Internet Related/Filtering/Firewall Thread, Schoolguardian - updates in Technical
6th May 2010, 12:04 PM #16
@mb... Keep asking. It helps. I'll owe you a beer*
Auth3.. the lowdown (brief version):
* multi domain - talk to multiple, distinct auth servers
* better diags
* multi-auth method - "use NTLM for these PCs, SSL for others"
* more reliability
* much quicker
* easier to configure
* tree-view of ADs
* group "priority"
* single-user groups
There are no new "methods", but these have been allowed for, and we should see some toward year-end.
Would your SSL users appreciate a java login app? That's something I am trying to get done...
* redeemable at BETT or edugeek conf of your choice
Last edited by tom_newton; 6th May 2010 at 12:32 PM.
Reason: added new bits
6th May 2010, 12:16 PM #17
mmmmm..... Multi domain...
Oh Tom, can I ask for "Number of Concurrent Logins based on group membership" for some point in the future. It would be nice to limit my staff/pupils to 1 login and me and my techie to UNLIMITED!!! <insert evil laugh for no explainable reason here>
6th May 2010, 12:16 PM #18
I think our users would appreciate not having to log on at all (like NTLM) to be honest.
I guess if NTLM just wasn't going to be a reliable option in future releases then a Java login app would at least be a step in the right direction (and hopefully remove the SSL error message?)
On the RM comment - My situation is quite unique... a complete new build outside of BSF / PFI. RM are contracted as our IT Framework Partners but working with me to design the overall solution. I stated to them fairly early on that we use Smoothwall for staff (currently not pupils) and it didn't seem an issue at all - in fact they were open about the fact they were looking at it themselves. I've since looked at the UTM product as we want complete firewall control in our new school too.
6th May 2010, 12:21 PM #19
Sounds kinda similar to our position - we are contracted to move to RM as part of BSF, but due to us being the ONLY school in Salford running a fully fledged Windows 7 / 2008 R2 network, it has been agreed that we can keep our existing network and not have to buy into CC4 - guessing our network will need to be linked somehow to RM's (probably via a trust relationship of sorts (not yet privy to that info)).. So would make sense that we keep Smoothwall as well as it's already part of our infrastructure...
Originally Posted by mb2k01
6th May 2010, 12:29 PM #20
I have to say... my historical opinion of RM couldn't be much lower (and my previous posts probably demonstrate that!), and I would still never move to their Connect products or overly rely on their support services.... but....
So far I have had a very good relationship with the team of business managers / infrastructure specialists and educational specialists they have assigned to our project.
The uniqueness (is that a word!?) of our situation meant we could dictate the kind of network we had from a very early point, and the decision was made to stick with our Vanilla approach which has worked well over the years. While I expected this to become a major issue, it really hasn't.
On issues like content filtering / firewall we have been able to specify what we want and they work with us to make it happen.
Your situation might be different because of the restrictions imposed by BSF, but I certainly wouldn't give up hope.
12th May 2010, 10:58 PM #21
Just installed the Auth 3 thingy and... it doesn't like me.
I currently use NTLM (terminal compat mode), if I try and enable the second proxy it says
Error - NTLM can not be used in non-transparent mode when the second proxy port is enabled.
To use non-transparent NTLM, disable the second port.
To use NTLM with the second port, turn on the transparent proxying option on the guardian->proxy->web proxy page.
I don't want to enable transparent proxy or allow direct access so it looks like I can't use it.
Error - "Block direct web access" and "Transparent" cannot be enabled at the same time
I suppose I was expecting too much, I've never had the block direct access unticked... isn't that a security risk?... weird
13th May 2010, 08:47 AM #22
I'll check it out. This is likely due to needing to use the "transparent trick" in NTLM (we have 2 ways of authenticating with NTLM) - so there shouldn't be a requirement to actually transparently proxy anything (though it shouldn't hurt?).
Originally Posted by Simcfc73
Block direct is a bit of an ancient hangover from the past - you should be able to block direct access in the outgoing rules.
Let me chat to dev and I will see what I can find out.
13th May 2010, 11:45 AM #23
Have to say that the box is really quick this morning after the updates. I have been looking at logs and they are miles quicker at updating than before.
13th May 2010, 12:16 PM #24
My colleagues are asking why you don't want transparent on - they rightly point out that you can bypass transparent for selected IPs if you wish - going transparent will not give users any more access than normal either (they will still get auth'd).
Other than that it may be a manual removal of iptables rules.
It should be pointed out that this is due to a limitation in Guardian - we can't do proxyntlm in 2auth mode - which will be going away in the major Guardian (as opposed to Auth) update later in the year. At that point we will be able to run as many differing auth schemes on as many ports as we like.
Good to see that speed has improved too. We suspected oldauth as being something of a bottleneck, and you have also applied the new reporting stuffs which will speed things up.
13th May 2010, 02:17 PM #25
That's a feature that would be really handy to our setup at Ash Hi. Is it possible we could have a look at that as well?