SMTP connections over the HICS network

Recently it has come to our attention that certain devices within the HICS network have been responsible for sending large amounts of email. This has resulted in one of the HICS public facing IP addresses being put on a well-respected email blacklist.

The implications of this mean that all sites within the network may potentially be prevented from accessing Internet based services even if the devices they use were not responsible for causing this.  Obviously this is a grave concern. Updata have worked hard to analyse where this traffic is coming from but have not been able to identify anything.

With this mind, Updata are going to put some restrictions through on the firewall. They are going to block all outbound connection running over TCP port 25 that are not locked down to a destination IP address – I think the majority of these are legacy firewall rules copied over from when Virgin were the broadband provider. Most of the firewall rules for SMTP access is to Office365 and Google Apps, access will be left in place allowing communication to these providers (and the few other random ones in the list).

It may be that certain applications that are configured to use outbound SMTP access can be changed to run using ‘SMTP over TLS/SSL’ which runs on a different TCP Port (TCP 587 or TCP 465) and with authentication. However, the vendor of the software will be able to confirm this.

I am hoping related problems will kept to a minimum but let us know if you encounter any issues. If you do need SMTP access set up, please raise a request with the HICS support desk in the usual way, providing: the internal IP address(es) and destination IP address(es).

Thanks,
Kevin Crawley

Posted in Email, SMTP mail | Leave a comment

Pro active internet monitoring on HICS

I am regularly being asked what radicalisation monitoring HICS schools can deploy so I thought I should blog on the subject.

Whilst no filtering service is 100% reliable, I am confident that the existing filtering platform (Netsweeper) currently protects children sufficiently. I have previously been told the filtering platform that protects Hertfordshire schools, also protects one in three children nationwide, although I haven’t been able to verify this. Filtering is delivered through the central filtering levels – WF1, WF2, WF3 etc and for added flexibility schools can modify these locally, if they’d prefer. HICS also offers the functionality whereby schools can sync network IDs to tailored  filtering levels. Reports can then be ran against specific network users. That said, we are always looking at ways to enhance the service. Certainly from the next contract HICS contract  – either with Updata or someone else, (September 30th 2017 onwards) I will be looking for improvements, such as (but not limited to):

1) a more user-friendly way for the filtering platform to sync with network IDs

2) a sophisticated reporting tool whereby if a user enters a banned word into a search engine, this is immediately brought to the attention of a designated person at each school

The good news is that we may be able to get this rolled out prior to the end of the contract. I am in talks with Updata about upgrading the existing Netsweeper platform. I am advised that when this goes ahead HICS schools can then have some of this the functionality deployed. One of the things that will then happen is for alarms to be generated when banned words are searched on. The alarms can go to HfL, to schools, or to both. Schools will need to have SSL inspection deployed for this to work.

If schools have the filtering platform, synced to network IDs, the alarms will be generated against the network ID. If not, it will report against the internal IP address and schools will have to cross reference their data.

For Updata to upgrade the filtering platform, the 12 HICS proxy servers (servers that deal with the internet traffic) require a CPU upgrade prior to the next version being rolled out. I am going  to try and get this done ASAP. It sounds like a large job and I am told that it is best carried out in the holiday period. The Easter holidays may come too soon and the summer holidays may be a more realistic target. I will update you all in due course and of course in the meantime, if you have any questions, please get in touch.

Thanks,

Kev
kevin.crawley@hertsforlearning.co.uk

Posted in Internet access, Service Improvements, Web Filtering | Leave a comment

Christmas opening hours

Well that time of year is nearly upon us once again. Can I take this opportunity to wish everyone a Merry Christmas. I hope you all come back to work in January feeling recharged after a peaceful break.

Thanks,

Kev

The HICS/SITSS Service Desk opening hours over Christmas are:

Date Connectivity Opening Hours Technical & MIS Opening Hours
Monday 21st December 8:00-6:00pm 8.30am – 5.00pm
Tuesday 22nd December 8:00-6:00pm 8.30am – 5.00pm
Wednesday 23rd December 8:00-6:00pm 8.30am – 5.00pm
Thursday 24th December 8:00-12:00pm 8.30am – 12.00pm
Christmas Day Closed Closed
.
Monday 28th December Closed Closed
Tuesday 29th December 8:00-4:00pm Closed
Wednesday 30th December 8:00-4:00pm Closed
Thursday 31st December 8:00-12:00pm Closed
New Years Day Closed Closed
Posted in Service Desk | Leave a comment

accessing .ac.uk websites

Earlier on today, there was an issue whereby users of the network were receiving a DNS error when trying to browse to .ac.uk websites (such as: www.londonmet.ac.uk).

This has been passed to Updata for them to investigate further, although the issue was fixed at the same time as I was logging the incident. With this in mind, as far I know all is working well. We are obviously keen to find out what happened and when I have further information on this, I’ll add it to this post.

Thanks,

Kevin Crawley

Posted in Websites | 1 Comment

Upgrade paths for schools on 100mbps

Secondary schools all have 100mbps links… or at least they did. We have had our first school upgrade to a 1gbps link, although to protect the HICS core, this school has had their speed capped at 200mbps. However, the point of this post is to make sure you are aware that there is an upgrade path available to increase from 100mbps.

That said, the first thing you should do, if you want to go ahead with this, is to log into Solar Winds (the HICS network monitoring tool) and check that you would indeed benefit from an upgrade. By and large, schools do not need to upgrade.

If you want to discuss this further, or have any questions about logging into the HICS network monitoring tool, please get in touch with me to discuss this in more detail.

Thanks,

Kevin Crawley
kevin.crawley@hertsforlearning.co.uk

Posted in Bandwidth monitoring, Service Improvements | Leave a comment