Fort Atkinson: Multi-layer Internet Explorer Filtering, October 22, 2007

The short of it is:

Active Directory forces all students to use our Squid proxy server when using IE.

            The Squid server caches content to reduce bandwidth.

            The Squid server has its own filtering tools. These tools are optional.

            The Squid server is using OpenDNS for its DNS.

OpenDNS can be customized to be very restrictive.

Step 1

Set up an account with OpenDNS. Pay attention to the IP number you assign to this account. After we did a little testing of OpenDNS, we used one-to-one NAT on our firewall to attach this number to our Squid proxy server.

Step 2

Set up a proxy server. We used a standard Linux install with the proxy server Squid, but I imagine any proxy server would do. You will eventually set up the DNS on this box to point to OpenDNS.

It is not too difficult to do this with Linux, even if you have never touched Linux before. If you find a Linux guru, it can be done in about an hour. Have the GUI interface installed; it will make it easier to work with. An additional filter, SquidGuard, can be added to Squid. If you know anything about Linux, you know it will work well on a computer you salvage off of the scrap heap. A Pentium III with 256 MB of memory will probably work fine. We are using a four-year-old P4.

Step 3

In Active Directory we pointed the ‘students’ Organizational Unit to the Squid server by creating a Group Policy:

    User Configuration
        Windows Settings
            Internet Explorer Maintenance
                Connection
                    Proxy Settings

Here we enabled Proxy settings and pointed ‘all addresses’ to the Squid IP at the appropriate port. We excluded our local domain here and on the Squid.
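A quick way to confirm that the Group Policy took effect, and that the caching mentioned in the overview is actually happening, is to look at who is arriving at the Squid and how many requests it serves from cache. The script below is an added example and is not part of the department's writeup; the access.log lines, the student range 10.1.20.0/24 and the stray address 192.168.5.9 are constructed for illustration, and the field layout is Squid's native access.log format.

```shell
#!/bin/sh
# Added example (not from the Fort Atkinson writeup): sanity-check the Squid
# access.log after the Group Policy is applied.  The sample lines, the student
# range 10.1.20.0/24 and the stray address 192.168.5.9 are constructed.

# Constructed Squid native access.log lines:
#   time elapsed client action/status size method URL ident hierarchy/from type
sample_log() {
  cat <<'EOF'
1193059200.123    245 10.1.20.15 TCP_MISS/200 15342 GET http://www.example.org/ - DIRECT/93.184.216.34 text/html
1193059201.456      3 10.1.20.15 TCP_HIT/200 15342 GET http://www.example.org/ - NONE/- text/html
1193059202.789    120 10.1.20.33 TCP_MISS/200 8211 GET http://www.fortschools.org/news.html - DIRECT/10.1.1.5 text/html
1193059203.001     90 10.1.20.33 TCP_MISS/200 8250 GET http://www.fortschools.org/news.html - DIRECT/10.1.1.5 text/html
1193059204.555    310 192.168.5.9 TCP_MISS/200 4410 GET http://www.example.net/ - DIRECT/93.184.216.35 text/html
EOF
}

# clients_seen: requests per client address (stdin = access.log)
clients_seen() {
  awk '{ n[$3]++ } END { for (ip in n) print ip, n[ip] }' | sort
}

# clients_outside PREFIX: clients whose address does not start with PREFIX,
# i.e. machines that reached the proxy from outside the student range
clients_outside() {
  awk -v p="$1" 'index($3, p) != 1 { seen[$3] = 1 } END { for (ip in seen) print ip }' | sort
}

# hit_ratio: whole-number percentage of requests served from cache
# (TCP_HIT, TCP_MEM_HIT, ...), the bandwidth saving the writeup relies on
hit_ratio() {
  awk '{ n++; if ($4 ~ /_HIT\//) h++ }
       END { if (n == 0) print 0; else printf "%d\n", (h * 100) / n }'
}

# local_misses DOMAIN: fetches of the school's own pages that were not served
# from cache, which is what you expect once the local domain is excluded
local_misses() {
  awk -v d="$1" '$7 ~ d && $4 ~ /^TCP_MISS\// { c++ } END { print c + 0 }'
}

# Typical run against the live log on the proxy:
#   clients_outside 10.1.20. < /var/log/squid/access.log
#   hit_ratio < /var/log/squid/access.log
```

A student machine missing from clients_seen, or an address showing up in clients_outside, is the first sign that a browser is not honouring the policy; the later "Full Proxy" section deals with that at the firewall.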


That’s it. You will have to fill in some gaps yourself on most of the items, but it is not rocket science.

Good luck,
Fort Atkinson Computer Technology Department

Graphic Representation [diagram not reproduced in this text]

Other issues and solutions:

There are still a few things we are concerned about but which haven’t surfaced yet:

            We have not found a way to point all Firefox installations to our Squid. (This is solved in "Fort Atkinson, the Full Proxy" below.)

            Students pointing to their own private proxy at home.

            Pointing our Macs to the Squid without visiting every one of them.

Problem:

A teacher was updating his local web pages multiple times during the day, but the changes were not showing up for students.

Reason:

Squid was caching content, so students were not seeing the new content.

Solution:

We excluded the local domain (www.fortschools.org and fortschools.org) from using the proxy in Active Directory (we don’t think that this did anything). Also, we excluded the local domain in the Squid settings.

Problem:

Our libraries are served off of a local computer running the Tomcat web server (hs.fortschools.org). Students were unable to get to this library web server. It worked for teachers and others because the local DNS assigns hs.fortschools.org a local IP number.

Reason:

Students using the Squid (and OpenDNS) were trying to reach the site by going out to the Internet and back in. No outside DNS entry existed for hs.fortschools.org.

Solution:

We added entries to the HOSTS file on the Squid server for all local servers. All entries pointed to local IP numbers. We also made further exclusions in Active Directory. We do not think that this does anything.
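Both fixes above, plus the "point DNS at OpenDNS" part of Step 2, live on the Squid box. The script below is an added illustration and not the department's own configuration: it writes the relevant squid.conf directives and hosts entries into a directory of your choice so they can be reviewed before being appended to the live config. The two resolver addresses are OpenDNS's public ones; the directive names (dns_nameservers, hosts_file, acl dstdomain, cache deny) are those of Squid 2.6 and later; the address 10.1.1.5 in the usage comment and the /etc/squid path are assumptions.

```shell
#!/bin/sh
# Added example (not the school's own config): generate the Squid-side
# settings for the caching and local-DNS problems.  Directive names are
# Squid 2.6+; the address 10.1.1.5 in the usage comment is constructed.

LOCAL_DOMAIN="${LOCAL_DOMAIN:-fortschools.org}"
# OpenDNS public resolvers; the filtering applied is whatever the OpenDNS
# account bound to the proxy's public IP (Step 1) says
OPENDNS_RESOLVERS="${OPENDNS_RESOLVERS:-208.67.222.222 208.67.220.220}"

# write_squid_fragment DIR: writes DIR/squid-local.conf, to append to squid.conf
write_squid_fragment() {
  dir="$1"
  cat > "$dir/squid-local.conf" <<EOF
# Resolve through OpenDNS so its filtering applies to every proxied request
dns_nameservers $OPENDNS_RESOLVERS

# Squid checks this file before asking DNS: local servers with no public
# record (hs.fortschools.org) resolve to their inside address here
hosts_file $dir/hosts

# Never cache the school's own web servers, so edits made during the day
# reach students immediately
acl localdomain dstdomain .$LOCAL_DOMAIN
cache deny localdomain
EOF
}

# add_local_host DIR IP NAME: append one server to the hosts file Squid reads
add_local_host() {
  dir="$1"; ip="$2"; name="$3"
  # refuse a public address: the whole point of the entry is to stay inside
  case "$ip" in
    10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) ;;
    *) echo "add_local_host: $ip is not a private address" >&2; return 1 ;;
  esac
  printf '%s\t%s\n' "$ip" "$name" >> "$dir/hosts"
}

# resolve_local DIR NAME: the address Squid will use for NAME, from the hosts file
resolve_local() {
  awk -v n="$2" '$2 == n { print $1; exit }' "$1/hosts" 2>/dev/null
}

# is_uncached DIR HOSTNAME: does the fragment's dstdomain ACL cover HOSTNAME?
is_uncached() {
  dom=$(awk '/^acl localdomain dstdomain/ { print $4 }' "$1/squid-local.conf")
  case "$2" in
    *"$dom"|"${dom#.}") return 0 ;;
    *) return 1 ;;
  esac
}

# Usage on the proxy (paths are an assumption; adjust to your install):
#   write_squid_fragment /etc/squid
#   add_local_host /etc/squid 10.1.1.5 hs.fortschools.org
#   cat /etc/squid/squid-local.conf >> /etc/squid/squid.conf
#   squid -k parse && squid -k reconfigure
```

Two things the fragment does not do: it does not change /etc/resolv.conf, so the Linux box itself still resolves through whatever the OS is configured for (only Squid's lookups go to OpenDNS), and hosts_file only helps Squid, so a student machine that is not using the proxy still needs the local DNS server for hs.fortschools.org.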


Fort Atkinson, the Full Proxy

Although the above scheme works very well for Internet Explorer, it leaves a security hole open for Firefox (and also Safari, Opera and others). In addition, it does not proxy non-students. To close this hole and proxy all other users, try this.

Second Proxy server

Set up a second proxy server that does not use OpenDNS, or that uses OpenDNS with a different IP and less restrictive settings. This proxy server is to be used by all non-students.

Create Group Policy

At the root level, create another Group Policy to direct all users to this second, non-student proxy server. The Group Policy on the students’ Organizational Unit will still point students to the more restrictive student proxy server.

Modify rules on firewall

Restrict HTTP traffic on your firewall to only your proxy servers. This forces all web traffic on your network to go through the proxy servers and closes the hole of users with Firefox or other browsers bypassing them.
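The firewall rule set described above, written for a Linux firewall using iptables, as an added example that is not the school's own firewall configuration. The inside interface name eth1, the proxy addresses given on the command line and the decision to cover port 443 alongside 80 are assumptions; the script prints the rules so they can be reviewed and executes them only when APPLY=1 is set. Connections that would have bypassed the proxy are logged before being dropped, which gives the department a record of which machines tried.

```shell
#!/bin/sh
# Added example (not the school's firewall config): generate the rules that
# let web traffic out only from the proxy servers.  eth1 as the inside
# interface and port 443 next to 80 are assumptions; proxy addresses come
# from the command line.

LAN_IF="${LAN_IF:-eth1}"          # inside (LAN) interface, assumption
WEB_PORTS="${WEB_PORTS:-80,443}"  # 443 too, or a browser simply switches to https

# build_rules PROXY_IP...: print the iptables commands without running them
build_rules() {
  [ $# -ge 1 ] || { echo "usage: build_rules PROXY_IP..." >&2; return 1; }
  echo "iptables -N PROXY_ONLY"
  # every web-bound connection from the LAN is judged in the PROXY_ONLY chain
  echo "iptables -A FORWARD -i $LAN_IF -p tcp -m multiport --dports $WEB_PORTS -j PROXY_ONLY"
  for ip in "$@"; do
    echo "iptables -A PROXY_ONLY -s $ip -j ACCEPT"
  done
  # anything else is a browser that bypassed the proxy: log it, then drop it
  echo "iptables -A PROXY_ONLY -m limit --limit 5/min -j LOG --log-prefix \"proxy-bypass: \""
  echo "iptables -A PROXY_ONLY -j DROP"
}

# accept_count PROXY_IP...: one ACCEPT per proxy, a quick check on the input
accept_count() { build_rules "$@" | grep -c -- '-j ACCEPT'; }

# rule_for IP PROXY_IP...: ACCEPT or DROP, what the generated chain does to a
# web connection from IP (same first-match order as the chain)
rule_for() {
  src="$1"; shift
  for ip in "$@"; do
    [ "$src" = "$ip" ] && { echo ACCEPT; return 0; }
  done
  echo DROP
}

# apply_rules PROXY_IP...: print the rules, or execute them when APPLY=1
apply_rules() {
  if [ "${APPLY:-0}" = "1" ]; then
    build_rules "$@" | sh -e
  else
    build_rules "$@"
  fi
}

# Review first:            apply_rules 10.1.1.10 10.1.1.11
# Then, on the firewall:   APPLY=1 apply_rules 10.1.1.10 10.1.1.11
```

The rules only touch ports 80 and 443, so the proxies can still reach OpenDNS on port 53 and the existing rules for other services are unaffected; if the firewall already has a default DROP on FORWARD, the PROXY_ONLY chain is simply where the web exception lives.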