HfL Broadband firewall enhancements
The HfL Broadband firewall can now permit access to destinations specified by DNS name (a fully qualified hostname such as example.com) as well as by IP address. It will not permit access to wildcard entries such as *.example.com, because a wildcard would open access to every host under that domain rather than the one specific destination a rule is meant to allow.
If schools wish to bypass our firewall completely and manage their security profile themselves, this is achievable. Naturally, the Head will need to authorise this and confirm that they are happy for their IT support team to manage the associated risks. If you wish to control your HfL Broadband firewall profile yourself, please get in touch with us and we can provide further information. If you are happy for us to continue doing this on your behalf, we will continue to do so.
Information we typically require to set up access through the firewall
When we permit access through the firewall, we usually require the following information:
- The internal IP addresses inside the school that will be communicating with the outside world
- Which ports need to be opened, and whether TCP or UDP (or both) is required
- The public IP addresses or DNS names on the internet that you wish to communicate with
Obtaining these details from the supplier of the software or service is often the hardest part, but if schools can provide a clear and accurate firewall instruction containing this information, we should be able to put it in place for you.
The proxies and the firewall
To understand how some particular connectivity issues can be fixed it is important to know how the proxies and the firewall work together to provide a safe and secure online environment.
These problems include:
- You have a device that needs to access the web but doesn’t have the ability to use proxy settings.
- You have some software that needs to access the web but doesn’t work through a browser and has no ability to use proxy settings.
- You have an application that does work through a browser but the proxies seem to be causing problems and you would like to bypass them.
So how do the proxies and the firewall usually work together?
The default position is that the web is accessible (on port 80 for HTTP, or port 443 for HTTPS) but only via the proxies. Any request on ports 80 or 443 that is not directed through the proxies will try to reach the Internet straight through the firewall, and will be rejected, because the firewall's default position is that traffic on ports 80 and 443 is only allowed if it has come from a proxy. It follows that any traffic which bypasses the proxies also bypasses the web filtering they provide.
Type 1 and 2 problems.
If you have a problem of type 1 or 2 above, the solution is a firewall rule that specifically allows the traffic concerned. The Service Desk will be able to raise a service request for this on your behalf. To do this they will need to know:
- Whether access is required on port 80 or port 443 (or both).
- The source address of the device or devices concerned. This could be the entire subnet of your school or one or more individual IP addresses; the narrower the source, the fewer devices are left outside the filtering.
- The specific destination address (an IP address or a DNS name; see the note above on wildcards). This is essential: if we allowed access to the whole web on these ports without going through the proxies, those devices would have no protection from the web filtering service.
Occasionally we have to set up firewall rules allowing traffic to avoid the proxies from the entire HfL Broadband subnet rather than just individual schools. If you would like further information on what is currently set up in this way, please get in touch.
But what if the devices are things such as iPads or smartphones, you have a lot of them, and you do want them to access the whole web? In that case what you are looking for is probably our Transparent Proxy Service.
Type 3 problems.
Problems of type 3 above are slightly more complicated. Bypassing the proxies is usually a last resort, or sometimes a temporary diagnostic step to let us determine whether the proxies really are the source of a problem. You would still need to ask us to raise a service request as described above; in this case the source address will be your entire subnet, and we will still need the specific destination address. In addition, you need to enter a proxy exception into your browser's proxy settings (this may appear as "Proxy Exceptions" or as "Proxy Exclusions"; the name varies between browsers). The proxy exception should be for the same destination as the firewall rule we requested. Because of your proxy exception, your browser sends the request straight at the firewall, and because of our firewall rule the request is not rejected. The two must match: an exception without a corresponding firewall rule, or a rule for a different destination, means the request goes direct and is rejected by the firewall. Note also that browsers will accept a wildcard exception such as *.example.com, but the firewall rule cannot be a wildcard, so the exception should name the specific host that the rule covers.
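The following is an added example, not HfL Broadband's code or configuration, modelling how the browser's proxy exception and the firewall's "only from a proxy" default for ports 80 and 443 work together, as described in the sections above for type 1, 2 and 3 problems. The browser side is written in the style of a PAC FindProxyForURL() decision; the firewall side applies the default position plus any explicit bypass rules. All names and addresses (school LAN 10.20.30.0/24, proxies 192.0.2.10 and 192.0.2.11, destination vendor.example) are hypothetical.

```javascript
// Added example (not HfL Broadband code): a model of the browser-side proxy
// exception and the firewall's "only from a proxy" default for ports 80/443.
// All addresses are hypothetical: school LAN 10.20.30.0/24, proxies
// 192.0.2.10/11, destination vendor.example on port 443.

const PROXY_HOSTS = new Set(["192.0.2.10", "192.0.2.11"]); // hypothetical proxy addresses
const PROXY_DIRECTIVE = "PROXY 192.0.2.10:8080";           // what the browser is configured to use

// Browser side, in the style of a PAC FindProxyForURL(): a host listed in the
// browser's proxy exceptions goes DIRECT, everything else goes via the proxy.
function findProxyForHost(host, exceptions) {
  return exceptions.has(host.toLowerCase()) ? "DIRECT" : PROXY_DIRECTIVE;
}

// Dotted IPv4 -> unsigned 32-bit integer, validating each octet.
function ipToInt(ip) {
  const parts = ip.split(".");
  if (parts.length !== 4 || !parts.every((p) => /^\d{1,3}$/.test(p) && Number(p) <= 255)) {
    throw new Error(`bad IPv4 address: ${ip}`);
  }
  const [a, b, c, d] = parts.map(Number);
  return ((a << 24) | (b << 16) | (c << 8) | d) >>> 0;
}

// True if ip lies in cidr ("10.20.30.0/24"); a bare address is treated as /32.
function inCidr(ip, cidr) {
  const [net, bitsStr = "32"] = cidr.split("/");
  const bits = Number(bitsStr);
  if (!Number.isInteger(bits) || bits < 0 || bits > 32) throw new Error(`bad prefix: ${cidr}`);
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return (ipToInt(ip) & mask) === (ipToInt(net) & mask);
}

// A proxy-bypass rule as the service request would record it: a source (a
// host or the school subnet), one specific destination, and the web port.
// Wildcard or "any" destinations are refused: they would expose the whole web
// without the filtering the proxies provide.
function makeRule(sourceCidr, destination, port) {
  const dest = destination.trim().toLowerCase();
  if (dest === "" || dest.includes("*") || dest === "any" || dest === "0.0.0.0/0") {
    throw new Error(`destination must be a specific host or address, got "${destination}"`);
  }
  if (port !== 80 && port !== 443) throw new Error("web bypass rules are for port 80 or 443");
  inCidr("0.0.0.0", sourceCidr); // throws if the source CIDR is malformed
  return { sourceCidr, destination: dest, port };
}

// Firewall side. Default position for 80/443: allowed only from a proxy,
// unless an explicit bypass rule matches source, destination and port.
function firewallAllows(srcIp, dstHost, port, rules) {
  if (port !== 80 && port !== 443) return false; // other ports are outside this model
  if (PROXY_HOSTS.has(srcIp)) return true;
  const host = dstHost.toLowerCase();
  return rules.some((r) => r.port === port && r.destination === host && inCidr(srcIp, r.sourceCidr));
}

// End to end for a browser (type 3 case): the browser picks a path from its
// exceptions, and the firewall then sees the request coming either from the
// proxy or from the device itself.
function browserAttempt(deviceIp, host, port, exceptions, rules) {
  const route = findProxyForHost(host, exceptions);
  const seenFrom = route === "DIRECT" ? deviceIp : "192.0.2.10";
  return { route, seenFrom, allowed: firewallAllows(seenFrom, host, port, rules) };
}

// A device or program that cannot use proxy settings (type 1 or 2) always
// goes direct, so only a matching firewall rule can let it through.
function directAttempt(deviceIp, host, port, rules) {
  return firewallAllows(deviceIp, host, port, rules);
}

// The scenarios from the text, with constructed (hypothetical) addresses.
function demo() {
  const lan = "10.20.30.0/24", pc = "10.20.30.77", host = "vendor.example";
  const rule = [makeRule(lan, host, 443)];
  return {
    viaProxyNoRule: browserAttempt(pc, host, 443, new Set(), []).allowed,                     // true
    exceptionNoRule: browserAttempt(pc, host, 443, new Set([host]), []).allowed,              // false
    exceptionAndRule: browserAttempt(pc, host, 443, new Set([host]), rule).allowed,           // true
    otherSchoolSameRule: browserAttempt("10.99.0.5", host, 443, new Set([host]), rule).allowed, // false
    noProxyDeviceNoRule: directAttempt(pc, host, 443, []),                                     // false
    noProxyDeviceWithRule: directAttempt(pc, host, 443, rule),                                 // true
  };
}

console.log(demo());
```

The `exceptionNoRule` case is the one that catches people out: adding the browser exception on its own simply redirects the request at the firewall, where the default position rejects it. The `otherSchoolSameRule` case shows why the source address matters: a rule scoped to one school's subnet does nothing for a device elsewhere on the network.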