Authentication Methods
Three methods of deciding which filter profile to use are currently implemented. The following outlines each of them and how they interact.
Port based authentication
This is the default method: each profile is assigned a port, so clients connecting to the Protex server on that port are filtered with the corresponding profile. By default the STAFF profile is assigned to port 8084 and the appropriate student profile to port 8080. Protex offers a wide range of profiles "out of the box", and up to 10 profiles can be assigned to different ports (8080-8089). Clicking on Configure... takes you to a dialog box where these assignments can be made.
Location based authentication
In some situations it is more convenient to assign a particular profile to a particular group of computers, in the Library or Staff room perhaps. Here you can create locations (groups of computers) by specifying their IP addresses. Once the locations have been created, a filter profile can be allocated to each of them.
NTLM (Active Directory integration)
If there is an MS Active Directory server on the network Protex can be integrated with it so that filter profiles can be assigned to users based on their AD group. In addition their network username will appear in the logs. There are two stages to setting up NTLM authentication:
- Set up the Protex server to join the AD domain
- Assign a filter profile to at least one AD group
In addition to assigning filter profiles via your existing AD groups, this scheme also offers the facility to automatically modify the filter profile assigned to a group according to the time of day. For example, timebands can be set for lesson time and lunchtime so that games are allowed during lunchtime but blocked during lessons. There is more detail on setting up timebands here.
Note that these three mechanisms are not mutually exclusive: it is perfectly possible for all three methods to be used at the same time. For example, port 8080 can be left as the default for NTLM authentication while each of 8081-8084 is used for Port based authentication, and particular computers are assigned profiles based on their IP address. The profile actually applied to a user then depends on the port their browser is configured to use (perhaps via a Group Policy in the AD) and which computer they are using.
The authentication mechanisms are applied in the order listed above, with the following precedence rules:
- users at a computer in a defined location will receive the profile associated with that location
- users directed to a particular port will have the profile associated with that port, unless they are using a computer in a defined location, in which case the location profile takes precedence
- for users directed to the authentication port:
  - Protex first determines whether the host is in one of the defined locations
  - If it is, the profile associated with that location is applied
  - If not, one of two things may happen:
    - If NTLM/AD authentication IS being used, the user has the profile associated with their AD group applied (or the default profile if they are not in a group which has a filter profile assigned to it)
    - If NTLM/AD authentication has NOT been set up, the default profile is applied.
The interaction between NTLM and Location based authentication is particularly important to understand: the priority of location over NTLM group has implications for how the locations are set up in each case.
For sites NOT using NTLM based authentication the use of locations can provide a way to apply a profile to users which depends upon where they are: whether they are, for example, in a particular classroom, the library, or staffroom. Clearly there will be no personal identification of the user in the filter server logs but the combination of Group Policies, Location and Port based filter authentication can be used to provide a good level of control over who gets which profile.
If sites DO use NTLM based authentication then locations should be used more sparingly: for specific locations where there is no requirement for network login (an open access kiosk in the foyer for example). If they are used too broadly (a "whole-school" location for example) then NTLM authentication will never be reached as the location will always take precedence.
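The precedence rules above, and the "whole-school location shadows NTLM" pitfall, are easiest to reason about as a small resolver. The following is an added example written for this page, not Protex's own code: the configuration tables, function names, AD group names, CIDR ranges and the HH:MM timeband format are all assumptions made for the illustration, and the treatment of a port with no assignment (fall back to the default profile) is likewise an assumption rather than documented Protex behaviour.

```python
"""Illustrative resolver for Protex-style filter profile selection.

Added example, not Protex's own code.  The configuration tables, function
names and sample addresses below are assumptions made for this example; the
precedence they implement follows the documentation: location, then port,
then AD group (with timeband override), then the default profile.
"""
from datetime import time
from ipaddress import ip_address, ip_network

DEFAULT_PROFILE = "STUDENT"      # applied when nothing more specific matches
AUTH_PORT = 8080                 # the NTLM/AD authentication port (page default)
PORT_PROFILES = {                # port based assignments (ports 8080-8089)
    8084: "STAFF",               # page default for the STAFF profile
    8081: "SIXTHFORM",           # assumed extra port based profile
}
# Location based assignments: (name, CIDR, profile).  Constructed sample data.
LOCATIONS = [
    ("Library", "10.1.20.0/24", "LIBRARY"),
    ("Foyer kiosk", "10.1.30.5/32", "KIOSK"),
]
GROUP_PROFILES = {               # AD group -> profile (assumed group names)
    "Staff": "STAFF",
    "Year11": "YEAR11",
}
# Timebands: group -> list of (start, end, profile) in HH:MM (assumed format).
TIMEBANDS = {
    "Year11": [("12:30", "13:30", "YEAR11_LUNCH")],
}


def location_profile(client_ip, locations=LOCATIONS):
    """Profile of the first configured location containing client_ip, else None."""
    addr = ip_address(client_ip)
    for _name, cidr, profile in locations:
        if addr in ip_network(cidr):
            return profile
    return None


def group_profile(ad_groups, now):
    """Profile for the first AD group that has an assignment, after timebands.

    now is a datetime.time; a timeband whose window contains it overrides the
    group's normal profile (the lunchtime/lesson-time case in the text).
    """
    for group in ad_groups:
        if group not in GROUP_PROFILES:
            continue
        for start, end, profile in TIMEBANDS.get(group, []):
            if time.fromisoformat(start) <= now < time.fromisoformat(end):
                return profile
        return GROUP_PROFILES[group]
    return None


def select_profile(client_ip, port, ad_groups=(), now="10:00", ntlm_enabled=True):
    """Resolve the filter profile for one request in the documented precedence.

    ad_groups are the AD groups NTLM authentication reported for the user
    (empty when the user did not authenticate); now is the time of day, HH:MM.
    """
    # 1. A defined location always wins, whatever port or AD group is in play.
    profile = location_profile(client_ip)
    if profile is not None:
        return profile
    # 2. A port with its own profile assignment.
    if port in PORT_PROFILES:
        return PORT_PROFILES[port]
    # 3. The authentication port: AD group (with timeband), otherwise the default.
    if port == AUTH_PORT and ntlm_enabled:
        profile = group_profile(ad_groups, time.fromisoformat(now))
        if profile is not None:
            return profile
    # 4. Nothing more specific applied (also covers an unassigned port; assumption).
    return DEFAULT_PROFILE


def overly_broad_locations(locations=LOCATIONS, max_hosts=256):
    """Names of locations so large they would shadow NTLM for most clients.

    The text warns that a "whole-school" location means NTLM is never reached;
    the 256-address threshold is an assumed sanity limit, not a Protex setting.
    """
    return [name for name, cidr, _profile in locations
            if ip_network(cidr).num_addresses > max_hosts]
```

Run `select_profile("10.1.20.15", 8084, ["Staff"])` and the Library location wins over both the STAFF port and the Staff AD group, which is exactly why a broad location silently disables NTLM-based assignment; `overly_broad_locations()` is the kind of sanity check worth running before going live with a locations table.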
In general when setting up any of the authentication mechanisms it is best to work by exceptions. In other words when setting up the basic configuration set the defaults first and then gradually add exceptions. For example set the default profile; then add any specific locations required, any port based profiles required or assign filter profiles to AD groups.