MSAD #60 will be willing to beta test

Eric Chellis
Network Manager
MSAD #60
21 Main St.
North Berwick, ME 03906
207.676.2234 x302 (Voice)
207.451.3296 (Cell)

Joebox User <[log in to unmask]> writes:

> Greetings, All.
>
> The new release of Joebox software from MECnet is finally looking like
> it's at a point where we can start doing production testing.
>
> We're still calling this a "beta" until we've verified that it is
> working well in a production K12 environment; so ideally we're looking
> for sites that are willing to work with us to troubleshoot and resolve
> any issues that come up due to the upgrade.
>
> If you're interested in being a "beta tester" for the new release,
> please drop me a note.
> Disclaimer: There will be a limited number of sites that get the beta
> software, so you may or may not get included.
>
> Here is a summary of what has changed in the new release. As you can
> see there are a lot of major changes, so we may run into bugs that
> weren't caught in internal testing.
>
> FIREWALL ENGINE
>
> The JB Firewall Engine has been re-written. The new engine
> dynamically adds, modifies, and removes rules without flushing and
> re-creating the entire policy (which is how the current version
> operates). This should improve stability and make minor changes to
> the Joebox less disruptive to production traffic.
>
> Firewall groups and rules can now be ordered in the web UI. The
> Joebox will now correctly respect ordering. This resolves issues for
> sites using multiple groups.
>
> The Linux kernel used by the system has been upgraded to the long-term
> stable development tree (2.6.32).
>
> Additional kernel tuning to provide better support for large networks.
>
> Firewall rules now allow for ICMP protocol and type to be specified.
>
> SMTP filtering now provides an internal ACL field for IP addresses or
> networks that should be allowed to make outgoing SMTP connections.
>
> Policy Engineering for Low, Medium, and High policy levels has been
> re-worked. The new policy will allow for rules to correctly filter
> between internal networks.
>
> WEB FILTERING
>
> MECguard has been upgraded to a new major version. The new version of
> MECguard no longer resets active connections when changes are applied,
> making changes less disruptive.
>
> The TLD list has been replaced with global Allow and Block lists,
> which now work. This makes the user interface a little more
> intuitive.
>
> A "soft allow" list has been added to ignore URLs that would be
> otherwise blocked as part of a filter category, but not be globally
> allowed (e.g. these sites will still go through the standard checks).
> For example, "youtube.com" is in the "Pornography" category list. You
> likely wouldn't want to allow youtube.com as that would allow any
> request to the site without making any checks. The soft allow removes
> youtube.com from the category list, but still allows for more
> fine-grained blocking via RTF or URL lists, for example blocking
> "youtube.com/signin" but not blocking all of youtube.com.
>
> RTF now correctly checks all keywords. This fixes an obscure bug
> where some keywords would be checked and others would not be. For
> example, the keyword "soucy" would always be ignored by RTF in the
> previous release.
>
> MECguard is now more respectful of filter groups. For example, blocks
> triggered by RTF will only be applied to the group that the block was
> triggered on. Like the firewall engine, group order displayed is now
> respected by the system. Group-level options to use global URL lists
> and RTF are correctly respected.
>
> MECguard performance has been improved.
>
> MECguard now makes use of 192.0.0.1 as its override login address
> instead of 172.31.255.1 which was a conflict for some networks. The
> old address will remain valid until the next release to provide time
> to update block pages.
>
> A button to reset the MECguard block page to the system default has
> been added in the event you want to revert from a custom block page.
>
> MECguard access logs now correctly export.
>
> MECguard "top sites" log is now broken down by group.
>
> MECguard log viewer now includes a date widget.
>
> SECURE WEB FILTERING
>
> Major change here: MECguard SSL is now a proxy-based solution rather
> than a transparent one. This means that in order to use MECguard SSL
> the system or browser will need to be configured to do so. It also
> means, however, that MECguard will be able to block SSL websites by
> hostname and log requests without generating SSL certificate errors
> for allowed sites.
>
> A group-level "Force MECguard SSL" checkbox has been added which
> redirects any non-proxy HTTPS traffic for the group to a block page
> explaining that HTTPS is disabled unless using a proxy. MECguard SSL
> can still be used without blocking non-proxy traffic if the option is
> not checked.
>
> The Joebox provides an automatic proxy configuration script at the URL
> "http://192.0.0.1/wpad.dat"; this script includes the necessary
> exceptions to not filter private networks, and only directs HTTPS
> requests to the proxy server (also at 192.0.0.1).
>
> For browsers to auto-discover the proxy configuration URL, you can
> create a DNS record for wpad.domain (where domain is whatever domain
> name you assign to your hosts) which points to 192.0.0.1. If using
> the Joebox as your DNS server in local mode (private IP addressing)
> the "wpad.local" DNS record will correctly respond without additional
> configuration. Sites using their own DNS server and a domain name
> other than local will need to manually create the DNS record.
>
> Client systems may need to have automatic configuration enabled under
> Internet settings for WPAD to work.
>
> Sites running their own DHCP server may be able to provide the WPAD
> configuration URL using DHCP (we believe the DHCP method is Windows
> only).
>
> SYSTEM
>
> Reminder messages have been added reminding you to save your
> configuration if changes have been made, and to reboot your Joebox if
> software has been upgraded.
>
> Fix for a memory leak in UI causing load average to slowly rise.
>
> Local-mode DHCP server now correctly includes the "authoritative;"
> statement and will force clients to request a new lease if they
> attempt to renew an invalid lease. This was causing significant
> address assignment problems for hosts that roam between different
> networks (such as wireless).
>
> System kernel has been upgraded to a more actively developed and
> maintained tree.
>
> --
> Ray Soucy
>
> Epic Communications Specialist
>
> Phone: +1 (207) 561-3526
>
> Networkmaine, a Unit of the University of Maine System
> http://www.networkmaine.net/
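The quoted message describes the behaviour of the wpad.dat served at http://192.0.0.1/wpad.dat: private networks bypass the proxy, and only HTTPS requests are sent to the proxy at 192.0.0.1. The proxy auto-configuration (PAC) script below is an added illustration of that behaviour, not MECnet's or the Joebox's own script. It assumes a proxy port of 3128 and a local domain of "local"; neither is stated in the message. It also implements private-range matching itself (a browser would normally offer isInNet for this) so that the function can be exercised outside a browser, for example when checking a PAC file before rolling it out.

```javascript
// Illustrative PAC script modelled on the behaviour described for the
// Joebox wpad.dat. Added example; not the project's own file.
var PROXY_HOST = "192.0.0.1";       // from the message: proxy and WPAD host
var PROXY_PORT = 3128;              // ASSUMED: the message does not give the port
var LOCAL_DOMAIN = "local";         // ASSUMED: the domain used in local mode

// Parse a dotted-quad IPv4 literal into an unsigned integer; null if the
// host is not a valid IPv4 literal (hostnames, bad octets, etc.).
function ipv4ToInt(host) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  var n = 0;
  for (var i = 1; i <= 4; i++) {
    var octet = parseInt(m[i], 10);
    if (octet > 255) return null;
    n = n * 256 + octet;
  }
  return n;
}

// Ranges that should never be sent to the proxy: RFC 1918 private space,
// loopback and link-local, as [network, prefix length].
var PRIVATE_NETS = [
  ["10.0.0.0", 8], ["172.16.0.0", 12], ["192.168.0.0", 16],
  ["127.0.0.0", 8], ["169.254.0.0", 16]
];

// True if host is an IPv4 literal inside one of PRIVATE_NETS.
function isPrivateIPv4(host) {
  var ip = ipv4ToInt(host);
  if (ip === null) return false;
  for (var i = 0; i < PRIVATE_NETS.length; i++) {
    var net = ipv4ToInt(PRIVATE_NETS[i][0]);
    var bits = PRIVATE_NETS[i][1];
    // Build the netmask as an unsigned 32-bit value.
    var mask = (0xFFFFFFFF << (32 - bits)) >>> 0;
    if (((ip & mask) >>> 0) === ((net & mask) >>> 0)) return true;
  }
  return false;
}

// Standard PAC entry point: the browser calls this for every request.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  var inLocalDomain = host === LOCAL_DOMAIN ||
    host.slice(-(LOCAL_DOMAIN.length + 1)) === "." + LOCAL_DOMAIN;
  // Exceptions: private addresses, unqualified names, the local domain and
  // the proxy itself always go direct, so internal services are unaffected.
  if (isPrivateIPv4(host) || host.indexOf(".") === -1 ||
      inLocalDomain || host === PROXY_HOST) {
    return "DIRECT";
  }
  // Only HTTPS is directed to the proxy; plain HTTP stays transparent.
  if (url.toLowerCase().indexOf("https:") === 0) {
    return "PROXY " + PROXY_HOST + ":" + PROXY_PORT;
  }
  return "DIRECT";
}
```

When the group-level "Force MECguard SSL" option is on, any HTTPS request that returns "DIRECT" here for a public host would hit the block page, so the exception list is what decides which internal HTTPS services keep working; it is worth running a few representative internal and external URLs through FindProxyForURL before enabling that option. For the DHCP delivery method mentioned in the message, the URL is handed out as DHCP option 252.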