How to block certain HTTPS sites?

Messages: 2119
Karma: 3
I would like to block certain secure HTTPS websites, based on their URL. It says in the manual:


Connections must not be encrypted. SSL encrypted traffic (HTTPS and FTPS protocols) cannot be monitored. In this case you can block access to certain servers using traffic rules (see chapter Definition of Custom Traffic Rules).

Note: If the proxy server is used (see chapter Proxy server), it is also possible to filter HTTPS servers (e.g. However, it is not possible to filter individual objects at these servers.

(I would rather not use the proxy server, to keep things as simple (and my life as headache free) as possible.)

So now I'm trying to block the sites through Traffic Rules (as suggested in the manual), however, I am unable to get this to work. I want to block the website so I made a Traffic Rule as follows and placed it ABOVE the rule that allows normal HTTP(S) traffic:

Source: <internal interface> (will later be specific group of users)
Destination: host
Service: HTTPS
Action: Deny
Translation: NAT (default outgoing interface)
Protocol Inspector: Default

This does not work, I can still access the site. Can anybody help? Much appreciated...

More and more of the Internet is getting secure (lots of webmail sites I want to block, for example) and so KWF is losing more and more of its potential to regulate Internet usage if I am not able to block specific HTTPS sites in an easy way.

I understand KWF cannot look 'into' an HTTPS connection, nonetheless it should be possible to block HTTPS connections to certain URLs. Preferably in the 'Content Filtering - HTTP Policy' context. Then there would be ONE place for blocking certain websites. The initial DNS requests etc. are not encrypted. So KWF may see someone trying to set up an HTTPS connection to a website which is forbidden and block it. Yes? No? Consider this a feature request...

[Updated on: Fri, 27 May 2005 14:50]


Messages: 523
Karma: 0
Check if the traffic rule is above the traffic rule that allows access to https sites. Rules are checked from top to bottom until a match is found.

You can change the behaviour by blocking all HTTPS unless it's allowed:

name: HTTPS (from LAN only)
source: LAN
dest: address group of allowed HTTPS urls
service: HTTPS
action: allow
translation: nat default outgoing interface

name: block HTTPS (for LAN and firewall)
source: LAN, firewall
dest: internet
service: HTTPS
action: deny

This should work fine. Sites that are allowed are added to the address group.

Messages: 2119
Karma: 3
The traffic rule is above the rule that allows HTTP(S) traffic.

I do not want to restrict access to all HTTPS servers, except some... I want to allow access to HTTPS sites, except some...

(This above is some months ago, I will try it now again with KWF 6.1.1, maybe something changed...)

[Updated on: Mon, 25 July 2005 12:08]


Messages: 2119
Karma: 3
Follow up:

Well, blocking of HTTPS sites works now. Probably it was just me doing something wrong of course (or maybe something has changed in recent versions of KWF).

Anyway, I made a rule to block HTTPS traffic to addresses in the address group 'blocked HTTPS sites'. This rule is placed above the rule which allows HTTP(S) traffic in general. When I want to block a certain HTTPS-site, I just add the domain to the address group 'blocked HTTPS sites'.

(There is still the HTTPS issue that people can visit HTTPS sites without being authenticated, even though my setup requires authentication.)
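
Added example, not part of any post in this thread and not Kerio code: a small Python model of the first-match evaluation described above ("checked from top to bottom until a match is found"), covering the blocklist from the last post, the allowlist from the second post, and a check for rules that an earlier rule shadows. The addresses, rule fields, function names, matching on resolved IP addresses and the default-deny fallback are assumptions made for the illustration.

```python
from ipaddress import ip_address, ip_network

ANY = None  # destination wildcard ("Internet")

def rule(name, src, dst, ports, action):
    return {"name": name, "src": ip_network(src),
            "dst": ANY if dst is ANY else {ip_address(d) for d in dst},
            "ports": set(ports), "action": action}

def evaluate(rules, src, dst, port):
    """Return (action, rule name) of the first rule matching the connection."""
    src, dst = ip_address(src), ip_address(dst)
    for r in rules:
        if (src in r["src"] and port in r["ports"]
                and (r["dst"] is ANY or dst in r["dst"])):
            return r["action"], r["name"]
    return "deny", "(no rule matched)"  # assumed default: drop unmatched traffic

def covers(a, b):
    """True if every connection matching rule b also matches rule a."""
    return (b["src"].subnet_of(a["src"]) and b["ports"] <= a["ports"]
            and (a["dst"] is ANY or (b["dst"] is not ANY and b["dst"] <= a["dst"])))

def shadowed(rules):
    """Names of rules that can never fire because an earlier rule covers them."""
    return [b["name"] for i, b in enumerate(rules)
            if any(covers(a, b) for a in rules[:i])]

# Constructed sample data (RFC 5737 documentation addresses), not from the thread.
LAN = "192.168.1.0/24"
BLOCKED = ["203.0.113.10", "203.0.113.11"]  # assumed resolved addresses of blocked sites
ALLOWED = ["198.51.100.20"]                 # assumed resolved address of an allowed site

deny_group = rule("Block HTTPS sites", LAN, BLOCKED, [443], "deny")
allow_web = rule("Allow HTTP(S)", LAN, ANY, [80, 443], "allow")
BLOCKLIST = [deny_group, allow_web]    # deny rule above the general allow rule
MISORDERED = [allow_web, deny_group]   # deny rule below it: never reached
ALLOWLIST = [rule("HTTPS (from LAN only)", LAN, ALLOWED, [443], "allow"),
             rule("block HTTPS", LAN, ANY, [443], "deny")]

if __name__ == "__main__":
    for label, rs in [("blocklist", BLOCKLIST), ("misordered", MISORDERED),
                      ("allowlist", ALLOWLIST)]:
        print(label, evaluate(rs, "192.168.1.50", "203.0.113.10", 443),
              "shadowed:", shadowed(rs))
```
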