South West Grid for Learning (SWGfL) Thread, SWGfL and remote access? in Regional Broadband Consortiums (RBC)
  1. #1


    SWGfL and remote access?

    Hello to all in the SWGfL forum

    A quick one as such, how do you all set up remote access with SWGfL?

    Does everyone use their managed service or has anyone moved away from this and use their own firewall etc.?

    Cheers

    Paul.

  2. #2
    TheScarfedOne
    Would be interested in this too - particularly in light of what the bill was going to be this year. I think some of the Exeter schools were looking at this - hope someone from there can post.

    We're on the managed service at the mo, and got an ISA publishing SharePoint and Exchange. Got some webparts for SharePoint to publish my docs.

  3. #3


    RE: SWGfL

    When I say moved away I mean get SWGfL to open up the internet connection so the end user can control what is/isn't open when it comes to port forwarding etc.

  4. #4

    Two links into school, here.

    One Business ADSL, one SWGFL connection.

    We use 2x Application server tunnelled over the ADSL, this works fantastically.
    The county were trying to sell some hugely expensive VPN solution, which we were not willing to pay for.

    We have also found the SWGFL connection to be unreliable. It seems most maintenance is done out of hours, right when we need remote access.

    We have managed to get around 20 ports opened on the County router, took forever to get someone to agree to it, and the actual opening was done while I was on the phone and took literally minutes to complete.

    They will however not allow certain ports. Low ports usually, things such as 25 etc.

    Since we use the ADSL for everything though, this is not an issue for us.

  5. #5

    I submitted a change control request around two years ago. It was a simple request, something along these lines:

    Please open ALL TCP & UDP ports for inbound and outbound access, except for port 25.

    I received a lengthy reply lecturing me on the dangers of exposing a mail server to the Net, and explaining the implications of running an open proxy! Now in context, my Exchange box is NOT an open proxy and I've even tarpitted it. I find it amusing that they only lectured me on the one port I specifically asked them NOT to open!

    Every so often I nudge them about this request, which as far as I'm concerned is still open.

    I get various responses, but most seem to centre on the "No, because it would place the whole SWGfL at risk" argument. My counter argument is that they tell us their network is secure and data flow directly between sites is not possible (even though we know it IS possible!). I ask them how this network can be a threat to the stability of the rest of the grid, given their stringent firewall controls.

    I'm still waiting on a reply to my counter argument!

    We have an ISA 06 box on site and we filter Internet connection again on site. We started doing that primarily because of SWGfL's apparent inability to filter out proxy bypass sites, as well as the clunkiness of their web-based interface. There are a number of free proxy bypass lists available on the Internet in ISA's XML format and they do get updated, although not quite as often as we'd like. Still, free is always a good price!

    We've extended our on-site filtering to three levels for students: We have Green access, which allows students that have consistently shown they are trustworthy to have access to sites such as Bebo. Yellow access is what most students have and it simply filters out the usual suspects, including Bebo. Finally we have Red access for students that struggle to remain focused on their school work. Students with this level of access are allowed only onto a set white list, to which we add URLs all the time.

    We don't use the Staff Proxy at all, nor have we used the unfiltered proxy since around 2005.

    The burning question I have for SWGfL relates to Shibboleth. Up until a year or two ago they were dropping it at every conceivable opportunity and telling anybody within earshot how Merlin, and various other services on the grid will be Shibboleth compliant.

    Now Shibboleth is essentially an identity federation system, as in Mr X can use application Y running on Z.local domain because all systems can check his credentials against each other. Shibboleth can be a nightmare to set up, but for us Windows folks it can also be a doddle to have Shibboleth compliance, in the form of Microsoft's Active Directory Federation Services.

    Once any school has Shibboleth compliance in place, why do we still need separate usernames and passwords for everything on SWGfL's side?
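
The Green/Yellow/Red scheme described in the post above, sketched as an added example (not part of the original post and not the poster's ISA configuration). All list contents except bebo.com are constructed placeholders, and blocking the proxy-bypass list for every tier is an assumption.

```python
from urllib.parse import urlsplit

# Constructed sample lists; a real deployment would load these from the
# proxy's own rule sets. Only bebo.com is taken from the post.
PROXY_BYPASS = {"proxy-bypass.example"}    # assumed blocked for every tier
SOCIAL = {"bebo.com"}                      # allowed only for Green
USUAL_SUSPECTS = {"games.example"}         # blocked for Green and Yellow
RED_WHITELIST = {"learning.example"}       # the only sites Red may reach


def _host(url):
    """Return the lower-cased hostname without a trailing dot, or ''."""
    if "://" not in url:
        url = "//" + url                   # treat a bare host as a netloc
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def _listed(host, domains):
    """True when host is a listed domain or a subdomain of one.

    The match is aligned on label boundaries, so 'notbebo.com' does not
    match 'bebo.com' the way a plain substring test would.
    """
    return any(host == d or host.endswith("." + d) for d in domains)


def allowed(tier, url):
    """Decide whether a student in the given tier may fetch url."""
    host = _host(url)
    if not host or _listed(host, PROXY_BYPASS):
        return False                       # unparseable or bypass site: deny
    if tier == "red":
        return _listed(host, RED_WHITELIST)    # default deny, whitelist only
    if _listed(host, USUAL_SUSPECTS):
        return False
    if tier == "yellow":
        return not _listed(host, SOCIAL)
    if tier == "green":
        return True
    return False                           # unknown tier fails closed
```

The decision is made on the parsed hostname rather than the raw URL string, so a URL that puts a whitelisted name in the userinfo part (before an `@`) is judged on the host it actually reaches.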

  6. #6
    mpe
    Originally posted by Tamarside:
        I submitted a change control request around two years ago. It was a simple request, something along these lines:

        Please open ALL TCP & UDP ports for inbound and outbound access, except for port 25.

        I received a lengthy reply lecturing me on the dangers of exposing a mail server to the Net, and explaining the implications of running an open proxy! Now in context, my Exchange box is NOT an open proxy and I've even tarpitted it. I find it amusing that they only lectured me on the one port I specifically asked them NOT to open!

    I actually found that they'd opened TCP ports 22, 25, 80, 443 & 8383 on 10.3.48.4 together with a NAT from 62.171.195.12 to 10.3.48.4. This was after I discovered they had put in an outgoing rule to TCP port 80.
    Not only were these not requested, they also appear to breach the "security policy"...

    Originally posted by Tamarside:
        I get various responses, but most seem to centre on the "No, because it would place the whole SWGfL at risk" argument. My counter argument is that they tell us their network is secure and data flow directly between sites is not possible (even though we know it IS possible!).

    Though it doesn't appear to be the best of ideas that anything between sites tends to get SNATed to 62.171.194.161.
