SWGfL and remote access?

[yabbadabba]

Hello to all in the SWGfL forum

A quick one as such, how do you all setup remote access with SWGfL.

Does everyone use their managed service or has any one moved away from this and use thier own firewall ect.

Cheers

Paul.

[stuartwilkie]

would be interested in this too - particularly in light of what the bill was going to be this year. i think some of the exeter schools were looking at this - hope someone from there can post.

we on the managed service at the mo, and got a isa publishing sharepoint and exchange. got some webparts for sharepoint to publish my docs.

[yabbadabba]

When I mean moved away I mean get SWGfL to open up the internet connection so the end user can control what is/isnt open when it comes to port fowarding etc.

[klawd]

Two links into school, here.

One Business ADSL, one SWGFL connection.

We use 2x Application server tunnelled over the ADSL, this works fanastically.
The county were trying to sell some hugely expensive VPN solution, which wer were not willing to pay for.

We have also found the SWGFL connection to be unreliable, It seems most maintenance is done out of hours, right when we need remote access.

We have managed to get around 20 ports opened on the County router, took forever to get someone to agree to it, and the actual openining was done while I was on the phone and took literally minutes to complete.

They will however not allow certain ports. Low ports usually, things such as 25 etc.

Since we use the ADSL for everything though, this is not an issue for us.

[Tamarside]

I've submitted a change control request around two years ago. It was a simple request, something along these lines:

Please open ALL TCP & UDP ports for inbound and outbound access, except for port 25.

I received a lengthy reply lecturing me on the dangers of exposing a mail server to the Net, and explaining the implications of running an open proxy! Now in context, my Exchange box is NOT an open proxy and I've even tarpitted it. I find it amusing that they only lectured me on the one port I specifically asked them NOT to open!

Every so often I nudge them about this request, which as far as I'm concerned is still open.

I get various responses, but most seem to centre on the "No, because it would place the whole SWGfL at risk" argument. My counter argument is that they tell us their network is secure and data flow directly between sites is not possible (even though we know it IS possible!). I ask them how this network can be a threat to the stability of the rest of the grid, given their stringent firewall controls.

I'm still waiting on a reply to my counter argument!

We have an ISA 06 box on site and we filter Internet connection again on site. We started doing that primarily because of SWGfL's apparent inability to filter out proxy bypass sites, as well as the clunkiness of their web-based interface. There are a number of free proxy bypass lists available on the Internet in ISA's XML format and they do get updated, although not quite as often as we'd like. Still, free is always a good price!

We've extended our on-site filtering to three levels for students: We have Green access, which allows students that have consistently shown they are trustworthy to have access to sites such as Bebo. Yellow access is what most students have and it simply filters out the usual suspects, including Bebo. Finally we have Red access for students that struggle to remain focused on their school work. Students with this level of access are allowed only onto a set white list, to which we add URL's all the time.

We don't use the Staff Proxy at all, nor have we used the unfiltered proxy since around 2005.

The burning question I have for SWGfL relates to Shibboleth. Up until a year or two ago they were dropping it at every conceivable opportunity and telling anybody within earshot how Merlin, and various other services on the grid will be Shibboleth compliant.

Now Shibboleth is essentially an identity federation system, as in Mr X can use application Y running on Z.local domain because all systems can check his credentials against each other. Shibboleth can be a nightmare to set up, but for us Windows folks it can also be a doddle to have Shibboleth compliance, in the form of Microsoft's Active Directory Federation Services.

Once any school has Shibboleth complaince in place, why do we still need seperate usernames and passwords for everything on SWGfL's side?

[mpe]

I've submitted a change control request around two years ago. It was a simple request, something along these lines:

Please open ALL TCP & UDP ports for inbound and outbound access, except for port 25.

I received a lengthy reply lecturing me on the dangers of exposing a mail server to the Net, and explaining the implications of running an open proxy! Now in context, my Exchange box is NOT an open proxy and I've even tarpitted it. I find it amusing that they only lectured me on the one port I specifically asked them NOT to open!

I actually found that they'd opened TCP ports 22, 25, 80, 443 & 8383 on 10.3.48.4 together with a NAT from 62.171.195.12 to 10.3.48.4. Thus was after I discovered they had put in an outgoing rule to TCP port 80.
Not only were these not requested they also appear to breach the "security policy"...

I get various responses, but most seem to centre on the "No, because it would place the whole SWGfL at risk" argument. My counter argument is that they tell us their network is secure and data flow directly between sites is not possible (even though we know it IS possible!).

Though it dosn't appear to be the best of ideas that anything between sites tends to get SNATed to 62.171.194.161.