Overview
To prevent unauthenticated or unauthorized users and devices from accessing Internet web pages, specific Kerio Control settings must be applied. Internet access can be limited by modifying the default Traffic rules.
This article provides a step-by-step procedure on how to allow access only for authenticated users and VPN clients.
Prerequisites
Enable the Always require users to be authenticated when accessing web pages option.
Solution
- Log in to the Kerio Control administration interface and navigate to Configuration -> Traffic Rules.
- Locate the standard Internet Access (NAT) rule, double-click on the Source column, and modify the default items to include Any authenticated user and VPN clients only.
- (Optional) Move the rule to the top of the Traffic rules. The resulting rule will look like the following.
Forcing Users to Authenticate via HTTPS filtering
By default, Kerio Control has HTTPS traffic filtering disabled, while most websites automatically redirect HTTP traffic to HTTPS. Since Kerio Control is not filtering or scanning this traffic, authentication is not forced on it. For example, on most devices, users will be able to bypass the need to log in by ignoring the login prompt and opening a new tab.
To resolve the issue and force users to authenticate before accessing any webpage, enable HTTPS traffic filtering: navigate to WebAdmin UI > Configuration > Content Filter > HTTPS Filtering and tick the Decrypt and filter HTTPS traffic checkbox, as shown in the image below:
When HTTPS decryption is enabled, a security pop-up will appear each time a user tries to access an HTTPS/secure webpage. To prevent this from happening, please follow the guidelines in the Exporting and Importing Kerio Control Local Authority as a Root Certificate article.
Keep in mind that HTTPS decryption throttles the throughput of the network.
Testing
With this configuration, unauthenticated users will not be prompted to sign in. Kerio Control simply blocks all traffic until the user authenticates on their own. The page below will be shown to unauthenticated users: