Overview
Kerio Control 9.5.0 has been released and is available for download.
- Release date: June 5, 2025
- Build ID: 8778
New Features
New IPS Engine with Better Performance
The IPS engine with speed enhancements was originally introduced in the initial launch of 9.5. The updated Intrusion Prevention System (IPS) engine continues to deliver 20–40% better performance, depending on deployment. Functionally, there are no major changes to IPS behavior compared to previous builds. Based on early access feedback from the original 9.5 release, this build includes refinements and stability improvements.
New Feature: OpenVPN Support
The new OpenVPN server is available in the standard interface section of the Kerio Control GUI.
After enabling the server, users can connect by:
- Importing their profile into a client. This may trigger an HTTPS connection to the Kerio Control web server.
  - If attempted outside the firewall without the necessary firewall rules, the connection may fail.
  - If importing the profile from within the LAN, it will work without issue.
Alternatively, users can log in to their Kerio Control account (e.g., https://[YourKerioControlIP]:4081/login) and download the OpenVPN profile for use on other devices (like mobile phones). This profile can then be imported locally on the device where the VPN connection is being set up, even if that device is outside the Kerio Control network.
⚠️ If your firewall rules are strict, don't forget to explicitly allow OpenVPN services.
OpenVPN joins Kerio VPN and IPSec as the third supported VPN protocol, and it's ideal for mobile and cross-platform users.
New Feature: Shield Matrix
Shield Matrix is part of the Kerio Control Security Add-On, alongside IPS and antivirus. You can manage the feature via Configuration > Shield Matrix. It's enabled with a simple checkbox.
The system performs near real-time updates, which ensures the threat IP database is always current, enabling zero-hour protection against emerging threats:
- Current update interval: every 60 minutes
- Planned future update: every 15 minutes (planned for public release)
- IPs are gathered via a global network of honeypots and traps.
Each attack attempt is analyzed by AI to assign a confidence level (Low, Medium, High). This analysis is performed entirely on the update server, which aggregates and processes global data. No processing takes place on the Kerio Control appliance itself, ensuring optimal performance and minimizing resource impact on your local device.
Customizable Responses
You can set what happens based on threat confidence level (high, medium, low). Connections from flagged IPs will be dropped instantly, with no response sent back to the attacker. For TCP-based attacks, this means the handshake will never complete, effectively stopping the connection before any data exchange occurs.
Visibility and Logs
The Status > Shield Matrix screen shows connections from the past 5 minutes. In future updates, this visibility will be extended to cover longer periods and will include grouping functionality to enhance navigation, analysis, and overall workflow. Logging can be found under debug messages:
- shieldMatrix
- packet dropped for some reason
Shield Matrix operates immediately after the global GeoIP check, so from a processing perspective it is the second engine to process your traffic.
Known UI Issue
You may see a "Failed to update database" message when no new update is available. This is a display issue, not an actual failure.
Fixes and Improvements
This build also includes a number of stability fixes and enhancements across core functionality:
- Fixed issue with AppManager-designated IP groups not working in Kerio Control
- Resolved crash caused by changing SSL cert on VPN server
- Fixed FTP backup path issues with special characters
- Added X-Forwarded-For headers in NAT scenarios
- Corrected email traffic detection on port 443 (was misclassified as P2P)
- Fixed RADIUS auth failures for Windows 11 clients
- Added detailed logging for winroute.cfg checksum issues
- Improved DHCP client behavior for ISP address changes on WAN
These improvements complement the introduction of OpenVPN and Shield Matrix, and are part of our ongoing effort to enhance Kerio Control's security, reliability, and usability.
Ciprian Nastase