Kerio Control forum thread: Unauthenticated access to HTTPS sites allowed whilst requiring authentication

winkelman
When you are not authenticated, you can still go to HTTPS sites. Going to such a site will not bring up the Kerio Authentication Page.

My KWF requires authentication for Internet access. When you're not authenticated, you will be presented the login screen. (In traffic rules I allow HTTP and HTTPS traffic from the LAN to the Internet, but in the Users configuration I selected "Always require users to be authenticated when accessing web pages".)

I understand KWF cannot look into HTTPS streams, nonetheless it should not be possible to browse the web if you've configured KWF to require authentication (even if only to HTTPS sites).

I am running more and more into 'HTTPS issues'. You cannot block access to HTTPS sites based on URLs, now I find out you cannot even require users to be authenticated when going to HTTPS sites. This is becoming problematic.

I urge Kerio to look into this matter. As I said, I understand KWF cannot look into encrypted streams, but for example, the initial request to a HTTPS site is not encrypted, so I see no technical reason why KWF should not be able to block sites or enforce authentication. More and more of the internet is going secure and I am losing my ability to use KWF to limit Internet access.

Or... if I am wrong and something is misconfigured here, please do tell.

Pavel Dobry (Kerio)
The initial request to the HTTPS sites is also encrypted. A secure, encrypted channel is established BEFORE that. The only thing you can restrict in HTTPS is a destination server, because it is a normal TCP connection like any other.
If you're using the proxy, you can also use URL rules in KWF for restricting users. URL rules are also valid for the proxy server in KWF. Unfortunately, only the server name can be used in rules, you cannot restrict files or extensions. The URL rule must contain 'https://' to be valid only for HTTPS in the proxy server.
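The destination-server restriction described above is about all a gateway that does not decrypt the stream can act on. What it has to work with is the client's first TLS message: the HTTP request itself is sent only after the handshake, but a client that supports the server_name (SNI) extension names the destination host in cleartext in its ClientHello, and a client that does not leaves only the destination IP. The following Python is an added example, not Kerio code and not a capture; it constructs a minimal ClientHello (with or without SNI), extracts the host name, and applies a destination-only block list. The host names and the block list are made up for the illustration, and the "no-sni" case is handled explicitly because a policy built on SNI has to decide what to do when the name is absent.

```python
import struct

TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000


def build_client_hello(server_name=None) -> bytes:
    """Build a minimal TLS record carrying a ClientHello.

    Constructed test input, not a capture. With server_name=None the
    extensions block is omitted entirely, as an old client would send it.
    """
    body = (
        b"\x03\x03"            # client_version: TLS 1.2
        + bytes(32)            # random (zeros are fine for a parser test)
        + b"\x00"              # session_id length 0
        + b"\x00\x02\xc0\x2f"  # one cipher suite
        + b"\x01\x00"          # one compression method: null
    )
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
        ext_body = struct.pack("!H", len(entry)) + entry          # ServerNameList
        exts = struct.pack("!HH", EXT_SERVER_NAME, len(ext_body)) + ext_body
        body += struct.pack("!H", len(exts)) + exts
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(handshake)) + handshake


def extract_sni(data: bytes):
    """Return the host_name from the SNI extension of a ClientHello, or None.

    None covers: not a TLS handshake record, not a ClientHello, a truncated
    record, or a ClientHello without a server_name extension.
    """
    if len(data) < 5 or data[0] != TLS_HANDSHAKE:
        return None
    rec_len = struct.unpack("!H", data[3:5])[0]
    hs = data[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != CLIENT_HELLO:
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) < hs_len:
        return None                         # truncated: do not guess
    pos = 2 + 32                            # skip client_version and random
    if pos >= len(body):
        return None
    pos += 1 + body[pos]                    # session_id
    if pos + 2 > len(body):
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    if pos >= len(body):
        return None
    pos += 1 + body[pos]                    # compression_methods
    if pos + 2 > len(body):
        return None                         # no extensions block at all
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    if end > len(body):
        return None
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        edata = body[pos:pos + elen]
        pos += elen
        if etype != EXT_SERVER_NAME or len(edata) < 2:
            continue
        list_len = struct.unpack("!H", edata[:2])[0]
        q = 2
        while q + 3 <= min(2 + list_len, len(edata)):
            ntype = edata[q]
            nlen = struct.unpack("!H", edata[q + 1:q + 3])[0]
            name = edata[q + 3:q + 3 + nlen]
            if ntype == 0 and len(name) == nlen:
                return name.decode("ascii", "replace")
            q += 3 + nlen
    return None


def https_policy(client_hello: bytes, blocked_hosts) -> str:
    """Destination-only filtering, the way a non-decrypting gateway must do it."""
    host = extract_sni(client_hello)
    if host is None:
        return "no-sni"          # only the destination IP is left to act on
    if host in blocked_hosts or any(host.endswith("." + b) for b in blocked_hosts):
        return "block"
    return "allow"


if __name__ == "__main__":
    hello = build_client_hello("www.example.com")
    print(extract_sni(hello))                                       # www.example.com
    print(https_policy(hello, {"example.com"}))                     # block
    print(https_policy(build_client_hello(None), {"example.com"}))  # no-sni
```

The parser never reads past the lengths the record declares, so a truncated or non-TLS first packet yields None rather than a partial name. Whether "no-sni" should allow or deny is a policy choice: denying it blocks old clients, allowing it leaves a bypass for any client that omits the extension.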

winkelman
Hmmm, ok. This damned encryption!

But what about the fact that people can go to HTTPS sites, even while not authenticated? I am sure this is not supposed to happen. And if you really can't stop it, please put a warning in the Administration Console next to the option that requires users to be authenticated to access 'web pages' (is a HTTPS page not a web page?).

About restricting access to HTTPS destination servers... I've tried that some time ago and couldn't get that to work either. (Opened a topic about this some time ago: http://forums.kerio.com/index.php?t=msg&goto=22562&S=45922d9913afabd48ec0bc277071980c ) I will try it again, maybe I did something wrong or something has changed in the newer KWF since May...

winkelman
<bump>
winkelman wrote on Mon, 25 July 2005 12:08

But what about the fact that people can go to HTTPS sites, even while not authenticated? I am sure this is not supposed to happen. And if you really can't stop it, please put a warning in the Administration Console next to the option that requires users to be authenticated to access 'web pages' (is a HTTPS page not a web page?).

Somebody got an idea about this? My setup requires authentication, but even while not authenticated people can visit HTTPS sites. Can someone else confirm this?

Encryption or not, this seems illogical.

Omid
I also have the same problem. Unauthenticated users can access HTTPS pages. Kerio won't even log HTTPS pages for authenticated users. That's funny, it hasn't been solved after 10 years.

[Updated on: Mon, 25 May 2015 09:31]


Petr Dobry (Kerio)
Please, don't reopen 10 year old threads.

If you want to allow only auth users access to Internet, create a NAT rule with Authenticated users as Source and put it on top.
That way user must authenticate before he's allowed any access to the internet.

http://kb.kerio.com/product/kerio-control/content-filtering/filtering-https-connections-1651.html
http://kb.kerio.com/product/kerio-control/security/configuring-traffic-rules-1312.html

Petr Dobry
Product Development Manager | Kerio
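The fix above relies on first-match evaluation of the traffic rules: the first rule a connection matches decides, and a connection that matches nothing is denied. The following Python is an added example, not Kerio code; it models that evaluation for the thread's scenario. The rule names, the LAN range 192.168.1.0/24 and the decision strings are assumptions made for the illustration, and the one behaviour taken from the thread is that an unauthenticated HTTP request gets answered with the login page while an HTTPS stream cannot be, so for HTTPS the traffic rule alone decides. Three rule sets are compared: the original unconditional LAN allow, that same allow with the authenticated-users rule placed above it, and the authenticated-users rule on its own. The second set shows the caveat: putting the rule on top is not enough if an unconditional allow is still underneath, because unauthenticated hosts fall through to it.

```python
import ipaddress
from dataclasses import dataclass

LAN_NET = ipaddress.ip_network("192.168.1.0/24")   # assumed LAN range


@dataclass(frozen=True)
class Conn:
    src_ip: str
    dst_port: int
    authenticated: bool   # does the firewall know a logged-in user at src_ip?


@dataclass(frozen=True)
class Rule:
    name: str
    source: str           # "LAN", "Authenticated users" or "Any"
    ports: frozenset      # empty means any destination port
    action: str           # "allow" or "deny"

    def matches(self, c: Conn) -> bool:
        if self.ports and c.dst_port not in self.ports:
            return False
        in_lan = ipaddress.ip_address(c.src_ip) in LAN_NET
        if self.source == "Any":
            return True
        if self.source == "LAN":
            return in_lan
        if self.source == "Authenticated users":
            return in_lan and c.authenticated
        return False


def decide(rules, c: Conn):
    """First matching rule wins; no match means the implicit final deny."""
    for r in rules:
        if r.matches(c):
            return r.action, r.name
    return "deny", "(implicit deny)"


# Original setup from the thread: an unconditional LAN -> Internet allow for web ports.
ORIGINAL = [Rule("Web from LAN", "LAN", frozenset({80, 443}), "allow")]

# Authenticated-users rule on top, but the unconditional allow left underneath.
HALF_FIXED = [Rule("Internet for authenticated users", "Authenticated users",
                   frozenset(), "allow")] + ORIGINAL

# Authenticated-users rule on top and the unconditional allow removed.
FIXED = [Rule("Internet for authenticated users", "Authenticated users",
              frozenset(), "allow")]


def web_path(rules, c: Conn) -> str:
    """What the browser ends up seeing for one connection.

    Assumption taken from the thread: the firewall can answer a plaintext
    HTTP request from an unauthenticated host with its login page, but it
    cannot inject a page into an HTTPS stream, so there the rule decides.
    """
    action, rule = decide(rules, c)
    if action == "deny":
        return "blocked by " + rule
    if c.dst_port == 80 and not c.authenticated:
        return "login page"
    return "passes"


if __name__ == "__main__":
    unauth_https = Conn("192.168.1.20", 443, False)
    unauth_http = Conn("192.168.1.20", 80, False)
    auth_https = Conn("192.168.1.21", 443, True)
    for label, rules in (("ORIGINAL", ORIGINAL), ("HALF_FIXED", HALF_FIXED), ("FIXED", FIXED)):
        print(label, "HTTP unauth:", web_path(rules, unauth_http),
              "| HTTPS unauth:", web_path(rules, unauth_https),
              "| HTTPS auth:", web_path(rules, auth_https))
```

With ORIGINAL, the unauthenticated HTTP connection gets the login page and the unauthenticated HTTPS connection passes, which is exactly what the thread reports. HALF_FIXED behaves the same for the unauthenticated host, and only FIXED drops its HTTPS connection on the implicit deny while authenticated hosts still pass.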