Restrict adminsite access
  •  
Dukeman

In previous versions of Control where we had the admin console application, access to the admin section could be controlled by specifying a FW rule which allows access to the admin port for specific users/groups.

The latest versions only have web access, so blocking the admin port wouldn't do anymore, because login and admin run on the same port.

I'd like to restrict access to the admin site for every user except for some specific users, who could authenticate through the normal login at the Firewall (/login/index.php).
I need to open the HTTPS port to the login section (and therefore the admin section) for users outside the network, so some additional services become available after login (remote working).

How can I manage this? I guess this, somehow, could be done by creating some HTTP rules, but I'm afraid I'll block myself...

I know I can set up who has access to the admin section (on the user sheet), so users (or hackers) cannot log in, but they can try to log in or try to hack the admin site.


Any help would be appreciated.

[Updated on: Thu, 22 November 2012 14:32]

  •  
Dukeman

Little kick: unfortunately no one knows how to do this? :(
  •  
Lucian Maly (Kerio)

Create a rule that allows the Kerio Control WebAdmin service only from a certain IP range.

Kerio Technologies AU Pty Ltd.
  •  
Dukeman

Thank you for your reply.

Unfortunately (I think) this won't work, because some people need to gain remote access to internal services. They use the common login functionality (/login/login.php) to identify themselves to open external ports (RDP for example).

When I restrict access to the webadmin port (which runs at 4081 for both admin and login) I'll block access to the login form as well. Unfortunately some of the people don't have a fixed IP address (but get a DHCP lease from their ISP), so I cannot add these addresses to an address group.

I hope you have another idea.

I hoped it could be done with (for example) an HTTP Policy rule, however the following part from the manual seems to restrict it, because it needs to filter on the path of the page and not only the server name:

Quote:
HTTP Policy - Protocol -- by default, unsecured traffic is filtered (HTTP). Kerio Control allows to apply filtering also to secured connections (HTTPS), but only by server name. The rest of the condition is ignored. It is therefore possible to allow or block access to a particular server, without the option to allow or block access to individual pages located on the server.