Firewall & MIP Guidance

To request changes to your school's firewall settings or to set up a mapped IP address (an IP address created to connect to a device in your school), a support case can be raised by a Nominated Contact. Firewall and MIP requests allow certain software, sites, or exceptions to pass through local firewalls, including services such as VoIP, alarm systems, or cloud mail providers. LGfL deploys a default restrictive firewall policy to protect your school from threats, so any changes should be carefully considered, as they can introduce potential vulnerabilities.

Raising a Request

These requests can be raised by pressing the below button and following the instructions below.

On the LGfL Support Site, select Raise an issue.

You'll then need to select Support request.

From here, you can now see LGfL MIPs.

With sub sections to tailor what you need. A new request will be New MIP request.

You'll find this message after seeing if any existing issues already relate to your query. This will download you the official MIP request document.

The office MIP request document is at the bottom of this page.

If you're unsure on exactly what you need unblocked, you can fill in the next step, which you can then ask for assistance in finding exactly what you need unblocked.

Alternatively call our Support Line on 0208 255 5555, and request for assistance.

Risks of Mapped IPs Accessible from the Internet

Publicly accessible Mapped IPs (MIPs) can pose significant security risks if not carefully managed. When a device or service is exposed directly to the internet without restrictions, such as limiting access to specific source IP addresses, it becomes vulnerable to unauthorised access attempts, automated scans, and exploitation of known software weaknesses. In some cases, it may not be possible to restrict access by source IP address, for example if the connecting IP is dynamic or changes regularly.

Even if a device is protected by a username and password, risks remain, particularly if default credentials have not been changed or if a vulnerability exists in the device’s firmware or software. This is especially concerning for devices in schools, such as cameras, which are common targets for attackers and raise safeguarding concerns.

Where possible, we recommend avoiding the use of public MIPs. Instead, LGfL provides a secure Remote Access solution, including a VPN service, which enables safe and authenticated access to devices within your school network without making them publicly accessible on the internet. More information is available here.

If MIPs are required, we recommend regularly reviewing those currently set up for your school on the LGfL Support Site. This page lists each public IP address, the internal IP address it maps to, the associated ports, and where access is permitted from. After reviewing, please let us know if any of the following apply:

If a service is no longer required, so we can remove the MIP.
If the access can be locked down to specific source IP address(es).
If the ports can be restricted to reduce exposure.
If the internal IP address changes and needs updating.

Please reach out to us for advice, or raise a case on the LGfL Support Site to request any changes.

Example:

In this example, a Mapped IP (171.1.1.1) has been created to allow access to the school’s internal IP address (10.1.1.1) on port 443 from anywhere on the internet. This means that anyone connecting to 171.1.1.1 (or a URL that points to it) can access the school’s camera system. The case reference shown on the page is clickable, allowing you to view the case where it was last created or modified, so you can check when and why this MIP was set up.

Risks of Any to Any Outbound Rules

Outbound firewall rules that allow internal devices to connect to any external IP address on a specific port can pose significant risks. By not restricting the destination, these rules can allow services to be used for purposes other than intended and make it harder to monitor or control network traffic.

Even when only outbound, any to any rules can be abused. For example, students may use them to bypass filtering or access unauthorised services.

LGfL deploys a default restrictive firewall policy to protect schools from these threats. Where possible, outbound rules should be restricted to known, authorised destination IP addresses or ranges, and only the required ports should be open. This helps ensure that services are used safely and for their intended purpose.

We recommend regularly reviewing your outbound firewall rules on the LGfL Support Site. After review, please tell us if any of the following apply:

If a rule is no longer required so we can remove it.
If the source and/or destination IP addresses can be restricted to specific IP addresses or ranges.
If the allowed ports can be limited.

If you need any assistance with this please reach out to us for advice, or raise a case on the LGfL Support Site to request any changes.