Kerio WinRoute Firewall
Strengths: Good range of protection and filtering.
Weaknesses: Lacks more advanced features.
Verdict: A good option for those smaller environments with more modest needs.
This was the only software being tested. WinRoute is intended to be installed on Windows systems, and there must be doubts about the product's viability as Microsoft continues building features into ISA Server. For now, WinRoute is cheaper and offers features ISA does not.
The software set up with no glitches. The internal Windows firewall had to be disabled, which the installer took care of. Technically, we feel this should have been left until after the required reboot.
A wizard walks through initial configuration. It can be rerun any time, but this removes existing rules and replaces them. The same admin client can manage remote Kerio firewalls through the same interface, and a basic address book keeps them organized.
The actual firewall rules options are pretty basic, specifying source, destination and services. But every piece has to be set up in separate panels, so we ended up clicking all over the place just to set up simple rules. The process is less arduous for editing existing rules.
Content filtering comes as a page-classification service licensed from ISS. While it caches known page results locally, any new page request results in a connection to ISS to retrieve the data, which will result in a noticeable page load delay on slow connections. We'd prefer a local cache of the whole database with periodic updates.
AV is included with McAfee's engine and support for others.
There is almost no context help, although most of the interface is intuitive, but the manual is more than adequate.
Two VPN options are provided, one using a proprietary IPsec-like set-up with Kerio's own endpoint client, and an SSL VPN.
In general, logging is split into several categories (VPN activity, firewall exceptions, and others), so different functions can be tracked separately. No options to filter or process the logs is provided, so you have to export the logs (or log to syslog) and do analysis yourself.
This is not a bad offering, and is an attractive option for smaller organizations, although some parts of the GUI could be better.