Newbie question - Http policy not working?!!
  •  
martin.porter

Hi All,

I have tried to create a URL rule to block HTTP access to a site, say http://www.abc.com

It doesn't work, access is still fine from any machine?

I have set the criteria as "*.abc.com*"

I have tried "http://*.abc.com*" and also "http://*.abc.com/*"

Nothing seems to work?

Please help, it's driving me mad! Am I missing something obvious?

Thanks

Martin
  •  
Pavel Dobry (Kerio)

Do not use 'http://' protocol name in the URL.

It can be specified as follows:

= full address of a server, a document or a web page without protocol specification (http://)
= use substrings with the special * and ? characters. An asterisk stands for any number of characters, a question-mark represents one character.

Examples:

= www.kerio.cz/index.html — a particular page
= www.* — all URL addresses starting with www.
= www.kerio.com — all URLs at the www.kerio.com server (this string is equal to the www.kerio.com/* string)
= *sex* — all URL addresses containing the sex string
= *sex??.cz* — all URL addresses containing such strings as sexxx.cz, sex99.cz, etc.
  •  
martin.porter

Pavel,

Thanks for your response. I have the criteria set as www.abc.com without the http:// and it doesn't work?

I have attached a screenshot of the first page of the rule. Maybe that will give you a clue?

Regards

Martin


  • Attachment: url rule.jpg
  •  
winkelman

I suppose your rule should work as it is, but I always make it like
*www.ptc.com/* , or
*.ptc.com/*
so that it is obvious to me that all URLs in the ptc domain are caught...

Maybe you have another rule ABOVE this one that somehow permits connections? The first rule to 'fit' will be the one that is valid...

And are you SURE that traffic goes through KWF and not some other router somewhere?
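The pattern syntax from Pavel Dobry's reply and the first-match rule ordering winkelman mentions, modelled as an added example (not part of any post and not Kerio's code). The function names, the URL normalisation and the handling of a bare server name as `server/*` are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

def normalize(url):
    """Return host + path (+ query) with the protocol prefix removed.
    Assumption: this is the string a URL rule is compared against."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    path = parts.path or "/"
    query = "?" + parts.query if parts.query else ""
    return parts.netloc.lower() + path + query

def pattern_to_regex(pattern):
    """Translate a rule pattern: '*' = any number of characters, '?' = one."""
    # Assumption: a bare server name (no wildcard, no slash) means "server/*",
    # matching the "www.kerio.com equals www.kerio.com/*" example in the reply.
    if not any(c in pattern for c in "*?/"):
        pattern += "/*"
    out = []
    for ch in pattern:
        if ch == "*":
            out.append(".*")
        elif ch == "?":
            out.append(".")
        else:
            out.append(re.escape(ch))
    return re.compile("".join(out), re.DOTALL)

def url_matches(pattern, url):
    """True if the whole normalized URL fits the pattern."""
    return pattern_to_regex(pattern).fullmatch(normalize(url)) is not None

def first_match(rules, url, default="allow"):
    """Walk the rules top to bottom; the first one that fits decides."""
    for pattern, action in rules:
        if url_matches(pattern, url):
            return action
    return default

if __name__ == "__main__":
    # Constructed sample: the patterns tried in the thread against one request.
    for p in ["*.abc.com*", "http://*.abc.com*", "http://*.abc.com/*", "www.abc.com"]:
        print(f"{p!r:24} matches: {url_matches(p, 'http://www.abc.com')}")
    # A permissive rule placed above the deny rule wins.
    rules = [("*", "allow"), ("*.ptc.com/*", "deny")]
    print(first_match(rules, "http://www.ptc.com/products"))
```

In this model the patterns that include `http://` can never match, because the compared string carries no protocol, while `*.abc.com*` and `www.abc.com` do match.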
  •  
martin.porter

Hi Winkelman,

KWF is the default gateway for all machines on the network, so I don't think any can be bypassing to get direct access to the net. The actual router has a public IP, and as all machines on the network use 192.168.1.x, then they couldn't route to it...

I haven't any rules other than the default ones to allow access to kerio.com and windowsupdate. Just to be sure, I moved the rule to the top of the list and entered *.ptc.com/* as the criteria. It still doesn't work and is driving me mad.

Any thoughts anyone?

FYI:

OS is server 2003, Winroute firewall is version 6.011

Regards

Martin

  •  
winkelman

Are you sure that Windows Server 2003 is not also routing traffic itself? That would explain your behaviour, since it would then be the same gateway address (and wk3 is certainly capable of routing, if so configured).

You could try turning off KWF. If you are then still able to access the Internet, it's some other routing solution doing the job.
  •  
winkelman

Another idea:
I also think the 'Protocol Inspector' has to be turned on in the 'Traffic Policy' that handles this traffic. Without the 'Protocol Inspector' KWF is probably just a simple, basic router...
  •  
martin.porter

I've just re-enabled the "non transparent proxy" and set up IE to use it. Now the blocking rule works?!

Is that the reason, or should the transparent proxy also use the rules as well?

Protocol inspector is turned off on port 80 (caused lockups on earlier versions of winroute). Enabling it didn't do anything

Any thoughts?

Cheers

M
  •  
martin.porter

Hi All,

For some reason this morning it all seems to work fine?

The protocol inspector does need enabling, and I turned off the transparent proxy/restarted Winroute, then turned on transparent proxy/restarted.

IE has a direct connection, with no proxy set. It's using the transparent proxy of KWF.

Thanks for everyone's help!

Best regards

Martin
  •  
winkelman

You do not need to use any proxy, transparent or non-transparent. I do not use either and all rules and filters work just fine.

Of course, you can use proxies if you like.

I think the only benefit of the transparent proxy is that it enables the KWF to cache webpages. This is nice on slow connections, or if you have to pay for the actual data-traffic. I do not use it, because I am on a fast, flat-fee connection. I tried it for some time, but couldn't find any difference in surfing speed, so I turned it off to keep everything as simple as possible. (I also got the impression that sometimes, very seldom, people were getting the cached version of a website while the actual website had already been changed. But this was not a real issue... so don't worry.)