HTTPS/IMAPS/SSL for workstations?
  •  
ClouD

Hi all,

I seem to have this problem in accessing HTTPS/IMAPS and possibly all other SSL-related sites or applications for my workstations; my host computer works fine.

Logging shows that NAT did translate the IP address, and the connection seems to have taken place, but after many SYNs and ACKs it seems that the workstations just give up and show the "page cannot be displayed" error.

I tried allowing all traffic through in the traffic policy, but the workstations still give me the same error.

Trying KWF 5.1.9 on Windows XP Pro

Any idea on this?
Please help, thanks. :(

  •  
igormsk

Do you have any firewalls installed on the workstations, ICF for instance?
  •  
ClouD

Hi,

Yup, I made sure they are not using any firewalls, which is why I am totally confused by this. Everything seems fine, but the workstations just refuse to enter an HTTPS site like the secure mail login in Yahoo. I wish KWF would show me some errors on this for me to work on... :(


  •  
igormsk

Well, the reason I asked about the firewalls is that I've experienced similar problems (HTTPS sites were inaccessible) when I had the Outpost 2.0 Firewall installed on a workstation. With Kerio Personal Firewall or AtGuard it worked fine...

I'm sorry, but I don't have any further ideas.
  •  
gert

I seem to be having a somewhat similar problem. I can't get Windows Update or Internet banking to work other than on the firewall host.

I seem to have narrowed the problem down to the transparent proxy (which I didn't even know was there until I did some research).

I've managed to get it working by bypassing the transparent proxy. Unfortunately, the only way I've found to do this is by using the non-transparent proxy.
  •  
igormsk

Well, the solution for this problem is very simple: all you have to do is decrease the MTU (Maximal Transmit Unit) for the network cards on the clients (the default value is 1500).
The step-by-step description of how to do it can be found here: http://www.kerio.com/us/supp_wrp_pppoe.html. For me setting it to 1400 (decimal) worked fine, but you may need to try lower values if it doesn't help.

The problem occurs when using HTTPS (for example Windows Update) or getting big emails through POP3, maybe also in some other cases.

[Updated on: Sun, 22 February 2004 19:50]

  •  
gert

Well, that solved my problem at least. Lowering the MTU to 1480 did the trick for me. Thank you very much igormsk!

I recently changed from a hardware router to Kerio and didn't think about checking if the MTU setting needed to be changed. That being said, I didn't know it could break HTTPS. I just thought the fragmentation would slow down traffic and nothing more.

Btw, you can probably increase your MTU a bit from the 1400 you have it set to. Just use the ping test and work your way up, then add 28 on top of that for the registry setting. That worked for me anyway. Just remember to set your MTU to a high value before you begin the test.

[Updated on: Mon, 23 February 2004 13:48]
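
The ping test described in the post above, as an added example that is not part of the original thread: it binary-searches the largest echo payload that gets a reply with Don't Fragment set, then adds the 28 bytes of IPv4 and ICMP headers to get the MTU. The `ping` flags are those of Windows and Linux iputils; `simulated_path` and the 192.0.2.1 host are constructed placeholders.

```python
import platform
import subprocess

ICMP_OVERHEAD = 28  # 20-byte IPv4 header + 8-byte ICMP echo header


def ping_df(host, payload, timeout_s=2):
    """Send one echo request of `payload` bytes with Don't Fragment set."""
    windows = platform.system() == "Windows"
    if windows:
        cmd = ["ping", "-n", "1", "-f", "-l", str(payload),
               "-w", str(timeout_s * 1000), host]
    else:  # Linux iputils ping
        cmd = ["ping", "-c", "1", "-M", "do", "-s", str(payload),
               "-W", str(timeout_s), host]
    try:
        res = subprocess.run(cmd, capture_output=True, text=True,
                             timeout=timeout_s + 3)
    except subprocess.TimeoutExpired:
        return False
    if windows:
        # Windows ping can exit 0 on error replies; an echo reply prints TTL=
        return res.returncode == 0 and "TTL=" in res.stdout
    return res.returncode == 0


def find_path_mtu(probe, low=548, high=1472):
    """Binary-search the largest payload for which probe(payload) is True.

    Returns the MTU (payload + 28), or None if even `low` gets no reply,
    in which case echo is not getting through and the test says nothing
    about the MTU.
    """
    if not probe(low):
        return None
    while low < high:
        mid = (low + high + 1) // 2
        if probe(mid):
            low = mid
        else:
            high = mid - 1
    return low + ICMP_OVERHEAD


def simulated_path(path_mtu):
    """Constructed stand-in for a real link: passes packets up to path_mtu."""
    return lambda payload: payload + ICMP_OVERHEAD <= path_mtu


if __name__ == "__main__":
    host = "192.0.2.1"  # placeholder; replace with a host beyond the gateway
    print(find_path_mtu(lambda n: ping_df(host, n)))
```
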

  •  
igormsk

I'm glad you solved your problem.
As for me, I tried setting the MTU to 1480 and 1450, but it didn't work (I'm using PPPoE as the primary and PPTP through PPPoE on another gateway as a secondary connection) - I got the packets fragmented. Maybe I will try values higher than 1400 later. Thanks for your advice.
  •  
RaveRod

Hi! I seem to be having the EXACT same problem but for me, I can't even PING "yahoo.com" from the client computers. Ping returns time outs EVERY time.

Seems strange because I can access the internet fine from the client computer, cannot connect to ANY HTTPS site, cannot ping ANY website (and yes, I changed the firewall rules to permit the client computers to run ping).

I set the MTU setting on the client computer down to 1400, 1300, 1200 and 1000 without any success. Does anyone else have any information on this problem?

I'm running NAT through a 10MBit HUB with an always-on 1MBit cable modem connection on the server machine.

Accessing HTTPS sites from the server machine works fine. Please help as this is a serious problem with our network.

Note: I can ping any other computer inside our network including the server.

Update: Here's one for you. I fixed the ping problem (didn't have NAT translation turned on in the "ICMP Traffic" rule). I was able to ping "yahoo.com" when MTU was set at 1310.

Now, I set the MTU to 1310, restarted and it worked fine. I removed NAT Translation and the network from the ICMP rule and guess what, HTTPS sites don't work!! Try and figure that out!?!

So to get around this, I've had to leave my network and NAT Translation in the "ICMP Traffic" rule. But, at least it works now (does 1310 for the MTU seem a little low for a 1MBit connection?).

[Updated on: Sun, 14 March 2004 16:06]
