CLEO Thread, The LightSpeed Filtering issue thread in Regional Broadband Consortiums (RBC); Originally Posted by SimpleSi
Using lancs email addresses as temp override authority so teachers can get on with things ...
2nd April 2014, 11:15 AM #46
Originally Posted by SimpleSi
Thanks! works perfect for me!
9th April 2014, 07:55 AM #47
I've just emailed OCL about having a YouTube category created like @SchoolsBroadband have. This would give you a category of "YouTube" that you can block/unblock per policy instead of using URL pattern overrides. Plus, in the future, when YouTube change/add a domain, one of us just emails OCL, they add it to the category and boom, every school in county is done.
9th April 2014, 01:32 PM #48
Yes, makes sense, it's an easy way to do it.
Originally Posted by Arcath
10th April 2014, 01:33 PM #49
Yes it does!
Originally Posted by SchoolsBroadband
OCL are having issues at the moment, which means that creating custom categories doesn't work, but they do like the idea.
16th April 2014, 12:46 PM #50
I have just added our AD as an authentication source and thought I'd share my experience since I am behind a firewall.
I used a 1:1 NAT entry and just opened port 636 which is the secure LDAP port.
The LS wiki entry is here
The steps I took are:
Administration > Add Authentication Source
Type: Active Directory
Name: AD Source (Only seen in the admin panel)
Description: AD Source (Only seen in the admin panel)
Friendly Name: Network log on (This is seen on the webpage for logging in)
Server Hostname: 184.108.40.206 (Replace with the CLEO valid IP that you have mapped to your DC)
Domain: schooldomain (This is the single label domain and not the FQDN, e.g. schooldomain.local)
Base DN: ou=schoolusers,dc=schooldomain,dc=local (This is the path to the OU that you want to get your user information from, you can get away with dc=schooldomain,dc=local but not advisable)
Administrator Account: schooldomain\normaluser (This does not need to be an admin account, it only needs to be a normal account to query your AD)
Password Confirmation: accountpassword
Encrypt Connection: (This is ticked to use secure LDAP port 636)
Once this is done you can use the test button. It will add the domain so use the format user and not domain\user.
Hopefully this should save someone a bit of time. Whether or not this kind of set up will work with the auto login client I don't know. See other posts regarding using this source for your users. You will need to tick Available to End Users on the authentication source btw.
Last edited by ChrisH; 16th April 2014 at 12:48 PM.
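Why the narrower Base DN in the post above matters, as an added example that is not part of the original post: assuming the authentication source searches the whole subtree under the Base DN, the sketch compares which accounts each of the two base DNs brings into scope. The directory entries and function names are constructed for illustration; only the two base DNs come from the post.

```python
def split_rdns(dn):
    """Split a DN on unescaped commas; lower-case for case-insensitive match."""
    parts, cur, escaped = [], "", False
    for ch in dn:
        if escaped:
            cur, escaped = cur + ch, False
        elif ch == "\\":
            cur, escaped = cur + ch, True
        elif ch == ",":
            parts.append(cur)
            cur = ""
        else:
            cur += ch
    parts.append(cur)
    rdns = []
    for part in parts:
        attr, _, value = part.partition("=")
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns

def in_subtree(entry_dn, base_dn):
    """True if entry_dn is the base itself or sits anywhere beneath it."""
    entry, base = split_rdns(entry_dn), split_rdns(base_dn)
    return len(entry) >= len(base) and entry[len(entry) - len(base):] == base

def extra_exposure(entries, narrow_base, wide_base):
    """Entries the wide base brings into scope that the narrow one excludes."""
    return [dn for dn in entries
            if in_subtree(dn, wide_base) and not in_subtree(dn, narrow_base)]

# Constructed directory entries; only the two base DNs come from the post.
ENTRIES = [
    "CN=Pupil One,OU=schoolusers,DC=schooldomain,DC=local",
    "CN=Smith\\, J,OU=staff,OU=schoolusers,DC=schooldomain,DC=local",
    "CN=Administrator,CN=Users,DC=schooldomain,DC=local",
    "CN=svc-backup,OU=service,DC=schooldomain,DC=local",
]
NARROW = "ou=schoolusers,dc=schooldomain,dc=local"
WIDE = "dc=schooldomain,dc=local"

if __name__ == "__main__":
    for dn in extra_exposure(ENTRIES, NARROW, WIDE):
        print("in scope only with the domain-root base:", dn)
```

With the domain-root base, the built-in Administrator and the service account become candidates for the internet-facing login, which the OU-scoped base avoids.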
16th April 2014, 02:07 PM #51
Don't bother trying to use OUs as a source under assignments for rule sets as it just doesn't work! Stick to using groups.
1st May 2014, 09:58 AM #52
So I have to pose the question: how many schools use different internal VLANs (not just admin and curriculum)? Surely I can't be the only one who is using multiple VLANs with a layer 3 core switch/router? I know there are plenty of you out there with Procurve 5400s etc. I have a VLAN per building/cabinet and functional based ones such as printers, phones, domain wireless, guest wireless etc. I managed to get my firewall to do 1:1 NAT so each client would map to its own CLEO IP (which shows up fine in the lightspeed logs correctly) but that doesn't help with the client, which will always report the client's IP address and not the one it gets mapped to.
I am assuming in this situation an onsite rocket is the only answer but I never heard mention of having to make any IP changes from other managed service providers. Is anyone in Lancashire utilising VLANs like me and has subnetted up their allocated ranges? I can see this as an option but I haven't sat down and worked it out yet.
I really don't want to be changing my whole internal configuration because of the internet connection that just seems so wrong but it looks like my choices are:
Onsite Rocket (mentioned in some of the information a while ago)
Change my whole internal infrastructure including IP address, VLANs, ACLs and routing.
So am I alone in this or are other people in Lancs having to make big changes?
1st May 2014, 11:05 AM #53
@ChrisH Without the machine (and thus the agent) knowing the CLEO IP that it has been given there is no way to have the automatic authentication work.
I do wonder if it would be possible to modify the agent's requests, e.g. if your machine is 192.168.0.34 and it has a CLEO IP of 10.23.12.34, to just do a string replacement on its messages, but that just adds an extra overhead to your routers.
Or if there was some way to give the CLEO IP to the machines as a virtual interface that the agent can see so it reports that IP as well.
Or if there was a way to add a static route to your tier only that lets your internal IPs talk directly to the rocket.
Just some ideas; the last one seems like the best to me but it depends on if OCL will help and if the shared tier system OCL is using supports it.
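The address mismatch discussed in the two posts above, as an added example that is not part of either post: a 1:1 NAT table maps each internal address to its CLEO address, and a correlation step shows why an agent reporting its internal IP does not line up with the source IP the filter logs. Only the 192.168.0.34 / 10.23.12.34 pair comes from the thread; the prefix lengths, the second subnet, the user names and the function names are assumptions.

```python
import ipaddress

# Constructed 1:1 NAT table (internal subnet -> CLEO subnet). Only the pair
# 192.168.0.34 -> 10.23.12.34 comes from the post; the prefixes are assumed.
NAT_MAP = {
    "192.168.0.0/24": "10.23.12.0/24",
    "192.168.10.0/25": "10.23.13.0/25",
}

def build_nat_table(mapping):
    """Parse the table; 1:1 NAT needs equal-sized, non-overlapping subnets."""
    table = []
    for inside, outside in mapping.items():
        i, o = ipaddress.ip_network(inside), ipaddress.ip_network(outside)
        if i.prefixlen != o.prefixlen:
            raise ValueError(f"{inside} and {outside} differ in size")
        if any(i.overlaps(a) or o.overlaps(b) for a, b in table):
            raise ValueError(f"{inside} -> {outside} overlaps another entry")
        table.append((i, o))
    return table

def translate(table, internal_ip):
    """Return the mapped address the filter sees, or None if unmapped."""
    ip = ipaddress.ip_address(internal_ip)
    for inside, outside in table:
        if ip in inside:
            offset = int(ip) - int(inside.network_address)
            return str(outside.network_address + offset)
    return None

def correlate(table, agent_reports, filter_sources):
    """Classify each agent report against the source IPs the filter logged."""
    result = {}
    for user, reported in agent_reports.items():
        mapped = translate(table, reported)
        if reported in filter_sources:
            result[user] = "direct"             # no NAT in the path
        elif mapped in filter_sources:
            result[user] = "matches-after-nat"  # agent IP differs from log IP
        elif mapped is None:
            result[user] = "unmapped"           # no NAT entry for that subnet
        else:
            result[user] = "not-seen"
    return result

if __name__ == "__main__":
    table = build_nat_table(NAT_MAP)
    reports = {"pupil1": "192.168.0.34", "guest": "172.16.5.9"}  # constructed
    print(correlate(table, reports, {"10.23.12.34"}))
```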
1st May 2014, 11:26 AM #54
I think the only real options are the on-site Rocket or me changing all my IP ranges and subnetting up my curriculum range, the only issue I have with that is the router interface is always x.x.x.1 and if I want that in its own subnetwork I'm going to be wasting 125 IPs which I can get away with but it's a pain. If it was at the end of the range I could just use a /30 mask.
12th May 2014, 02:07 PM #55
Got mine all sorted now, you must have an IP address from your assigned 10.x.x.x range. I still have my firewall in-place and my separate VLANs so everything worked out okay in the end.
20th May 2014, 12:06 PM #56
Is it just me or is almost every URL shortening service blocked? Yacapaca.com uses bit.ly, and after asking OCL they say they can't change the default block list to allow it?
20th May 2014, 12:10 PM #57
Are you surprised? Given the choice, I would have every single one of them blocked too. Biggest source of infection from websites and downloads are thanks to those damn things.
20th May 2014, 02:25 PM #58
Not surprised no, just annoying as they work fine on our old filtering (Cumbria) which we never had any problems with.
2nd June 2014, 11:57 AM #59
@ellsandell you could try Unshorten any URL - unshort.me to get the link the bit.ly url points to.
2nd June 2014, 12:11 PM #60
I've tried to set up the e-mail authentication method to do filtering over-ride, but it continues to say that there is no authentication source. I've followed the instructions and double checked all the settings... I'm so confused !!