Network Managers, how do you filter net usage?

Hi.
I'm appealing to fellow network managers to ask how you all filter internet usage at your place of work.

Basically, at the moment, everything goes through our proxy server, that runs 'SurfControl'. Now, it's possible to block by rooms if static IPs are used, but the problem I'm facing is the fact that I'm gonna have a significantly higher workload having to do that every hour of the day at lesson changeover, as I'm gonna have to click about 10-15 room sets, multiple times, each hour.

I'm looking for suggestions for improvements, how you handle it, and what software you use to combat the problem.

Thanks in advance all.
 
We use a system called Websense at my workplace. Couldn't tell you much about it as I don't manage it. But it is really good as to allowing us to block websites at certain times of the day and incorporates itself into AD, allowing you to block specific users, not just IPs.
 
We use a Blue Coat proxy server which runs Blue Coat's own content filtering database, although others such as SurfControl and WebSense are supported. What is it that you're trying to block exactly? On the Blue Coats you can block whole site categories so providing the database is kept up-to-date, that alone is pretty good at making sure you block all shopping sites, porn sites, etc. We have the Blue Coat tied in with Active Directory so that you need to be logged into a machine on the domain in order to get access through the proxy server (well, if you're not on the domain you get a login prompt anyway).

So, what is it you're trying to block? Is it certain sites, individual users or just entire machines? Our AD is set up so that sales are in their own group, technical are in their own group, warehouse are in their own group, etc. so the whole of technical can be given different access rights to sales. Which proxy server are you using and do you use Active Directory at all? If so, is it not possible to create AD groups and then block according to that?
 
CensorNet v3 - we swear by it. :-)

Had it running now for over 2 years with great success. You can enable/disable workstations from using the net at certain times, assign profiles, blacklist, whitelist... the list goes on.

Great piece of kit and best of all... it's FREEEEEEEEEEEEEEEE - Open Source. :-)
 
Phemo said:
So, what is it you're trying to block?
We want to be able to block groups of computers from accessing the internet as/when needed.
That NetSupport Software that has been suggested though looks the ticket! :).

So just to confirm, from the 'teacher' computer, it would be possible for the teacher to block access to the internet to the entire room with the click of a button? And it wouldn't interfere with normal web filtering on the server?
 
BoomAM said:
We want to be able to block groups of computers from accessing the internet as/when needed.
That NetSupport Software that has been suggested though looks the ticket! :).

So just to confirm, from the 'teacher' computer, it would be possible for the teacher to block access to the internet to the entire room with the click of a button? And it wouldn't interfere with normal web filtering on the server?

Should do, yup, my school was running an RM programme that did that, the teachers could block access by individual PC, or the whole room.

I don't see why it would interfere with the filtering, I assume it just blocks access to the authentication server (if you have one) or something.
 
WotDa said:
Should do, yup, my school was running an RM programme that did that, the teachers could block access by individual PC, or the whole room.

I don't see why it would interfere with the filtering, I assume it just blocks access to the authentication server (if you have one) or something.
Thanks. Might download the trial version and see how it goes. :)

More suggestions are still welcome though. :)
 
Well, I'm quite impressed with it tbh.
The only 2 flaws I can see are:
-- 'Teacher' machines can control other teacher machines. Meaning that I can't have the client running on my workstation next to the server to remote fix things without others perhaps seeing what I'm doing. :( (spying on the spyer :p)
-- The deploy applet doesn't let me set the student machines to quiet/silent mode so it's all invisible to the kids. Meaning I have to manually install it on each station.

Other than that though, impressed thus far, as is the teacher who's testing it.
 
If you have the money go for BlueCoat Proxy. The dogs danglies of all Proxy servers and, as stated elsewhere in this post, they can do pretty much anything.

Obviously from what you're saying you work in some kind of school / university - to block rooms would mean creating groups on the proxy for each individual room by the netbios name or IP range (which could be a pain if you have a hundred rooms).

However I still think Bluecoat is the way forward.



M.
 
Unfortunately, the Bluecoat thing looks like it won't do what we want it to.
We can already technically block by sets of computers, it's just a job and a half to do because I'd have to go and set every computer to static IPs.
Plus, this NetSupport Schools thing is pretty good, and up to now, the pros far outweigh the cons.
If I could make it so the server can't be viewed/controlled, but it can view/control other stations, then it'd be near perfect.
 
ruffneck said:
Your school's IT are stupid then because as a user you should have no access to task manager, hardly net-support's fault

Indeed they are, my old school used to lock everything down, they even stopped a good 50% of us emailing each other. :p

However, I will share this with you, anyone who hates RM Tutor 2, you can ctrl + alt + del your way out of it if you use a windows + d after.
 
BoomAM said:
Unfortunately, the Bluecoat thing looks like it won't do what we want it to.
We can already technically block by sets of computers, it's just a job and a half to do because I'd have to go and set every computer to static IPs.
Plus, this NetSupport Schools thing is pretty good, and up to now, the pros far outweigh the cons.
If I could make it so the server can't be viewed/controlled, but it can view/control other stations, then it'd be near perfect.

You could block by the Netbios name rather than IP thus you shouldn't need to assign statics.
 
If you're not already using group policy then this is going to be a no go but I'll say it anyway.

Create two OUs with the computer rooms in there with the computer names in there, then create a group policy whereby nobody can access internet tools and point their proxy server at say 0.0.0.0 or 1.1.1.1 and then enforce it. When you want to disable it, simply move them to the other OU with it turned off with the right settings in there (i.e. no proxy) and then within 15 mins, or however fast you have GPrefresh on, you'll have no or full net access.


M
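
The OU swap described in the post above can be scripted so that a whole room is switched with one command; this is an added PowerShell example, not part of the original thread. The OU distinguished names and the room-prefix computer naming scheme are assumptions, and it relies on the ActiveDirectory module's Get-ADComputer and Move-ADObject cmdlets.

```powershell
#Requires -Modules ActiveDirectory
# Added illustration. The OU paths and the 'ROOM12-' style naming scheme are
# hypothetical; substitute the values used in your own domain.
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)][string]$RoomPrefix,                # e.g. 'ROOM12-'
    [Parameter(Mandatory)][ValidateSet('Block', 'Allow')][string]$Action,
    [string]$BlockedOU = 'OU=NoInternet,OU=Classrooms,DC=school,DC=example',
    [string]$AllowedOU = 'OU=Internet,OU=Classrooms,DC=school,DC=example'
)

# Reject anything that is not a plain hostname prefix before it reaches the
# AD filter string (quotes or wildcards would widen the match).
if ($RoomPrefix -notmatch '^[A-Za-z0-9-]+$') {
    throw "Unexpected characters in room prefix: $RoomPrefix"
}

# Blocking moves machines from the allowed OU to the blocked OU, and vice versa.
$source, $target = if ($Action -eq 'Block') { $AllowedOU, $BlockedOU }
                   else                     { $BlockedOU, $AllowedOU }

# Only look at computers sitting directly in the source OU.
$computers = Get-ADComputer -Filter "Name -like '$RoomPrefix*'" `
                            -SearchBase $source -SearchScope OneLevel

if (-not $computers) {
    Write-Warning "No computers matching '$RoomPrefix*' found in $source"
    return
}

foreach ($c in $computers) {
    # -WhatIf on the script shows what would move without changing anything.
    if ($PSCmdlet.ShouldProcess($c.Name, "Move to $target")) {
        Move-ADObject -Identity $c.DistinguishedName -TargetPath $target
        # One line per move so changes can be reviewed or logged afterwards.
        Write-Output ('{0:s} {1} {2} -> {3} by {4}' -f (Get-Date), $Action,
                      $c.Name, $target, $env:USERNAME)
    }
}
# Clients apply the new OU's policy at their next Group Policy refresh.
```

A dead proxy address only restricts clients if users cannot change the setting and the firewall refuses direct outbound web traffic from the classroom subnets. Proxy settings are per-user policy, so applying them by computer OU needs Group Policy loopback processing enabled on that OU's GPO.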
 