SchoolProtect - Settings Active Directory
SchoolProtect allows users to be filtered by the policy you intend as soon as they log into a computer with AD Linked filtering.
To use this functionality, a simple setup on the SchoolProtect site needs to be completed & an application needs to be run on your network when a user logs in & out of a machine.
To obtain the SchoolProtect AD Link application, please download it from here!
How does it work?
Simply complete the setup within the SchoolProtect site & set the application to run when a user logs in and out of a computer on your network.
On the SchoolProtect website you just need to specify the Active Directory domain(s) used on your network & any Active Directory security groups you want to filter based on. The security groups used for filtering purposes can be existing security groups, or as we recommend, new security groups created & then populated with users just for the purpose of filtering. Once defined within SchoolProtect, these security groups can be tied to a SchoolProtect policy group. If required, multiple security groups can be tied to a single policy group. See "Configuration On SchoolProtect" below.
Once the SchoolProtect configuration changes have been made, the application will need to be configured to run when a user logs in and out of a computer on your network.
When run at log in, the application sends information to SchoolProtect, which uses it to work out what policy to give the user. This information is sent securely over HTTPS.
The following is the only information that is collected and sent by the application:
- IP of the machine
- User name logged into the computer
- Domain being used
- Any security groups the user is part of
With this information SchoolProtect works out what policy to give, if any.
If the application sends multiple security groups that are set up in SchoolProtect, the policy received will depend on the priority of the policy groups. If no matching policy is found, the user will be filtered by the default IP policy for that IP address; they will not be 'unfiltered'.
Once the application is run, the browsing session will be tied to their AD username & a SchoolProtect user report can be run against this username.
The application is also run on log out & simply clears the browsing session, to ensure that user is no longer authenticated.
Please note: if the logout run does not happen (for example because the machine loses power and so never logs out), the next person logging in will run the application, which clears and overwrites the previous session.
See Configuration On Local Network section below for some general guidance on configuring the application to run on your network.
Configuration On SchoolProtect
SchoolProtect functionality: Adding your AD into the SchoolProtect portal
To make the changes required in SchoolProtect to use this feature, please first go to Settings >> Active Directory
Please ensure that everything is entered/spelled correctly when completing this setup for this to work correctly.
On this page, you will initially need to add any Active Directory domain(s) with the Add AD Domain button. Enter your domain and use the timeout option to choose whether users on this domain should automatically lose their authenticated browsing session every evening.
Once your domain(s) have been added, you will then need to add your security groups. This can be done via the Add Security Group button.
If you have multiple domains please ensure you select the right domain when adding a security group.
In this example, I've selected the domain SCH2 when adding this security group.
You can see that this then is visible in the table on the page.
Once you've added any domains & security groups, you will want to link these security groups to policy groups.
To do this please go to Policies >> Policy Configuration
You will then want to choose Edit on the policy group you wish to link a security group to.
Choose Target AD Group & lastly select the security group you wish to use.
In this example, the earlier Group5 is being linked to a policy group. A user in the Group5 security group in AD would receive this policy group, if there was not another policy group with a higher priority they were also part of.
Once saved, you can choose the Target AD Group button again to link another security group to this policy group or go back to the Policy Configuration page and link security groups to a different policy group.
Please see the following sections for further guidance.
Configuration On Local Network
SchoolProtect functionality: Installing the files on your AD
In order to use AD linked filtering the application will need to be run when a user logs into a computer & when the user logs out.
If you haven't already, please obtain the application from the AdEPT Education Service Desk.
You will notice that there is one WebScreenADLink application, but you will be provided with three files.
The other two files are batch files, pre-configured to send the two different parameters, login & logout.
If you open the batch files in an editor, you will see that they contain the following:
- WebScreenADLink.exe login
- WebScreenADLink.exe logout
The WebScreenADLink application
As well as being used to login & logout of filtering, the application can be used to display the information SchoolProtect will receive when a user logs in to a computer.
To see this, simply double click the application.
This will then display the following information:
- Domain
- Username
- IP addresses
- Security groups
This can be used to check the AD setup on the SchoolProtect website & for troubleshooting.
An example of the information the application will display.
Once you've obtained the application, you will then need to ensure this runs when a user logs in & logs out of their computer.
The following guidance is one way this can be set up. The process may be different on your network.
1. Copy the application (together with login.bat and logout.bat) into your server's NETLOGON folder. This is usually located under C:\WINDOWS\sysvol\sysvol\yourdomain\scripts
2. For logging in, we recommend adding login.bat to the logon script section of the user profile (right click account > Properties > Profile). This is more robust than a Group Policy logon script; however, there is no reason you cannot use Group Policy to force this instead.
3. For logging out, we recommend creating a Group Policy entry for logout.bat. This is applied in the Default Domain Policy so it affects everyone. To set this, go to User Configuration > Policies > Windows Settings > Scripts (Logon/Logoff), then press Add and point it to C:\WINDOWS\sysvol\sysvol\yourdomain\scripts\logout.bat
Once the above has been set, when a user logs into a machine it will run login.bat, which ensures they receive the intended filtering policy. Once they have finished and logout, logout.bat will clear their browsing session in SchoolProtect.
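The steps above can also be scripted. The following PowerShell is an added example, not code supplied with the WebScreenADLink application or by AdEPT: it assumes the RSAT ActiveDirectory module is installed on the domain controller you run it from, that the three supplied files have been saved to $SourceFolder (a placeholder path), and that NETLOGON is at the path given above. It copies the files into NETLOGON and sets login.bat as the profile logon script for every user in a chosen AD group; the logoff script is still added through Group Policy as described in step 3.

```powershell
# Added example, not part of the WebScreenADLink package. Assumes the RSAT
# ActiveDirectory module and that $SourceFolder holds the three supplied files.
# Run as a domain admin on a domain controller; use -WhatIf to preview changes.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$SourceFolder = 'C:\Temp\WebScreenADLink',   # placeholder: where the three files were saved
    [string]$TargetGroup  = 'Group1',                    # AD group whose members get the logon script
    [string]$NetlogonPath = "$env:SystemRoot\SYSVOL\sysvol\$env:USERDNSDOMAIN\scripts"
)

Import-Module ActiveDirectory -ErrorAction Stop

$files = 'WebScreenADLink.exe', 'login.bat', 'logout.bat'

# 1. Refuse to continue if any supplied file is missing, so a logon script is
#    never assigned that points at nothing.
foreach ($f in $files) {
    $src = Join-Path $SourceFolder $f
    if (-not (Test-Path -LiteralPath $src)) {
        throw "Missing supplied file: $src"
    }
}

# 2. Copy the application and both batch files into NETLOGON. NETLOGON is
#    replicated to every domain controller, so the path is the same wherever
#    the user authenticates.
foreach ($f in $files) {
    $src = Join-Path $SourceFolder $f
    $dst = Join-Path $NetlogonPath $f
    if ($PSCmdlet.ShouldProcess($dst, "Copy $f")) {
        Copy-Item -LiteralPath $src -Destination $dst -Force
    }
}

# 3. Set login.bat as the profile logon script (the scriptPath attribute shown
#    under account > Properties > Profile) for each user in $TargetGroup.
#    The value is relative to NETLOGON, which is how the Profile tab expects it.
$members = Get-ADGroupMember -Identity $TargetGroup -Recursive |
    Where-Object { $_.objectClass -eq 'user' }

foreach ($m in $members) {
    if ($PSCmdlet.ShouldProcess($m.SamAccountName, 'Set logon script to login.bat')) {
        Set-ADUser -Identity $m.SamAccountName -ScriptPath 'login.bat'
    }
}

# 4. Report which accounts now have the logon script. The logoff script is not
#    set here: add logout.bat under User Configuration > Policies >
#    Windows Settings > Scripts (Logon/Logoff) in Group Policy, as above.
Get-ADUser -Filter "ScriptPath -eq 'login.bat'" -Properties ScriptPath |
    Select-Object SamAccountName, ScriptPath |
    Format-Table -AutoSize
```

Run it once with -WhatIf to see which accounts would be changed before committing; the final listing is a quick way to confirm that only the intended users picked up the logon script.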
It's highly recommended to check your setup & some useful guidance is available below.
Checking The Setup
It's highly recommended to check the setup of AD linked filtering.
It's particularly important to check that the domain(s) & security groups have been entered correctly on the Settings >> Active Directory page in order to work correctly.
The spelling of your domain & security groups is very important for AD linked filtering to work.
The domain & security groups can be checked within Active Directory or by running the WebScreenADLink application.
Opening this application on a computer will display the information that will be sent to SchoolProtect when the user logs into the machine.
An example of this is below:
Taking this example:
- The domain is "SCH1" & therefore this should be entered into SchoolProtect in this way.
- The username is "user2" & therefore reports should be run against this username.
- The IP address is 172.31.17.4, which is also useful for reports.
- The security groups would be "Domain Users", "Group1", "Group2" & "Group3" & therefore these should be entered into SchoolProtect in this way.
Once you've ensured that everything has been entered correctly onto the Active Directory page, please ensure that the AD Groups are linked correctly to a policy group on Policies >> Policy Configuration.
Please remember that user based policies work on a priority system: the lower the number, the higher the priority, with 0 being the highest.
When an AD user logs into their machine and the application runs, they will receive the highest-priority policy group on the Policy Configuration page that targets an AD group they are part of.
When surfing the internet, the policy group being received can be checked with reports & on the block page.
In this example, if a user was part of Group2 & Group1, the policy group they would receive would be SLT. This is because SLT has a higher priority, i.e. a lower number.
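The checks in this section, and the priority and fallback rules from "How does it work?" above, can be put into one script. The following PowerShell is an added example, not code from the WebScreenADLink application or from AdEPT. It is run on a domain-joined computer as the user being checked; it gathers the four items the page says the application sends (domain, username, IP addresses, security groups), compares them with what has been typed into SchoolProtect (the $Config values are constructed for this example and must be replaced with your own entries), and reports which policy group the priority rules would select. Whether SchoolProtect treats upper and lower case as different is not stated on this page, so the script treats case as significant and reports a case-only difference as a warning rather than a failure.

```powershell
# Added example, not code from the WebScreenADLink application or AdEPT.
# Run on a domain-joined machine, logged in as the user you want to check.

# What was typed into Settings >> Active Directory and Policy Configuration.
# Constructed example values (Group1 -> SLT matches the example above).
$Config = @{
    Domains        = @('SCH1')
    SecurityGroups = @('Group1', 'Group2', 'Group3')
    # security group -> policy group, with that policy group's priority
    # (lower number = higher priority, 0 is the highest)
    PolicyLinks    = @(
        [pscustomobject]@{ Group = 'Group1'; Policy = 'SLT';      Priority = 0 }
        [pscustomobject]@{ Group = 'Group2'; Policy = 'Staff';    Priority = 1 }
        [pscustomobject]@{ Group = 'Group3'; Policy = 'Students'; Priority = 2 }
    )
}

function Get-AdLinkInfo {
    # Approximates what double-clicking WebScreenADLink.exe displays.
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $groups = foreach ($sid in $identity.Groups) {
        try {
            $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
            # Keep only groups from the logon domain and drop the DOMAIN\ prefix,
            # which is the form the application shows ("Domain Users", "Group1").
            if ($name -like "$env:USERDOMAIN\*") { $name.Split('\')[-1] }
        } catch { }   # well-known/logon SIDs with no account name are skipped
    }
    $ips = Get-NetIPAddress -AddressFamily IPv4 |
        Where-Object { $_.IPAddress -ne '127.0.0.1' } |
        Select-Object -ExpandProperty IPAddress
    [pscustomobject]@{
        Domain   = $env:USERDOMAIN
        Username = $env:USERNAME
        IPs      = @($ips)
        Groups   = @($groups)
    }
}

function Test-AdLinkSetup {
    param($Info, $Config)

    # -ceq is case-sensitive; -eq is not. Spelling must match exactly.
    if ($Config.Domains -ceq $Info.Domain) {
        "OK   domain '$($Info.Domain)' is entered in SchoolProtect"
    } elseif ($Config.Domains -eq $Info.Domain) {
        "WARN domain '$($Info.Domain)' differs only in case from the SchoolProtect entry"
    } else {
        "FAIL domain '$($Info.Domain)' is not entered in SchoolProtect"
    }

    foreach ($g in $Info.Groups) {
        if ($Config.SecurityGroups -ceq $g) {
            "OK   group '$g' is entered in SchoolProtect"
        } elseif ($Config.SecurityGroups -eq $g) {
            "WARN group '$g' differs only in case from the SchoolProtect entry"
        } else {
            "INFO group '$g' is not in SchoolProtect and will not affect filtering"
        }
    }

    # Resolve the policy as described above: of all linked groups the user is
    # in, the policy group with the lowest priority number wins; with no match
    # the user falls back to the default IP policy for their address.
    $chosen = $Config.PolicyLinks |
        Where-Object { $Info.Groups -ceq $_.Group } |
        Sort-Object Priority |
        Select-Object -First 1
    if ($chosen) {
        "RESULT expected policy group '$($chosen.Policy)' via AD group '$($chosen.Group)' (priority $($chosen.Priority))"
    } else {
        "RESULT no linked group matched; expected the default IP policy for $($Info.IPs -join ', ')"
    }
}

$info = Get-AdLinkInfo
$info | Format-List
Test-AdLinkSetup -Info $info -Config $Config
```

Compare the RESULT line with the policy group shown on the block page or in a user report; a FAIL or WARN line on the domain or on a group you expect to match is the most common reason a user lands on the default IP policy instead of the intended one.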
Checking an example setup
We have a user called user4 who is part of the SCH1 domain & two security groups, Domain Users & Group1.
When they log into their computer, this information will be sent to SchoolProtect & can be checked by running the application. This is visible below.
We can use this information to make sure that everything is set up correctly.
Firstly by checking the AD Link Setup page
The domain has been entered correctly & Group1 does appear in the settings. Domain Users isn't entered anywhere in the setup, so it won't have an effect on filtering.
We can then check the Policy Configuration page to ensure that this security group is linked to a policy group.
We can see here that Group1 is linked to a policy group & therefore this should be the policy being received.
To check this is actually working as the setup suggests, we can then go to a blocked website whilst logged in as this user & view the information on the block page.
If you ever need to see the information on the block page, we suggest going to the following URL, which will always display a block page in a school that uses SchoolProtect filtering:
http://wsblock.co.uk
This website is not a security threat but is classified in this way to ensure that a block page is received.
On this block page we can see:
- The policy group
- The AD security group that has been used to decide on this policy group
- The username, if we click Display additional information
We can also check this is working correctly with a SchoolProtect user report.
This can be run on Reports > Create Reports & then viewed on the View Reports page.
The steps to run a user report are visible below. The results also demonstrate that the user is receiving the correct policy & that the username used to log into the computer can be queried in the filtering logs if needed.
If you do have any questions or queries related to the above, please do not hesitate to contact the AdEPT Education support team for assistance.