses instantly. Therefore, if you have users who use less than their allotted 5 IP addresses, you will be able to handle other users who use more or other machines that do not login at all.

That all means that in a case where say 12 users mostly use one or two machines, you are quite safe with a fifteen user license - there will be plenty of spare licenses for servers, printers and any roving user who runs over 5 iP's now and then.

I hope this helps clear up some confusion. If you still have questions, leave them in the comments and I will get an answer ASAP.

Also be aware of the Guest Network capability introduced recently.

Got something to add? Send me email.

(OLDER) <- More Stuff -> (NEWER)    (NEWEST)   

Printer Friendly Version

-> -> Understanding Kerio Control Firewall Licensing


Increase ad revenue 50-250% with Ezoic

More Articles by

Find me on Google+

© Anthony Lawrence

Wed Apr 18 04:03:57 2012: 10859   ridhuanamri


How about if my license is for 200 users, but I can still add new users even though the user count is already more than 200? The new users can still authenticate, browse and filtered without any problem.

Do you mean if all of the 200 users login concurrently, the user 201 cannot login and authenticate?

Wed Apr 18 08:35:20 2012: 10860   TonyLawrence


If 200 users authenticated, a 201st could not (not until one or more of the others logged out or timed out).

But if none authenticate, that's different - 1,000 devices could be passing through the firewall.

Wed Apr 18 09:15:54 2012: 10862   Ridhuan


WOW! Quite a flexible licensing, right? OK so means that if none authenticated, 200 users license will allow 1000 concurrent connections. Does the 1001st user connection rejected as well?

Wed Apr 18 09:20:05 2012: 10863   TonyLawrence


I've never tested that, actually..

Wed Apr 18 09:31:08 2012: 10864   TonyLawrence


One thing I do want to stress:

Kerio licensing is PER USER. Yes, you can "beat" that by not authenticating, but what's the point? If you want a cheap firewall, go buy one - there are plenty of choices.

Wed Apr 18 09:41:11 2012: 10865   Ridhuan


lol..of course..I am selling Kerio, too. That's why I need to be aware of such licensing policy so that my client will not misuse them.. :) thanks for the explanation!

Wed Apr 18 09:46:53 2012: 10866   TonyLawrence


Well, they certainly can :-)

But, as I said, why bother? If they don't care about the control that authentication provides, they should go buy something less expensive.

Wed Apr 18 10:24:55 2012: 10868   Ridhuan


Yup, you are right..perhaps open source firewall such as PFSense would serve them well enough...

Sat May 19 11:20:15 2012: 10969   anonymous


I am using Kerio Control 7.3.1 at home. But when I log in admin page, I saw that: Product expiration date: 2012-06-12. I changed the Time of PC to 2012-09-12 after disable synchronize time. I can not log in admin page again without buying license. But my friend said that he has been v 7.0.1 for a long time without any logging trouble. Did Kerio change their license policy? And from which version?

Sat May 19 11:31:35 2012: 10970   TonyLawrence


It sounds to me like you downloaded a demo?

When demos expire, they are unusable. If you had actually bought a license, you'd lose some functionality by not renewing (as noted above), but you would be able to login.

I'd be happy to assist you with a license if you are in the U.S. However, I really don't want to sell a license unless you plan on renewing yearly (which is less than $100 for a base 5 user currently). Product upgrade is important for safety and features - I simply don't want customers who run old products.

My prices are competitive and include my support. Email me if I can help you.

Sat May 19 11:34:19 2012: 10971   TonyLawrence


Also see
(link) which explains:

What happens if my Software Maintenance expires?

It is still possible to use the product, but you will not be able to upgrade past the last version released when your Software Maintenance was still valid.
Integrated Anti-Virus versions will not receive new virus definition updates. Anti-Virus can still be used, but only with the last virus definitions released before your expiration date.
Kerio Web Filter will stop working.
IPS/IDS engine in Kerio Control will not receive new rule updates.
Expired Software Maintenance can be brought up to date by purchasing missed years.
We strongly recommend renewing your Software Maintenance to be protected from all security threats, including the newest and most dangerous ones.

Tue Jun 17 09:22:15 2014: http://www.nardisco.com 12484   anonymous


Hi dear
how can I restrict users to one login ?
i.e I have user1 with pass 123
this user can share his/her ACC with people so they can use this account in the same time !
not good for me

Tue Jun 17 09:44:41 2014: 12485   TonyLawrence


The only thing I can think of would be a traffic rule that locks each user to a specific IP address.

Kerio Connect Mailserver

Kerio Samepage

Kerio Control Firewall

Have you tried Searching this site?

Unix/Linux/Mac OS X support by phone, email or on-site: Support Rates

This is a Unix/Linux resource website. It contains technical articles about Unix, Linux and general computing related subjects, opinion, news, help files, how-to's, tutorials and more.

Contact us

privacy policy