Overview
Users of Kerio Control version 9.4.4 may experience issues while trying to access internal servers over HTTPS (port 443), usually located in other LAN subnets.
The behavior only affects HTTPS traffic on the standard 443 port, while ping or other traffic (SMTP, IMAP, HTTPS on custom ports etc.) is unhindered.
The behavior is known to affect authenticated users (including VPN users). It can be recognized by the following message, which appears in the Debug log when the "Packets dropped for some reason" message category is enabled:
[19/Mar/2024 13:19:33] {pktdrop} packet dropped: Not authenticated (from LAN, proto:TCP, len:52, 10.10.10.11:59990 -> 10.20.0.11:443, flags:[ SYN ], seq:4062925448 ack:0, win:64240, tcplen:0)
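As an added example (not from the original article), the following Python script parses {pktdrop} lines in the format shown above and counts the drops that match the symptom described here (reason "Not authenticated", TCP, destination port 443), so an administrator can see which clients and internal servers are hit before choosing a workaround. Only the first sample line is the one from this article; the other lines are constructed, and the field layout is assumed from that single line.

```python
import re
from collections import Counter

# Constructed sample of Kerio Control Debug-log lines. Line 1 is the one quoted in
# the article; lines 2-4 are made up to show drops that do NOT match the symptom
# (custom port, different drop reason) and one that does (a VPN client).
SAMPLE_LOG = """\
[19/Mar/2024 13:19:33] {pktdrop} packet dropped: Not authenticated (from LAN, proto:TCP, len:52, 10.10.10.11:59990 -> 10.20.0.11:443, flags:[ SYN ], seq:4062925448 ack:0, win:64240, tcplen:0)
[19/Mar/2024 13:19:34] {pktdrop} packet dropped: Not authenticated (from LAN, proto:TCP, len:52, 10.10.10.11:59991 -> 10.20.0.11:8443, flags:[ SYN ], seq:1 ack:0, win:64240, tcplen:0)
[19/Mar/2024 13:19:35] {pktdrop} packet dropped: Denied by traffic rule (from Internet, proto:TCP, len:52, 203.0.113.5:40000 -> 10.20.0.11:443, flags:[ SYN ], seq:2 ack:0, win:64240, tcplen:0)
[19/Mar/2024 13:19:36] {pktdrop} packet dropped: Not authenticated (from VPN, proto:TCP, len:52, 10.30.0.7:50000 -> 10.20.0.12:443, flags:[ SYN ], seq:3 ack:0, win:64240, tcplen:0)
"""

# Field layout assumed from the single line in the article.
PKTDROP_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \{pktdrop\} packet dropped: (?P<reason>[^(]+?) "
    r"\(from (?P<iface>[^,]+), proto:(?P<proto>\w+), len:\d+, "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)

def parse_pktdrop(line):
    """Return the fields of one {pktdrop} line as a dict, or None if it is not one."""
    m = PKTDROP_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec

def is_symptom(rec):
    """True when a drop matches the 9.4.4 pattern: 'Not authenticated', TCP, dst port 443."""
    return (rec["reason"] == "Not authenticated"
            and rec["proto"] == "TCP" and rec["dport"] == 443)

def summarize(log_text):
    """Count matching drops per (client, server) pair; count every other drop separately."""
    hits, other = Counter(), 0
    for line in log_text.splitlines():
        rec = parse_pktdrop(line)
        if rec is None:
            continue
        if is_symptom(rec):
            hits[(rec["src"], rec["dst"])] += 1
        else:
            other += 1
    return hits, other

if __name__ == "__main__":
    hits, other = summarize(SAMPLE_LOG)
    for (src, dst), n in hits.items():
        print(f"{src} -> {dst}:443 dropped 'Not authenticated' {n} time(s)")
    print(f"{other} other drop(s) not matching the symptom")
```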
Solution
This was a known issue with GFI Kerio Control version 9.4.4 (build 8407), which affects the way that the authentication to the appliance is being interpreted in the HTTPS traffic.
The issue is fixed in Kerio Control 9.4.4 P1 (see the Kerio Control 9.4.4 P1 Release Notes), so to resolve the behavior, upgrade Kerio Control to version 9.4.4 P1.
If you are unable to upgrade to the version containing the fix, for any reason, you can leverage the workarounds in this article.
Each point below is a workaround of its own, and you can apply the one that is most convenient for your current configuration and business need:
- (Preferred) Disable the protocol inspection on the Local Traffic rule:
  - In the administration interface, go to Configuration > Traffic Rules.
  - Right-click a table header and choose Columns > Inspector.
  - In the Local Traffic rule, double-click the Inspector column and choose None.
  - Click Apply.
  - Alternatively, if you have a rule for a specific HTTPS server sitting behind Kerio Control, you can disable the protocol inspection on that specific rule. See the example below of an internal Kerio Connect server:
- Enable HTTPS decryption; however, this requires effort from the end clients, as the Kerio Control HTTPS certificate would need to be installed on all client machines.
- Disable "Always require users to be authenticated when accessing web pages". This is the least preferred option, as it may require many other adjustments depending on your setup; however, it was also verified as a valid workaround.
<supportagent>
Issue is investigated under: https://github.com/trilogy-group/eng-maintenance/issues/7459
</supportagent>
Summary
This article provides workarounds for a known issue with GFI Kerio Control version 9.4.4, characterized by users being unable to access internal HTTPS resources on port 443. The Debug log will also contain "packet dropped: Not authenticated" messages, despite the users being authenticated. The suggested workarounds include disabling protocol inspection, enabling HTTPS decryption, and disabling the requirement for user authentication when accessing web pages.
FAQ
- What is the cause of the internal HTTPS traffic on port 443 failing with Kerio Control version 9.4.4?
  The issue is related to the authentication process and affects only HTTPS traffic on the default port 443.
- What are the possible workarounds for this issue?
  Workarounds include disabling protocol inspection, enabling HTTPS decryption, and disabling the requirement for user authentication when accessing web pages.
- Will there be a fix available?
  The issue is currently under investigation by the Development team, and as soon as a version containing the fix is published, it will be listed in the Kerio Control Release notes section. You can use the Follow button at the top to be notified when new articles are available.