speckytecky (11th September 2012)
Got an e-mail today announcing SWGfL new transparent proxy service. This is timed quite nicely for us as I've been looking at a BYOD setup using our Ruckus Wireless system. I'm making use of our 'admin' scope of IP addresses that we've never used on a separate VLAN to have these devices reside in. Just got this side of it working and started playing with WPAD to help auto configure the proxy settings and this pops up in my mailbox. Nice.
Will report again when we've got it running.
speckytecky (11th September 2012)
Did you get this working? Im seriously looking into BYOD due to budget constraints etc so could i pop over and have a look at your setup? The only difference with ours is we use Extricom for our Wireless.
Last edited by techie08; 13th September 2012 at 12:10 PM.
I had seen the announcement from the SWGfL folk on twitter. Looks like a nice solution, and actually the same solution I am trying to get my RBC/LEA to implement.
Just out of interest... have you checked with the SWGfL on using the 'admin' range for BYOD? There might be different firewall rules, which might make it not suitable for BYOD use. Probably worth checking?
The whole BYOD is running, I'm testing it at the mo - writing this on my personal netbook as a test.
I'm still waiting for the transparent proxy to be enabled - I've put the order in and I've had confirmation and a checklist from SWGfL for things to check. I've made it clear to them that I'm working on that particular IP address range and ideally only want it activated on that range - I'm waiting a responsde from their engineers.
My reasoning for using that range is that we don't use it. I don't have any sort of NAT device on our network so the only way of getting this working is to use the scope(s) that we have from SWGfL.
I've setup a VLAN specifically for this and that VLAN only works for that range of addresses with no routing setup to that vlan to the others. I'm am however using IP Helper-Address for the DHCP server to issue addresses and set their DNS address to that of the DNS Servers of SWGfL.
I essentially setup our Ruckus System following the video that Ruckus put on YouTube for setting up BYOD. I've got two additional SSID's running, one which is open and is setup as a 'walled garden'. They can only go to a Login Screen on the ZoneDirector which authenticates them against an AD Group. If sucessful, the Zero-IT Configuration utility then setups up a wireless network on their device with their Pre-Shared Key which is unqiue to that MAC Address of the device in use, valid for a set period. They latch onto that and that's that.
I like this sort of setup as the BYOD are seperate on a different VLAN once secured, so, essentially secured away from the main network and servers. Hopefully this new service will stop me having to worry about setting up WPAD or explaining proxy servers to users. The new 9.3 firmware release of Ruckus does support WPAD configuration but I couldn't get it working but I'm not too worried if this new Transparent proxy works. Tricky part has been getting the VLAN tagging and untagging in place on the numerous switches, but Spiceworks has been helpful in identifying what is plugged into where.
For now, it'll do (hopefully) and this will be aimed purely at Staff at present. However, if and when we do get a 6th Form, I've already been hinted at that BYOD will be the big thing for this. Numbers will be greater so upgrades will be needed and more than likely bigger address range or the setup of some sort of NAT device.
Hope that helps. I'll report back once this new transparent proxy service is in place.
If the SWGfL can do it, I hope BGFL will offer the same/similar service... come on chaps, make it happen
Just to add, the next challenge is seeing if I can work out how to route to our Frog Server from the BYOD range. That would be a useful mechanism to allow access to their files while attached internally on the BYOD network - I'm hoping that we can get one of the additional NICs on the Frogserver activated within it's own IP address and hook this into the BYOD VLAN, I'm still working it out in my head - one step at a time though.
@FragglePete Your setup is practically the same as mine, same kit, same youtube video... The only thing we are missing is the transparent proxy, although my LEA are investigating this with their supplier. They have however assigned us an additional subnet which we have hacked into chunks of IP's which get filtered at different levels, so a KS3 child, will be filtered/monitored at the appropriate level.
We have used WPAD and PAC files successfully, but it proved to complicated for many popping a pac address in an Apple device, or a manual proxy on Android. Effectively killing off our previous BYOD scheme.
How are you getting on with ZeroIT on Android? It's confused the few people we tried it with because it downloads as an App. And do any of your devices automatically drop the walled garden SSID and connect to the BYOD SSID after installing the profile/exe/apt like it shows in the youtube video?
This represents a huge step forward for schools wishing to provide proper "Guest WiFi" services. We've been providing this for about a year with various methods for dealing with the proxy configuration. None have proved reliable so we've ended up with posters around the school telling people the proxy details they need to manually add to their device. Losing this hindrance altogether promises to make the Guest Wifi facility come alive and be really useful.
I haven't launched it to staff yet, but can see the Android thing being an issue, as it's got no idea what to do with an .exe file. Some instructions will be provided I guess and we'll see how it goes.
Yes, that is one behaviour I did notice, is that it doesn't actually swap the Wireless Network to the secure one which it seems to do in the BYOD Video - the video was demonstrated on a MAC so I guess it might work on a those?
When I annouce it, I'll give as clear as instructions where I can and see how it goes.
The problem I can see with the WPAD and PAC files on the Zone Director is that it hosts the WPAD file on the main VLAN address range which can't be accessed when they swap to the BYOD VLAN with it's own scope. That's what I figured anyway ? !
Androids download a .apk file (or at least the default browser in my ICS tablet does, dolphin downloads a zip). It installs an app called WifiAutoConf4.0 which your users then need to open. This app, has a button which installs the SSID settings. A bit of a faff.
It's on my list to test it from a Mac. I suspect this is the only platform that might automatically jump networks once installed.
Our PAC and WPAD files are served from an internal web server which we've allowed access to through the ACLs. It's also our moodle server, so we wanted all that traffic to stay internal.
We got switched over to the Transparent Proxy system this morning, and it all seems to work but have noticed an issue which I need to resolve. I was just getting excited and was about to annouce this service to staff but a small issue has just kerbed my enthusiasm.....
When connected to BYOD, users can't access our internal e-mail server of VLE server. The reason being, that their sitting on a seperate VLAN which has not routing to the main VLAN. The DNS server I'm using for this range is the SWGfL Servers which when you type in the 'public' address of our VLE server it pings back the internal IP address of the server on the main VLAN. After all, the SWGfL DNS are pointing it back to a server on their internal network, our subnet. Type in the actual public IP address of the server, and a connection is made but obviously the certificate gets all tissy.
I knew at the back of my mind when doing this that I'd have to setup some sort of route on our core switch to allow access to the servers; it makes sense after all. This is where I'm a little stuck. I don't want the BYOD VLAN have full access to the other VLANs configured but do want it to allow access to two specific servers on the main VLAN. So I guess I need to setup some sort of static route and I believe ACLs as well? Anybody got an pointers on configuring this on a HP ProCurve 5460zl switch?
Just wondered how you went about setting up the transparent proxy service. We have a request in but the prerequisites talk about renaming our entire internal domain which sounds like a real headache especially as we use Exchange 2010 which apparently doesn't like domain renaming. Did you manage to do this without too much pain?
There are currently 1 users browsing this thread. (0 members and 1 guests)