JOEBOX-L Archives

Joebox User

JOEBOX-L@LISTS.MAINE.EDU

Subject:
From: Ray Soucy <[log in to unmask]>
Reply To: Joebox User <[log in to unmask]>
Date: Mon, 4 Oct 2010 15:30:51 -0400
Content-Type: text/plain
Parts/Attachments: text/plain (155 lines)

I wanted to drop everyone a note on some Joebox issues that we have
been working with MECnet (the vendor) to resolve.

I apologize in advance for the length of this email; apparently there
is a lot to talk about. ;-)




Restarting the Firewall or MECguard service will cause a brief but
noticeable outage.  This is a design oversight in the way the services
were implemented; we have identified the cause and MECnet is working
to re-engineer these services.  The updates are in testing now, but
give us a few weeks before we roll them out to make sure nothing
breaks.

For now, the work-around is to wait until the end of the day to
restart MECguard or the Firewall if it's possible to minimize its
impact.




Many of you have called in with reports of problems accessing specific
websites.  Like the old Bess filter, MECguard is implemented as a
transparent HTTP proxy service.  This does indeed break the occasional
website.  The solution is to direct traffic around the proxy service
so it never gets intercepted at all.  This can be done using the "Web
Filter" section of the Firewall.

For example, if you wanted to bypass filtering for the website at
130.111.32.130 (networkmaine.net) you could add a new Web Filter rule
with the following settings:

Enable: Yes
Description: networkmaine.net
Rule Type: Don't Filter Destination
Source Type: Firewall Group
Group: Everyone Else
Destination Type: IP/Hostname
IP/Hostname: 130.111.32.130




Another common request is to block access to Facebook, as students
quickly figure out that they can use HTTPS (which isn't filtered) in
place of HTTP.

To do this, we can create a few Closed Ports rules in the Firewall and
block HTTPS to the IP addresses used by Facebook.

The two IP networks currently used by Facebook appear to be
"66.220.144.0/20" and "69.63.176.0/20".  Note that this may change
every now and then if Facebook starts using more addresses.

Here we would create two "Closed Ports" rules (one for each network)
in the Firewall; below is an example of the settings for one of them.

Enable Closed Port: Yes
Description: Facebook
Rule Chain: FORWARD
Source Type: Firewall Group
Group: LAN
Destination Type: IP/Hostname
IP/Hostname: 66.220.144.0/20
Protocol: TCP
Port to be Closed: 443

Based on your policy, you may decide to block Facebook specifically,
or SSL outright for everyone in a certain group.

Any rules created in the "Open Ports" section of the Firewall are
evaluated first.  So if you wanted to give a specific group, for
example "Teachers" unrestricted access to SSL websites (including
Facebook) you could create an Open Port rule in the firewall to let
that group through.  Here is an example:

Enable Open Port: Yes
Description: Allow SSL for Teachers
Rule Chain: FORWARD
Source Type: Firewall Group
Group: Teachers
Destination Type: Firewall Group
Group: Everyone Else
Protocol: TCP
Port to be Opened: 443




As always if you need assistance in setting this up, feel free to
contact the Support Desk.




Lastly, the current software available through software update is
looking stable, and resolves a series of issues that have been around
since the start of the school year.

The support desk has been working with sites to upgrade everyone.  If
you are experiencing problems aside from the Firewall and MECguard
restart issue mentioned above, you may want to call in and set up a
time to upgrade your software.

These updates (mostly) provide:

Fix for routing engine so it is not dropping its default route when
the firewall is restarted.

Fix for UI bug that broke open or closed ports firewall rules if the
protocol was set to "all".

Fix for MECguard memory leak causing performance issues.

Added automated nightly remote backup of configuration to Networkmaine
(we keep the last 7 days of configuration backups).

Minor UI fixes to correctly display service status.

System kernel changes to handle networks larger than 512 addresses
without causing performance issues.




If you have been experiencing problems not addressed here I would like
to hear from you (off-list) so we can take a look at your setup.

The majority of the time that users are having a terrible experience
with the Joebox turns out to be something easily corrected by making a
configuration change.

I'd also like to thank everyone, especially those of you who were
unlucky enough to test some of the less-than-stable software updates
leading up to this batch, for being patient as we work with MECnet to
improve the Joebox for use in Maine schools.

If you would like to share your questions, comments, joy, or
frustration with us in person, a few of us from Networkmaine will be
around at this year's ACTEM conference next week.  I'll be giving a
Joebox session there on the 14th, so if you haven't signed up yet, you
might want to take a look.

-- 
Ray Soucy

Epic Communications Specialist

Phone: +1 (207) 561-3526

Networkmaine, a Unit of the University of Maine System
http://www.networkmaine.net/
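The rule-ordering described in the message (Open Ports rules are evaluated before Closed Ports rules, and HTTP that gets through is intercepted by the transparent MECguard proxy unless a "Don't Filter Destination" rule covers the destination) is easy to get wrong when several groups overlap. The following is an added, constructed model of that evaluation order using the exact rules from the email; it is not Joebox or MECnet code. The group address ranges, the "Everyone Else" destination as 0.0.0.0/0, and the default-allow for unmatched FORWARD traffic are assumptions.

```python
"""Constructed model of the Joebox FORWARD-chain rule order from the email:
Open Ports first, then Closed Ports, then (assumed) forward by default.
Allowed TCP/80 is handed to the transparent proxy unless the destination
is covered by a 'Don't Filter Destination' Web Filter rule."""
import ipaddress

# Firewall groups modelled as source networks (addresses are constructed;
# Teachers deliberately sits inside LAN so both rule sets can match).
GROUPS = {
    "Teachers": ipaddress.ip_network("10.0.1.0/24"),
    "LAN": ipaddress.ip_network("10.0.0.0/16"),
}
# Rules from the email as (source group, destination network, proto, port).
OPEN_PORTS = [("Teachers", "0.0.0.0/0", "TCP", 443)]   # "Everyone Else"
CLOSED_PORTS = [("LAN", "66.220.144.0/20", "TCP", 443),
                ("LAN", "69.63.176.0/20", "TCP", 443)]
# Web Filter "Don't Filter Destination" rule for networkmaine.net.
DONT_FILTER = [ipaddress.ip_network("130.111.32.130/32")]

def _matches(rule, src, dst, proto, port):
    group, dst_net, r_proto, r_port = rule
    return (ipaddress.ip_address(src) in GROUPS[group]
            and ipaddress.ip_address(dst) in ipaddress.ip_network(dst_net)
            and proto == r_proto and port == r_port)

def forward_decision(src, dst, proto, port):
    """Return 'allow' or 'block' for one flow in the FORWARD chain."""
    for rule in OPEN_PORTS:            # Open Ports are evaluated first
        if _matches(rule, src, dst, proto, port):
            return "allow"
    for rule in CLOSED_PORTS:          # then Closed Ports
        if _matches(rule, src, dst, proto, port):
            return "block"
    return "allow"                     # assumption: unmatched traffic is forwarded

def flow_path(src, dst, proto, port):
    """'block', 'proxy' (intercepted by MECguard) or 'direct' (not filtered)."""
    if forward_decision(src, dst, proto, port) == "block":
        return "block"
    if proto == "TCP" and port == 80:  # transparent HTTP proxy
        if any(ipaddress.ip_address(dst) in net for net in DONT_FILTER):
            return "direct"            # bypassed by the Web Filter rule
        return "proxy"
    return "direct"                    # HTTPS and other traffic is not filtered
```

A student on the LAN reaching a Facebook address on 443 is blocked, while a teacher on the same LAN passes because the Open Ports rule wins; HTTP to the same address still goes through the proxy, and HTTP to 130.111.32.130 bypasses it.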
