Phone Lines icon GFI Support Home

Articles in this section

See more

Unable to Block YouTube Through Kerio Control

Author: Central KB Updated

Overview

Kerio Control does not block YouTube when users access the site using Google Chrome. This article explains why this issue occurs and how you can work around it. 

Note:

The QUIC functionality can be disabled directly in Google Chrome, but it works successfully at the individual level only. At the group level, disabling QUIC functionality may or may not work.

Please follow the steps below if you wish to do so.

  1. Open a new tab and type chrome://flags.

  2. Look for QUIC and disable Experimental QUIC protocol.

    youtube_quic.png

  3. Click Relaunch Now.

Environment

  • Kerio Control versions 9.2.6 and below
  • Google Chrome

Root Cause

Kerio Control's TLS (Transport Layer Security) recognizer only detects TCP protocol. YouTube uses the QUIC protocolwhich is operating on UDP port 443 on Google Chrome. Therefore, the TLS recognizer does not block the YouTube URL.

The application awareness for YouTube also checks for TCP connections, and this does not work for the QUIC protocol operating on UDP port 443.

Resolution

Kerio Control 9.2.8 release has enhanced our TLS protocol recognizer to detect hostnames from QUIC traffic. You need to upgrade to this version to permanently resolve this issue.

Workaround

If it is not feasible to do an upgrade at this time, you can create a traffic rule that blocks UDP port 443 and adding www.youtube.com to the content filter as per the following steps:

  1. In the Kerio Control web console, go to Configuration (Gear Icon) > Content Filter.

  2. Create a new content rule by clicking on the Add button. Detected content type should be Any.

  3. Enter the rule name in the Name field.


    filter1.png

  4. Click on the URL Hostname under the Detected Content section, and enter the www.youtube.com URL.


    filter2.png

  5. Tick Also apply to secured connections (HTTPS) checkbox.


    filter3.png

  6. Enter the Username or IP address Group in the Source field.

  7. Select Drop or Deny in the Action field.

filter4.png

Note: If you are not blocking the UDP port 443, make sure you clear the cache within the web browser after adding the YouTube URL in the content filter for blocking.

Back to top

Troubleshooting Tips

If there are any issues with allowing traffic, you can try resolving them by enabling Skip Antivirus scanning and Do not require authentication options in the Content Rule - Action window.


filter5.png

Back to top

Additional Resources 

Back to top

Related articles