2.3  Installation

System requirements

Requirements on minimal hardware parameters of the host where WinRoute will be installed:

  • CPU 1 GHz,

  • 512 MB RAM,

  • 2 network interfaces (including dial-ups),

  • 50 MB free disk space (for the installation),

  • Disk space for statistics (see chapter 21  Kerio StaR — statistics and reporting) and logs (in accordance with traffic flow and logging level — see chapter 22  Logs),

  • to keep the installed product (especially its configuration files) as secure as possible, it is recommended to use the NTFS file system.

The following browsers can be used to access the WinRoute web services (Kerio StaR, see chapter 21  Kerio StaR — statistics and reporting, and Kerio SSL-VPN, see chapter 24  Kerio Clientless SSL-VPN):

  • Internet Explorer 6 and higher,

  • Firefox 1.5 and higher,

  • Safari.

Installation packages

Kerio WinRoute Firewall is distributed in two editions: one is for 32-bit systems and the other for 64-bit systems (see the product's download page: http://www.kerio.com/firewall/download).

The 32-bit edition (the “win32” installation package) supports the following operating systems:

  • Windows 2000,

  • Windows XP (32 bit),

  • Windows Server 2003 (32 bit),

  • Windows Vista (32 bit),

  • Windows Server 2008 (32 bit).

The 64-bit edition (the “win64” installation package) supports the following operating systems:

  • Windows XP (64 bit),

  • Windows Server 2003 (64 bit),

  • Windows Vista (64 bit),

  • Windows Server 2008 (64 bit).

Older versions of Windows operating systems are not supported.

Note:

  1. WinRoute installation packages include the Kerio Administration Console. The separate Kerio Administration Console installation package (file kerio-kwf-admin*.exe) is designed for full remote administration from another host. This package is identical both for 32-bit and 64-bit Windows systems. For details on WinRoute administration, see chapter 3  WinRoute Administration.

  2. For correct functionality of the Kerio StaR interface (see chapter 21  Kerio StaR — statistics and reporting), it is necessary that the WinRoute host's operating system supports all languages that would be used in the Kerio StaR interface. Some languages (Chinese, Japanese, etc.) may require installation of supportive files. For details, refer to documents regarding the corresponding operating system.

Steps to be taken before the installation

Install WinRoute on a computer which is used as a gateway connecting the local network and the Internet. This computer must include at least one interface connected to the local network (Ethernet, WiFi, etc.) and at least one interface connected to the Internet. You can use either a network adapter (Ethernet, WiFi, etc.) or a modem (analog, ISDN, etc.) as an Internet interface.

We recommend that you check the following items before you run the WinRoute installation:

  • The operating system time should be set correctly (for timely operating system and antivirus upgrades, etc.),

  • The latest service packs and any security updates should be applied,

  • TCP/IP parameters should be set for all available network adapters,

  • All network connections (both to the local network and to the Internet) should function properly. You can use, for example, the ping command to measure the time needed for connections.

These checks and pre-installation tests may protect you from later problems and complications.

Note: The basic installation of all supported operating systems includes all components required for smooth functionality of WinRoute.

Installation and Basic Configuration Guide

Once the installation program is launched (i.e. by kerio-kwf-6.6.0-5700-win32.exe), it is possible to select a language for the installation wizard. Language selection affects only the installation; the language of the user interface can then be set separately for individual WinRoute components.

In the installation wizard, you can choose either Full or Custom installation. Custom mode will let you select optional components of the program:

Figure 2.1. Installation — customization by selecting optional components


  • Kerio WinRoute Firewall Engine — core of the application.

  • VPN Support — proprietary VPN solution developed by Kerio Technologies (Kerio VPN).

  • Administration Console — the Kerio Administration Console application (universal console for all server applications of Kerio Technologies) including WinRoute administration tools.

  • Help files — this manual in the HTML Help format. For details on help files, see Kerio Administration Console — Help (available at http://www.kerio.com/firewall/manual).

Go to chapter 2.4  WinRoute Components for a detailed description of all WinRoute components. For a detailed description of the proprietary VPN solution, refer to chapter 23  Kerio VPN.

Having completed this step, you can start the installation process. All files will be copied to the hard disk and all the necessary system settings will be performed. The initial Wizard will be run automatically after your first login (see chapter 2.7  Configuration Wizard).

Under usual circumstances, a reboot of the computer is not required after the installation (a restart may be required if the installation program rewrites shared files which are currently in use). This will install the WinRoute low-level driver into the system kernel. WinRoute Engine will be automatically launched when the installation is complete. The engine runs as a service.

Note:

  1. If you selected the Custom installation mode, the behavior of the installation program will be as follows:

    • all checked components will be installed or updated,

    • all unchecked components will not be installed or will be removed.

    During an update, all components that are intended to remain must be ticked.

  2. The installation program does not allow the Administration Console to be installed separately. Installation of the Administration Console for full remote administration requires a separate installation package (file kerio-kwf-admin*.exe).

Protection of the installed product

To provide the firewall with the highest security possible, it is necessary to ensure that undesirable (unauthorized) persons have no access to the critical files of the application, especially to configuration files. If the NTFS file system is used, WinRoute refreshes, upon each startup, the access rights of the directory where the firewall is installed (including all subdirectories). Only members of the Administrators group and the local system account (SYSTEM) are assigned full access (read/write rights); other users are not allowed to access the directory.

Warning

If the FAT32 file system is used, it is not possible to protect WinRoute in the way suggested above. For this reason, it is recommended to install WinRoute only on computers which use the NTFS file system.
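The access-rights state described above can be audited from PowerShell. The following is an added example, not part of the Kerio manual or product: the function name `Test-InstallDirAcl` is hypothetical, and the install path is a placeholder because the manual does not state it.

```powershell
# Added example, not Kerio code: audit the ACL state the manual describes.
function Test-InstallDirAcl {
    param([Parameter(Mandatory = $true)][string]$InstallDir)

    # Well-known SIDs, so the check does not depend on the Windows language.
    $allowed = @('S-1-5-32-544',   # BUILTIN\Administrators
                 'S-1-5-18')       # NT AUTHORITY\SYSTEM
    $sidType = [System.Security.Principal.SecurityIdentifier]

    # FAT32 carries no ACLs, so there is nothing to audit on such a volume.
    $full = (Resolve-Path -Path $InstallDir).ProviderPath
    $root = [System.IO.Path]::GetPathRoot($full)
    $fs   = (New-Object System.IO.DriveInfo $root).DriveFormat
    if ($fs -ne 'NTFS') { throw "$root is formatted as $fs; access rights cannot be enforced." }

    # The install directory itself plus every subdirectory.
    $dirs = @(Get-Item -Path $full) +
            @(Get-ChildItem -Path $full -Recurse | Where-Object { $_.PSIsContainer })

    foreach ($dir in $dirs) {
        $acl = Get-Acl -Path $dir.FullName
        # includeExplicit = $true, includeInherited = $true, identities returned as SIDs
        foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
            $sid = $ace.IdentityReference.Value
            if ($ace.AccessControlType -eq 'Allow' -and $allowed -notcontains $sid) {
                # Any Allow entry for another principal deviates from the documented state.
                New-Object PSObject -Property @{
                    Path      = $dir.FullName
                    Sid       = $sid
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

# Usage (placeholder path, the manual does not state the install location):
#   Test-InstallDirAcl -InstallDir '<WinRoute install directory>' | Format-Table -AutoSize
```

No output means every audited directory grants access only to Administrators and SYSTEM; each returned row is an entry to investigate.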

Conflicting Applications and System Services

The WinRoute installation program detects applications and system services that might conflict with the WinRoute Firewall Engine.

  1. Windows Firewall's system components[1] and Internet Connection Sharing.

    These components provide the same low-level functions as WinRoute. If they are running concurrently with WinRoute, the network communication would not be functioning correctly and WinRoute might be unstable. Both components are run by the Windows Firewall / Internet Connection Sharing system service.[2]

    Warning

    To provide proper functionality of WinRoute, it is necessary that the Internet Connection Firewall / Internet Connection Sharing detection is stopped and forbidden!

  2. Universal Plug and Play Device Host and SSDP Discovery Service

    The services support UPnP (Universal Plug and Play) in the Windows XP, Windows Server 2003, Windows Vista and Windows Server 2008 operating systems. However, these services collide with the UPnP support in WinRoute (refer to chapter 18.2  Universal Plug-and-Play (UPnP)).

The WinRoute installation includes a dialog where it is possible to disable colliding system services.

Figure 2.2. Disabling colliding system services during installation


By default, the WinRoute installation disables all the colliding services listed. Under usual circumstances, it is not necessary to change these settings. Generally, the following rules are applied:

  • The Windows Firewall / Internet Connection Sharing (ICS) service should be disabled. Otherwise, WinRoute will not work correctly. The option is a certain kind of warning which informs users that the service is running and that it should be disabled.

  • To enable support for the UPnP protocol in WinRoute (see chapter 18.2  Universal Plug-and-Play (UPnP)), it is also necessary to disable the Universal Plug and Play Device Host and SSDP Discovery Service services.

  • If you do not plan to use support for UPnP in WinRoute, it is not necessary to disable the Universal Plug and Play Device Host and SSDP Discovery Service services.
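The rules above can be checked on a host before or after installation. This is an added example for Windows PowerShell, not part of the Kerio manual or product: the function name is hypothetical, and the short service names (`SharedAccess`, `upnphost`, `SSDPSRV`) are the Windows names assumed to correspond to the display names the manual uses.

```powershell
# Added example (not Kerio code): report the services the manual lists as conflicting.
function Get-WinRouteServiceConflict {
    param([switch]$UseUPnP)   # set when WinRoute's own UPnP support will be enabled

    # Windows short service names (assumption: they correspond to the display
    # names used in the manual; the manual itself gives display names only).
    $checks = @(
        @{ Name = 'SharedAccess'; Required = $true;          Why = 'same low-level functions as WinRoute' },
        @{ Name = 'upnphost';     Required = [bool]$UseUPnP; Why = 'collides with WinRoute UPnP support' },
        @{ Name = 'SSDPSRV';      Required = [bool]$UseUPnP; Why = 'collides with WinRoute UPnP support' }
    )

    foreach ($c in $checks) {
        $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$($c.Name)'"
        if (-not $svc) { continue }   # service not present on this Windows version

        $running  = $svc.State -eq 'Running'
        $canStart = $svc.StartMode -ne 'Disabled'   # Auto or Manual: it can come back
        New-Object PSObject -Property @{
            Service     = $svc.DisplayName
            State       = $svc.State
            StartMode   = $svc.StartMode
            MustDisable = $c.Required
            # A conflict is a service that must be disabled but is running or startable.
            Conflict    = $c.Required -and ($running -or $canStart)
            Reason      = $c.Why
        }
    }
}

# Report for a host where WinRoute UPnP support is planned.
Get-WinRouteServiceConflict -UseUPnP |
    Format-Table Service, State, StartMode, MustDisable, Conflict -AutoSize
```

Omit `-UseUPnP` when WinRoute's UPnP support will not be used; the two UPnP services are then reported but not flagged.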

Note:

  1. Upon each startup, WinRoute detects automatically whether the Windows Firewall / Internet Connection Sharing is running. If it is, WinRoute stops it and makes a record in the warning log. This helps assure that the service will be enabled/started immediately after the WinRoute installation.

  2. On Windows XP Service Pack 2, Windows Server 2003, Windows Vista and Windows Server 2008, WinRoute registers in the Security Center automatically. This implies that the Security Center always indicates firewall status correctly and it does not display warnings informing that the system is not protected.



[1] In Windows XP Service Pack 1 and older versions, the integrated firewall is called Internet Connection Firewall.

[2] In the older Windows versions listed above, the service is called Internet Connection Firewall / Internet Connection Sharing.