Kerio® Control has been available as a hardware appliance for some time now, but I hadn't actually directly worked on one until this week when I had two of them to pre-configure for customers. Both of these were the smaller model, the 1110 series.
I had never paid close attention to the physical specs, so the size of these surprised me a little when I took the first one out of its shipping box. I thought the unit was attractive (hardly important for a firewall, of course) and put it down on my kitchen counter for a snapshot.
As you can see here, this has a four-port switch. For initial configuration, port 1 is assigned to the Internet connection and the rest are for the LAN. This can all be changed later, but for initial setup, that's what's expected.
The power switch is over to the right as indicated above. When you first plug in the box, a red LED in that switch turns on, indicating that power is applied but the firewall is not running.
Pushing the switch in powers up the firewall and the switch LED turns blue.
Did you notice the USB ports? They are for Kerio's USB tools, which can be used to recover from a forgotten admin password, do a total factory reset, recover from a failed upgrade, and run diagnostics. Normal upgrades are done through the web admin (the update check failed here because the box isn't connected to the Internet):
The serial port gives access to the Linux console (though I don't own anything that still has serial ports - I'd need to use a USB to serial adaptor).
I plugged my iMac into port 4 and let it get the default 10.10.10.x IP address and pointed my browser at https://10.10.10.1:4081/admin as the instructions direct. This brought up the initial configuration dialog.
I thought I might have to temporarily let this box have my Internet connection to complete the installation as some of the prompts implied that configuration would continue only after connecting to Kerio, but in fact I was able to do everything with no working Internet at the box. I used my own connection to register and download the license file and installed that through the LAN connection to the box.
Configuration is basically no different than in the software versions of Control, so I quickly had everything set as I wanted it. I was pleasantly surprised to see this warning pop up:
That's a nice feature for those of us who fat-finger things every now and then. I hadn't painted myself into a corner this time, though, so was able to get logged back in with the new LAN IP. I also added an alias for an IP on my network so that I could do more configuration without my iMac being disconnected from the rest of my network.
Further configuration was routine. I added the users who will have VPN access, added a few known internal hosts to the DNS file and configured a DHCP scope to match his existing firewall. I disabled the DHCP temporarily so that the customer can plug this in to his network to become familiar with it and make any last minute changes before replacing the existing firewall.
I also enabled SSH (hold SHIFT while clicking on Tasks in System Health) just to take a look at the internals:
Poking around a bit showed nothing unusual or unexpected:
~ # df -k
Filesystem           1K-blocks      Used Available Use% Mounted on
rootfs                  497581    299785    172796  64% /
/dev/sda2               497581    299785    172796  64% /
tmp                    1033372       176   1033196   1% /tmp
dev                       2048       496      1552  25% /dev
/dev/sda1                24395     12714     10461  55% /boot
/dev/sda4              2893096    122120   2624012   5% /var

~ # cat /etc/inittab
# $Revision: 1.1 $
::sysinit:/usr/bin/run-parts2 -a start /etc/boxinit.d
::ctrlaltdel:/sbin/reboot
::shutdown:/usr/bin/run-parts2 -r -a stop /etc/boxinit.d
::restart:/sbin/init
tty1::respawn:/usr/sbin/kerio-console.init
tty2::respawn:/sbin/getty -L 9600 tty2
tty3::respawn:/sbin/getty -L 9600 tty3
ttyS0::respawn:/sbin/getty -L 9600 ttyS0

~ # ls /etc/boxinit.d
00udev     06network-base  15kipf             21postinst  59consoleApp
01kernel   07syslogd       18acpid            30custom    60winroute
05basefs   09usbscript     19parallels-tools  31ssh       97setdefaultboot
05hwclock  10console       19vmware           40firebird
05sysctl   11factoryreset  20network          50winbind

~ # lspci
00:00.0 Host bridge: Intel Corporation Mobile 915GM/PM/GMS/910GML Express Processor to DRAM Controller (rev 04)
00:02.0 VGA compatible controller: Intel Corporation Mobile 915GM/GMS/910GML Express Graphics Controller (rev 04)
00:1c.0 PCI bridge: Intel Corporation 82801FB/FBM/FR/FW/FRW (ICH6 Family) PCI Express Port 1 (rev 04)
00:1c.1 PCI bridge: Intel Corporation 82801FB/FBM/FR/FW/FRW (ICH6 Family) PCI Express Port 2 (rev 04)
00:1c.2 PCI bridge: Intel Corporation 82801FB/FBM/FR/FW/FRW (ICH6 Family) PCI Express Port 3 (rev 04)
00:1c.3 PCI bridge: Intel Corporation 82801FB/FBM/FR/FW/FRW (ICH6 Family) PCI Express Port 4 (rev 04)
00:1d.0 USB Controller: Intel Corporation 82801FB/FBM/FR/FW/FRW (ICH6 Family) USB UHCI #1 (rev 04)
00:1d.1 USB Controller: Intel Corporation 82801FB/FBM/FR/FW/FRW (ICH6 Family) USB UHCI #2 (rev 04)
00:1d.7 USB Controller: Intel Corporation 82801FB/FBM/FR/FW/FRW (ICH6 Family) USB2 EHCI Controller (rev 04)
00:1e.0 PCI bridge: Intel Corporation 82801 Mobile PCI Bridge (rev d4)
00:1f.0 ISA bridge: Intel Corporation 82801FBM (ICH6M) LPC Interface Bridge (rev 04)
00:1f.1 IDE interface: Intel Corporation 82801FB/FBM/FR/FW/FRW (ICH6 Family) IDE Controller (rev 04)
00:1f.2 IDE interface: Intel Corporation 82801FBM (ICH6M) SATA Controller (rev 04)
00:1f.3 SMBus: Intel Corporation 82801FB/FBM/FR/FW/FRW (ICH6 Family) SMBus Controller (rev 04)
01:00.0 Ethernet controller: Intel Corporation 82573L Gigabit Ethernet Controller
02:00.0 Ethernet controller: Intel Corporation 82573L Gigabit Ethernet Controller
03:00.0 Ethernet controller: Intel Corporation 82573L Gigabit Ethernet Controller
04:00.0 Ethernet controller: Intel Corporation 82573L Gigabit Ethernet Controller
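Once you have console output like the above, the useful follow-up for an administrator is to keep it as a baseline and compare against it later: a filesystem creeping toward full, or a script appearing in /etc/boxinit.d that wasn't there at setup, is worth a look. The script below is an added example written for this article, not Kerio's tooling and not something from the appliance itself. It works on captured text rather than running commands on the box, so it runs anywhere a POSIX shell with awk is available; the sample df output is constructed to match the figures shown above, and the "35example-added" entry in the second listing is a made-up name used only to show the drift check firing.

```shell
#!/bin/sh
# Added example (not from the article or from Kerio): small checks that run
# against text captured from the appliance's SSH console.

# 'df -k' output, constructed to match the figures shown in the article.
DF_SAMPLE='Filesystem 1K-blocks Used Available Use% Mounted on
rootfs 497581 299785 172796 64% /
/dev/sda2 497581 299785 172796 64% /
tmp 1033372 176 1033196 1% /tmp
dev 2048 496 1552 25% /dev
/dev/sda1 24395 12714 10461 55% /boot
/dev/sda4 2893096 122120 2624012 5% /var'

# Baseline listing of /etc/boxinit.d, as captured at first setup (names from
# the article; 'ls' prints them whitespace-separated, so a flat list is fine).
BOXINIT_BASELINE='00udev 01kernel 05basefs 05hwclock 05sysctl 06network-base
07syslogd 09usbscript 10console 11factoryreset 15kipf 18acpid
19parallels-tools 19vmware 20network 21postinst 30custom 31ssh 40firebird
50winbind 59consoleApp 60winroute 97setdefaultboot'

# A later listing with one extra entry. "35example-added" is a constructed
# name used only to demonstrate the drift check; it is not a real Kerio script.
BOXINIT_LATER="$BOXINIT_BASELINE 35example-added"

# Print "mountpoint use%" for every filesystem at or above THRESHOLD percent.
# Usage: df_over_threshold "$DF_OUTPUT" [THRESHOLD]   (default threshold 60)
df_over_threshold() {
    threshold="${2:-60}"
    printf '%s\n' "$1" | awk -v t="$threshold" '
        NR > 1 {                      # skip the header line
            pct = $5; sub(/%/, "", pct)
            if (pct + 0 >= t) print $6, pct
        }'
}

# Print init-script names present in the CURRENT listing but absent from the
# BASELINE listing, in the order they appear in CURRENT.
# Usage: boxinit_added "$BASELINE" "$CURRENT"
boxinit_added() {
    # Unquoted $1/$2 deliberately word-split the listings into one name per line;
    # each line is tagged B (baseline) or C (current) so one awk pass can diff them.
    { printf 'B %s\n' $1; printf 'C %s\n' $2; } | awk '
        $1 == "B" { seen[$2] = 1 }
        $1 == "C" && !($2 in seen) { print $2 }'
}

# Stand-alone run: report on the samples above.
echo "Filesystems at or above 60% use:"
df_over_threshold "$DF_SAMPLE" 60
echo "Init scripts added since baseline:"
boxinit_added "$BOXINIT_BASELINE" "$BOXINIT_LATER"
```

Both functions take the captured text as an argument, so the same code works on a saved copy of the console session or on fresh output piped in over SSH. The df check treats rootfs and /dev/sda2 as separate lines, so the root filesystem is reported twice; that is the box's own df output, not a bug, and is harmless for an eyeball check.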
Notice that each Ethernet port has its own controller (four separate 82573L devices in the lspci output)? The default is that ports 2-4 are your LAN, but that can be changed:
The box is ready to go. I'll talk to the customer today to see if there is anything else he wants done before I pack it up to ship to him. He'll need to add any other users and machines he wants to track and we'll double check the rules once it is attached to his network, but it's basically ready to plug and play.
More Articles by Anthony Lawrence
I am a Kerio reseller. Articles here related to Kerio products reflect my honest opinion, but I do have an obvious interest in selling those products also.
Mon May 21 22:53:42 2012: 10981 NickBarron
I have still not really looked at Kerio Control, merely had a quick play on the demo and looked at a VM.
It does seem very capable though. It's tempting to get a little bit more familiar with it.
Is it good enough to go into a 50-150 user site without issues?
Mon May 21 22:59:56 2012: 10982 TonyLawrence
Of course that would depend upon the users.. and whether you went with the little box or the bigger one or your own hardware..
The spec sheet for the boxes is here: http://www.kerio.com/control/control-box
90 or 400 Mbit/s IPS, 50 or 150 A/V, 40 or 125 UTM - most of my customers' Internet connections couldn't overload it anyway..
Mon May 21 23:07:17 2012: 10983 NickBarron
In reality neither would many of mine. A few would force the bigger box; I'd be inclined to go with the hardware box where possible, I think. That is the route I've taken with Operator so far and it's worked out well.
It's been the standard service you expect from Kerio, strong and stable?
It looks very easy to configure as opposed to a Fortigate/Cisco etc., which could provide a welcome breath of fresh air. It's only its site-to-site VPN and VPN client abilities I'll need to look up, as certain options are rather essential.
Mon May 21 23:10:00 2012: 10985 TonyLawrence
Yes, stable. After all, it's the same software they've been developing for years..
As to VPN, they are promising IPsec soon. They know they need it..
Tue May 22 09:26:31 2012: 10991 NickBarron
Hmm. Worth a look, but certainly once IPsec is available.
Tue May 22 11:29:58 2012: 10996 TonyLawrence
Yeah, I don't know why it took them so long to understand that they need this. When a customer has branch offices, I may not be able to justify replacing all the firewalls at once and that's what I have to do without IPsec..
They have seen the light though - I don't know how far away it is but I think maybe this year.