Kerio Control for Windows to Kerio Control Appliance Migration Guide
A few opening words.
Fifteen years ago, a company of four enthusiasts in a small Czech town developed and released the first version of the revolutionary solution that laid the foundation for Kerio Technologies. WinRoute Pro was an advanced software router and NAT firewall running on the Windows operating system used on standard user PCs; it was the combination of these features that led to the huge popularity of the product among IT professionals.
Let's move forward to 2009. The past decade had been marked by increased attention to security, and in this regard Kerio Winroute Firewall 6.7.1 enjoyed particular success. Alongside this version, the first Software Appliance was released. It was built on a proprietary Linux-like OS and used a proprietary web-based administration interface for system management. Simultaneously with the Software Appliance, a Virtual Appliance was prepared for the VMware virtualization environment. However, both Appliance builds were less functional than the main Windows version of the application. A year later the product was renamed: it became known as Kerio Control.
With the increasing popularity of the product among users, the goal of Kerio Control was to increase productivity and expand the ability to organize and maintain security. In Kerio Control 7.4, this is reflected in the addition of support for virtual local area networks (VLANs). However, this feature, like some others added over the past two years, was no longer available for the Kerio Control Windows application.
It was the release of the powerful VLAN feature that marked the end of the Kerio Control era for Windows. Kerio Control 7.4 is the last “Windows version” of Kerio Control.
Support for this version (both user and application code support) is provided by Kerio until the end of 2014. We encourage all our users, if possible, to migrate from current Windows versions of Kerio Control to Kerio software or virtual modules.
To simplify the transition, we added support for Microsoft's virtualization system, Hyper-V. Authentication of users through the Microsoft Active Directory directory service is preserved in full, in the form familiar to our users. Administration and access to the user statistics interface can still be carried out using standard web browsers installed on any modern OS. Kerio VPN server and IPsec VPN allow you to connect both from various desktop OSs, including Windows, Linux and MacOS, and using the built-in VPN clients of Android and Apple mobile devices.
Yes, Windows is an excellent platform, but everything passes, and Kerio OS is taking its place: a Linux-like OS that is a universal platform for all Appliance builds of Kerio Control. To help our current users switch from the Windows version of KControl / KWF, we decided to publish a special guide on moving from Windows to the Appliance platform, which can also be downloaded as a PDF file from a special page in our Samepage.io cloud for offline reading.
And he said, “Let's go!!”
So, I suggest starting in order. To begin with, I would like to consider some of the most common misconceptions that stop UTM Kerio Control administrators from such a migration:
- The complexity of the transition.
- Inability to save configuration, application logs, user statistics data when switching to the Appliance assembly.
- Mandatory knowledge of Open Source.
- Inability to run more than one role on one physical server.
- The complexity of backing up Linux-based solutions.
- “It works, don't touch it” (“If there is a possibility that some kind of trouble can happen, then it will happen”: Murphy's Law).
In refutation of these “myths,” I propose to briefly consider the real picture of what is happening during the migration from the Windows version to the Appliance version of Kerio Control:
- The transition, including the additional version-update steps where they are needed, takes no more than two hours of "dirty" time.
- Configuration, log data and user statistics databases are fully migrated. This will be considered separately in the framework of this Guide.
- Knowledge of and experience with Open Source in general and the Linux family of OSs in particular are not needed. Installation of the application and configuration of basic parameters (IP addresses, time and language of the system interface) are done through a graphical user interface in Russian. All other steps for administering your Kerio Control UTM gateway are carried out through the familiar Russified web-based administration interface. Access to the Linux console is not necessary, although it is possible; a little later we will consider in detail when it may be required.
- Using the “virtual module” Kerio Control, you can perform as many IT roles as you need within one virtualization server. Virtualization as a whole allows you to make better use of server hardware resources and expand the boundaries in planning your IT infrastructure.
- Another advantage of the transition is the simplified method of backing up the Kerio Control “software module” configuration using automatic configuration backup to the Kerio cloud - Samepage.io, or to any FTP server that is convenient for you.
- The requirement to update the version may come not only from the IT department, but may also follow from business requirements to expand the capabilities of the UTM solution. Do not forget that “everything that has been achieved to ensure flight safety is the result of overcoming Murphy's Law”.
Now I propose to get acquainted with what the software (Software Appliance) and virtual (Virtual Appliance) modules of Kerio Control are.
Kerio Control Software Appliance
Kerio Control Software Appliance Features
Kerio Control combined with secure OS
32-bit Debian OS on Linux Kernel 3.12 with the ability to use up to 64 GB of RAM (PAE support)
Available as an image (ISO)
It is burned to CD/DVD or USB flash for installation on bare metal.
The main advantages of the platform
- Lack of software and hardware conflicts
- No virus threats
- The familiar and lightweight Kerio Control administration interface
- No need to know *nix systems.
Kerio Control Virtual Appliance
Kerio Control Software Appliance
Hypervisors from VMware and Microsoft
Supported Virtualization Tools:
VMware (Workstation, Player, Server, ESX)
Hyper-V (2008 R2, 2012, 2012 R2)
The main advantages of the platform
- Perform multiple isolated roles on the same physical server
- Transfer UTM to another server in minutes
- The ability to add a network adapter without changing the hardware
- Increased network security without the need for new equipment
After we got acquainted with possible distributions, it's time to turn to users of the “bearded” versions of Kerio Winroute. Below is information on upgrading old Windows versions of KWF to version Kerio Control 7.4 (the final version of the application for the Windows platform) as well as a few nuances that must be taken into account when performing the procedure for updating the version of Kerio Control / KWF in general.
Upgrading from a version below 6.X.X to version 7.X.X should be carried out in stages in accordance with the following scheme:
- Step-by-step transition from KWF 6.5.x to KControl 7.4.x (Windows)
- 6.5.X > 6.6.0 >> 6.7.1 > 7.0.X > 7.1.X >> 7.4.X
Direct migration to 7.4.X is only possible from version 7.1.X and later.
- Transition from version 7.0.X to version 8.XX (Appliance)
- 7.0.X > 7.1.X >> 8.0.X (Software Appliance)
When performing the update, it is important to consider the following points:
- A configuration exported from the Windows version of KControl / KWF should be used only on the matching version of the Appliance build, to guarantee that 100% of the settings are transferred.
- It is possible to transfer the database of user statistics for Internet visits and the contents of the Kerio Control application logs.
- The transfer of the database of user statistics for Internet visits and the contents of the logs of the Kerio Control application must be performed within version 7.4.2 (the final version of the Kerio Control application for Windows)
That's all for the introduction.
Now let's look directly at the sequence of administrator actions for updating the KControl / KWF version in use.
Below are the steps that administrators will have to perform, some all of them and some only a part:
- Update used version
- Switching to the Appliance Platform
- Install Software Appliance
- Install VMware Virtual Appliance
- Install Hyper-V Virtual Appliance
- Configure Network Interfaces
- Saving and transferring user configuration and data
- Migrating the database of application logs and the database of user statistics for visiting the Internet
- Checking the integrity of migrated data
- Update to the latest version of Kerio Control Appliance
Updating your version of Kerio Control (KWF)
The first thing we need to do is get those versions of the KControl / KWF distributions that you need to complete the transition, according to the transition order described a bit above. To download the necessary distributions, use only the official source - the Kerio website: www.kerio.ru or directly the site of our archive of releases: download.kerio.com/archive
The path to the archive is shown in the following images:




Suppose that you are migrating from the latest version of KWF, 6.7.1, and your goal is a working Kerio Control Appliance 8.3 (the current version of the application as of April 2014).
The main “complexity” of the transition in this case is that the upgrade from KWF 6.7.1 to Kerio Control 8.3 must not be performed directly, but as a sequential transition through certain major versions. This is because the configuration files of these “major” versions include some features that require post-processing after the application is installed.
To upgrade from KWF 6.7.1 to Kerio Control 8.3, you will need to perform the following upgrade steps:
1. Upgrade to Kerio Control 7.0.0
2. Upgrade to Kerio Control 7.1.0
3. Upgrade to Kerio Control 7.4.2 (final version for Windows)
You can download the necessary distributions from our release archive.
The process of updating from version to version is the usual installation of a new version “on top” of the old one. The installation program will automatically shut down the Kerio Control system service (Kerio Winroute Firewall), determine the installation directory of the current version of Kerio Control (Kerio Winroute Firewall), and replace the application files that require updating; application log files and user configuration files are kept unchanged. The configuration files will be saved in the special “UpgradeBackups” directory located in the root of the %programfiles%\Kerio\ directory.
Video clip of the regular update process:
Switching to the latest Windows version of Kerio Control 7.4.2 will be the final update step within this platform. The next steps in the transition are preparing the Appliance platform, migrating the configuration, log database, and user statistics.
Transition to the Appliance platform.
In this section, we will look at deployment options for various Kerio Control Appliance distributions.
Install Software Appliance
This version of the installation package can be deployed in the following ways:
- An ISO image can be recorded on a physical CD or DVD media, which you must later use to install Kerio Control on a physical or virtual host.
- In the case of using virtual PCs, the ISO-image can be connected as a virtual CD / DVD-ROM to complete installation from it, without the need for recording to physical media.
- The ISO image can be written to a USB flash drive and installed from it. For instructions, refer to the corresponding article (kb.kerio.com/928) in our knowledge base.
Install VMware Virtual Appliance
To install Kerio Control VMware Virtual Appliance on various virtualization tools from VMware, use the appropriate Kerio Control VMware Virtual Appliance distribution kit:
- For VMware Server, Workstation, Player, Fusion use the archived (*.zip) VMX file:
Install the virtual module in VMware player



- For VMware ESX / ESXi / vSphere Hypervisor, use the special OVF link to import the virtual module, which looks like:
http://download.kerio.com/en/dwn/control/kerio-control-appliance-1.2.3-4567-linux.ovf
VMware ESX / ESXi will automatically download the OVF configuration file and its corresponding image of the virtual hard disk (.vmdk).
When using the OVF format, the following aspects must be taken into account:
- In the Kerio Control virtual module, time synchronization with the virtualization server is disabled. However, Kerio Control has built-in tools for synchronizing time with public network sources of Internet time. Thus, the use of synchronization between the virtual machine and the virtualization server is optional.
- The shutdown and restart tasks of the virtual machine will be set to their default values. The ability to set these values to “forced” shutdown and “forced” restart is retained; however, these options can cause data loss in the Kerio Control virtual module. The Kerio Control virtual module supports so-called “soft” shutdown and “soft” reboot, which turn off or restart the guest OS properly, so it is recommended to use the default values.
Install virtual module (ovf) in VMware vSphere


Install Virtual Appliance for Hyper-V
- Download the archived (*.zip) distribution and unzip it to the desired folder.
- Create a new virtual machine and select the option “Use existing virtual hard disk”, specifying the file unpacked from the downloaded archive as the disk image.
Installing a virtual module in MS Hyper-V






The next important point in preparing for the transition to the Appliance platform is the correct configuration of network interfaces on the selected Appliance platform.
Configuring Network Interfaces in the Software Appliance
The Kerio Control Software Appliance pseudographic interface offers options for configuring IP addresses / multiple addresses in static or dynamic mode, creating VLAN interfaces and the ability to configure the interface in PPPoE mode.

Note: The initial configuration of network interfaces in the Kerio Control Software Appliance distribution package is identical for all Kerio Control Appliance assemblies; there are differences only when configuring virtual network interfaces in different virtualization environments where Kerio Control can be used.
Preparing Virtual Network Interfaces in Hyper-V
To correctly and minimally configure the Hyper-V virtual switch, you need to perform the following steps:
Mapping physical and virtual network interfaces

Checking for the availability of a virtual bridge service on the physical network interfaces of the server

The following video clip shows a quick way to configure network interfaces for the Kerio Control Hyper-V Virtual Appliance:
Note: Full recommendations for configuring network interfaces for the Hyper-V virtualization environment should be taken from the official source of the manufacturer's company.
(http://technet.microsoft.com/ru-ru/)
Preparing virtual network interfaces in VMware vSphere
Approximately the same chain of actions applies when preparing virtual network interfaces in vSphere.
Creating multiple virtual switches, the number depends on your needs for virtual network communications.

Creating a virtual switch in VMware vSphere

Creating a virtual switch in VMware vSphere

Creating a virtual switch in VMware vSphere

Adding the appropriate physical network interfaces to virtual switches so that the physical LAN of the enterprise can interact with them


Mapping the created virtual switches to the virtual network interfaces of the Kerio Control VMware Virtual Appliance


Note: Full recommendations on configuring network interfaces for the VMware virtualization environment should be taken from the official source of the manufacturer's company (www.vmware.com/support/vsphere-hypervisor.html)
After the Appliance assembly has been deployed and network interfaces have been configured, you can proceed to transfer the main user configuration from your Windows version of Kerio Control.
The configuration transfer process itself consists of two steps:
Saving the current configuration using the configuration assistant
When saving configuration, it is recommended to remember, and it is better to write out, the MAC addresses of your current network interfaces and their correspondence to the IP addresses used. You will need this when restoring the configuration on a new Kerio Control Appliance installation.
The process of saving the configuration is shown in the images below:




After this step, you have an archive that includes all user configuration files of the current version of Kerio Control.
The next step is to restore the previously saved configuration to the Appliance. When restoring the configuration, the configuration assistant will offer to map the old network interfaces to the new ones used on the Kerio Control Appliance server.
Note: This is exactly the moment when you need the information about MAC and IP addresses from the old server, which you wrote down or remembered when saving the configuration on the old one.
The process of restoring the configuration is shown in the images below:





To apply the restored configuration, the Kerio Control Appliance server will automatically reboot, after which it can be used.

However, it is still too early to consider the migration complete, as we need to transfer the application log data and user statistics databases from your old server.
And here the fun begins! What you will read below is not described in any official, or even unofficial, documentation; here are several acceptable life hacks that will help you carry out such an important process as the transition to the Kerio Control Appliance platform.
And as usual, before we go over to the direct description, the usual “disclaimer”:
IMPORTANT: The procedure described below is not a documented feature, so to avoid undesirable consequences, create a full backup by copying the data to a secure storage before you start the data transfer.
And so, let's begin! First, save the current application log database. To do this, save the log files located at the following path:
%programfiles%\kerio\winroute firewall\logs\*
For better preservation of this data, before transferring it, it is recommended that you back it up to an accessible, secure storage.
Then, save the current user statistics database. All this information is concentrated in the firebird database file, located in the folder
%programfiles%\kerio\winroute firewall\star\data\
From there, we only need the file
star.fdb
For better preservation of this data, it is recommended that you back it up to an accessible, secure storage before transferring it.
After we have found and saved all the necessary information, we need to transfer it to the new server running the Kerio Control Appliance. The first thing to do in order to upload the saved data to the Kerio Control Appliance is to enable the SSH server, which provides SFTP access. To do this, in the Kerio Control web administration interface, go to the Status -> System Status menu, press and hold the “Shift” key and click the “Actions” button. In the drop-down list, select “Enable SSH” and confirm your action in the window that appears.



After that, you need to make sure that in the Kerio Control traffic rules you have allowed access to the Kerio Control Appliance host via SSH from the location you need.

After you enable SSH and allow the appropriate access, you need to connect to the Kerio Control Appliance server to upload the log data and the user statistics database to it. To do this, we will use the WinSCP application, which allows connections via SFTP.
To connect to the Kerio Control Appliance server, you must specify a user name and password: use root (without quotes) as the user name and the password of the “Admin” account built into Kerio Control as the password.
Parameters of the SFTP connection to the Kerio Control server

After establishing a connection, you must place your data in specific server folders. The log files must be copied to the /var/winroute/logs folder, and the user statistics file must be copied to the /var/winroute/star/data folder, while the old files must either be deleted or renamed.

Note: It is better to rename the old files, in order to keep a backup of the current data. In the case of application log files, you only need to rename the old files with the *.log extension.
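The rename-then-copy step above can be scripted so that nothing on the appliance is touched unless the uploaded files are intact. This is an added example, not Kerio tooling and not part of the original guide; it assumes the saved files were first uploaded to a staging directory (a hypothetical layout, described in the comments) together with a `MANIFEST.sha256` produced by `make_manifest` on the backup copy, and that `sha256sum` and `cmp` are available on the host where it runs.

```shell
#!/bin/sh
# Added example, not Kerio's tooling. Assumed staging layout (hypothetical):
#   STAGE/logs/*            log files saved from the Windows host
#   STAGE/star.fdb          user statistics database
#   STAGE/MANIFEST.sha256   hashes recorded before the upload

# make_manifest STAGE: record a SHA-256 for every staged file.
# Run this on the backup copy before uploading it.
make_manifest() {
    ( cd "$1" || exit 1
      find . -type f ! -name MANIFEST.sha256 -exec sha256sum {} + \
          > MANIFEST.sha256 )
}

# verify_manifest STAGE: succeed only if the manifest is non-empty and
# every listed file still has the recorded hash.
verify_manifest() {
    ( cd "$1" || exit 1
      [ -s MANIFEST.sha256 ] || exit 1
      sha256sum -c MANIFEST.sha256 >/dev/null 2>&1 )
}

# install_migrated STAGE LOGDIR STARDIR
# Returns 0 on success, 1 if the staged data fails its checks (the target
# directories are not touched), 2 if a copy fails or differs from its source.
install_migrated() {
    stage=$1; logdir=$2; stardir=$3
    stamp=$(date +%Y%m%d%H%M%S)

    verify_manifest "$stage" || { echo "manifest check failed" >&2; return 1; }
    [ -f "$stage/star.fdb" ] || { echo "star.fdb missing" >&2; return 1; }
    [ -n "$(ls -A "$stage/logs" 2>/dev/null)" ] \
        || { echo "no staged log files" >&2; return 1; }

    # Keep the appliance's current data: rename it, do not delete it.
    for f in "$logdir"/*.log; do
        if [ -e "$f" ]; then mv "$f" "$f.old-$stamp"; fi
    done
    if [ -e "$stardir/star.fdb" ]; then
        mv "$stardir/star.fdb" "$stardir/star.fdb.old-$stamp"
    fi

    cp "$stage"/logs/* "$logdir"/ || return 2
    cp "$stage/star.fdb" "$stardir"/ || return 2

    # Confirm the installed copies are byte-identical to the staged ones.
    for f in "$stage"/logs/*; do
        cmp -s "$f" "$logdir/$(basename "$f")" || return 2
    done
    cmp -s "$stage/star.fdb" "$stardir/star.fdb" || return 2
    return 0
}

# Stand-alone use: sh script STAGE LOGDIR STARDIR
if [ "$#" -eq 3 ]; then
    install_migrated "$@"
fi
```

On the appliance the arguments would be the staging directory followed by `/var/winroute/logs` and `/var/winroute/star/data`; the service restart is still done separately, as the guide describes.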
After the copy is complete, you must restart the Kerio Control service. To do this, you must have direct access to the Kerio Control Appliance server. In the case of the Software Appliance, access is through the monitor and keyboard of the server itself on which the Kerio Control Software Appliance is installed. In the case of the Kerio Control virtual module, access is via the console of the corresponding virtualization environment. In all other respects, the actions will be the same.
To switch from the pseudographic console to the command line interface, press the key combination “Alt-F2”. At the login prompt, enter the name “root” (without quotes) and press “Enter”; in the password field, enter the password of the Admin account built into Kerio Control.


Note: Keep in mind that in Linux family OSs the password is not displayed, not even as asterisks, and if you make a mistake you cannot correct it: you will have to enter the password again.
At the command prompt, enter the following:
/etc/boxinit.d/60winroute restart
This command will restart the Kerio Control daemon (service), after which Kerio Control will “pick up” the application log data and user statistics that were previously copied.

After the Kerio Control daemon starts, you need to check the integrity of the transferred data. For this you can use the user statistics web interface and/or the administration web interface of Kerio Control.

If everything is in order with all the data, then we can consider the transition to the new Kerio Control Appliance platform complete and it remains only to complete the regular procedure for updating Kerio Control to the current version. If, with some part of the data, “everything is not in order”, then there are two options:
1) make sure that the data taken from the original Kerio Control (KWF) server was initially in order;)
2) if everything is ok with the initial data, it is necessary to repeat the procedure for transferring that part of the data with which there were problems.
3) if items 1 and 2 did not help, then leave a comment here and we will try to figure it out together :)
Now that all the important data is in place, you can "pull" the version of Kerio Control Appliance up to date. The regular update process can take place in two ways, in automatic and manual modes.
Automatic version update mode.
Kerio Control can automatically check for new versions on the Kerio update site.
- In the web administration interface, go to the menu item "Advanced options", tab "Check for updates"
- Turn on the option “Check periodically for new versions”. Kerio Control will check for new versions every 24 hours. As soon as a new version is detected, a link to download the update will be displayed on the "Check for Updates" tab. To check for an update immediately, click the “Check Now” button.
- If you want to download updated versions immediately after they are discovered, enable the option “Download new versions automatically”. As soon as the new version is downloaded, you will receive a notification in the administration web interface.
- After downloading the update, click the "Update Now" button
- Confirm your intention to upgrade and perform a subsequent automatic reboot of Kerio Control
- Wait until the new version is installed and Kerio Control is rebooted.
- Update completed.







Manual update mode.
This update mode may be useful in the following circumstances:
- Rollback to previous version of Kerio Control
- Upgrade to an intermediate or non-regular version (for example, a closed Beta release).
- Updating the gateway when the firewall's access to Internet resources is maximally restricted.
To perform an update in manual mode, you need to download a special image (Upgrade Image) from the Kerio Control download page (http://www.kerio.ru/support/kerio-control).
After downloading, follow these steps:
- In the web administration interface, go to the menu item "Advanced options", tab "Check for updates"
- Click the “Select” button.
- Specify the location of the update image file (kerio-control-upgrade.img)
- Click the “Download version update file” button
- After downloading, click the “Start Version Upgrade” button.
- Wait for the Kerio Control version upgrade and reboot
- Update completed.








Voila, you have a full-fledged Internet gateway based on the Kerio Control Appliance! Congratulations on completing the transition to Kerio Control UTM!