FAQs
NOTE: These FAQs are specific to issues relating to the setup of Protex Version2. More general FAQs on version 1 and the E2BN filtering policy are here
FAQ1: How do I block or allow a URL for a specific filter profile?
FAQ2: How do I set up a banned user group?
FAQ3: How do I block facebook.com to staff?
FAQ4: How do I block the BBC's iPlayer?
FAQ5: How can I tell which profile I am using?
FAQ6: My Protex server fails to connect to Windows 2008 server
FAQ7: Windows clients need to log in to Protex
FAQ1. How do I block or allow a URL for a specific filter profile?
There are age/profile specific categories to allow you to modify the URLs that specific profiles can access:
- Pre-9 Block: block PRIMARY profile only
- Pre-12 Block: block MIDDLE, PRIMARY profile
- Pre-16 Block: block SECONDARY, MIDDLE, & PRIMARY
- Pre-18 Block: block SIXTH FORM, SECONDARY, MIDDLE, & PRIMARY
- Post-16 Only: allow for SIXTH FORM & STAFF only
- Post-12 Only: allow for SECONDARY, SIXTH FORM & STAFF only
Post-9 Only: allow for MIDDLE, SECONDARY, SIXTH FORM & STAFF only
As an example, suppose that you want to modify the sites that sixth formers can access. To do this, add the URL as normal in the appropriate category:
To BLOCK a URL: Add the URL to block lists under category 'Pre-18 Block'. To ALLOW a URL: Add the URL to allow lists (Tusted or ContentChecked) under category 'Post-16 Only'. Then restart Protex to confirm the list changes.
For other profiles the process is similar but you must remember that the (un)blocking is cumulative. For example, blocking a URL to the MIDDLE profile will also block it to the PRIMARY one. Similarly, allowing a URL to MIDDLE will allow it for the SECONDARY, SIXTH FORM and STAFF ones but not the PRIMARY profile.
FAQ2: How do I set up a banned user group?
Setting up a sin-bin is straightforward as long as you remember a few key points. The screencast below shows you how to do the Protex side of it once you have set up your AD group. So the sequence is:
- set up an AD group which will be banned. Users will be added to this group only when they are being denied Internet access. There is no need to remove users from their usual AD group - the profile given to this group will override their normal filter setting
- In the Protex interface assign the E2BN:Banned profile to this group
- Make sure this group/profile pair is at the top of the list. Filters are assigned from the top down - the profile assigned to the first group the user is a member of will be applied
- Reconfigure Protex
FAQ3: How do I block facebook.com to staff?
facebook.com is set up as a ContentChecked site for adults in the central lists. This means that if you put facebook.com in the 'LocalBlockAll' category locally it will still be available to staff users as its central 'greylisting' will take precedence. So to block it to all users you must delist it from the rbc list.
- go to 'Advanced Options' > 'Remove from Blacklists' and de-list facebook.com more...
- go to 'Add items to lists' and add facebook.com to the 'to block' list under the 'LocalBlockAll' category more...
- Restart to confirm list changes more...
FAQ4: How do I block the BBC's iPlayer?
The BBC site - bbc.co.uk - is listed centrally as a trusted site so no local changes to block parts of the BBC site will have any effect as its Trusted status will take precedence. As iPlayer will fall back to running over port 80 (by default it uses port 1935 but will try 80 an 443 if it cannot connect over that one) blocking 1935 on the firewall will have no effect.
It is possible to block iPlayer but only by removing the BBC's Trusted status and having it subject to the normal Protex filter rules so parts of the site may be blocked depending upon the content of the page. Also some file downloads will be blocked in common with other untrusted sites. Whether you see this as an advantage or disadvantage will depend upon your school.
If you still wish to block iPlayer then:
- go to 'Advanced Options' > 'Remove from Blacklists' and delist bbc.co.uk more...
- go to 'Add items to lists' and add bbc.co.uk/iplayer to the 'to block' list in the appropriate category. For example, to block to students but allow staff access then add it to the Adult category more...
- Restart protex to confirm list changes more...
FAQ5: How can I tell which profile I am using?
Many of the most common filtering issues arise because the school and/or staff are using the wrong filter profile. It is very important that staff access the STAFF profile as this allows downloads from untrusted sites (e.g. .zip files); allows access to some site which use only an IP address and not a full domain name and has a higher weighted phrase threshold for blocking than the student profiles do.
To check which profile is in use at any time try to access the following URL while using Protex filtering.
CHECK PROFILE: http://pleaseblockme.site. The family of the profile in place is indicated by the body colour of the block page as follows:
PRIMARY |
MIDDLE |
SECONDARY |
STAFF |
FAQ6: My Protex server fails to connect to Windows 2008 server
This fix from Appliansys:
Microsoft Vista/2008 heightened their default security settings - the new minimum level is NTLM v2 only. This stops the current release of Protex/Appliansys servers communicating correctly.
The fix is to relax the minimum allowed level of security. I think this is relevant: http://support.microsoft.com/kb/954387
The following may also work:
Click Start -> Run
In the Run field type: secpol.msc - that will bring you to Vista's security policy system.
Then go to: Local Policies > Security Options
Find Network Security: LAN Manager - authentication level.
Then change the Setting from Send NTLMv2 response only to Send LM & NTLM -- use NTLMv2 session security if negotiated.
You may also need to make the following Registry changes:
HKLM\System\CurrentControlSet\Control\LSA\SuppressExtendedProtection (REG_DWORD) = 1
HKLM\System\CurrentControlSet\Control\LSA\LmCompatibilityLevel (REG_DWORD) = 3
If your server is running Windows 2008 R2 you may additionally need to make a further registry change as Windowx2008 does not support NTLMv1 out of the box:
HKLM\Software\Policies\Microsoft\Netlogon\Parameters\AllowNT4Crypto (REG_DWORD) = 1
FAQ7: Windows clients need to log in to Protex
This is a similar problem to FAQ6 and affects Windows XP(SP2), Windows Vista, and Windows 7
By default these operating systems use NTLMv2 with NTLMv1 turned off. In order for these clients to communicate with the Protex server they must be able to use NTLMv1 when requested.
WinXP(SP2) using AD Group Policy:
Computer config > Policies > Security Settings > Local Policies > Security Options
Find Network security: LAN Manager authentication level
and set to Send LM & NTLM responses
Find Network security: Minimum session security for NTLM SSP based (including secure RPC) Clients
- check **define these policy settings**
- uncheck all other options
Windows 7 / Vista
Click Start -> Run
In the Run field type: secpol.msc - that will bring you to Vista's security policy system.
Then go to: Local Policies > Security Options
Navigate to the policy Network Security: LAN Manager authentication level and open it.
Then change the Setting from Send NTLMv2 response only
to Send LM & NTLM -- use NTLMv2 session security if negotiated.
Alternatively another very similar solution (Windows 7/Vista) appears to be:
Control Panel -> Administrative Tools -> Local Security Policy
Local Policies - Security Options
Network security: LAN Manager authentication level
Send LM & NTLM -- use NTLMv2 session security if negotiated
set: Minimum session security for NTLM SSP
and Disable Require 128-bit encryption