Thread: Schoolguardian - updates (Internet Related/Filtering/Firewall, Technical forum)
Page 2 of 2, posts 16 to 25 of 25
#16 - tom_newton
    @mb... Keep asking. It helps. I'll owe you a beer*

    Auth3.. the lowdown (brief version):
    * multi domain - talk to multiple, distinct auth servers
    * better diags
    * multi-auth method - "use NTLM for these PCs, SSL for others"
    * more reliability
    * much quicker
    * easier to configure
    * tree-view of ADs
    * group "priority"
    * single-user groups

    There are no new "methods", but these have been allowed for, and we should see some toward year-end.

    Would your SSL users appreciate a java login app? That's something I am trying to get done...

    * redeemable at BETT or edugeek conf of your choice
    Last edited by tom_newton; 6th May 2010 at 11:32 AM. Reason: added new bits

Thanks to tom_newton from: powdarrmonkey (6th May 2010)

#17 - Stuart_C
    mmmmm..... Multi domain...

    Oh Tom, can I ask for "Number of Concurrent Logins based on group membership" for some point in the future. It would be nice to limit my staff/pupils to 1 login and me and my techie to UNLIMITED!!! <insert evil laugh for no explainable reason here>

Thanks to Stuart_C from: tom_newton (6th May 2010)

#18 - mb2k01
I think our users would appreciate not having to log on at all (like NTLM), to be honest.
I guess if NTLM just wasn't going to be a reliable option in future releases then a Java login app would at least be a step in the right direction (and hopefully remove the SSL error message?).

On the RM comment - my situation is quite unique... a complete new build outside of BSF / PFI. RM are contracted as our IT Framework Partners but are working with me to design the overall solution. I stated to them fairly early on that we use Smoothwall for staff (currently not pupils) and it didn't seem an issue at all - in fact they were open about the fact they were looking at it themselves. I've since looked at the UTM product as we want complete firewall control in our new school too.

#19 - Gatt
Quote Originally Posted by mb2k01 (post #18 above)
Sounds kinda similar to our position - we are contracted to move to RM as part of BSF, but due to us being the ONLY school in Salford running a fully fledged Windows 7 / 2008 R2 network, it has been agreed that we can keep our existing network and not have to buy into CC4. Guessing our network will need to be linked somehow to RM's (probably via a trust relationship of sorts; not yet privy to that info)... So it would make sense that we keep Smoothwall as well, as it's already part of our infrastructure...

#20 - mb2k01
    I have to say... my historical opinion of RM couldn't be much lower (and my previous posts probably demonstrate that!), and I would still never move to their Connect products or overly rely on their support services.... but....

    So far I have had a very good relationship with the team of business managers / infrastructure specialists and educational specialists they have assigned to our project.
    The uniqueness (is that a word!?) of our situation meant we could dictate the kind of network we had from a very early point, and the decision was made to stick with our Vanilla approach which has worked well over the years. While I expected this to become a major issue, it really hasn't.
    On issues like content filtering / firewall we have been able to specify what we want and they work with us to make it happen.
    Your situation might be different because of the restrictions imposed by BSF, but I certainly wouldn't give up hope.

#21 - Simcfc73
    Just installed the Auth 3 thingy and... it doesn't like me.

    I currently use NTLM (terminal compat mode), if I try and enable the second proxy it says

    Error - NTLM can not be used in non-transparent mode when the second proxy port is enabled.
    To use non-transparent NTLM, disable the second port.
    To use NTLM with the second port, turn on the transparent proxying option on the guardian->proxy->web proxy page.


    I don't want to enable transparent proxy or allow direct access so it looks like I can't use it

    Error - "Block direct web access" and "Transparent" cannot be enabled at the same time

    I suppose I was expecting too much, I've never had the block direct access unticked... isn't that a security risk?... weird

#22 - tom_newton
Quote Originally Posted by Simcfc73 (post #21 above)
    I'll check it out. This is likely due to needing to use the "transparent trick" in NTLM (we have 2 ways of authenticating with NTLM) - so there shouldn't be a requirement to actually transparently proxy anything (though it shouldn't hurt?).

    Block direct is a bit of an ancient hangover from the past - you should be able to block direct access in the outgoing rules.

Let me chat to dev and I will see what I can find out.

#23 - Simcfc73
    Have to say that the box is really quick this morning after the updates. I have been looking at logs and they are miles quicker at updating than before.

Thanks to Simcfc73 from: tom_newton (13th May 2010)

#24 - tom_newton
    My colleagues are asking why you don't want transparent on - they rightly point out that you can bypass transparent for selected IPs if you wish - going transparent will not give users any more access than normal either (they will still get auth'd).

    Other than that it may be a manual removal of iptables rules.

    It should be pointed out that this is due to a limitation in Guardian - we can't do proxyntlm in 2auth mode - which will be going away in the major Guardian (as opposed to Auth) update later in the year. At that point we will be able to run as many differing auth schemes on as many ports as we like

    Good to see that speed has improved too. We suspected oldauth as being something of a bottleneck, and you have also applied the new reporting stuffs which will speed things up.
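The two points raised above, bypassing the transparent redirect for selected IPs (post #24) and blocking direct web access in the outgoing rules rather than with the old "Block direct web access" checkbox (post #22), are ordinary iptables mechanics on any Linux gateway. The script below is an added example written for this thread; it is not Smoothwall's own rule set and nothing in it comes from the Guardian UI. The interface names (eth0/eth1), the 192.168.10.0/24 client subnet, the proxy port 800 and the two bypass addresses are all assumptions and should be replaced with your own values.

```shell
#!/bin/sh
# Added example (not Smoothwall's own rule set): iptables rules for a
# transparent HTTP proxy with (a) selected hosts exempted from the redirect and
# (b) a "block direct web access" equivalent written as forward/outgoing rules.
# All interface names, subnets, ports and bypass addresses below are assumptions.

LAN_IF="${LAN_IF:-eth0}"                  # assumed LAN-facing interface
WAN_IF="${WAN_IF:-eth1}"                  # assumed internet-facing interface
LAN_NET="${LAN_NET:-192.168.10.0/24}"     # assumed client subnet
PROXY_PORT="${PROXY_PORT:-800}"           # assumed proxy listening port on this box
BYPASS_IPS="${BYPASS_IPS:-192.168.10.5 192.168.10.6}"  # assumed hosts exempt from the redirect

# Emit the rule set as plain iptables commands, in the order they must be
# appended, so it can be reviewed (or diffed against iptables-save) before use.
build_rules() {
    # 1. Bypass hosts: skip the NAT redirect and let them out on 80/443 directly.
    #    These must precede the REDIRECT and REJECT rules: a chain stops at the first match.
    for ip in $BYPASS_IPS; do
        echo "iptables -t nat -A PREROUTING -i $LAN_IF -s $ip -p tcp --dport 80 -j RETURN"
        echo "iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $ip -p tcp -m multiport --dports 80,443 -j ACCEPT"
    done
    # 2. Browsers configured with an explicit proxy connect to this box itself (INPUT chain).
    echo "iptables -A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport $PROXY_PORT -j ACCEPT"
    # 3. Transparent redirect: plain HTTP from everyone else on the LAN goes to the local proxy.
    echo "iptables -t nat -A PREROUTING -i $LAN_IF -s $LAN_NET -p tcp --dport 80 -j REDIRECT --to-ports $PROXY_PORT"
    # 4. "Block direct": no other LAN host may reach 80/443 on the internet without the proxy.
    #    Connections the proxy itself opens leave via OUTPUT, which this rule does not touch.
    echo "iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -p tcp -m multiport --dports 80,443 -j REJECT --reject-with tcp-reset"
}

# Number of rules build_rules emits (a quick sanity check before applying).
count_rules() {
    build_rules | wc -l | tr -d ' '
}

# Apply the generated rules; refuses to run unless root.
apply_rules() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "apply_rules: must be run as root" >&2
        return 1
    fi
    build_rules | sh -e
}

# Default action is a dry run that prints the rules. Pass "apply" to load them.
if [ "${1:-}" = "apply" ]; then
    apply_rules
else
    build_rules
fi
```

Run it with no arguments to print the rules for review, and as root with `apply` to load them; it assumes the box is the LAN's default gateway, which a transparent redirect needs anyway. Ordering is the security-relevant detail: the per-host RETURN and ACCEPT rules are appended before the REDIRECT and REJECT rules because a chain stops at the first match, so a bypass host listed after the catch-all would never be reached. Clients with an explicit proxy setting are unaffected by the FORWARD rule, since they connect to the proxy port on the box itself (INPUT), which is how this reproduces "block direct web access" without needing the transparent and block-direct options to coexist. HTTPS is not redirected (a plain HTTP proxy cannot intercept it transparently), so non-bypass hosts must use the explicit proxy setting for port 443 or they will get a reset.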

#25
    Hi Tom,

That's a feature that would be really handy for our setup at Ash Hi. Is it possible we could have a look at that as well?

    Cheers.
