Kerio WinRoute Firewall is distributed in two editions: one is for 32-bit systems and the other for 64-bit systems (see the product's download page: http://www.kerio.com/firewall/download).
The 32-bit edition (the “win32” installation package) supports the following operating systems:
Windows 2000,
Windows XP (32 bit),
Windows Server 2003 (32 bit),
Windows Vista (32 bit),
Windows Server 2008 (32 bit).
The 64-bit edition (the “win64” installation package) supports the following operating systems:
Windows XP (64 bit),
Windows Server 2003 (64 bit),
Windows Vista (64 bit),
Windows Server 2008 (64 bit).
Older versions of Windows operating systems are not supported.
Note:
WinRoute installation packages include the Kerio Administration Console. The separate Kerio Administration Console installation package (file kerio-kwf-admin*.exe) is designed for full remote administration from another host. This package is identical for both 32-bit and 64-bit Windows systems. For details on WinRoute administration, see chapter 3 WinRoute Administration.
For the Kerio StaR interface (see chapter 21 Kerio StaR - statistics and reporting) to work correctly, the WinRoute host's operating system must support all languages that will be used in the Kerio StaR interface. Some languages (Chinese, Japanese, etc.) may require installation of additional support files. For details, refer to the documentation for the corresponding operating system.
Install WinRoute on a computer which is used as a gateway connecting the local network and the Internet. This computer must include at least one interface connected to the local network (Ethernet, WiFi, etc.) and at least one interface connected to the Internet. You can use either a network adapter (Ethernet, WiFi, etc.) or a modem (analog, ISDN, etc.) as an Internet interface.
We recommend that you check the following items before you run the WinRoute installation:
Time of the operating system should be set correctly (for timely operating system and antivirus upgrades, etc.),
The latest service packs and any security updates should be applied,
TCP/IP parameters should be set for all available network adapters,
All network connections (both to the local network and to the Internet) should function properly. You can use, for example, the ping command to measure the time needed for connections.
These checks and pre-installation tests may protect you from later problems and complications.
Note: The basic installation of every supported operating system includes all components required for smooth functionality of WinRoute.
Once the installation program is launched (i.e. by kerio-kwf-6.6.0-5700-win32.exe), it is possible to select a language for the installation wizard. Language selection affects only the installation; the language of the user interface can then be set separately for individual WinRoute components.
In the installation wizard, you can choose either Full or Custom installation. Custom mode will let you select optional components of the program:
Kerio WinRoute Firewall Engine — core of the application.
VPN Support — proprietary VPN solution developed by Kerio Technologies (Kerio VPN).
Administration Console — the Kerio Administration Console application (universal console for all server applications of Kerio Technologies) including WinRoute administration tools.
Help files — this manual in the HTML Help format. For help files details, see Kerio Administration Console — Help (available at http://www.kerio.com/firewall/manual).
Go to chapter 2.9 WinRoute Components for a detailed description of all WinRoute components. For detailed description on the proprietary VPN solution, refer to chapter 23 Kerio VPN.
Having completed this step, you can start the installation process. All files will be copied to the hard disk and all the necessary system settings will be performed. The initial Wizard will be run automatically after your first login (see chapter 2.5 Initial configuration wizard (Windows)).
Under usual circumstances, a reboot of the computer is not required after the installation (a restart may be required if the installation program rewrites shared files which are currently in use). This will install the WinRoute low-level driver into the system kernel. WinRoute Engine will be automatically launched when the installation is complete. The engine runs as a service.
Note:
If you selected the Custom installation mode, the behavior of the installation program will be as follows:
all checked components will be installed or updated,
all unchecked components will not be installed or will be removed.
During an update, all components that are intended to remain must be ticked.
The installation program does not allow the Administration Console to be installed separately. Installation of the Administration Console for full remote administration requires a separate installation package (file kerio-kwf-admin*.exe).
To provide the firewall with the highest security possible, it is necessary to ensure that undesirable (unauthorized) persons have no access to the critical files of the application, especially to configuration files. If the NTFS file system is used, WinRoute refreshes the access rights on the directory where the firewall is installed (including all subdirectories) upon each startup. Only members of the Administrators group and the local system account (SYSTEM) are assigned full access (read/write rights); other users are not allowed to access the directory.
If the FAT32 file system is used, it is not possible to protect WinRoute in the way suggested above. For this reason, it is recommended to install WinRoute only on computers which use the NTFS file system.
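A way to verify the access policy described above on a running host. This is an added example, not part of the Kerio manual or product; it assumes Windows PowerShell on the .NET Framework, and the function name and the installation path you pass in are hypothetical (the page does not state the install directory).

```powershell
param(
    # Path of the WinRoute installation directory (not given on this page).
    [Parameter(Mandatory = $true)]
    [string]$InstallDir
)

function Test-WinRouteDirAcl {
    param([string]$Path)
    $findings = @()

    # FAT32 has no ACLs, so the directory cannot be protected there.
    $root  = [System.IO.Path]::GetPathRoot($Path)
    $drive = New-Object System.IO.DriveInfo($root)
    if ($drive.DriveFormat -ne 'NTFS') {
        return @("Volume $root uses $($drive.DriveFormat), not NTFS")
    }

    # Well-known SIDs, so the check also works on localized Windows.
    $allowed = @('S-1-5-32-544',  # BUILTIN\Administrators
                 'S-1-5-18')      # NT AUTHORITY\SYSTEM
    $sidType = [System.Security.Principal.SecurityIdentifier]

    # The directory itself plus everything below it, hidden items included.
    $items = @(Get-Item -LiteralPath $Path) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -Force)
    foreach ($item in $items) {
        # Explicit and inherited ACEs, with identities returned as SIDs.
        $rules = $item.GetAccessControl().GetAccessRules($true, $true, $sidType)
        foreach ($ace in $rules) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($allowed -notcontains $ace.IdentityReference.Value) {
                $findings += "$($item.FullName): $($ace.IdentityReference.Value) " +
                             "is allowed $($ace.FileSystemRights)"
            }
        }
    }
    return $findings
}

$result = Test-WinRouteDirAcl -Path $InstallDir
if ($result) { $result } else { "OK: only Administrators and SYSTEM have access" }
```

Run it from an elevated prompt; any line it prints names a file or directory where an account other than Administrators or SYSTEM holds an allow entry.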
The WinRoute installation program detects applications and system services that might conflict with the WinRoute Firewall Engine.
Windows Firewall's system components[1] and Internet Connection Sharing.
These components provide the same low-level functions as WinRoute. If they run concurrently with WinRoute, network communication will not function correctly and WinRoute might be unstable. Both components are run by the Windows Firewall / Internet Connection Sharing system service.[2]
To provide proper functionality of WinRoute, it is necessary that the Internet Connection Firewall / Internet Connection Sharing detection is stopped and forbidden!
Universal Plug and Play Device Host and SSDP Discovery Service
The services support UPnP (Universal Plug and Play) in the Windows XP, Windows Server 2003, Windows Vista and Windows Server 2008 operating systems. However, these services collide with the UPnP support in WinRoute (refer to chapter 18.2 Universal Plug-and-Play (UPnP)).
The WinRoute installation includes a dialog where it is possible to disable colliding system services.
By default, the WinRoute installation disables all the colliding services listed. Under usual circumstances, it is not necessary to change these settings. Generally, the following rules are applied:
The Windows Firewall / Internet Connection Sharing (ICS) service should be disabled. Otherwise, WinRoute will not work correctly. The option is a certain kind of warning which informs users that the service is running and that it should be disabled.
To enable support for the UPnP protocol in WinRoute (see chapter 18.2 Universal Plug-and-Play (UPnP)), it is also necessary to disable the Universal Plug and Play Device Host and SSDP Discovery Service services.
If you do not plan to use support for UPnP in WinRoute, it is not necessary to disable the Universal Plug and Play Device Host and SSDP Discovery Service services.
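A check of the rules above after installation. This is an added example, not part of the Kerio manual or product; the function name and the $UseWinRouteUPnP switch are hypothetical, and the service short names (SharedAccess, upnphost, SSDPSRV) are the usual Windows names for the display names the manual gives, stated here as an assumption. It requires Windows PowerShell 2.0 or later.

```powershell
# Services the manual lists as conflicting. 'Always' marks the one that must be
# disabled regardless of whether UPnP support in WinRoute is used.
# Short names are assumed Windows service names; the manual gives display names only.
$conflicts = @(
    @{ Name = 'SharedAccess'; Always = $true;
       Display = 'Windows Firewall / Internet Connection Sharing (ICS)' },
    @{ Name = 'upnphost';     Always = $false;
       Display = 'Universal Plug and Play Device Host' },
    @{ Name = 'SSDPSRV';      Always = $false;
       Display = 'SSDP Discovery Service' }
)

function Get-WinRouteServiceConflicts {
    param(
        # Set to $false if UPnP support in WinRoute will not be used.
        [bool]$UseWinRouteUPnP = $true
    )
    foreach ($c in $conflicts) {
        # The two UPnP services only matter when WinRoute's UPnP is in use.
        if (-not $c.Always -and -not $UseWinRouteUPnP) { continue }

        # WMI exposes both the running state and the configured start mode.
        $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$($c.Name)'"
        if (-not $svc) { continue }   # service not present on this system

        # A stopped service that is still set to Auto or Manual can come back
        # after a reboot, so both properties have to be checked.
        $compliant = ($svc.State -eq 'Stopped') -and ($svc.StartMode -eq 'Disabled')
        New-Object PSObject -Property @{
            Service   = $c.Display
            State     = $svc.State
            StartMode = $svc.StartMode
            Compliant = $compliant
        }
    }
}

Get-WinRouteServiceConflicts |
    Format-Table Service, State, StartMode, Compliant -AutoSize
```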
Note:
Upon each startup, WinRoute detects automatically whether the Windows Firewall / Internet Connection Sharing is running. If it is, WinRoute stops it and makes a record in the warning log. This helps assure that the service will be enabled/started immediately after the WinRoute installation.
On Windows XP Service Pack 2, Windows Server 2003, Windows Vista and Windows Server 2008, WinRoute registers in the Security Center automatically. This implies that the Security Center always indicates firewall status correctly and it does not display warnings informing that the system is not protected.