Making an "IP whitelist" from an IPGroup

HelderConde

Hi,

I've been using WinRoute for a couple of weeks and I'm well familiar with it. Great product by the way! But now, I need to set up certain rules and I haven't been able to accomplish what I actually need. Here is my situation.

I have a few servers outside my network, to which I want to grant access. So, anyone on my network can access those servers via HTTP and HTTPS.

I also want to make a small whitelist with some websites that are Ok for them to visit, like customers sites, partners sites, etc.

Easy: I set up a rule that will allow HTTP and HTTPS traffic on the Traffic Policy section and also set up a "Permit" rule on the HTTP Policy section, which will allow traffic to a certain URL Group. No big deal.

Now, here is the tricky part. I need to make a blacklist that is very restrictive. I don't want any other websites to work, other than the ones that are on those particular servers and on the whitelist. I can make an HTTP Policy that will block everything, but it will block the sites that are not explicitly on the whitelist.

The servers I mentioned are our own servers, and they have dozens of sites. I don't think that having to manually set up a whitelist for each site is an elegant solution. I'd like to have something like "whatever is on this IP Group is also part of the whitelist". Do you understand what I mean?

In other words: I want the Permit policy to take into account the "whitelist" with the URL Groups *AND* the IPGroups of the external servers. Is this possible?

Our trial will run for 7 days more and I'm really interested in purchasing WinRoute. It would be very nice if you guys could help me with that.

Best regards and thanks in advance.

Helder Conde
Atitude Digital Media
Brazil

RHarmsen.nl

First, it might be wise to contact Kerio the official way, through http://support.kerio.com

Concerning your question, perhaps you don't want to create the IP whitelist rules in the HTTP Policy, but in the Traffic Policy window of WinRoute.

First you can define the IPGroup whitelist in the Address Groups definition, and then add a rule to the traffic policy so everything to/from those IPs is allowed.

And then the other rules can be checked; in this way the IPs in the group will always be reachable.

Good luck

HelderConde

Hi,

Thanks for your reply. In fact, I've already done what you described, but still no luck.

Here are the steps I've taken:

1. Created a Traffic Policy to allow HTTP traffic to the web

2. Created an Address Group with my own external server IPs (My Servers)

3. Created a Traffic Policy that would allow traffic to and from those servers (My Servers)

4. Created an HTTP Policy to allow * from My Servers Group

5. Created an HTTP Policy to allow * from a URL Group (with the other sites I want to grant access to), named "OK Sites"

6. Created an HTTP Policy to block * from Any.

As far as I understand, I should be able to navigate to all sites on the "Ok Sites" URL Group *AND* to any sites from the servers that are on that "My Servers" Address Group.

However, in practice, that's not what happens. I'm able to navigate on the "OK Sites" URL Group sites, but not on the sites from the "My Servers" address group.

Does anyone have any idea on how to fix this?

Thanks very much,

Helder

Jan Jezek (Kerio)

The only idea I have is to disable the protocol inspector in the traffic policy rule that allows your address group. That way you will get around the 'block * from Any' content policy for those addresses.

Jan Jezek
Product Development Manager - Kerio Control
Kerio Technologies

Night Shadow

You can use the "ISS Orange Filter" in WinRoute to filter the websites you want.

But remember you must make an ISS Orange "permit" rule and put the websites you want in this filter, and make the other rule "deny".


RHarmsen.nl

You need to place the Traffic Policy rule that allows traffic to/from your servers above the HTTP rule, as WinRoute processes all rules from top to bottom.

Perhaps you could describe the order of the rules you have set (or make a screenshot) in order to better understand how you have configured everything.

HelderConde

Hi,

Thanks for helping me with this. With your help, I managed to make it work. Yessss!

Here is what I did:

1. Made a Traffic Policy rule to allow HTTP/HTTPS to ANY.

2. Made an Address Group named "My Servers" with the IPs I want to have unrestricted access to.

3. Made a Traffic Policy rule to allow HTTP / HTTPS only to "My Servers" Address Group *AND* DISABLED Protocol Inspector for this rule. This is important!

4. Placed rule 1 *UNDER* rule 2. This is also important!

5. Made a URL Group named "Ok Sites" with additional sites I want to grant access to, which are not on my own servers.

6. Made an HTTP Policy rule to Allow * from the URL Group.

7. Made an HTTP Policy rule to Block * and placed it below all other HTTP Policy rules. This is important, too!


By doing this, it worked just the way I needed: I'm able to navigate on any sites that are on "My Servers Group" (without me having to manually insert each of them in a list), navigate sites from other servers ("Ok Sites" URL Group) and block every other site.

Basically, I have a whitelist that is composed of URLs and IPs. Everything else is blocked. Great!

A little tricky, but works flawlessly!

Thank you guys so very much.

Best regards,

Helder Conde
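The rule-ordering behaviour worked out across this thread (Jan's "disable the protocol inspector on the address-group rule", RHarmsen's "top to bottom" and Helder's final seven steps) can be modelled in a few lines. The following is an added example and not Kerio's code or anything posted in the thread: it assumes first-match, top-to-bottom evaluation for both rule tables, assumes that a Traffic Policy rule with the protocol inspector disabled hands the connection through without the HTTP Policy ever seeing it, and uses made-up addresses and hostnames (RFC 5737 documentation ranges and `.example` names).

```python
"""Added example: first-match evaluation of a Traffic Policy and an HTTP Policy.

This is a constructed model of the behaviour described in the thread, not
Kerio's implementation. Assumptions: rules are checked top to bottom and the
first match wins; a Traffic Policy rule with the protocol inspector disabled
passes the connection without the HTTP Policy ever seeing it. Addresses and
hostnames below are made up (RFC 5737 documentation ranges).
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass
class TrafficRule:
    name: str
    dst_networks: List[str] = field(default_factory=list)  # empty list = ANY
    action: str = "allow"
    protocol_inspector: bool = True


@dataclass
class HttpRule:
    name: str
    url_group: List[str] = field(default_factory=list)     # empty list = ANY (*)
    action: str = "allow"                                 # "allow" or "block"


def match_traffic(rules: List[TrafficRule], dst_ip: str) -> Optional[TrafficRule]:
    """Return the first Traffic Policy rule whose destination covers dst_ip."""
    ip = ip_address(dst_ip)
    for rule in rules:
        if not rule.dst_networks or any(ip in ip_network(n) for n in rule.dst_networks):
            return rule
    return None


def match_http(rules: List[HttpRule], host: str) -> Optional[HttpRule]:
    """Return the first HTTP Policy rule whose URL group covers host."""
    for rule in rules:
        if not rule.url_group or host in rule.url_group:
            return rule
    return None


def evaluate(traffic: List[TrafficRule], http: List[HttpRule], dst_ip: str, host: str) -> str:
    """Decide one web request and name the rule that decided it."""
    t = match_traffic(traffic, dst_ip)
    if t is None or t.action != "allow":
        return "blocked by traffic policy (%s)" % (t.name if t else "implicit deny")
    if not t.protocol_inspector:
        # Inspector off: the HTTP Policy is skipped for this connection entirely,
        # so the address group alone decides; keep that group tightly scoped.
        return "allowed by %s (inspector off, HTTP policy skipped)" % t.name
    h = match_http(http, host)
    if h is None or h.action != "allow":
        return "blocked by HTTP policy (%s)" % (h.name if h else "implicit block")
    return "allowed by %s + %s" % (t.name, h.name)


# Constructed configuration mirroring the working setup from the thread.
MY_SERVERS = ["203.0.113.0/24"]                      # made-up external server range
OK_SITES = ["partner.example", "customer.example"]   # made-up URL group

SPECIFIC = TrafficRule("My Servers", MY_SERVERS, "allow", protocol_inspector=False)
GENERAL = TrafficRule("HTTP/HTTPS to ANY")           # inspector stays on
HTTP_POLICY = [HttpRule("Ok Sites", OK_SITES, "allow"), HttpRule("Block *", [], "block")]

RIGHT_ORDER = [SPECIFIC, GENERAL]   # specific rule above the general one (Helder's step 4)
WRONG_ORDER = [GENERAL, SPECIFIC]   # general rule shadows the specific one


def demo() -> dict:
    """Run the four cases that matter and return which rule decided each one."""
    return {
        "own server, right order": evaluate(RIGHT_ORDER, HTTP_POLICY, "203.0.113.10", "site1.example"),
        "own server, wrong order": evaluate(WRONG_ORDER, HTTP_POLICY, "203.0.113.10", "site1.example"),
        "whitelisted site": evaluate(RIGHT_ORDER, HTTP_POLICY, "198.51.100.5", "partner.example"),
        "anything else": evaluate(RIGHT_ORDER, HTTP_POLICY, "198.51.100.5", "random.example"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The "wrong order" case reproduces the failure from Helder's second post: the general ANY rule matches first, the inspector stays on, the hostname is not in "Ok Sites", so "Block *" wins. The flip side of the working configuration is that hosts in "My Servers" get no HTTP content filtering at all, so membership of that address group is the whole trust decision and is worth reviewing whenever a server is added or repurposed.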

an2ny79

I think the main point to consider here is: Traffic and HTTP Policies are in HIERARCHY order.