LDS Extended Access is quite restricted

[techgy]

We are on the LDS Extended Access, and each of the original sites mentioned in the thread work at our building. The familysearch.org site is timing out.

Some corrections were made to Extended Access since my original post a few weeks ago.
However, we continue to have problems with Ancestry.com not letting us log out.
That discussion is on another thread.

According to someone whom I spoke to yesterday at the GSD (Global Service Desk) in SLC, Extended Access will not permit any https site. Family Search doesn't require the security until you login.

I was told that to have access to any page that requires "https" security you need to switch to the "General" access level. Now I state this with a certain intrepidation. Each time I call the GSD I seem to get a slightly different slant on things so my statement might not be 100% correct. I've never pressed them for the details in filtering levels.

[aebrown]

According to someone whom I spoke to yesterday at the GSD (Global Service Desk) in SLC, Extended Access will not permit any https site. Family Search doesn't require the security until you login.

I was told that to have access to any page that requires "https" security you need to switch to the "General" access level. Now I state this with a certain trepidation. Each time I call the GSD I seem to get a slightly different slant on things so my statement might not be 100% correct. I've never pressed them for the details in filtering levels.

The statement given to you that any HTTPS access requires "General Access" level is not true. Certain HTTPS sites may require that level, but certainly not all. A specific counterexample is logging in to ldscatalog.com, which definitely uses HTTPS. That didn't work for a while on the LDS Extended Access filtering level, but multiple people reported the problem and it has been fixed.

I have to think that whatever was done to fix logging in to ldscatalog.com could be done with any other HTTPS site, given enough desire and effort on the part of whoever is in charge of the filtering levels.

[bhfletcher]

We have the Extended Access. We can't get to scout sites like the official BSA site (www.scouting.org) or www.utahscouts.org and several others. The block page states the reason as "Social and Affiliation Organizations - This category is filtered." How do I make requests for sites to be unblocked? I do not have a link on the block page to request it be unblocked. Is my only other option to email websense? Definitely seems like a mistake that scouting sites be blocked behind the church firewall.

Thanks,
Bryan

[aebrown]

We have the Extended Access. We can't get to scout sites like the official BSA site (www.scouting.org) or www.utahscouts.org and several others. The block page states the reason as "Social and Affiliation Organizations - This category is filtered." How do I make requests for sites to be unblocked? I do not have a link on the block page to request it be unblocked. Is my only other option to email websense? Definitely seems like a mistake that scouting sites be blocked behind the church firewall.

Yes, the way to request is to email suggest@websense.com and request recategorization. I have seen quick response (within a day) on sites that are not categorized. Sites where the category needs to be changed might take a bit longer, but that is the way to do it.

If the stake president approves it, another filtering option that is now available is called General Access. This is the filtering level used in Family History Centers, and it is more permissive. I know it allows www.scouting.org, and it might allow the other sites you are interested in.

Definitely seems like a mistake that scouting sites be blocked behind the church firewall.

Remember that the Church is not in the business of designing filtering -- that is a huge job that is not central to the mission of the Church. Thus the Church depends on Cisco to provide hardware, and on Websense to manage filtering. The Church didn't make a decision to include or exclude Scouting sites -- those decisions were made by a third party that the Church relies on. So please be patient and work through the approved process.

[jdlessley]

Definitely seems like a mistake that scouting sites be blocked behind the church firewall.

Remember that the Church is not in the business of designing filtering -- that is a huge job that is not central to the mission of the Church. Thus the Church depends on Cisco to provide hardware, and on Websense to manage filtering. The Church didn't make a decision to include or exclude Scouting sites -- those decisions were made by a third party that the Church relies on. So please be patient and work through the approved process.

Adding to what Alan posted, we have to keep in mind the history of internet access for local units. It wasn't until February of 2008 that local units had access to the internet outside family history centers or FM offices. The Church is still growing in meeting the needs of units through internet access. We also have to remember that the responsibility for internet access has been pushed down to, or left up to, the stake president. He decides what level of filtering is going to be used of the three levels now available. If the filtering seems to be too restrictive you must first contact your stake technology specialist. If you are the stake technology specialist then you should council with the stake president to see what best suits your stake and local unit needs.

[aebrown]

The Church didn't make a decision to include or exclude Scouting sites -- those decisions were made by a third party that the Church relies on.

As I reread what I wrote above, I can see that it might be somewhat misleading. What I meant to say was that the Church did not decide what category to assign to any particular site, including Scouting sites. However, the Church did decide which categories would be included in each filtering level.

So the Church did make a decision that the LDS Extended Access filtering level would not include sites in the Social Networking category. That decision, combined with the decision by Websense to categorize the Scouting sites mentioned above in that category, indirectly excluded the Scouting sites because of their categorization, but not because the Church made the conscious decision to exclude those sites.

I assume that the filtering levels also have behavior specified for a few specific sites. For example, I would guess that the Church made sure that all lds.org sites are allowed, regardless of how Websense might categorize them. But that's just my conjecture.

[bhfletcher]

Thanks for your responses. I understand now from your explanation how the BSA sites are being blocked. I am the Stake Tech Specialist, and I have counseled with our Stake President. When we set up internet, we were only given two options, and the President asked me to set up the less restrictive of the two.

You say that General Access is now an option. How do I find out more about that? What is the difference in filtering level between General and Extended Access? If my President decided to go that route, can I just call HQ and request a change in filtering level?

If I send a message to Websense, to what category do I ask them to recategorize the BSA sites? I haven't seen a category list, nor do I know which ones are blocked and which ones acceptable.

[jdlessley]

You say that General Access is now an option. How do I find out more about that?

If you go back and start from the beginning of this thread you will get an understanding. There is also another thread, Extended Access Problem, that discusses General Access.

What is the difference in filtering level between General and Extended Access?

That is also discussed earlier in this thread and the Extended Access Problem thread.

If my President decided to go that route, can I just call HQ and request a change in filtering level?

Yes, call the GSD. It will require them to script your device for that level of filtering.

[dtaylor26-p40]

Disclaimer: I didn't read every detail of the previous 8 pages of forum posts, so this might conflict with what has been said there.

However, on 1/31/09 I was getting the firewall set up at our stake center. As I spoke with the GSD (it's necessary to call them to get your firewall working), I asked what the procedure was if we find there's a site we want to access. The kind young man on the phone indicated that all that was needed was for me, with Stake President approval, to contact the GSD and the site could be authorized through the firewall local to the building. I THEN asked, "So, is the site access rule script based on a master script that gets uploaded to each firewall, then tweaked by the GSD and reloaded as needed?" The answer was yes.

I have yet to test this, as I am still making a list of sites that we can't get to. (Most of the ones in question are, in fact, BSA sites, but MANY BSA sites are not 'official' sites, but rather supporting sites run by BSA supporters. I don't know if that will be an issue in getting access approved, but as of last Saturday, the procedure was a phone call to the GSD).

Good luck, but whatever you do, DON'T hack the next door neighbor's wireless signal to complete rechartering. (Funny jab, but we had a ward doing that, and more).

[aebrown]

Disclaimer: I didn't read every detail of the previous 8 pages of forum posts, so this might conflict with what has been said there.

However, on 1/31/09 I was getting the firewall set up at our stake center. As I spoke with the GSD (it's necessary to call them to get your firewall working), I asked what the procedure was if we find there's a site we want to access. The kind young man on the phone indicated that all that was needed was for me, with Stake President approval, to contact the GSD and the site could be authorized through the firewall local to the building. I THEN asked, "So, is the site access rule script based on a master script that gets uploaded to each firewall, then tweaked by the GSD and reloaded as needed?" The answer was yes.

That last statement is basically correct, but it gives the impression that once the script has been uploaded, the list of allowed sites is only changed by the GSD reloading or updating the script for that particular firewall. I don't think that's the whole story, since we know that it is possible for Websense to change the categorization of a site, which can make that site accessible for all firewalls on a particular filtering access level. I doubt that a change to Websense categories (which happens every day) requires a modification of the script on every firewall, but rather that part of the filtering script accesses some Websense server for category information.

It is indeed helpful to know that the GSD can program individual exceptions. That might be the most expedient solution for certain sites, and I appreciate your taking the time to post this information.

But changing the categorization of a site at Websense, or having the GSD change the default script to allow or disallow whole categories, will benefit hundreds or thousands of installations. Having the GSD fix one firewall only helps one installation. So where there are obvious sites that should be allowed or disallowed for all installations using a particular filtering level, it would be helpful to the larger community if people would work through the more general solution, even though it may be a bit more work.