How good is your 3rd party web filtering system?

Ok – my position in this game? I work for a Local Education Authority, I started working here about 6 years ago and at this time we had just installed a new proxy server (called a CachePilot) in every school (lovingly renamed a Crash-Pilot) due to its ability to fall over ever few weeks!

Back in those days it used black and white lists and quickly evolved to use Smart Filter and now Smoothwall in the latest release. Smoothwall and Smart Filter are both very good heuristic based filtering systems that initially worked very well and give exactly what we wanted, not only for us as a LA but also met the requirements of the regional grid for learning we are part of.

So why look at something else if this does the job? Ultimately the 2 biggest reasons are the cost and the ability to control what’s filtered. Breaking it down:

Cost – over £1k per primary school and almost £1800 per secondary every 3 years for a new unit. Plus £200-£400  on yearly maintenance fees

Support – completely cr@p, 12+ weeks turnaround from Equiinet in some cases for nothing more than HDD failures leaving schools with no internet filtering during this time

Control – these things are hard to manage when you have 80+ of them, making changes manually on each one takes days and many man hours, or takes a few days to get an update sent out from the regional grid for learning we are part of.  Also ensuring that we have a consistent configuration became a never ending challenge

So what options do you have? I guess it depends on your position – an individual school or a LA?

#As an individual school you probably have a choice as to what you do, you could put your own system in, buy a system such as the Cachepilot or just go with what the LA provide

#As a LA you may make the decision, or you may have to go with what your schools / customers want

Either way, where next? Regardless of being a school or LA you as an IT manager have to consider this – whatever you decide it puts you in the firing line if it goes wrong!! BECTA may be gone but it’s always worth following what advice is left behind, also you don’t want to put in a web filtering system written for an operating system you’re not familiar with by a 18 year old college dropout who will offer you no support when it goes wrong!

What we did – well for 6 years we moaned about how cr@p the support and filtering was. And we looked at filtering systems such as Blox and Dans Guardian but they either didn’t do what we wanted or we didn’t have the expertise to support them. Then along came an unlikely solution. Microsoft! Now I’m a Microsoft guy, always have been, and probably always will be, but even I was surprised to find that with the release of Forefront Threat Management Gateway 2010 there is now a web filtering system!

Heuristic scanning? White & Black Lists? Content Categories? Malware detection? User based filtering? Active Directory integration? Reporting? Ability to cluster / high availability and central configuration? Yep it’s got it all, even the ability to force Safe Search (on search engines that support it) it has all that we need!

Still, in a state of shock that this could all be possible with a Microsoft product we proceeded with caution, scepticism and a bit more caution just to be safe!

So one Thursday morning (me sleep deprived from 2 weeks of insomnia and my colleague very hung over from a night out) we installed a TMG box, enabled web access protection with the recommended block list, added a few changes of our own and played around with some test machines / users.

By the end of the day we moved one of our schools over to the TMG proxy and never looked back! All primary schools in our LA will remove the Cachepilots by April 2011 and move to a centrally hosted solution and the secondary’s will move when they want to or when they are due hardware refreshes

We customise it as we need it, report sites to help improve the service and have cut helpdesk calls and management drastically!

Summing up: as I said, im a Microsoft guy and generally like all things Microsoft but I think this is worth a look at, especially if you have experience with ISA server 2004+, the config is easy and the power of the filtering is excellent, so is the reporting. The costs are also far less than that of a Cachepilot and probably less than a lot of other filtering options as well so take a look! You may not only make your life easier and cut support time but also lower costs as well