Kerio WinRoute Firewall 6.0 is a comprehensive tool for connecting a local network to the Internet and protecting that network from intrusions. It is developed for Windows 2000, XP and 2003.
With Network Address Translation (NAT) technology, the local private network can be connected to the Internet through a single public IP address (static or dynamic). Unlike proxy servers, with NAT technology all Internet services will be accessible from any workstation and it will be possible to run most standard network applications, as if all computers within the LAN had their own connection to the Internet.
The integrated firewall protects the entire local network, including the workstation it is installed on, regardless of whether the NAT function (IP translation) is used or WinRoute is used as a neutral router between two networks. Kerio WinRoute Firewall offers the same standard of protection found in much more costly hardware solutions.
All the security settings within WinRoute are managed through so-called traffic policy rules. These provide effective network protection from external attacks as well as easy access to all the services running on servers within the protected local network (e.g. Web server, mail server, FTP server, etc.). Communication rules in the traffic policy can also restrict local users' access to certain services on the Internet.
Typically, problems with the Internet connection arise when a user attempts to download a large volume of data (installation archive, disk image, audio/video file, etc.), which slows down the connection to the Internet and to other server services for other users. WinRoute's built-in Bandwidth Limiter module makes it possible to reserve bandwidth for large data transfers. The rest of the bandwidth will be constantly available for other services.
You may come across applications that do not support standard communication and that may, for instance, use incompatible communication protocols. To address this problem, WinRoute includes so-called protocol inspectors, which identify the appropriate application protocol and modify the firewall's behavior dynamically, for example by granting temporary access to a specific port (the firewall can temporarily open the port demanded by the server). FTP in the active mode, Real Audio and PPTP are just a few examples.
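What a protocol inspector does for active-mode FTP behind NAT, as an added example (not Kerio's code and not part of the original text): it reads the client's PORT command, rewrites it to the firewall's public address, and opens a single-use, time-limited pinhole for the server's data connection. The class and method names, the addresses and the port range are assumptions made for the illustration.

```python
import re
import time

# Active-mode FTP: the client announces where the server should connect back.
PORT_RE = re.compile(rb"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r\n$")


class FtpInspector:
    """Illustrative FTP control-channel inspector for a NAT firewall (hypothetical names)."""

    def __init__(self, public_ip, ttl=30.0, first_port=50000):
        self.public_ip, self.ttl, self.next_port = public_ip, ttl, first_port
        self.pinholes = {}  # public_port -> (server_ip, client_ip, client_port, expires)

    def inspect(self, line, client_ip, server_ip, now=None):
        """Return the control-channel line to forward from client to server."""
        now = time.monotonic() if now is None else now
        m = PORT_RE.match(line)
        if not m:
            return line  # any other command passes through unchanged
        nums = [int(g) for g in m.groups()]
        if any(n > 255 for n in nums):
            raise ValueError("malformed PORT argument")
        addr, port = ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]
        # Accept only the requesting client's own address and an unprivileged port.
        if addr != client_ip or port < 1024:
            raise ValueError("PORT target rejected")
        public_port, self.next_port = self.next_port, self.next_port + 1
        self.pinholes[public_port] = (server_ip, client_ip, port, now + self.ttl)
        host = self.public_ip.replace(".", ",")
        return f"PORT {host},{public_port >> 8},{public_port & 0xFF}\r\n".encode()

    def admit(self, src_ip, dst_port, now=None):
        """Return (client_ip, client_port) for an allowed inbound data connection, else None."""
        now = time.monotonic() if now is None else now
        hole = self.pinholes.get(dst_port)
        if hole is None:
            return None
        server_ip, client_ip, client_port, expires = hole
        if now > expires:
            del self.pinholes[dst_port]  # pinhole timed out unused
            return None
        if src_ip != server_ip:
            return None  # only the FTP server of this session may use it
        del self.pinholes[dst_port]  # single use: closed once the data connection is admitted
        return client_ip, client_port


if __name__ == "__main__":
    fw = FtpInspector("203.0.113.10")  # constructed documentation addresses
    print(fw.inspect(b"PORT 192,168,1,20,19,137\r\n", "192.168.1.20", "198.51.100.5"))
    print(fw.admit("198.51.100.5", 50000))
```

The port stays closed to every other source address and closes again after one data connection or when the timeout passes, which is what distinguishes an inspector from a static port mapping.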
WinRoute has a built-in DHCP server, which sets TCP/IP parameters for each workstation within your local network. Parameters for all workstations can be set centrally from a single point. This reduces the amount of time needed to set up the network and minimizes the risk of making a mistake during this process.
The DNS forwarder module enables easy DNS configuration and faster responses to DNS requests. It is a simple type of caching nameserver that relays requests to another DNS server. Responses are stored in its cache, which significantly speeds up responses to frequent requests. Combined with the DHCP server and the system's HOSTS file, the DNS forwarder can also be used as a dynamic DNS server for the local domain.
All settings are performed in the Kerio Administration Console, an independent administration console used to manage all of Kerio's server products. It can be run either on the workstation with WinRoute or on another host within the local network or the Internet. Communication between WinRoute and the administration console is encrypted and thus protected from being tapped or misused.
WinRoute works with standard TCP/IP protocols. From the point of view of workstations within the local network it acts as a standard router and no special client applications are required. Therefore, any operating system with TCP/IP, such as Windows, Unix/Linux, Mac OS etc., can be run within the LAN.
Note: WinRoute can work with the TCP/IP protocol suite only. It does not affect the functionality of other protocols (e.g. IPX/SPX, NetBEUI, AppleTalk, etc.).
WinRoute can monitor all HTTP and FTP communication and block objects that do not match given criteria. The settings can be global or defined specifically for each user.
WinRoute can perform antivirus checks of transmitted files. For this purpose, either the built-in McAfee antivirus or an external antivirus program (e.g. NOD32, AVG, etc.) is available. Antivirus checks can be applied to the HTTP, FTP, SMTP and POP3 protocols.
If WinRoute is employed in a network using an Active Directory domain, it is not necessary to create local accounts or import users from the domain, as Active Directory accounts can be used in WinRoute directly. This option simplifies administration of user accounts, especially with a large number of users.
WinRoute can send email alerts informing users about various events. This function makes firewall administration easier for administrators, since they need not connect to WinRoute frequently to check on it. All sent alerts are saved in a special log file.
A limit can be set on the data transmitted by each user. This limit can be set for the amount of downloaded and/or uploaded data per day/month. These limits are called quotas. If any quota is exceeded, the connection to the Internet will be blocked for the corresponding user. An email alert can optionally be sent to the user.
WinRoute can detect and block so-called Peer-to-Peer networks (networks used for sharing files, such as Kazaa, DirectConnect, etc.).
Detailed statistics of the firewall interface (current speed of transmitted data, amount of data transmitted in certain time periods) as well as of individual users (amount of transmitted data, used services, visited websites and their categories, etc.) can be viewed in WinRoute.
Basic statistics are available in the administration program while detailed statistics can be found in the firewall's web interface.
WinRoute also provides a proprietary VPN solution which can be applied in the server-to-server and client-to-server modes. This VPN solution can perform NAT (even multiple) at both ends. The Kerio VPN Client software, included in the WinRoute package, can be used to create client-to-server VPN connections (connection of remote clients to local networks).
Instead of the VPN solution, which requires a special application on the client side, a private network can be accessed remotely using a web browser. Clientless SSL-VPN enables browsing through hosts and shared items in remote networks as well as downloading and saving files. The traffic is secured by SSL (HTTPS).