Hi Seth,

    It doesn't matter if you're trying to reach an HTTPS site from a computer,
a phone, or a rock. As long as you're connecting through the Joebox and SSL
is enabled, the traffic will be filtered.

Anthony
Networkmaine Support Center
University of Maine System
Maine School and Library Network
   Communications and Network Services
(207) 561-3587
[log in to unmask]



On Mon, Apr 11, 2011 at 11:51 AM, Seth Thompson <[log in to unmask]> wrote:

> Ray,
>
> Do you know if MECGuard SSL will work with cell phones, iPads, etc?
>
> Thanks,
> Seth
>
> On Fri, Apr 8, 2011 at 12:49 PM, Ray Soucy <[log in to unmask]> wrote:
>
>> No, "Force MECguard SSL" will block _all_ HTTPS traffic (the idea is
>> that you check this box after you have your browsers set up to use
>> MECguard for HTTPS as a proxy server to enforce it).
>>
>> On Fri, Apr 8, 2011 at 12:36 PM, Jaimie Moores <[log in to unmask]> wrote:
>> > Does "Force MECGuard SSL" have to be checked in order for the closed
>> port
>> > rules to work?
>> >
>> > Jaimie Moores
>> > Technology Coordinator
>> > PowerSchool Administrator
>> > Machias Memorial High School
>> >
>> >
>> > On Fri, Apr 8, 2011 at 11:34 AM, Ray Soucy <[log in to unmask]> wrote:
>> >>
>> >> Facebook currently has 2 IP networks:
>> >> 1. 66.220.144.0/20
>> >> 2. 69.63.176.0/20
>> >>
>> >> Steps for a Firewall block of Facebook (as opposed to MECguard):
>> >>
>> >> Step 1: Create two "Closed Port" rules with the following settings:
>> >>
>> >> Rule 1:
>> >>
>> >> Description: Facebook
>> >> Rule Chain: FORWARD
>> >> Source Type: Firewall Group
>> >> Source Group: LAN (or whatever group you want blocked)
>> >> Destination Type: IP/Hostname
>> >> Destination IP/Hostname: 66.220.144.0/20
>> >> Protocol: TCP
>> >> Closed Ports: 80,443
>> >>
>> >> Rule 2:
>> >>
>> >> Description: Facebook
>> >> Rule Chain: FORWARD
>> >> Source Type: Firewall Group
>> >> Source Group: LAN (or whatever group you want blocked)
>> >> Destination Type: IP/Hostname
>> >> Destination IP/Hostname: 69.63.176.0/20
>> >> Protocol: TCP
>> >> Closed Ports: 80,443
>> >>
>> >> On Fri, Apr 8, 2011 at 11:14 AM, Eric R. Warren <[log in to unmask]>
>> >> wrote:
>> >> > That's a useful trick!  Would you mind sharing those
>> Facebook-blocking
>> >> > settings with us?
>> >> >
>> >> > Eric
>> >> > MSAD 45
>> >> >
>> >> > -----Original Message-----
>> >> > From: Joebox User [mailto:[log in to unmask]] On Behalf Of Ray
>> >> > Soucy
>> >> > Sent: Friday, April 08, 2011 11:08 AM
>> >> > To: [log in to unmask]
>> >> > Subject: Re: Joebox Updates
>> >> >
>> >> > Linda,
>> >> >
>> >> > If you were using the old "MECguard SSL" it would no longer be active
>> >> > after the upgrade (to my knowledge only a handful of people were
>> >> > trying to use it because of all the browser errors it would
>> generate).
>> >> >
>> >> > The "Force MECguard SSL" option will block SSL requests unless made
>> >> > using a proxy server, but requires that browsers know about the proxy
>> >> > server (as described in the MECguard notes I posted a few days ago).
>> >> >
>> >> > Other than that, it shouldn't have changed.
>> >> >
>> >> > I've created two "Closed Port" rules in your Firewall that will block
>> >> > web access to the Facebook IP networks, but left them disabled.  You
>> >> > can enable these rules and restart your firewall if you want to start
>> >> > blocking access to Facebook over HTTPS.
>> >> >
>> >> > I've noticed that you only have one Group for MECguard.  If you block
>> >> > Facebook using the Firewall you might want to create a "Teachers"
>> >> > group with the IP addresses of teacher PCs so you can create a rule
>> to
>> >> > not block Facebook for those users.
>> >> >
>> >> > Because you're running a "LOW" Firewall policy, you'll need to apply
>> >> > the 12.1 software update before Open Port rules to do this will work,
>> >> > the Software Update can be run at any time.
>> >> >
>> >> > Feel free to give support a call if you'd like us to do any of this
>> >> > for you: 1-888-367-6756
>> >> >
>> >> > Sorry about any disruption... The upgrade was a major change and
>> >> > required a manual process to apply.  Future updates will be provided
>> >> > through the Software Update tool and be left up to you to apply.
>> >> >
>> >> > On Fri, Apr 8, 2011 at 9:38 AM, Linda Chaisson <
>> [log in to unmask]>
>> >> > wrote:
>> >> >> Ray:
>> >> >> Previously our students couldn’t get to facebook by adding the s to
>> >> >> http
>> >> > and
>> >> >> now they can. Was anything changed?
>> >> >> Thanks,
>> >> >> Linda
>> >> >>
>> >> >>
>> >> >>
>> >> >> On 4/6/11 1:24 PM, "Ray Soucy" <[log in to unmask]> wrote:
>> >> >>
>> >> >> We realize that for many of you it seems like you just upgraded, but
>> >> >> some of you have been running the code for over a month and have
>> found
>> >> >> a bug or two.  We have a minor update available.
>> >> >>
>> >> >> Feel free to apply this update using the "Software Update" tool on
>> the
>> >> >> Joebox at your convenience.  This is a non-critical update and can be
>> >> >> applied at any time.
>> >> >>
>> >> >> As always, if you need help running the Software Update utility, or
>> >> >> encounter any problems, please give us a call: 1-888-367-6756
>> >> >>
>> >> >> New packages are labeled 12.1.
>> >> >>
>> >> >> Change Log:
>> >> >>
>> >> >> 1. A "Reinitialize Firewall" button has been added to the Firewall
>> >> >> options page.  This button does a forced restart of the Firewall
>> >> >> service (all rules are flushed and re-added) to recover from the
>> >> >> Firewall Engine becoming out of sync.  If you run into a situation
>> >> >> where using this button is the only way to "fix" your Joebox please
>> >> >> contact us so we can take a look at your configuration and track
>> down
>> >> >> the invalid rule that is causing problems.
>> >> >>
>> >> >> 2. Port Forward rules with protocol "IP" weren't ignoring port
>> fields
>> >> >> (causing invalid rules).   This is now fixed.
>> >> >>
>> >> >> 3. Open Port rules were not being applied when a Firewall policy
>> level
>> >> >> of LOW was in use.  They should now be applied correctly.
>> >> >>
>> >> >> 4. In isolated circumstances, some traffic making use of TCP window
>> >> >> scaling was being marked as INVALID by connection state tracking and
>> >> >> being dropped by the Firewall.  This was found to be affecting less
>> >> >> than 1% of traffic.  This should now be fixed, as TCP window size is
>> >> >> no longer used to determine packet validity.
>> >> >>
>> >> >> 5. Minor update to SNMP to facilitate changes in Joebox monitoring
>> by
>> >> >> Networkmaine.
>> >> >>
>> >> >> 6. Minor UI update to fix changing of static route to be applied
>> >> >> without
>> >> >> reboot.
>> >> >>
>> >> >> 7. Minor UI update to allow DHCP service to be disabled if in a
>> failed
>> >> >> status (e.g. enabled without a valid configuration), mostly to get
>> rid
>> >> >> of the "red" status indicator for sites not using DHCP on the
>> Joebox.
>> >> >>
>> >> >> Linda Chaisson
>> >> >> Technology Coordinator
>> >> >> Regional School Unit 16
>> >> >> C/O PRHS - 1457 Maine Street
>> >> >> Poland, ME 04274
>> >> >> 207-998-5400 Ext 103
>> >> >> [log in to unmask]
>> >> >>
>> >> >>
>> >> >
>> >> >
>> >> >
>> >> > --
>> >> > Ray Soucy
>> >> >
>> >> > Epic Communications Specialist
>> >> >
>> >> > Phone: +1 (207) 561-3526
>> >> >
>> >> > Networkmaine, a Unit of the University of Maine System
>> >> > http://www.networkmaine.net/
>> >> >
>> >>
>> >>
>> >>
>> >> --
>> >> Ray Soucy
>> >>
>> >> Epic Communications Specialist
>> >>
>> >> Phone: +1 (207) 561-3526
>> >>
>> >> Networkmaine, a Unit of the University of Maine System
>> >> http://www.networkmaine.net/
>> >
>> >
>> >
>>
>>
>>
>> --
>> Ray Soucy
>>
>> Epic Communications Specialist
>>
>> Phone: +1 (207) 561-3526
>>
>> Networkmaine, a Unit of the University of Maine System
>> http://www.networkmaine.net/
>>
>
>
>
> --
> Seth H. Thompson
> Technology Director
> Regional School Unit No. 5
> 207-865-4706 x232
>
>
>
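Added example, not part of the original thread and not Joebox code: a small Python model of the two "Closed Port" rules and the suggested "Teachers" exemption, showing which flows they match. The LAN and teacher addresses and the first-match rule ordering are assumptions made for illustration.

```python
import ipaddress

# Destination networks and closed ports as listed in the thread.
FACEBOOK_NETS = [ipaddress.ip_network(n)
                 for n in ("66.220.144.0/20", "69.63.176.0/20")]
CLOSED_PORTS = {80, 443}

# Constructed sample groups (assumptions, not values from the thread).
LAN = [ipaddress.ip_network("10.20.0.0/16")]
TEACHERS = [ipaddress.ip_network("10.20.5.10/32"),
            ipaddress.ip_network("10.20.5.11/32")]


def in_group(addr, group):
    """True if addr falls inside any network of the group."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in group)


def build_rules(exempt_teachers=True):
    """Ordered FORWARD rules; the first match decides (assumed semantics)."""
    rules = []
    if exempt_teachers:
        # The exemption must come before the block, or it never matches.
        rules.append({"action": "ACCEPT", "src": TEACHERS, "dst": FACEBOOK_NETS,
                      "proto": "tcp", "ports": CLOSED_PORTS})
    rules.append({"action": "DROP", "src": LAN, "dst": FACEBOOK_NETS,
                  "proto": "tcp", "ports": CLOSED_PORTS})
    return rules


def decide(rules, src, dst, proto, dport, default="ACCEPT"):
    """Return the action for one flow, matching on address and port only."""
    for r in rules:
        if (r["proto"] == proto and dport in r["ports"]
                and in_group(src, r["src"]) and in_group(dst, r["dst"])):
            return r["action"]
    return default


if __name__ == "__main__":
    rules = build_rules()
    for flow in [("10.20.1.50", "66.220.149.11", "tcp", 443),   # student, HTTPS
                 ("10.20.5.10", "66.220.149.11", "tcp", 443),   # teacher, HTTPS
                 ("10.20.1.50", "66.220.160.1", "tcp", 443)]:   # outside the /20
        print(flow, "->", decide(rules, *flow))
```

Because the match is on destination address and port rather than URL, it covers HTTPS without any proxy setup, but only for the two networks listed in the rules.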