Meetinghouse Internet now open to US and Canada

Posted: Mon Aug 11, 2008 8:52 pm
by russellhltn
As mentioned in another thread, the Meetinghouse Internet program has been expanded to "the United States and Canada Area". This was announced on Aug 8, 2008. staketech.lds.org has not yet been updated, but the policies are the same as for the Utah and Southwest areas, so you should be able to find the details you need.

Keep in mind that if your facility already has an Internet connection, for example, to support a FHC, Institute, or Church employee offices, you are to share those services rather than install a new Internet connection.

As always, a church supplied firewall is required.

Before administrative computers can be connected, they must be updated with either Desktop 5.5, or the security software found on mls.lds.org (The stake clerk has the password.)

Posted: Mon Aug 11, 2008 10:13 pm
by 1historian-p40
Where can I find a copy of the letter opening up the Internet connection to all units in the US?

Posted: Mon Aug 11, 2008 10:52 pm
by aebrown
1historian wrote: Where can I find a copy of the letter opening up the Internet connection to all units in the US?

Your stake president should have a copy on paper; he also has access to the online archive of official letters.

We assume it will be posted at clerk.lds.org eventually (since the other three letters on this topic have all been posted there). But I have no idea when that will happen.

I have a copy of the letter in my possession; if you look at this post, you can tell exactly what it says.

Posted: Sat Aug 16, 2008 9:27 am
by SheffieldTR
The notice releasing Meetinghouse Internet to the rest of the US and Canada will be posted on clerk.lds.org soon. I would like to add one point of additional clarification. As stated, if you have an approved Internet connection already for Family History or FM office, etc, then yes share it. If you already have an unapproved connection from before this program came out, then please order a firewall and put it on the existing connection. Getting one later is better than not getting one at all. :)
Thanks

Posted: Sat Aug 16, 2008 10:18 am
by Mikerowaved
tsheffield wrote: If you already have an unapproved connection from before this program came out, then please order a firewall and put it on the existing connection.
This is what we are in the process of doing; however, when I put the FHC behind the ASA (Extended Access) firewall, I immediately ran into problems with the researchers bitterly complaining they couldn't get to a few important research sites, genealogy tutorials (a couple from BYU), and other things that the firewall now blocked. Granted, most sites worked, but the few that didn't (I don't have their list in front of me) were enough to put a serious dent in their research.

I called GSD back, explained the situation, and asked if there was anything we could do. They first verified we were on "Extended Access", then asked about the firewall itself. The answer was, if this is an "OFFICIAL" Family History Center (I guess there are quite a few UN-official ones around), then we should have ordered the PIX firewall. It uses a different filtering method that is a bit more relaxed than the ASA. The ASA firewall is recommended for all new installations that do NOT have an FHC at the same site.

Just a heads-up for those in a similar situation.

Mike

Posted: Sat Aug 16, 2008 11:47 am
by james_francisco
The only problem with that advice is that Cisco no longer sells the PIX 501 device. See http://www.cisco.com/en/US/products/hw/ ... index.html for details. What units creating an FHC behind an ASA 5505 appliance need to do is get to the second level support team at the Global Service Desk. They will have the knowledge and tools to assist in adapting the security rules on the ASA device.
Mikerowaved wrote: The answer was, if this is an "OFFICIAL" Family History Center (I guess there are quite a few UN-official ones around), then we should have ordered the PIX firewall. It uses a different filtering method that is a bit more relaxed than the ASA. The ASA firewall is recommended for all new installations that do NOT have an FHC at the same site.

Just a heads-up for those in a similar situation.

Mike

Posted: Sat Aug 16, 2008 2:11 pm
by Mikerowaved
James_Francisco wrote: The only problem with that advice is that Cisco no longer sells the PIX 501 device. See http://www.cisco.com/en/US/products/hw/ ... index.html for details. What units creating an FHC behind an ASA 5505 appliance need to do is get to the second level support team at the Global Service Desk. They will have the knowledge and tools to assist in adapting the security rules on the ASA device.
That's who I was working with most of the day yesterday. They had no options for me for the ASA other than swapping it out. They apparently still have an inventory of PIX boxes for the few installations that may require it. (Of course, the answers you get often depend on the person you get on the other end of the line.)

Posted: Sat Aug 16, 2008 3:12 pm
by SheffieldTR
We are currently working on an additional filtering profile that is very similar to that used in the PIX. Unfortunately I cannot give you a date yet on when it will be available. Thank you for bringing this to our attention.

Posted: Sun Aug 17, 2008 3:21 pm
by Mikerowaved
tsheffield wrote: We are currently working on an additional filtering profile that is very similar to that used in the PIX. Unfortunately I cannot give you a date yet on when it will be available. Thank you for bringing this to our attention.
Thanks for letting us know it's being looked into. Even though a date isn't available, just knowing you folks are aware of the problem and are addressing it means a lot. BTW, the head genealogist at our FHC went to another location that was using the PIX firewall and verified the list of websites she needed that were being blocked by the ASA-Extended device were indeed being allowed by the PIX.

Too bad we can't add a 3rd VLAN in the ASA configuration to assign certain ports for PIX-style filtering to be designated for FHC use and other ports with standard ASA filtering for administrative computers. I know, probably asking too much. ;)

Posted: Sun Aug 17, 2008 10:57 pm
by jdlessley
Mikerowaved wrote: Too bad we can't add a 3rd VLAN in the ASA configuration to assign certain ports for PIX-style filtering to be designated for FHC use and other ports with standard ASA filtering for administrative computers. I know, probably asking too much. ;)
I am with you Mikerowaved. However, I don't think it is asking too much - if that is what is necessary to effectively manage a network and provide the service to local leaders and members and provide the necessary security from within and from without and be good fiduciary managers of the Lord's money. Do we unwisely expend financial resources as work-arounds for a solution that should require little more than a configuration change? I am hoping not.