Kerio Connect redirects from HTTPS to HTTP [message #128536]
Fri, 18 March 2016 15:08
JeroenW
Messages: 14 Registered: March 2016
We are using WinGate as an edge firewall. We want to migrate from Exchange to Kerio Connect. WinGate is configured as a reverse proxy for Kerio Connect. The proxy server is listening on HTTPS. It requests client certificates and then proxies the requests to HTTP port 80 on the Kerio Connect server.
When visiting webmail on HTTPS, clients get redirected back to plain HTTP! When I change the URL back to HTTPS and log in, I am again redirected to HTTP. I actually want it the other way around but configuring the proxy this way will result in an endless loop because of this behaviour.
How can I disable this redirection in Kerio Connect or otherwise fix this?
Thanks in advance!

Re: Kerio Connect redirects from HTTPS to HTTP [message #128541 is a reply to message #128539]
Fri, 18 March 2016 16:05
JeroenW
Messages: 14 Registered: March 2016
Thank you for your quick response.
Unfortunately I don't understand what I need to change on the proxy server. It works flawlessly on other web applications I publish like Exchange and Kaseya. I think Kerio Connect redirects back to HTTP on purpose because it is accessed through HTTP and has no knowledge of the HTTPS connection I make to the proxy server. Can you tell me how to disable this redirection or what I can do on the proxy server to prevent it?

Re: Kerio Connect redirects from HTTPS to HTTP [message #128953 is a reply to message #128553]
Wed, 13 April 2016 10:56
JeroenW
Messages: 14 Registered: March 2016
I really need this to work since Kerio Connect does not seem to be able to request client certificates. If client certificates cannot be requested, I cannot make Kerio Connect compliant with our company's security policy. This would be a shame because I like Kerio Connect very much because it is easy to administer and especially to troubleshoot and it has many features that we have missed in Exchange (2007) and every time I said Kerio Connect could do the trick.
Can anyone please tell me how to disable this redirection? Maybe in some configuration file? Or is there a way to make Kerio Connect request client certificates?

Re: Kerio Connect redirects from HTTPS to HTTP [message #128963 is a reply to message #128960]
Wed, 13 April 2016 14:28
JeroenW
Messages: 14 Registered: March 2016
I think that is what Brian said. I tried that and that also results in an endless loop. I think because HTTPS requests reach Kerio Connect on its HTTP service that will redirect them to HTTPS which will again reach the HTTP service and be redirected again and so on.
When accessing webmail without requiring secure authentication I get this debug log:
[13/Apr/2016 13:56:53][1900] {https} Task 399 handler BEGIN
[13/Apr/2016 13:56:53][1900] {https} Task 399 handler starting
[13/Apr/2016 13:56:53][1900] {https} HTTP connection from 88.159.4.249:3632 started
[13/Apr/2016 13:56:53][1900] {https} GET request for URI /webmail/
[13/Apr/2016 13:56:53][1900] {https} User-Agent header: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
[13/Apr/2016 13:56:53][1900] {https} Found dispatcher for url /webmail/ with service id 80.
[13/Apr/2016 13:56:53][1900] {https} Response: HTTP/1.1 302 Found
[13/Apr/2016 13:56:53][1900] {https} Request finished in 0.02 s, received 288 bytes, sent 282 bytes
[13/Apr/2016 13:56:53][1900] {https} GET request for URI /webmail/login/
[13/Apr/2016 13:56:53][1900] {https} User-Agent header: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
[13/Apr/2016 13:56:53][1900] {https} Found dispatcher for url /webmail/login/ with service id 80.
[13/Apr/2016 13:56:53][1900] {https} Response: HTTP/1.1 200 OK
[13/Apr/2016 13:56:53][1900] {https} Request finished in 0.00 s, received 294 bytes, sent 2222 bytes
[13/Apr/2016 13:56:53][1900] {https} Task 399 handler END
[13/Apr/2016 13:56:53][1344] {https} Task 400 handler BEGIN
[13/Apr/2016 13:56:53][1344] {https} Task 400 handler starting
[13/Apr/2016 13:56:53][1344] {https} HTTP connection from 88.159.4.249:3633 started
[13/Apr/2016 13:56:53][1344] {https} GET request for URI /webmail/generatedDefaults.js
[13/Apr/2016 13:56:53][1344] {https} User-Agent header: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
[13/Apr/2016 13:56:53][1344] {https} Found dispatcher for url /webmail/generatedDefaults.js with service id 80.
[13/Apr/2016 13:56:53][1344] {https} Response: HTTP/1.1 200 OK
[13/Apr/2016 13:56:53][1344] {https} Request finished in 0.00 s, received 342 bytes, sent 876 bytes
[13/Apr/2016 13:56:58][2976] {https} Task 84247 handler END
And when requiring secure authentication I get this debug log:
[13/Apr/2016 14:15:58][164] {https} Task 405 handler BEGIN
[13/Apr/2016 14:15:58][164] {https} Task 405 handler starting
[13/Apr/2016 14:15:58][164] {https} HTTP connection from 88.159.4.249:8562 started
[13/Apr/2016 14:15:58][164] {https} HTTP request from 88.159.4.249 (GET /webmail/login/) redirected to HTTPS because of security policy.
[13/Apr/2016 14:15:58][164] {https} Task 405 handler END
[13/Apr/2016 14:15:58][2056] {https} Task 406 handler BEGIN
[13/Apr/2016 14:15:58][2056] {https} Task 406 handler starting
[13/Apr/2016 14:15:58][2056] {https} HTTP connection from 88.159.4.249:8563 started
[13/Apr/2016 14:15:58][2056] {https} HTTP request from 88.159.4.249 (GET /webmail/login/) redirected to HTTPS because of security policy.
[13/Apr/2016 14:15:58][2056] {https} Task 406 handler END
[13/Apr/2016 14:15:58][164] {https} Task 407 handler BEGIN
[13/Apr/2016 14:15:58][164] {https} Task 407 handler starting
[13/Apr/2016 14:15:58][164] {https} HTTP connection from 88.159.4.249:8564 started
[13/Apr/2016 14:15:58][164] {https} HTTP request from 88.159.4.249 (GET /webmail/login/) redirected to HTTPS because of security policy.
[13/Apr/2016 14:15:58][164] {https} Task 407 handler END
[13/Apr/2016 14:15:58][2056] {https} Task 408 handler BEGIN
[13/Apr/2016 14:15:58][2056] {https} Task 408 handler starting
[13/Apr/2016 14:15:58][2056] {https} HTTP connection from 88.159.4.249:8565 started
[13/Apr/2016 14:15:58][2056] {https} HTTP request from 88.159.4.249 (GET /webmail/login/) redirected to HTTPS because of security policy.
[13/Apr/2016 14:15:58][2056] {https} Task 408 handler END
[13/Apr/2016 14:15:58][164] {https} Task 409 handler BEGIN
[13/Apr/2016 14:15:58][164] {https} Task 409 handler starting
[13/Apr/2016 14:15:58][164] {https} HTTP connection from 88.159.4.249:8566 started
[13/Apr/2016 14:15:58][164] {https} HTTP request from 88.159.4.249 (GET /webmail/login/) redirected to HTTPS because of security policy.
[13/Apr/2016 14:15:58][164] {https} Task 409 handler END
...and so on until the browser detects the endless loop.
I noticed the log always says {https} even if I visit the HTTP service directly. First I thought Kerio Connect somehow knew my browser was using HTTPS but I guess that's not the case.
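
An added example, not part of the original posts and not Kerio or WinGate code: a small Python model of the two behaviours in the logs above, assuming the backend builds absolute redirect URLs from the scheme it sees on its own HTTP listener (the poster's hypothesis). The hostname, the function names and the proxy-side `Location` rewrite are hypothetical.

```python
from urllib.parse import urlsplit

HOST = "mail.example.test"  # constructed hostname, not from the thread

def backend(path, require_secure):
    """Toy backend that is only ever reached over plain HTTP (assumed behaviour)."""
    if require_secure:
        # Every request arrives as HTTP, so the policy always redirects to HTTPS.
        return 302, f"https://{HOST}{path}"
    if path == "/webmail/":
        # Absolute redirect built from the scheme the backend itself sees.
        return 302, f"http://{HOST}/webmail/login/"
    return 200, None

def proxy(path, require_secure, rewrite):
    """TLS-terminating reverse proxy: forwards as HTTP, optionally fixes Location."""
    status, loc = backend(path, require_secure)
    if rewrite and loc and loc.startswith(f"http://{HOST}/"):
        loc = "https://" + loc[len("http://"):]  # keep the client on TLS
    return status, loc

def follow(start, require_secure=False, rewrite=False, max_hops=10):
    """Follow redirects like a browser; return (outcome, list of visited URLs)."""
    url, chain = start, [start]
    for _ in range(max_hops):
        parts = urlsplit(url)
        if parts.scheme != "https":
            return "downgraded", chain      # client was sent off the TLS listener
        status, loc = proxy(parts.path, require_secure, rewrite)
        if status != 302:
            return "ok", chain
        if loc in chain:
            return "loop", chain + [loc]    # same URL again: endless redirect
        url = loc
        chain.append(loc)
    return "too many redirects", chain

if __name__ == "__main__":
    start = f"https://{HOST}/webmail/"
    for kwargs in ({}, {"rewrite": True}, {"require_secure": True},
                   {"require_secure": True, "rewrite": True}):
        print(kwargs, follow(start, **kwargs))
```

In this model, rewriting `Location` at the proxy removes the downgrade, but it cannot break the loop once the backend's HTTPS-only policy is on, because the backend never sees an HTTPS request.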

Re: Kerio Connect redirects from HTTPS to HTTP [message #128966 is a reply to message #128963]
Wed, 13 April 2016 17:34
clan
Messages: 187 Registered: May 2011
I am a bit confused now, does it work without requiring secure connections to Kerio? Then don't set the option. The connection is not encrypted between proxy and Kerio. Is there a setting in the proxy to set up a secure connection to the server?
This:
[13/Apr/2016 14:15:58][164] {https} HTTP request from 88.159.4.249 (GET /webmail/login/) redirected to HTTPS because of security policy.
shows that requests to http are redirected to https. If your proxy handles https requests, the redirected requests will never reach Kerio.

Re: Kerio Connect redirects from HTTPS to HTTP [message #129007 is a reply to message #128536]
Thu, 14 April 2016 17:47
Kerio/GFI Brian
Messages: 852 Registered: March 2004 Location: California
I didn't advise enabling or disabling the option, I was only directing you to the location within the configuration which controls the behavior. In either case, your reverse proxy should be able to handle the configuration. I suggest that you reach out to WinGate for assistance on this issue. Otherwise, if you replace WinGate with Kerio Control then we will be able to better assist you with your reverse proxy configuration.
Brian Carmichael
Instructional Content Architect
[Updated on: Thu, 14 April 2016 17:47]

Re: Kerio Connect redirects from HTTPS to HTTP [message #129128 is a reply to message #128536]
Thu, 21 April 2016 13:13
JeroenW
Messages: 14 Registered: March 2016
Unfortunately, the option does not affect this specific behaviour. Qbik (WinGate) cannot possibly help me with this, I think it's a bug in Kerio Connect since I can't think of any scenario in which this could be useful.
If this can or will not be changed, I hate to say we'll have to find an alternative, unless client certificate support would be added to Kerio Connect (or Kerio Control) soon. Kerio Control does not seem to support client certificates. So unless I've missed it, Kerio Control is not a viable alternative to WinGate for us.

Re: Kerio Connect redirects from HTTPS to HTTP [message #129192 is a reply to message #129150]
Mon, 25 April 2016 19:18
JeroenW
Messages: 14 Registered: March 2016
There are no HTTP headers modified or added by WinGate. Kerio Connect should not redirect to HTTPS, this option is not enabled. Kerio Connect redirects to HTTP instead of HTTPS and that is the problem, it should not redirect at all. I have not configured Kerio Connect to only accept certain host headers, I don't even know how to do that. Users reach Kerio Connect through the proxy using a hostname that internally resolves to the local IP address of the Kerio Connect server.
I can modify or add headers to be sent to the Kerio Connect server if required.