Https Site login without authentication with kerio control (access Https site without authentication)
  •  
MSH

Messages: 10
Karma: 0
Hi

In my network, users must be authenticated to access internet web sites. For HTTP sites this is OK: users have to enter their usernames and passwords to access these sites. But for HTTPS there is a problem: users can access these websites without any authentication. I used many rules but nothing happened except completely blocking HTTPS (according to this forum), and I tested it with any version of Kerio Control, but this problem is not solved yet!
I want to know if this is a BUG in Kerio or if there is a way to solve this. It seems this problem will not be solved by writing traffic rules, because I tried many rules.

BR
  •  
merc

Messages: 6
Karma: 0
I have exactly the same problem.
This is a Kerio BUG!!!
My personal opinion: Kerio does not do quality control before releasing their versions.
  •  
Brian Carmichael (Kerio)

Messages: 705
Karma: 70
This topic has been discussed in other threads. Unfortunately the firewall is not able to redirect HTTPS connections to the authentication page. This is due to the fundamental security architecture of HTTPS. So, the default behavior allows those HTTPS connections.
Rather than allowing these connections, you can create a traffic rule that permits HTTPS traffic only for authenticated users. This way, users will not be able to reach secure sites unless they are first authenticated. However, the redirection still will not work if the user first attempts to reach a secure web site. In this case, they will see only a white page as if they were not connected to the Internet.

There are some exceptions or alternatives. For example, if you use HTTPS filtering, then users can be redirected even if they are going to a secure site. You can use WPA2-Enterprise if those users are connecting over WiFi. You can assign the MAC or IP address of the device to the user (in the user properties in "Addresses" tab).

Brian Carmichael
Senior Technical Marketing Engineer | Kerio
Stay Connected Anytime, Anywhere. Discover Kerio Cloud!
  •  
merc

Messages: 6
Karma: 0
I would like to use HTTPS filtering, but it's impossible to get the certificates recognized on iPad and iPhone (V 10.3.2).
Why can't HTTPS filtering be used with the Content Filter instead of IP address groups?
  •  
Brian Carmichael (Kerio)

Messages: 705
Karma: 70
WPA2-Enterprise is the best option if you are using WiFi. HTTPS filtering is not ideal regardless of the device as it requires the client to accept the certificate of Kerio Control. And as you noted, some devices may not allow or easily enable you to add the certificate.
Regarding your question, I don't quite understand what you're asking. You can add IP address groups in the Content Filter by adding the column (it is hidden by default).

Brian Carmichael
Senior Technical Marketing Engineer | Kerio
Stay Connected Anytime, Anywhere. Discover Kerio Cloud!
  •  
merc

Messages: 6
Karma: 0
Quote:
Regarding your question, I don't quite understand what you're asking. You can add IP address groups in the Content Filter by adding the column (it is hidden by default).

Hep, my English is not good,
so I ask my question with an example:
In the HTTPS filtering option it's not possible to exclude specific traffic from decryption by choosing Finance/Investment in the Application and Web Categories.
And,
with the IP address groups we must know all the IPs, and it's not possible to use *, e.g. *domain*
  •  
Brian Carmichael (Kerio)

Messages: 705
Karma: 70
The reason you cannot use content rules is because the firewall would need to first decrypt the traffic to determine the application category. Note however that in the HTTPS exclusions, you are allowed to use domain names. For example, the default exclusions apply to dropbox.com, microsoft.com, and mozilla.org.

Brian Carmichael
Senior Technical Marketing Engineer | Kerio
Stay Connected Anytime, Anywhere. Discover Kerio Cloud!
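
The following is an added example, not part of the thread and not Kerio code. It illustrates the two points made in the replies above: a gateway sees a plain HTTP request it can answer with a redirect, but for HTTPS it sees only a TLS ClientHello, from which the requested server name (SNI) can be read without decryption. That name-based matching is how domain exclusions can work in general; how Kerio Control implements it is not stated in the thread, and the function names here are hypothetical.

```python
import ssl
import struct

def make_client_hello(hostname):
    """Build a real ClientHello in memory (constructed sample, no network)."""
    ctx = ssl.create_default_context()
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=hostname)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: client has sent its hello and waits for the server
    return outgoing.read()

def sni_from_client_hello(data):
    """Return the cleartext server name, or None if there is none."""
    if len(data) < 9 or data[0] != 0x16 or data[5] != 0x01:
        return None  # not a TLS handshake record carrying a ClientHello
    body = data[5:5 + struct.unpack("!H", data[3:5])[0]]
    pos = 4 + 2 + 32  # handshake header, legacy version, random
    try:
        pos += 1 + body[pos]                                   # session id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher suites
        pos += 1 + body[pos]                                   # compression
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            if ext_type == 0:  # server_name: list len, type, name len, name
                n = struct.unpack("!H", body[pos + 3:pos + 5])[0]
                return body[pos + 5:pos + 5 + n].decode("ascii")
            pos += ext_len
    except (IndexError, struct.error):
        return None
    return None

def gateway_view(first_bytes):
    """What an inspecting gateway can learn and do without decrypting."""
    if first_bytes.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD"):
        host = None
        for line in first_bytes.split(b"\r\n")[1:]:
            if line.lower().startswith(b"host:"):
                host = line[5:].strip().decode("ascii")
        return {"proto": "http", "host": host, "can_redirect": True}
    # TLS: only the name is visible; a plaintext 302 injected here would be
    # a malformed TLS record to the client, so the choice is allow or drop.
    return {"proto": "tls", "host": sni_from_client_hello(first_bytes),
            "can_redirect": False}
```

The URL path and page content, which a category-based content rule would need, appear only after the handshake and are encrypted, which is why those rules require HTTPS decryption.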
  •  
giampos

Messages: 187
Karma: 2
Both HTTP and HTTPS are intercepted by the content rule, but HTTP is redirected and HTTPS is denied, why??

  •  
fco18us

Messages: 6

Karma: 0
THE SOLUTION FOR THIS IS SIMPLE IF YOU NEED ALL COMPUTERS TO LOGIN WITH HTTP OR HTTPS:

1) FIRST CHECK IN WEB AUTHENTICATION: ALWAYS REQUIRE USERS TO BE AUTHENTICATED WHEN ACCESSING WEB PAGES

2) IN CONTENT FILTER SELECT HTTPS FILTERING AND CHECK DECRYPT AND FILTER HTTPS TRAFFIC AND CHECK SHOW LEGAL NOTICE TO USER. IN HTTPS FILTERING EXCEPTIONS CHECK EXCLUDE SPECIFIED TRAFFIC FROM DECRYPTION, AND AFTER IN TRAFFIC TO/FROM IP ADDRESSES WHICH BELONG TO: SELECT HTTPS EXCLUSION, AND AFTER IN TRAFFIC FROM THE FOLLOWING USER: ADD ALL GROUPS YOU CREATED ON THE FIREWALL.

THIS WORKS FINE FOR ME. ANY COMPUTER IN MY NETWORK THAT DOES NOT HAVE USER AUTHENTICATION CANNOT SURF IN HTTP OR HTTPS; THEY NEED A USER AND PASSWORD TO GET ACCESS TO THE INTERNET. ATTACHED AN IMAGE OF CONTENT FILTER IN HTTPS FILTERING.

SORRY FRIENDS MY ENGLISH IS BAD, REGARDS

  •  
giampos

Messages: 187
Karma: 2
OK, but are they always redirected to the login page automatically??
Also if the first page is HTTPS?
Second question:
When enabling HTTPS filtering, will all clients be prompted with a certificate error page?

fco18us wrote on Fri, 14 July 2017 05:42
THE SOLUTION FOR THIS IS SIMPLE IF YOU NEED ALL COMPUTERS TO LOGIN WITH HTTP OR HTTPS:

1) FIRST CHECK IN WEB AUTHENTICATION: ALWAYS REQUIRE USERS TO BE AUTHENTICATED WHEN ACCESSING WEB PAGES

2) IN CONTENT FILTER SELECT HTTPS FILTERING AND CHECK DECRYPT AND FILTER HTTPS TRAFFIC AND CHECK SHOW LEGAL NOTICE TO USER. IN HTTPS FILTERING EXCEPTIONS CHECK EXCLUDE SPECIFIED TRAFFIC FROM DECRYPTION, AND AFTER IN TRAFFIC TO/FROM IP ADDRESSES WHICH BELONG TO: SELECT HTTPS EXCLUSION, AND AFTER IN TRAFFIC FROM THE FOLLOWING USER: ADD ALL GROUPS YOU CREATED ON THE FIREWALL.

THIS WORKS FINE FOR ME. ANY COMPUTER IN MY NETWORK THAT DOES NOT HAVE USER AUTHENTICATION CANNOT SURF IN HTTP OR HTTPS; THEY NEED A USER AND PASSWORD TO GET ACCESS TO THE INTERNET. ATTACHED AN IMAGE OF CONTENT FILTER IN HTTPS FILTERING.

SORRY FRIENDS MY ENGLISH IS BAD, REGARDS

  •  
fco18us

Messages: 6

Karma: 0
OK, but are they always redirected to the login page automatically??
Also if the first page is HTTPS?

R: No redirect when opening a page in HTTPS; it only works in HTTP. If you need users to log in, use the login page:

https://192.168.2.1:4081/login (example)

When enabling HTTPS filtering, will all clients be prompted with a certificate error page?
R: Yes, they are always prompted with a certificate error, but they need to log on at the login page to use HTTP or HTTPS.