Getting rid of firewall and Websense totally!

Hi all
I'd be grateful to see what others think of this:
We currently use TMG and Websense and have done for years. The clients that connect out through this are W7-based devices connected to my network and authenticated by AD.
What we are increasingly finding is devices like iPads, Surface RTs, etc. don't work very well behind an authenticated proxy so we've been looking at getting another device to sit alongside the TMG box.
Also, our ISP is SWGFL.
This has led to a meeting I've just had with my principal, who has questioned the need for the firewall and web filtering and asked why we cannot just ditch both and rely on the SWGFL filtering service and firewall (as a way of saving money).
I know we originally set up Websense as there were (many years ago) problems with the SWGFL service. We originally set up a firewall to 'protect' us from other schools who use SWGFL and share our IP range assigned through them.
Now I can see the benefit of getting shot of Websense, but getting rid of our firewall makes me feel very uneasy (even though it would make my life much easier in relation to unauthenticated proxy).
So, I'm just seeing what my fellow Edugeekers who have a setup similar to the above do (and would you argue for keeping the firewall or not?)
Our SWGfL connection used to allow access to other schools' IP ranges (made supporting our local primary very handy) but disappeared about 3 years ago.
We are purely using the upstream Safetynet for our filtering provision with the transparent option enabled as we also have Impero to log the website access on the workstations.
At present only our staff BYoD devices have the transparent proxy as their primary connection type as we still force all other connections via the normal SWGfL proxy address.
Must admit I fail to see how sending traffic via normal or transparent proxy will stop SWGfL from generating logs for users since it will still have IP address assigned regardless... then again from feedback from another site they have never managed to get any log files from SWGfL to resolve an issue.
I'd be terrified of using just SWGFL, having now been independent of them for 6 months. The SWGFL filtering is, at best, not logical, and the firewall admin is slow and patchy. We've previously had to wait for six weeks to have a bi-di port opened, and then they got it wrong the first 2 times they tried.
Firewall modifications have always been reasonably quick when you consider it's RMI doing some of the modifications, although I did have a few backwards and forwards attempts when getting IMAP opened up purely for the Microsoft Datacentres last summer but that only took a week in total.
Their filtering solution might not be the most advanced out there, but it does what it claims to do. No web filtering solution is ever 100% perfect, but it just depends on how much you want to invest in it.