
FAQs for ProtexLocal Administrators

How do I set up a banned user group?

Setting up a sin-bin group is straightforward as long as you remember a few key points. The sequence is:

  1. Set up an AD group which will be banned. Users will be added to this group only when they are being denied Internet access. There is no need to remove users from their usual AD group - the profile given to this group will override their normal filter setting
  2. In the Protex interface assign the E2BN:Banned profile to this group
  3. Make sure this group/profile pair is at the top of the list. Filters are assigned from the top down: the profile assigned to the first group the user is a member of will be applied
  4. Apply the changes and restart Protex
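
The top-down, first-match rule from step 3, modelled as an added example (this is not Protex code; the group names, users and list layout are constructed for illustration). It lists users who are in the banned group but would still receive another profile because an earlier group/profile pair matches first.

```python
# Added illustration of first-match group/profile assignment.
# "InternetBanned", "Year10", "Staff" and the users are constructed names.
BANNED_PROFILE = "E2BN:Banned"

def effective_profile(user_groups, assignments, default=None):
    """Return the profile of the first (group, profile) pair the user belongs to."""
    for group, profile in assignments:
        if group in user_groups:
            return profile
    return default

def shadowed_bans(users, assignments, banned_group):
    """Users in the banned group who do not end up on the banned profile."""
    return sorted(
        name for name, groups in users.items()
        if banned_group in groups
        and effective_profile(groups, assignments) != BANNED_PROFILE
    )

# Banned users keep their usual group membership, as the FAQ describes.
USERS = {
    "alice": {"Year10"},
    "bob": {"Year10", "InternetBanned"},
    "carol": {"Staff", "InternetBanned"},
}

# Banned pair listed last: earlier pairs match first and the ban never applies.
WRONG_ORDER = [("Staff", "STAFF"), ("Year10", "SECONDARY"),
               ("InternetBanned", BANNED_PROFILE)]
# Banned pair at the top of the list, as step 3 requires.
RIGHT_ORDER = [("InternetBanned", BANNED_PROFILE),
               ("Staff", "STAFF"), ("Year10", "SECONDARY")]

if __name__ == "__main__":
    print("shadowed (wrong order):", shadowed_bans(USERS, WRONG_ORDER, "InternetBanned"))
    print("shadowed (right order):", shadowed_bans(USERS, RIGHT_ORDER, "InternetBanned"))
```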

We use Macs - is this a problem?

No - the use of a proxy to make connections to the originating web site is completely transparent to the operating system. The only difference between Mac, Linux and Windows clients is how the browsers on each desktop connected to the LAN are configured to use the Protex server, and this will also depend upon which network operating system and browser are being used.

What about viruses?

While Protex does have the facility to provide virus checking, and may do so in future, it is not currently implemented as this is a very resource-intensive operation which can have a marked impact on filtering performance.

All files downloaded to a PC (whether via the Internet, email or a USB stick) should be virus checked by the PC itself. In addition most webmail systems also perform virus and spam checking as do many Local Authorities and ISPs.

Staff want pupils to use Blogger...

Staff should set up the blogs for their students using the STAFF profile (which allows blogger/blogspot) and, once they are all created, give the network/filter manager a list of them. The addresses should be of the form blogname.blogspot.com; these individual blogs can then be added to the ContentCheck or Trusted sites lists to give pupils access to them.

Trusting the whole of blogspot.com should be avoided as there are some very unsuitable blogs hosted under this domain.

There are similar blogging sites (tumblr.com for example) where individual blogs may be made available but the whole site should not be listed as some of these blogs are certainly not suitable for students to view.

Staff want pupils to use Flickr...

The structure of the site makes it impossible to allow single accounts (e.g. a school or teacher account) to be unfiltered while still blocking the rest of the site. In order to make flickr.com available it must be added to a Trusted sites list. Which category it is added to will determine which users can access it: for example, adding it to Teaching will allow all users access while Post-16 will restrict access to users of the Sixth Form profile.

Whether a site chooses to allow flickr.com to be un-filtered will depend on the ethos of the school, the level of supervision, etc. It can certainly be a useful resource and one that students may be using at home but if allowed the Academy or School's senior management must be aware that there are some images on the site which may be considered unsuitable for viewing in school.

Students have used a Site Builder at home - why can't they work on their site in school?

If your students have created their own sites hosted on one of the many free Site Builders which are currently blocked, you can make them available in several ways. Preferably you should look at the URL of the site and see whether this particular site/account can be made available without unblocking the whole Site Builder.

However, the way companies create and maintain accounts on such sites varies (and changes from time to time) so it is not always possible to unblock individual accounts and/or sites. In this case the whole site would need to be listed, which will make all other sites built and hosted there available as well. You will need to investigate the other sites' content and then decide whether making it available in school is appropriate.

As an added complication, most of these sites require some or all of it to be available over https, which will require the site to be Trusted and not merely ContentChecked, so that no filtering at all will be possible on any of the other hosted sites.

Admin menu not working with IE9

The Protex menu is designed to work in IE9, Firefox and Chrome but it will not display correctly in IE9's compatibility mode.

If IE9's Intranet Settings have been enabled previously then it is likely that the page is being displayed in compatibility mode, as this is the IE9 default security setting for intranet sites. The exact setting to change depends to some extent on what settings have already been selected, but the following options may help find one that works for you.

(1) Go to the Tools -> Compatibility View dialog box to uncheck the item "Display intranet sites in Compatibility View"

(2) Go to Tools -> Internet options -> Security. Click on Local Intranet then on Sites. In the dialog box uncheck the item "Include all sites that bypass the proxy server".

You may need to reload the page and/or restart IE9 to enable the changes.

Pupils cannot download files...

Protex will prevent certain file types from being downloaded from non-Trusted sites (see here for more about Trusted sites, etc.). Which file types are blocked is controlled by the filter profile in use - the STAFF profile is much less strict than the student profiles.

For sites listed as Trusted no filtering at all is applied and all file types can be downloaded by all profiles.

If there are some file types you would like your pupils to be able to download that are currently blocked (.zip for example) you can create a Local Profile to allow this. See the Protex documentation for details on how to create and edit a Local Profile.

How can staff see the effect of a student profile?

If you are using AD/NTLM authentication then it is possible to allow any Group/Profile pair to change their current profile to another. This could be useful for staff to, for example, check that a site they want to use is available to their students. In the Documentation (v3) go to Profiles -> Assign by... -> NTLM based filtering for more details. Checking the "Override" box will cause a drop down menu of configured profiles to be available in the "Logged in" window. Selecting a profile here will swap the profile in use for subsequent requests.

How do I block or allow a URL for a specific profile?

There are age/profile specific categories to allow you to modify the URLs that specific profiles can access:

  • Pre-9 Block: block PRIMARY profile only
  • Pre-12 Block: block MIDDLE, PRIMARY profile
  • Pre-16 Block: block SECONDARY, MIDDLE, & PRIMARY
  • Pre-18 Block: block SIXTH FORM, SECONDARY, MIDDLE, & PRIMARY
  • Post-16 Only: allow for SIXTH FORM & STAFF only
  • Post-12 Only: allow for SECONDARY, SIXTH FORM & STAFF only
  • Post-9 Only: allow for MIDDLE, SECONDARY, SIXTH FORM & STAFF only

    As an example, suppose that you want to modify the sites that sixth formers can access. To do this, add the URL as normal in the appropriate category:

    To BLOCK a URL: Add the URL to block lists under category 'Pre-18 Block'.
    To ALLOW a URL: Add the URL to allow lists (Trusted or ContentChecked) under category 'Post-16 Only'.
    Then restart Protex to confirm the list changes.

    For other profiles the process is similar but you must remember that the (un)blocking is cumulative. For example, blocking a URL to the MIDDLE profile will also block it to the PRIMARY one. Similarly, allowing a URL to MIDDLE will allow it for the SECONDARY, SIXTH FORM and STAFF ones but not the PRIMARY profile.

How do I block a site (e.g. facebook.com) to staff?

facebook.com is set up as a ContentChecked site for adults in the central lists. To block it for all users including staff put facebook.com in the 'LocalBlockAll' category. Restart to confirm the list change.

How do I block BBC's iPlayer?

The BBC site - bbc.co.uk - is listed centrally as a trusted site, so no local changes to block parts of the BBC site will have any effect as its Trusted status will take precedence. As iPlayer will fall back to running over port 80 (by default it uses port 1935 but will try 80 and 443 if it cannot connect over that one), blocking 1935 on the firewall will have no effect.

It is possible to block iPlayer but only by removing the BBC's Trusted status and having it subject to the normal Protex filter rules so parts of the site may be blocked depending upon the content of the page. Also some file downloads will be blocked in common with other untrusted sites. Whether you see this as an advantage or disadvantage will depend upon your school.

If you still wish to block iPlayer then:

  • go to 'Add items to lists' and add bbc.co.uk to a content check category - this will override the central "trusted" status.
  • go to 'Add items to lists' and add bbc.co.uk/iplayer to the 'to block' list in the appropriate category. For example, to block to students but allow staff access then add it to the Adult category
  • Restart Protex to confirm list changes

Windows clients need to log in to Protex

By default these operating systems use NTLMv2 with NTLMv1 turned off. In order for these clients to communicate with the Protex server they must be able to use NTLMv1 when requested.

WinXP(SP2) using AD Group Policy:

Computer config > Policies > Security Settings > Local Policies > Security Options

Find Network security: LAN Manager authentication level

and set to Send LM & NTLM responses

Find Network security: Minimum session security for NTLM SSP based (including secure RPC) Clients

- check "define these policy settings"

- uncheck all other options

Windows 7 / Vista

Click Start -> Run

In the Run field type: secpol.msc - that will bring you to Vista's security policy system.

Then go to: Local Policies > Security Options

Navigate to the policy Network Security: LAN Manager authentication level and open it.

Then change the Setting from Send NTLMv2 response only

to Send LM & NTLM -- use NTLMv2 session security if negotiated.

Alternatively another very similar solution (Windows 7/Vista) appears to be:

Control Panel -> Administrative Tools -> Local Security Policy

Local Policies - Security Options

Network security: LAN Manager authentication level

Send LM & NTLM -- use NTLMv2 session security if negotiated

set: Minimum session security for NTLM SSP

and Disable Require 128-bit encryption
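
To confirm which clients actually carry the settings above, and therefore will send NTLMv1 responses, the exported local security policy can be checked offline. This is an added example, not part of the Protex documentation: it assumes the `[Registry Values]` line format of a `secedit /export` file, and the sample text is constructed.

```python
import re

# LAN Manager authentication level (LmCompatibilityLevel) values
LM_LEVELS = {
    0: "Send LM & NTLM responses",
    1: "Send LM & NTLM - use NTLMv2 session security if negotiated",
    2: "Send NTLM response only",
    3: "Send NTLMv2 response only",
    4: "Send NTLMv2 response only. Refuse LM",
    5: "Send NTLMv2 response only. Refuse LM & NTLM",
}
# Bits of NTLMMinClientSec (minimum session security for NTLM SSP clients)
MIN_SEC_FLAGS = {0x00080000: "Require NTLMv2 session security",
                 0x20000000: "Require 128-bit encryption"}
LSA = r"machine\system\currentcontrolset\control\lsa"

# Constructed sample in the style of a `secedit /export` file (assumed format)
SAMPLE = r"""[Unicode]
Unicode=yes
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,3
MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinClientSec=4,537395200
"""

def parse_registry_values(inf_text):
    """Return {lower-cased value path: int} for REG_DWORD (type 4) entries."""
    values, in_section = {}, False
    for line in map(str.strip, inf_text.splitlines()):
        if line.startswith("["):
            in_section = line.lower() == "[registry values]"
            continue
        m = re.match(r"(.+?)\s*=\s*4\s*,\s*(\d+)$", line)
        if in_section and m:
            values[m.group(1).lower()] = int(m.group(2))
    return values

def ntlm_report(inf_text):
    """Summarise the client's NTLM policy and compare it with the FAQ's settings."""
    vals = parse_registry_values(inf_text)
    level = vals.get(LSA + r"\lmcompatibilitylevel")
    min_sec = vals.get(LSA + r"\msv1_0\ntlmminclientsec", 0)
    required = [name for bit, name in MIN_SEC_FLAGS.items() if min_sec & bit]
    return {
        "level_name": LM_LEVELS.get(level, "not defined (OS default applies)"),
        "sends_ntlmv1": level is not None and level <= 2,
        "client_requires": required,
        "matches_faq": level in (0, 1) and not required,
    }
```

Calling `ntlm_report(SAMPLE)` reports a client that has not been changed as described above; the same report run across a fleet gives an inventory of machines where LM/NTLMv1 responses have been enabled.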


 
 
© 2018 E2BN Protex Limited
Protex®, E2B® and E2BN® are registered trade marks and trading names of East of England Broadband Network (Company Registration No. 04649057)