permit certain web site and deny the rest
  •  
stu_stu

Hi, I'm using Kerio Winroute 6.1, and I have a problem with the HTTP Policy.

I need to give access to several web sites, and ban the rest. But when I configure the winroute:

Rule#1
user accessing url : any user
url begin : *
allow access to the web site
time : my defined time period

Rule#2
user accessing url : any user
url begin : *
allow access to the web site
time : any

Rule#3
user accessing url : any user
url begin : *
deny access to the web site
time : any

But if I try to access a certain web site, the winroute bans the site.

If I omit Rule#3, the user can access all sites.

Can you help me, please

thx
  •  
winkelman

IMHO, these rules don't make sense:
First you allow anyone access to anyplace ('*') during a specific time interval. Then you allow anyone access to anyplace again, but now during all times. And then you deny anyone access to everything all the time?
  •  
stu_stu

I have tried putting only Rule#1, but I could still access other web sites which I didn't put in the URL Group.

So, do you have any idea how to configure the HTTP policy?

Sorry, still a newbie...
  •  
winkelman

The * means you allow access to ANY website (the * is used as a wild card).
You should use the 'is in URL group' option. Or, if it's a single website, put it in the 'URL begins with' option.

The websites themselves should be specified with wildcards (*) as follows. Say you want to give your users access to everything in the microsoft.com domain, then you should specify the site as:
*.microsoft.com/*
(But this is all in the manual).

Furthermore, turn on logging of the rule in the 'URL Rule' and see if the rule is actually being 'triggered' in the filter log.
  •  
stu_stu

thx. I have tried using the url group. Here is my configuration :

Rule#1:

user accessing URL : any
in URL Group : mygroup
allow access to the web site
time interval : any
ip addr group : my_ip_addr_grp

But the client can still access sites I didn't mention in mygroup.

For example, my group only allows *.yahoo.com, but I can still access google.com.

Have any idea?

thx a lot.
  •  
winkelman

The rule you mention allows access to certain sites, but it does not limit access to other sites. (When going to google, is your rule 'used' or not? If it's used, you are not specifying the rule correctly, if it isn't used, something else is allowing access to google. You can check this if you turn on logging as I previously mentioned.)

So for example you could make a rule that blocks all traffic as the last rule (the so-called 'any, any, any, drop' rule) and put rules allowing things above that one. So then all sites are blocked except the ones explicitly allowed.

PS: You should use '*.yahoo.com/*' instead of '*.yahoo.com'
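
The first-match, deny-last ordering described in the post above, as an added example that is not part of the original thread and is not Kerio code. It assumes rules are evaluated top to bottom, that unmatched requests are allowed (as the thread observed), and that patterns are whole-string globs; the group, rule names and URLs are constructed stand-ins.

```python
from fnmatch import fnmatchcase

# Constructed stand-ins for the thread's URL group and rules (not a Kerio export).
URL_GROUPS = {"mygroup": ["*.yahoo.com/*"]}

# Ordered as in the thread: explicit allow first, catch-all deny last.
RULES = [
    {"name": "Rule#1", "group": "mygroup", "action": "allow"},
    {"name": "Rule#2", "pattern": "*", "action": "deny"},
]


def normalize(url):
    """Strip the scheme and always include a path, so 'host' becomes 'host/'."""
    rest = url.split("://", 1)[-1]
    host, _, path = rest.partition("/")
    return host.lower() + "/" + path


def evaluate(url, rules=RULES, groups=URL_GROUPS, default="allow"):
    """Return (action, rule_name) for the first rule whose pattern matches.

    default="allow" models what the thread observed: with no deny rule,
    a request that matches nothing still goes through.
    Whole-string glob matching is an assumption, not Kerio's documented matcher.
    """
    target = normalize(url)
    for rule in rules:
        patterns = groups[rule["group"]] if "group" in rule else [rule["pattern"]]
        if any(fnmatchcase(target, p) for p in patterns):
            return rule["action"], rule["name"]
    return default, None


def filter_log(urls, rules=RULES, groups=URL_GROUPS):
    """One line per request naming the rule that fired, to check which rule is 'used'."""
    lines = []
    for url in urls:
        action, name = evaluate(url, rules, groups)
        lines.append("%s %s by %s" % (url, action, name))
    return lines


if __name__ == "__main__":
    sample = ["http://mail.yahoo.com/inbox", "http://www.google.com/"]
    print("\n".join(filter_log(sample)))                   # allow rule, then deny-all
    print("\n".join(filter_log(sample, rules=RULES[:1])))  # allow rule only
```

With only the allow rule loaded, the google.com request is logged as allowed by no rule at all, which is the "something else is allowing access" case the post asks the filter log to confirm.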
  •  
winkelman

And: what does your Traffic Policy that allows HTTP traffic look like? Did you turn off protocol inspectors?
  •  
stu_stu

In the traffic policy, I have disabled the Protocol Inspector (I set it to None). Is that the problem? Do I have to set it to HTTP??

Well, if I summarize, the rules in the HTTP Policy are:

Rule#1
user accessing URL : any
in URL Group : mygroup
allow access to the web site
time interval : any
ip addr group : my_ip_addr_grp

Rule#2
user accessing URL : any
URL begin : *
deny access to the web site
time interval : any
ip addr group : my_ip_addr_grp

is it right? if wrong, please tell me how to configure it.

thx alot.
  •  
winkelman

How can KWF filter HTTP traffic if you disable the inspection of this protocol?!??

Turn on the protocol inspector.
  •  
stu_stu

Ok, thx, the HTTP policy is running now.

But now I have a new problem. If I turn on the protocol inspector to HTTP, I am unable to retrieve email from the internet. (I'm using MS Outlook to retrieve my email.)

Do you have any suggestion??

BTW, thank you very much...
  •  
winkelman

(I answered in the new topic you opened for this question...)