Tip:
Highlight text to annotate it
X
This is a tutorial for administrators of Opendium's Iceni online safety systems.
Iceni's filters work by categorising each web request through a variety of methods,
including a large constantly updated database of web addresses and real-time content analysis.
If a web site is determined to belong to a filtered category, it is blocked and the user
is shown an error explaining why.
Whilst we do our utmost to make Iceni's filters as accurate as possible,
sometimes a web site may be misclassified.
If the whole web page has been misclassified, the user will be shown an error explaining
why it has been blocked. Occasionally, the web page itself will appear
to load, but some of its functionality may not work.
This is often because some content which it relies on, such as a JavaScript file, has
been inadvertently blocked. The first thing to do is check the logs to
see exactly what was blocked. You'll need the user name of the user who
experienced a problem or the IP address of the workstation, tablet or phone that they
were using when the problem occurred. It is also very helpful if the user is able
to give you a rough time window when they were having problems.
Go into Reports, Web Proxy and then Logs. Enter the user name or workstation IP address
and set the filter status to "Denied" so the report will only show denied requests.
Select a time window that covers the period when the user was having problems and click
Submit. Short reports should run quite quickly, but
longer reports can take some time. You can click "Send This Report By Email"
and ask for a notification to be sent to you when the report is complete, or just wait
for it to appear. When a page is blocked, any objects embedded
in the page are also blocked, so this report shows quite a few blocked requests.
Lines which have a light red background were blocked because they were embedded in a blocked
page. If I click one of these lines, an information
box pops up with more details, and it shows that this was categorised as ***,
because of the page it was embedded in. However, the lines of this report that we're
really interested in are the ones with the darker red background.
These are web requests that were originally blocked, and clicking on one of them brings
up more details. This shows that the web site's content was
analysed and it scored very highly for the *** category.
If the total score for any category exceeds 100, the web request will be blocked.
It is advisable to double check the web site itself to ensure it really has been miscategorised
before taking any steps to unblock it. There are two methods of unblocking a website,
and you must decide which is most suitable for the web site in question.
The first method is to tell the system to exclude the website from the *** category,
but to continue to filter it for the other categories.
This is useful for websites which are consistently being miscategorised for one category, but
for which you don't want to completely disable filtering.
Click the "Add Exclusion" button next to the relevant category and another dialogue box
will pop up allowing you to specify exactly what to exclude.
Most of the time, excluding the whole domain from the category is appropriate, but you
can select one of the other options if you would like the exclusion to be more specific.
Add a comment to document why the site was excluded and click Ok.
The second method of unblocking a website is to whitelist it.
This will completely disable filtering in all categories, and is useful for approved
educational websites which you know should never be blocked.
Click the "Add to Whitelist" button and another dialogue box will pop up allowing you to choose
how specific to be. Once you have selected an option, add a comment
and click ok. Some applications are incompatible with active
HTTPS interception, and fail to work even when the logs report shows no web requests
are being blocked. Before starting to diagnose this problem,
ensure that the Iceni's interception certificate is installed correctly on the user's device.
If the application provides any logs, check them to see if it is reporting any errors.
Create a new logs report. As before, enter the user name or workstation
IP address. Leave the Filter Status option set to "Any"
and tick "Only technical warnings". Enter the time window that covers the period
when the user was having problems and click Submit.
The report lists encrypted connections that were made, but then not used.
This is usually an indication that the client has rejected the server's certificate.
Although you can often work around the problem by following this tutorial, this is a problem
with the application itself and should be reported to the vendor of the app.
Clicking on a web request in the report brings up more detail about that request.
By clicking the Disable HTTPS Interception button, you can add an override to prevent
the proxy from intercepting this traffic. You can choose to exclude the whole domain
from being intercepted, or add a more specific exclusion.
Add a comment to document the reason for adding the exclusion and click Ok.
Whilst the web requests will still be filtered, disabling HTTPS interception significantly
reduces the effectiveness of the filters and the amount of information available in reports.
As well as using the logs report to quickly unblock websites, the filtering categories
and overrides can be edited directly. The category and override editors provide
a greater degree of control and the ability to edit or delete configuration that has previously
been added through the logs report. To manually add an exclusion to a filtering
category, go to the Filtering Categories tab and click the appropriate category.
Information about the category will be shown on the right, including any comments associated
with the category, and how it is being used. Click "Edit URIs".
The exclusion that was just added through the logs report is listed here, and could
be edited or deleted, but to add a new exclusion, click "Add URI".
In the pop up box you can enter the criteria that will be matched against the web address.
In this case I'll add the entire website by entering the domain name into the Host box,
but you can be as specific as you like. Keep an eye on the example address at the
top of the box, which explains which addresses will match.
The "All TLDs" checkbox is useful for websites which exist under many top level domains,
such as google.com, google.co.uk, etc. You can also choose how partial matches on
the host and path are handled, but in most cases the defaults are fine.
Tick the Exclude from Category box to tell the system that this is an exclusion.
Add an explanation into the comments box to document why you've added the exclusion, click
Ok, and then Save. The web site has now been excluded from the
selected category, but will continue to be filtered for the other categories.
To manually whitelist a website, go to the Web Proxy tab, and then Filter Override Editor.
By default, Iceni servers have an override called Whitelist, which is applied to everyone,
but you could create other user defined overrides for specific groups of users.
Click the Whitelist override, and further information about it will be shown on the
right. Click "Edit URIs".
The website that was whitelisted through the logs report is listed here.
Click "Add URI". As with the filter categories, enter the criteria
to be matched against the web address, and a comment to document the reason for whitelisting
the website. This time, we want to include the address
in the override, so don't tick the Exclude from Override box.
The web site has now been excluded from all filtering.
Whichever method you choose, you can undo the changes by going to the category or override
again and clicking the Delete button next to the address.
The "Disable HTTPS Interception" override can be edited in exactly the same way as the
whitelist. If you have any questions or would like to
attend an Iceni administrator training course you can email support@opendium.com or call
our usual support number. You can subscribe to our Twitter feed at twitter.com/opendium
to get notifications of new tutorials and general information about Opendium, or visit
our website at opendium.com.