Version 6.1.1 of Kerio WinRoute Firewall adds support for both IPSec- and Secure Sockets Layer (SSL)-based virtual private networks (VPNs), as well as the ability to import user lists from Windows Server 2000/2003 Active Directory, making it easier for network managers to control access for large numbers of users.
Once the Administration console is opened, the application presents a network rules wizard that offers to implement pre-defined traffic policy rules that can later be altered if required. Options include allowing or denying access to all services, or choosing to allow or deny individual protocols such as HTTP, HTTPS, FTP, SMTP, DNS, POP3, IMAP and telnet traffic, with their associated port numbers.
We found it easy to migrate users from our Windows 2000 Active Directory list, just by specifying domain and server names and then clicking on the Import button. The software interface is generally clear and easy to navigate.
That said, it is not immediately obvious how to configure the various rules and relationships between specific network users, groups and the firewall. The on-screen help index is not as helpful as it could be here, which is disappointing for a package aimed at small and medium-sized companies where expert IT staff may not always be available.
There are some customisation options that allow administrators to choose which columns they want to display within the traffic policy window, such as source, destination, service and action. Individual parameters can be modified by right-clicking within each column, with new users, user groups or IP address ranges added to the source or destination options. Changes to the action column need only one click to permit, allow or deny traffic between source and destination.
A wealth of statistics and system events can be recorded, including configuration, error, warning and debug messages that help network managers see exactly what has happened within the application. The connection and web logs list which users or IP addresses connected to which web sites and when they did so – useful for those occasions when administrators have to investigate the possibility of users accessing unsuitable online content.
An integrated McAfee antivirus engine, available at extra cost, allows users to choose how often to automatically check for virus updates. Antivirus scanning can be individually applied to different types of traffic, including POP3 and email attachments, while limits can be applied to file sizes. HTTP or FTP file transfers can also be quarantined or denied.
Organisations can also pay extra for ISS’s OrangeWeb content filter to be integrated within the WinRoute software. This allows configurable lists of words, URLs and URL suffixes to be blocked, alongside peer-to-peer (P2P) traffic either by port or by service.
Administrators can view internet traffic statistics by connection, user, protocol or interface, and a histogram records total throughput in graphical form. There is also an interesting view available under the ISS OrangeWeb filter that divides content into categories such as online ordering, gambling, entertainment/culture, IT, information/communication, pornography/nudity and criminal activities, among others.
WinRoute also provides VPN options that allow remote users to securely connect into the server, using an SSL-based client to provide access from any web browser. Once the SSL VPN is set up, users can connect to the VPN login screen by typing in a specific URL that includes the name of the server and port number.
One complaint is that although WinRoute can be set to regularly check the Kerio web site to see if an update is available, it cannot automatically download and install updates. So IT administrators are forced to perform manual upgrades, and even re-install the whole application in some cases.









