Just wondering if it is possible to set a setting so that only teachers under the group policy of Active Directory can access the Google search engine?
We have web filtering which is provided by our ISP Synetrix and I can do the filtering myself but that means everyone will stop having access to Google.
Is this possible at all or not?
The only thing you can do is either set the staff GPO to have the home page of Google, but if you just wanted to stop the kids from going onto the internet you could set an application policy on the hash value of IE to stop it opening, which would stop the kids from accessing the internet. At our school we use Impero, which is really good because we can turn off the internet either to the room or to the pupils themselves, or you can, say, give them links that only you allow. Very customizable.
If you wanted to block a site from one group and not another, the best way to do it is with a web filter, but you say yours only does its web filtering on everyone. Dunno if it's worth asking your ISP if the web filter can filter by group in AD; if not, maybe get a filter that will do what you want. If you want a paid version then Smoothwall Guardian can work, or if you don't want to pay for it then you could create a nix box with DansGuardian, Squid etc.
Indeed - if your LEA level filtering isn't tied to your AD - which seems to be the usual way, a 3rd party filter is probably the best way round this.
One way is to have one OU (of users) go through one proxy and the other through a different one. You can have 2 proxies going, even on one box.
Also a better way imo - you can use dansguardian/smoothwall etc. and use Ident if req. on machines so that you can then add exceptions on the filter to allow certain users through.
Or find a windows AD solution..
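The two-proxies-on-one-box idea from the post above, sketched as a Squid configuration fragment. This is an added example, not part of the original thread; the port numbers, the address range and the domain list are assumptions, and a GPO on each OU is assumed to set the browser proxy to the matching port.

```conf
# squid.conf fragment (constructed example; ports, range and domains are assumptions)
# One Squid instance, two listening ports:
#   staff OU GPO    -> proxy port 3128
#   student OU GPO  -> proxy port 3129
http_port 3128 name=staff
http_port 3129 name=students

# Match a request by the listening port it arrived on.
acl staff_port    myportname staff
acl student_port  myportname students

# Assumed internal address range for the school network.
acl localnet      src 10.0.0.0/8

# Domains to withhold from students (leading dot also matches subdomains).
acl google_search dstdomain .google.com .google.co.uk

# Students: refuse the search engine, allow everything else.
# The upstream ISP filter still applies to what is allowed here.
http_access deny  student_port google_search
http_access allow student_port localnet

# Staff: no extra restriction from this proxy.
http_access allow staff_port localnet

# Anything not matched above is refused.
http_access deny all
```

The listening port is only a routing choice, not an identity check, so this layout needs to be paired with proxy authentication or a per-room source-address restriction if the split has to be enforced rather than merely configured.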
I am not 100% sure of how you are using the RBC filtering so I will quickly run through the options for you with EMBC.
You can have it so that no one logs in and they get a standard level of filtering ... using Netsweeper as a transparent proxy.
You can have everyone log in and then put people into different groups (this is usually referred to as Portal Controlled Filtering, or PCF). For here you can put people who are students in a group (e.g. group2) and stop them from having access to the Google search engine, whilst you have staff in a group (e.g. group3) and they have access to Google. I would then also have 2 other groups ... group1 is the admins ... the important people that need access to lots of things, and then group4 is for those you want to be uber-filtered.
Controlling what policies apply to these groups means that you need to be able to log in to Netsweeper ... this is called Local Control of Filtering.
The present admin tool, the WAT, cannot stick people into these groups at the moment so it is a support call I am afraid. It is going to be a bit longer before you can do it directly with the support tool. I don't have a time frame I can give out right now.
I hope this helps
So I take it single sign on is out of the equation? The user, when he/she logs into the network the AD account is not good enough and they have to log into the portal for proper use of web filtering??
Originally Posted by GrumbleDook
SSO for LAN login will be worked on but I don't have details on the times on it yet. I know that there is a pilot project and it relies on agreeing to the standard network build, but I don't know where we are with that yet.
I'll drop an email to EMBC and feed back as soon as I can.
I don't know if you have heard of them but Websense is a good one, and I know you can have one of their servers which sits at your site and that ties to AD.
I think if NetSweeper, or whichever filtering system EMBC uses, is compatible with Shibboleth then there is a potential for this to happen; otherwise it's a bit of a pain for the users to log in.
Originally Posted by GrumbleDook
A bit about the authentication process within RBCs ...
RBCs are the Regional Identity Provider (Regional IdP) and they are slowly coming over to the UK Access Management Federation. Services they make available to schools are meant to be tied in with a single login to their central Directory Service.
In EMBC this is a regional AD. This is already hooked into Netsweeper so that as you log into the SharePoint-based gateway you can access files and resources you have permissions to see, but also have your filtering level set for using Netsweeper (if your school is using PCF).
The key is to hook in to the Regional AD and there are mechanisms in place for this already. IIRC it had been tested under Fujitsu already. Other services, such as compliant VLEs, can also hook in to this as an authentication service as long as they meet the correct standards, which are those set out under UKAMF.
Presently in Northants we are working with both LP+ and Synetrix to get this sorted, and other LAs may vary (slightly dependent on things like BSF, whether your LA has opted for a single VLE / Learning Platform / MLE and whether your school is based on the standard network build).
I have asked for clarification about it and hopefully I will get that on Friday afternoon. People may wish to contact their LA directly to see if they have any news. Please remember that presently this forum is not a substitute for direct contact with your LA about EMBC (except perhaps Northants, but it should be done through official channels ... if nothing else so they know I am actually doing some work and not just reading forums ... erm ...)
I now have an answer ...
There are likely to be two methods for this ... the first is LAN Login which is being piloted in June. I don't have the methodology behind it to hand but I believe there is an agent that sits between your DS and the EMBC DS ... I will feed back once the pilot is started.
The second is ADI (Active Directory Integration) which ... erm ... integrates directly with your AD ... this is a difficult one as things can go pear-shaped and can cause problems in your local AD ... so this one will be done very carefully and will not be rushed.
I hope this helps clear things up.