SchoolProtect functionality: Adding your AD into the SchoolProtect portal

To make the changes required in SchoolProtect to use this feature, please first go to Settings >> Active Directory

Please ensure that everything is entered/spelled correctly when completing this setup for this to work correctly.

On this page, you will initially need to add any Active Directory domain(s) with the Add AD Domain button. Please enter your domain and choose whether you would like users on this domain to automatically lose their authenticated browsing every evening on the timeout option.

Once your domain(s) have been added, you will then need to add your security groups. This can be done via the Add Security Group button.

If you have multiple domains please ensure you select the right domain when adding a security group.

In this example, I've selected the domain SCH2 when adding this security group.

You can see that this then is visible in the table on the page.

Once you've added any domains & security groups, you will want to link these security groups to policy groups.

To do this please go to Policies >> Policy Configuration

You will then want to choose Edit on the policy group you wish to link a security group to.

Choose Target AD Group & lastly select the security group you wish to use.

In this example, the earlier Group5 is being linked to a policy group. A user in the Group5 security group in AD would recieve this policy group, if there was not another policy group with a higher priority they were also part of.

Once saved, you can choose the Target AD Group button again to link another security group to this policy group or go back to the Policy Configuration page and link security groups to a different policy group.

Please see the following sections for further guidance.

SchoolProtect functionality: Installing the files on your AD

In order to use AD linked filtering the application will need to be ran when a user logs into a computer & when the user logs out.

If you haven't already, please obtain the application from the Wavenet Education Service Desk.

You will notice that there is one SchoolProtectADLink application, but you will be provided with three files.

The other two files are batch files, pre configured to send the two different parameters, login & logout.

You'll notice this if you go to edit the batch files they will say the following:

•SchoolProtectADLink.exe login

•SchoolProtectADLink.exe logout

The WebScreenADLink application

As well as being used to login & logout of filtering, the application can be used to display the information SchoolProtect will receive when a user logs in to a computer.

To see this, simply double click the application.

This will then display the following information:

•Domain

•Username

•IP addresses

•Security groups

This can be used to check the set up of the AD setup on the SchoolProtect website & for troubleshooting.

An example of the information the application will display.

Once you've obtained the application, you will then need to ensure this runs when a user logs in & logs out of their computer.

The following guidance is one way this can be set up. The process may be different on your network.

1. Copy the application into your server's NETLOGON folder. This is usually located under C:\WINDOWS\sysvol\sysvol\yourdomain\scripts

For logging in, we recommend adding this to the logon script section of the user profile (right click account > properties > profile)

This is more robust than a Group Policy logon script, however there is no reason you cannot use Group Policy to force this

For logging out, we recommend creating a Group Policy entry for the logout.bat. This is applied for the default domain policy so it affects everyone.

To set this please go to User Configuration > Policies > Windows Settings > Scripts (Logon/Logoff)

Then press Add and point it to the  C:\WINDOWS\sysvol\sysvol\yourdomain\scripts\logout.bat

Once the above has been set, when a user logs into a machine it will run login.bat, which ensures they receive the intended filtering policy. Once they have finished and logout, logout.bat will clear their browsing session in SchoolProtect.

It's highly recommend to check your setup & some useful guidance is available below.

It's highly recommended to check the setup of AD linked filtering.

It's particularly important to check that the domain(s) & security groups have been entered correctly on the Settings >> Active Directory page in order to work correctly.

The spelling of your domain & security groups is very important for AD linked filtering to work.

The domain & security groups can be checked within Active Directory or by running the SchoolProtectADLink application.

Opening this application on a computer will display the information that will be sent to SchoolProtect when the user logs into the machine.

An example of this is below:

Taking this example:

•The domain is "SCH1" & therefore this should be entered into SchoolProtect in this way.

•The username is "user2" & therefore reports should be run against this username.

•The IP address is 172.31.17.4, which is also useful for reports.

•The security groups would be "Domain Users", "Group1", "Group2" & "Group3" & therefore these should be entered into SchoolProtect in this way.

Once you've ensured that everything has been entered correctly onto the Active Directory page, please ensure that the AD Groups are linked correctly to a policy group on Policies >> Policy Configuration.

Please remember that user based policies work on a priority system with the lowest number being the higher priority, with 0 being the highest.

When a AD user logs into their machine, and the application runs, they will receive the policy group on the Policy Configuration page, targeting the AD group they are part of which has the highest priority.

When surfing the internet, the policy group being received can be checked with reports & on the block page.

In this example, if a user was part of Group2 & Group1, the policy group they would recieve would be SLT. This is because SLT has a higher priority, a lower number.

Checking an example setup

We have a user called user4 who is part of the SCH1 domain & two security groups, Domain Users & Group1.

When they log into their computer, this information will be sent to SchoolProtect & can be checked by running the application. This is visible below.

We can use this information to make sure that everything is set up correctly.

Firstly by checking the AD Link Setup page

The domain has been entered correctly & Group1 does appear in the settings. Domain Users isn't entered anywhere in the set up, so won't have an affect on filtering.

We can then check the Policy Configuration page to ensure that this security group is linked to a policy group.

We can see here that Group1 is linked to a policy group & therefore this should be the policy being received.

To check this is actually working as the setup suggests, we can then go to a blocked website whilst logged in as this user & view the information on the block page.

If you ever need to see the information on the block page we suggest going to the following URL which will always display a block page in a school that uses SchoolProtect filtering

http://wsblock.co.uk

This website is not a security threat but is classified in this way to ensure that a block page is received.

On this block page we can see:

•The policy group

•The AD security group that has been used to decide on this policy group

•The username, if we click Display addition information

We can also check this is working correctly with a SchoolProtect user report.

This can be run on Reports > Create Reports & then viewed on the View Reports page.

The steps to run a user report are visible below & the results also demonstrate that the user is receiving the correct policy & that the username used to log into the computer can be queried in the filtering logs if needed to be.

If you do have any questions or queries related to the above, please do not hesitate to contact the Wavenet Education support team for assistance.