Home » Kerio User Forums » Kerio Control » need help?!...
  •  
Mr.CuPRa

Messages: 9
Karma: 0
I am using Kerio in my office and it's really helpful, especially with web filtering, but I had a problem and I hope it can be solved. Some of the employees can still access the websites that I have blocked. They do it by using HTTPS: by writing an 'S' after the HTTP they gain secured access. For example, I'm blocking "www.facebook.com", but some of them can still get access by writing it this way: "https://www.facebook.com". That's my problem, as I am looking for a way to completely block these websites...
  •  
robsik

Messages: 75

Karma: 0
There is no possibility to inspect the HTTPS protocol - it's a kind of point-to-point connection.

Robert
  •  
KursadOlmez

Messages: 118
Karma: 3
Hi Mr.CuPRa

Instead of using Kerio Web Filter, you can block any kind of website or address by creating a Traffic Rule as shown in the image below and placing that rule at the top, above your NAT (Internet Access rule for clients).

You can customize that rule by changing the Source. You can use an IP Group, User or User Group for the Source, so you can apply that rule to specific clients or groups rather than your whole network.

http://proxima.web.tr/pub/kerio/Traffic-Policy-Fbook.png




[Updated on: Fri, 14 May 2010 23:48]

  •  
KursadOlmez

Messages: 118
Karma: 3
I realized that users can access the site with an address like www.facebook.com/I.Kursad.Olmez. The policy above only runs for facebook.com or www.facebook.com.

So here is the updated rule with IP address ranges of Facebook.

http://proxima.web.tr/pub/kerio/Traffic-Policy-Fbook-Updated.png

  •  
winkelman

Messages: 2119
Karma: 3
I think this is an increasing problem that Kerio should address. Ever more sites are switching to HTTPS and this makes it more and more difficult to control access.

Before, I could just use the web filter to block access to 'Webmail' sites (such as Hotmail or Gmail), but now I have to manually create and maintain a list of sites, IP addresses, etc. to block access. Impossible! Well, at least very impractical. That's not why I purchased the web filter! :)

Now I do understand KWF cannot look into the encrypted HTTP streams, so it doesn't know what's going on. But Kerio DOES know the IP address of the destination, so it could do a reverse IP look-up and block the traffic if it goes to a site listed in a certain web filter category. Or not just put categories onto URLs, but onto IP addresses as well. Then the reverse look-up is not even needed.

Sure, this is a 'blanket' approach, since behind a single IP address, a lot of different sites can be present.

And they could also 'solve' this problem during the DNS requests, same way as you can block groups of sites using OpenDNS. I could start using OpenDNS, but I'd rather have the filtering going on in one place (KWF)...
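
Added example, not part of winkelman's post and not Kerio code: a Python sketch of the idea above, where a gateway tags destination IP addresses with a category learned from DNS answers, so the connection decision is identical for port 80 and port 443. The `CATEGORIES` table, the `GatewayFilter` class and all addresses (documentation ranges) are constructed assumptions.

```python
import ipaddress

# Constructed category list (assumption): domain suffix -> filter category.
CATEGORIES = {"facebook.com": "social", "webmail.example": "webmail"}
BLOCKED_CATEGORIES = {"social", "webmail"}


def category_for(name):
    """Match on whole DNS labels, so 'www.facebook.com' hits the
    'facebook.com' entry but 'notfacebook.com' does not."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        cat = CATEGORIES.get(".".join(labels[i:]))
        if cat:
            return cat
    return None


class GatewayFilter:
    """Hypothetical gateway that sees DNS answers and new connections."""

    def __init__(self):
        self.ip_category = {}  # learned mapping: ip -> category

    def on_dns_answer(self, name, addresses):
        """Record the category of every address returned for a listed name."""
        cat = category_for(name)
        if cat:
            for addr in addresses:
                self.ip_category[ipaddress.ip_address(addr)] = cat
        return cat

    def allow_connection(self, dst_ip, dst_port):
        """Layer 3/4 decision: only the destination IP is consulted, so
        HTTP (80) and HTTPS (443) are treated the same."""
        cat = self.ip_category.get(ipaddress.ip_address(dst_ip))
        return cat not in BLOCKED_CATEGORIES


if __name__ == "__main__":
    gw = GatewayFilter()
    gw.on_dns_answer("www.facebook.com", ["192.0.2.10"])     # constructed answer
    gw.on_dns_answer("wiki.partner.example", ["192.0.2.10"])  # same shared IP
    for port in (80, 443):
        print(port, gw.allow_connection("192.0.2.10", port))
    # The unrelated site on the shared IP is blocked too: the 'blanket' effect.
    print(gw.allow_connection("198.51.100.7", 443))
```
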
  •  
Reinaldo

Messages: 226
Karma: -8
Unfortunately we are increasingly seeing this happening with our customers in Brazil. This is a big issue for the Web Filter piece and also for the URL filtering.
Is there a solution in the roadmap for this? Any workaround? I have many requests from current users and prospects.
Thanks,
Reinaldo