> ~
> Hi,
> ~
> I inherited two computer labs in a school (adult ed) with 28 desktops
> running Windows XP SP2 which are part of the same network
> ~
> All 28 computers use the same group account to login and authenticate
> via NTLM to a proxy server
> ~
> Now, company offering us Internet access is relatively large
> corporation trying to venture in the grant-based business and doesn't
> have experience running schools
> ~
> My network is fenced by pretty nasty firewall rules which appear to
> apply to the actual workers of the company (not only youtube and
> myspace are obviously blocked for employees, but also sites such as
> web-based email ones and craigslist.org)
> ~
> My supervisor told me to do whatever I could "without messing with
> things" (which we don't own) so that students/teachers could use the
> lab
> ~
> I was basically thinking of:
> ~
> 1) making all computers use one of the computers as a proxy
> ~
> 2) this computer (1) would have installed squid and would carry of
> its ntlm proxy negotiation with the proxy facing the Internet
> ~
> Should I use squid for win32 or Linux? I think squid for win32 should
> be better because it could be using win32 NTLM from the OS itself, but
> I don't really know
> ~
> What other issues should I consider?
> ~
> FW rules I am dealing with don't even the kind of syndicated content
> driven by AJAX requests (apparently because they don't send much of
> the Headers?) , so if teachers took the time to put their lessons of
> the web, say at yahoo's geocities, then students can not access it
> (?!)
> ~
> Can I play with squid caching rules so that I make sure that content
> is local before teachers get to the lab?
Can be tricky unless you have some control over where the content is
coming from (not a guarantee).
It sounds like your provider is kind of paranoid about security, maybe a
good thing for them and you.
What I'd do in your place is make the single machine you are planning on
running squid on into a hardened gateway for the school. No direct login
for anyone outside admin, no superfluous programs, services locked down as
much as possible, etc. That can all be done on a single machine without
affecting the rest of the net.
Then you can request a wider access for just that machine, without the
provider having to worry about any of the students PCs.
Amos
> ~
> Any tips, links or white papers with insights into these kinds of
> setups?
> ~
> The kind of info I have found online seems a bit spotty to me and I
> don't have much time to mess around with this network. I need
> step-by-step types of instructions
> ~
> Thanks
> lbrtchx
>
Received on Sun Nov 04 2007 - 16:07:27 MST
This archive was generated by hypermail pre-2.1.9 : Sat Dec 01 2007 - 12:00:01 MST