Authentication doesn't work in my Kerio control 8.6.2 build 3847 [message #126424]
Tue, 15 December 2015 15:41
nmm4829
Messages: 32 Registered: November 2015
Hi friends,
I have encountered a strange problem in Kerio Control 8.6.2 build 3847.
I have newly installed the Kerio Control software appliance into my Hyper-V 2012R2 VM and joined it to my clean Windows 2012R2 domain, and the test domain connection passes successfully.
Prior to doing any modifications in Kerio Control, because of the default "internet Access (NAT) rule", everything is OK and I can browse the internet from any internal computer without any problem, and no authentication occurs.
But I need to modify this behavior so that users are forced to log in at the Kerio login page in order to access the internet.
But after doing two modifications in Kerio Control, now no login page appears and there is no internet access (IE shows the blank "the page can't be displayed"):
1- In domain and user login, I checked "Always require users to be authenticated".
2- In the default "internet Access (NAT) rule", I removed the "Trusted/Local interfaces" and instead added any of the following groups, but none works: "Authenticated users", "Domain users" or "MyDomainGroup1".
Any help, please. Thanks in advance.
[Updated on: Tue, 15 December 2015 15:42]

Re: Authentication doesn't work in my Kerio control 8.6.2 build 3847 [message #126435 is a reply to message #126427]
Tue, 15 December 2015 19:09
nmm4829
Pavel Dobry (Kerio) wrote on Tue, 15 December 2015 15:48:
Please read http://kb.kerio.com/product/kerio-control/server-configuration-kerio-control/authenticating-users-to-kerio-control-1811.html for more information.
If you redirect users to firewall login page, make sure that this is allowed by traffic rules and also that clients can resolve firewall hostname.

Thanks. I reviewed that link and all related links. My settings are correct. Clients are able to resolve the hostname and FQDN of Kerio Control.
Here is the odd behaviour: in the default NAT rule, when I add trusted/local interfaces (in addition to "authenticated users"), now:
when I type a name in the address bar (for example www.google.com), the login page appears and I have to log in (what I wanted);
but when I type an IP address in the address bar (for example http://19.168.1.10, which is a web server located in the DMZ), that website is opened without any authentication and without the Kerio login page appearing.
I really got confused.
By the way, what traffic rule is needed regarding your sentence:
"If you redirect users to firewall login page, make sure that this is allowed by traffic rules"
If I am not mistaken, Kerio by default has this requirement and it is not required to create any rule for this purpose (redirecting to the Kerio login web page).
Any further help, please.
[Updated on: Tue, 15 December 2015 19:13]

Re: Authentication doesn't work in my Kerio control 8.6.2 build 3847 [message #126453 is a reply to message #126424]
Wed, 16 December 2015 13:45
nmm4829
I designed the full details of my network topology in Visio and attach it here, waiting for help.
To remind: I have a very simple problem, IE is not redirected to the Kerio login page.
After installing Kerio, all clients can browse both the internet and the DMZ web servers.
The only changes after the Kerio Control installation are:
Created a traffic rule to allow DNS queries from (DC+DNS srv) to the internet.
In Domains and user login, the "always require users to be authenticated" checkmark has been selected.
In the default "internet access (NAT)" rule, in Destination, Kerio's DMZ interface (192.168.1.101) was added.
In advanced options, web interface tab:
  Force SSL is deselected.
  Web interface is accessible at: http://control101.mykerio.lab:4080
  The Control101 record has been created in the DNS database and clients can resolve control101.mykerio.lab to the IP address 10.1.1.101.
In the default "internet access (NAT)" rule, in "source", we remove all existing items and instead add only "any authenticated user" or "domain users" or "DomainGroup1".
But when clients want to browse to www.google.com or 192.168.1.20, IE is not redirected to the Kerio login page and instead IE shows the blank "page can't be displayed".
Any help, please!
[Updated on: Wed, 16 December 2015 13:57]

Re: Authentication doesn't work in my Kerio control 8.6.2 build 3847 [message #126491 is a reply to message #126455]
Wed, 16 December 2015 23:34
nmm4829
Petr Dobry (Kerio) wrote on Wed, 16 December 2015 14:14:
Kerio Control redirects automatically only when unauthenticated users are accessing the Internet via HTTP protocol. So you need to enable "always require users to be authenticated" and allow a traffic rule for them (Source: LAN, Destination: Internet interfaces, Service HTTP, Allow, NAT).
Once users are authenticated, your rule with Source: Authenticated users will apply.
Otherwise, users must authenticate on http://control101.mykerio.lab:4080 manually prior to accessing the Internet.

Hi, thanks.
So I created the rule you mentioned, above my rule.
Now another odd behavior:
when I browse from the DC to the DMZ web server (192.168.1.20), the redirection page appears;
but when I browse from a client to the DMZ web server (192.168.1.20), the DMZ website opens without any authentication (the system shows they accessed it via the NAT rule you mentioned).
Really annoying. I migrated from MS TMG server to Kerio with the hope of eliminating problems, but now there is a new strange problem in Kerio Control as well.
Attachment: Capture.PNG

Re: Authentication doesn't work in my Kerio control 8.6.2 build 3847 [message #126574 is a reply to message #126424]
Sat, 19 December 2015 16:19
nmm4829
Hi again. Unfortunately nobody gave me correct, complete help.
I myself accidentally noticed a very important thing which nobody mentioned here.
In one of the Kerio documents I noticed the correct procedure to reach this goal (especially step 2 below):
Step 1: my first need was for users to be redirected to the login page when accessing the internet or DMZ web servers,
so the correct solution which worked is:
above the default NAT rule, create a rule like this:
source: trusted local interfaces, destination: internet interfaces and DMZ interface, service = http, action = allow, translation = NAT
Step 2 (nobody guided me on this): my second need was a configuration so that only specific users or groups are allowed to browse web servers on the internet or in the DMZ. We must go to content filter\content rules and there create a rule at the topmost level, and in the source we specify the user or group.
Now my final problem is: although in content filter\content rules, at the topmost level, I've specified only a specific domain user or a specific domain group in the "source", the firewall accepts all domain users when they enter their username and password at the firewall login page.
Content rule: detected content: any, source: user1@Mydomain.lab or group1@mydomain.lab, action = allow
What can be the problem?
[Updated on: Sat, 19 December 2015 16:34]