Kerio Control Review

Through the ease of how quickly we could roll out the VPN to everybody, we had whole companies remotely working overnight


What is our primary use case?

We use it ourselves and deploy it to our customers, which are small and medium-sized businesses. Our use cases are for both ourselves and our clients, mainly as a frontline protection for their internal networks to filter viruses and threats as well as for web filtering to ensure employees and guest networks don't access material that wouldn't be appropriate to be viewed. It's also used for remote access VPNs so remote users can access internal servers and resources, as well as site-to-site VPNs for multi-site offices to access resources located either at the main HQ headquarters or at an alternate site.

How has it helped my organization?

It does antivirus, malware, and ransomware. We feel the coverage is complete across the entire spectrum of malware, viruses, and most ransomware. It also covers some types of adware, which is an unwanted program that's not necessarily bad, but there's no reason to have it.

We have a lot of other companies that were multi-site companies which had servers at different sites not talking to each other. They had remote workers or maybe they were using open RDP as their access to their internal network. These customers were getting ransomware infections and constantly just getting frustrated not being able to share resources between sites and this gives them the capability. I have a lot of customers, especially in the non-profit market, where we've had a lot of success deploying the solution. 

A lot of the non-profits also have open WiFi and the filtering tools have been great for making sure that the WiFi bandwidth isn't drained by somebody sitting there and just surfing videos. We can control the open WiFi and we can control public computers to make sure that they stay just on the sites that we want them to stay on, e.g., employment sites, training, etc. So, it's been really helpful for the non-profits.

If a tech has a basic understanding of firewalls, NATing, and security, it is amazing how quick we can teach them how to use the product to its full capabilities. We can take a half day to a day and a brand new tech who's never seen the product can pretty much understand it enough to set it up, work with a customer, and make changes that a customer requests. There's nothing better than a customer calling and saying, "We need to add this site," and instead of saying, "Well, let me open a ticket and get an engineer to look at the thing," we go, "One second," and, through the MyKerio portal, find their firewall, remote into it, make the change, and say, "Okay, test it now. Works? Perfect." Hang up the phone and we are done.

With COVID-19 and everything that has happened, customers would call us up and say, "We're shutting down. Friday's our last day. Everybody is going to work from home." In 24 hours, we could have them all working remotely. The amount of time and simplicity of getting users set up with the VPN allowed us to get massive numbers of users working remotely at businesses that had never even considered remote work as a possibility. Or, maybe the owner had a little bit of remote capability, but that was it. Just through the ease of use and the free VPN client, it was amazing how quickly we could roll out the VPN to everybody; we had whole companies remotely working overnight.

What is most valuable?

The most valuable feature for us is the ease of use. We don't have to go crazy trying to figure out how to do something. It allows you to make changes, set things up, turn on things for a customer without having to go through 37 different menus, read the manual, and try to remember it. It's pretty straightforward. That's what attracted us to it in the beginning. While we can work with complicated systems, most of our customers don't need them, and then we end up just spending more time setting up the solution than we really need to. It's more productive, the customer saves money, and at the same time we make more money off of it. I can set up a whole firewall solution in 30 minutes and that's valuable to me.

We have been very happy with the security features. We find that the keyword filtering is great. Also, the antivirus filtering is excellent. One thing we always tell our customers is that we have never had a client using Kerio Control and the antivirus tools that we suggest who has been infected with any type of ransomware. We have customers who have had ransomware, but they were all ones who chose not to go with Kerio Control. That's always just been a very simple, easy, and powerful fact that we can explain to people, "We've never had a customer who has used this firewall along with our recommended antivirus and had a ransomware infection."

It is very comprehensive. It has all the active protections. It's updated regularly. We love that you can set how often threat definitions are updated so you can work out what is right for the site. A large company with a lot of bandwidth can update the virus definitions and security definitions hourly, if they want. For a smaller site that's remote, where maybe updating the definitions will eat into the bandwidth, we can schedule those to go later at night. It's very flexible and works for us in all types of situations. This is great because then we don't have to learn seven different products to be able to work with seven different scenarios.

We've been very happy with the solution’s firewall and intrusion detection features. The company has been pretty good when it comes to maintaining it and closing out security holes. For example, when there was a security bug found in the encryption in the VPN, they were very quick about reacting to that and coming out with a new VPN client encryption. At the same time, they made sure that for those cases where maybe you couldn't upgrade right away, there was a bit of overlap of backward capability so you weren't like, "Oh geez. I have to do everybody at once."

We love the VPN feature. That is one of our favorite things. The free client that they have makes it so easy to attach computers to the company network and we can usually set somebody up in like five minutes or so. It's real simple for the users because of the way that it presents the information; you don't have all types of weird keys and stuff that users have to remember or write down, which is great because a key lost on a piece of paper is just as bad as a key found by a hacker. So, the computer memorizes it all, stores it, and makes it real simple with a push button to either connect, disconnect, or keep the connection persistent, which we love because then for a company-owned computer it stays connected from the moment the user logs in until they log out. Then, we can actually sync the user's VPN credentials to their Active Directory account and that is really helpful, because if a user leaves, disabling their Active Directory credential also disables their VPN credentials automatically. Now when an employee is no longer with the company, we don't have to worry about going to a separate system and shutting that VPN down until we can get our hands physically back on the laptop. We don't have security risks hanging out there.

MyKerio is a really neat tool where there's one central website that I can go and see every Kerio firewall that we manage. I don't have to go find specific logins for every firewall because I log into the MyKerio site with my master credentials, and it has two-factor authentication to make sure it's secure. Once I'm in, I can choose any of the Kerio firewalls that we manage: Kerio firewalls, Kerio Operator Phone Systems, or their Kerio Connect mail product. I can find any of them and quickly attach to it, then help the customer. It makes it real nice instead of having to chase down a list of IP addresses and passwords. As a managed service provider, it's nice because if a tech leaves, then I can cut them out of all our customers by simply closing their MyKerio account since they never actually had a direct login to the firewall itself.

What needs improvement?

The one feature that seemed to be missing for a while that they finally just re-added was the ability to filter by known IP lists, either specific countries, or lists of IPs known to be hackers. That was in the product a while ago, but just wasn't maintained for a while, but they recently did start to maintain it again.

The MyKerio online portal could probably use a little touch-up and tweaks; sometimes the backups just fail or you have to log off and back in with a new browser to connect to a device. The site is glitchy every now and then.

The guest network that they had behind a splash screen is the one spot that we're not thrilled with. We believe the guest network could have a more reliable and better customization on the splash screen, and sometimes we have issues with users getting to the splash screen at all. Our solution is just to buy unlimited licenses to get around that. Then instead of using the guest WiFi, we create a whole separate VLAN with no splash page or use a splash page through the access points if we need a splash page. It's also not customizable at all, so you can't put logos or names on it, make them accept a usage agreement, etc.

For how long have I used the solution?

It was long before GFI even owned them. It has to be almost 10 years.

What do I think about the stability of the solution?

We have not had any problems with the stability at all. It's pretty solid once we get them running. Besides reboots for updates, we usually never have to do anything with them. The only ones that I can ever remember failing are caused by physical hardware failures. A lot of times either there is a lightning strike, electrical surge, or something like that. Once or twice, we've had a fail where we can't tell exactly why it failed, but it's always been the hardware that's failed, not the firewall software. I do remember one very old box that had gone through multiple iterations and had copied backups from hardware to hardware to hardware for almost a decade, which started acting a little funny. It stayed up, but we would see weird logs that didn't make sense. For that one, we finally did a backup, wiped it, restored the backup, and all the problems went away. That's the only time where the software was the cause and it was nothing that actually affected end users.

What do I think about the scalability of the solution?

I have it in customers that have four users. The largest site that we've had (with a single box) is probably 150 users, including guests, and it scaled right up and I'm sure I could have pushed it much farther. Again the nice part about the product is they have a software-only version where you could put it on your own hardware, where you can slap it in a Xeon server if you really needed to, and I'd have no fears that the product could actually filter a whole school campus.

In our company, it's mainly our techs who work with this solution. The roles are usually customer-facing techs and support techs. We call them technology specialists, but it would be equal to a tech support type person. Everybody in the company dealing with customers knows how to manage the product because it's so simple. There's no reason to have a firewall engineer. We have a senior person for a really complex setup, but every tech can work on the product and set it up for the average company. Every tech can make changes that the customer requests right then and there when they call.

How are customer service and technical support?

I would like to see a little improvement in their technical support when you have a problem. I may be a little jaded because I came from Kerio when we could call and get a person on the phone who worked on the product. Every tech had their own demo setup. They had instant messaging capability with the developers. If we found a problem, then we could get a result for it quickly. Now, the product seems to be 24 hours response no matter what the issue. They have also gone to the model that if you need quicker support, then they now charge you additional for the exact same level of support that they used to give for free. I am assuming it's the exact same level of support that they say it is. I'm not paying extra for it. That's the biggest flaw with the product.

Which solution did I use previously and why did I switch?

We have a mix. A lot of our customers are just building or starting to manage their network, so this is their first new product that didn't come from an office store. We also have some that were replacing an existing product either because the product got old and it was time to replace it, or sometimes because we've seen issues with other products we know this will fix. For one product in particular, we will see point-to-point VPN instability sometimes that customers have been dealing with for years. We'll say, "Hey, let us put this in. Chances are it's going to clear up." Usually, it does. One customer had a point-to-point VPN with that product that would go down almost every day. Now, the point-to-points have been up for about five months straight. This shows how reliable the solution is.

For other customers, sometimes we'll replace another product because they got oversold. They'll have some very large product that's really expensive, and we're like, "Hey, that's cool. It does a ton of neat things you don't even need. But this product will do pretty much all the same things, especially all the things you currently use as well as give you some capability to grow into." A lot of customers didn't realize they need VPNs until all of a sudden they grow. There is nothing worse than telling a customer, "Remember when you saved a couple hundred bucks a year ago. Well, that's all gone now because the product you chose doesn't support this." That's what we like about this solution. It is priced low enough for entry-level, but it has the power to grow with a company without them having to replace it.

How was the initial setup?

The initial setup is super straightforward. We can get a basic firewall running in under an hour. That is from opening the box to getting it working. We tend to take it out of the box and do a little bit of preconfiguring for half an hour, maybe 45 minutes if it's a really complex multi-VLAN setup. Once you have it ready and bring it out to the customer site, then you plug it in and do a couple of final steps. We can get a sealed box to set up in under an hour.

We do have some basic guidelines that we try and use across all of our customers (minimum requirements), but because we deal with a wide range of customers, where some of our customers have four employees and others have 400, there will be minor changes. Everybody usually has a regular network, then a VLAN for guests, but sometimes our larger companies have VLANs for labs and other sections of the business: for example maybe development and admins get more rights. We always make sure the antiviruses, the IPS, filtering are running with a basic number of rules.

Don't overthink the implementation. The biggest thing that you can do is start overthinking when you're setting it up, and be like, "Well, what do I have to do next?" You're probably already done. It's real simple. Anybody could take the manual home if they've never seen it before. They have a complete 30-day demo that you can download. Even if you aren't hooked into the Internet, you can log into the web GUI and look through it. It's great because it gives you an opportunity to do that and play with the product. If you're a technical person, you could take the manual home for the night, then the next day set one of these things up.

What about the implementation team?

We always deploy it by ourselves. I think anyone with some IT experience could do it. I mean it's not for Grandma, but if you understand routing you can do it.

We're rolling out a four location non-profit right now that pretty much had zero network infrastructure. We're bringing our third site on out of four next week. Getting the firewall up is the easy part. It's been more of tying in their computers to the rest of the network and stuff, but eventually we're going to replace this hodgepodge of laptops and emailing files with central shares backed up and secured with the proper permissions all through the VPN.

What was our ROI?

Once customers get into doing site-to-site and employee remote VPNs, they start seeing savings in travel time and time costs. When everybody talks about savings, a lot of people forget to think about, "If my employees have to individually mail a bunch of files to somebody else, spend time trying to access files, or getting somebody in the office to send the files, that's a lot of time spent." This is where giving VPN capabilities both site-to-site and for end users who usually can't afford them is a giant cost savings, being able to seamlessly work remotely, including roaming employees who are able to go site-to-site and access the same resources at any location.

What's my experience with pricing, setup cost, and licensing?

It's generally inexpensive compared to a lot of other products out there.

We don't use the solution’s high-availability/failover protection. For our market, it just hasn't been something that's been worth it for the cost. Because the software can run on both the Kerio hardware as well as regular off the shelf computer hardware, we've actually just maintained a standard computer with some extra NICs in it or a microcomputer as a backup. So, if a box goes out, we just run out there, pull the backup file off the web (since it is backed up through the MyKerio portal), and push it to the box, then we can have them back up in an hour or two. We can then worry about a permanent replacement once the client is back up. 

The biggest advice that I could probably give people is when you buy the solution be prepared to buy a few extra licenses if you want a guest network but you don't need to go crazy. Each user license gives you one employee and five devices. In the world nowadays where everybody has a cellphone, tablet, desktop, and laptop, that's still four devices and you still get one more device per person to cover the company printers, servers, etc.

Which other solutions did I evaluate?

We do evaluate other products both before we choose Kerio Control and on a regular basis. We do have one or two smaller firewall products that we use for the true entry-level businesses who don't need any capabilities, and we are constantly seeing products as we get new customers and what products they are using currently. We don't like to rip them out right away until we understand the network and its issues; we have to get familiar with a customer before we can make a recommendation.

Vendors are always coming out with new things and there are always new features. True cloud management seems to be the big buzz right now, so we've been looking at those types of products. However, so far we keep going back to Kerio Control.

A lot of times I can do things in one screen of Kerio Control that would take two to three screens. I was just making a firewall rule with NAT forwarding on a different product for a customer a couple of days ago and that took four different screens and four different menus. One of the nice things about Kerio is how it does firewall rules and port forwarding. You do it all in one screen called "rules", where it creates the forwarding, the NAT, and the port holes.

With some products I'd have to go into a window to create a firewall rule of VLAN 1 to VLAN 2, then I have to create a firewall rule of VLAN 2 to VLAN 3. Finally, I have to create a firewall rule of VLAN 1 to VLAN 3. That's three separate firewall rules that I have to build. If I want to block one port, then that's three separate firewall rules I have to edit. On Kerio Control, the way it's set up, I can make one rule that encompasses all three of those rules by having my source have multiple sources, multiple destinations, and multiple ports. For example, a security camera system needs three ports forwarded to it. I might have to create three rules and three NAT translations, one for each of those ports. Some of them I can group, but others you can't. With Kerio firewall, I can list all those ports in one spot. Therefore, I can create a rule that allows the WAN and VPN 2 to access a camera system on VPN 3 on these two ports and point it all to the camera system using only one rule.

It is not the most powerful firewall out there, I understand that, but it's a great balancing act between the capabilities. It's as capable as many of my other firewalls, but at the same time, it's not as complicated. You don't need to take a three-month course like you do with some of the other products in order to be able to use it properly. It's all GUI-based, unlike some products. Sure, a lot of products have a GUI where you get just so much done, then at a certain point, you have to jump into command line. There is no command line option in Kerio Control because it's not needed; there isn't a point where I have to pull out a manual and find obscure commands to type in to get the product to do something I want it to do.

What other advice do I have?

It's definitely well suited for and marketed for SMBs but could some enterprises use it? I believe that they could. I believe that there are some spots in the enterprise market that should be looking at this product. I think that some companies would be pleasantly surprised if they considered it for enterprise market use. 

It's inexpensive and secure enough that you could have multiple instances running across a campus, if you needed to do routing. It supports a ton of VLANs, especially if you put it on your own hardware. You can easily have this thing run thousands of users just by scaling up the hardware because it has the ability to run on standard PC or Server hardware so you can pop it right into a computer and boot it up. This is great because you can choose any amount of hardware that you want to put it on to get it to scale to what you need, and you can upgrade it as needed. It's also great when you do have virtual environments.

The company has always been pretty good to work with, which is important. Obviously, GFI's a much bigger company than the original vendor, so some things have changed, but they're a friendly company and want to work with you. They have a nice NFR program. We always like products that have NFR programs, not because we're always looking for free stuff, but because it's nice to be able to use the same equipment inside that we sell to customers, even if it doesn't make sense for us financially (though Kerio Control makes sense for us). Just having that capability to say, "Hey, we use this product ourselves." It's a question that customers ask IT companies a lot, "What do you use?" So, if I can say, "I use Kerio Control." That goes a long way to making the customer understand I really like this product. I trust my business to it. You can trust me when I say, "You can trust your business to it."

I would rate the product as a nine out of 10. I've never heard a customer that went on it be upset. I have never had a customer tell me, "I want to get rid of this thing."

Which deployment model are you using for this solution?

On-premises

Which version of this solution are you currently using?

9.3.4
Disclosure: My company has a business relationship with this vendor other than being a customer: Reseller.
Learn what your peers think about Kerio Control. Get advice and tips from experienced pros sharing their opinions. Updated: April 2021.