powdarrmonkey (6th May 2010)
@mb... Keep asking. It helps. I'll owe you a beer*
Auth3.. the lowdown (brief version):
* multi domain - talk to multiple, distinct auth servers
* better diags
* multi-auth method - "use NTLM for these PCs, SSL for others"
* more reliability
* much quicker
* easier to configure
* tree-view of ADs
* group "priority"
* single-user groups
There are no new "methods", but these have been allowed for, and we should see some toward year-end.
Would your SSL users appreciate a java login app? That's something I am trying to get done...
* redeemable at BETT or edugeek conf of your choice
Last edited by tom_newton; 6th May 2010 at 11:32 AM. Reason: added new bits
powdarrmonkey (6th May 2010)
mmmmm..... Multi domain...
Oh Tom, can I ask for "Number of Concurrent Logins based on group membership" for some point in the future. It would be nice to limit my staff/pupils to 1 login and me and my techie to UNLIMITED!!! <insert evil laugh for no explainable reason here>
tom_newton (6th May 2010)
I think our users would appreciate not having to log on at all (like NTLM) to be honest.
I guess if NTLM just wasn't going to be a reliable option in future releases then a Java login app would at least be a step in the right direction (and hopefully remove the SSL error message?)
On the RM comment - My situation is quite unique... a complete new build outside of BSF / PFI. RM are contracted as our IT Framework Partners but working with me to design the overall solution. I stated to them fairly early on that we use Smoothwall for staff (currently not pupils) and it didn't seem an issue at all - in fact they were open about the fact they were looking at it themselves. I've since looked at the UTM product as we want complete firewall control in our new school too.
I have to say... my historical opinion of RM couldn't be much lower (and my previous posts probably demonstrate that!), and I would still never move to their Connect products or overly rely on their support services.... but....
So far I have had a very good relationship with the team of business managers / infrastructure specialists and educational specialists they have assigned to our project.
The uniqueness (is that a word!?) of our situation meant we could dictate the kind of network we had from a very early point, and the decision was made to stick with our Vanilla approach which has worked well over the years. While I expected this to become a major issue, it really hasn't.
On issues like content filtering / firewall we have been able to specify what we want and they work with us to make it happen.
Your situation might be different because of the restrictions imposed by BSF, but I certainly wouldn't give up hope.
Just installed the Auth 3 thingy and... it doesn't like me.
I currently use NTLM (terminal compat mode), if I try and enable the second proxy it says
Error - NTLM can not be used in non-transparent mode when the second proxy port is enabled.
To use non-transparent NTLM, disable the second port.
To use NTLM with the second port, turn on the transparent proxying option on the guardian->proxy->web proxy page.
I don't want to enable transparent proxy or allow direct access so it looks like I can't use it
Error - "Block direct web access" and "Transparent" cannot be enabled at the same time
I suppose I was expecting too much, I've never had the block direct access unticked... isn't that a security risk?... weird
Block direct is a bit of an ancient hangover from the past - you should be able to block direct access in the outgoing rules.
Let me chat to dev and I will see what I can find out.
Have to say that the box is really quick this morning after the updates. I have been looking at logs and they are miles quicker at updating than before.
tom_newton (13th May 2010)
My colleagues are asking why you don't want transparent on - they rightly point out that you can bypass transparent for selected IPs if you wish - going transparent will not give users any more access than normal either (they will still get auth'd).
Other than that it may be a manual removal of iptables rules.
It should be pointed out that this is due to a limitation in Guardian - we can't do proxyntlm in 2auth mode - which will be going away in the major Guardian (as opposed to Auth) update later in the year. At that point we will be able to run as many differing auth schemes on as many ports as we like.
Good to see that speed has improved too. We suspected oldauth as being something of a bottleneck, and you have also applied the new reporting stuffs which will speed things up.
That's a feature that would be really handy to our setup at Ash Hi. Is it possible we could have a look at that as well?