Connect. Communicate. Collaborate. Securely.

Home » Kerio User Forums » Kerio Control » Access denied (old browser)
  •  
twinstead

Messages: 29
Karma: 0
Send a private message to this user
I am using a program (a pop collector for email called 'popcon' to be specific). It works fine, however it does have an antivirus feature that I can't seem to get to work through winroute firewall.

It uses HTTP to download updated virus signatures. When it trys to update, the debugging logs show it receives this response from winroute "http://xx.xx.xx.xx:4080/nohost" (Ip address of firewall x'ed), which it turns out is an 'old browser' access denied page. Since the request isn't coming from a browser, can somebody give me a clue as to how to fix this?

Thanks
  •  
winkelman

Messages: 2119
Karma: 3
Send a private message to this user
It seems like you are using the proxy. Try without using the proxy (I bet you can configure this in 'popcon').
  •  
twinstead

Messages: 29
Karma: 0
Send a private message to this user
I don't have any proxy information set in popcon, although it gives me the option to. It is akin to any program update from the myriad of software I have running on my network that does that without problem through winroute.

My first guess is that the request from popcon is formed in such a way that makes it so winroute can't tell from whom it's originating, so it rejects it.

What I don't know is if there is a way to get it through regardless, or should I tell Christensen Software who makes popcon that they might want to form the request differently in subsequent versions of their software.
  •  
winkelman

Messages: 2119
Karma: 3
Send a private message to this user
Maybe too obvious: can you browse the web normally on the machine that runs 'popcon'? Can you browse to the URL 'popcon' gets its updates from?

Or: if you need to be authenticated to KWF, you are?
  •  
twinstead

Messages: 29
Karma: 0
Send a private message to this user
winkelman wrote on Tue, 13 December 2005 17:09

Maybe too obvious: can you browse the web normally on the machine that runs 'popcon'? Can you browse to the URL 'popcon' gets its updates from?

Or: if you need to be authenticated to KWF, you are?


LOL I do believe those are pertinent questions to ask, but the answer is yes to all.

My latest adventure is that if I create a rule to allow the IP address of one computer I have it installed popcon on to go out on port 80 to the wan, with no protocol inspection, I can access what I need. The same settings with the IP of another fails. Confused

I have about 5 layers of antivirus as far as mail goes, so it's not critical I get it to work, just a nuisance I've been working on for a bit and thought it might be an easy fix.


  •  
Pavel Dobry (Kerio)

Messages: 5245
Karma: 251
Send a private message to this user
twinstead wrote on Mon, 12 December 2005 20:45

I am using a program (a pop collector for email called 'popcon' to be specific). It works fine, however it does have an antivirus feature that I can't seem to get to work through winroute firewall.

It uses HTTP to download updated virus signatures. When it trys to update, the debugging logs show it receives this response from winroute "http://xx.xx.xx.xx:4080/nohost" (Ip address of firewall x'ed), which it turns out is an 'old browser' access denied page. Since the request isn't coming from a browser, can somebody give me a clue as to how to fix this?

Thanks


Popcon client does not send Host: header in HTTP request. This header is required for successful URL rules match. The request did not pass through HTTP protocol inspector without this header.
You can allow this particular site in traffic rules and disable protocol inspector in the rule. However, access to this website cannot be allowed or denied by HTTP URL rules then.

The second (and better) option is to set Popcon client to use proxy server in KWF. By this, client is enforced to send Host: header in HTTP request.
  •  
twinstead

Messages: 29
Karma: 0
Send a private message to this user
Kerio_pdobry wrote on Tue, 13 December 2005 23:45


Popcon client does not send Host: header in HTTP request. This header is required for successful URL rules match. The request did not pass through HTTP protocol inspector without this header.
You can allow this particular site in traffic rules and disable protocol inspector in the rule. However, access to this website cannot be allowed or denied by HTTP URL rules then.

The second (and better) option is to set Popcon client to use proxy server in KWF. By this, client is enforced to send Host: header in HTTP request.


Even better, I talked to the authors of the software, and they said they didn't realize that not sending the host header would be a problem.

They are going to make that change in the next version, and sent me a pre release to solve my problem immediately.

Your analysis was spot on. Thanks for your help!
Previous Topic: Remote desktop port mapping
Next Topic: WinRoute 6.1.3 and mIRC - how?
Goto Forum:
  


Disclaimer:
Kerio discussion forums are intended for open communication between forum members and may contain information and material posted by members which may be useful in learning about Kerio products. The discussion forums are not intended to provide technical support for any specific product. Any information implied or expressed in the discussion forums is that of the posting member. Kerio is in no way responsible for the information posted in the forums, or its accuracy. Kerio employees may participate in the discussions, but their postings do not represent an offical position of the company on any issues raised or discussed. Kerio reserves the right to monitor and maintain the forums to promote free and accurate exchange of information.

Current Time: Sun Nov 19 02:19:18 CET 2017

Total time taken to generate the page: 0.00477 seconds
.:: Contact :: Home ::.
Powered by: FUDforum 3.0.4.