25.1  Configuration Backup and Transfer

When the firewall's operating system must be reinstalled (e.g. when new hardware is deployed), you can back up WinRoute's configuration, including most of the status information, and use the backup for the new WinRoute installation. This can save a significant amount of time and spare you from solving problems you have already figured out.

Configuration files

All WinRoute configuration data is stored in the following files in the directory where WinRoute is installed (the typical path is C:\Program Files\Kerio\WinRoute Firewall).

The following files are included:

winroute.cfg

Main configuration file.

UserDB.cfg

Information about groups and user accounts.

host.cfg

Preferences for backups of configuration, user account data, DHCP server database, etc.

logs.cfg

Log configuration.

Note: The data in these files is saved in XML format so that it can be easily modified by an advanced user or generated automatically by another application.

Files in the following directories are also considered as configuration data:

dbSSL

An SSL certificate generated automatically for traffic between the WinRoute Firewall Engine and the Administration Console.

For details on traffic between the WinRoute Firewall Engine and the Administration Console, refer to Kerio Administration Console — Help (http://www.kerio.com/kwf-manual).

sslcert

SSL certificates for all components using SSL for traffic encryption (i.e. the web interface, VPN server and the Clientless SSL-VPN interface).

license

If WinRoute has already been registered (including registered trial versions), the license folder includes a license key file. If WinRoute has not been registered yet, the license folder is empty.

Status files

In addition, WinRoute generates other files and directories where certain status information is saved:

Files:

Cache.CFS

Current ISS OrangeWeb Filter's cache data (see chapter 12.4  Content Rating System (ISS OrangeWeb Filter)).

dnscache.cfg

DNS files stored in DNS forwarder's cache (see chapter 8.1  DNS Forwarder).

leases.cfg

IP addresses assigned by the DHCP server.

This file keeps all information available on the Leases tab of the Configuration → DHCP server section (refer to chapter 8.2  DHCP server).

ofclient.cfg

Current ISS OrangeWeb Filter configuration data (see chapter 12.4  Content Rating System (ISS OrangeWeb Filter)).

This file is generated automatically in accordance with ISS OrangeWeb Filter settings made in the main configuration file (winroute.cfg) and it is refreshed upon any change of these settings.

stats.cfg

Interface statistics (see chapter 20.2  Interface statistics) and user statistics (see chapter 20.1  Volume of transferred data and quota usage) data.

vpnleases.cfg

IP addresses assigned to VPN clients (see chapter 23.2  Configuration of VPN clients).

Directories:

logs

The logs directory stores all WinRoute logs (see chapter 22  Logs).

star

The star directory includes a complete database for statistics of the WinRoute web interface.

Handling configuration files

We recommend stopping the WinRoute Firewall Engine before handling the configuration files in any way (backups, recoveries, etc.)! Information contained within these files is loaded and saved only upon starting or stopping the MailServer. All changes to the configuration performed while the Engine is running are stored only in memory. Any modifications made to the files while the Engine is running will be overwritten by the configuration held in system memory when the Engine is stopped.

Configuration backup recovery

Configuration can be backed up by copying all the previously described configuration and/or status files.

To recover the configuration from backed-up data (typically needed when WinRoute is installed on a new workstation or when the operating system is being reinstalled), follow these steps:

  1. Install WinRoute on the required machine (refer to chapter 2.3  Installation).

  2. Stop WinRoute Firewall Engine.

  3. Copy the files host.cfg, logs.cfg, UserDB.cfg and winroute.cfg from the backup into the WinRoute directory (the typical path is C:\Program Files\Kerio\WinRoute Firewall).

  4. Copy license and SSL certificate subdirectories (license, sslcert and dbSSL).

  5. Copy all files and directories with status information (files Cache.CFS, dnscache.cfg, leases.cfg, ofclient.cfg, stats.cfg, vpnclient.cfg and directories logs and star).

  6. Run WinRoute Firewall Engine.

    At this stage, WinRoute detects the required configuration file. During this process, unknown network interfaces (ones which are not defined in the winroute.cfg configuration file) will be detected in the system. Each network interface has a unique (randomly generated) identifier in the operating system. It is practically impossible for two identifiers to be identical.

    To avoid setting up new interfaces and changing traffic rules, you can assign new identifiers to original interfaces in the winroute.cfg configuration file.

  7. Stop WinRoute Firewall Engine.

  8. Use a plaintext editor (e.g. Notepad) to open the winroute.cfg configuration file. Go to the following section:

    <list name="Interfaces">

    Scan this section for the original adapter. Find the identifier of the new interface in the new adapter's entry and copy it to the original adapter. Then remove the new interface's entry.

    Example

    Name of the local network interface is LAN. This network connection is labeled as Local Area Connection in the new operating system. Now, the following data can be found in the Interfaces section (only the essential parts are listed):

    <listitem>
      <variable name="Id">
        \DEVICE\{7AC918EE-3B85-5A0E-8819-CBA57D4E11C7}
      </variable>
      <variable name="Name">LAN</variable>
      ...
    </listitem>
    <listitem>
      <variable name="Id">
        \DEVICE\{6BF377FB-3B85-4180-95E1-EAD57D5A60A1}
      </variable>
      <variable name="Name">Local Area Connection</variable>
      ...
    </listitem>
    

    Copy the Local Area Connection interface's identifier into the LAN interface. Remove the data for Local Area Connection (a relevant listitem section).

    When all these changes are performed, the data in the configuration file relating to the interface connected to the local network will be as follows:

    <listitem>
      <variable name="Id">
        \DEVICE\{6BF377FB-3B85-4180-95E1-EAD57D5A60A1}
      </variable>
      <variable name="Name">LAN</variable>
      ...
    </listitem>
    
  9. Save the winroute.cfg file and run WinRoute Firewall Engine.

Now, the WinRoute configuration is identical to the original WinRoute configuration on the prior operating system.

Note: The method described above creates a complete “clone” of WinRoute on a new host. Some of the steps are optional: for example, if you do not wish to keep the current statistics, do not copy the star subdirectory.
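
The identifier swap from step 8, as an added example that is not part of the Kerio manual: it moves the new adapter's Id onto the original interface and removes the new adapter's listitem, refusing to change anything if either name is missing or ambiguous. The <config> root element and the function names are assumptions; only the list, listitem and variable structure comes from the example above.

```python
import xml.etree.ElementTree as ET

# Constructed sample mirroring the manual's example. The <config> root is an
# assumption; the real file's elided parts ("...") are simply left out.
SAMPLE = r"""<config><list name="Interfaces">
  <listitem>
    <variable name="Id">
      \DEVICE\{7AC918EE-3B85-5A0E-8819-CBA57D4E11C7}
    </variable>
    <variable name="Name">LAN</variable>
  </listitem>
  <listitem>
    <variable name="Id">
      \DEVICE\{6BF377FB-3B85-4180-95E1-EAD57D5A60A1}
    </variable>
    <variable name="Name">Local Area Connection</variable>
  </listitem>
</list></config>"""


def _text(item, name):
    """Stripped text of <variable name=...> inside a listitem ('' if absent)."""
    var = item.find(f"variable[@name='{name}']")
    return (var.text or "").strip() if var is not None else ""


def interfaces(root):
    """Return [(Name, Id), ...] for every entry in the Interfaces list."""
    items = root.findall(".//list[@name='Interfaces']/listitem")
    return [(_text(i, "Name"), _text(i, "Id")) for i in items]


def remap_interface(root, original_name, new_name):
    """Move the new adapter's Id onto the original interface and delete the
    new adapter's listitem. Validates first, so the tree is never half-edited."""
    iface_list = root.find(".//list[@name='Interfaces']")
    if iface_list is None:
        raise ValueError("no Interfaces list in configuration")
    items = iface_list.findall("listitem")
    old = [i for i in items if _text(i, "Name") == original_name]
    new = [i for i in items if _text(i, "Name") == new_name]
    if original_name == new_name or len(old) != 1 or len(new) != 1:
        raise ValueError("each name must match exactly one interface")
    new_id = _text(new[0], "Id")
    id_var = old[0].find("variable[@name='Id']")
    if not new_id or id_var is None:
        raise ValueError("missing Id variable")
    id_var.text = new_id
    iface_list.remove(new[0])
    return new_id
```

Run it against a copy of winroute.cfg with the Engine stopped, and keep the untouched backup until the restored traffic rules have been checked.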