Web Filtering: Transparent proxy

This service allows schools to deploy an Internet service for which no proxy settings are required.  All access through this service will be filtered by a chosen policy with the central WF1 policy still providing the baseline level of filtering.  There are no additional charges for the service except for the cost of a router where one is required (see below).

The service is deployed by using a second port on your router and a separate subnet (it will be a 10. subnet rather than a 172. subnet).  This makes it ideal for deploying for wireless Internet access with school laptops and tablets.  Such a service could be used by staff and students to access the Internet from their own devices, including smart phones, whilst still receiving an appropriately filtered service.  It might also improve your attractiveness for evening and weekend lettings where visitors could safely use the Internet without needing access to your computers … they could bring their own.

There will be no access between this service and other devices in your school which are on your original subnet unless those devices have been deliberately set up to allow access from the Internet.  This means that your main school systems will be secure from your transparent proxy users but if staff and students can access certain services from home (eg RM EasyLink or your Moodle server) then they will also be able to access them through the transparent proxy service.

The Transparent Proxy Service can have any central web filtering policy applied to it or any of your own policies (if you are signed up for either or both of the IP Level and AD Integrated local filtering).  But it is one-size-fits-all … all of the users will be filtered by whichever policy you choose to have applied to the service.  Some schools have asked about the possibility of staff own wireless devices and student own wireless devices being filtered by two different policies.  This is also possible but you will have to request two separate Transparent Proxy Services which will then be delivered on two separate ports on two separate subnets … but you can choose a particular policy for each.

Of course this service does depend upon you having a suitable wireless infrastructure.  It also requires a router for which there will be a charge if your school is currently connected without one.  The router will form part of your managed connectivity service and so needs to be ordered through the Service Desk.  It will be installed in series between the Updata Zhone box and your main school switch and will require rack space and power.

If you are interested in using this then please discuss it with your ICT support provider and then contact the Service Desk if you would like to proceed.  You will need to tell the Service Desk:

  1. How big a subnet you would like to be allocated to this service. (eg /24 for 256 addresses or /23 for 512 addresses … or whatever.)
  2. Which central web filtering policy you would like to be applied to the service.
  3. Whether and by how much you would like the service to be rate limited. (See below)

Update: 9th May 2012: How do I stop my Transparent Proxy users guzzling all of my bandwidth?

Some schools have asked if it is possible to limit the amount of their total available bandwidth which is available to the Transparent Proxy Service.  This seems like a perfectly reasonable request because, after all, your Transparent Proxy Service users are likely to be an unknown quantity with an unknown number of devices and an unknown demand for bandwidth.  They are also possibly not your highest priority users.

The simplest solution to this is to rate limit the port through which the Transparent Proxy Service is delivered.  So if you have a total bandwidth of 100 Mbps then you could limit your Transparent Proxy users to, say, 30 Mbps.  They would then never have more than 30 Mbps and the rest of your users, on the regular service, would always have 70 Mbps plus whatever part of their 30 Mbps the Transparent Proxy users were not using.

6 Responses to Web Filtering: Transparent proxy

  1. Rod says:

    Could someone please confirm whether using this option would require a second infrastructure of wireless access points, or whether there are managed solutions that will allow connection to different VLANs depending on the SSID connected to?


    • I’m no expert on this but my SITSS colleagues tell me that there are managed solutions that do exactly that. They support about 10 schools using the Transparent Proxy service that way. There could well be other schools doing this and suported by other organisations.

  2. grahh23 says:

    I’m assuming we’d need to put in another DHCP server sitting on the 10 network? Can somebody confirm that for me please?

    • Again … my SITSS colleagues say “Yes”. If your managed wireless system includes a wireless controller that could do it. Otherwise an old workstation turned into an Ubuntu box works perfectly well. It is possible for your router (if you are a fibre connected school) to do it but then we would have to raise a service request with Updata every time you wanted to make a change … so I really don’t recommend that solution if you want immediate control.

  3. maria.aguado says:

    We have just been given lottery funding for 20 iPod Touchs and a charging/downloading ‘box’. This connects cabled to a dedicated PC with iPlayer while the iPod Touchs connect wirelessly. Is there a way we could use Transparent Filtering for the individual iPods though not necessarily for the charging/downloading? We have no wireless access in school and were going to buy a couple of WAPs and a little switch to connect them.

  4. Chris Carter says:

    Hi Maria

    Each iPod touch can be configured with the usual HGfL proxy settings so you could use this rather than a transparent proxy, and your internet access would be filtered through whichever level you use (eg WF3). They can either be configured one by one or there is a free tool called the iPhone Configuration Utility that enables you to set up profiles which can be copied out to each iPod, which can enable more control and restrictions than the standard settings available from the devices themselves.

    With regards to the wifi, just make sure that the WAPs you get are capable of handling all those devices concurrently. There are a lot of other considerations too, when looking at iOS and other mobile devices. iOS app licensing is a particular headache, as there is no apps volume licensing system in the UK. Do get in touch directly if you’d like more info and guidance. There is an ever growing number of schools in Herts using iPods and iPads, with these charging and syncing solutions. There is also info on the Grid here: http://www.thegrid.org.uk/learning/ict/technologies/handheld/ipod_touch/index.shtml

Leave a Reply