JOEBOX-L Archives

Joebox User

JOEBOX-L@LISTS.MAINE.EDU

Subject:
From: Ray Soucy <[log in to unmask]>
Reply To: Joebox User <[log in to unmask]>
Date: Wed, 22 Dec 2010 16:44:21 -0500

A big "thank you" to the following schools.  It really helps us keep
things moving forward over break, hopefully testing goes well.

Noble High School
Mount View High School
Old Town High School
Lawrence High School

Upgrades went very smoothly with the exception of Lawrence (which had
a unique configuration that would have broken with the current 10.x
live software updates, anyway), but we got it figured out (sorry about
that, Brad).

Ray

On Wed, Dec 22, 2010 at 11:24 AM, Ray Soucy <[log in to unmask]> wrote:
> Greetings, All.
>
> The new release of Joebox software from MECnet is finally looking like
> it's at a point where we can start doing production testing.
>
> We're still calling this a "beta" until we've verified that it is
> working well in a production K12 environment; so ideally we're looking
> for sites that are willing to work with us to troubleshoot and resolve
> any issues that come up due to the upgrade.
>
> If you're interested in being a "beta tester" for the new release,
> please drop me a note.
> Disclaimer: There will be a limited number of sites that get the beta
> software, so you may or may not get included.
>
> Here is a summary of what has changed in the new release.  As you can
> see there are a lot of major changes, so we may run into bugs that
> weren't caught in internal testing.
>
> FIREWALL ENGINE
>
> The JB Firewall Engine has been re-written.  The new engine
> dynamically adds, modifies, and removes rules without flushing and
> re-creating the entire policy (which is how the current version
> operates).  This should improve stability and make minor changes to
> the Joebox less disruptive to production traffic.
>
> Firewall groups and rules can now be ordered in the web UI.  The
> Joebox will now correctly respect ordering.  This resolves issues for
> sites using multiple groups.
>
> The Linux kernel used by the system has been upgraded to the long-term
> stable development tree (2.6.32).
>
> Additional kernel tuning to provide better support for large networks.
>
> Firewall rules now allow for ICMP protocol and type to be specified.
>
> SMTP filtering now provides an internal ACL field for IP addresses or
> networks that should be allowed to make outgoing SMTP connections.
>
> Policy Engineering for Low, Medium, and High policy levels has been
> re-worked.  The new policy will allow for rules to correctly filter
> between internal networks.
>
> WEB FILTERING
>
> MECguard has been upgraded to a new major version.  The new version of
> MECguard no longer resets active connections when changes are applied,
> making changes less disruptive.
>
> The TLD list has been replaced with global Allow and Block lists;
> which now works.  This makes the user interface a little more
> intuitive.
>
> A "soft allow" list has been added to ignore URLs that would be
> otherwise blocked as part of a filter category, but not be globally
> allowed (e.g. these sites will still go through the standard checks).
> For example, "youtube.com" is in the "Pornography" category list.  You
> likely wouldn't want to allow youtube.com as that would allow any
> request to the site without making any checks.  The soft allow removes
> youtube.com from the category list, but still allows for more
> fine-grain blocking via RTF or URL lists, for example blocking
> "youtube.com/signin" but not blocking all of youtube.com.
>
> RTF now correctly checks all keywords.  This fixes an obscure bug
> where some keywords would be checked and others would not be.  For
> example, the keyword "soucy" would always be ignored by RTF in the
> previous release.
>
> MECguard is now more respectful of filter groups.  For example, blocks
> triggered by RTF will only be applied to the group that the block was
> triggered on.  Like the firewall engine, group order displayed is now
> respected by the system.  Group-level options to use global URL lists
> and RTF are correctly respected.
>
> MECguard performance has been improved.
>
> MECguard now makes use of 192.0.0.1 as its override login address
> instead of 172.31.255.1 which was a conflict for some networks.  The
> old address will remain valid until the next release to provide time
> to update block pages.
>
> A button to reset the MECguard block page to the system default has
> been added in the event you want to revert from a custom block page.
>
> MECguard access logs now correctly export.
>
> MECguard "top sites" log is now broken down by group.
>
> MECguard log viewer now includes a date widget.
>
> SECURE WEB FILTERING
>
> Major change here: MECguard SSL is now a proxy-based solution rather
> than a transparent one.  This means that in order to use MECguard SSL
> the system or browser will need to be configured to do so.  It also
> means, however, that MECguard will be able to block SSL websites by
> hostname and log requests without generating SSL certificate errors
> for allowed sites.
>
> A group-level "Force MECguard SSL" checkbox has been added which
> redirects any non-proxy HTTPS traffic for the group to a block page
> explaining that HTTPS is disabled unless using a proxy.  MECguard SSL
> can still be used without blocking non-proxy traffic if the option is
> not checked.
>
> The Joebox provides an automatic proxy configuration script at the URL
> "http://192.0.0.1/wpad.dat"; this script includes the necessary
> exceptions to not filter private networks, and only direct HTTPS
> requests to the proxy server (also at 192.0.0.1).
>
> For browsers to auto-discover the proxy configuration URL, you can
> create a DNS record for wpad.domain (where domain is whatever domain
> name you assign to your hosts) which points to 192.0.0.1.  If using
> the Joebox as your DNS server in local mode (private IP addressing)
> the "wpad.local" DNS record will correctly respond without additional
> configuration.  Sites using their own DNS server and a domain name
> other than local will need to manually create the DNS record.
>
> Client systems may need to have automatic configuration enabled under
> Internet settings for WPAD to work.
>
> Sites running their own DHCP server may be able to provide the WPAD
> configuration URL using DHCP (we believe the DHCP method is Windows
> only).
>
> SYSTEM
>
> Reminder messages have been added reminding you to save your
> configuration if changes have been made, and to reboot your Joebox if
> software has been upgraded.
>
> Fix for a memory leak in UI causing load average to slowly rise.
>
> Local-mode DHCP server now correctly includes the "authoritative;"
> statement and will force clients to request a new lease if they
> attempt to renew an invalid lease.  This was causing significant
> address assignment problems for hosts that roam between different
> networks (such as wireless).
>
> System kernel has been upgraded to a more actively developed and
> maintained tree.
>
> --
> Ray Soucy
>
> Epic Communications Specialist
>
> Phone: +1 (207) 561-3526
>
> Networkmaine, a Unit of the University of Maine System
> http://www.networkmaine.net/
>



-- 
Ray Soucy

Epic Communications Specialist

Phone: +1 (207) 561-3526

Networkmaine, a Unit of the University of Maine System
http://www.networkmaine.net/
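
A proxy auto-configuration script with the behaviour the message describes for wpad.dat (private networks bypassed, only HTTPS sent to the proxy at 192.0.0.1), as an added example that is not part of the original message and is not the Joebox's own script. Assumptions: the proxy port 3128 is a placeholder (the message gives only the address), unqualified host names are treated as internal, and only literal IPv4 addresses are range-checked so the script never triggers a DNS lookup.

```javascript
// Added example, not the Joebox's wpad.dat. Written in ES3 style so that
// older PAC engines can parse it as well as a modern runtime.
// Assumption: port 3128 is a placeholder; the message names only 192.0.0.1.
var PROXY = "PROXY 192.0.0.1:3128";

// Private and local IPv4 ranges that must bypass the proxy.
var BYPASS_NETS = [
  ["10.0.0.0", 8], ["172.16.0.0", 12], ["192.168.0.0", 16],
  ["127.0.0.0", 8], ["169.254.0.0", 16]
];

// Dotted quad -> unsigned 32-bit integer, or null if host is not an IPv4 literal.
function ipv4ToInt(host) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  var n = 0;
  for (var i = 1; i <= 4; i++) {
    var octet = parseInt(m[i], 10);
    if (octet > 255) return null;
    n = n * 256 + octet;
  }
  return n;
}

// True if the integer address ip falls inside base/bits.
function inNet(ip, base, bits) {
  var mask = (~0 << (32 - bits)) >>> 0;
  return ((ip & mask) >>> 0) === ((ipv4ToInt(base) & mask) >>> 0);
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Assumption: names without a dot are internal hosts.
  if (host.indexOf(".") === -1) return "DIRECT";
  // The Joebox address itself (block page, wpad.dat) is never proxied.
  if (host === "192.0.0.1") return "DIRECT";
  var ip = ipv4ToInt(host);
  if (ip !== null) {
    for (var i = 0; i < BYPASS_NETS.length; i++) {
      if (inNet(ip, BYPASS_NETS[i][0], BYPASS_NETS[i][1])) return "DIRECT";
    }
  }
  // Only HTTPS is directed to the proxy; everything else goes direct.
  if (url.substring(0, 6).toLowerCase() === "https:") return PROXY;
  return "DIRECT";
}
```

Because clients fetch this script over plain HTTP from a name found through DNS or DHCP, it is worth confirming on a client that the wpad record resolves only to 192.0.0.1 and that the served script matches what the appliance is expected to hand out.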
