The way Kerio Network Monitor works implies a few small limitations. Keep them in mind, especially when choosing the computer on which to install Kerio Network Monitor.
If your network contains a switch (switching hub), keep in mind that it does not send all data to all of its ports! Kerio Network Monitor, however, requires all the data to be present in the segment to which “its” computer is connected.
There are several solutions:
install Kerio Network Monitor directly on the computer that is connected to the Internet. This solution is always recommended when the internet gateway runs a Windows-type operating system. (Kerio Network Monitor must then be set up to monitor the “inner” network adapters; see chapter 6.1.)
some types of switches can be configured to send all data to one (so-called monitoring) port. The station on which Kerio Network Monitor Daemon runs can be connected to this port.
insert a small hub between the switch and the internet gateway (3 ports are enough: one for the switch, the second for the internet gateway and the third for the computer where Kerio Network Monitor Daemon runs).
If the network is divided by a router into several IP segments, Kerio Network Monitor Daemon must be installed on a computer in the same segment as the internet gateway.
If the network has several segments and each of them is connected directly to the internet gateway, Kerio Network Monitor must be installed directly on the gateway. Otherwise it will monitor only the data in the segment to which it is connected.
A network administrator naturally also wants to monitor the volume of data transferred via electronic mail (E-mail) and accepted by the local mail server.
The most common case is a mail server running on the computer that is also the internet gateway. Kerio Network Monitor then “sees” only the local communication of the clients with the mail server. The default configuration of Kerio Network Monitor contains rules that treat this communication as Internet communication (so that the volume of the data is measured). Keep in mind that the volume of data is also measured when users send mail locally to each other.
If the mail server runs on another (“inner”) computer, Kerio Network Monitor records E-mail communication outside of the local network twice: when the client communicates with the mail server in the Internet. In that case it is useful to change the predefined rules for the SMTP, POP3 and IMAP services so that they apply only to the IP address of the mail server, e.g.:
<192.168.1.10> <255.255.255.255> TCP25 on Internet
and add rules for ignoring any other mail communication, e.g.:
<all addresses> <all addresses> TCP25 discard packet
These rules must be placed lower in the list of rules than the rules for the particular mail server. A detailed description can be found in chapter 6.1.
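The ordering requirement above, shown as an added example that is not part of the original manual or of Kerio's software. It assumes that rules are evaluated top to bottom with the first match deciding the action, and that a rule's address and mask are compared against the local host's address; the client address 192.168.1.20 and the 0.0.0.0/0.0.0.0 encoding of <all addresses> are constructed for the example.

```python
import ipaddress

# Rule fields follow the two rules quoted above: address, mask, service, action.
# "0.0.0.0"/"0.0.0.0" stands in for <all addresses> (constructed encoding).
MAIL_SERVER_RULE = ("192.168.1.10", "255.255.255.255", ("TCP", 25), "on Internet")
DISCARD_MAIL_RULE = ("0.0.0.0", "0.0.0.0", ("TCP", 25), "discard packet")


def rule_matches(rule, host, service):
    """True if host lies inside the rule's address/mask and the service is equal."""
    address, mask, rule_service, _action = rule
    network = ipaddress.ip_network(f"{address}/{mask}", strict=False)
    return service == rule_service and ipaddress.ip_address(host) in network


def classify(rules, host, service, default="no rule matched"):
    """Assumed first-match evaluation: the first matching rule decides the action."""
    for rule in rules:
        if rule_matches(rule, host, service):
            return rule[3]
    return default


def classify_all(rules, hosts, service=("TCP", 25)):
    """Map each host to the action chosen for its traffic on the given service."""
    return {host: classify(rules, host, service) for host in hosts}


# Constructed local hosts: the mail server from the rule above and one client.
HOSTS = ["192.168.1.10", "192.168.1.20"]

# Order required by the text: mail server rule first, discard rule below it.
CORRECT_ORDER = [MAIL_SERVER_RULE, DISCARD_MAIL_RULE]
# Reversed order: the catch-all discard rule shadows the mail server rule.
WRONG_ORDER = [DISCARD_MAIL_RULE, MAIL_SERVER_RULE]

if __name__ == "__main__":
    for name, rules in (("correct", CORRECT_ORDER), ("wrong", WRONG_ORDER)):
        print(name, classify_all(rules, HOSTS))
```

With the discard rule placed first, SMTP traffic of the mail server itself is discarded as well, so its mail volume would no longer be measured.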
A problem similar to that of a mail server located on the internet gateway arises when monitoring the communication of clients with a proxy server when the data is taken from its cache: this data will also be evaluated as downloaded from the Internet.
This problem can be avoided only by switching off the cache, which can be undesirable under some conditions.