Filtering HTTPS connections

Kerio Control decrypts and filters HTTPSHypertext Transfer Protocol - version of HTTP secured by SSL. connections. Filtering is the same as for the HTTPHypertext Transfer Protocol - protocol for exchange of hypertext documents in HTML. protocol. Kerio Control can apply the same filters and methods to the content of HTTPS connections, such as:

  • filtering URLs
  • Kerio Control Web Filter
  • antivirus check

You can see the filtering results in User Statistics and Reporting.

When a user accesses a site secured by HTTPS, an SSL certificateSSL certificates are used to authenticate an identity on a server. warning appears because Kerio Control uses its own certificate for reencrypting HTTPS communication. Therefore it is important to distribute the Kerio Control certificate to your users’ web browsers as a root certificate authority.

NOTE

HTTPS protocol filtering provides an HTTPS inspector. You can switch off the inspector for a particular rule in the Traffic Rules section or for a particular protocol in the Definitions > Services section. Read more in the Disabling protocol inspectors article.

WARNING

If you use a non-transparent proxy server, the HTTPS filtering does not work.

Configuring HTTPS filtering

To start HTTPS filtering:

  1. Go to Content Filter > HTTPS Filtering in the administration interface.
  2. Select Decrypt and filter HTTPS traffic.
  3. Select Show Legal Notice to users, if it is necessary in your country. Contact your legal advisor if it is necessary to select this option. When users open a HTTPS site, Kerio Control warns them that the connection is decrypted by Kerio Control. The disclaimer appears each logged-in user once per session and might be annoying to users.
  4. Click Apply.

Kerio Control decrypts and filters all HTTPS communication.

Setting HTTPS filtering exceptions

Kerio Control allows you to add exceptions from HTTPS filtering. There are two types of exceptions. You can:

  • Exclude specified traffic from decryption
  • Decrypt specified traffic only use it when you need to decrypt only certain servers or users.

You can set exceptions for:

Excluding traffic to/from IP addresses

Some web applications cannot use the Kerio Control certification authority (for example web access to banks, dropbox.com, microsoft.com) or use a non-HTTPS service on port 443. You must exclude these web applications from the HTTPS filtering.

To set exceptions for an web application, you must know its IP addressAn identifier assigned to devices connected to a TCP/IP network., domain name, or hostname:

  1. On the HTTPS Filtering tab, select Exclude specified traffic from decryption.
  2. Next to the Traffic to/from IP addresses which belong to field, click Edit.
  3. In the IP Address Groups dialog box, click Add.
  4. In the Add IP Address dialog box, click Select existing.
  5. In the Select existing menu, select HTTPS exclusions.
  6. Select Addresses and type the IP address, host name or domain name of the web application.
  1. Save your settings.
  2. On the HTTPS Filtering tab, click Apply.

All web applications in this list are excluded from the HTTPS filtering.

NOTE

To change or delete an exclusion, go to the Definitions > IP address groups section.

Excluding users from the HTTPS filtering

If there are Kerio Control users, which cannot use HTTPS filtering (for example because of legal reasons),you can exclude them:

  1. On the HTTPS Filtering tab, click Exclude specified traffic from decryption.
  2. Next to the Traffic from the following users field, click Select.
  3. In the Select Items dialog box, click Add.

  1. In the new Select Items dialog box, select the domain of users which should be excluded.
  2. Select users and click OK. Kerio Control adds users to the list.
  3. Click OK.
  4. On the HTTPS Filtering tab, click Apply.

Kerio Control displays the list of excluded user in the Exclude traffic from the following users field. These users are excluded from the HTTPS filtering.

Importing a certificate for an untrusted web applications into Kerio Control

Sometimes you or your users need to go to servers with a self-signed certificate. Such certificates are untrusted, so Kerio Control needs the certificate for authentication. You can:

Installing certificates to Kerio Control

  1. In the administration interface, go to Definitions > SSLSecure Sockets Layer - A protocol that ensures integral and secure communication between networks. Certificates.
  2. Click the More actions > Import > Import New Certificate button.
  3. The Import Certificate dialog box opens.
  4. In the Import Certificate dialog box, select Certificate without private key.
  5. Type the URL of the web application or if you have the certificate, select the certificate file.
  6. Click Import.

New certificate appears in the SSL Certificates section. Now your users can go to the untrusted page.