Ray,

When do you expect to roll this out to other JoeBox sites?

Thanks,
Seth

On Wed, Dec 22, 2010 at 4:44 PM, Ray Soucy <[log in to unmask]> wrote:
> A big "thank you" to the following schools. It really helps us keep
> things moving forward over break, hopefully testing goes well.
>
> Nobel High School
> Mount View High School
> Old Town High School
> Lawrence High School
>
> Upgrades went very smoothly with the exception of Lawrence (which had
> a unique configuration that would have broken with the current 10.x
> live software updates, anyway), but we got it figured out (sorry about
> that, Brad).
>
> Ray
>
> On Wed, Dec 22, 2010 at 11:24 AM, Ray Soucy <[log in to unmask]> wrote:
> > Greetings, All.
> >
> > The new release of Joebox software from MECnet is finally looking like
> > it's at a point where we can start doing production testing.
> >
> > We're still calling this a "beta" until we've verified that it is
> > working well in a production K12 environment; so ideally we're looking
> > for sites that are willing to work with us to troubleshoot and resolve
> > any issues that come up due to the upgrade.
> >
> > If you're interested in being a "beta tester" for the new release,
> > please drop me a note.
> > Disclaimer: There will be a limited number of sites that get the beta
> > software, so you may or may not get included.
> >
> > Here is a summary of what has changed in the new release. As you can
> > see there are a lot of major changes, so we may run into bugs that
> > weren't caught in internal testing.
> >
> > FIREWALL ENGINE
> >
> > The JB Firewall Engine has been re-written. The new engine
> > dynamically adds, modifies, and removes rules without flushing and
> > re-creating the entire policy (which is how the current version
> > operates). This should improve stability and make minor changes to
> > the Joebox less disruptive to production traffic.
> >
> > Firewall groups and rules can now be ordered in the web UI. The
> > Joebox will now correctly respect ordering. This resolves issues for
> > sites using multiple groups.
> >
> > The Linux kernel used by the system has been upgraded to the long-term
> > stable development tree (2.6.32).
> >
> > Additional kernel tuning to provide better support for large networks.
> >
> > Firewall rules now allow for ICMP protocol and type to be specified.
> >
> > SMTP filtering now provides an internal ACL field for IP addresses or
> > networks that should be allowed to make outgoing SMTP connections.
> >
> > Policy Engineering for Low, Medium, and High policy levels has been
> > re-worked. The new policy will allow for rules to correctly filter
> > between internal networks.
> >
> > WEB FILTERING
> >
> > MECguard has been upgraded to a new major version. The new version of
> > MECguard no longer resets active connections when changes are applied,
> > making changes less disruptive.
> >
> > The TLD list has been replaced with global Allow and Block lists,
> > which now work. This makes the user interface a little more
> > intuitive.
> >
> > A "soft allow" list has been added to ignore URLs that would be
> > otherwise blocked as part of a filter category, but not be globally
> > allowed (e.g. these sites will still go through the standard checks).
> > For example, "youtube.com" is in the "Pornography" category list. You
> > likely wouldn't want to allow youtube.com as that would allow any
> > request to the site without making any checks. The soft allow removes
> > youtube.com from the category list, but still allows for more
> > fine-grained blocking via RTF or URL lists, for example blocking
> > "youtube.com/signin" but not blocking all of youtube.com.
> >
> > RTF now correctly checks all keywords. This fixes an obscure bug
> > where some keywords would be checked and others would not be. For
> > example, the keyword "soucy" would always be ignored by RTF in the
> > previous release.
> >
> > MECguard is now more respectful of filter groups. For example, blocks
> > triggered by RTF will only be applied to the group that the block was
> > triggered on. Like the firewall engine, group order displayed is now
> > respected by the system. Group-level options to use global URL lists
> > and RTF are correctly respected.
> >
> > MECguard performance has been improved.
> >
> > MECguard now makes use of 192.0.0.1 as its override login address
> > instead of 172.31.255.1, which was a conflict for some networks. The
> > old address will remain valid until the next release to provide time
> > to update block pages.
> >
> > A button to reset the MECguard block page to the system default has
> > been added in the event you want to revert from a custom block page.
> >
> > MECguard access logs now correctly export.
> >
> > MECguard "top sites" log is now broken down by group.
> >
> > MECguard log viewer now includes a date widget.
> >
> > SECURE WEB FILTERING
> >
> > Major change here: MECguard SSL is now a proxy-based solution rather
> > than a transparent one. This means that in order to use MECguard SSL
> > the system or browser will need to be configured to do so. It also
> > means, however, that MECguard will be able to block SSL websites by
> > hostname and log requests without generating SSL certificate errors
> > for allowed sites.
> >
> > A group-level "Force MECguard SSL" checkbox has been added which
> > redirects any non-proxy HTTPS traffic for the group to a block page
> > explaining that HTTPS is disabled unless using a proxy. MECguard SSL
> > can still be used without blocking non-proxy traffic if the option is
> > not checked.
> >
> > The Joebox provides an automatic proxy configuration script at the URL
> > "http://192.0.0.1/wpad.dat". This script includes the necessary
> > exceptions to not filter private networks, and only directs HTTPS
> > requests to the proxy server (also at 192.0.0.1).
> >
> > For browsers to auto-discover the proxy configuration URL, you can
> > create a DNS record for wpad.domain (where domain is whatever domain
> > name you assign to your hosts) which points to 192.0.0.1. If using
> > the Joebox as your DNS server in local mode (private IP addressing),
> > the "wpad.local" DNS record will correctly respond without additional
> > configuration. Sites using their own DNS server and a domain name
> > other than local will need to manually create the DNS record.
> >
> > Client systems may need to have automatic configuration enabled under
> > Internet settings for WPAD to work.
> >
> > Sites running their own DHCP server may be able to provide the WPAD
> > configuration URL using DHCP (we believe the DHCP method is Windows
> > only).
> >
> > SYSTEM
> >
> > Reminder messages have been added reminding you to save your
> > configuration if changes have been made, and to reboot your Joebox if
> > software has been upgraded.
> >
> > Fix for a memory leak in UI causing load average to slowly rise.
> >
> > Local-mode DHCP server now correctly includes the "authoritative;"
> > statement and will force clients to request a new lease if they
> > attempt to renew an invalid lease. This was causing significant
> > address assignment problems for hosts that roam between different
> > networks (such as wireless).
> >
> > System kernel has been upgraded to a more actively developed and
> > maintained tree.
> >
> > --
> > Ray Soucy
> >
> > Epic Communications Specialist
> >
> > Phone: +1 (207) 561-3526
> >
> > Networkmaine, a Unit of the University of Maine System
> > http://www.networkmaine.net/
>
>
> --
> Ray Soucy
>
> Epic Communications Specialist
>
> Phone: +1 (207) 561-3526
>
> Networkmaine, a Unit of the University of Maine System
> http://www.networkmaine.net/

--
Seth H. Thompson
Technology Director
Regional School Unit No. 5
207-865-4706 x232
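Added example, not part of the thread and not MECnet's actual wpad.dat: a proxy auto-configuration (PAC) script with the behaviour Ray describes for "http://192.0.0.1/wpad.dat", that is, private networks are exempted and only HTTPS requests are sent to the proxy at 192.0.0.1. The proxy port 3128 is an assumption (the message names no port), the DNS entries are constructed for the example, and the shims at the end only exist so the script can be run and checked under Node; a browser supplies isPlainHostName, dnsResolve and isInNet itself.

```javascript
// Added example (not MECnet's wpad.dat): a PAC script with the behaviour the
// message describes. Only https:// requests go to the proxy at 192.0.0.1;
// plain http:// stays on the transparent path; private and local
// destinations are never proxied. The proxy port 3128 is an ASSUMPTION; the
// message does not state one.

var PROXY = "PROXY 192.0.0.1:3128"; // port assumed
var DIRECT = "DIRECT";

// RFC 1918 space plus loopback. 192.0.0.1 itself is not RFC 1918 space, so
// the Joebox address gets its own explicit rule below.
var PRIVATE_NETS = [
  ["10.0.0.0", "255.0.0.0"],
  ["172.16.0.0", "255.240.0.0"],
  ["192.168.0.0", "255.255.0.0"],
  ["127.0.0.0", "255.0.0.0"]
];

function FindProxyForURL(url, host) {
  host = host.toLowerCase();

  // Single-label names ("intranet", "wpad") are site-local: go direct.
  if (isPlainHostName(host)) return DIRECT;

  // Never loop the Joebox's own address (block/login pages, wpad.dat)
  // through the proxy.
  if (host === "192.0.0.1") return DIRECT;

  // Only HTTPS is proxied; HTTP is already filtered transparently.
  if (url.substring(0, 6).toLowerCase() !== "https:") return DIRECT;

  // Exempt private destinations. dnsResolve returns null on failure, in
  // which case we fall through and let the proxy make the decision.
  var ip = dnsResolve(host);
  if (ip) {
    for (var i = 0; i < PRIVATE_NETS.length; i++) {
      if (isInNet(ip, PRIVATE_NETS[i][0], PRIVATE_NETS[i][1])) return DIRECT;
    }
  }
  return PROXY;
}

// ---------------------------------------------------------------------------
// Offline harness. Browsers supply isPlainHostName, dnsResolve and isInNet
// natively; these shims are installed only when they are missing (Node),
// so the script can be exercised without a browser. Remove this section
// before serving the file as wpad.dat. The DNS table is constructed.
// ---------------------------------------------------------------------------
var CONSTRUCTED_DNS = {
  "www.example.edu": "203.0.113.10",
  "intranet.example.edu": "10.20.30.40"
};

// Dotted quad -> unsigned 32-bit integer.
function ipToInt(ip) {
  var parts = ip.split(".");
  var n = 0;
  for (var i = 0; i < 4; i++) n = (n << 8) | (parseInt(parts[i], 10) & 255);
  return n >>> 0;
}

if (typeof globalThis.isPlainHostName !== "function") {
  globalThis.isPlainHostName = function (host) {
    return host.indexOf(".") === -1;
  };
}
if (typeof globalThis.dnsResolve !== "function") {
  globalThis.dnsResolve = function (host) {
    if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) return host; // literal IP
    return CONSTRUCTED_DNS[host] || null;
  };
}
if (typeof globalThis.isInNet !== "function") {
  globalThis.isInNet = function (ip, pattern, mask) {
    var m = ipToInt(mask);
    return (ipToInt(ip) & m) === (ipToInt(pattern) & m);
  };
}
```

Served as wpad.dat, the file should carry the Content-Type application/x-ns-proxy-autoconfig so browsers accept it. For discovery, the DNS route is an A record for wpad.<your domain> pointing at 192.0.0.1, as the message says; the DHCP route is option 252 carrying the full URL of the script. An unresolvable HTTPS hostname is deliberately sent to the proxy rather than direct, so that a broken or poisoned resolver cannot be used to bypass the filter.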