What is our primary use case?
We mostly use Kerio Control as a virtual firewall solution, and the user accounts let people have access to the internet through the firewall. We also have a few cases where we use the VPN. But it's mostly a firewall solution with multiple VLANs and the network behind it.
It's deployed on-premises, both virtual and hardware solutions. The NG100 is the smallest solution for smaller businesses, but we mostly use the virtual appliance.
Most of our customers are small to medium companies, where there are between five and 40 work spaces. Everyone has a PC and they have a VoIP phone and their own phones, and they have tablets. Most of the time, it's one to four devices per user. The biggest client we have is around 30 users.
How has it helped my organization?
It has made it easier for us and our employees to manage and add settings to the firewall, as opposed to another brand where you have to use command-line or really complicated layouts. The ease of use is a big plus.
The solution has also saved us a lot of time in managing security. We have to adjust the content rules and now we have one place where we can enter them. We have a customer with about 20 Kerio Controls and we don't have to set all the rules on each firewall. When we have to add some rules to each of the firewalls, it can be done within one minute. Normally, it would take 20 to 30 minutes, depending on if they're all online — and we would have to check them manually. Now, we just have to enter them and, when they come online, they sync with the global rule sets.
What is most valuable?
The traffic insight page or the administrative portal is really helpful because you can see all the internet usage down to the point where you can see if it's big files or streams. It gives us a good view of what the internet usage is of users who are coupled to an IP address. That way, if there are problems with, for example, a lot of data usage or problems with the connection, we can narrow it down to a single user or server and address the problem. It's really helpful for diagnostic data.
The content filtering is pretty good for our needs, especially with the global rules you can define. We can define global rules and use them on multiple Kerio Control installations. So we have one place to set all the rules for different customers. That's very good. The rules that it auto-updates and that are automatically available — for example, spam or indecent websites, or whatever else is in the firewall by default — are good.
The VPN works pretty well, especially with the Kerio Control VPN software. Some products don't have their own VPN software and, with Windows, sometimes it's just better to have a piece of software. That's especially true for some of our customers because they only have to open the software and press "Connect." Windows can be a little bit weird when it comes to that, and it breaks connections. You really don't see when Windows loses a connection or if you have to reconnect. The Kerio Control VPN client is pretty good at that.
What needs improvement?
The antivirus is either on or off, but we can't really see or measure how well it is doing. Sometimes we get the feeling that some files get past it and then they get caught on the antivirus of the client PC. We would like to have more control with the antivirus.
Also, we have multiple employees working on firewalls and if one employee changes a rule and traffic that shouldn't be there suddenly comes through the firewall, it's hard to pinpoint which rule is affecting that traffic because there is some overlap. It's not clear if it's getting past it because it's not decrypted. It needs more logging or more in-depth diagnostics about which traffic is hitting which rule on the firewall. Sometimes we have 20 or 30 rules and it becomes a whole job to figure that out.
When it comes to QOS, the quality of service, you have to set a fixed bandwidth. But sometimes, when we have multiple connections in front of it, it's a fallback line. For example, when we use Kerio aboard a ship, there is the satellite connection but there is also a 3G or 4G connection. We always have to set a fixed limit for the connection. If we set the fixed limit to 4G and it switches to navigation, one user can use up all the bandwidth for the entire ship. It would be better if there were something more dynamic, where it could sense the total and we could use percentages. For example, we could say a user has always 5 percent of the connection. But now we have 5 percent of a fixed connection number. The fixed limit on a line for QOS is a problem because we don't always know which connection is in front of it.
Also, if you have to dive deeper into the firewall or any other features, then you really have to read up a bit about how to set it up properly. Some of my colleagues, in the beginning, jumped in and made a bunch of rules but then it got really messy. If Kerio had a template or guidelines for best practices, at the beginning, that would really help. With Kerio Control it's basically "find out for yourself."
We've also had some problems with how to set the rules, but that's when more than one rule is overlapping and cancels out all the other rules. However, that's more our fault.
For how long have I used the solution?
I have been using Kerio Control for around six years.
What do I think about the stability of the solution?
It's pretty stable. We had some problems with Kerio Control virtual appliances. If it was running more than 20 days, it would become really slow and sometimes it would just stop working. When we rebooted the solution it would come back up. But that was something that was happening a year-and-a-half ago. Since then, we haven't had any more problems with it.
We had a few solutions that just went corrupt. We're not sure if that was the disk or Kerio itself. We always have an installation of the virtual appliance on the server, so we can set up a new one, load the backup back in, and be up and running again in 15 minutes.
How are customer service and technical support?
It's been a while since we contacted support, but back when we did it was pretty hard to get a hold of someone. We didn't get a lot of feedback. Most of the time, it was, "Look at the documentation." It was hard to get someone to look over our shoulder and help us with the problem. I think that was before GFI took over.
Which solution did I use previously and why did I switch?
We did not have a previous solution.
How was the initial setup?
As I said, if there were best practices or a template, the setup would be a lot easier because you start and then you change the setup according to what you think is right. But later on, when you encounter problems and look in the documentation, you see that another way is better. That was a bit of a problem when setting up. It all works, but in managing or adding rules, for example, or we just didn't do it properly. It was a bit of trial and error and that was a problem. It's too much trial and error when you start.
Deployment time, for some customers, is fairly quick. A basic setup can be up and running in 15 or 30 minutes. With other customers that have a lot of rules we do testing so it could take three or four hours.
For our implementation strategy, we just look at what the client wants. For some clients, we have a basic template now, where we always use a backup from an existing Kerio. If it's a new customer, we check if we have an existing Kerio that's pretty much the same, or we just do it from scratch if there aren't too many rules or networking behind it.
What was our ROI?
We see ROI because the ease of use is a lot better, so we spend less time on maintenance, administrating, changing rules, and checking usage.
What's my experience with pricing, setup cost, and licensing?
If you have a lot of users, the licensing can be a bit of a problem because we have a lot of customers who don't use the user feature, but we have five devices per user, and we have to extend the license every time. The fixed model of users and devices is a bit of a problem for us. We want to be able to expand it fast and not have to contact our supplier first to get a license. That takes another one or two days and the customer is waiting.
It might be better if they offered a fixed monthly or yearly price instead of the user-based price. That's really keeping us from deploying with some of our smaller customers or customers that have a more dynamic user base. If they had a larger fixed price with unlimited users or devices, that would help. Now, it's five users each time. A pack of 100 or 200 users for a certain price would make it more dynamic and user-scalable.
Which other solutions did I evaluate?
We looked at pfSense and some paid firewall solutions, but in terms of how user-friendly it is for our employees and my colleagues, and how well we could manage it from a remote portal, Kerio Control was better, in our opinion.
What other advice do I have?
Kerio Control is a nice-to-have for a small business like ours.
My advice would be to look at best practices or get someone to show you how to properly set it up before you try anything and it gets too messy. The biggest lesson I have learned from using this solution is to look out when it comes to firewall rules. Don't use too many firewall rules or content rules because it can get really messy, really quickly, if you don't have a decent strategy for that.
We always try to use auto-update, so most of the time we're on the most recent version. We have some examples where we use Kerio Control aboard ships where the bandwidth is really limited. In those cases we use our own timeframe to update Kerio Control, but it's normally done within a month or two, so most of them are up to date.
We haven't seen anything yet in the antivirus and we haven't had any problems with malware with our systems. I don't know if malware is being detected that well, because sometimes the clients still have some malware. I don't know if it's because it's an HTTPS site or something else.
In our company, most of the work with Kerio is done by about 10 people. Everyone does the same tasks: administrating, changing rules, and installing new Kerios. I work on it in my role as a system admin team lead and developer. As of late, I've been more of a developer than administrator. The others are system administrators, business consultants, and there are two other developers.
Which deployment model are you using for this solution?