JOEBOX-L Archives

Joebox User

JOEBOX-L@LISTS.MAINE.EDU

Subject:
From:
Seth Thompson <[log in to unmask]>
Reply To:
Joebox User <[log in to unmask]>
Date:
Fri, 14 Jan 2011 08:00:28 -0500
Content-Type:
multipart/alternative
Ray,

When do you expect to roll this out to other JoeBox sites?

Thanks,
Seth

On Wed, Dec 22, 2010 at 4:44 PM, Ray Soucy <[log in to unmask]> wrote:

> A big "thank you" to the following schools.  It really helps us keep
> things moving forward over break, hopefully testing goes well.
>
> Nobel High School
> Mount View High School
> Old Town High School
> Lawrence High School
>
> Upgrades went very smoothly with the exception of Lawrence (which had
> a unique configuration that would have broken with the current 10.x
> live software updates, anyway), but we got it figured out (sorry about
> that, Brad).
>
> Ray
>
> On Wed, Dec 22, 2010 at 11:24 AM, Ray Soucy <[log in to unmask]> wrote:
> > Greetings, All.
> >
> > The new release of Joebox software from MECnet is finally looking like
> > it's at a point where we can start doing production testing.
> >
> > We're still calling this a "beta" until we've verified that it is
> > working well in a production K12 environment; so ideally we're looking
> > for sites that are willing to work with us to troubleshoot and resolve
> > any issues that come up due to the upgrade.
> >
> > If you're interested in being a "beta tester" for the new release,
> > please drop me a note.
> > Disclaimer: There will be a limited number of sites that get the beta
> > software, so you may or may not get included.
> >
> >
> >
> >
> > Here is a summary of what has changed in the new release.  As you can
> > see there are a lot of major changes, so we may run into bugs that
> > weren't caught in internal testing.
> >
> > FIREWALL ENGINE
> >
> > The JB Firewall Engine has been re-written.  The new engine
> > dynamically adds, modifies, and removes rules without flushing and
> > re-creating the entire policy (which is how the current version
> > operates).  This should improve stability and make minor changes to
> > the Joebox less disruptive to production traffic.
> >
> > Firewall groups and rules can now be ordered in the web UI.  The
> > Joebox will now correctly respect ordering.  This resolves issues for
> > sites using multiple groups.
> >
> > The Linux kernel used by the system has been upgraded to the long-term
> > stable development tree (2.6.32).
> >
> > Additional kernel tuning to provide better support for large networks.
> >
> > Firewall rules now allow for ICMP protocol and type to be specified.
> >
> > SMTP filtering now provides an internal ACL field for IP addresses or
> > networks that should be allowed to make outgoing SMTP connections.
> >
> > Policy Engineering for Low, Medium, and High policy levels has been
> > re-worked.  The new policy will allow for rules to correctly filter
> > between internal networks.
> >
> > WEB FILTERING
> >
> > MECguard has been upgraded to a new major version.  The new version of
> > MECguard no longer resets active connections when changes are applied,
> > making changes less disruptive.
> >
> > The TLD list has been replaced with global Allow and Block lists;
> > which now works.  This makes the user interface a little more
> > intuitive.
> >
> > A "soft allow" list has been added to ignore URLs that would be
> > otherwise blocked as part of a filter category, but not be globally
> > allowed (e.g. these sites will still go through the standard checks).
> > For example, "youtube.com" is in the "Pornography" category list.  You
> > likely wouldn't want to allow youtube.com as that would allow any
> > request to the site without making any checks.  The soft allow removes
> > youtube.com from the category list, but still allows for more
> > fine-grain blocking via RTF or URL lists, for example blocking
> > "youtube.com/signin" but not blocking all of youtube.com.
> >
> > RTF now correctly checks all keywords.  This fixes an obscure bug
> > where some keywords would be checked and others would not be.  For
> > example, the keyword "soucy" would always be ignored by RTF in the
> > previous release.
> >
> > MECguard is now more respectful of filter groups.  For example, blocks
> > triggered by RTF will only be applied to the group that the block was
> > triggered on.  Like the firewall engine, group order displayed is now
> > respected by the system.  Group-level options to use global URL lists
> > and RTF are correctly respected.
> >
> > MECguard performance has been improved.
> >
> > MECguard now makes use of 192.0.0.1 as its override login address
> > instead of 172.31.255.1 which was a conflict for some networks.  The
> > old address will remain valid until the next release to provide time
> > to update block pages.
> >
> > A button to reset the MECguard block page to the system default has
> > been added in the event you want to revert from a custom block page.
> >
> > MECguard access logs now correctly export.
> >
> > MECguard "top sites" log is now broken down by group.
> >
> > MECguard log viewer now includes a date widget.
> >
> > SECURE WEB FILTERING
> >
> > Major change here: MECguard SSL is now a proxy-based solution rather
> > than a transparent one.  This means that in order to use MECguard SSL
> > the system or browser will need to be configured to do so.  It also
> > means, however, that MECguard will be able to block SSL websites by
> > hostname and log requests without generating SSL certificate errors
> > for allowed sites.
> >
> > A group-level "Force MECguard SSL" checkbox has been added which
> > redirects any non-proxy HTTPS traffic for the group to a block page
> > explaining that HTTPS is disabled unless using a proxy.  MECguard SSL
> > can still be used without blocking non-proxy traffic if the option is
> > not checked.
> >
> > The Joebox provides an automatic proxy configuration script at the URL
> > "http://192.0.0.1/wpad.dat", this script includes the necessary
> > exceptions to not filter private networks, and only direct HTTPS
> > requests to the proxy server (also at 192.0.0.1).
> >
> > For browsers to auto-discover the proxy configuration URL, you can
> > create a DNS record for wpad.domain (where domain is whatever domain
> > name you assign to your hosts) which points to 192.0.0.1.  If using
> > the Joebox as your DNS server in local mode (private IP addressing)
> > the "wpad.local" DNS record will correctly respond without additional
> > configuration.  Sites using their own DNS server and a domain name
> > other than local will need to manually create the DNS record.
> >
> > Client systems may need to have automatic configuration enabled under
> > Internet settings for WPAD to work.
> >
> > Sites running their own DHCP server may be able to provide the WPAD
> > configuration URL using DHCP (we believe the DHCP method is Windows
> > only).
> >
> > SYSTEM
> >
> > Reminder messages have been added reminding you to save your
> > configuration if changes have been made, and to reboot your Joebox if
> > software has been upgraded.
> >
> > Fix for a memory leak in UI causing load average to slowly rise.
> >
> > Local-mode DHCP server now correctly includes the "authoritative;"
> > statement and will force clients to request a new lease if they
> > attempt to renew an invalid lease.  This was causing significant
> > address assignment problems for hosts that roam between different
> > networks (such as wireless).
> >
> > System kernel has been upgraded to a more actively developed and
> > maintained tree.
> >
> > --
> > Ray Soucy
> >
> > Epic Communications Specialist
> >
> > Phone: +1 (207) 561-3526
> >
> > Networkmaine, a Unit of the University of Maine System
> > http://www.networkmaine.net/
> >
>
>
>
> --
> Ray Soucy
>
> Epic Communications Specialist
>
> Phone: +1 (207) 561-3526
>
> Networkmaine, a Unit of the University of Maine System
> http://www.networkmaine.net/
>



-- 
Seth H. Thompson
Technology Director
Regional School Unit No. 5
207-865-4706 x232
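
Added example, not part of the thread and not the Joebox's actual wpad.dat: a proxy auto-config script with the behaviour the quoted release notes describe (private networks bypass the proxy, only HTTPS requests go to the proxy at 192.0.0.1). The port number and the exception for unqualified hostnames are assumptions; the post states neither.

```javascript
// PAC sketch of the behaviour the post describes for http://192.0.0.1/wpad.dat.
var PROXY_HOST = "192.0.0.1";
var PROXY_PORT = 3128; // assumed placeholder: the post does not give a port

// Private (RFC 1918), loopback and link-local ranges as [network, netmask].
var PRIVATE_NETS = [
  ["10.0.0.0", "255.0.0.0"],
  ["172.16.0.0", "255.240.0.0"],
  ["192.168.0.0", "255.255.0.0"],
  ["127.0.0.0", "255.0.0.0"],
  ["169.254.0.0", "255.255.0.0"]
];

// Dotted-quad string -> unsigned 32-bit number, or null if not an IPv4 literal.
function ipv4ToInt(s) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  if (!m) return null;
  var n = 0;
  for (var i = 1; i <= 4; i++) {
    var octet = parseInt(m[i], 10);
    if (octet > 255) return null;
    n = n * 256 + octet;
  }
  return n;
}

// True when the IPv4 literal falls inside one of PRIVATE_NETS.
function inPrivateNet(ip) {
  var addr = ipv4ToInt(ip);
  if (addr === null) return false;
  for (var i = 0; i < PRIVATE_NETS.length; i++) {
    var mask = ipv4ToInt(PRIVATE_NETS[i][1]);
    if (((addr & mask) >>> 0) === ipv4ToInt(PRIVATE_NETS[i][0])) return true;
  }
  return false;
}

function FindProxyForURL(url, host) {
  // Only HTTPS is handed to the proxy; HTTP and everything else is untouched.
  if (url.substring(0, 6).toLowerCase() !== "https:") return "DIRECT";
  // Assumption: unqualified names and the proxy address itself stay direct.
  if (host.indexOf(".") === -1 || host === PROXY_HOST) return "DIRECT";
  // IP literals are checked as-is; names use the browser's dnsResolve if present.
  var ip = ipv4ToInt(host) !== null ? host
    : (typeof dnsResolve === "function" ? dnsResolve(host) : null);
  if (ip && inPrivateNet(ip)) return "DIRECT";
  return "PROXY " + PROXY_HOST + ":" + PROXY_PORT;
}
```

The old override address 172.31.255.1 falls inside 172.16.0.0/12, which is why it could collide with a site's own addressing, while 192.0.0.1 is outside every range in the list.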

