Kerio Control Rip and Replace

I'm very happy today. Yesterday I installed a brand new Kerio Control box at a customer I've known for almost 20 years now. We replaced an Astaro firewall that had been put in just two years ago and you probably think I'm happy because I made a sale, but no, that's not it at all.

I'm happy because my customer is now going to get decent support.

With the Astaro, he was getting awful support and at a damn high price, too. His phone calls and emails would often go ignored for days and sometimes weeks. There was nothing wrong with the Astaro itself and I suppose he could have gone searching for some better Astaro reseller to take over the support, but instead he and I decided to rip and replace - he'll be paying far less in the long run and I do NOT ignore my customers! That's why I'm happy.

Best laid plans

My plan was to replace the Astaro with Kerio Control on Wednesday. We knew the Astaro license would expire a few days before that, but I only got the unit the previous Wednesday, and of course I had other things on my schedule already. I expected that Astaro would have some reasonable policy on expired licenses. For example, Kerio Control has this policy:

If the License (or the trial period) expires, the functionality of the product will be limited. In particular, the following features will be turned off:

* IPS, integrated and external anti-virus engines
* VPN Server, all tunnels, SSL-VPN Server
* Accounting - gathering statistics,
* HTTP Policy, FTP Policy, HTTP Proxy Server, Forbidden words
* Bandwidth Limiter, is turned off
* 'Require user authentication', NTLM authentication
* UPnP server, P2P Eliminator, Anti-spoofing, MAC Filter
* Kerio Web Filter will stop working

I expected Astaro to have something similar.

On Saturday afternoon, however, someone from the customer called saying that the Internet was down. I wasn't where I could test anything at that particular moment, so I asked them to call their ISP (Verizon) to see what they said. An hour later the customer called back, telling me that Verizon said a line was "down" somewhere.

I shrugged my shoulders - there's not much I can do about that, although I knew that they also have a slower line and I thought that would have been configured for failover. The person I was talking to on Saturday would know nothing about that, though, so perhaps they had simply discontinued it.

On Monday morning, I had a call from my usual contact. Apparently Verizon had not yet fixed the problem. They were 'on their way', he said and had narrowed it down to something very close to the building. I commiserated, but then he said something odd.

"Email is still coming in. I can't send email, but I get it."

Excuse me? If the Verizon line is down, how could anything be coming in? Unless maybe it was coming through the failover line? But why wouldn't he be able to get out? I was at a computer now, so I ssh'ed to his Linux server and, sure enough, it let me in. But once in, I couldn't even ping outside sites. That made no sense to me and I suspected the Astaro licensing. I asked him to check what the Astaro said about its interfaces, but he couldn't see much: almost everything he looked at just said his license was expired.

I offered to reschedule and come in early Tuesday, but if Verizon was still looking for a broken line, that didn't seem to make sense. We decided to leave it for Wednesday.

Installation

Of course I preconfigured most of this before going on site, but I didn't add users or fully configure the secondary Internet line - it might not exist. When I arrived, Verizon had just completed the repairs and had asked him to reboot his routers. Good timing!

We headed down to the network closet and I found pretty much what I expected to find. The Astaro had three CAT5 cables plugged in. That would be one for the main ISP, one for the failover and one for the network switch. I pulled them out and started hooking up the new Kerio Control..

All hell broke lose a few minutes later. Cries of pain echoed down the halls. I had somehow disconnected them from their server!

That made no sense, but then we looked more closely at the line coming from the "failover" connection. It was disconnected and had been before we walked in. Huh?

"Oh yeah - I remember he [the Astaro guy] had me disconnect this. It was slowing us down.", my contact guy explained.

Slowing you down? "Wasn't it a failover?", I asked. No, he explained: it had been configured to use both, but it is a much slower link, so people were complaining..

I muttered something unfriendly about the Astaro guy. That link shouldn't have been configured for load balancing. If you have a fast link and a slow link, you either configure the slow one for failover only or you use it only for some specific purpose like incoming mail - you don't plague users with it! I pulled out the "wrong" wire and plugged this one in to the port I had planned for failover.

But what about the wire I just pulled out of that port? What the heck was that? How could we have two connections to the network? It took me a few minutes to understand: there were not two connections to a switch; there was a connection to one switch and a connection to another and the firewall was sitting in the middle! So of course I killed the network when I switched it - I plugged half of their network into a port I had configured for the failover link! The really hilarious part of it was that a little 8 port switch was sitting right there - that extra line could have been plugged into that instead! Sheesh!

But at least we were working. Within a few tens of seconds, people had Internet access again and the network was reunited. I began introducing my contact to his new firewall.

Users and VPN access

I like to set up the VPN users and administrators first. Those are the users we absolutely need to define; the rest can wait. We already had six or seven people who ssh in and I had defined a DNAT rule to bring them in, but I explained that it really would be better for them to use the free Kerio VPN client instead. That would give them access to all network resources instead of just logging in by ssh. We set them up and gave them VPN rights.

I held off on adding any more users because I wanted to show him a neat way to do it in Kerio Control. This way is easier for everyone..

Lease reservations

In the DHCP section of the firewall, you can see leases. If you double click on one, you can give it a name (helpful when the machine names were carelessly assigned) and reserve the lease so that the device will always get that same IP. Why do we care? Because in the user config, there is the ability to assign an IP to a user - when the system sees traffic from that IP, it logs it as belonging to that user.

In this case, that "user" is called "Front Desk Downstairs". Note that spaces in the name are fine and that we really aren't defining a user - we're defining a machine. The Kerio reporting will treat it as a user and a user with more rights could specifically login at that machine, but otherwise we don't care who uses it - we're tracking what happens at that machine. The real user doesn't have to login, doesn't have to know the assigned password, really doesn't have to care at all. But the administrator can now easily see that "Front Desk Machine" spent a lot of time on Facebook just before lunch..

That's a simple and transparent way to handle users. The only people who even need to know passwords are the VPN users or anyone who has rights to unlock otherwise protected content. The administrator gets the oversight and the users don't have to login.

Blocking Sites

Kerio Control has a built in rule for its Kerio Web Filter, but don't forget that you have to double-click on it and select the specific categories you want to block.

Of course there may also be things you want to block specifically. The easiest way to do that is to create a new URL group:

And then add an http policy that blocks them:

This doesn't clutter your policy with dozens of rules and makes it easy for the administrator to add and remove sites.

StaR Reports

Kerio's StaR reports seemed to really fascinate my contact. "Didn't the Astaro do something like this?", I asked. He replied that it did, but only by IP address, so he never knew who was doing what. He said that the Astaro guy was "supposed to fix that", but never did.

Yeah. I think can you see why I was happy about this sale.

8 comments

More Articles by Anthony Lawrence - Find me on Google+

Click here to add your comments




Tue May 22 10:10:39 2012: 10993   NickBarron




I have to say the associating the IP with a user for logging is a very nice touch. Making the overview administration a breeze!

Control has PPTP and SSL VPN but no IPSec or L2TP over IPSec currently from what I can see, is that right?



Tue May 22 11:04:16 2012: 10994   TonyLawrence




No, no PPTP - although you can easily put PPTP behind it if you need to.



Wed Feb 20 14:07:32 2013: 11898   Manan




How to block https ????? https://google.com???

Kerio bug ...



Wed Feb 20 14:13:54 2013: 11899   TonyLawrence




Yeah, that's messy. If you Google "kerio control block https" you'll find relevant posts.



Wed Feb 20 14:15:36 2013: 11900   TonyLawrence




Oops: forgot that changed. See http://forums.kerio.com/fa/2670/



Wed Feb 20 14:18:27 2013: 11901   TonyLawrence




See http://manuals.kerio.com/control/adminguide/en/sect-urlrules.html


Protocol — by default, unsecured traffic is filtered (HTTP). Kerio Control allows to apply filtering also to secured connections (HTTPS), but only by server name. The rest of the condition is ignored. It is therefore possible to allow or block access to a particular server, without the option to allow or block access to individual pages located on the server.

For technical reasons, it is neither possible to apply HTTPS blocking to clients using Internet Explorer on Windows XP.






Wed Feb 20 14:31:45 2013: 11902   MananShastri




Thanks.. But we are using older version of kerio.. Version 6.7.0...



Wed Feb 20 14:36:27 2013: 11903   TonyLawrence




Well, no offense, but that's just dumb.

Why on earth would you run old software for something so important?

Upgrade it. Period.

Don't miss responses! Subscribe to Comments by RSS or by Email

Click here to add your comments

If you want a picture to show with your comment, go get a Gravatar

Why no "Digg this!" etc.?

Have you tried Searching this site?

Unix/Linux/Mac OS X support by phone, email or on-site: Support Rates

This is a Unix/Linux resource website. It contains technical articles about Unix, Linux and general computing related subjects, opinion, news, help files, how-to's, tutorials and more. We appreciate comments and article submissions.

Publishing your articles here