Ray,

Do you know if MECGuard SSL will work with cell phones, iPads, etc?

Thanks,
Seth

On Fri, Apr 8, 2011 at 12:49 PM, Ray Soucy <[log in to unmask]> wrote:

> No, "Force MECguard SSL" will block _all_ HTTPS traffic (the idea is
> that you check this box after you have your browsers set up to use
> MECguard for HTTPS as a proxy server to enforce it).
>
> On Fri, Apr 8, 2011 at 12:36 PM, Jaimie Moores <[log in to unmask]> wrote:
> > Does "Force MECGuard SSL" have to be checked in order for the closed port
> > rules to work?
> >
> > Jaimie Moores
> > Technology Coordinator
> > PowerSchool Administrator
> > Machias Memorial High School
> >
> >
> > On Fri, Apr 8, 2011 at 11:34 AM, Ray Soucy <[log in to unmask]> wrote:
> >>
> >> Facebook currently has 2 IP networks:
> >> 1. 66.220.144.0/20
> >> 2. 69.63.176.0/20
> >>
> >> Steps for a Firewall block of Facebook (as opposed to MECguard):
> >>
> >> Step 1: Create two "Closed Port" rules with the following settings:
> >>
> >> Rule 1:
> >>
> >> Description: Facebook
> >> Rule Chain: FORWARD
> >> Source Type: Firewall Group
> >> Source Group: LAN (or whatever group you want blocked)
> >> Destination Type: IP/Hostname
> >> Destination IP/Hostname: 66.220.144.0/20
> >> Protocol: TCP
> >> Closed Ports: 80,443
> >>
> >> Rule 2:
> >>
> >> Description: Facebook
> >> Rule Chain: FORWARD
> >> Source Type: Firewall Group
> >> Source Group: LAN (or whatever group you want blocked)
> >> Destination Type: IP/Hostname
> >> Destination IP/Hostname: 69.63.176.0/20
> >> Protocol: TCP
> >> Closed Ports: 80,443
> >>
> >> On Fri, Apr 8, 2011 at 11:14 AM, Eric R. Warren <[log in to unmask]>
> >> wrote:
> >> > That's a useful trick! Would you mind sharing those Facebook-blocking
> >> > settings with us?
> >> >
> >> > Eric
> >> > MSAD 45
> >> >
> >> > -----Original Message-----
> >> > From: Joebox User [mailto:[log in to unmask]] On Behalf Of Ray
> >> > Soucy
> >> > Sent: Friday, April 08, 2011 11:08 AM
> >> > To: [log in to unmask]
> >> > Subject: Re: Joebox Updates
> >> >
> >> > Linda,
> >> >
> >> > If you were using the old "MECguard SSL" it would no longer be active
> >> > after the upgrade (to my knowledge only a handful of people were
> >> > trying to use it because of all the browser errors it would generate).
> >> >
> >> > The "Force MECguard SSL" option will block SSL requests unless made
> >> > using a proxy server, but requires that browsers know about the proxy
> >> > server (as described in the MECguard notes I posted a few days ago).
> >> >
> >> > Other than that, it shouldn't have changed.
> >> >
> >> > I've created two "Closed Port" rules in your Firewall that will block
> >> > web access to the Facebook IP networks, but left them disabled. You
> >> > can enable these rules and restart your firewall if you want to start
> >> > blocking access to Facebook over HTTPS.
> >> >
> >> > I've noticed that you only have one Group for MECguard. If you block
> >> > Facebook using the Firewall you might want to create a "Teachers"
> >> > group with the IP addresses of teacher PCs so you can create a rule to
> >> > not block Facebook for those users.
> >> >
> >> > Because you're running a "LOW" Firewall policy, you'll need to apply
> >> > the 12.1 software update before Open Port rules to do this will work,
> >> > the Software Update can be run at any time.
> >> >
> >> > Feel free to give support a call if you'd like us to do any of this
> >> > for you: 1-888-367-6756
> >> >
> >> > Sorry about any disruption... The upgrade was a major change and
> >> > required a manual process to apply. Future updates will be provided
> >> > through the Software Update tool and be left up to you to apply.
> >> >
> >> > On Fri, Apr 8, 2011 at 9:38 AM, Linda Chaisson <[log in to unmask]>
> >> > wrote:
> >> >> Ray:
> >> >> Previously our students couldn’t get to Facebook by adding the s to
> >> >> http and now they can. Was anything changed?
> >> >> Thanks,
> >> >> Linda
> >> >>
> >> >>
> >> >> On 4/6/11 1:24 PM, "Ray Soucy" <[log in to unmask]> wrote:
> >> >>
> >> >> We realize that for many of you it seems like you just upgraded, but
> >> >> some of you have been running the code for over a month and have found
> >> >> a bug or two. We have a minor update available.
> >> >>
> >> >> Feel free to apply this update using the "Software Update" tool on the
> >> >> Joebox at your convenience. This is a non-critical update and can be
> >> >> applied at any time.
> >> >>
> >> >> As always, if you need help running the Software Update utility, or
> >> >> encounter any problems, please give us a call: 1-888-367-6756
> >> >>
> >> >> New packages are labeled 12.1.
> >> >>
> >> >> Change Log:
> >> >>
> >> >> 1. A "Reinitialize Firewall" button has been added to the Firewall
> >> >> options page. This button does a forced restart of the Firewall
> >> >> service (all rules are flushed and re-added) to recover from the
> >> >> Firewall Engine becoming out of sync. If you run into a situation
> >> >> where using this button is the only way to "fix" your Joebox please
> >> >> contact us so we can take a look at your configuration and track down
> >> >> the invalid rule that is causing problems.
> >> >>
> >> >> 2. Port Forward rules with protocol "IP" weren't ignoring port fields
> >> >> (causing invalid rules). This is now fixed.
> >> >>
> >> >> 3. Open Port rules were not being applied when a Firewall policy level
> >> >> of LOW was in use. They should now be applied correctly.
> >> >>
> >> >> 4. In isolated circumstances, some traffic making use of TCP window
> >> >> scaling was being marked as INVALID by connection state tracking and
> >> >> being dropped by the Firewall. This was found to be affecting less
> >> >> than 1% of traffic. This should now be fixed, as TCP window size is
> >> >> no longer used to determine packet validity.
> >> >>
> >> >> 5. Minor update to SNMP to facilitate changes in Joebox monitoring by
> >> >> Networkmaine.
> >> >>
> >> >> 6. Minor UI update to fix changing of static route to be applied
> >> >> without reboot.
> >> >>
> >> >> 7. Minor UI update to allow DHCP service to be disabled if in a failed
> >> >> status (e.g. enabled without a valid configuration), mostly to get rid
> >> >> of the "red" status indicator for sites not using DHCP on the Joebox.
> >> >>
> >> >> Linda Chaisson
> >> >> Technology Coordinator
> >> >> Regional School Unit 16
> >> >> C/O PRHS - 1457 Maine Street
> >> >> Poland, ME 04274
> >> >> 207-998-5400 Ext 103
> >> >> [log in to unmask]
> >> >>
> >> >
> >> >
> >> > --
> >> > Ray Soucy
> >> >
> >> > Epic Communications Specialist
> >> >
> >> > Phone: +1 (207) 561-3526
> >> >
> >> > Networkmaine, a Unit of the University of Maine System
> >> > http://www.networkmaine.net/
> >> >
> >>
> >>
> >> --
> >> Ray Soucy
> >>
> >> Epic Communications Specialist
> >>
> >> Phone: +1 (207) 561-3526
> >>
> >> Networkmaine, a Unit of the University of Maine System
> >> http://www.networkmaine.net/
> >
> > The information transmitted herein is intended only for the person or entity
> > to which it is addressed and may contain confidential material. Any review,
> > retransmission, dissemination or other use of, or taking of any action in
> > reliance upon, this information by persons or entities other than the
> > intended recipient is prohibited. If you received this in error, please
> > contact the sender and delete the e-mail and any attachments from any
> > computer.
> >
>
>
> --
> Ray Soucy
>
> Epic Communications Specialist
>
> Phone: +1 (207) 561-3526
>
> Networkmaine, a Unit of the University of Maine System
> http://www.networkmaine.net/
>

--
Seth H. Thompson
Technology Director
Regional School Unit No. 5
207-865-4706 x232
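
The two "Closed Port" rules and the "Teachers" exemption discussed in the thread, sketched as iptables commands. This is an added example, not part of the original messages and not the Joebox's own generated rules. It assumes the Joebox FORWARD chain corresponds to netfilter/iptables; the LAN network, the teacher addresses and the DROP target are assumed values.

```shell
#!/bin/sh
# Added example: prints iptables commands approximating the two "Closed Port"
# rules from the thread. It only prints; nothing is applied to a firewall.

# The two Facebook networks and the closed ports given in the thread.
FB_NETS="66.220.144.0/20 69.63.176.0/20"
FB_PORTS="80,443"

# facebook_block_rules LAN_CIDR [EXEMPT_IP ...]
#   LAN_CIDR   source network to block (stands in for the "LAN" Firewall Group)
#   EXEMPT_IP  hosts that keep access (stands in for a "Teachers" group)
facebook_block_rules() {
    lan="$1"
    [ -n "$lan" ] || {
        echo "usage: facebook_block_rules LAN_CIDR [EXEMPT_IP ...]" >&2
        return 2
    }
    shift
    for net in $FB_NETS; do
        # Exemptions are emitted first: iptables stops at the first matching
        # rule, so an ACCEPT placed after the block would never be reached.
        for host in "$@"; do
            echo "iptables -A FORWARD -s $host -d $net -p tcp -m multiport --dports $FB_PORTS -j ACCEPT"
        done
        # DROP is an assumption; the thread does not say whether a
        # "Closed Port" rule drops or rejects the connection.
        echo "iptables -A FORWARD -s $lan -d $net -p tcp -m multiport --dports $FB_PORTS -j DROP"
    done
}

# Constructed sample values: a 10.1.0.0/16 LAN with two teacher PCs.
facebook_block_rules 10.1.0.0/16 10.1.5.20 10.1.5.21
```

Because the match is on destination network rather than hostname, it covers both HTTP and HTTPS, but only for the two networks listed in the thread.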