Connect. Communicate. Collaborate. Securely.

Home » Kerio User Forums » Kerio Control » Automatically detect settings

Messages: 326
Karma: 5
Send a private message to this user
Appliance 8Rc1
If this option is enabled in internet options, Internet explorer loading first page 15 sec.
if is disable, all is fine.
What can be a problem?

Question cannot be stupid, but some of the answers can.
Matt W.

Messages: 4
Karma: 3
Send a private message to this user
Just wanted to quickly reply and tell you that I'm working on a much longer response about this very problem and am working with Kerio to resolve the issue and/or find a better work-around. Stay tuned for a longer more detailed response! --Matt
Matt W.

Messages: 4
Karma: 3
Send a private message to this user
For Kerio employees reading this thread, my Support Ticket ID # is: SKH-148599

Here's a copy/paste of the info I just sent to Kerio Support regarding this issue that at least as of this morning, Kerio has no record of anything related to "Automatically detect settings" or "WPAD" in their bug database. Hopefully, they will soon. Wink

I'm posting this here in this manner 1) for efficiency's sake, and 2) in case any of the info helps others contribute other ideas or scenarios that help get this issue resolved sooner.

Note: I do *not* intend to copy/paste other details or updates from the ticket as this progresses, but rather short summaries of recent findings or status updates.

PPS - Just before posting, I got a message from the forum: "You cannot use links until you have posted more than 5 messages." Therefore, I've disabled each link below in a way I hope you can quickly re-structure back into a link.

Cheers! --Matt
Kerio Support,

For starters, please disregard the past contents of the current ticket for a minute. Here is the NEW SUMMARY of my issue:

"While connected to any recent version of Kerio Control via any recent version of Kerio VPN Client for Windows, *some* secure Web pages take 15-45 seconds to load while each certificate related to the site has its revocation status checked. This issue seems to only happen while the "Automatically detect settings" box is checked under IE's Proxy/LAN Settings config page."

With this NEW summary in mind, here are many other notes, findings, and tests to consider as it relates to what I believe is a bug with Kerio Control at the proxy server level:

1. Adding as many hostnames as possible to the host table does not help with performance or the issue at hand. This is not a DNS issue (at least not as it relates to translating a hostname to an IP Address).
2. I was wrong about the Kerio VPN client (and even server) version numbers. I can reproduce this issue across all versions (7.4 8.1) of the VPN client as well as Kerio Control server (including the Kerio Control Box).
3. The certificate revocation alert only pops up when Internet Explorer is calling an affected site (such as hxxp: / optimalblue. com) from *within* the context of another program. I *think* the "developer" way to say this is: When Internet Explorer is called via a COMobject, users will see the Certificate Revocation alert.
4. However, if you visit the site directly via Internet Explorer in the right conditions (I'll explain these "conditions" later), then although you will never see a certificate revocation alert, you will see delays of either 15, 30, or 45 seconds when visiting a site where CRLs need to be checked. The delays are 15 seconds for each certificate that needs to be checked where the second CRL isn't checked until the first times out & so on up to the 45 seconds delay (3 certificates). Here's another Kerio user with this issue: hxxp: / forums.kerio. com/t/24077// [message #99531]
5. One of the links dev sent me before did help me determine that changing some of the timeout values via Group Policy did have an effect on the length of time it took before the timeout finished and either the pages continued loading, or else the certificate revocation alert popped up.
a. Here is the page link: hxxp: / com/en-us/library/cc771429(v=ws.10). aspx
b. I think the rep was suggesting that if I waited long enough, the "problem" of the certificate revocation alerts would go away, but after a much longer than 15 second wait per certificate.
c. I think he was right, but I now know the certificate revocation alert is simply a SYMPTOM of a *much* bigger "slow page load while connected to the VPN" issue rather than a specific problem that needs to be solved by INCREASING the wait time.
6. Because this is tied to certificate revocation checking, one workaround for the timeout issue is to disable certificate revocation checking via the 1-2 related checkboxes in IE Internet Options Advanced tab as in: hxxp: / support.kaspersky. com/5204
7. But the more direct (and safer) way to work around the issue is to disable the "Automatically detect settings" checkbox in IE for Tools > Internet Options > Connections > LAN settings. With this disabled, the Optimal Blue website loads instantaneously.
8. IMPORTANT: Once a site such as OptimalBlue. com has been loaded and the CRLs checked/timedout, you will not see the problem on its own with that particular site for approximately 24 hours! However, I eventually learned that you *will* see the issue if you login as a different user on the machine, which told me the issue was somehow a cached/per user thing. This eventually led me to find that I could reproduce the problem post-site load by issuing the following command at a command prompt: " certutil -URLcache * delete " ? This command will delete the applicable contents of the following folder: C:\Users\username\AppData\LocalLow\Microsoft\CryptnetUrlCach e
a. For more information on this see the "Disk and Memory Caches" section of the following TechNet site: hxxp: / com/en-us/library/ee619754(v=ws.10). aspx
9. Once the URL cache is deleted and IE closed/re-opened, the 15, 30, & 45 second delays will return.
10. The above tests while disconnected from Kerio VPN result in no delay. The timeouts/delays only happen with CRL checking enabled and while "Automatically detect settings" is enabled in Internet Options!
11. While waiting for the 15-45 second timeouts, a DNS debug log shows numerous calls related to WPAD (Web Proxy Autodiscovery Protocol).
a. I do not know for sure that an issue with WPAD or WPAD-discovery via DNS or otherwise is related to this issue. I've simply come to this as a possible cause since that's the type of traffic is *think* I see happening while waiting for a slow-loading page to load while connected to the VPN.
b. Sidenote: The following CensorNet guide *appears* to be something I would expect Kerio to eventually support as a possible solution to this problem? hxxp: / www.profelis. com. tr/files/8112/7972/1064/Web_Proxy_Auto_Discovery_WPAD_v2.pdf
c. More info "About implementing WPAD" --> hxxp: / com/en-us/library/cc995261.aspx
d. Here's an interesting article that not only summarizes the WPAD process (that portion of which I've copied and pasted below further in this e-mail), but discusses a Man in the Middle vulnerability as well: hxxp: / www.netresec. com/?page=Blog&month=2012-07&post=WPAD-Man-in-the-Mi ddle

I think that's all I have of much use for now; however, there are many other ideas I have that I want to test to see if I can learn more about the actual, specific cause of this problem. Things I want answered in my own further testing are:
1. Does the fact my domain name is XYZ.local have anything to do with this?
2. Does reverse-DNS have anything to do with this?
3. Is there anything wrong with my present AD domain / custom DNS forwarding settings?
4. What happens if I split VPN traffic off into its own traffic rule and disable HTTP inspection altogether? Or does it not matter because I'm not routing all traffic through the VPN as it stands anyway?
5. I still haven't tested this with an IPSec connection to Kerio since I only recently learned how to connect a single Windows PC to Kerio Control via this connection method.
6. There are many options within the Configuration > HTTP Policy > "Proxy Configuration" tab of Kerio Control that I want to see if they have an effect: "Enable non-transparent proxy server" (try disabling it), "Kerio Control non-transparent proxy server" (vs. Direct access transparent proxy which is default), and "Allow browsers to use configuration script automatically via DHCP server in Kerio Control (but I still have no idea how I would implement this to accurately test it!)
a. NOTE: I want to say that I have already attempted the non-transparent option & it works fine once the browser is *manually* configured properly. But it's this very act of not having to manually configure the browser settings that I'm attempting to work-around.

That's all to my ticket update for now. See below for a WPAD Discovery summary. I think Kerio Control isn't handling this properly & that's the root of the issue... but I could be wrong!


What is WPAD?
WPAD is short for "Web Proxy Autodiscovery Protocol", and is a method for Windows machines to detect which machine to use as proxy for HTTP(S) traffic.

The process of finding a web proxy with WPAD basically works like this:
1. Did I receive a WPAD entry in my DHCP lease?
If yes, then jump to #4.
2. Ask the DNS server who is called "wpad" (or wpad.[mydomain. com]).
Jump to #4 if a the lookup was successful.
3. Broadcast a NetBIOS Name Service message and ask for "WPAD".
Continue to #4 if anyone on the network claims to be called "WPAD", otherwise don't use any web proxy.
4. Download the file hxxp: / wpad /wpad.dat
5. Use IP address defined in wpad.dat as the web proxy for all HTTP and HTTPS web traffic.
Previous Topic: Curl auth for Kerio Control 8
Next Topic: 8.1 and SNMP
Goto Forum:

Kerio discussion forums are intended for open communication between forum members and may contain information and material posted by members which may be useful in learning about Kerio products. The discussion forums are not intended to provide technical support for any specific product. Any information implied or expressed in the discussion forums is that of the posting member. Kerio is in no way responsible for the information posted in the forums, or its accuracy. Kerio employees may participate in the discussions, but their postings do not represent an offical position of the company on any issues raised or discussed. Kerio reserves the right to monitor and maintain the forums to promote free and accurate exchange of information.

Current Time: Fri Sep 22 17:22:16 CEST 2017

Total time taken to generate the page: 0.00416 seconds
.:: Contact :: Home ::.
Powered by: FUDforum 3.0.4.