me myself and i - Posted January 21, 2021

Dear all,

as described in the topic, we have some issues with blocking categories in Web Control. The situation is:

If the client is offsite (HomeOffice), everything works fine and as expected. If a website is blocked (http or https), the user gets a blocking page in the browser.

As soon as the client is in the office, he will connect to the internet via a proxy (Cisco WSA (http and https proxy enabled) or Bluecoat CAS (only http proxy enabled)). http sites are still working as expected (user gets blocked message in browser); https sites are not. The client only gets a "This site can’t be reached" & "ERR_TUNNEL_CONNECTION_FAILED" in Chrome and "Hmmm... cannot reach this page" in Edge.

What can I do to get the https sites to work as expected if the client is behind a proxy? Please advise.

Best

Marcos (Administrators) - Posted January 21, 2021

Ekrn must be able to communicate with ESET's servers listed in https://support.eset.com/en/kb332 in order for Web Control to work. In particular:

Make sure to open UDP port 53535 for the addresses in the table below and allow requests to your local DNS server (UDP/TCP port 53).

Hostname                IP address
h1-arsp01-v.eset.com    91.228.166.42
h1-arsp02-v.eset.com    91.228.166.43
h3-arsp01-v.eset.com    91.228.167.141
h3-arsp02-v.eset.com    91.228.167.142
h5-arsp01-v.eset.com    38.90.226.14
h5-arsp02-v.eset.com    38.90.226.15

me myself and i - Posted January 21, 2021

Hi Marcos,

I checked that already. In our firewall ruleset we have rules like:

Client -> *.eset.com -> Service:all -> allow

and

Client -> internal DNS -> Service:DNS -> allow

DNS is working fine.

Any other idea?

Best

Marcos (Administrators) - Posted January 21, 2021

So ekrn can communicate with those servers on port 53535?

Please enable advanced network protection, antispam and Web control logging in the adv. setup -> tools -> diagnostics, reproduce the issue, disable logging, collect logs with ESET Log Collector and upload the generated archive here.

me myself and i - Posted January 21, 2021

5 minutes ago, Marcos said:
> So ekrn can communicate with those servers on port 53535?

Hi,

Yes, I think it can. How can I test it?

me myself and i - Posted January 21, 2021

3 minutes ago, me myself and i said:
> 9 minutes ago, Marcos said:
>> So ekrn can communicate with those servers on port 53535?
>
> Hi, Yes, I think it can. How can I test it?

Telnet from the client to the servers on port 53535 works.

me myself and i - Posted January 21, 2021 (edited)

Don't know if this is important, but in the alert message (sent to the administrator via email) the entries are:

/21/2021 15:36:42 PM - During execution of on the computer <ClientName>, the following event occurred: Web control: Web page blocked by category rule. URL: hxxp://<blockedSite>.de:443

I would expect: https://<blockedSite>.de

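Added example, not part of any post in this thread and not ESET code: with an explicit proxy configured, a browser requests an http site with an absolute-form GET but an https site with "CONNECT host:443", so a filter on the client can read only host and port for https, and a block page returned in a non-2xx CONNECT reply is discarded by the browser. The host names are constructed, and a filter that answers the CONNECT itself with a 403 is an assumption, not something confirmed in the thread.

```python
from urllib.parse import urlsplit

# Constructed sample request lines, as a browser sends them to an explicit proxy.
SAMPLES = [
    "GET http://blocked.example/news/index.html HTTP/1.1",  # plain http site
    "CONNECT blocked.example:443 HTTP/1.1",                 # https site
]


def filter_view(request_line):
    """Return what a filter between browser and proxy can read from the request line."""
    method, target, _version = request_line.split()
    if method.upper() == "CONNECT":
        # Authority-form target: host and port only, no scheme and no path.
        host, sep, port = target.rpartition(":")
        if not sep or not port.isdigit():
            raise ValueError("CONNECT target must be host:port")
        return {"method": "CONNECT", "host": host.strip("[]"),
                "port": int(port), "path": None}
    # Absolute-form target: the full URL, including the path, is visible.
    url = urlsplit(target)
    if url.scheme != "http" or not url.hostname:
        raise ValueError("expected an absolute-form http:// target")
    return {"method": method.upper(), "host": url.hostname,
            "port": url.port or 80, "path": url.path or "/"}


def browser_result(view, status):
    """What the user sees when the filter replies with `status` and an HTML body."""
    if view["method"] == "CONNECT":
        # Browsers do not render the body of a non-2xx CONNECT reply; they show
        # a tunnel error instead (Chrome: ERR_TUNNEL_CONNECTION_FAILED).
        if 200 <= status < 300:
            return "tunnel open"
        return "tunnel error, body discarded"
    return "body rendered"


if __name__ == "__main__":
    for line in SAMPLES:
        view = filter_view(line)
        print(view, "->", browser_result(view, 403))
```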
me myself and i - Posted January 22, 2021

No ideas?

Marcos (Administrators) - Posted January 22, 2021

Please enable advanced network protection and Web control logging in the adv. setup -> tools -> diagnostics, reproduce the issue, disable logging, collect logs with ESET Log Collector and upload the generated archive here.

me myself and i - Posted January 22, 2021

Will do. This will take some time, as I have some other things to do first.

itman - Posted January 22, 2021

On a PC having connection issues, scroll down to this section, "3. Disable Automatically Detect Settings," in this article: https://www.techbout.com/err-tunnel-connection-failed-error-in-chrome-39692/ and do what is recommended. See if this resolves the issue.

me myself and i - Posted January 22, 2021

Unfortunately not. And it is in all browsers, not only Chrome.

me myself and i - Posted January 22, 2021

Here are the files...

first attempt to http --> works fine
second attempt to https --> error

ees_logs.zip

me myself and i - Posted January 25, 2021

On 1/22/2021 at 5:21 PM, Marcos said:
> Please enable advanced network protection and Web control logging in the adv. setup -> tools -> diagnostics, reproduce the issue, disable logging, collect logs with ESET Log Collector and upload the generated archive here.

Have you had a chance to look at the logs?

me myself and i - Posted January 27, 2021

Hello? No one there? Could you check the logs?

Best

me myself and i - Posted January 28, 2021

HelloooOOOooo???

Asked for log files and then nearly one week no reaction? I hope you are okay!?

Best

Marcos (Administrators) - Posted January 29, 2021

I've checked the logs; it took a few hours to understand the meaning of web control diagnostic records. It appears that categories are determined for both http and https websites alright, so there's no issue with blocking UDP communication on port 53535.

Unfortunately the ELC logs were incomplete and didn't contain the configuration or a SysInspector log. Please provide complete ELC logs.

me myself and i - Posted February 2, 2021

@Marcos as this is a public forum, I would like to share as little information as possible. Is there another way to offer you the logs?

Best

Marcos (Administrators) - Posted February 2, 2021

Files that you upload are accessible only by ESET staff. It's ok to upload logs here.

me myself and i - Posted February 2, 2021

Ok. Didn't know that. I will upload them later today.

Best

me myself and i - Posted February 2, 2021

Here they are...

ees_logs_full.zip

Marcos (Administrators) - Posted February 2, 2021

There are no records with "not resolved" category, so it seems that both URLs were categorized and blocked by a rule. Proxy server was disabled in the provided configuration. That said, everything looks ok to me. Issues with Web control would occur if the client was unable to communicate with ESET's servers either directly or through a proxy on UDP port 53535.

Based on the config I'd recommend enabling the following for maximum protection:

1. Detection of potentially unsafe applications
2. LiveGrid feedback system (improves both protection and cleaning, speeds up response to new threats)

You have a couple of performance exclusions set. Is there any reason to have them? What issue would occur if you removed them? Asking since each exclusion creates a potential security hole, so they should be used with care, only if a specific issue cannot be solved otherwise.

itman - Posted February 2, 2021

On 1/21/2021 at 6:20 AM, me myself and i said:
> the client is in the office he will connect to the internet via a proxy (Cisco WSA (http and https proxy enabled) or Bluecoat CAS (only http proxy enabled)

Have you tried to create rules on these firewalls to allow all inbound/outbound traffic from ekrn.exe?

me myself and i - Posted February 2, 2021

39 minutes ago, Marcos said:
> There are no records with "not resolved" category, so it seems that both URLs were categorized and blocked by a rule. Proxy server was disabled in the provided configuration. That said, everything looks ok to me. Issues with Web control would occur if the client was unable to communicate with ESET's servers either directly or through a proxy on UDP port 53535.

Ok. That means? Everything is like it should, but it does not work as it should?

me myself and i - Posted February 2, 2021

42 minutes ago, Marcos said:
> Based on the config I'd recommend enabling the following for maximum protection:
>
> 1. Detection of potentially unsafe applications
> 2. LiveGrid feedback system (improves both protection and cleaning, speeds up response to new threats)
>
> You have a couple of performance exclusions set. Is there any reason to have them? What issue would occur if you removed them? Asking since each exclusion creates a potential security hole, so they should be used with care, only if a specific issue cannot be solved otherwise.

Thank you for the recommendations.