Unauthenticated access to HTTPS sites allowed whilst requiring authentication [message #25068] Fri, 22 July 2005 17:52
winkelman
When you are not authenticated, you can still go to HTTPS sites. Going to such a site will not bring up the Kerio Authentication Page.

My KWF requires authentication for Internet access. When you're not authenticated, you will be presented with the login screen. (In traffic rules I allow HTTP and HTTPS traffic from the LAN to the Internet, but in the Users configuration I selected 'Always require users to be authenticated when accessing web pages'.)

I understand KWF cannot look into HTTPS streams, nonetheless it should not be possible to browse the web if you've configured KWF to require authentication (even if only to HTTPS sites).

I am running more and more into 'HTTPS issues'. You cannot block access to HTTPS sites based on URLs, now I find out you cannot even require users to be authenticated when going to HTTPS sites. This is becoming problematic.

I urge Kerio to look into this matter. As I said, I understand KWF cannot look into encrypted streams, but for example, the initial request to an HTTPS site is not encrypted, so I see no technical reason why KWF should not be able to block sites or enforce authentication. More and more of the internet is going secure and I am losing my ability to use KWF to limit Internet access. :(

Or... if I am wrong and something is misconfigured here, please do tell.
Re: Unauthenticated access to HTTPS sites allowed whilst requiring authentication [message #25144 is a reply to message #25068] Sat, 23 July 2005 20:17
Pavel Dobry (Kerio)
The initial request to the HTTPS sites is also encrypted. A secure, encrypted channel is established BEFORE that. The only thing you can restrict in HTTPS is the destination server, because it is a normal TCP connection like any other.
If you're using a proxy, you can also use URL rules in KWF for restricting users. URL rules are also valid for the proxy server in KWF. Unfortunately, only the server name can be used in rules; you cannot restrict files or extensions. The URL rule must contain 'https://' to be valid only for HTTPS in the proxy server.
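
The proxy case described in the reply above, as an added example that is not part of the original thread and is not Kerio's code: it models generic HTTP forward-proxy behaviour, where HTTPS arrives as a `CONNECT host:port` request, so a rule can see the server name but never the path or file extension. The rule dictionary shape, the function names and the sample request lines are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample request lines, as a forward proxy would receive them.
SAMPLE_REQUESTS = [
    "GET http://example.com/files/tool.exe HTTP/1.1",
    "CONNECT example.com:443 HTTP/1.1",
    "CONNECT intranet.example.org:443 HTTP/1.1",
]


def visible_to_proxy(request_line):
    """Return (scheme, host, path) readable from a proxy request line.

    For CONNECT the path is None: the client only names the server, and
    everything sent after the tunnel is established is encrypted.
    """
    method, target, _version = request_line.split(" ", 2)
    if method.upper() == "CONNECT":
        host, _, port = target.rpartition(":")
        scheme = "https" if port == "443" else "tcp"
        return scheme, host.lower(), None
    parts = urlsplit(target)
    return parts.scheme.lower(), (parts.hostname or "").lower(), parts.path or "/"


def rule_matches(rule, request_line):
    """Evaluate a hypothetical rule {'scheme', 'host', optional 'path_suffix'}."""
    scheme, host, path = visible_to_proxy(request_line)
    if rule["scheme"] != scheme or rule["host"] != host:
        return False
    suffix = rule.get("path_suffix")
    if suffix is None:
        return True  # server-name rule: works for HTTP and HTTPS alike
    # A file or extension condition cannot be evaluated when the path is hidden.
    return path is not None and path.endswith(suffix)


if __name__ == "__main__":
    host_rule = {"scheme": "https", "host": "example.com"}
    ext_rule = {"scheme": "https", "host": "example.com", "path_suffix": ".exe"}
    for line in SAMPLE_REQUESTS:
        print(line, "->", visible_to_proxy(line),
              "host rule:", rule_matches(host_rule, line),
              "extension rule:", rule_matches(ext_rule, line))
```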


Re: Unauthenticated access to HTTPS sites allowed whilst requiring authentication [message #25221 is a reply to message #25144] Mon, 25 July 2005 12:08
winkelman
Hmmm, ok. This damned encryption! :)

But what about the fact that people can go to HTTPS sites, even while not authenticated? I am sure this is not supposed to happen. And if you really can't stop it, please put a warning in the Administration Console next to the option that requires users to be authenticated to access 'web pages' (is an HTTPS page not a web page?).

About restricting access to HTTPS destination servers... I've tried that some time ago and couldn't get that to work either. (Opened a topic about this some time ago: http://forums.kerio.com/index.php?t=msg&goto=22562&S=45922d9913afabd48ec0bc277071980c ) I will try it again, maybe I did something wrong or something has changed in the newer KWF since May...
Re: Unauthenticated access to HTTPS sites allowed whilst requiring authentication [message #26718 is a reply to message #25221] Fri, 19 August 2005 11:55
winkelman
<bump>
winkelman wrote on Mon, 25 July 2005 12:08

But what about the fact that people can go to HTTPS sites, even while not authenticated? I am sure this is not supposed to happen. And if you really can't stop it, please put a warning in the Administration Console next to the option that requires users to be authenticated to access 'web pages' (is an HTTPS page not a web page?).

Somebody got an idea about this? My setup requires authentication, but even while not authenticated people can visit HTTPS sites. Can someone else confirm this?

Encryption or not, this seems illogical.
Re: Unauthenticated access to HTTPS sites allowed whilst requiring authentication [message #121521 is a reply to message #26718] Mon, 25 May 2015 09:29
Omid
I also have the same problem. Unauthenticated users can access HTTPS pages. Kerio won't log HTTPS pages even for authenticated users. That's funny, it hasn't been solved after 10 years.

[Updated on: Mon, 25 May 2015 09:31]
Re: Unauthenticated access to HTTPS sites allowed whilst requiring authentication [message #121525 is a reply to message #121521] Mon, 25 May 2015 12:20
Petr Dobry (Kerio)
Please, don't reopen 10 year old threads.

If you want to allow only auth users access to the Internet, create a NAT rule with Authenticated users as Source and put it on top.
That way the user must authenticate before he's allowed any access to the internet.

http://kb.kerio.com/product/kerio-control/content-filtering/filtering-https-connections-1651.html
http://kb.kerio.com/product/kerio-control/security/configuring-traffic-rules-1312.html


Petr Dobry
Product Development Manager | Kerio