Changes to Web Proxy Overrides
We have recently rolled out some updates to our default web proxy overrides, which are explained in this blog article.
Overview
Both Web Gateway and UTM provide the same overrides system under the Web Proxy -> Filter Override Editor and Web Proxy -> Filter Overrides & Walled Garden pages. The overrides allow parts of the system's functionality to be disabled for requests to certain types of content. Overrides are usually used for the following purposes:
- Whitelisting websites (i.e. disabling all filtering for specific URIs).
- Allowing access to specific websites for users that have the Walled Garden enabled.
- Reducing false positives (i.e. disabling content filtering for certain content that is known to cause a high number of false positives).
- Compatibility (i.e. changing HTTPS interception and authentication settings for traffic that is associated with apps that are incompatible with this functionality).
What's Changed?
The Content types with reduced filtering override has been renamed to Reduced filtering. The web filter will attempt to examine and filter all text content, but some types of text content are known to cause a significant number of false positives, whilst providing very little filtering value. This override was originally used to disable content filtering of certain text-based content types, such as JavaScript. This is still the case, but going forward we will also be using this override to disable content filtering on specific URIs that are known to create false positives. This override does not whitelist any content; the web filter uses a variety of methods to categorise websites, and this override just disables one of those methods for certain content. A website that is listed in this override may still be categorised appropriately and blocked by the configured categories. It is recommended that this override always be enabled, which is the default configuration.
A new Essential services override has been introduced. This reduces how much the web proxy will interfere with traffic that is considered essential for devices to function correctly. Content listed in this override includes:
- Software updates
- Antivirus updates
- Certification authorities
- Parental control systems (* see below)
Depending on the exact circumstances, content listed in this override may not be authenticated and HTTPS connections may not be intercepted. Therefore this content may not appear in a user's reports or count towards their quota. It is recommended that this override always be enabled, which is the default configuration.
* Please note that not all parental control systems are compatible with school online safety systems and their use may significantly impact the school's ability to meet their safeguarding responsibilities. Please contact Opendium Support for further information.
Summary of Default Overrides
Opendium provide a number of overrides and actively manage their content to ensure that they accommodate the requirements of third party software as quickly as possible as those requirements change. Note that for any of these overrides to work, they must be enabled on the appropriate group, user, network or virtual group on the Web Proxy -> Filter Override Editor page, and that this list only reflects their default functionality, which can be edited by the system administrator.
- Allow in walled garden - This contains a list of URIs that are allowed for any users that have the Walled Garden enabled on the Web Proxy -> Filter Overrides & Walled Garden page, in addition to any listed in the Whitelist. Opendium does not populate this override and leaves it up to the individual customers to decide which web sites these users should have access to. Customers are free to create additional overrides for this purpose, if they require different groups to have walled garden access to different content.
- App: * - These overrides significantly reduce the system's ability to filter and log certain traffic, but are required to provide compatibility with certain mobile apps. Schools should be mindful of their ability to meet their safeguarding obligations when enabling these overrides. Usually we recommend enabling these only for networks that contain mobile devices, so that web browsing from workstations is not affected. Please see the descriptions for the individual overrides for more information.
- ChromeOS onboarding - ChromeOS allows single sign-on user authentication using 802.1x (known as "passthrough authentication"), but requires a separate "onboarding" network that is used by the devices prior to a user logging in. This override is used as part of that configuration. We will be publishing a configuration guide for this in the future.
- Disable auth - Requests for URIs contained in this override will not be asked to authenticate. If the system already knows which user is making a request, their user name will still be used, but the system will not demand authentication if the user is not already known.
- Disable HTTP auth - The system will not use HTTP proxy authentication (HTTP Basic, Kerberos or NTLM) for URIs contained in this override, but will identify the user via another method. This is for compatibility with some buggy applications, but is largely unnecessary since the web proxy also uses heuristics to determine when the traffic is associated with a broken application.
- Essential services - Maximises compatibility with network traffic that is required for devices to function, as described above.
- Reduced filtering - Reduces filtering for content that is known to cause false positives.
- Whitelist - This contains a list of URIs that will not be blocked, irrespective of filter category or walled garden settings. With a small number of minor exceptions, Opendium does not populate this override and leaves it up to the individual customers to decide which web sites these users should have access to. Customers are free to create additional overrides for this purpose, if they require different groups to have whitelisted access to different content.
In addition to these default overrides, customers can create additional overrides to fulfil their requirements.
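An added illustration, not Opendium's code or configuration format: a simplified Python model of the distinction drawn above between Reduced filtering, which skips only text content inspection, and Whitelist, which is never blocked. The category table, phrase list, scheme-less URI prefix matching and all names are assumptions made for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Overrides:                      # hypothetical structure, not the product's
    whitelist: set = field(default_factory=set)        # URI prefixes
    reduced_uris: set = field(default_factory=set)     # URI prefixes
    reduced_types: set = field(default_factory=set)    # content types
    reduced_filtering_enabled: bool = True             # the recommended default

# Constructed stand-ins for the filter's data (assumptions, not product data).
URL_CATEGORIES = {"games.example": "gaming", "cdn.example": "uncategorised"}
BLOCKED_CATEGORIES = {"gaming"}
BANNED_PHRASES = ("casino",)

def matches(uri, prefixes):
    return any(uri.startswith(p) for p in prefixes)

def decide(uri, content_type, body, ov):
    """Return (verdict, reason) for one response under the modelled rules."""
    host = uri.split("/", 1)[0]
    # Whitelist: not blocked, irrespective of filter category.
    if matches(uri, ov.whitelist):
        return ("allow", "whitelist")
    # Method 1: categorisation by URL. Reduced filtering never disables this.
    category = URL_CATEGORIES.get(host, "uncategorised")
    if category in BLOCKED_CATEGORIES:
        return ("block", "category:" + category)
    # Method 2: text content inspection, the one method Reduced filtering skips.
    reduced = ov.reduced_filtering_enabled and (
        content_type in ov.reduced_types or matches(uri, ov.reduced_uris))
    if not reduced and any(p in body.lower() for p in BANNED_PHRASES):
        return ("block", "content")
    return ("allow", "reduced-filtering" if reduced else "clean")

def demo():
    ov = Overrides(reduced_types={"application/javascript"})
    js = 'var theme = "casino-royale-skin";'   # constructed false positive
    ctype = "application/javascript"
    results = [decide("cdn.example/app.js", ctype, js, ov),
               decide("games.example/app.js", ctype, js, ov)]
    ov.reduced_filtering_enabled = False       # override switched off
    results.append(decide("cdn.example/app.js", ctype, js, ov))
    ov.whitelist.add("games.example/")         # administrator whitelists the site
    results.append(decide("games.example/app.js", ctype, js, ov))
    return results

if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```
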