Kerio Control has been available as a hardware appliance for some time now, but I hadn't actually directly worked on one until this week when I had two of them to pre-configure for customers. Both of these were the smaller model, the 1110 series.
I had never paid close attention to the physical specs, so the size of these surprised me a little when I took the first one out of its shipping box. I thought the unit was attractive (hardly important for a firewall, of course) and put it down on my kitchen counter for a snapshot.
As you can see here, this has a four port switch. For initial configuration, port 1 is assigned to the Internet connection and the rest are for the LAN. This can all be changed later, but for initial setup, that's what's expected.
The power switch is over to the right as indicated above. When you first plug in the box, a red LED in that switch turns on, indicating that power is applied but the firewall is not running.
Pushing the switch in powers up the firewall and the switch LED turns blue.
Did you notice the USB ports? They are for Kerio's USB tools, which can be used for forgotten admin passwords, total factory reset, failed upgrades and diagnostics. Normal upgrades are done through the web admin (update check failed here because I'm not connected to the Internet):
The serial port gives access to the Linux console (though I don't own anything that still has serial ports - I'd need to use a USB to serial adaptor).
I plugged my iMac into port 4 and let it get the default 10.10.10.x IP address and pointed my browser at https://10.10.10.1:4081/admin as the instructions direct. This brought up the initial configuration dialog.
I thought I might have to temporarily let this box have my Internet connection to complete the installation as some of the prompts implied that configuration would continue only after connecting to Kerio, but in fact I was able to do everything with no working Internet at the box. I used my own connection to register and download the license file and installed that through the LAN connection to the box.
Configuration is basically no different than in the software versions of Control, so I quickly had everything set as I wanted it. I was pleasantly surprised to see this warning pop up:
That's a nice feature for those of us who fat-finger things every now and then. I hadn't painted myself into a corner this time, though, so was able to get logged back in with the new LAN IP. I also added an alias for an IP on my network so that I could do more configuration without my iMac being disconnected from the rest of my network.
Further configuration was routine. I added the users who will have VPN access, added a few known internal hosts to the DNS file and configured a DHCP scope to match his existing firewall. I disabled the DHCP temporarily so that the customer can plug this in to his network to become familiar with it and make any last minute changes before replacing the existing firewall.
I also enabled ssh (on older versions, hold SHIFT while clicking on Tasks in System Health; on newer versions, hold Shift while clicking on System Health and you'll see "Enable SSH" at the bottom) just to take a look at the internals:
Poking around a bit showed nothing unusual or unexpected:
~ # df -k
Filesystem           1K-blocks      Used Available Use% Mounted on
rootfs                  497581    299785    172796  64% /
/dev/sda2               497581    299785    172796  64% /
tmp                    1033372       176   1033196   1% /tmp
dev                       2048       496      1552  25% /dev
/dev/sda1                24395     12714     10461  55% /boot
/dev/sda4              2893096    122120   2624012   5% /var

~ # cat /etc/inittab
# $Revision: 1.1 $
::sysinit:/usr/bin/run-parts2 -a start /etc/boxinit.d
::ctrlaltdel:/sbin/reboot
::shutdown:/usr/bin/run-parts2 -r -a stop /etc/boxinit.d
::restart:/sbin/init
tty1::respawn:/usr/sbin/kerio-console.init
tty2::respawn:/sbin/getty -L 9600 tty2
tty3::respawn:/sbin/getty -L 9600 tty3
ttyS0::respawn:/sbin/getty -L 9600 ttyS0

~ # ls /etc/boxinit.d
00udev          06network-base   15kipf             21postinst   59consoleApp
01kernel        07syslogd        18acpid            30custom     60winroute
05basefs        09usbscript      19parallels-tools  31ssh        97setdefaultboot
05hwclock       10console        19vmware           40firebird
05sysctl        11factoryreset   20network          50winbind

~ # lspci
00:00.0 Host bridge: Intel Corporation Mobile 915GM/PM/GMS/910GML Express Processor to DRAM Controller (rev 04)
00:02.0 VGA compatible controller: Intel Corporation Mobile 915GM/GMS/910GML Express Graphics Controller (rev 04)
00:1c.0 PCI bridge: Intel Corporation 82801FB/FBM/FR/FW/FRW (ICH6 Family) PCI Express Port 1 (rev 04)
00:1c.1 PCI bridge: Intel Corporation 82801FB/FBM/FR/FW/FRW (ICH6 Family) PCI Express Port 2 (rev 04)
00:1c.2 PCI bridge: Intel Corporation 82801FB/FBM/FR/FW/FRW (ICH6 Family) PCI Express Port 3 (rev 04)
00:1c.3 PCI bridge: Intel Corporation 82801FB/FBM/FR/FW/FRW (ICH6 Family) PCI Express Port 4 (rev 04)
00:1d.0 USB Controller: Intel Corporation 82801FB/FBM/FR/FW/FRW (ICH6 Family) USB UHCI #1 (rev 04)
00:1d.1 USB Controller: Intel Corporation 82801FB/FBM/FR/FW/FRW (ICH6 Family) USB UHCI #2 (rev 04)
00:1d.7 USB Controller: Intel Corporation 82801FB/FBM/FR/FW/FRW (ICH6 Family) USB2 EHCI Controller (rev 04)
00:1e.0 PCI bridge: Intel Corporation 82801 Mobile PCI Bridge (rev d4)
00:1f.0 ISA bridge: Intel Corporation 82801FBM (ICH6M) LPC Interface Bridge (rev 04)
00:1f.1 IDE interface: Intel Corporation 82801FB/FBM/FR/FW/FRW (ICH6 Family) IDE Controller (rev 04)
00:1f.2 IDE interface: Intel Corporation 82801FBM (ICH6M) SATA Controller (rev 04)
00:1f.3 SMBus: Intel Corporation 82801FB/FBM/FR/FW/FRW (ICH6 Family) SMBus Controller (rev 04)
01:00.0 Ethernet controller: Intel Corporation 82573L Gigabit Ethernet Controller
02:00.0 Ethernet controller: Intel Corporation 82573L Gigabit Ethernet Controller
03:00.0 Ethernet controller: Intel Corporation 82573L Gigabit Ethernet Controller
04:00.0 Ethernet controller: Intel Corporation 82573L Gigabit Ethernet Controller
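"Nothing unusual" is easiest to judge when you have something to compare against. The script below is an added example, not from the original post and not Kerio's code: it takes the kind of df -k and ls /etc/boxinit.d output shown above as a pre-ship baseline, parses it, and reports what differs in a later snapshot (new or missing startup scripts, filesystems that appeared or disappeared, filesystems over a usage threshold). The baseline text is transcribed from the listing above; the "later" snapshot and the script name 99localhook are constructed so the comparison has something to report.

```python
"""Baseline-and-compare helper for appliance inventory output.

Added example (not from the post or from Kerio). Capture `df -k` and
`ls /etc/boxinit.d` over ssh before the box ships, keep the text, and run the
comparison against a fresh capture during a later audit.
"""

# Baseline: transcribed from the post's own session output.
BASELINE_DF = """\
Filesystem           1K-blocks      Used Available Use% Mounted on
rootfs                  497581    299785    172796  64% /
/dev/sda2               497581    299785    172796  64% /
tmp                    1033372       176   1033196   1% /tmp
dev                       2048       496      1552  25% /dev
/dev/sda1                24395     12714     10461  55% /boot
/dev/sda4              2893096    122120   2624012   5% /var
"""

BASELINE_SCRIPTS = """\
00udev 06network-base 15kipf 21postinst 59consoleApp
01kernel 07syslogd 18acpid 30custom 60winroute
05basefs 09usbscript 19parallels-tools 31ssh 97setdefaultboot
05hwclock 10console 19vmware 40firebird
05sysctl 11factoryreset 20network 50winbind
"""

# Constructed "later" snapshot: /var has filled up, one startup script is
# gone and an unexpected one (99localhook, a made-up name) has appeared.
LATER_DF = BASELINE_DF.replace(
    "/dev/sda4              2893096    122120   2624012   5% /var",
    "/dev/sda4              2893096   2459132    286984  85% /var",
)
LATER_SCRIPTS = BASELINE_SCRIPTS.replace("19vmware", "99localhook")


def parse_df(text):
    """Return {mountpoint: percent used} from `df -k` output.

    The header line is skipped. rootfs and /dev/sda2 both report "/" on this
    box, so they collapse to a single entry keyed by mountpoint.
    """
    usage = {}
    for line in text.strip().splitlines()[1:]:
        fields = line.split()
        if len(fields) < 6:
            continue  # ignore wrapped or malformed lines
        usage[fields[5]] = int(fields[4].rstrip("%"))
    return usage


def parse_init_scripts(text):
    """Return the set of names from an `ls /etc/boxinit.d` listing (any column layout)."""
    return set(text.split())


def compare_snapshots(base_df, base_scripts, later_df, later_scripts, threshold=80):
    """Return a list of human-readable findings; empty means nothing changed."""
    findings = []
    base_set, later_set = parse_init_scripts(base_scripts), parse_init_scripts(later_scripts)
    for name in sorted(later_set - base_set):
        findings.append(f"new init script: {name}")
    for name in sorted(base_set - later_set):
        findings.append(f"missing init script: {name}")

    base_usage, later_usage = parse_df(base_df), parse_df(later_df)
    for mount, pct in sorted(later_usage.items()):
        if mount not in base_usage:
            findings.append(f"new filesystem mounted: {mount}")
        if pct >= threshold:
            findings.append(f"{mount} at {pct}% used")
    for mount in sorted(set(base_usage) - set(later_usage)):
        findings.append(f"filesystem no longer mounted: {mount}")
    return findings


def audit_example():
    """Run the comparison on the embedded baseline and constructed later snapshot."""
    return compare_snapshots(BASELINE_DF, BASELINE_SCRIPTS, LATER_DF, LATER_SCRIPTS)


if __name__ == "__main__":
    for finding in audit_example() or ["no differences from baseline"]:
        print(finding)
```

The comparison keys filesystems by mountpoint rather than device so that a device rename does not count as a change on its own; raise the threshold argument if the appliance's /var legitimately runs fuller than 80% under its logging load.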
Notice that each ethernet port has its own card? The default is that ports 2-4 are your LAN, but that can be changed:
The box is ready to go. I'll talk to the customer today to see if there is anything else he wants done before I pack it up to ship to him. He'll need to add any other users and machines he wants to track and we'll double check the rules once it is attached to his network, but it's basically ready to plug and play.
More Articles by Anthony Lawrence © 2012-05-22 Anthony Lawrence