Summary
We see lots of people with non-ideal setups for appliances with multiple Filter Sets (appliances that do authentication). This article will help you learn the best ways to set up and manage multiple Filter Sets.
Start With The Provided Filter Sets
When you get your appliance, we give you two Filter Sets by default. Depending on the branding of your product the names will vary, but the concept is that there is one Filter Set for Administrators (“SSB_Administrators” for example) and one Filter Set for everyone else (“SSB_Users” for example). These Filter Sets cannot be deleted. So instead of having them “hang around” and clutter up the appliance, you might as well use them.
The “SSB_Users” Filter Set is the Filter Set that will be used if/when authentication gets turned off. This should be used as your most restrictive Filter Set. If you are a school, the best way to use this is to rename it to “SSB_Students” and use it for your students.
The “SSB_Administrators” Filter Set cannot be renamed. You should make a group on your network called “SSB_Administrators” and put the users who need to be almost 100% unfiltered in this group. In this Filter Set, you should have at least the following lists turned on:
- Safe Sites
- Hacking
- Phishing
- Pornography
- Proxy
- Virus Infected
- Warez
Filter Sets / Group Overload
The best way to set up your Filter Sets when using a form of authentication that connects into your existing network (NTLM, LDAP, etc.) is to create new groups that are used for the sole purpose of controlling how their members will be filtered. Keep these groups following a standard naming scheme. For example, SSB_Administrators, SSB_Teachers, SSB_Staff, SSB_Students, etc. If you follow this simple tip, you’ll save yourself lots of potential problems and complications down the road, and gain much more flexibility when controlling how your users are filtered.
- By starting all your groups with the same thing (“SSB_” for example), it’s easy to look at the properties of a user and see if they are allowed access to the Internet. If they aren’t in a group that starts with that, then they will be denied.
- By creating new security groups instead of overloading your existing security groups, you eliminate problems with users being in two Filter Sets, which creates erratic filtering behavior. For example, if your teachers are also in your students group since they need access to some shared folders, and your Filter Sets are “teachers” and “students”, it is a 50/50 guess which Filter Set your teachers will be in. SecureSchool gets the group membership from your domain, and the first match it finds is the one it uses. The order changes quite frequently, so your effective Filter Set will frequently change.
- New security groups also solve the need for duplicate Filter Sets. For example, if you use your existing groups called “Teachers” and “Staff”, you have to make a Filter Set for each of them. However, both groups of people probably need the same things unfiltered. Minimizing the number of Filter Sets makes your job easier when adding and deleting sites, and makes restarts faster since only one Filter Set needs to restart instead of two.
A more extreme example would be if you used groups like “ClassOf20”, “ClassOf19”, “ClassOf18”, “ClassOf17”, and so on. You need to step back from what is currently happening and determine what the better way to solve the problem is. Do those 4 groups of people REALLY need different Filter Sets? Would it hurt at all if “ClassOf17” got to a games site that you unblocked for “ClassOf18”? This is a simple consolidation. By making one Filter Set called “SSB_Students”, you have drastically cut down on restart times, as well as management complexity.
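The following audit is an added example, not part of the original article or the product's own code. It flags users who belong to no “SSB_” group (denied, per the naming tip above) or to more than one (ambiguous), and shows why overloaded groups give an unstable result. The membership data is constructed, and `first_match` is a simplified model of the first-match behavior described above.

```python
from itertools import permutations

PREFIX = "SSB_"  # naming scheme recommended in the article

# Constructed sample data: user -> groups as returned by the directory.
MEMBERSHIPS = {
    "alice": ["Domain Users", "SSB_Administrators"],
    "bob": ["Domain Users", "SSB_Staff", "SharedFolders"],
    "carol": ["SSB_Staff", "Domain Users", "SSB_Students"],
    "dave": ["Domain Users", "SharedFolders"],
}

def filter_groups(groups, prefix=PREFIX):
    """Groups that exist only to select a Filter Set."""
    return sorted(g for g in groups if g.startswith(prefix))

def first_match(groups, filter_sets):
    """Simplified model: the first group that names a Filter Set wins."""
    return next((g for g in groups if g in filter_sets), None)

def possible_filter_sets(groups, filter_sets):
    """Every Filter Set a user could land in as the group order changes."""
    return {first_match(p, filter_sets) for p in permutations(groups)}

def audit(memberships, prefix=PREFIX):
    """Classify each user: ok (one group), denied (none), ambiguous (several)."""
    report = {}
    for user, groups in memberships.items():
        hits = filter_groups(groups, prefix)
        status = "ok" if len(hits) == 1 else "denied" if not hits else "ambiguous"
        report[user] = (status, hits)
    return report

if __name__ == "__main__":
    for user, (status, hits) in sorted(audit(MEMBERSHIPS).items()):
        print(f"{user:6} {status:9} {', '.join(hits) or '-'}")
    # A teacher who is also in the overloaded "students" group:
    print(possible_filter_sets(["teachers", "students"], {"teachers", "students"}))
```

Feed `audit` a real export of user group memberships to find accounts that need cleanup before they cause erratic filtering.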
Sample Filter Set Layout
Based on our experience with schools, we recommend you start with the following Filter Sets:
- Use SSB_Administrators (with the guidelines stated above) for your technology team and for your school administrators that need to be unfiltered.
- Rename SSB_Users to SSB_Students, and place your students in this Filter Set.
- If you have two drastically different ages of students (for example, if you are a K-12 district, or perhaps even K-8), you may need an additional Filter Set for students. If that’s the case, then create “SSB_UpperStudents” and instead of renaming “SSB_Users” to “SSB_Students”, name it “SSB_LowerStudents”.
- Create a Filter Set “SSB_Staff” for your faculty and staff.