LGfL 2.0 attempt 1.1

A weekend or so ago, our most excellent technician did the fantastic job of switching our school over to our LGfL 2.0. We were going to wait until the Easter holidays to do it until someone from LGfL pointed out that we were running two broadband connections, which was costing lots of money so please can you switch over as soon as you possibly can, thank you.

The switchover did involve moving all the admin computers into the curriculum subnet as the new firewall couldn’t cope with different subnets using the same cabling. But all seems to be working now. I’ve managed to tame WebScreen enough so that most people can access most of what they need, and we’ve turned off all the proxy servers so that people can even get Internet access.

How has anyone else found the switch?

LGfL 2.0 attempt 1.0.1

Tomorrow we plan to revert back to our old Synetrix broadband. Now that’s what I call a broadband fail! The only advantage for the Admin network was faster broadband, but the downside was no access to Curriculum shared files and no VPN access from our second site. Not a great trade-off if you ask me.

Instead we’re going to wait until the next holidays (April) and attempt it then, merging our Admin and Curriculum networks into one and extending our IP range to accommodate more devices as well. It’s a big job – let’s hope that it works better than the last time.

LGfL 2.0 attempt 1.0

We had quite an ambitious but not unreasonable plan today of switching over our broadband at school to LGfL 2.0 by the end of the day. We nearly managed it, but with several large stumbling blocks.

We started out tackling our admin network, as they only have 13 computers and a server.  This was working quite well until we realised that users could browse the internet but couldn’t access any services from the server (such as shared documents and databases etc.).  Not good.  This is because LGfL 2.0 does web filtering by requiring each computer to use a given external DNS rather than a local one, or something like 8.8.8.8 from Google.  If you set the external DNS first, then you can’t see the server; if you set the internal DNS first, then you can’t see the Internet.  Aaarrrghhhh!

After several fraught conversations with Atomwide we eventually got it to work by getting the server’s DNS to forward external requests to the external DNS.  We had tried this previously, but we only got it to work by completely rebuilding the DNS.

After doing a second sweep of the Admin computers to check they worked properly, we moved onto the Curriculum network.  At first, this seemed pretty straightforward as the old proxy server could be turned off on the PCs with a judicious tweak of the Group Policies and the Macs could be adjusted by pushing out the following commands using Apple Remote Desktop:

networksetup -setwebproxystate Ethernet off
networksetup -setsecurewebproxystate Ethernet off

Bargain.  Changing the DNS settings on the server seemed to be a little more straightforward and soon the Internet was up and running successfully.
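The two networksetup commands above only change the service named Ethernet, so a Mac that is on Wi-Fi keeps its old proxy settings. The script below is an added example, not part of the original post: it goes a step further by switching both proxies off on every enabled network service and then reading the settings back to confirm. The function names and the `--apply` argument are made up for this illustration, and it assumes the script runs with admin rights (for instance sent as root from Apple Remote Desktop).

```shell
#!/bin/bash
# Added example: disable the web proxies on every enabled network service
# and report any service where a proxy is still switched on.

# Enabled services only: drop the explanatory first line of the listing
# and any service marked as disabled with a leading asterisk.
list_services() {
    networksetup -listallnetworkservices | sed '1d' | grep -v '^\*'
}

# Exit status 0 if the query reports "Enabled: Yes".
# $1 = -getwebproxy or -getsecurewebproxy, $2 = service name.
# The pattern is anchored so "Authenticated Proxy Enabled:" never matches.
proxy_enabled() {
    networksetup "$1" "$2" | grep -q '^Enabled: Yes'
}

# Turn the HTTP and HTTPS proxies off for one service.
disable_proxies() {
    networksetup -setwebproxystate "$1" off
    networksetup -setsecurewebproxystate "$1" off
}

# Disable on all services, then print each one that still has a proxy on.
# Returns non-zero if any remain, so the remote task shows up as failed.
disable_all_and_verify() {
    proxy_check_failed=0
    while IFS= read -r svc; do
        [ -n "$svc" ] || continue
        disable_proxies "$svc"
        if proxy_enabled -getwebproxy "$svc" ||
           proxy_enabled -getsecurewebproxy "$svc"; then
            echo "proxy still enabled on: $svc"
            proxy_check_failed=1
        fi
    done <<EOF
$(list_services)
EOF
    return "$proxy_check_failed"
}

# Only act when explicitly asked to, e.g. "sh fixproxy.sh --apply".
if [ "${1:-}" = "--apply" ]; then
    disable_all_and_verify
fi
```

Since the proxy no longer does the filtering, a Mac that keeps a stale proxy setting simply loses web access, which is why the read-back step is worth having.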

Sophos on OSX proved a little more tricky to fix, as I couldn’t convince it to change its preferences with Workgroup Manager.  Instead I had to log onto each machine and put in the new update URL, which is now as follows:

http://sophos10.lgfl.org.uk/escosx

The next big problem then struck, in that the Internet connection was flaking out.  It would sometimes connect, but would then time out repeatedly.  We tracked down the problem to the fact that both the Curriculum and Admin networks were plugged in at the same time (not unreasonable!).  We’re still awaiting a fix on this from Atomwide, so in the meantime we’ve switched the Curriculum back to our old provider.

LGfL 2.0 install tomorrow

Tomorrow I’m helping our genius technician do the switchover of our network to LGfL 2.0. I sure know how to spend a half term!

LGfL 2.0 is a London-wide project where they’re switching over broadband from BT cables to Virgin Media instead. This is an epic undertaking, but from our end it just means that they install lots of new routers and firewall boxes and then let us do the physical switch-over when we’re ready. (In a slightly ironic twist, Virgin Media don’t actually have any fibre-optic cables in our area so we had to use BT’s anyway.) We did a little test a few weeks ago and the speeds are about 4x faster – yay!

The main difference with the setup at school is that there no longer is a proxy server for web filtering but instead Virgin Media’s DNS server blocks or lets sites through. We’ve got our own internal DNS server so hopefully we’ll just have to change the settings on that rather than for every machine. I’m also hoping that an Apple Remote Desktop UNIX command to all the Macs should be enough to turn off the proxy server settings. But we shall see!