Informatization of the university. Providing access to the Internet. Setting up ICS, GPO

Hello. In the last article I went over the legal aspects of Internet access, the architecture and the stack of necessary software. In this article we will configure the ICS itself and do the following:

  1. configure group policies so that clients get the proxy assigned automatically

  2. create rules for the proxy and for the firewall (ME) and learn how to tell the two apart

  3. install an https certificate for traffic filtering

I have prepared a video on Rutube for this article.

So, we have the following test infrastructure:

The DHCP server hands out the following dynamic settings:
IP addresses in the range 192.168.200.30 – 192.168.200.200
gateway: 192.168.200.10
dns1: 192.168.200.1
dns2: 192.168.200.2

In this case, the ICS is both a gateway and a proxy server.

The proxy server supports TCP tunnel connections via the CONNECT method, which lets SSL/TLS traffic pass through it. The proxy is a service that listens on port 3128 (the default) and applies its rules to the traffic that arrives on that port.

How does the traffic end up on port 3128? Through this browser setting:

We automate this setting by creating a group policy on the domain controller and linking it to the organizational unit that contains the users.

Group Policy Management – Right-click an OU and select Create a GPO in this domain and link it…

To be clear: the group policy is applied to the OU that holds our users, so it is a user policy. In the GPO, go to User Configuration – Preferences – Control Panel Settings – Internet Settings and create a configuration for Internet Explorer 10.

Pay attention to the options underlined in red: these are inactive settings and must be activated by pressing F8.

Let’s add a proxy exception in this group policy: traffic to *.a-real.ru will now bypass the proxy, leave through the default gateway of the PC’s network card and arrive at the ICS firewall. At first this site will not open, because an allow rule has to be created on the firewall.

First, let’s create a custom range and add a-real.ru to it.

Now let’s create the allow rule on the firewall (ME).

As a result, this site is open to all clients and its traffic is not intercepted by the proxy.
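As an added example (not part of the original article), here is a PowerShell script you can run on a domain client after `gpupdate` to confirm that the policy above did what we expect: the proxy is set, the bypass entry is present, and the proxy port is reachable. It assumes the proxy 192.168.200.10:3128 and the *.a-real.ru bypass entry from the test infrastructure, and that the GPO sets a single proxy address rather than per-protocol ones; the host names in the last loop are made up for illustration.

```powershell
# Added example, not from the original article: audit a domain client's Internet Options
# after the GPO has applied. Assumptions (from the test infrastructure above): the proxy is
# 192.168.200.10:3128 and the GPO bypass list contains *.a-real.ru; adjust for your network.
param(
    [string]$ExpectedProxy  = '192.168.200.10:3128',
    [string]$ExpectedBypass = '*.a-real.ru'
)

function Get-UserProxySettings {
    # The IE 10 preference item writes to the per-user Internet Settings key,
    # which is why the GPO must be linked to the OU holding the users.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $v = Get-ItemProperty -Path $key
    [pscustomobject]@{
        Enabled = [bool]$v.ProxyEnable
        Server  = [string]$v.ProxyServer      # assumed single "host:port" form, not per-protocol
        Bypass  = @(([string]$v.ProxyOverride -split ';') | Where-Object { $_ -ne '' })
    }
}

function Test-ProxyBypass {
    param([string]$HostName, [string[]]$BypassList)
    # IE bypass semantics: '<local>' matches names without a dot,
    # everything else is a wildcard pattern such as *.a-real.ru.
    foreach ($pattern in $BypassList) {
        if ($pattern -eq '<local>') {
            if ($HostName -notmatch '\.') { return $true }
        } elseif ($HostName -like $pattern) {
            return $true
        }
    }
    return $false
}

$s = Get-UserProxySettings
"Proxy enabled : $($s.Enabled)"
"Proxy server  : $($s.Server)"
"Bypass list   : $($s.Bypass -join ', ')"

if (-not $s.Enabled) {
    Write-Warning 'Proxy is disabled: run gpupdate /force and check the GPO link and security filtering.'
}
if ($s.Server -ne $ExpectedProxy) {
    Write-Warning "Proxy server is '$($s.Server)', expected '$ExpectedProxy'."
}
if ($s.Bypass -notcontains $ExpectedBypass) {
    Write-Warning "Bypass list lacks '$ExpectedBypass': that site will hit the proxy rules, not the firewall rule."
}

# Where would each name be sent? Hypothetical names, used only for illustration.
foreach ($h in 'www.a-real.ru', 'www.example.com', 'intranet') {
    $via = if (Test-ProxyBypass -HostName $h -BypassList $s.Bypass) {
        'default gateway -> ICS firewall rules'
    } else {
        "proxy $($s.Server) -> ICS proxy rules"
    }
    '{0,-18} -> {1}' -f $h, $via
}

# Finally confirm the proxy port itself is reachable from this client.
$proxyHost, $proxyPort = $ExpectedProxy -split ':'
if (-not (Test-NetConnection -ComputerName $proxyHost -Port ([int]$proxyPort) -InformationLevel Quiet)) {
    Write-Warning "Cannot reach ${proxyHost}:$proxyPort - check the client's gateway and the ICS proxy service."
}
```

Run it under the user account the policy targets (the settings live under HKCU), first on a machine where the GPO has applied and then on one where it has not, and the warnings tell you which half of the setup (policy delivery, bypass list or network path to the ICS) is missing.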

Now let’s look at the proxy rules. To begin with, let’s create a list of sites that need to be banned by creating a category:

Users and statistics -> Traffic categories

Create a rule set and add a proxy deny rule to it.

This rule blocks the URLs listed in the selected category. But sometimes a deny rule references a category with a huge list of URLs and you need to allow just one site from that list, without the time or desire to dig through it. In that case you can create a proxy allow rule and add the site you want to open to it. The proxy allow rule exists precisely to make an exception from a deny proxy rule set for a user or a group.

We have covered the basics; now let’s dive into the topic of https filtering …

If this functionality is enough for you, you do not need to enable https filtering.

What is https filtering? Simplified, it is traffic decryption by substituting the https certificate. A certificate is created on the ICS and distributed to the clients via group policy; as a result, the ICS is able to decrypt the pages. Why is this needed? For example, to analyze user actions and check whether a user really uses the Internet for work tasks. When we turned this technology on and saw what search queries users enter … I will not comment further … in general, it was fun … But you must understand that this increases the load on the server, grows the logs and slows down the Internet; such a configuration needs more resources, and a virtual machine may not cope. A physical server can be the solution, but it all depends on the specific configuration and load. We use a virtual machine, because the Internet is not used that often in the computer classes, and that is why we chose virtualization.

But there is a more important task that has to be solved with https filtering specifically: controlling Internet traffic in computer classes. Under 436-FZ “On the protection of children from information that is harmful to their health and development”, content must be blocked according to the lists of Roskomnadzor and the Ministry of Justice. The Roskomnadzor list is a list of sites, while the Ministry of Justice list is a list of words and phrases: templates against which a page must be scanned and blocked if a match is found. Since most sites today use https, the pages have to be decrypted first, and that is exactly what https filtering on the ICS does.

To enable page decryption using an https certificate, you must:

  1. create an https certificate on the ICS,

  2. distribute the https certificate to the clients using group policy,

  3. enable page decryption using the https certificate in the ICS proxy service.
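As an added example, not from the original article or from the ICS vendor, the following PowerShell script checks the result of these three steps on a client: whether the ICS root certificate is in the machine’s Trusted Root store, and whether a site fetched through the proxy is actually re-signed by it. It opens the CONNECT tunnel the same way a browser does, as described earlier. The proxy address is the one from the test infrastructure; the certificate subject pattern and the test site are placeholders to adjust.

```powershell
# Added example, not from the original article: check on a client that the ICS https-filtering
# certificate arrived via GPO and that interception really is in effect for a site. Assumptions:
# proxy 192.168.200.10:3128 as in the test infrastructure; $CaSubjectPattern is a placeholder
# for a distinctive part of your ICS certificate's subject; $TestHost is a hypothetical site.
param(
    [string]$ProxyHost        = '192.168.200.10',
    [int]   $ProxyPort        = 3128,
    [string]$CaSubjectPattern = 'ICS',            # placeholder, adjust to your certificate
    [string]$TestHost         = 'www.example.com' # hypothetical site reached through the proxy
)

function Get-IcsRootCert {
    # A certificate pushed by GPO (Computer Configuration -> Trusted Root Certification
    # Authorities) lands in the machine Trusted Root store.
    Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -like "*$CaSubjectPattern*" }
}

function Get-IssuerViaProxy {
    param([string]$TargetHost, [string]$ProxyHost, [int]$ProxyPort)
    $client = New-Object System.Net.Sockets.TcpClient($ProxyHost, $ProxyPort)
    $stream = $client.GetStream()
    try {
        # Ask the proxy for a TCP tunnel with CONNECT, exactly as a browser does for https.
        $request = "CONNECT ${TargetHost}:443 HTTP/1.1`r`nHost: ${TargetHost}:443`r`n`r`n"
        $bytes = [Text.Encoding]::ASCII.GetBytes($request)
        $stream.Write($bytes, 0, $bytes.Length)

        # Read the proxy's reply one byte at a time so no TLS bytes are swallowed.
        $reply = ''
        $one = New-Object byte[] 1
        while (-not $reply.EndsWith("`r`n`r`n")) {
            if ($stream.Read($one, 0, 1) -le 0) { throw 'Proxy closed the connection.' }
            $reply += [char]$one[0]
        }
        if ($reply -notmatch '^HTTP/1\.[01] 200') {
            throw "Proxy refused CONNECT: $(($reply -split "`r`n")[0])"
        }

        # Handshake through the tunnel. The callback accepts any certificate so we can
        # inspect the issuer even when the chain is not trusted on this machine.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($stream, $false, $accept)
        $ssl.AuthenticateAsClient($TargetHost)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $ssl.Dispose()
        return $cert.Issuer
    } finally {
        $client.Close()
    }
}

$roots = @(Get-IcsRootCert)
if ($roots.Count -eq 0) {
    Write-Warning "No trusted root matching '$CaSubjectPattern': the certificate GPO has not applied on this machine."
} else {
    $roots | ForEach-Object { "Trusted root: $($_.Subject) (thumbprint $($_.Thumbprint), expires $($_.NotAfter))" }
}

$issuer = Get-IssuerViaProxy -TargetHost $TestHost -ProxyHost $ProxyHost -ProxyPort $ProxyPort
"Certificate for $TestHost was issued by: $issuer"
if ($issuer -like "*$CaSubjectPattern*") {
    "https filtering is active: the page is re-signed by the ICS certificate."
} else {
    "https filtering is not in effect for ${TestHost}: the original issuer was presented (decryption is off, or the site is in the proxy exceptions)."
}
```

The two checks fail in different ways and that is the point: a missing root certificate with a re-signed issuer means users will see certificate warnings (step 2 did not apply), while a present root certificate with the original issuer means decryption is not switched on in the proxy service (step 3) or the site is excluded. Printing the thumbprint lets you compare it against the certificate shown in the ICS interface, so an unexpected root in the store stands out.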

To enable the content filter, you must:

  1. create a content filtering rule in the rule set

  2. in the proxy service, enable the checkbox: Use content filter

  3. enable the content filter service and configure it.

To make an exception from the content filtering rules, create a Proxy exclusion rule in the rule set (not to be confused with the proxy exclusions in the browser settings) and enter the URL that should not be filtered.

SkyDNS can also be enabled in the proxy service: it blocks sites from the Roskomnadzor list (but this requires an ICS license that includes SkyDNS).

I have also prepared a video which shows the configuration of the ICS and the policies.

Let’s summarize:

if everyone needs a site and it does not need to be filtered (or the site does not work through a proxy), open it on the firewall (ME) and add it to the proxy exceptions in the group policy; its traffic will bypass the proxy service

if a site needs to be blocked, create a deny proxy rule on the ICS.

if a site is blocked by a deny rule but needs to be opened, create an allow rule.

if you need to decrypt users’ pages, use page decryption with an https certificate.

if the content filter should not apply to a URL, create a proxy exception in the rule set.

in computer classes we always enable https filtering; for ordinary users it depends on the policy of your institution.

The ICS lets you set up Internet access quickly and easily while observing all the required legal norms, but thanks to those norms a trivial task grows numerous nuances. I won’t comment further; I leave that right to you, my dear readers))). I described everything step by step; if I forgot something, write to me and I will take it into account.

Link to the official ICS site

Link to ICS documentation
