Web Control behind a proxy not showing blocking page for https sites


Dear all,

As described in the topic, we have some issues with blocking categories in Web Control.

The situation is:
If the client is offsite (home office), everything works fine and as expected.
If a website is blocked (http or https), the user gets a blocking page in the browser.
As soon as the client is in the office, he will connect to the internet via a proxy (Cisco WSA (http and https proxy enabled) or Bluecoat CAS (only http proxy enabled)).
http sites are still working as expected (user gets blocked message in browser).
https sites are not.

The client only gets a "This site can’t be reached" & "ERR_TUNNEL_CONNECTION_FAILED" in Chrome and "Hmmm... cannot reach this page" in Edge.

What can I do to get the https sites to work as expected if the client is behind a proxy?

Please advise.

Best


  • Administrators

Ekrn must be able to communicate with ESET's servers listed in https://support.eset.com/en/kb332 in order for Web Control to work. In particular:

  • Make sure to open UDP port 53535 for the addresses in the table below and allow requests to your local DNS server (UDP/TCP port 53).

    Hostname                IP address
    h1-arsp01-v.eset.com    91.228.166.42
    h1-arsp02-v.eset.com    91.228.166.43
    h3-arsp01-v.eset.com    91.228.167.141
    h3-arsp02-v.eset.com    91.228.167.142
    h5-arsp01-v.eset.com    38.90.226.14
    h5-arsp02-v.eset.com    38.90.226.15


Hi Marcos,

I checked that already.

In our firewall ruleset we have rules like:
Client -> *.eset.com -> Service:all -> allow
and
Client -> internal DNS -> Service:DNS -> allow

DNS is working fine.

Any other idea?
Best


  • Administrators

So ekrn can communicate with those servers on port 53535?

Please enable advanced network protection, antispam and Web control logging in the adv. setup -> tools -> diagnostics, reproduce the issue, disable logging, collect logs with ESET Log Collector and upload the generated archive here.


3 minutes ago, me myself and i said:
9 minutes ago, Marcos said:

So ekrn can communicate with those servers on port 53535?

Hi,

Yes, I think it can.
How can I test it?

Telnet from the client to the servers on port 53535 works.


I don't know if this is important, but in the alert message (sent to the administrator via email) the entries are:
 

/21/2021 15:36:42 PM - During execution of  on the computer <ClientName>, the following event occurred: Web control:

Web page blocked by category rule.

URL:

hxxp://<blockedSite>.de:443

I would expect:

https://<blockedSite>.de

Edited by me myself and i
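The `:443` form in the alert above matches how a browser reaches an HTTPS site through an explicit proxy: it sends `CONNECT host:443`, so anything inspecting the client-to-proxy connection sees only a host and port. The sketch below is an added example, not code from this thread or from ESET; the function name and sample requests are constructed, and rendering a CONNECT target as `http://host:443` is an assumption about how the logged URL arises.

```python
from urllib.parse import urlsplit

# Constructed sample requests, as a browser would send them to an explicit proxy.
SAMPLE_HTTP = b"GET http://blocked.example/page HTTP/1.1\r\nHost: blocked.example\r\n\r\n"
SAMPLE_HTTPS = b"CONNECT blocked.example:443 HTTP/1.1\r\nHost: blocked.example:443\r\n\r\n"


def parse_proxy_request(raw: bytes) -> dict:
    """Return what a filter on the client-to-proxy connection can see."""
    line = raw.split(b"\r\n", 1)[0].decode("ascii", errors="replace")
    parts = line.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError(f"not an HTTP request line: {line!r}")
    method, target, _version = parts

    if method.upper() == "CONNECT":
        # authority-form (RFC 9110, 9.3.6): only host:port, no scheme or path.
        host, sep, port = target.rpartition(":")
        if not sep or not port.isdigit():
            raise ValueError(f"bad CONNECT target: {target!r}")
        return {
            "kind": "tunnel",
            "host": host.strip("[]"),
            "port": int(port),
            "path_visible": False,
            # Assumption: a logger with no scheme to go on prints the target like this.
            "logged_url": f"http://{host}:{port}",
            # Browsers do not render the body of a non-2xx CONNECT reply.
            "block_page_rendered": False,
        }

    # absolute-form: the full URL is in clear text, so the reply can carry a block page.
    url = urlsplit(target)
    if url.scheme != "http" or not url.hostname:
        raise ValueError(f"unsupported request target: {target!r}")
    return {
        "kind": "plain",
        "host": url.hostname,
        "port": url.port or 80,
        "path_visible": True,
        "logged_url": target,
        "block_page_rendered": True,
    }
```

In the tunnel case a block page can only reach the user from inside the TLS session, after the CONNECT has succeeded, which requires a certificate the browser trusts.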

  • Administrators

Please enable advanced network protection and Web control logging in the adv. setup -> tools -> diagnostics, reproduce the issue, disable logging, collect logs with ESET Log Collector and upload the generated archive here.


On 1/22/2021 at 5:21 PM, Marcos said:

Please enable advanced network protection and Web control logging in the adv. setup -> tools -> diagnostics, reproduce the issue, disable logging, collect logs with ESET Log Collector and upload the generated archive here.

Have you had a chance to look at the logs?


  • Administrators

I've checked the logs; it took a few hours to understand the meaning of web control diagnostic records.

It appears that categories are determined for both http and https websites alright so there's no issue with blocking UDP communication on port 53535. Unfortunately the ELC logs were incomplete and didn't contain the configuration nor a SysInspector log. Please provide complete ELC logs.


  • Administrators

Files that you upload are accessible only by ESET staff. It's ok to upload logs here.


  • Administrators

There are no records with "not resolved" category so it seems that both URLs were categorized and blocked by a rule. Proxy server was disabled in the provided configuration.

That said, everything looks ok to me. Issues with Web control would occur if the client was unable to communicate with ESET's servers either directly or through a proxy on UDP port 53535.

 

Based on the config I'd recommend enabling the following for maximum protection:

1. Detection of potentially unsafe applications
2. LiveGrid feedback system (improves both protection and cleaning, speeds up response to new threats)

You have a couple of performance exclusions set. Is there any reason to have them? What issue would occur if you removed them? Asking since each exclusion creates a potential security hole so they should be used with care only if a specific issue cannot be solved otherwise.


On 1/21/2021 at 6:20 AM, me myself and i said:

the client is in the office he will connect to the internet via a proxy (Cisco WSA (http and https proxy enabled) or Bluecoat CAS (only http proxy enabled)

Have you tried to create rules on these firewalls to allow all inbound/outbound traffic from ekrn.exe?


39 minutes ago, Marcos said:

There are no records with "not resolved" category so it seems that both URLs were categorized and blocked by a rule. Proxy server was disabled in the provided configuration.

That said, everything looks ok to me. Issues with Web control would occur if the client was unable to communicate with ESET's servers either directly or through a proxy on UDP port 53535.

Ok
That means? Everything is like it should be, but it does not work as it should?


42 minutes ago, Marcos said:

Based on the config I'd recommend enabling the following for maximum protection:

1. Detection of potentially unsafe applications
2. LiveGrid feedback system (improves both protection and cleaning, speeds up response to new threats)

You have a couple of performance exclusions set. Is there any reason to have them? What issue would occur if you removed them? Asking since each exclusion creates a potential security hole so they should be used with care only if a specific issue cannot be solved otherwise.

Thank you for the recommendations.


This topic is now closed to further replies.