SSL inspection – action required from schools

As you may recall, last year Yahoo made some changes to the way it retrieves search results. It now diverts users to their HTTPS site, rather than the HTTP site that it previously used. The effect of this change compromised eSafety as this disabled some of the safety features available on HICS..

With this in mind, the decision was made by ICT in Schools Partnership Working Group (head teacher and governor representatives) to restrict access to this website and it was subsequently put on our WF1 filtering level. Yahoo were actually following Google’s lead whereby Google had done the same a year or so before. However what Google also done at the same time was to make available a cluster of HTTP servers. This allowed Updata (and other network providers) to set up a DNS record forcing all requests for Google to go through these HTTP servers.

However, we believe that on June 24th, Google will be discontinuing this clusters of servers. Updata will then send all requests back to the HTTPS site. Rather than restrict access to Google, and to combat this growing trend, the decision has been made by ICT in Schools Partnership Working Group to deploy Man in the Middle technology. This technology has already been successfully adopted by a number of other LAs. It has the capability to decrypt the HTTPS session to apply the necessary safety features.

Man in the Middle technology will decrypt all HTTPS traffic. With this in mind, HICS will have a ‘white list’ detailing which websites to decrypt so as data is only decrypted where necessary. For example, even though this technology has the capabilities to decrypt online banking websites, we will leave banking websites from the list of websites that we will decrypt.

To facilitate the change, instructions will soon be provided and a communication will be sent out to all schools. With June 24th approaching, I was hoping for all the communications to go out at once. But I am aware the clock is ticking so I thought it might be wise to prepare the techies out there. Updata are currently trialling the SSL inspection facilities for another LA but I am told all appears to be going well. Assuming Updata are ready to roll this out in Hertfordshire, schools will then need to import a CA Certificate into their server, or import the details individually for standalone machines. Once the certificate has been correctly installed, you will need to contact the SITSS connectivity Service Desk who will raise a service request with Updata for SSL to be enabled.

Without this action, schools will no longer be able to benefit from the filtering and protection that the HICS network offers. As explained previously though, a communication and step by step instructions will soon be sent out.

Please contact me if you have any queries.

Thanks,

Kevin Crawley

Posted in Service Improvements, Web Filtering, Websites | 2 Comments

Intermittent issues browsing to HCC systems

We have received reports that schools are intermittently experiencing ‘proxy error’ messages when accessing HCC systems such as Herts Direct. This is completely separate from the recent issue of the Grid websites being slow to connect (which is now resolved). Updata are currently investigating. For the vast majority, the websites work fine. This has made it problematic to diagnose but I am told that Updata now have the necessary packet captures so I am hoping a fix will be deployed shortly.

Thanks,

Kevin Crawley

Posted in Service | 3 Comments

Problems accessing www.thegrid.org.uk

There have recently been issues trying to the browse to the Grid websites whereby sessions are intermittently timing out or slow to connect.

This is happening on both of the HCC Corporate and HICS networks and Updata and RM are investigating. That said, for the HICS network a work around is now in place, but it will require users entering this into their proxy exceptions (found within their browser): *thegrid.org.uk

This proxy exception will tell the session to bypass the HICS proxy servers. In the meantime a long term solution is being worked on.

Thanks,

Kevin Crawley

Posted in RM | 1 Comment

The Grid website is slow

For a few days now, we have received reports that accessing the Grid website has been slow (sorry, I should have told you about this when it came to light). RM (who host the site) advised me that they cannot see any issue at their end so I logged this with Updata. The Updata engineers have carried out some packet captures and they believe that the HICS network is performing as it should. They can see that as part of the TCP three way handshake, Updata are sending out a packet to RM, but not getting one back. Updata continue to send the initial packet but RM are possibly seeing this as a DDoS attack. I will be sending over Updata’s findings to RM so they can make the necessary fixes. This will no doubt be affecting other RM hosted websites too.

Thanks,

Kev

 

 

 

Posted in RM, Websites | 2 Comments

Q&A forum with Updata

Last November I invited the Middle/Secondary School Network Managers in for a Q&A forum with Updata. Going forward, I am going to try and arrange this sort of thing on a fairly regular basis – maybe twice a year. The next one is scheduled for June 2nd and if you are interested in attending, can you please get in touch with me?

Updata will host this at their office in Reigate. The idea of it being there is to allow the attendees the opportunity to see Updata’s support staff in operation, meet key personnel etc.. I will look into transport options from Stevenage once I know what sort of numbers I am looking at.

Thanks,

Kevin Crawley
kevin.crawley@hertsforlearning.co.uk

Posted in Service | Leave a comment