
Posted

There were quite a few updates today for schoolguardian but not the dual proxy feature I was hoping for, is this coming out soon or have I just missed the feature and it's hidden somewhere?

 

main : Update 18

 

  • New - Improved concurrency handling when running multiple database scrapers
  • New - Improved database performance and resilience
  • Ref 1144 - failback mode has been made more robust
  • Ref 1145 - an issue with log rotation on slave machines has been resolved
  • Ref 1300 - an issue with portal log rotation has been resolved
  • Ref 1307 - memory resource management when restoring database backups has been improved
  • Ref 1343 and 1344 - potential issues with updates to the meta table during database transactions have been resolved
  • Ref 1362 - global HTTPD directories are no longer listable
  • Ref 1375 - an issue when blocking a network range of destination IPs has been resolved
  • Ref 1393 - a compatibility issue between the SmoothWall-SSL-OpenVPN client and Windows 7 has been resolved
  • Ref 1434 - traffic graph images are now included in emailed reports
  • Ref 1476 - new option "Retain Database logs" available on the information > logs > log settings page enables better troubleshooting
  • Ref 1477 - unnecessary messages are no longer displayed on the console when restarting the database
  • Ref 1533 - a page display issue in Internet Explorer 8 has been resolved
  • Ref 1613 - advanced warning of high disk usage has been added to the UI
  • Ref 1719 - a data issue, after restoring a database, has been resolved
  • Ref 1721 - the information message displayed when restoring a database has been improved
  • Ref 1723 - the progress bar displayed when restoring a database has been improved
  • Ref 1801 - an issue with exceptionally long URLs has been resolved

Released: Tue May 4 09:25:00 2010

 

main : Update 19

 

 

This update includes, addresses or resolves the following:

  • Ref 1878 - reduce the use of fallback mode when importing log lines

Released: Tue May 4 09:25:00 2010

 

 

guardian : Update 21

This update includes, addresses or resolves the following:

  • Ref 1878 - reduce the use of fallback mode when importing log lines
  • Ref 1945 - an issue relating to log import and long URLs has been resolved

Released: Tue May 4 09:25:00 2010

 

guardian : Update 20

This update includes, addresses or resolves the following:

  • Ref 464 - an issue when validating custom-added domains has been resolved
  • Ref 1136 - HTTPS interception security has been enhanced
  • Ref 1196 - information now displayed for invalid HTTPS interception certificates is more useful
  • Ref 1236 - regular expressions used in queries have been improved
  • Ref 1319 - an issue with the Time Spent Browsing report has been resolved
  • Ref 1330 - database insertions have been improved
  • Ref 1419 - an issue with search term reporting has been resolved
  • Ref 1435 - an issue with characters in database queries has been resolved
  • Ref 1436 - blocking ads in Flash videos has been improved
  • Ref 1486 - an issue with NTLM authentication and logged-in users has been resolved
  • Ref 1490 - the maximum content filter size has been increased to 1.5Mb
  • Ref 1513 - an intermittent error when inserting search terms in the database has been resolved

Released: Mon May 3 09:25:00 201

  • Thanks 1
Posted
This was the update "blocking" that release, which will be to a "select few" on Monday. Since you asked, you can be part of that :) especially as you are nearby (we like to start releases with those geographically close to one of our 3 offices).
Posted
This was the update "blocking" that release, which will be to a "select few" on Monday. Since you asked, you can be part of that :) especially as you are nearby (we like to start releases with those geographically close to one of our 3 offices).

 

Cool, how do I get it, do I need to sign my life away in blood or something?

Posted
what is the dual proxy feature?

 

It's supposed to be where you can point clients to different proxy ports so they authenticate differently, I am hoping I can keep all the domain machines using the NTLM crap and allow non-domain machines to use the SSL page.

Posted

Stuart - I'm assured wave1 will be out Monday. How rapidly wave2 and 3 get released depends on uptake in the first cohort, and successful migrations.

 

Mid to late next-week I should hope to be in a position to offer it to people in real need of the functionality, presuming wave1 went ok.

 

I do apologise for the repeated delays in Auth3 - the sales folk are pretty irritated with me :) Some of these delays are natural slippage, but about 3 weeks was because we rearranged another project unexpectedly.

 

This project was the integration of a new anti-malware engine, which should boost your protection against all sorts of nasty web exploits: SmoothWall Steps Up Malware Protection with Sunbelt Software's VIPRE - VIPRE includes Windows executable and JavaScript emulation to protect against 0-days, and will be out in June/July.

Posted

I'm waiting to find out if we are gonna renew

Complicated here cos we are due to move to RM in September a la BSF, but allegedly we can keep our own network!

So need to sort out what licences we need to renew

Posted (edited)
Stuart - I'm assured wave1 will be out Monday. How rapidly wave2 and 3 get released depends on uptake in the first cohort, and successful migrations.

 

Mid to late next-week I should hope to be in a position to offer it to people in real need of the functionality, presuming wave1 went ok.

 

Cheers. I've just put all the latest updates on and it seems OK. :)

I think I've just worked out how to blag the NTLM ident for two domains (luckily domain 2 is only about 20 users) but I'm hoping the new Auth3 will do it better. Might hold off making any changes until next week then if the updates are that close.

Edited by Stuart_C
Posted

@Gatt - the more people moaning at RM that they want to keep their smoothies the better... we are trying to befriend 'em :)

 

@Stuart - ooh, do tell about your cunning blag, I always like those.

Posted

It's not that cunning....

Smoothie looks at my Academic domain (500+ users) but obviously can't look at my Admin domain (20ish users). Basically as I'm only using NTLM Ident all I need to do is create some user accounts in my Academic domain with the same name as the Admin domain users. Put them in a domain group and then map it to a new smoothie group. This does seem to work for my test user. The downside is that I can't use NTLM Auth as the passwords don't match.

 

I could easily script the whole user creation process using DSADD.exe but as you say we might be getting the new auth in the next two weeks I'm tempted not to bother and see what options I have with that when it's released.

  • Thanks 1
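The name-only matching that the post above relies on, shown as an added example that is not part of the original thread and not Smoothwall's code: it reads the domain and user name a client claims in an NTLM Type 3 message and compares a bare-name group lookup with one that also checks the claimed domain. The directory contents, the `jsmith` account, the domain names and the assumption that identification resolves the bare user name are all constructed for illustration.

```python
import struct

SIG = b"NTLMSSP\x00"
UNICODE = 0x00000001  # NTLMSSP_NEGOTIATE_UNICODE

def sample_type3(domain, user, workstation="PC01"):
    """Constructed sample Type 3 (AUTHENTICATE) message; responses left empty."""
    fields = [b"", b"", domain.encode("utf-16-le"), user.encode("utf-16-le"),
              workstation.encode("utf-16-le"), b""]  # LM, NT, domain, user, host, key
    header, payload, offset = b"", b"", 64  # 8 sig + 4 type + 6*8 buffers + 4 flags
    for data in fields:
        header += struct.pack("<HHI", len(data), len(data), offset)
        payload += data
        offset += len(data)
    return SIG + struct.pack("<I", 3) + header + struct.pack("<I", UNICODE) + payload

def parse_type3(msg):
    """Return the domain and user name the client claims in a Type 3 message."""
    if len(msg) < 64 or msg[:8] != SIG or struct.unpack_from("<I", msg, 8)[0] != 3:
        raise ValueError("not an NTLM Type 3 message")
    flags = struct.unpack_from("<I", msg, 60)[0]
    enc = "utf-16-le" if flags & UNICODE else "cp437"

    def field(pos):
        length, _maxlen, off = struct.unpack_from("<HHI", msg, pos)
        if off + length > len(msg):
            raise ValueError("security buffer points outside the message")
        return msg[off:off + length]

    return {"domain": field(28).decode(enc), "user": field(36).decode(enc),
            "nt_response_len": len(field(20))}

# Hypothetical directory: the only domain the filter can query, with its group mapping.
ACADEMIC_DIRECTORY = {"jsmith": "admin-staff", "pupil01": "pupils"}
VISIBLE_DOMAIN = "ACADEMIC"

def group_by_name_only(msg):
    """Ident-style lookup (assumed): bare user name, claimed domain ignored."""
    return ACADEMIC_DIRECTORY.get(parse_type3(msg)["user"].lower(), "default")

def group_domain_checked(msg):
    """Stricter lookup: the claimed domain must be the one the directory serves."""
    claim = parse_type3(msg)
    if claim["domain"].upper() != VISIBLE_DOMAIN:
        return "default"
    return ACADEMIC_DIRECTORY.get(claim["user"].lower(), "default")
```

With the bare-name lookup, a same-named account in either domain lands in the same group; neither lookup validates the NTLM response, which is the difference between identification and authentication.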
Posted

Could someone describe what Auth3 is?

We had issues with NTLM and moved to forcing teachers to log in via the SSL portal - which didn't go down well.

Having a new Auth method available which didn't require a manual user authentication step (as long as it worked without issues like experienced with NTLM) would be fantastic.

 

PS - I have had a conversation with RM about content filtering for our new school project, and was actually told they were in discussions with Smoothwall with a view to offering that as an alternative to Smartcache!

  • Thanks 1
Posted (edited)

@mb... Keep asking. It helps. I'll owe you a beer* :)

 

Auth3.. the lowdown (brief version):

* multi domain - talk to multiple, distinct auth servers

* better diags

* multi-auth method - "use NTLM for these PCs, SSL for others"

* more reliability

* much quicker

* easier to configure

* tree-view of ADs

* group "priority"

* single-user groups

 

There are no new "methods", but these have been allowed for, and we should see some toward year-end.

 

Would your SSL users appreciate a Java login app? That's something I am trying to get done...

 

* redeemable at BETT or edugeek conf of your choice

Edited by tom_newton
added new bits
  • Thanks 1
Posted

mmmmm..... Multi domain...

 

Oh Tom, can I ask for "Number of Concurrent Logins based on group membership" for some point in the future. It would be nice to limit my staff/pupils to 1 login and me and my techie to UNLIMITED!!!

  • Thanks 1
Posted

I think our users would appreciate not having to log on at all (like NTLM) to be honest.

I guess if NTLM just wasn't going to be a reliable option in future releases then a Java login app would at least be a step in the right direction (and hopefully remove the SSL error message?)

 

On the RM comment - My situation is quite unique... a complete new build outside of BSF / PFI. RM are contracted as our IT Framework Partners but working with me to design the overall solution. I stated to them fairly early on that we use Smoothwall for staff (currently not pupils) and it didn't seem an issue at all - in fact they were open about the fact they were looking at it themselves. I've since looked at the UTM product as we want complete firewall control in our new school too.

Posted
On the RM comment - My situation is quite unique... a complete new build outside of BSF / PFI. RM are contracted as our IT Framework Partners but working with me to design the overall solution. I stated to them fairly early on that we use Smoothwall for staff (currently not pupils) and it didn't seem an issue at all - in fact they were open about the fact they were looking at it themselves. I've since looked at the UTM product as we want complete firewall control in our new school too.

 

Sounds kinda similar to our position - we are contracted to move to RM as part of BSF, but due to us being the ONLY school in Salford running a fully fledged Windows 7 / 2008 R2 network, it has been agreed that we can keep our existing network and not have to buy into CC4 - guessing our network will need to be linked somehow to RM's (probably via a trust relationship of sorts (not yet privy to that info)).. So would make sense that we keep smoothwall as well as it's already part of our infrastructure...

Posted

I have to say... my historical opinion of RM couldn't be much lower (and my previous posts probably demonstrate that!), and I would still never move to their Connect products or overly rely on their support services.... but....

 

So far I have had a very good relationship with the team of business managers / infrastructure specialists and educational specialists they have assigned to our project.

The uniqueness (is that a word!?) of our situation meant we could dictate the kind of network we had from a very early point, and the decision was made to stick with our Vanilla approach which has worked well over the years. While I expected this to become a major issue, it really hasn't.

On issues like content filtering / firewall we have been able to specify what we want and they work with us to make it happen.

Your situation might be different because of the restrictions imposed by BSF, but I certainly wouldn't give up hope.

Posted

Just installed the Auth 3 thingy and... it doesn't like me.

 

I currently use NTLM (terminal compat mode), if I try and enable the second proxy it says

 

Error - NTLM can not be used in non-transparent mode when the second proxy port is enabled.

To use non-transparent NTLM, disable the second port.

To use NTLM with the second port, turn on the transparent proxying option on the guardian->proxy->web proxy page.

I don't want to enable transparent proxy or allow direct access so it looks like I can't use it :(

 

Error - "Block direct web access" and "Transparent" cannot be enabled at the same time

I suppose I was expecting too much, I've never had the block direct access unticked... isn't that a security risk?... weird

Posted
Just installed the Auth 3 thingy and... it doesn't like me.

 

I currently use NTLM (terminal compat mode), if I try and enable the second proxy it says

 

Error - NTLM can not be used in non-transparent mode when the second proxy port is enabled.

To use non-transparent NTLM, disable the second port.

To use NTLM with the second port, turn on the transparent proxying option on the guardian->proxy->web proxy page.

I don't want to enable transparent proxy or allow direct access so it looks like I can't use it :(

 

Error - "Block direct web access" and "Transparent" cannot be enabled at the same time

I suppose I was expecting too much, I've never had the block direct access unticked... isn't that a security risk?... weird

 

I'll check it out. This is likely due to needing to use the "transparent trick" in NTLM (we have 2 ways of authenticating with NTLM) - so there shouldn't be a requirement to actually transparently proxy anything (though it shouldn't hurt?).

 

Block direct is a bit of an ancient hangover from the past - you should be able to block direct access in the outgoing rules.

 

Let me chat to dev and I will see what I can find out.

Posted
Have to say that the box is really quick this morning after the updates. I have been looking at logs and they are miles quicker at updating than before.
  • Thanks 1
Posted

My colleagues are asking why you don't want transparent on - they rightly point out that you can bypass transparent for selected IPs if you wish - going transparent will not give users any more access than normal either (they will still get auth'd).

 

Other than that it may be a manual removal of iptables rules.

 

It should be pointed out that this is due to a limitation in Guardian - we can't do proxyntlm in 2auth mode - which will be going away in the major Guardian (as opposed to Auth) update later in the year. At that point we will be able to run as many differing auth schemes on as many ports as we like :)

 

Good to see that speed has improved too. We suspected oldauth as being something of a bottleneck, and you have also applied the new reporting stuffs which will speed things up.

Posted

Hi Tom,

 

That's a feature that would be really handy to our setup at Ash Hi. Is it possible we could have a look at that as well?

 

Cheers.
