Windows Thread, Web Filtering in Technical; Just wondering if it is possible to set a setting so that only Teachers under the group policy of active ...
13th May 2008, 08:09 AM #1
- Rep Power
Just wondering if it is possible to set a setting so that only Teachers under the group policy of active directory can access the google search engine?
we have webfiltering which is provided by our ISP Synetrix and i can do the filtering myself but that means everyone will stop having access to Google.
Is this possible at all or not?
13th May 2008, 08:16 AM #2
the only thing you can do is either set the staff gpo to have the home page of google but if you just wanted to stop the kids from going onto the internet net you could set an application policy on the hash value of the IE to stop opening which would stop the kids from accesing the internet at our school we use impero which is really good becuase we can turn off the internet too either the room or to the pupil them selfs. or you say give them links that only you allow very customizable
13th May 2008, 08:43 AM #3
If you wanted to block a site from one group and not another, the best way to do it is with a webfilter but you say yours only does its webfiltering on everyone. Dunno if its worth asking your ISP if the webfilter can filter by group in AD, if not maybe get a filter that will do what you want. If you want a paid version then Smoothwall Guardian can work or if you dont want to pay for it then you could create a nix box with dansguardian, squid etc.
13th May 2008, 08:48 AM #4
Indeed - if your LEA level filtering isn't tied to your AD - which seems to be the usual way, a 3rd party filter is probably the best way round this.
13th May 2008, 08:53 AM #5
- Rep Power
One way is to have one OU (of users) to go through one proxy and the other through a different. You can have 2 proxys going, even on one box.
Also a better way imo - you can use dansguardian/smoothwall etc. and use Ident if req. on machines so that you can then add exceptions on the filter to allow certain users through.
Or find a windows AD solution..
Last edited by blacksheep; 15th May 2008 at 08:58 AM.
13th May 2008, 08:15 PM #6
I am not 100% sure of how you are using the RBC filtering so i will quickly run through the options for you with EMBC.
You can have it so that no one logs in and they get a standard level of filtering ... using Netsweeper as a transparent proxy.
You can have everyone login in and then put people into different groups (this is usually referred to as Portal Controlled Filtering, or PCF). For here you can put people who are students in a group (eg group2) and stop them from having access to the Google search engine, whilst you have staff in a group (eg group3) and they have access to Google. I would then also have 2 other groups ... group1 is the admins ... the important people that need access to lots of things and then group 4 is for those you want to be uber-filtered.
Controlling what policies apply to these group means that you need to be able to log in to Netsweeper ... this is called Local Control of Filtering.
The present admin tool, the WAT, cannot stick people into these groups at the moment so it is a support call I am afraid. It is going to be a but longer before you can do it directly with the support tool. I don't have a time frame I can give out right now.
I hope this helps
13th May 2008, 08:37 PM #7
So I take it single sign on is out of the equation? The user, when he/she logs into the network the AD account is not good enough and they have to log into the portal for proper use of web filtering??
Originally Posted by GrumbleDook
13th May 2008, 08:52 PM #8
SSO for LAN login will be worked on but I don't have details on the times on it yet. I know that there is a pilot project and it relies on agreeing to the standard network build, but I don't know where we are with that yet.
I'll drop an email to EMBC and feed back as soon as I can.
14th May 2008, 08:16 AM #9
i dont know if you have heard of them but web sense is a good one and i know you can have one of their servers which sit at your site and that ties to AD
14th May 2008, 08:47 AM #10
I think if the NetSweeper or which ever filtering system EMBC uses if its compatiable with Shibbeloth then there is a potential for this to happen otherwise its a bit of pain for the the users to login.
Originally Posted by GrumbleDook
14th May 2008, 08:59 AM #11
A bit about the authentication process within RBCs ...
RBCs are the Regional Identity Provider (Regional IdP) and they are slowly coming over the the UK Access Management Federation. Services they make available to schools are meant to be tied in with a single login to their central Directory Service.
In EMBC this is a regional AD. This is already hooked into Netsweeper so that as you log into the Sharepoint based gateway you can access files are resources you have permissions to see, but also have your filtering level set for using Netsweeper (if you school is using PCF).
The key is to hook in to the Regional AD and there are mechanisms in place for this already. IIRC it had been tested under Fujitsu already. Other services, such as compliant VLEs, can also hook in to this as an authentication service as long as they meet the correct standards, which are those set out under UKAMF.
Presently in Northants we are working with both LP+ and Synetrix to get this sorted, and other LAs may vary (slightly dependent on things like BSF, whether your LA has opted for a single VLE / Learning Platform / MLE and whether your school is based on the standard network build).
I have asked for clarification about it and hopefully I will get that on Friday afternoon. People may wish to contact their LA directly to see if they have any news. Please remember that presently this forum is not a substitute for direct contact with your LA about EMBC (except perhaps Northants, but it should be done through official channels ... if nothing else so they know I am actually doing some work and not just reading forums ... erm ...)
14th May 2008, 09:46 AM #12
I now have an answer ...
There are likely to be two methods for this ... the first is LAN Login which is being piloted in June. I don't have the methodology behind it to hand but I believe there is an agent that sits between your DS and the EMBC DS ... I will feed back once the pilot is started.
The second is ADI (Active Directory Intergration) which ... erm ... integrates directly with your AD ... this is a difficult one as things can go pear-shaped and can cause problems in your local AD ... so this one will be done very carefully and will not be rushed.
I hope this helps clear things up.
By Steve500 in forum Wireless Networks
Last Post: 9th May 2008, 06:46 PM
By Sunderwood in forum How do you do....it?
Last Post: 23rd April 2008, 11:27 AM
By ltunstall in forum Network and Classroom Management
Last Post: 14th April 2008, 06:08 PM
By SpuffMonkey in forum How do you do....it?
Last Post: 17th May 2006, 09:10 PM
By pooley in forum Windows
Last Post: 1st April 2006, 12:16 PM
Users Browsing this Thread
There are currently 1 users browsing this thread. (0 members and 1 guests)