Connect. Communicate. Collaborate. Securely.

Home » Kerio User Forums » Kerio Control » Need Assistance : In Suggesting User Licenses
  •  
deejas

Messages: 15
Karma: 0
Send a private message to this user
Hi

Need Assistance : In Suggesting User Licenses
Please understand and see the details below, and guide me.

For your reference network diagram attached

Headoffice is connected with 30 Remote locations through VPN Network ( GRE TUNNELS CREATED FROM ROUTER TO ROUTER with CISCO 3700 SERIES and Not with KERIO WinRoute Firewall)

Headoffice has 10 Servers, and 390 Workstations
Each remote locations has 1 Servers and minimum of 20 Workstations
Apart from this 4 Warehouse each has 50 Workstations and 1 Server

Here total numbers of Machines are 1234 Nos.

In detail Headoffice has 400 Machines
Remote locations has 630 Machines
Warehouses has 204 Machines

Purpose of the network is to have videoconferencing, VOIP, Mail, file
share and some database application sharing. All remote offices and
warehouses will connect to Headoffice for information or data.

VPN Connectivity as Follows:
Remote location does not have internet connectivity. Only Headoffice has
internet.

Now let⤙s take, we are deploying WinRoute firewall in Headoffice as
gateway machine

834 machines from remote locations and warehouses will contact Headoffice
through Firewall. 400 Machines from Headoffice connects to remote location
through Firewall.

Let⤙s consider, we are providing internet connectivity to 50
Users/machines in Headoffice and 2 users/machines from each remote
location and warehouse through WinRoute proxy (Remote location
Users/machines never come under NAT).

So total number of users/machines connected to internet is 118 Machines.
But Total number of machines on this network is 1234 Machines.

Now please suggest me how many user licenses should I go for WinRoute
firewall?

As a feature of WinRoute firewall, it releases the User/Machines if they
are inactive for 15 minutes continuously. Here WinRoute firewall
constantly specifies 45 to 60 users/machines in USE on the firewall at any
given time.

Now I need clarification for the below mentioned queries:

1 How many user licenses should I go for?

Is that the total number of computers on the Network? (Then it should
1234 User License)
Is that the total computer are in Headoffice? (Then it should 400 User
License)
Is that the computer are in remote locations? (Then it should 834 User
License)
or the displayed Users/machines in USE? (Then it should 60 User License)


Kumaresan Pandurangan
Enterprise Security & Communication Consultant

Deejas Corporation,
New Delhi, INDIA.
W http://www.deejas.in
E kumar<_at_>deejas.in
T +91 11 51832123, 124, 125, 126
  •  
winkelman

Messages: 2119
Karma: 3
Send a private message to this user
A user license is used for every computer using a 'service' from the KWF. So a computer which is blocked to access the internet, but even so constantly tries to connect anyway will use up one license. A computer which never has any dealings with the KWF will not use up a licence.

And if you have 100 computers using the Internet, but never all at the same time, you would not need 100 licenses. The actual connected clients can just never go over your number of licenses.

Quote:

Here WinRoute firewall constantly specifies 45 to 60 users/machines in USE

so in your situation 60 licenses should suffice (a little bit more would be comforting of course...)

(As I understand, this license timeout of 15 minutes was increased to some hours in some late version of KWF. I do not know this exactly...)
  •  
deejas

Messages: 15
Karma: 0
Send a private message to this user
Hi thanks for your reply.

We are discussing on how many computer connecting to internet

Here actually 45 to 60 Users connects to internet. Then this is fine. What will happen if my Headoffice computers try to connect to other location through firewall?

Or other location computers try to connect the Headoffice computers? please guide me

reson

Regards,
Kumar

Kumaresan Pandurangan
Enterprise Security & Communication Consultant

Deejas Corporation,
New Delhi, INDIA.
W http://www.deejas.in
E kumar<_at_>deejas.in
T +91 11 51832123, 124, 125, 126
  •  
winkelman

Messages: 2119
Karma: 3
Send a private message to this user
If the KWF is used in any way (for DNS, routing, filtering, DHCP, whatever) it will take a license. Not just when actually connecting to the Internet.

So the actual use depends heavily on your IP network segmentation, etc. Do ALL computers in some way have the KWF as gateway (of which only 60 or so may use the Internet)? Then you would need more licenses then just 60...
  •  
deejas

Messages: 15
Karma: 0
Send a private message to this user
Hi,

Thanks. Here you go

All headoffice machines has gateway of the KWF. (Around 400 machines) and our branch office machines are connects to headoffice for Internet and Mail and File sharing (around 800 Machines) still the status is the same.

IP segmentations as follows

Firewall (KWF) - 192.168.0.2

Headoffice - 192.168.0.3 to 192.168.0.254 (New Delhi)
192.168.1.1 to 192.168.0.254

All are in VPN (internet access restricted by the service provider. They are connecting internet through headoffice)

Location 2 - 192.168.3.1 to 192.168.3.254 (Mumbai)
Location 3 - 192.168.4.1 to 192.168.4.254 (Agra)
Location 4 - 192.168.5.1 to 192.168.5.254 (Bangalore)
Location 5 - 192.168.6.1 to 192.168.6.254 (Chennai)
--
--
--
Location 27 - 192.168.28.1 to 192.168.28.254 (Jaipur)

Kumaresan Pandurangan
Enterprise Security & Communication Consultant

Deejas Corporation,
New Delhi, INDIA.
W http://www.deejas.in
E kumar<_at_>deejas.in
T +91 11 51832123, 124, 125, 126
  •  
deejas

Messages: 15
Karma: 0
Send a private message to this user
Please find the network diagram


Kumaresan Pandurangan
Enterprise Security & Communication Consultant

Deejas Corporation,
New Delhi, INDIA.
W http://www.deejas.in
E kumar<_at_>deejas.in
T +91 11 51832123, 124, 125, 126
  •  
winkelman

Messages: 2119
Karma: 3
Send a private message to this user
Ok.

So if any one of the ~1200 PC's tries to use the Internet it will somehow end up and the KWF (who will then decide if it is allowed for that specific machine or not). Richt?

In that case it gets tricky. You don't need ~1200 licenses, because not all machines will be actually using the KWF at once. Saying "no, you can't use the Internet" to a PC will also take a license for a short while so you may need more then just the number of PC's that actually are allowed to use the Internet. But then agina, not all PC's will actually use the Internet at the same time.

Quote:

Here WinRoute firewall constantly specifies 45 to 60 users/machines in USE

Where did you get this? Do you already run KWF (in trial or something)?
  •  
deejas

Messages: 15
Karma: 0
Send a private message to this user
Yes. I already implemented KWF on the network. And need to decide on number of license.

Kumaresan Pandurangan
Enterprise Security & Communication Consultant

Deejas Corporation,
New Delhi, INDIA.
W http://www.deejas.in
E kumar<_at_>deejas.in
T +91 11 51832123, 124, 125, 126
  •  
winkelman

Messages: 2119
Karma: 3
Send a private message to this user
Then just go to the 'title page' of the Kerio Administration Console when connected to your KWF. There is mentioned how many users are "in use". Monitor this value for some time, take the highest number, add some for your own comfort and there you go.
  •  
deejas

Messages: 15
Karma: 0
Send a private message to this user
then it would be 60 May i right

Kumaresan Pandurangan
Enterprise Security & Communication Consultant

Deejas Corporation,
New Delhi, INDIA.
W http://www.deejas.in
E kumar<_at_>deejas.in
T +91 11 51832123, 124, 125, 126
Previous Topic: Winroute vs ISA
Next Topic: Can I able to setup multiple gateways by using KWF?
Goto Forum:
  


Disclaimer:
Kerio discussion forums are intended for open communication between forum members and may contain information and material posted by members which may be useful in learning about Kerio products. The discussion forums are not intended to provide technical support for any specific product. Any information implied or expressed in the discussion forums is that of the posting member. Kerio is in no way responsible for the information posted in the forums, or its accuracy. Kerio employees may participate in the discussions, but their postings do not represent an offical position of the company on any issues raised or discussed. Kerio reserves the right to monitor and maintain the forums to promote free and accurate exchange of information.

Current Time: Wed Nov 22 04:31:26 CET 2017

Total time taken to generate the page: 0.00456 seconds
.:: Contact :: Home ::.
Powered by: FUDforum 3.0.4.