familysearch indexing through Cisco ASA 5505 Firewall

Discussions about Internet service providers (ISPs), the Meetinghouse Firewall, wired and wireless networking, usage, management, and support of Meetinghouse Internet
LakeyTW
Member
Posts: 86
Joined: Fri Jan 19, 2007 3:29 pm
Location: Salt Lake City, UT

#11

Post by LakeyTW »

genman99 wrote:FYI. In case nobody else has done it, I went ahead just now and sent the following email to Websense at suggest@websense.com:
LDSAccess Problem Report

Websense representative:

I understand that Websense manages the firewall filter settings for LDSAccess used for meetinghouse internet access throughout the various local buildings for The Church of Jesus Christ of Latter-day Saints. Is that correct? My understanding is that there are three levels of security filter settings for LDSAccess:

1) "LDS Restricted Access" - Only allows access to LDS Church sites and web-mail sites
2) "LDS Extended Access" - More open, but blocks known inappropriate material
3) "General Access" - More open yet, but still blocks known inappropriate material

Many people have experienced problems of being blocked when going to the LDS website for FamilySearch Indexing. Getting to the Indexing site should be something that should work for all three security levels since it is an LDS Church site. It currently is only working for the "General Access" level.

Please resolve this problem and allow Indexing to work for LDS Restricted Access and LDS Extended Access levels. The following is the website, and the problem occurs after trying to Sign In (upper right):

http://indexing.familysearch.org

Has a problem report been written for this problem? If not, please write one. When will it be resolved and pushed out to the firewall routers in all of the LDS Church buildings?

Thanks.
Websense will have no idea of what sites are allowed or disallowed by various filtering policies. Nor does Websense manage those policies. Websense categorizes sites. The Church chooses which categories of sites are allowed for each profile. Then the Stake chooses which profile they want applied locally.

Websense cannot resolve this as they have likely categorized the site correctly.
genman99-p40
New Member
Posts: 9
Joined: Sat Jan 16, 2010 5:09 pm
Location: USA

Indexing via meetinghouse internet - Websense Response

#12

Post by genman99-p40 »

Alan, thanks for the clarification on terminology.

FYI, I received a response email back from Websense as follows:
-----------------

Thank you for writing to Websense.

The site you submitted has been reviewed. We have made an update to the following URL in our master database to address this issue:

http://indexing.familysearch.org/ - Reference Materials

Please note that it is your organization’s local administrator who determines what categories are to be restricted. If you would like to access this site, we recommend that you contact this person and request that either the category or specific URL be custom-permitted.

Categorization updates should be available in the next scheduled publication of the database. A new database is published every business day, five days a week, Pacific Standard Time. You should notice any updates referred to in this message within 72 hours.

Thank you for your assistance,

The Websense Database Services Staff
S.G
Monday, January 18, 2010 6:20:31 AM

**************************************************************************
The new and improved online Site Lookup and Category Suggestion Tool provides easy and fast support for all your categorization-related needs. To start using the tool today, please visit https://www.websense.com/SupportPortal/SiteLookup.aspx

**************************************************************************

-----------------
FYI, I wrote them back and asked them to add the secure URL to the master database also:
https://indexing.familysearch.org
genman99-p40
New Member
Posts: 9
Joined: Sat Jan 16, 2010 5:09 pm
Location: USA

Re: Indexing via meetinghouse internet - Websense Response

#13

Post by genman99-p40 »

Follow-up questions on the following couple of quotes in this thread:
jdlessley wrote:The firewall filtering is done through a service called Websense. Changes in the levels of filtering are done by Websense. ... The Global Service Center cannot change the categories for filtering levels. We can submit requests to Websense to have websites considered for inclusion or removal from a category.
genman99 wrote:(From Websense email reply): ... Please note that it is your organization’s local administrator who determines what categories are to be restricted. If you would like to access this site, we recommend that you contact this person and request that either the category or specific URL be custom-permitted.

Categorization updates should be available in the next scheduled publication of the database. A new database is published every business day, five days a week, Pacific Standard Time. You should notice any updates referred to in this message within 72 hours.
Not sure that I completely understand that ambiguity. Seems like Websense is saying they can add URLs to their master database, but they also say that "your organization's local administrator" can make a "category or specific URL be custom-permitted". But it sounds like WE are saying that our "local administrator" (i.e. I assume that means the Global Service Center?) is NOT setup to do this tailoring, even though most of Websense clients can. In any case, Websense has added http://indexing.familysearch.org (and hopefully also the https version of the URL) to the list of allowable URLs. Somebody who has LDS Restricted Access or LDS Extetnded Access filter level in their meetinghouse can test this out after 72 hours (i.e. after Thursday) and see if it now works. If not, we need to figure out what additional server URL needs to be forwarded to Websense to be added to their master database.

If you test in your meetinghouse (that previously wasn't allowing access to Indexing) after Thursday, please post results here so we minimize duplicated effort. I really appreciate this forum and this thread in particular.
genman99-p40
New Member
Posts: 9
Joined: Sat Jan 16, 2010 5:09 pm
Location: USA

Indexing via meetinghouse internet - How to fix for all filter levels?

#14

Post by genman99-p40 »

Nevermind testing this Thursday yet. I didn't see the following post from lakeytw until just now.
lakeytw wrote:Websense will have no idea of what sites are allowed or disallowed by various filtering policies. Nor does Websense manage those policies. Websense categorizes sites. The Church chooses which categories of sites are allowed for each profile. Then the Stake chooses which profile they want applied locally.

Websense cannot resolve this as they have likely categorized the site correctly.
So, I'll go back to my original question. Why can't the Global Service Center, or whoever has responsibility for tailoring the filter levels (LDS Restricted, LDS Extended, and General Access) fix/tweak the filter setting levels to also allow access to the Church's indexing server? Who is the contact person for that? Does anybody know? Does anybody know who would know?
User avatar
aebrown
Community Administrator
Posts: 15153
Joined: Tue Nov 27, 2007 8:48 pm
Location: Draper, Utah

#15

Post by aebrown »

genman99 wrote:Seems like Websense is saying they can add URLs to their master database, but they also say that "your organization's local administrator" can make a "category or specific URL be custom-permitted". But it sounds like WE are saying that our "local administrator" (i.e. I assume that means the Global Service Center?) is NOT setup to do this tailoring, even though most of Websense clients can. In any case, Websense has added http://indexing.familysearch.org (and hopefully also the https version of the URL) to the list of allowable URLs. Somebody who has LDS Restricted Access or LDS Extetnded Access filter level in their meetinghouse can test this out after 72 hours (i.e. after Thursday) and see if it now works. If not, we need to figure out what additional server URL needs to be forwarded to Websense to be added to their master database.
You are combining two distinct elements of the filtering, which I think is leading to some confusion.
  1. Websense is responsible only for categorizing websites. They have a whole list of their standard categories, which you can see here. You can ask Websense to categorize uncategorized sites, or to change the category of a particular site, by sending a request to suggest@websense.com, as you have done in this case.
  2. The Church-managed firewalls then use these categories to decide whether to allow access to a particular site. There are different sets of categories allowed for the three filtering levels (LDS Restricted Access, LDS Extended Access, and General Access).
The Church doesn't get in the business of categorizing sites, and Websense doesn't get in the business of deciding which categories are allowed on Church-managed firewalls for particular filtering levels.

So just because Websense has assigned a category to a particular site, you can't then assume that that site will be unblocked for any particular filtering level. Uncategorized sites are always blocked (I'm pretty sure this is true), so it may well help to categorize an uncategorized site. But there's no guarantee that it will then be allowed.

Unfortunately, there is no way that I know of to determine which of Websense's categories are blocked or allowed by each of the three firewall filtering levels. That would be nice to know, but it may be that the Church has good reasons for not publishing that list.
genman99 wrote:So, I'll go back to my original question. Why can't the Global Service Center, or whoever has responsibility for tailoring the filter levels (LDS Restricted, LDS Extended, and General Access) fix/tweak the filter setting levels to also allow access to the Church's indexing server? Who is the contact person for that? Does anybody know? Does anybody know who would know?
The filtering is done on a category basis. So if a particular site, such as familysearchindexing.org, is in category X, then it would be allowed for a particular filtering level only by allowing all sites in category X. There may be reasons why the Church chooses to block category X for a particular filtering level.

Of course you could game the system by saying that category Y is allowed for a particular filtering level, so familysearchindexing.org should be in category Y, but that's not how Websense works -- they use their guidelines to put each site in what they consider to be the correct category.

I suppose it's possible that the Church can make exceptions for sites in the filtering profiles that would allow some sites, even though their category is blocked. But if that were the case, it seems to me that they would have allowed all Church-owned sites long ago. Since they haven't done that, I suspect that the current system requires them to work with categories determined by Websense.

The Global Service Center either can make the changes in what categories are allowed for each filtering level, or would know who would be able to do so. I'm sure it would require some authorization higher than just the GSC.
LakeyTW
Member
Posts: 86
Joined: Fri Jan 19, 2007 3:29 pm
Location: Salt Lake City, UT

#16

Post by LakeyTW »

Alan_Brown wrote:I'm sure it would require some authorization higher than just the GSC.
I have escalated these URLs to those who can make that decision.
genman99-p40
New Member
Posts: 9
Joined: Sat Jan 16, 2010 5:09 pm
Location: USA

Indexing via meetinghouse internet - How to fix for all filter levels?

#17

Post by genman99-p40 »

Alan_Brown wrote:... I suppose it's possible that the Church can make exceptions for sites in the filtering profiles that would allow some sites, even though their category is blocked. But if that were the case, it seems to me that they would have allowed all Church-owned sites long ago. Since they haven't done that, I suspect that the current system requires them to work with categories determined by Websense.
According to Websense's email response, the local administrator (the Church) can make exceptions by URL even if the rest of the category for that URL is blocked. The URL(s) for the indexing site have changed "recently", so I just suspect that this fell through the cracks and the URLs are/were both uncategories by Websense and/or not updated in the LDS Restricted and LDS Extended database for church-site exceptions. Now is a good time to fix that.
-----------
I appreciate your patience with me as I come up to speed on this and try to get it resolved. In summary, I glean then that there three possible paths to get this resolved:

1) Change level in your local building meetinghouse internt to "General Access". That works for sure. Requires Stake President to ask STS to ask GSC to remotely change the filter level. If your building is a FHC, then you already have this. That's the current way around this problem.

2) Have whoever is responsible for the filter level settings (LDS Restricted, LDS Extended, and General Access) tweak the filter settings to specifically allow the Church's new indexing server URL(s). Seems reasonable, but don't know who that is nor how to contact them. Thanks for forwarding this issue up the line lakeytw

3) Have Websense categorize the Church's indexing server URL(s) (which were likely currently uncategories) and hope that that will then allow the current filter settings of LDS Restricted and LDS Extended to then not "block by category". This is sort of hit-and-miss and trial-and-error to get the right category. But I imagine that it will work since I can't image that Websense will categorize the Church's indexing site as something that would be an offensive category.

So since I made an attempt at #3, maybe we should test Indexing via meetinghouse internet again after Thursday. I think we are converging on the solution. Thanks for all the inputs.
genman99-p40
New Member
Posts: 9
Joined: Sat Jan 16, 2010 5:09 pm
Location: USA

How do Websense database updates get distributed to meetinghouses?

#18

Post by genman99-p40 »

I received email confirmation back from Websense that they are categorizing both of the following URLs as "Reference Materials":

http://indexing.familysearch.org/
https://indexing.familysearch.org/

They said the categorization updates should be available in the next scheduled publication of the database (e.g. by Thursday). It is not clear to me if that means it automatically gets pushed to all of the firewall equipment in each of the meetinghouses. Does GSC (or some Church IT admin) need to do something to push that, or is it automatic when Websense "publishes"?

By the way, "Reference Materials" sounds so generic that it probably isn't much better than "Uncategorized". So I don't out much hope that Indexing will start working for LDS Restricted and LDS Extended on Thursday.

We just need to get the LDS Restricted and LDS Extended trusted site list updated to include those trusted URLs.

In the meantime, I'm not going to hold my breath, and we will probably go with the current known workaround and get the filter level changed to "General Access" for all of the buildings in our stake.

Thanks.
User avatar
aebrown
Community Administrator
Posts: 15153
Joined: Tue Nov 27, 2007 8:48 pm
Location: Draper, Utah

#19

Post by aebrown »

genman99 wrote:It is not clear to me if that means it automatically gets pushed to all of the firewall equipment in each of the meetinghouses. Does GSC (or some Church IT admin) need to do something to push that, or is it automatic when Websense "publishes"?
It's automatic.
genman99 wrote:By the way, "Reference Materials" sounds so generic that it probably isn't much better than "Uncategorized". So I don't out much hope that Indexing will start working for LDS Restricted and LDS Extended on Thursday.
I assure you that "Reference Materials" is much better than "Uncategorized." When a site is uncategorized, the risk is unknown, so it's automatically blocked. If a site is categorized as "Gambling" it will be blocked. But a generic-sounding category like "Reference materials" has a decent chance of being allowed. However, as I said before, I don't know which categories are allowed by which filtering level, so I certainly make no guarantees.
genman99 wrote:We just need to get the LDS Restricted and LDS Extended trusted site list updated to include those trusted URLs.
That's if there even is such a list. I haven't seen any documents or posts that indicate that such a list exists (but I don't know it doesn't exist, either).
genman99 wrote:In the meantime, I'm not going to hold my breath, and we will probably go with the current known workaround and get the filter level changed to "General Access" for all of the buildings in our stake.
That's certainly the simplest choice, if your stake president is comfortable with it. We have found in all our buildings (even those without a FHC), the wards teach family history classes where it's helpful to have a wider range of sites available. So far we have had no problems caused by the less restrictive filtering.
genman99-p40
New Member
Posts: 9
Joined: Sat Jan 16, 2010 5:09 pm
Location: USA

Indexing access for meetinghouse internet - Filter levels

#20

Post by genman99-p40 »

Alan_Brown wrote:That's if there even is such a list. I haven't seen any documents or posts that indicate that such a list exists
By definition the list must exist, at least for the "LDS Restricted Access" filter level, because it is advertized as being just LDS Church sites plus web-mail. Not sure how you would do that without a list of the site URLs, unless there is actually a Websense category called "LDS Sites", which is not likely.
Alan_Brown wrote:We have found in all our buildings (even those without a FHC), the wards teach family history classes where it's helpful to have a wider range of sites available. So far we have had no problems caused by the less restrictive filtering.
That's a good point. We teach family history classes in our ward building (non-FHC) too and have been hampered by the filter blocking. Your experience provides further reason for us to just go with "General Access" for all of the buildings in our stake, even if they fix the other two filter levels.
Post Reply

Return to “Meetinghouse Internet”