Kerio Control Hardware Appliance firewall


Kerio Control has been available as a hardware appliance for some time now, but I hadn't actually directly worked on one until this week when I had two of them to pre-configure for customers. Both of these were the smaller model, the 1110 series.

I had never paid close attention to the physical specs, so the size of these surprised me a little when I took the first one out of its shipping box. I thought the unit was attractive (hardly important for a firewall, of course) and put it down on my kitchen counter for a snapshot.

As you can see here, this has a four port switch. For initial configuration, port 1 is assigned to the Internet connection and the rest are for the LAN. This can all be changed later, but for initial setup, that's what's expected.

The power switch is over to the right as indicated above. When you first plug in the box, a red LED in that switch turns on, indicating that power is applied but the firewall is not running.

Pushing the switch in powers up the firewall and the switch LED turns blue.

Did you notice the USB ports? They are for Kerio's USB tools, which can be used for forgotten admin passwords, total factory reset, failed upgrades and diagnostics. Normal upgrades are done through the web admin (update check failed here because I'm not connected to the Internet):

The serial port gives access to the Linux console (though I don't own anything that still has serial ports - I'd need to use a USB to serial adaptor).

Initial Configuration

I plugged my iMac into port 4 and let it get the default 10.10.10.x IP address and pointed my browser at as the instructions direct. This brought up the initial configuration dialog.

I thought I might have to temporarily let this box have my Internet connection to complete the installation as some of the prompts implied that configuration would continue only after connecting to Kerio, but in fact I was able to do everything with no working Internet at the box. I used my own connection to register and download the license file and installed that through the LAN connection to the box.

Configuration is basically no different than in the software versions of Control, so I quickly had everything set as I wanted it. I was pleasantly surprised to see this warning pop up:

That's a nice feature for those of us who fat-finger things every now and then. I hadn't painted myself into a corner this time, though, so was able to get logged back in with the new LAN IP. I also added an alias for an IP on my network so that I could do more configuration without my iMac being disconnected from the rest of my network.

Further configuration was routine. I added the users who will have VPN access, added a few known internal hosts to the DNS file and configured a DHCP scope to match his existing firewall. I disabled the DHCP temporarily so that the customer can plug this in to his network to become familiar with it and make any last minute changes before replacing the existing firewall.

I also enabled ssh (hold SHIFT while clicking on Tasks in System Health on older versions, newer version hold Shift when clicking on System Health and you'll see the "Enable SSH" at the bottom) just to take a look at the internals:

Poking around a bit showed nothing unusual or unexpected:

~ # df -k
Filesystem           1K-blocks      Used Available Use% Mounted on
rootfs                  497581    299785    172796  64% /
/dev/sda2               497581    299785    172796  64% /
tmp                    1033372       176   1033196   1% /tmp
dev                       2048       496      1552  25% /dev
/dev/sda1                24395     12714     10461  55% /boot
/dev/sda4              2893096    122120   2624012   5% /var
~ # cat /etc/inittab
# $Revision: 1.1 $

::sysinit:/usr/bin/run-parts2 -a start /etc/boxinit.d
::shutdown:/usr/bin/run-parts2 -r -a stop /etc/boxinit.d

tty2::respawn:/sbin/getty -L 9600 tty2
tty3::respawn:/sbin/getty -L 9600 tty3
ttyS0::respawn:/sbin/getty -L 9600 ttyS0

~ # ls /etc/boxinit.d
00udev	   06network-base  15kipf	      21postinst  59consoleApp
01kernel   07syslogd	   18acpid	      30custom	  60winroute
05basefs   09usbscript	   19parallels-tools  31ssh	  97setdefaultboot
05hwclock  10console	   19vmware	      40firebird
05sysctl   11factoryreset  20network	      50winbind

~ # lspci
00:00.0 Host bridge: Intel Corporation Mobile 915GM/PM/GMS/910GML Express Processor to DRAM Controller (rev 04)
00:02.0 VGA compatible controller: Intel Corporation Mobile 915GM/GMS/910GML Express Graphics Controller (rev 04)
00:1c.0 PCI bridge: Intel Corporation 82801FB/FBM/FR/FW/FRW (ICH6 Family) PCI Express Port 1 (rev 04)
00:1c.1 PCI bridge: Intel Corporation 82801FB/FBM/FR/FW/FRW (ICH6 Family) PCI Express Port 2 (rev 04)
00:1c.2 PCI bridge: Intel Corporation 82801FB/FBM/FR/FW/FRW (ICH6 Family) PCI Express Port 3 (rev 04)
00:1c.3 PCI bridge: Intel Corporation 82801FB/FBM/FR/FW/FRW (ICH6 Family) PCI Express Port 4 (rev 04)
00:1d.0 USB Controller: Intel Corporation 82801FB/FBM/FR/FW/FRW (ICH6 Family) USB UHCI #1 (rev 04)
00:1d.1 USB Controller: Intel Corporation 82801FB/FBM/FR/FW/FRW (ICH6 Family) USB UHCI #2 (rev 04)
00:1d.7 USB Controller: Intel Corporation 82801FB/FBM/FR/FW/FRW (ICH6 Family) USB2 EHCI Controller (rev 04)
00:1e.0 PCI bridge: Intel Corporation 82801 Mobile PCI Bridge (rev d4)
00:1f.0 ISA bridge: Intel Corporation 82801FBM (ICH6M) LPC Interface Bridge (rev 04)
00:1f.1 IDE interface: Intel Corporation 82801FB/FBM/FR/FW/FRW (ICH6 Family) IDE Controller (rev 04)
00:1f.2 IDE interface: Intel Corporation 82801FBM (ICH6M) SATA Controller (rev 04)
00:1f.3 SMBus: Intel Corporation 82801FB/FBM/FR/FW/FRW (ICH6 Family) SMBus Controller (rev 04)
01:00.0 Ethernet controller: Intel Corporation 82573L Gigabit Ethernet Controller
02:00.0 Ethernet controller: Intel Corporation 82573L Gigabit Ethernet Controller
03:00.0 Ethernet controller: Intel Corporation 82573L Gigabit Ethernet Controller
04:00.0 Ethernet controller: Intel Corporation 82573L Gigabit Ethernet Controller

Notice that each ethernet port has its own card? The default is that ports 2-4 are your LAN, but that can be changed:

The box is ready to go. I'll talk to the customer today to see if there is anything else he wants done before I pack it up to ship to him. He'll need to add any other users and machines he wants to track and we'll double check the rules once it is attached to his network, but it's basically ready to plug and play.

Got something to add? Send me email.

(OLDER) <- More Stuff -> (NEWER)    (NEWEST)   

Printer Friendly Version

-> -> Kerio Control Hardware Appliance firewall


Increase ad revenue 50-250% with Ezoic

More Articles by

Find me on Google+

© Anthony Lawrence

Mon May 21 22:53:42 2012: 10981   NickBarron


I have still not really looked at Kerio Control, merely had a quick play on the demo and looked at a VM.

It does seem very capable though. Its tempting to get a little bit more familiar with it.

Is it good enough to go into a 50-150 user site without issues?

Mon May 21 22:59:56 2012: 10982   TonyLawrence


Of course that would depend upon the users.. and whether you went with the little box or the bigger one or your own hardware..

The spec sheet for the boxes is here: (link)

90 or 400 Mbit/s IPS, 50 or 150 A/V, 40 or 125 UTM - most of my customers Internet connections couldn't overload it anyway..

Mon May 21 23:07:17 2012: 10983   NickBarron


In reality neither would many of mine. A few would force the bigger box, i'd be inclined to go with the hardware box where possible I think. That is the route i've taken with Operator so far and its worked out well.

Its been the standard service you expect from Kerio, strong and stable?

It looks very easy to configure as opposed to a Fortigate/Cisco etc. Which could provide a welcome breath of fresh air. Its only its site to site VPN and VPN client abilites i'll need to lookup as certain options are rather essential.

Mon May 21 23:10:00 2012: 10985   TonyLawrence


Yes, stable. After all, it's the same software they've been developing for years..

As to VPN, they are promising IPsec soon. They know they need it..

Tue May 22 09:26:31 2012: 10991   NickBarron


Hmm. Worth a look, but certainly once IPsec is available.

Tue May 22 11:29:58 2012: 10996   TonyLawrence


Yeah, I don't know why it took them so long to understand that they need this. When a customer has branch offices, I may not be able to justify replacing all the firewalls at once and that's what I have to do without IPsec..

They have seen the light though - I don't know how far away it is but I think maybe this year.

Kerio Connect Mailserver

Kerio Samepage

Kerio Control Firewall

Have you tried Searching this site?

Unix/Linux/Mac OS X support by phone, email or on-site: Support Rates

This is a Unix/Linux resource website. It contains technical articles about Unix, Linux and general computing related subjects, opinion, news, help files, how-to's, tutorials and more.

Contact us

C++: an octopus made by nailing extra legs onto a dog. (Steve Taylor)

Everyone knows that debugging is twice as hard as writing a program in the first place. So if you're as clever as you can be when you write it, how will you ever debug it? (Brian Kernighan)

This post tagged: