Big Problem With HTTPS
  •  
makempire

I really need your help!

Network
A = 1 server (Windows Server 2003) - with Kerio
B1 = PC (Windows XP- SP2)
B2 = PC (Windows XP- SP2)
B3 = PC (Windows XP- SP2)

Web sites
X - website with https protocol https://site:8000
Y - website with http protocol http://site:8000
Z - website with https protocol on default port on https://site

Problem
1. I can't access websites X or Z from B1, B2 or B3
2. I can access ALL sites from Server A
3. I can access website Y from All computers

Solutions I tried!
1. Lowering MTU on B1, B2, B3 - not working
2. Disable Windows Firewall, and restart - not working

Little more description
When I try to access an https website from B1, B2 or B3... it's just opening (read: trying to open)... for a few minutes, and the only thing that is opened is the Page Title! Then it writes: WebSite Can't be found.. so, I really hope that someone will help me
  •  
Brian (GFI/Kerio)

Which build of WinRoute are you running? This should have been resolved by version 6.2.2 with adjusted handling for maximum segment size.

Brian Carmichael
Instructional Content Architect
  •  
makempire

My version is 6.2.0

Is this some version bug?
I'll try new version.. Thank you


P.S. What do you mean by "with adjusted handling for maximum segment size"? A little help here?

[Updated on: Fri, 27 October 2006 09:50]

  •  
makempire

1. The problem that occurs with Kerio Winroute Firewall 6.2.3 (and earlier 6.2.x versions) while routing some data from HTTPS sites to the LAN clients has not been solved yet. This occurs especially when the https site uses ports, as the PLESK DNS Administrator does (TCP/UDP port: 8443). Our e-bank provider's https site passes without any problem, for example.
2. Consider that KWF was all the time set to pass all HTTP and HTTPS data (NAT set to typical setting)
3. Consider that HTTPS works well on the Winroute computer (in our case - the company's server)
4. Consider that Symantec Enterprise Antivirus Server is installed and turned on on the server computer (one that KWF is running)
5. Consider that client computers are running Symantec NAV Client (a client part of the Symantec Enterprise AV Server)
6. Consider that all client computers have Windows firewall turned on.

Following the suggestions found on Kerio's forum against this issue, I did the following:

1. I turned off Winroute firewall (permit Source: ALL, Destination: ALL, Service: ALL, Action: Permit)
2. I lowered the MTUs to 1480, as it was suggested on both Winroute's and client's network adapter
3. I turned off client's Windows firewall
4. I restarted both the server and clients

The results were disappointing. Same problems, with no improvements at all. Please help us.
  •  
Pavel Dobry (Kerio)

Maybe a silly question but..
You're saying that traffic rules allow all HTTP and HTTPS data. Have you also allowed connections to port 8443? Because it is not in the HTTPS protocol definition by default.
  •  
makempire

Yes, certainly! The TCP:8443 and UDP:8443 ports have both been defined under the service name PLESK and added to the KWF settings as follows:

http://img136.imageshack.us/img136/2472/imagexf5.gif

Same results we got when we replaced the PLESK service with ports (Port: TCP 8443, Port: UDP 8443)

Additionally, under Content filtering / HTTP Policy we defined a URL group with these settings:

Allow: http*mkhost* (This was the first URL filter. Still in use)
Allow: https://win.mkhost.org:8443/ (This is a "problematic" URL, so we put it here as is)

(These two are written in order as shown above and both are active)

Thank you for your answer.

[Updated on: Mon, 30 October 2006 13:43]

  •  
makempire

I suppose there is no answer to this up...

[Updated on: Mon, 13 November 2006 09:35]

  •  
makempire

I guess there is no answer to this..
  •  
starcom.8m

Try to keep lowering the MTU at client PCs. You can test the correct MTU size by running this command from the DOS shell window:

ping -f -l 1472 yahoo.com

If you receive the message "Packet needs to be fragmented but DF set.", then you need to lower the MTU.

Try the same test again using 1400 in place of 1472. If you get a message like "Reply from 216.115.108.243: bytes=1472 time=180ms TTL=246", then 1400 is a sufficient size. Otherwise you'll need to continue lowering the value until you get a reply.
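
The manual ping test described in the post above, automated as a binary search and converted to the path MTU and the TCP maximum segment size mentioned earlier in the thread. This is an added example, not part of the original posts or Kerio's tooling; it assumes IPv4 without header options and a host that answers ICMP echo, and the names `ping_df`, `largest_payload` and `path_report` are made up here.

```python
import platform
import subprocess

IP_ICMP_OVERHEAD = 28  # 20-byte IPv4 header + 8-byte ICMP echo header
IP_TCP_OVERHEAD = 40   # 20-byte IPv4 header + 20-byte TCP header (no options)


def ping_df(host, payload):
    """Send one echo request with Don't Fragment set; True if a reply came back."""
    if platform.system() == "Windows":
        # Same flags as in the thread: -f sets DF, -l sets the payload size.
        cmd = ["ping", "-n", "1", "-f", "-l", str(payload), host]
    else:
        # Linux iputils equivalent: -M do forbids fragmentation, -s is the size.
        cmd = ["ping", "-c", "1", "-W", "2", "-M", "do", "-s", str(payload), host]
    done = subprocess.run(cmd, capture_output=True, text=True)
    # Windows ping can exit 0 on some error replies, so also require a TTL field.
    return done.returncode == 0 and "TTL=" in done.stdout.upper()


def largest_payload(probe, low=0, high=1472):
    """Binary-search the biggest payload in [low, high] for which probe() is True."""
    if not probe(low):
        return None  # nothing gets through at all, so this is not an MTU problem
    while low < high:
        mid = (low + high + 1) // 2
        if probe(mid):
            low = mid       # mid fits, search above it
        else:
            high = mid - 1  # mid needs fragmenting, search below it
    return low


def path_report(payload):
    """Convert the largest unfragmented ICMP payload to path MTU and TCP MSS."""
    mtu = payload + IP_ICMP_OVERHEAD
    return {"payload": payload, "mtu": mtu, "mss": mtu - IP_TCP_OVERHEAD}


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # placeholder host
    best = largest_payload(lambda size: ping_df(host, size))
    print("no replies" if best is None else path_report(best))
```

A result of 1472 means the path carries a full 1500-byte MTU, so a smaller client MTU would not be expected to help; anything lower gives the MTU value to configure on the clients.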
  •  
moizee

I am using 6.2.3 but having the same issue where clients don't get the https sites?

Did anybody get a resolution? Please help.

thanks
Moiz
  •  
behnam

Hi, recently I solved it as follows:
1- Adding DNS in my internet interface properties as below:
4.2.2.3;8.8.8.8
2- Another tip is that you should make a traffic rule, e.g. HTTPS, add HTTPS in services and allow any source to access the firewall within it.
3- Also, because my certificates were imported to Kerio in both the internet interface and the VPN server, I chose the current imported certs; before, it showed 'No certificate selected'.
Hope this helps you.
Regards, behnam

[Updated on: Sun, 14 April 2013 05:16]
