  1. #1


    Fortinet 60D + BYOD issue

    We have just changed ISP providers - both used Fortinet filter boxes, the latest one is the 60D.

    I can't help but feel this change has introduced major issues in getting our devices to work on the school network.

    All the PCs needed a new certificate before they would display internet pages. A GPO fixed this, but it was a very hit-and-miss affair on some devices, taking three or four reboots to get it installed!!

    iPads needed to be given a reserved IP address from an IP address range; this had been set up for “student” filtering. This had to be done even before they would get the certificate error from the Fortinet box; you could then choose to ignore this, and then you finally got a webpage. I then had to configure an FTP server to install the certificate onto these devices - quick to do, but all the work has been very time consuming.

    Android devices are a different story. These too had to be given a reserved IP address, but I couldn't FTP to these devices like I could from Safari on the iPads - so I had to email the certificate and install it from an attachment.

    All this brings me round to BYOD. We were hoping to introduce a very simple BYOD hotspot in the school where we could issue a ticket that would allow internet access for a few hours, half a day, all day etc. Very important for guests or trainers and future plans for the school to open Saturdays when there won't be any IT staff around. But that would seem to be a very difficult job to do judging by the issue above.

    Question is - where has it gone wrong? Surely, if we want to set up BYOD access in the school we shouldn't have to reserve an IP address of that device then install a certificate. I can tell you now, IT staff draw the line at installing anything that is not owned by the school, particularly on personal devices.

    Has anyone got similar problems with the Fortinet filter solution or a fix for the above nightmare??

  2. #2

    Hi there,

    This is to do with HTTPS filtering in non-proxy mode. The Fortinet needs to do a "man in the middle attack" and pose as the website you are trying to view. You can turn off HTTPS deep scanning but then you'll find the filter isn't quite as good at blocking things.

    I'd recommend static DHCP leases if you know the MAC addresses of the devices you are giving out, or say that guest wireless always gets xyz IPs and therefore gets abc filtering policy.

    Google has been difficult now all of its sites are HTTPS. If you don't use the nossl variant to be enforced via DNS servers then SafeSearch can easily be tampered with and all sorts can be viewed.

    Thanks

    Dave

  3. #3

    Hi Dave and thanks for the reply. I know it's the HTTPS deep scanning that is the issue. But I look after three other schools who use Fortinet filtering and they do not have the same issue. Connecting any wireless device to the school network will give them internet access without the need to reserve an IP address or install a certificate. Likewise, when I install or rebuild a PC with Windows 7, most of the drivers are installed for me over the internet because an internet connection is available.

    But how does HTTPS deep scanning fit into BYOD - the idea of that is to quickly connect almost any wireless device and get instant internet access, it would appear this is no longer possible. How does "SchoolsBroadband" work in a school who want to run BYOD and are reluctant to install certificates on devices that do not belong to the school or when there is no IT manager around to do the job??

    BYOD in schools is going to be massive, there must be a simple solution to connecting wireless devices to the school network, offering them filtering without the need to play around with reserved IP addresses and certificates???

    Thanks,

    John
    Last edited by bewlay51; 17th April 2014 at 11:15 AM.
