Access from the Internet to School-based Services

There are many browser-based school services which you may wish your staff, students and others to be able to access from their homes or other off-site locations.  These could include services such as RM EasyLink or a Moodle server.  We generally refer to this requirement as “access from the Internet” because the source of the access is undefined … it’s from anywhere on the Internet.

Access using Secure HTTP (port 443)

The preferred method of access to these services is using HTTPS (Secure HTTP) on port 443.

One possible drawback to using HTTPS is that you must create a public key certificate for your server. This certificate must be signed by a trusted certificate authority for users’ browsers to accept it without always warning them that your server might be dodgy. The authority certifies that the certificate holder is the operator of the web server that presents it. We are not able to provide these certificates or even officially recommend a provider. Schools with network support contracts with School IT Systems Support (SITSS) may find that they can help with this. Several other schools have reported that Go Daddy is a good source (http://www.godaddy.com/Compare/gdcompare_ssl.aspx?isc=sslqgo002b). If you do go with Go Daddy they will ask you to create a DNS TXT record with a particular value so that you can prove that the domain is yours. If the domain in question is a “.herts.sch.uk” domain please just send the details of what is required to the Service Desk who will arrange for the DNS record to be created.

Do you need some DNS to go with that?

For visitors to access your server easily you could also request that a DNS record be created. So for example if your school domain is “butterfield.herts.sch.uk” and you are setting up a Moodle server then you could have a DNS record created so that users would access it using “https://moodle.butterfield.herts.sch.uk”. If there is no DNS record then your visitors will have to use the external IP address that Updata will assign to this access. The Service Desk will be able to tell you what that external IP address is. Or you could just look it up yourself using a free tool such as http://www.mydnstools.info/

Contacting the Service Desk

You can arrange all of this by emailing the Service Desk who will then liaise with Updata to make the required changes to the firewall and to DNS. If for example you were installing a Moodle server which you wanted to make accessible to your students from home you should email the Service Desk with something like this:

We are installing a new Moodle server on internal IP address ?.?.?.?
Please allow access from the Internet to that server on port 443
Please create a corresponding DNS record such that the server can be accessed using https://something.<school domain> 

You need to supply a description of the server (Moodle, EasyLink, Portal etc), its IP address and the “something” element of the new DNS record. By convention we always use “folders” as the “something” element for EasyLink servers.

Once Updata have completed the changes, usually just a couple of hours, the Service Desk will let you know that things are ready for you to test.

(Of course if someone other than Updata manages the domain you intend to use then you would have to get them to do this DNS bit. Updata manage the “.herts.sch.uk” domains. If in doubt just ask the Service Desk for advice.)
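When the Service Desk tells you things are ready to test, a script like the one below, run from an off-site machine, checks that the DNS record points at your external IP address, that the certificate on port 443 is accepted by a standard trust store, and that port 80 has not been opened as well. It is an added example, not part of the original guidance; the IP address 203.0.113.10 is a constructed placeholder and the 30-day expiry warning is an assumed threshold.

```python
import socket
import ssl
from datetime import datetime, timezone

def days_left(cert, now=None):
    """Days until expiry for a cert dict as returned by SSLSocket.getpeercert()."""
    now = now or datetime.now(timezone.utc)
    not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    return (not_after - now).days

def findings(expected_ip, resolved_ips, tls_error, cert, http_open, now=None):
    """Pure decision logic: turn raw observations into a list of problems."""
    problems = []
    if expected_ip not in resolved_ips:
        problems.append(f"DNS returns {sorted(resolved_ips)}, expected {expected_ip}")
    if tls_error:
        problems.append(f"HTTPS failed: {tls_error}")
    elif days_left(cert, now) < 30:  # assumed warning threshold
        problems.append(f"certificate expires in {days_left(cert, now)} days")
    if http_open:
        problems.append("port 80 is reachable from the Internet")
    return problems

def probe(host, timeout=5):
    """Collect observations from an off-site machine (needs network access)."""
    try:
        ips = {ai[4][0] for ai in socket.getaddrinfo(host, 443, proto=socket.IPPROTO_TCP)}
    except socket.gaierror:
        ips = set()
    cert, tls_error = None, None
    ctx = ssl.create_default_context()  # verifies the CA chain and the hostname
    try:
        with socket.create_connection((host, 443), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        tls_error = f"certificate not trusted ({exc.verify_message})"
    except OSError as exc:
        tls_error = f"cannot connect on 443 ({exc})"
    try:
        socket.create_connection((host, 80), timeout=timeout).close()
        http_open = True
    except OSError:
        http_open = False
    return ips, tls_error, cert, http_open

if __name__ == "__main__":
    # Constructed values: the page's example hostname and a documentation-range IP.
    host, expected_ip = "moodle.butterfield.herts.sch.uk", "203.0.113.10"
    for line in findings(expected_ip, *probe(host)) or ["all checks passed"]:
        print(line)
```

Run it from outside the school network, since a test from inside may not pass through the firewall rule being checked.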

Access using HTTP (port 80)

We strongly recommend that you do not allow access from the Internet to school-based servers on port 80. There are two main reasons for this:

  1. The chances are very high that whatever information your users are accessing from the Internet some of it will be personal.  It really isn’t appropriate for access to personal information to be allowed without encryption and that is why we think it should be on port 443.
  2. Servers that are open to the Internet on port 80 are significantly more vulnerable to attack and if located within a school should be properly secured so that they are difficult to compromise and sufficiently isolated from the rest of the network.

So we won’t say “No” to a request for access to school based servers on port 80 but we will want to discuss the implications with your Headteacher/Principal/Site Manager.

Other means of access

It is difficult to generalise about other forms of access.  If you need access from the Internet to school based servers other than on ports 80 or 443  please send a description of your requirement to the Service Desk.

Of course for users who need to manage school-based services from outside of school the best solution is likely to be our staff or third party VPN services.
