2.3  Installation

System requirements

Requirements on minimal hardware parameters of the host where WinRoute will be installed:

  • CPU 1 GHz

  • 512 MB RAM

  • 2 network interfaces

  • 50 MB free disk space (for the installation)

  • Disk space for statistics (see chapter 19  Kerio StaR — statistics and reporting) and logs (in accordance with traffic flow and logging level — see chapter 20  Logs)

  • For maximum protection of the installed product (particularly its configuration files), it is recommended to use the NTFS file system.

The following browsers can be used to access the WinRoute (Kerio StaR — see chapter 19  Kerio StaR — statistics and reporting and Kerio SSL-VPN — see chapter 22  Kerio Clientless SSL-VPN) web services:

  • Internet Explorer 6 and 7

  • Firefox 1.5 and 2

  • Safari 1 and 2

Installation packages

Kerio WinRoute Firewall is distributed in two editions: one is for 32-bit systems and the other for 64-bit systems (see the product's download page: http://www.kerio.com/kwfdwn).

The 32-bit edition (the “win32” installation package) supports the following operating systems:

  • Windows 2000

  • Windows XP (32 bit)

  • Windows Server 2003 (32 bit)

  • Windows Vista (32 bit)

Older versions of Windows operating systems are not supported.

The 64-bit edition (the “win64” installation package) supports the following operating systems:

  • Windows XP (64 bit)

  • Windows Server 2003 (64 bit)

  • Windows Vista (64 bit)

Note: WinRoute installation packages include the Kerio Administration Console. The separate Kerio Administration Console installation package (file kerio-kwf-admin*.exe) is designed for remote administration from another host. This package is identical both for 32-bit and 64-bit systems. For details on WinRoute administration, see chapter 3  WinRoute Administration.

Steps to be taken before the installation

Install WinRoute on a computer which is used as a gateway connecting the local network and the Internet. This computer must include at least one interface connected to the local network (Ethernet, TokenRing, etc.) and at least one interface connected to the Internet. You can use either a network adapter (Ethernet, WiFi, etc.) or a modem (analog, ISDN, etc.) as an Internet interface.

We recommend checking the following items before you run the WinRoute installation:

  • Time of the operating system should be set correctly (for timely operating system and antivirus upgrades, etc.)

  • The latest service packs and any Microsoft recommended security updates should be applied.

  • TCP/IP parameters should be set for all available network adapters

  • All network connections (both to the local network and to the Internet) should function properly. For example, you can use the ping command to measure the time needed for connections.

These checks and pre-installation tests may protect you from later problems and complications.

Note: The basic installation of each supported operating system includes all components required for smooth functionality of WinRoute.

Installation and Basic Configuration Guide

Once the installation program is launched (i.e. through kerio-kwf-6.3.1-2600-win32.exe), a guide will take you through setting the basic firewall parameters.

The first step is selection of installation type — Typical (full) or Custom. Choosing the custom mode will let you select WinRoute's individual components:

Figure 2.1. Custom installation — selecting optional components


  • Kerio WinRoute Firewall Engine — core of the application

  • VPN Support — proprietary VPN solution developed by Kerio Technologies,

  • Administration Console — the Kerio Administration Console application (universal console for all server applications of Kerio Technologies),

  • Help Files — this manual in the HTML Help format. For help files details, see Kerio Administration Console — Help (http://www.kerio.com/kwf-manual).

Go to chapter 2.4  WinRoute Components for a detailed description of all WinRoute components. For detailed description on the proprietary VPN solution, refer to chapter 21  Kerio VPN.

Having completed this step, you can start the installation process. All files will be copied to the hard disk and all the necessary system settings will be performed. The initial Wizard will be run automatically after your first login (see chapter 2.7  Configuration Wizard).

Under usual circumstances, a reboot of the computer is not required after the installation (a restart may be required if the installation program rewrites shared files which are currently in use). The installation also installs the WinRoute low-level driver into the system kernel. WinRoute Engine will be automatically launched when the installation is complete. The engine runs as a service.

Notes:

  1. If you selected the Custom installation mode, the behavior of the installation program will be as follows:

    • all checked components will be installed or updated

    • all unchecked components will not be installed or will be removed

    During an update, all components that are intended to remain must be ticked.

  2. During installation of WinRoute's low-level drivers, the operating system may display a warning message stating that compatibility of the drivers with the Windows operating system cannot be verified (this depends on configuration of the operating system).

    Figure 2.2. Installation — verifying compatibility of the low-level driver with Windows XP


    However, the drivers provided within the WinRoute installation package have been tested on all supported Windows operating systems. Therefore, these drivers may be considered as compatible.

    The Kerio WinRoute Firewall Device low-level driver (Kerio WinRoute Firewall Driver — Lower Layer) is required to be installed for each network adapter. Therefore, the total number of alerts depends on the number of network adapters in the system.

  3. The installation program does not allow the Administration Console to be installed separately. Installing the Administration Console for remote administration requires a separate installation package (file kerio-kwf-admin*.exe).

Protection of the installed product

To provide the firewall with the highest security possible, it is necessary to ensure that undesirable (unauthorized) persons have no access to the critical files of the application, especially to configuration files. If the NTFS file system is used, WinRoute refreshes the access rights on the directory where the firewall is installed (including all subdirectories) upon each startup. Only members of the Administrators group and the local system account (SYSTEM) are assigned full access (read/write rights); other users are not allowed to access the directory.

Warning: If the FAT32 file system is applied, it is not possible to secure WinRoute files in the way described above. For this reason, it is recommended to install WinRoute only on computers which use the NTFS file system.
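The access rights described above can be verified after installation. The following Windows PowerShell script is an added example, not part of the Kerio manual or product; it checks that the volume is NTFS and lists any Allow entry on the installation directory or its subdirectories that belongs to an identity other than Administrators or SYSTEM. The installation path is a placeholder because the manual does not state it.

```powershell
# Added example (not Kerio code). $InstallDir is a placeholder: the manual
# does not state the installation path, so pass the real one.
param([string]$InstallDir = 'C:\Path\To\WinRoute')

# Well-known SIDs, used instead of names so the check works on localized Windows.
$allowedSids = @(
    'S-1-5-32-544',   # BUILTIN\Administrators
    'S-1-5-18'        # NT AUTHORITY\SYSTEM (local system account)
)

# ACLs exist only on NTFS; on FAT32 the protection described above is unavailable.
$drive  = (Get-Item $InstallDir).PSDrive.Name
$volume = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='${drive}:'"
if ($volume.FileSystem -ne 'NTFS') {
    Write-Warning "$InstallDir is on $($volume.FileSystem); its files cannot be protected by ACLs."
    return
}

# The installation directory itself plus every subdirectory.
$dirs = @(Get-Item $InstallDir) +
        @(Get-ChildItem $InstallDir -Recurse | Where-Object { $_.PSIsContainer })

$findings = foreach ($dir in $dirs) {
    foreach ($ace in (Get-Acl $dir.FullName).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Resolve the account to its SID before comparing.
        $sid = $ace.IdentityReference.Translate(
                   [System.Security.Principal.SecurityIdentifier]).Value
        if ($allowedSids -notcontains $sid) {
            New-Object PSObject -Property @{
                Path     = $dir.FullName
                Identity = $ace.IdentityReference.Value
                Rights   = $ace.FileSystemRights
            }
        }
    }
}

if ($findings) {
    $findings | Format-Table Path, Identity, Rights -AutoSize
} else {
    "Only Administrators and SYSTEM hold access under $InstallDir."
}
```

Run it from an account in the Administrators group, since other users cannot read the directory's ACL when the protection is in place.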

Conflicting Applications and System Services

The WinRoute installation program detects applications and system services that might conflict with the WinRoute Firewall Engine.

  1. Windows Firewall's system components[1] and Internet Connection Sharing.

    These components provide the same low-level functions as WinRoute. If they run concurrently with WinRoute, network communication will not function correctly and WinRoute might be unstable. Both components are run by the Windows Firewall / Internet Connection Sharing system service.[2]

    Warning: To provide proper functionality of WinRoute, it is necessary that the Internet Connection Firewall / Internet Connection Sharing detection is stopped and forbidden!

  2. Universal Plug and Play Device Host and SSDP Discovery Service

    The services support UPnP (Universal Plug and Play) in the Windows XP and Server 2003 operating systems. However, these services collide with the UPnP support in WinRoute (refer to chapter 16.3  Universal Plug-and-Play (UPnP)).

The WinRoute installation includes a dialog where it is possible to disable colliding system services.

Figure 2.3. Disabling colliding system services during installation


By default, the WinRoute installation disables all the colliding services listed. Under usual circumstances, it is not necessary to change these settings. Generally, the following rules are applied:

  • The Windows Firewall / Internet Connection Sharing (ICS) service should be disabled. Otherwise, WinRoute will not work correctly. The option serves as a warning which informs users that the service is running and that it should be disabled.

  • To enable support for the UPnP protocol in WinRoute (see chapter 16.3  Universal Plug-and-Play (UPnP)), it is also necessary to disable the Universal Plug and Play Device Host and SSDP Discovery Service services.

  • If you do not plan to use support for UPnP in WinRoute, it is not necessary to disable the Universal Plug and Play Device Host and SSDP Discovery Service services.
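The rules above can be checked on a running host. The following Windows PowerShell script is an added example, not part of the Kerio manual or product; it assumes the standard Windows XP / Server 2003 service key names (SharedAccess, upnphost, SSDPSRV), which the manual itself does not list, and a hypothetical -UseWinRouteUPnP switch to say whether WinRoute's UPnP support will be used.

```powershell
# Added example (not Kerio code). Pass -UseWinRouteUPnP if UPnP support in
# WinRoute will be enabled; the switch name is hypothetical.
param([switch]$UseWinRouteUPnP)

# Service key names are the standard Windows XP / Server 2003 ones (assumption).
$services = @(
    @{ Name = 'SharedAccess'; Label = 'Windows Firewall / Internet Connection Sharing (ICS)';
       MustDisable = $true },
    @{ Name = 'upnphost';     Label = 'Universal Plug and Play Device Host';
       MustDisable = [bool]$UseWinRouteUPnP },
    @{ Name = 'SSDPSRV';      Label = 'SSDP Discovery Service';
       MustDisable = [bool]$UseWinRouteUPnP }
)

$report = foreach ($entry in $services) {
    $svc = Get-WmiObject Win32_Service -Filter "Name='$($entry.Name)'"

    if (-not $svc) {
        $verdict = 'not installed'
    } elseif ($svc.StartMode -eq 'Disabled' -and $svc.State -ne 'Running') {
        $verdict = 'OK (disabled)'
    } elseif ($entry.MustDisable) {
        # Running or startable service that collides with WinRoute.
        $verdict = 'CONFLICT: stop and disable'
    } else {
        $verdict = 'allowed (WinRoute UPnP not used)'
    }

    New-Object PSObject -Property @{
        Service   = $entry.Label
        StartMode = $svc.StartMode
        State     = $svc.State
        Verdict   = $verdict
    }
}

$report | Format-Table Service, StartMode, State, Verdict -AutoSize
```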

Notes:

  1. Upon each startup, WinRoute detects automatically whether the Windows Firewall / Internet Connection Sharing is running. If it is, WinRoute stops it and makes a record in the warning log. This helps assure that the service will be enabled immediately after the WinRoute installation.

  2. In Windows XP Service Pack 2, WinRoute automatically registers in the Security Center. This implies that the Security Center always indicates firewall status correctly and it does not display warnings informing that the system is not protected.



[1] In Windows XP Service Pack 1 and older versions, the integrated firewall is called Internet Connection Firewall

[2] In the older Windows versions listed above, the service is called Internet Connection Firewall / Internet Connection Sharing.