JOEBOX-L Archives

Joebox User

JOEBOX-L@LISTS.MAINE.EDU

Subject:
From: Mark Gumprecht <[log in to unmask]>
Reply To: Joebox User <[log in to unmask]>
Date: Wed, 22 Dec 2010 12:24:01 -0500
Msad3 is interested in testing. 

Grace and Peace 
Mark 

------------------------ 
Mark Gumprecht 
Director of Technology 
IT Systems Specialist 
84 School Street 
Unity, Maine 04988 
[log in to unmask] 


----- Original Message ----- 
From: "Ray Soucy" <[log in to unmask]> 
To: [log in to unmask] 
Sent: Wednesday, December 22, 2010 11:24:25 AM 
Subject: Joebox 12.x Beta Test 

Greetings, All. 

The new release of Joebox software from MECnet is finally looking like 
it's at a point where we can start doing production testing. 

We're still calling this a "beta" until we've verified that it is 
working well in a production K12 environment; so ideally we're looking 
for sites that are willing to work with us to troubleshoot and resolve 
any issues that come up due to the upgrade. 

If you're interested in being a "beta tester" for the new release, 
please drop me a note. 
Disclaimer: There will be a limited number of sites that get the beta 
software, so you may or may not get included. 




Here is a summary of what has changed in the new release. As you can 
see there are a lot of major changes, so we may run into bugs that 
weren't caught in internal testing. 

FIREWALL ENGINE 

The JB Firewall Engine has been re-written. The new engine 
dynamically adds, modifies, and removes rules without flushing and 
re-creating the entire policy (which is how the current version 
operates). This should improve stability and make minor changes to 
the Joebox less disruptive to production traffic. 

Firewall groups and rules can now be ordered in the web UI. The 
Joebox will now correctly respect ordering. This resolves issues for 
sites using multiple groups. 

The Linux kernel used by the system has been upgraded to the long-term 
stable development tree (2.6.32). 

Additional kernel tuning to provide better support for large networks. 

Firewall rules now allow for ICMP protocol and type to be specified. 

SMTP filtering now provides an internal ACL field for IP addresses or 
networks that should be allowed to make outgoing SMTP connections. 

Policy Engineering for Low, Medium, and High policy levels has been 
re-worked. The new policy will allow for rules to correctly filter 
between internal networks. 

WEB FILTERING 

MECguard has been upgraded to a new major version. The new version of 
MECguard no longer resets active connections when changes are applied, 
making changes less disruptive. 

The TLD list has been replaced with global Allow and Block lists; 
which now works. This makes the user interface a little more 
intuitive. 

A "soft allow" list has been added to ignore URLs that would be 
otherwise blocked as part of a filter category, but not be globally 
allowed (e.g. these sites will still go through the standard checks). 
For example, "youtube.com" is in the "Pornography" category list. You 
likely wouldn't want to allow youtube.com as that would allow any 
request to the site without making any checks. The soft allow removes 
youtube.com from the category list, but still allows for more 
fine-grain blocking via RTF or URL lists, for example blocking 
"youtube.com/signin" but not blocking all of youtube.com. 

RTF now correctly checks all keywords. This fixes an obscure bug 
where some keywords would be checked and others would not be. For 
example, the keyword "soucy" would always be ignored by RTF in the 
previous release. 

MECguard is now more respectful of filter groups. For example, blocks 
triggered by RTF will only be applied to the group that the block was 
triggered on. Like the firewall engine, group order displayed is now 
respected by the system. Group-level options to use global URL lists 
and RTF are correctly respected. 

MECguard performance has been improved. 

MECguard now makes use of 192.0.0.1 as its override login address 
instead of 172.31.255.1 which was a conflict for some networks. The 
old address will remain valid until the next release to provide time 
to update block pages. 

A button to reset the MECguard block page to the system default has 
been added in the event you want to revert from a custom block page. 

MECguard access logs now correctly export. 

MECguard "top sites" log is now broken down by group. 

MECguard log viewer now includes a date widget. 

SECURE WEB FILTERING 

Major change here: MECguard SSL is now a proxy-based solution rather 
than a transparent one. This means that in order to use MECguard SSL 
the system or browser will need to be configured to do so. It also 
means, however, that MECguard will be able to block SSL websites by 
hostname and log requests without generating SSL certificate errors 
for allowed sites. 

A group-level "Force MECguard SSL" checkbox has been added which 
redirects any non-proxy HTTPS traffic for the group to a block page 
explaining that HTTPS is disabled unless using a proxy. MECguard SSL 
can still be used without blocking non-proxy traffic if the option is 
not checked. 

The Joebox provides an automatic proxy configuration script at the URL 
"http://192.0.0.1/wpad.dat". This script includes the necessary 
exceptions to not filter private networks, and only directs HTTPS 
requests to the proxy server (also at 192.0.0.1). 

For browsers to auto-discover the proxy configuration URL, you can 
create a DNS record for wpad.domain (where domain is whatever domain 
name you assign to your hosts) which points to 192.0.0.1. If using 
the Joebox as your DNS server in local mode (private IP addressing) 
the "wpad.local" DNS record will correctly respond without additional 
configuration. Sites using their own DNS server and a domain name 
other than local will need to manually create the DNS record. 

Client systems may need to have automatic configuration enabled under 
Internet settings for WPAD to work. 

Sites running their own DHCP server may be able to provide the WPAD 
configuration URL using DHCP (we believe the DHCP method is Windows 
only). 

SYSTEM 

Reminder messages have been added reminding you to save your 
configuration if changes have been made, and to reboot your Joebox if 
software has been upgraded. 

Fix for a memory leak in UI causing load average to slowly rise. 

Local-mode DHCP server now correctly includes the "authoritative;" 
statement and will force clients to request a new lease if they 
attempt to renew an invalid lease. This was causing significant 
address assignment problems for hosts that roam between different 
networks (such as wireless). 

System kernel has been upgraded to a more actively developed and 
maintained tree. 

-- 
Ray Soucy 

Epic Communications Specialist 

Phone: +1 (207) 561-3526 

Networkmaine, a Unit of the University of Maine System 
http://www.networkmaine.net/ 

