Page 2 of 8

Re: New Internet Filter

Posted: Wed Feb 26, 2014 4:42 pm
by johnshaw
This is a HUGE FAIL if accurate.... Anyone worth a dime during the last 4-5 years put their clerk computers on static because the dhcp pools were so small with the ASA and PIX firewalls.

I'd say it's a comedy, but really its a tragedy.

Re: New Internet Filter

Posted: Thu Feb 27, 2014 6:33 am
by drepouille
How will this affect all the new Lexmark printers I have set to static IP addresses?
We were required to use static IPs for those printers so new toner could be automatically ordered. I haven't seen that process actually work yet, though.

Re: New Internet Filter

Posted: Thu Feb 27, 2014 10:42 am
by russellhltn
drepouille wrote:How will this affect all the new Lexmark printers I have set to static IP addresses?

I was under the impression that "they" poll the printers on the internal network, so DNS doesn't affect them. But I would double check to see if DNS is programmed and update if needed.

Re: New Internet Filter

Posted: Fri Feb 28, 2014 6:51 am
by drepouille
When I read the OP yesterday, I checked tm.lds.org and found that the 881W firewall in my stake center displayed a red triangle, indicating content filtering was not working. Last night, the stake was audited, and we had to record an exception because the filter indeed was not working.

After the audit, I tried rebooting the firewall, but that didn't fix it. So I called the GSC, and the tech said he would reconfigure all 8 firewalls in my stake to use the new zPath filter. By the time I got home last night, the problem in the stake center had been corrected.

I asked him about all the computers I had set to use static IP addresses as well as static DNS IP addresses. He said I could use static IP addresses as long as I set the DNS to dynamic IP. I told him that all the computers in my stake are still running Windows XP, so I didn't have that option.

My only choices are to change the static DNS IP addresses in every computer in the stake, or to change them all to use dynamic IP addresses for everything. Since the 881W has larger dynamic IP address pools than the PIX or the ASA, I think it may be safe to change all the computers back to full dynamic IP addresses. Only the new printers need to be set to static IP addresses.

During our last stake conference in August 2013, the firewall connections peaked at 157 during the Sunday general session. It seemed like the 881W handled that load pretty well.

Re: New Internet Filter

Posted: Fri Feb 28, 2014 9:22 am
by johnshaw
Should be a Policy set at CHQ. I agree with the fact that DHCP is likely not needed anymore because we can just add more USER scopes.

Not a preference for me... we'll need to have and manage static ip's when the new Media Servers arrive at our meetinghouses. Seems like we need some strategy...

Re: New Internet Filter

Posted: Fri Feb 28, 2014 9:27 am
by lajackson
drepouille wrote:Last night, the stake was audited, and we had to record an exception because the filter indeed was not working.

We passed the filter test, and then could not get to the Church Audit site to enter the audit. The site was blocked by the new firewall. Haven't figured that one out just yet. We used a workaround while trying to figure out what was really happening.

Re: New Internet Filter

Posted: Fri Feb 28, 2014 10:11 am
by eblood66
johnshaw wrote:Should be a Policy set at CHQ. I agree with the fact that DHCP is likely not needed anymore because we can just add more USER scopes.

Not a preference for me... we'll need to have and manage static ip's when the new Media Servers arrive at our meetinghouses. Seems like we need some strategy...

I don't know what your Media Servers are running but most newer operating systems should allow you to set a static IP but get the DNS servers from DHCP.

Re: New Internet Filter

Posted: Fri Feb 28, 2014 10:27 am
by russellhltn
eblood66 wrote:I don't know what your Media Servers are running but most newer operating systems should allow you to set a static IP but get the DNS servers from DHCP.

I can't see how to do that with Windows 7. If you select static IP, the DNS switches to static and the choice grays out. I don't see a way around it. At least on the client side. If I could make static assignments on the DHCP, then I could do it.

Fortunately, I think the only reason to do static now is because you need to reach the computer. So unless the clerk computers are being used as a server in some capacity (probably not a good idea), they can be switched to dynamic.

Re: New Internet Filter

Posted: Fri Feb 28, 2014 10:37 am
by eblood66
russellhltn wrote:
eblood66 wrote:I don't know what your Media Servers are running but most newer operating systems should allow you to set a static IP but get the DNS servers from DHCP.

I can't see how to do that with Windows 7. If you select static IP, the DNS switches to static and the choice grays out. I don't see a way around it. At least on the client side. If I could make static assignments on the DHCP, then I could do it.

You're right. I had seen that someone had said it was possible on Windows 7 and I looked at the configuration screen and there were independent radio buttons and assumed that it was true. I didn't try it out. It looks like you can use static DNS with dynamic IP but not the other way around.

Re: New Internet Filter

Posted: Fri Feb 28, 2014 2:34 pm
by johnshaw
Confirmed Windows 8 and 8.1 the case is the same