We have just changed ISPs; both used Fortinet filter boxes, and the latest one is the 60D.
I can't help but feel this change has introduced major issues in getting our devices to work on the school network.
All the PCs needed a new certificate before they would display internet pages. A GPO fixed this, but it was a very hit-and-miss affair on some devices, taking three or four reboots to get it installed!
iPads needed to be given a reserved IP address from an IP address range that had been set up for “student” filtering. This had to be done even before they would get the certificate error from the Fortinet box; you could then choose to ignore this, and then you finally got a webpage. I then had to configure an FTP server to install the certificate onto these devices. Quick to do, but all the work has been very time-consuming.
Android devices are a different story. These too had to be given a reserved IP address, but I couldn't FTP to these devices like I could from Safari on the iPads, so I had to email the certificate and install it from an attachment.
All this brings me round to BYOD. We were hoping to introduce a very simple BYOD hotspot in the school where we could issue a ticket that would allow internet access for a few hours, half a day, all day, etc. Very important for guests or trainers, and for future plans for the school to open on Saturdays when there won't be any IT staff around. But that would seem to be a very difficult job to do, judging by the issues above.
Question is: where has it gone wrong? Surely, if we want to set up BYOD access in the school, we shouldn't have to reserve an IP address for that device and then install a certificate. I can tell you now, IT staff draw the line at installing anything on devices that are not owned by the school, particularly on personal devices.
Has anyone got similar problems with the Fortinet filter solution, or a fix for the above nightmare?
This is to do with HTTPS filtering in non-proxy mode. The Fortinet needs to do a "man in the middle attack" and pose as the website you are trying to view. You can turn off HTTPS deep scanning, but then you'll find the filter isn't quite as good at blocking things.
I'd recommend static DHCP leases if you know the MAC addresses of the devices you are giving out, or say that guest wireless always gets xyz IPs and therefore gets abc filtering policy.
Google has been difficult now that all of its sites are HTTPS. If you don't use the nossl variant, enforced via your DNS servers, then SafeSearch can easily be tampered with and all sorts can be viewed.
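The "man in the middle" Dave describes can be confirmed from the client side, and doing so tells you which of the thread's two failure modes a device is in. Below is an added example, not code from the thread or from Fortinet: a small Python probe that opens a TLS connection and reports whether verification fails (the filter's CA is not installed, which is the certificate error the PCs and iPads showed), whether the chain verifies but ends in a non-public issuer (the CA is installed and deep scanning is on), or whether the public issuer is present (the device is exempt or deep scanning is off). The expected issuer names, the sample certificate dictionaries and the "Example Filter CA" name are constructed for illustration; record the real issuers from a connection known not to pass through the filter.

```python
"""Client-side check for HTTPS deep inspection (TLS interception).

Added example, not from the original thread. A filter doing deep inspection
terminates the client's TLS session and presents a certificate it signed with
its own CA. A client without that CA sees a certificate error; a client that
has it installed sees a chain ending in the filter's CA rather than the public one.
"""
import socket
import ssl

# Issuer common names a site's real certificate is expected to carry.
# Constructed for this example: in practice, record them from a connection
# that is known not to pass through the filter.
EXPECTED_PUBLIC_ISSUERS = {
    "www.google.com": {"GTS CA 1C3", "Google Internet Authority G2"},
}


def rdn_to_dict(rdn_sequence):
    """Flatten the nested tuple structure that ssl.SSLSocket.getpeercert()
    uses for 'subject' and 'issuer' into a plain {attribute: value} dict."""
    flat = {}
    for rdn in rdn_sequence:
        for attribute, value in rdn:
            flat[attribute] = value
    return flat


def classify_leaf(cert, host):
    """Return 'direct', 'intercepted' or 'unknown' for a getpeercert() dict."""
    issuer_cn = rdn_to_dict(cert.get("issuer", ())).get("commonName", "")
    expected = EXPECTED_PUBLIC_ISSUERS.get(host)
    if expected is None:
        return "unknown"
    return "direct" if issuer_cn in expected else "intercepted"


def probe(host, port=443, cafile=None, timeout=5.0):
    """Connect to host and report how the TLS chain looks from this network.

    Returns (verdict, detail):
      ('untrusted-chain', msg)   - verification failed: the inspecting CA is
                                   not installed (the error end users see)
      ('intercepted', issuer_cn) - chain verified but ends in a non-public CA
      ('direct', issuer_cn)      - the public issuer is present, no inspection
      ('unknown', issuer_cn)     - host is not in EXPECTED_PUBLIC_ISSUERS
      ('connect-failed', msg)    - no TCP/TLS session at all
    Pass cafile= to trust the filter's CA explicitly, which is what installing
    the certificate on a device does.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        return "untrusted-chain", exc.verify_message
    except OSError as exc:  # SSLCertVerificationError is caught above
        return "connect-failed", str(exc)
    issuer_cn = rdn_to_dict(cert.get("issuer", ())).get("commonName", "")
    return classify_leaf(cert, host), issuer_cn


# Constructed sample getpeercert() results, in the same shape the ssl module
# returns. The inspecting-CA names are illustrative, not taken from a real box.
SAMPLE_DIRECT = {
    "subject": ((("commonName", "www.google.com"),),),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Google Trust Services LLC"),),
        (("commonName", "GTS CA 1C3"),),
    ),
}
SAMPLE_INTERCEPTED = {
    "subject": ((("commonName", "www.google.com"),),),
    "issuer": (
        (("organizationName", "Example Filter Appliance"),),
        (("commonName", "Example Filter CA"),),
    ),
}

if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:
        # usage: python probe.py www.google.com [filter-ca.pem]
        print(probe(sys.argv[1], cafile=sys.argv[2] if len(sys.argv) > 2 else None))
    else:
        for name, sample in (("direct", SAMPLE_DIRECT), ("intercepted", SAMPLE_INTERCEPTED)):
            print(name, "->", classify_leaf(sample, "www.google.com"))
```

Run it once from a device on the "student" range and once from a device outside it: the first should come back "untrusted-chain" until the CA is installed and "intercepted" afterwards, the second "direct" if that range bypasses deep scanning. That is also the practical test for a guest/BYOD range: if the probe says "direct" for a guest IP, no certificate has to be pushed to that device.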
Hi Dave, and thanks for the reply. I know it's the HTTPS deep scanning that is the issue. But I look after three other schools who use Fortinet filtering, and they do not have the same issue. Connecting any wireless device to the school network will give them internet access without the need to reserve an IP address or install a certificate. Likewise, when I install or rebuild a PC with Windows 7, most of the drivers are installed for me over the internet because an internet connection is available.
But how does HTTPS deep scanning fit into BYOD? The idea of that is to quickly connect almost any wireless device and get instant internet access; it would appear this is no longer possible. How does "SchoolsBroadband" work in a school that wants to run BYOD and is reluctant to install certificates on devices that do not belong to the school, or when there is no IT manager around to do the job?
BYOD in schools is going to be massive; there must be a simple solution to connecting wireless devices to the school network and offering them filtering without the need to play around with reserved IP addresses and certificates?
Last edited by bewlay51; 17th April 2014 at 11:15 AM.