South West Grid for Learning (SWGfL) Thread, SWGfL New Transparent Proxy in Regional Broadband Consortiums (RBC)
  1. #1

    SWGfL New Transparent Proxy

    Got an e-mail today announcing SWGfL new transparent proxy service. This is timed quite nicely for us as I've been looking at a BYOD setup using our Ruckus Wireless system. I'm making use of our 'admin' scope of IP addresses that we've never used on a separate VLAN to have these devices reside in. Just got this side of it working and started playing with WPAD to help auto configure the proxy settings and this pops up in my mailbox. Nice.

    Will report again when we've got it running.

    Pete

  2. Thanks to FragglePete from:

    speckytecky (11th September 2012)

  3. #2

    Hi Pete

    Did you get this working? I'm seriously looking into BYOD due to budget constraints etc so could I pop over and have a look at your setup? The only difference with ours is we use Extricom for our Wireless.

    Cheers
    Last edited by techie08; 13th September 2012 at 12:10 PM.

  4. #3
    IrritableTech's Avatar
    I had seen the announcement from the SWGfL folk on twitter. Looks like a nice solution, and actually the same solution I am trying to get my RBC/LEA to implement.

    Just out of interest... have you checked with the SWGfL on using the 'admin' range for BYOD? There might be different firewall rules, which might make it not suitable for BYOD use. Probably worth checking?

  5. Thanks to IrritableTech from:

    FragglePete (13th September 2012)

  6. #4

    Hi.
    The whole BYOD is running, I'm testing it at the mo - writing this on my personal netbook as a test.

    I'm still waiting for the transparent proxy to be enabled - I've put the order in and I've had confirmation and a checklist from SWGfL for things to check. I've made it clear to them that I'm working on that particular IP address range and ideally only want it activated on that range - I'm waiting for a response from their engineers.

    My reasoning for using that range is that we don't use it. I don't have any sort of NAT device on our network so the only way of getting this working is to use the scope(s) that we have from SWGfL.

    I've set up a VLAN specifically for this and that VLAN only works for that range of addresses, with no routing set up from that VLAN to the others. I am however using IP Helper-Address for the DHCP server to issue addresses and set their DNS address to that of the DNS Servers of SWGfL.

    I essentially set up our Ruckus System following the video that Ruckus put on YouTube for setting up BYOD. I've got two additional SSIDs running, one which is open and is set up as a 'walled garden'. They can only go to a Login Screen on the ZoneDirector which authenticates them against an AD Group. If successful, the Zero-IT Configuration utility then sets up a wireless network on their device with their Pre-Shared Key which is unique to the MAC Address of the device in use, valid for a set period. They latch onto that and that's that.

    I like this sort of setup as the BYOD devices are separate on a different VLAN once secured, so, essentially secured away from the main network and servers. Hopefully this new service will stop me having to worry about setting up WPAD or explaining proxy servers to users. The new 9.3 firmware release of Ruckus does support WPAD configuration but I couldn't get it working, but I'm not too worried if this new Transparent proxy works. Tricky part has been getting the VLAN tagging and untagging in place on the numerous switches, but Spiceworks has been helpful in identifying what is plugged into where.

    For now, it'll do (hopefully) and this will be aimed purely at Staff at present. However, if and when we do get a 6th Form, I've already been hinted at that BYOD will be the big thing for this. Numbers will be greater so upgrades will be needed and more than likely bigger address range or the setup of some sort of NAT device.

    Hope that helps. I'll report back once this new transparent proxy service is in place.

    Pete

  7. #5

    Michael's Avatar
    If the SWGfL can do it, I hope BGFL will offer the same/similar service... come on chaps, make it happen

  8. #6

    Just to add, the next challenge is seeing if I can work out how to route to our Frog Server from the BYOD range. That would be a useful mechanism to allow access to their files while attached internally on the BYOD network - I'm hoping that we can get one of the additional NICs on the Frog Server activated with its own IP address and hook this into the BYOD VLAN. I'm still working it out in my head - one step at a time though.

    Pete

  9. #7
    IrritableTech's Avatar
    @FragglePete Your setup is practically the same as mine, same kit, same youtube video... The only thing we are missing is the transparent proxy, although my LEA are investigating this with their supplier. They have however assigned us an additional subnet which we have hacked into chunks of IP's which get filtered at different levels, so a KS3 child, will be filtered/monitored at the appropriate level.

    We have used WPAD and PAC files successfully, but it proved too complicated for many, popping a PAC address in an Apple device, or a manual proxy on Android. Effectively killing off our previous BYOD scheme.

    How are you getting on with ZeroIT on Android? It's confused the few people we tried it with because it downloads as an App. And do any of your devices automatically drop the walled garden SSID and connect to the BYOD SSID after installing the profile/exe/apt like it shows in the youtube video?

  10. #8

    This represents a huge step forward for schools wishing to provide proper "Guest WiFi" services. We've been providing this for about a year with various methods for dealing with the proxy configuration. None have proved reliable so we've ended up with posters around the school telling people the proxy details they need to manually add to their device. Losing this hindrance altogether promises to make the Guest Wifi facility come alive and be really useful.

  11. #9

    I haven't launched it to staff yet, but can see the Android thing being an issue, as it's got no idea what to do with an .exe file. Some instructions will be provided I guess and we'll see how it goes.

    Yes, that is one behaviour I did notice, is that it doesn't actually swap the Wireless Network to the secure one which it seems to do in the BYOD Video - the video was demonstrated on a Mac so I guess it might work on those?

    When I announce it, I'll give as clear instructions as I can and see how it goes.

    The problem I can see with the WPAD and PAC files on the Zone Director is that it hosts the WPAD file on the main VLAN address range which can't be accessed when they swap to the BYOD VLAN with its own scope. That's what I figured anyway?!

    Pete

  12. #10
    IrritableTech's Avatar
    Androids download a .apk file (or at least the default browser in my ICS tablet does, Dolphin downloads a zip). It installs an app called WifiAutoConf4.0 which your users then need to open. This app has a button which installs the SSID settings. A bit of a faff.

    It's on my list to test it from a Mac. I suspect this is the only platform that might automatically jump networks once installed.

    Our PAC and WPAD files are served from an internal web server which we've allowed access to through the ACLs. It's also our moodle server, so we wanted all that traffic to stay internal.

  13. Thanks to IrritableTech from:

    FragglePete (13th September 2012)

  14. #11

    We got switched over to the Transparent Proxy system this morning, and it all seems to work but have noticed an issue which I need to resolve. I was just getting excited and was about to announce this service to staff but a small issue has just curbed my enthusiasm.....

    When connected to BYOD, users can't access our internal e-mail server or VLE server. The reason being that they're sitting on a separate VLAN which has no routing to the main VLAN. The DNS server I'm using for this range is the SWGfL Servers which, when you type in the 'public' address of our VLE server, pings back the internal IP address of the server on the main VLAN. After all, the SWGfL DNS are pointing it back to a server on their internal network, our subnet. Type in the actual public IP address of the server, and a connection is made but obviously the certificate gets all tizzy.

    I knew at the back of my mind when doing this that I'd have to set up some sort of route on our core switch to allow access to the servers; it makes sense after all. This is where I'm a little stuck. I don't want the BYOD VLAN to have full access to the other VLANs configured but do want it to allow access to two specific servers on the main VLAN. So I guess I need to set up some sort of static route and I believe ACLs as well? Anybody got any pointers on configuring this on a HP ProCurve 5460zl switch?

    Thanks

    Pete
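
The policy described in the post above (the BYOD VLAN may reach two named servers and nothing else internal) modelled as a first-match ACL with an ordering check. This is an added example, not part of the thread and not ProCurve syntax; every address, the HTTPS-only port choice and the function names are constructed assumptions.

```python
import ipaddress

# Constructed addressing and ports (assumptions, not values from the thread).
BYOD_NET = ipaddress.ip_network("10.20.0.0/24")   # BYOD VLAN scope
INTERNAL = ipaddress.ip_network("10.0.0.0/8")     # every internal VLAN
MAIL = ipaddress.ip_network("10.10.0.25/32")      # e-mail server, main VLAN
VLE = ipaddress.ip_network("10.10.0.80/32")       # VLE server, main VLAN
ANY = ipaddress.ip_network("0.0.0.0/0")
ALLOWED = {("tcp", MAIL, 443), ("tcp", VLE, 443)}  # the only approved internal flows

# Inbound ACL for the BYOD VLAN: (action, protocol, destination, port); first match wins.
ACL = [
    ("permit", "tcp", MAIL, 443),
    ("permit", "tcp", VLE, 443),
    ("deny", "any", INTERNAL, None),   # no other routing into internal VLANs
    ("permit", "any", ANY, None),      # internet, via the upstream transparent proxy
]

def evaluate(acl, src, proto, dst, dport):
    """Return the action of the first matching rule (implicit deny at the end)."""
    if ipaddress.ip_address(src) not in BYOD_NET:
        return "deny"                  # source does not belong on this VLAN
    dst = ipaddress.ip_address(dst)
    for action, r_proto, r_net, r_port in acl:
        if r_proto in ("any", proto) and dst in r_net and r_port in (None, dport):
            return action
    return "deny"

def internal_exposure(acl):
    """Permit rules that reach internal space beyond the approved server/port pairs."""
    findings = []
    for action, proto, net, port in acl:
        if action == "deny" and proto == "any" and port is None and net.supernet_of(INTERNAL):
            break                      # everything internal below this rule is blocked
        if action == "permit" and net.overlaps(INTERNAL) and (proto, net, port) not in ALLOWED:
            findings.append((proto, str(net), port))
    return findings

if __name__ == "__main__":
    client = "10.20.0.50"              # constructed BYOD client
    for dst, port in [("10.10.0.80", 443), ("10.10.0.80", 3389),
                      ("10.10.0.5", 445), ("203.0.113.10", 80)]:
        print(dst, port, evaluate(ACL, client, "tcp", dst, port))
    print("exposure:", internal_exposure(ACL))
```

Moving the catch-all permit above the internal deny is the usual way such a rule set silently opens the main VLAN; `internal_exposure` reports exactly that case.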

  15. #12

    Hi Pete

    Just wondered how you went about setting up the transparent proxy service. We have a request in but the prerequisites talk about renaming our entire internal domain which sounds like a real headache especially as we use Exchange 2010 which apparently doesn't like domain renaming. Did you manage to do this without too much pain?

    Cheers

    Simon

  16. #13

    Quote Originally Posted by Bongo View Post
    Hi Pete

    Just wondered how you went about setting up the transparent proxy service. We have a request in but the prerequisites talk about renaming our entire internal domain which sounds like a real headache especially as we use Exchange 2010 which apparently doesn't like domain renaming. Did you manage to do this without too much pain?

    Cheers

    Simon
    Hi Simon,

    Sorry for not replying sooner. Fortunately for us our internal domain bears no resemblance to our email domain so hasn't been a problem for us. Did you do a rename?

    Pete

  17. #14

    Quote Originally Posted by FragglePete View Post
    Hi Simon,

    Sorry for not replying sooner. Fortunately for us our internal domain bears no resemblance to our email domain so hasn't been a problem for us. Did you do a rename?

    Pete
    I set up transparent proxy and AD based filtration using CAPITALBYTES as an additional product running on a virtual Linux server. It works really well and now teachers have YouTube EDU and no more faffing with proxies. Now I am setting up guest wifi which I couldn't do before because of the proxy problem.


