Overview
You may be experiencing difficulties in blocking access to specific websites (Facebook, TikTok, Youtube, Skype etc.) for certain or all users on the network. If that is the case, then this article is for you!
You may have also applied (for Youtube) the steps for Unable to Block YouTube Through Kerio Control, and the traffic is still not blocked. The difficulty in blocking these sites/platforms comes from the fact that at least part of their traffic is flowing via QUIC or UDP protocols, and the Content Filter is ineffective against these protocols, as it was designed for the TCP protocol.
Solution
One of the most important aspects of the content filter is that it operates on the HTTP protocol, and all modern websites and platforms have HTTPS in place.
Therefore, in order to be able to efficiently block modern social media, Filtering HTTPS Connections needs to be implemented. Please note that HTTPS decryption requires that the Kerio Control Authority Certificate is downloaded on each client device, in order to avoid SSL certificate warnings. This is further detailed in our article for Exporting and Importing Kerio Control Local Authority as a Root Certificate.
However, if you are unable, for any reason, to enable HTTPS decryption, you will need to configure traffic rules in order to block such traffic, by leveraging the website hostname and wildcard expressions. Below you can see a very simple traffic rule that completely blocks TikTok, disregarding HTTPS decryption:
Similar rules can be configured for any other platforms that you wish to block.
You can find more information on the process in our dedicated article for Configuring Generic Traffic Rules in Kerio Control.
Another approach to blocking unwanted traffic to specific platform, is to create a generic traffic rule that blocks UDP traffic on port 443. However, please note that this is highly dependent on the network configuration and business needs.
Summary
This article provides a step-by-step guide on how to block access to specific websites (Facebook, TikTok, Youtube, Skype etc.), for which the Content Filter may not be effective. The solution includes, enabling HTTPS decryption, creating traffic rules containing the hostnames of the websites, or creating a traffic rule to block traffic on UDP port 443.
FAQ
-
Why is HTTPS Decryption necessary?
HTTPS Decryption is necessary for the content rules to work effectively, as many websites use secure connections (HTTPS). -
What is the role of the Kerio Control Authority certificate in this process?
Because Kerio Control filters HTTPS traffic, an SSL certificate warning appears to users, since the HTTPS traffic is re-encrypted by Kerio Control using its own certificate. Installing the Kerio Control certificate in the client machines allows the warnings to go away, as each client will deem the traffic as valid. -
What should I do if I can't enable HTTPS decryption to block these HTTPS websites?
Whenever unable to leverage Content Rules and HTTPS decryption, you can resort to creating Traffic Rules against the websites/hostnames in questions. Traffic rules also allow the usage of wildcards (*).