GFI Software

Kerio Connect redirects from HTTPS to HTTP [message #128536] Fri, 18 March 2016 15:08
JeroenW
Messages: 14
Registered: March 2016
We are using WinGate as an edge firewall. We want to migrate from Exchange to Kerio Connect. WinGate is configured as a reverse proxy for Kerio Connect. The proxy server is listening on HTTPS. It requests client certificates and then proxies the requests to HTTP port 80 on the Kerio Connect server.
When visiting webmail on HTTPS, clients get redirected back to plain HTTP! When I change the URL back to HTTPS and log in, I am again redirected to HTTP. I actually want it the other way around but configuring the proxy this way will result in an endless loop because of this behaviour.
How can I disable this redirection in Kerio Connect or otherwise fix this?

Thanks in advance!
Re: Kerio Connect redirects from HTTPS to HTTP [message #128539 is a reply to message #128536] Fri, 18 March 2016 15:21
Pavel Dobry (Kerio)
Messages: 2057
Registered: October 2003
Location: Czech Republic
I think that this requires better configuration of the proxy server. If it terminates the HTTPS connection and then translates it to HTTP, then it must also rewrite URLs in redirects made by the target server from HTTP to HTTPS. Kerio Connect has no information that your HTTPS connection ends on a proxy server. Kerio Connect does not allow a redirect from HTTPS to HTTP. In fact, it can do the opposite.
So any redirect from a secure to a non-secure protocol is due to misconfiguration of the proxy server.


Re: Kerio Connect redirects from HTTPS to HTTP [message #128541 is a reply to message #128539] Fri, 18 March 2016 16:05
JeroenW
Messages: 14
Registered: March 2016
Thank you for your quick response.

Unfortunately I don't understand what I need to change on the proxy server. It works flawlessly on other web applications I publish like Exchange and Kaseya. I think Kerio Connect redirects back to HTTP on purpose because it is accessed through HTTP and has no knowledge of the HTTPS connection I make to the proxy server. Can you tell me how to disable this redirection or what I can do on the proxy server to prevent it?
Re: Kerio Connect redirects from HTTPS to HTTP [message #128542 is a reply to message #128541] Fri, 18 March 2016 16:29
Kerio/GFI Brian
Messages: 852
Registered: March 2004
Location: California
In Kerio Connect the setting to force secure connections is located in the security section -> security policy.

Brian Carmichael
Instructional Content Architect
Re: Kerio Connect redirects from HTTPS to HTTP [message #128553 is a reply to message #128542] Mon, 21 March 2016 08:33
JeroenW
Messages: 14
Registered: March 2016
Thanks, but that option also results in an endless loop, I think because HTTPS requests reach Kerio Connect on its HTTP service that will redirect them to HTTPS.
Re: Kerio Connect redirects from HTTPS to HTTP [message #128953 is a reply to message #128553] Wed, 13 April 2016 10:56
JeroenW
Messages: 14
Registered: March 2016
I really need this to work since Kerio Connect does not seem to be able to request client certificates. If client certificates cannot be requested, I cannot make Kerio Connect compliant with our company's security policy. This would be a shame because I like Kerio Connect very much because it is easy to administer and especially to troubleshoot and it has many features that we have missed in Exchange (2007) and every time I said Kerio Connect could do the trick.

Can anyone please tell me how to disable this redirection? Maybe in some configuration file? Or is there a way to make Kerio Connect request client certificates?
Re: Kerio Connect redirects from HTTPS to HTTP [message #128960 is a reply to message #128953] Wed, 13 April 2016 12:14
clan
Messages: 187
Registered: May 2011
If you set Kerio to force secure connections it will redirect access on port 80 to https on port 443. If Kerio is accessed on port 443 it should not redirect to http.
Did you check Kerio's debug log?
Re: Kerio Connect redirects from HTTPS to HTTP [message #128963 is a reply to message #128960] Wed, 13 April 2016 14:28
JeroenW
Messages: 14
Registered: March 2016
I think that is what Brian said. I tried that and that also results in an endless loop. I think because HTTPS requests reach Kerio Connect on its HTTP service that will redirect them to HTTPS which will again reach the HTTP service and be redirected again and so on.

When accessing webmail without requiring secure authentication I get this debug log:
[13/Apr/2016 13:56:53][1900] {https} Task 399 handler BEGIN
[13/Apr/2016 13:56:53][1900] {https} Task 399 handler starting
[13/Apr/2016 13:56:53][1900] {https} HTTP connection from 88.159.4.249:3632 started
[13/Apr/2016 13:56:53][1900] {https} GET request for URI /webmail/
[13/Apr/2016 13:56:53][1900] {https} User-Agent header: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
[13/Apr/2016 13:56:53][1900] {https} Found dispatcher for url /webmail/ with service id 80.
[13/Apr/2016 13:56:53][1900] {https} Response: HTTP/1.1 302 Found
[13/Apr/2016 13:56:53][1900] {https} Request finished in 0.02 s, received 288 bytes, sent 282 bytes
[13/Apr/2016 13:56:53][1900] {https} GET request for URI /webmail/login/
[13/Apr/2016 13:56:53][1900] {https} User-Agent header: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
[13/Apr/2016 13:56:53][1900] {https} Found dispatcher for url /webmail/login/ with service id 80.
[13/Apr/2016 13:56:53][1900] {https} Response: HTTP/1.1 200 OK
[13/Apr/2016 13:56:53][1900] {https} Request finished in 0.00 s, received 294 bytes, sent 2222 bytes
[13/Apr/2016 13:56:53][1900] {https} Task 399 handler END
[13/Apr/2016 13:56:53][1344] {https} Task 400 handler BEGIN
[13/Apr/2016 13:56:53][1344] {https} Task 400 handler starting
[13/Apr/2016 13:56:53][1344] {https} HTTP connection from 88.159.4.249:3633 started
[13/Apr/2016 13:56:53][1344] {https} GET request for URI /webmail/generatedDefaults.js
[13/Apr/2016 13:56:53][1344] {https} User-Agent header: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
[13/Apr/2016 13:56:53][1344] {https} Found dispatcher for url /webmail/generatedDefaults.js with service id 80.
[13/Apr/2016 13:56:53][1344] {https} Response: HTTP/1.1 200 OK
[13/Apr/2016 13:56:53][1344] {https} Request finished in 0.00 s, received 342 bytes, sent 876 bytes
[13/Apr/2016 13:56:58][2976] {https} Task 84247 handler END


And when requiring secure authentication I get this debug log:
[13/Apr/2016 14:15:58][164] {https} Task 405 handler BEGIN
[13/Apr/2016 14:15:58][164] {https} Task 405 handler starting
[13/Apr/2016 14:15:58][164] {https} HTTP connection from 88.159.4.249:8562 started
[13/Apr/2016 14:15:58][164] {https} HTTP request from 88.159.4.249 (GET /webmail/login/) redirected to HTTPS because of security policy.
[13/Apr/2016 14:15:58][164] {https} Task 405 handler END
[13/Apr/2016 14:15:58][2056] {https} Task 406 handler BEGIN
[13/Apr/2016 14:15:58][2056] {https} Task 406 handler starting
[13/Apr/2016 14:15:58][2056] {https} HTTP connection from 88.159.4.249:8563 started
[13/Apr/2016 14:15:58][2056] {https} HTTP request from 88.159.4.249 (GET /webmail/login/) redirected to HTTPS because of security policy.
[13/Apr/2016 14:15:58][2056] {https} Task 406 handler END
[13/Apr/2016 14:15:58][164] {https} Task 407 handler BEGIN
[13/Apr/2016 14:15:58][164] {https} Task 407 handler starting
[13/Apr/2016 14:15:58][164] {https} HTTP connection from 88.159.4.249:8564 started
[13/Apr/2016 14:15:58][164] {https} HTTP request from 88.159.4.249 (GET /webmail/login/) redirected to HTTPS because of security policy.
[13/Apr/2016 14:15:58][164] {https} Task 407 handler END
[13/Apr/2016 14:15:58][2056] {https} Task 408 handler BEGIN
[13/Apr/2016 14:15:58][2056] {https} Task 408 handler starting
[13/Apr/2016 14:15:58][2056] {https} HTTP connection from 88.159.4.249:8565 started
[13/Apr/2016 14:15:58][2056] {https} HTTP request from 88.159.4.249 (GET /webmail/login/) redirected to HTTPS because of security policy.
[13/Apr/2016 14:15:58][2056] {https} Task 408 handler END
[13/Apr/2016 14:15:58][164] {https} Task 409 handler BEGIN
[13/Apr/2016 14:15:58][164] {https} Task 409 handler starting
[13/Apr/2016 14:15:58][164] {https} HTTP connection from 88.159.4.249:8566 started
[13/Apr/2016 14:15:58][164] {https} HTTP request from 88.159.4.249 (GET /webmail/login/) redirected to HTTPS because of security policy.
[13/Apr/2016 14:15:58][164] {https} Task 409 handler END

...and so on until the browser detects the endless loop.

I noticed the log always says {https} even if I visit the HTTP service directly. First I thought Kerio Connect somehow knew my browser was using HTTPS but I guess that's not the case.
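
A way to flag this loop automatically from the debug log, as an added example that is not part of the original post and is not Kerio code. The regular expression follows the log entry format shown above; the sample lines, the threshold and the window are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the "redirected to HTTPS because of security policy" debug-log entry.
REDIRECT = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\[\d+\] \{https\} HTTP request from (?P<ip>\S+) "
    r"\([A-Z]+ (?P<uri>\S+)\) redirected to HTTPS because of security policy\."
)

# Constructed sample in the same format; 198.51.100.x are documentation addresses.
SAMPLE_LOG = """\
[13/Apr/2016 14:15:58][164] {https} Task 405 handler BEGIN
[13/Apr/2016 14:15:58][164] {https} HTTP request from 198.51.100.7 (GET /webmail/login/) redirected to HTTPS because of security policy.
[13/Apr/2016 14:15:58][2056] {https} HTTP request from 198.51.100.7 (GET /webmail/login/) redirected to HTTPS because of security policy.
[13/Apr/2016 14:15:58][164] {https} HTTP request from 198.51.100.7 (GET /webmail/login/) redirected to HTTPS because of security policy.
[13/Apr/2016 14:15:59][2056] {https} HTTP request from 198.51.100.7 (GET /webmail/login/) redirected to HTTPS because of security policy.
[13/Apr/2016 14:16:30][164] {https} HTTP request from 198.51.100.9 (GET /webmail/) redirected to HTTPS because of security policy.
"""


def find_redirect_loops(lines, threshold=3, window=timedelta(seconds=5)):
    """Return {(ip, uri): n} where one client was redirected n >= threshold times within window."""
    events = defaultdict(list)
    for line in lines:
        m = REDIRECT.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y %H:%M:%S")
            events[(m["ip"], m["uri"])].append(ts)
    loops = {}
    for key, stamps in events.items():
        stamps.sort()
        best = start = 0
        # Sliding window: largest number of redirects that fit inside `window`.
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            loops[key] = best
    return loops


if __name__ == "__main__":
    for (ip, uri), n in find_redirect_loops(SAMPLE_LOG.splitlines()).items():
        print(f"redirect loop: {ip} {uri} redirected {n} times")
```

A single redirect per client is normal when the security policy is on; many redirects for the same client and URI within a few seconds mean the redirected request is coming back in over plain HTTP again.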
Re: Kerio Connect redirects from HTTPS to HTTP [message #128966 is a reply to message #128963] Wed, 13 April 2016 17:34
clan
Messages: 187
Registered: May 2011
I am a bit confused now, does it work without requiring secure connections to Kerio? Then don't set the option. The connection is not encrypted between proxy and Kerio. Is there a setting in the proxy to set up a secure connection to the server?

This:
[13/Apr/2016 14:15:58][164] {https} HTTP request from 88.159.4.249 (GET /webmail/login/) redirected to HTTPS because of security policy.

shows that requests to http are redirected to https. If your proxy handles https requests, the redirected requests will never reach Kerio.
Re: Kerio Connect redirects from HTTPS to HTTP [message #128971 is a reply to message #128963] Wed, 13 April 2016 20:18
Pavel Dobry (Kerio)
Messages: 2057
Registered: October 2003
Location: Czech Republic
{https} means "HTTP Server", not HTTPS.

I do not understand. If you use a proxy to change the connection from HTTPS to HTTP, why did you configure Kerio Connect to require an encrypted connection? If you want to use an unencrypted HTTP connection from your proxy server, you should not configure Kerio Connect to redirect HTTP connections to HTTPS, because your proxy server is not capable of making an HTTPS connection to the Kerio Connect server.


Re: Kerio Connect redirects from HTTPS to HTTP [message #128974 is a reply to message #128971] Thu, 14 April 2016 08:36
JeroenW
Messages: 14
Registered: March 2016
I only configured Kerio Connect to require secure authentication temporarily because Brian told me to and so did Clan.

I don't want to redirect anything, the plain HTTP service redirects clients to plain HTTP when they are using HTTPS through the proxy. That is the original problem.

I assume people using Kerio Control as a reverse proxy for Kerio Connect will experience the same problem unless Kerio Control can forward requests to HTTPS; I can't do that using (this version of) WinGate. If Kerio Control can do this and request client certificates, then it is going to replace this WinGate server, which is quite old anyway. :)

[Updated on: Thu, 14 April 2016 09:04]


Re: Kerio Connect redirects from HTTPS to HTTP [message #129007 is a reply to message #128536] Thu, 14 April 2016 17:47
Kerio/GFI Brian
Messages: 852
Registered: March 2004
Location: California
I didn't advise enabling or disabling the option, I was only directing you to the location within the configuration which controls the behavior. In either case, your reverse proxy should be able to handle the configuration. I suggest that you reach out to WinGate for assistance on this issue. Otherwise, if you replace WinGate with Kerio Control then we will be able to better assist you with your reverse proxy configuration.

Brian Carmichael
Instructional Content Architect

[Updated on: Thu, 14 April 2016 17:47]


Re: Kerio Connect redirects from HTTPS to HTTP [message #129128 is a reply to message #128536] Thu, 21 April 2016 13:13
JeroenW
Messages: 14
Registered: March 2016
Unfortunately, the option does not affect this specific behaviour. Qbik (WinGate) cannot possibly help me with this, I think it's a bug in Kerio Connect since I can't think of any scenario in which this could be useful.
If this can or will not be changed, I hate to say we'll have to find an alternative, unless client certificate support would be added to Kerio Connect (or Kerio Control) soon. Kerio Control does not seem to support client certificates. So unless I've missed it, Kerio Control is not a viable alternative to WinGate for us.

Re: Kerio Connect redirects from HTTPS to HTTP [message #129150 is a reply to message #129128] Fri, 22 April 2016 15:33
Pavel Dobry (Kerio)
Messages: 2057
Registered: October 2003
Location: Czech Republic
Maybe you should share what HTTP headers are sent by WinGate to the HTTP server behind it (Kerio Connect). If Kerio Connect has no idea that the browser uses HTTPS, how should the server redirect the user to HTTPS?
WinGate must rewrite the Location HTTP header with the correct hostname and protocol when doing reverse proxy. This is basic functionality of every reverse proxy server.
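
The Location rewrite described in this reply, sketched in Python as an added example that is not part of the original post and is neither WinGate nor Kerio code. The hostnames, the address and the names `PUBLIC_HOST` and `BACKEND_HOSTS` are assumptions made for illustration.

```python
from urllib.parse import urlsplit, urlunsplit

# Assumed values for illustration; none of these names come from the thread.
PUBLIC_HOST = "mail.example.com"  # hostname clients use on the HTTPS listener
BACKEND_HOSTS = {"mail.example.com", "kerio.internal.example", "192.0.2.10"}


def rewrite_location(location, public_host=PUBLIC_HOST, backend_hosts=BACKEND_HOSTS):
    """Return the Location value a TLS-terminating proxy should hand to the client."""
    parts = urlsplit(location)
    # Relative and scheme-relative redirects already inherit the client's
    # https:// origin, so they pass through untouched.
    if not parts.scheme:
        return location
    host = (parts.hostname or "").lower()
    # Rewrite only plain-HTTP redirects that point back at the proxied backend;
    # redirects to unrelated sites are left alone.
    if parts.scheme != "http" or host not in backend_hosts:
        return location
    # Use the public name and drop the backend port so the client comes back
    # to the HTTPS listener instead of port 80.
    return urlunsplit(("https", public_host, parts.path, parts.query, parts.fragment))


def rewrite_response_headers(headers):
    """Apply the rewrite to a list of (name, value) backend response headers."""
    return [
        (name, rewrite_location(value) if name.lower() == "location" else value)
        for name, value in headers
    ]


if __name__ == "__main__":
    # Constructed backend response: a 302 that sends the browser to plain HTTP.
    backend = [("Location", "http://mail.example.com/webmail/login/"),
               ("Content-Type", "text/html")]
    print(rewrite_response_headers(backend))
```

Restricting the rewrite to known backend hosts keeps the proxy from altering redirects that legitimately leave the site.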


Re: Kerio Connect redirects from HTTPS to HTTP [message #129192 is a reply to message #129150] Mon, 25 April 2016 19:18
JeroenW
Messages: 14
Registered: March 2016
There are no HTTP headers modified or added by WinGate. Kerio Connect should not redirect to HTTPS, this option is not enabled. Kerio Connect redirects to HTTP instead of HTTPS and that is the problem, it should not redirect at all. I have not configured Kerio Connect to only accept certain host headers, I don't even know how to do that. Users reach Kerio Connect through the proxy using a hostname that internally resolves to the local IP address of the Kerio Connect server.

I can modify or add headers to be sent to the Kerio Connect server if required.