Internet Related/Filtering/Firewall Thread, School Guardian Filtering problem in Technical
  1. #1 kathabell

    School Guardian Filtering problem

    We have a problem with School Guardian; Our students are divided into yeargroup OUs under an "All Students" OU in AD. We've mapped our "All Students" OU to a "Students" group in Guardian and this appears to work fine for most of the kids, but according to the logs, a lot are going through as "unauthenticated ips" and as a result, not all the filtering rules applicable to students are being applied. Any ideas why they would be in this category? How can I force Guardian to pick up their correct group? Any help appreciated!
    Kath

  2. #2 tom_newton
    What sort of authentication are you using (guardian/authentication/settings)?
    Are the students' usernames being picked up OK?
    What do the auth diags say (services/authentication/control)?

    Sorry for all the questions, but auth stuff is always trickiest to troubleshoot

    Tom

  3. #3 kathabell
    Wow! That was quick - thanks for getting back to me!

    Quote Originally Posted by tom_newton:
        What sort of authentication are you using (guardian/authentication/settings)?

    LDAP
    Authentication = Microsoft Active Directory, type = Kerberos

    Quote Originally Posted by tom_newton:
        Are the students' usernames being picked up OK?

    Yes, I see their AD usernames in the web filter log even when they are going through in the unauthorised IP category.

    Quote Originally Posted by tom_newton:
        What do the auth diags say (services/authentication/control)?

    Manual control current status = RUNNING

    Authentication service = RUNNING
    Primary LDAP Server Resolves = OPEN
    Secondary LDAP Server Resolves = N/A
    Primary LDAP Server Connection = OPEN
    Secondary LDAP Server Connection = N/A
    Authentication Service Local Connection = OPEN
    Authentication Service LDAP Server Connection = OPEN
    Can list groups on LDAP Server = OPEN

    Quote Originally Posted by tom_newton:
        Sorry for all the questions, but auth stuff is always trickiest to troubleshoot
        Tom

    No problem, appreciate the help! This is driving me nuts!
    Kath

  4. #4 tom_newton
    Kath - good news is you seem to have it set up perfectly. Bad news is, this means I don't know why it is misbehaving. I bet it's something trivial tho

    Let me open a support ticket for you and I will get one of the lads to give you a tinkle later today. Sorry I can't be a bit more useful

    Tom

  5. Thanks to tom_newton from:

    kathabell (23rd January 2009)

  6. #5 kathabell
    Quote Originally Posted by tom_newton:
        Kath - good news is you seem to have it set up perfectly. Bad news is, this means I don't know why it is misbehaving. I bet it's something trivial tho

        Let me open a support ticket for you and I will get one of the lads to give you a tinkle later today. Sorry I can't be a bit more useful

        Tom

    Cheers! Glad I'm not just being a complete numpty - look forward to hearing from them.

    Kath

  7. #6
    Could it be the nested OUs?

    I may be wrong, but maybe you need to add all the users into a single group on the AD, something like "student filtering", and then link that group to the Smoothwall group.

    I can't remember if this was my problem or if it was nested groups that I had an issue with.

  8. #7
    Similar issue to Kath's.

    Evaluating School Guardian and Network Guardian. I am using Active Directory authentication - NTLM Identification (Terminal Services compatibility mode) w/the Blue Star next to them. If I use the NTLM Identification (Terminal Services compatibility mode) w/o the Blue Star Dansguardian errors out.

    My issue - I am using groups, no OUs - but in the case of my ID, I am a member of Domain Admins, a departmental group, and a general staff group. I can't figure out which group it actually pulls from. Restrictions for my Domain Admins group are less restrictive (actually using some Allow rules to override Block rules for general staff), but I am getting restricted based on the general staff group.

    Are there rules for how groups are handled with multiple groups? Do I need to create another group that is for Smoothwall mappings only (don't want to go that way - it is far less transparent)? None of these groups are nested.

    Thanks,

    Scott

  9. #8
    As far as I am aware School Guardian doesn't work with nested groups. I created a group for all my pupil users and then added them to it. Then I created a group in School Guardian and linked it to the AD group I created.

  10. #9
    Quote Originally Posted by HodgeHi:
        As far as I am aware School Guardian doesn't work with nested groups. I created a group for all my pupil users and then added them to it. Then I created a group in School Guardian and linked it to the AD group I created.

    I hope this isn't the case.... Tom would you clarify please.

    We are thinking about moving to School Guardian soon, but our AD is set up so that there is a Students OU with year group OUs nested within that. It is set up this way so that managing the students, creating distribution lists etc. is nice and easy. I would hope that School Guardian would be able to see the nested OUs and use them as groups for itself.

  11. #10
    Have you checked under guardian/auth/settings that the unauthenticated IPs group is set to no rather than yes? Simple, I know, and I'm sure you have checked it, but it sounds like the issue.

  12. #11 DMcCoy
    Quote Originally Posted by TheFopp:
        I hope this isn't the case.... Tom would you clarify please.

        We are thinking about moving to School Guardian soon, but our AD is set up so that there is a Students OU with year group OUs nested within that. It is set up this way so that managing the students, creating distribution lists etc. is nice and easy. I would hope that School Guardian would be able to see the nested OUs and use them as groups for itself.

    You can authenticate users within the specified OU or a sub OU, mine are all organised in separate containers too. My groups are all held within a single OU and my groups setting points to that. You can't use the OU itself as the group.

  13. #12
    Quote Originally Posted by DMcCoy:
        You can authenticate users within the specified OU or a sub OU, mine are all organised in separate containers too. My groups are all held within a single OU and my groups setting points to that. You can't use the OU itself as the group.

    So whilst it will happily authenticate the users in the sub OUs, you still have to create the groups on School Guardian..... bit of a faff, but do-able.... Feature Request Tom?

  14. #13 DMcCoy
    Quote Originally Posted by TheFopp:
        So whilst it will happily authenticate the users in the sub OUs, you still have to create the groups on School Guardian..... bit of a faff, but do-able.... Feature Request Tom?

    No, it reads the groups from AD depending on where you point the group path; these then show up to be used on SG. It just needs a search path to find them.

    The groups found under the search path are listed on the groups page. You will need the users in an AD group even if at minimum it's using the default domain users group.

  15. #14
    Quote Originally Posted by DMcCoy:
        No, it reads the groups from AD depending on where you point the group path; these then show up to be used on SG. It just needs a search path to find them.

        The groups found under the search path are listed on the groups page. You will need the users in an AD group even if at minimum it's using the default domain users group.

    Ahhh, I see. That makes sense now. That's not a problem then, as they are in groups for their year groups as well as in OUs of their year groups.

  16. #15 rob_f
    Hey guys, sorry for the delay catching up to this. Best practice for handling AD groups with a smoothwall web filter is:

    - Create in AD separate groups for the separate policy groups you want in the SW, so an AD group Year7, Year8, Year9 etc. and put those in their own OU.

    - Set the group search root to be the OU above (ou=mygroups,dc=domain,dc=local for example)

    - Include the groups you want (Authentication > Include Groups)

    - Rename and map the groups to the smoothwall groups (Authentication > Groups)

    Handling of multiple group memberships isn't something that can be easily done, and it would make things too complicated to debug what user was getting which group anyway. Doing the above, and making sure each user is only in one group is the best way to do things.

    If you're trying to get NTLM Authentication rather than NTLM Identification working, and it's not, there are a couple of extra AD integration steps that need to be addressed. Basically, as NTLM Authentication checks the users' usernames and passwords with AD, the Smoothwall itself needs to join the domain as a member server. Hence the user you specify on the System > Authentication > Settings page needs to be a domain admin, have a Windows 2000 style user logon name (user@domain.local, top box of the Account tab) and password expiry turned off. Best to create a new user for the Smoothwall rather than use Administrator or any other existing admin account. You also need to check that the Smoothwall is using the AD DNS servers at the top of Networking > Interfaces and that AD DNS has a reverse lookup zone for the subnet in which the Smoothwall and AD servers reside.

    Hope this is clear, still quite early in the day for this kind of thing. Give me a shout if you need help, my number is below.

    Ta,

    Rob.

  17. Thanks to rob_f from:

    diggory (6th March 2009)
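The group-mapping procedure Rob lays out in #15 (a dedicated OU of policy groups, a group search root pointing at it, an include list, and exactly one policy group per user), as an added example that is not part of the thread and is not Smoothwall's or School Guardian's own code. It is a small Python audit run against a constructed AD snapshot: all DNs, group names and user names below are made up, and the functions are this example's own. It reports which users would land in no in-scope policy group at all (the kind of account that ends up under a default or "unauthenticated IPs" policy) and which are in more than one, which is Scott's situation in #7. Direct membership only is counted, matching the thread's advice not to rely on nested groups.

```python
# Added example, not from the thread or from Smoothwall: audit AD group
# membership the way a web filter's "group search root" would see it.
# Every DN, group and user here is constructed for illustration.


def dn_components(dn):
    """Split a DN into its RDNs, normalised for comparison.
    AD matches DN attribute types and values case-insensitively, so both are
    lower-cased and whitespace around commas is dropped. Assumption: none of
    the DNs contain escaped commas (true for the constructed data here)."""
    return [part.strip().lower() for part in dn.split(",")]


def is_under(dn, search_root):
    """True when dn is search_root itself or an entry somewhere below it."""
    parts, root = dn_components(dn), dn_components(search_root)
    return len(parts) >= len(root) and parts[-len(root):] == root


def cn_of(dn):
    """Leaf name of a DN, e.g. 'Year7' from 'CN=Year7,OU=mygroups,...'."""
    return dn.split(",")[0].split("=", 1)[1].strip()


# Constructed snapshot: group DN -> direct member user DNs (AD's 'member').
SNAPSHOT = {
    "CN=Year7,OU=mygroups,DC=domain,DC=local": [
        "CN=pupil01,OU=Year7,OU=All Students,DC=domain,DC=local",
        "CN=staff01,OU=Staff,DC=domain,DC=local",   # mistakenly added here too
    ],
    "CN=Year8,OU=mygroups,DC=domain,DC=local": [
        "CN=pupil02,OU=Year8,OU=All Students,DC=domain,DC=local",
    ],
    "CN=Staff,OU=mygroups,DC=domain,DC=local": [
        "CN=staff01,OU=Staff,DC=domain,DC=local",
    ],
    # Everyone is in Domain Users, but it lives under CN=Users, not under the
    # search root, so a filter pointed at ou=mygroups never sees it.
    "CN=Domain Users,CN=Users,DC=domain,DC=local": [
        "CN=pupil01,OU=Year7,OU=All Students,DC=domain,DC=local",
        "CN=pupil02,OU=Year8,OU=All Students,DC=domain,DC=local",
        "CN=pupil03,OU=Year9,OU=All Students,DC=domain,DC=local",  # no policy group
        "CN=staff01,OU=Staff,DC=domain,DC=local",
    ],
}


def groups_in_scope(snapshot, search_root, included=None):
    """Groups the filter would list: those under the search root, optionally
    narrowed to the names ticked under an 'include groups' list."""
    found = [dn for dn in snapshot if is_under(dn, search_root)]
    if included is not None:
        wanted = {name.lower() for name in included}
        found = [dn for dn in found if cn_of(dn).lower() in wanted]
    return found


def policy_groups_for(user_dn, snapshot, search_root, included=None):
    """Sorted names of in-scope groups the user is a DIRECT member of.
    Nested membership is deliberately not expanded."""
    user = dn_components(user_dn)
    return sorted(
        cn_of(g)
        for g in groups_in_scope(snapshot, search_root, included)
        if any(dn_components(m) == user for m in snapshot[g])
    )


def audit(users, snapshot, search_root, included=None):
    """Map each user's leaf name to (status, groups) where status is
    'ok' (exactly one policy group), 'none' (no in-scope group, so only a
    default or unauthenticated policy could apply) or 'ambiguous' (several
    groups, so which policy wins is not predictable)."""
    report = {}
    for user_dn in users:
        groups = policy_groups_for(user_dn, snapshot, search_root, included)
        status = "ok" if len(groups) == 1 else ("none" if not groups else "ambiguous")
        report[cn_of(user_dn)] = (status, groups)
    return report


if __name__ == "__main__":
    # Lower-case on purpose: DN comparison must not be case-sensitive.
    root = "ou=mygroups,dc=domain,dc=local"
    all_users = sorted({m for members in SNAPSHOT.values() for m in members})
    for name, (status, groups) in audit(all_users, SNAPSHOT, root,
                                        ["Year7", "Year8", "Staff"]).items():
        print(f"{name:8} {status:10} {groups}")
```

Run as-is it flags pupil03 (in Domain Users only) as having no policy group and staff01 (in both Staff and Year7) as ambiguous; pupil01 and pupil02 map cleanly. Against a real directory the same three checks (is the group under the search root, is it on the include list, is the user in exactly one) are what to verify when accounts show up in the logs with a username but the wrong policy.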
