Phone Lines icon GFI Support Home

Articles in this section

See more

Filtering HTTPS Connections

Author: Hossam Mohsen Updated

Overview

Kerio Control decrypts and filters HTTPS (Hyper Text Transfer Protocol Secure) connections. Filtering is the same as for the HTTP (Hyper Text Transfer Protocol). Kerio Control can apply the same filters and methods to the content of HTTPS connections, such as:

  • Filtering URLs.
  • Kerio Control Web Filter.
  • Antivirus check.

The filtering results can be reviewed under User Statistics and Reporting.

When a user accesses a site secured by HTTPS, an SSL certificate warning appears because Kerio Control uses its own certificate for encrypting HTTPS communication. For additional information refer to Exporting and Importing Kerio Control Local Authority as a Root Certificate.

Note: HTTPS protocol filtering provides an HTTPS inspector. Administrators can switch off the inspector for a particular rule in the Traffic Rules section or for a specific protocol in the Definitions > Services section. For additional information, refer to Configuring the Protocol Inspection Feature.

Important: When using a non-transparent proxy server, the HTTPS filtering does not work. For additional information, refer to Configuring Proxy Servers.

Step By Step Guide

  1. In the administration interface, go to Content Filter > HTTPS Filtering.
  2. Check the option Decrypt and filter HTTPS traffic.
  3. Check the option Show Legal Notice to users if it is necessary for your country. Contact your legal advisor if it is necessary to choose this option. When users open an HTTPS site, Kerio Control warns them that the connection is decrypted by Kerio Control. The disclaimer appears each logged-in user once per session and might be annoying to users.
  4. Click Apply.

Kerio Control decrypts and filters all HTTPS communication.

Setting HTTPS Filtering Exceptions

Kerio Control allows you to add exceptions from HTTPS filtering. There are two types of exceptions:

  • Exclude specific traffic from decryption.
  • Decrypt specified traffic only use it when you need to decrypt only certain servers or users.

You can set exceptions for:

  • IP addresses.
  • Users.

Excluding Traffic to/from IP Addresses

Some web applications cannot use the Kerio Control certification authority (e.g. web access to banks, Dropbox, Microsoft) or use a non-HTTPS service on port 443. You must exclude these web applications from the HTTPS filtering.

To set exceptions for a web application, you must know its IP address, domain name, or hostname:

  1. On the HTTPS Filtering tab, choose the option Exclude specific traffic from decryption.
  2. Next to the Traffic to/from IP addresses which belong to field, click Edit.
  3. In the IP Address Groups dialog box, click Add.
  4. In the Add IP Address dialog box, click Select existing.
  5. In the Select existing menu, choose HTTPS exclusions.
  6. Choose Addresses and enter the IP address, hostname or domain name of the web application.

    Note: If you add a domain name, you must use the Kerio Control DNS server and enable the DNS cache. For additional information, refer to DNS Forwarding Service.

    If you use an IP address or a hostname, you can use any DNS server.
  7. Save your settings.
  8. On the HTTPS Filtering tab, click Apply. All web applications in this list are excluded from the HTTPS filtering.

Note: To change or delete an exclusion, go to the Definitions > IP address groups section.

Excluding Users from the HTTPS Filtering

If there are Kerio Control users which cannot use HTTPS filtering (e.g. because of legal reasons):

  1. On the HTTPS Filtering tab, click Exclude specified traffic from decryption.
  2. Next to the Traffic from the following users field, click Select.
  3. In the Select Items dialog box, click Add.

  4. In the new Select Items dialog box, choose the domain of users which should be excluded.
  5. Choose the users and click OK. Kerio Control adds users to the list.
  6. Click OK.
  7. On the HTTPS Filtering tab, click Apply.

Kerio Control displays the list of excluded user in the Exclude traffic from the following users field. These users are excluded from the HTTPS filtering.

Importing a certificate for untrusted web applications

Sometimes you or your users need to go to servers with a self-signed certificate. Such certificates are untrusted, so Kerio Control needs the certificate for authentication:

  • Add the server to a list of excluded applications.
  • Install the certificate of the server to Kerio Control.

Installing certificates to Kerio Control

  1. In the administration interface, go to Definitions > SSL Certificates.
  2. Click More actions > Import > Import New Certificate.
  3. The Import Certificate dialog box opens.
  4. In the Import Certificate dialog box, choose the option Certificate without private key.
  5. Enter the URL of the web application or if you have the certificate, choose the certificate file.
  6. Click Import.

Confirmation

The new certificate appears in the SSL Certificates section. Now your users can go to the untrusted page.

Related articles