Hi All,

I wanted to drop a note to everyone on the work being done to improve MECguard, the website filter used by the Joebox. It's a fairly long email so here are some highlights:

* New Joebox NE software should be ready for production testing next week.
* This update includes a new version of MECguard and production-quality MECguard SSL.
* MECguard SSL moves from a transparent to a proxy server model. Requires browser configuration.
* Browser configuration simplified when possible using Web Proxy Auto-Discovery (WPAD) and Proxy Auto-Configuration (PAC).
* Proxy-based HTTPS filtering is done by web server hostname (e.g. "www.facebook.com"), not full URL filtering (which is not possible without breaking SSL encryption).
* Option to block HTTPS traffic for groups unless they use the HTTPS proxy server.

The Joebox software release Networkmaine Edition 12.x will provide a new version of MECguard. This long-awaited upgrade provides stronger group-based filtering (group ordering is now respected: a host will now always get filtered in the first group that it matches, and groups will always be in the same order that they appear on the web interface), more stable configuration updates (active connections are no longer reset when MECguard is restarted), fixes for outstanding bugs, and improved performance.

This release also introduces a production-quality SSL filter, MECguard SSL. The current Joebox SSL filter was a beta feature in an attempt to see if transparent SSL filtering was possible. The user experience for this proved to be unacceptable for production use, and further work on this method has been abandoned in favor of a proxy-based solution. The Joebox now provides the ability to act as an HTTPS proxy server, and will make filtering determinations on the hostname of the website requested.
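The following is an added illustration, not MECguard or Joebox code, of why a proxy-based HTTPS filter can only decide on the hostname. A browser configured to use an HTTPS proxy sends a "CONNECT host:port" line for each secure site, so the proxy sees the hostname and nothing else, whereas a plain HTTP proxy request carries the full URL. The block list entries and request lines below are constructed sample values.

```javascript
// Added example, not MECguard or Joebox code: a hostname-only filtering
// decision for an HTTPS proxy. CONNECT lines carry only host:port, so the
// filter matches a block list against the hostname; for plain HTTP the
// absolute URL (and therefore the path) is visible to the proxy.

// Constructed group-level block list (illustrative values only).
const groupBlockList = ["facebook.com", "blocked-example.test"];

// Hostname from a proxy request line. CONNECT lines carry host:port; HTTP
// proxy lines carry an absolute URL, whose hostname is extracted instead.
function hostnameFromRequestLine(line) {
  const parts = line.trim().split(/\s+/);
  if (parts.length < 2) return null;
  const [method, target] = parts;
  if (method.toUpperCase() === "CONNECT") {
    // Strip an optional ":port"; tolerate a bracketed IPv6 literal.
    const m = /^\[?([^\]\s]+?)\]?(?::\d+)?$/.exec(target);
    return m ? m[1].toLowerCase() : null;
  }
  try {
    return new URL(target).hostname.toLowerCase();
  } catch (e) {
    return null; // origin-form request lines ("GET /path") carry no hostname
  }
}

// An entry matches the host itself and any subdomain of it, so "facebook.com"
// covers "www.facebook.com" and "m.facebook.com" but not "notfacebook.com".
function hostMatches(hostname, entry) {
  const e = entry.toLowerCase().replace(/^\.+/, "");
  return hostname === e || hostname.endsWith("." + e);
}

// Decide allow/block for one request line against a block list. Lines that
// yield no hostname are blocked rather than passed through unfiltered.
function filterDecision(requestLine, blockList) {
  const host = hostnameFromRequestLine(requestLine);
  if (host === null) {
    return { host: null, action: "block", reason: "no hostname in request line" };
  }
  const hit = blockList.find((entry) => hostMatches(host, entry));
  return hit
    ? { host, action: "block", reason: "matches block-list entry " + hit }
    : { host, action: "allow", reason: "no block-list match" };
}

// Constructed sample request lines, as a proxy would receive them.
const sampleRequests = [
  "CONNECT www.facebook.com:443 HTTP/1.1",
  "CONNECT m.facebook.com:443 HTTP/1.1",
  "CONNECT notfacebook.com:443 HTTP/1.1",
  "GET http://www.example.org/some/path HTTP/1.1",
];
for (const line of sampleRequests) {
  const d = filterDecision(line, groupBlockList);
  console.log(d.action.padEnd(5), d.host, "-", d.reason);
}
```

The suffix match is what makes a single entry such as "facebook.com" cover every subdomain, which is the behaviour the block-list example in this email relies on; the GET line shows that the path is available for HTTP but never for a CONNECT request.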
The hostname is the only information provided to the proxy server from the browser, so more specific URL filtering, or content filtering for HTTPS, is not possible with MECguard SSL (note that it isn't possible with any filter without breaking encryption). Note that only HTTPS filtering makes use of the proxy server model. Normal HTTP filtering is still transparent and requires no browser configuration.

Filtering using this method means that MECguard SSL can take advantage of its existing category lists and apply them to HTTPS requests. It also makes it possible to allow or block HTTPS websites using the same global or group-level block and allow lists by specifying the hostname you wish blocked. For example, if you wanted to block access to Facebook for a group, you could add "facebook.com" to the group-level block list. This would block Facebook for both HTTP and HTTPS requests made using MECguard SSL.

Without a proxy-based solution HTTPS filtering can only be accomplished by IP address (which is the method used by Bess). We do not have access to a database of inappropriate secure website IP addresses to block, so this method would have proven to be inadequate for the majority of our users. The upside is that you can easily block HTTPS by hostname instead of keeping track of IP addresses. The downside is that the browsers require proxy configuration.

In order to make this easier, the Joebox provides automatic proxy server configuration through WPAD (Web Proxy Auto-Discovery protocol). This will allow most browsers to automatically detect and configure proxy server information provided by the Joebox (with the correct exceptions), and has been tested with current versions of popular browsers. The only requirement for WPAD to work for your network is that a DNS record exist under the same domain that your host computers are configured with.
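As an added example of what a WPAD-delivered Proxy Auto-Configuration script for this setup looks like (this is not the Joebox's own wpad.dat, and the exact exceptions the Joebox generates are not described here), the script below sends only HTTPS requests to the MECguard SSL proxy and leaves HTTP, the Joebox override-login address, and local services direct. The proxy address 192.0.0.1 and port 8616 are the values given in this email; the local domain "something.k12.me.us" and the private address ranges are assumptions chosen for illustration. The helper functions are written out rather than relying on the browser's built-in PAC helpers so the same file also runs under Node for testing.

```javascript
// Added example, not the Joebox's own PAC/WPAD file: a Proxy
// Auto-Configuration script that proxies only HTTPS through MECguard SSL.
// 192.0.0.1:8616 is the proxy given in the announcement; LOCAL_DOMAIN and the
// private ranges below are assumed values for illustration.

var SSL_PROXY = "PROXY 192.0.0.1:8616";
var JOEBOX_ADDRESS = "192.0.0.1";            // override login page, must stay direct
var LOCAL_DOMAIN = "something.k12.me.us";    // assumed local domain

// Host with no domain part, e.g. "intranet".
function isPlainHost(host) {
  return host.indexOf(".") === -1;
}

// True for the domain itself and any host beneath it.
function inDomain(host, domain) {
  return host === domain || host.slice(-(domain.length + 1)) === "." + domain;
}

// IPv4 literal in a private or loopback range (RFC 1918 plus 127/8).
function isPrivateIPv4(host) {
  var m = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/.exec(host);
  if (!m) return false;
  var a = +m[1], b = +m[2];
  return a === 10 || a === 127 ||
         (a === 172 && b >= 16 && b <= 31) ||
         (a === 192 && b === 168);
}

// Entry point every browser calls for each request. For HTTPS the browser
// passes only "https://host/" as the URL, which is the same information the
// proxy itself will see.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();

  // Only HTTPS uses the proxy model; HTTP is filtered transparently.
  if (url.toLowerCase().indexOf("https:") !== 0) return "DIRECT";

  // Exceptions: the Joebox address, localhost, plain hostnames, the local
  // domain and private address space, so local HTTPS services are not proxied.
  if (host === JOEBOX_ADDRESS || host === "localhost" || isPlainHost(host) ||
      inDomain(host, LOCAL_DOMAIN) || isPrivateIPv4(host)) {
    return "DIRECT";
  }

  return SSL_PROXY;
}
```

Browsers fetch a WPAD script from http://wpad.<your domain>/wpad.dat, which is why the DNS record described above is the only thing a site has to create; resolving that name from a client PC (for example with nslookup) is the quickest check that auto-detection will find the Joebox. The same script can also be handed to a browser directly as a PAC URL where WPAD is disabled.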
For example, if the domain name provided to your PC by DHCP is "something.k12.me.us", you simply need to create a DNS record for "wpad.something.k12.me.us" to point to "192.0.0.1" (a special reserved address used by the Joebox). Some browsers may be set to detect and use proxy servers through WPAD by default. For others, you will need to enable the option in the connection settings (generally the first checkbox or two). We are preparing more detailed instructions.

As a last resort, manual configuration can be made using the IP address of 192.0.0.1 and port 8616 for "Secure" connections only in your browser. You will need to add appropriate exceptions to the exception list so that local services over HTTPS do not get proxied, including the 192.0.0.1 address which is used by MECguard for the override login page.

The "Enable MECguard SSL" group-level checkbox has been replaced with a "Force MECguard SSL" checkbox which will block HTTPS requests unless they are made using the MECguard SSL proxy. This is the only way we are able to deliver reliable and effective HTTPS filtering on the Joebox that can easily be configured and is not disruptive for normal, allowed traffic. Given that it takes time to verify browsers are set correctly, we have offered the option to use Bess for HTTPS filtering until the end of February break, as mentioned in a recent announcement.

Testing is looking very good so far and we are close to being able to release this upgrade. MECguard specifically is looking much, much better.

--
Ray Soucy
Epic Communications Specialist
Phone: +1 (207) 561-3526
Networkmaine, a Unit of the University of Maine System
http://www.networkmaine.net/