New Internet Filter

Discussions about Internet service providers (ISPs), the Meetinghouse Firewall, wired and wireless networking, usage, management, and support of Meetinghouse Internet
drepouille
Senior Member
Posts: 2379
Joined: Sun Jul 01, 2007 5:06 pm
Location: Plattsmouth, NE

Re: New Internet Filter

Postby drepouille » Fri Feb 28, 2014 4:31 pm

Lynn Shaw just posted the following message to the ldsfhctech Yahoo group.

There is a new web filtering solution that is being rolled out by ICS. Currently they have configured about 13,000 sites (a subset of which includes FHCs) and will continue to roll the new solution. The product is called “zShift” and is a product produced by the company zScaler. (Sometimes ICS will refer to it as “zPath”, although this is a misnomer because zPath is actually a different solution.)

1. zShift is a DNS-based solution (much like OpenDNS, if you are familiar with that service).

2. There are 3 different policies that provide various levels of filtering:
a. Workforce
b. Meeting House (This is the policy that applies to most of our FHCs.)
c. Temple

3. The solution also provides for blacklisting of specific sites.

4. The DNS configuration changes are implemented on each of the Cisco firewalls.

5. In the next few weeks ICS will begin locking down routers so that they will only allow DNS requests to be made to zShift DNS servers. This will be accomplished by using an access-list rule that will limit the destination IP addresses any outgoing DNS traffic may use.

6. If you have configured any of your systems to use static DNS entries, then you need to change the values to the following:
a. Preferred DNS Server: 8.34.34.92
b. Alternate DNS Server: 8.35.35.92

Here is a link to a copy of the email that is being sent out to Meetinghouses regarding this issue: http://us1.campaign-archive1.com/?u=b42 ... a5005cb&e=

I hope you find this information to be helpful.

Lynn Shaw
Engineer
FHC Admin Team
FamilySearch
Dana Repouille, Plattsmouth, Nebraska

aclawson
Senior Member
Posts: 760
Joined: Fri Jan 19, 2007 6:28 pm

Re: New Internet Filter

Postby aclawson » Tue Mar 04, 2014 7:51 am

I have not received a notice via email, nor do I see one when logging in to tm.lds.org.

russellhltn
Community Administrator
Posts: 28485
Joined: Sat Jan 20, 2007 2:53 pm
Location: U.S.

Re: New Internet Filter

Postby russellhltn » Tue Mar 04, 2014 10:57 am

aclawson wrote: I have not received a notice via email nor do I see one when logging in to tm.lds.org

I got an initial email saying the filtering was going to change, but I received no further notice that I had to update the DNS for static IPs. Nor did I see anything in tm about the change.
Have you searched the Help Center? Try doing a Google search and adding "site:churchofjesuschrist.org/help" to the search criteria.

So we can better help you, please edit your Profile to include your general location.

techgy
Community Moderators
Posts: 3183
Joined: Sun Jan 13, 2008 6:48 pm
Location: California

Re: New Internet Filter

Postby techgy » Tue Mar 04, 2014 12:53 pm

I haven't seen any notices either, nor has anything changed in tm.lds.org.

Perhaps it's taking some time to get this out to such a large area.

lajackson
Community Moderators
Posts: 9443
Joined: Mon Mar 17, 2008 9:27 pm
Location: US

Re: New Internet Filter

Postby lajackson » Tue Mar 04, 2014 1:31 pm

russellhltn wrote:
aclawson wrote: I have not received a notice via email nor do I see one when logging in to tm.lds.org

I received no further notice that I had to update the DNS for static IPs. Nor did I see anything in tm about the change.

There has not been anything.

drepouille did us all a favor by posting what Lynn Shaw sent to the Family History Centers to help them deal with the change. It would be a pleasant surprise if anything similar was published on the administrative side. And to pleasantly surprise will save the GSC a whole lot of phone calls as the roll out continues.


Re: New Internet Filter

Postby russellhltn » Tue Mar 04, 2014 1:46 pm

lajackson wrote:
russellhltn wrote:
aclawson wrote: I have not received a notice via email nor do I see one when logging in to tm.lds.org

I received no further notice that I had to update the DNS for static IPs. Nor did I see anything in tm about the change.

There has not been anything.


Not quite. As an STS I did get the heads-up email that a new filter was coming. That's what started this thread. But the only action item was "Please communicate this change to your stake president. Encourage him to inform other leaders in the stake." Nothing about what changes need to happen for machines running static IPs.


Re: New Internet Filter

Postby lajackson » Tue Mar 04, 2014 2:28 pm

russellhltn wrote:
lajackson wrote: There has not been anything.

Not quite. As an STS I did get the heads-up email that a new filter was coming. That's what started this thread. But the only action item was "Please communicate this change to your stake president. Encourage him to inform other leaders in the stake." Nothing about what changes need to happen for machines running static IPs.

Sorry not to be more specific. There has not been anything about what changes need to happen for machines running static IPs. At least until Lynn Shaw's message to an unofficial but very informative email list was posted here.


Re: New Internet Filter

Postby russellhltn » Tue Mar 04, 2014 2:57 pm

lajackson wrote: Sorry not to be more specific. There has not been anything about what changes need to happen for machines running static IPs. At least until Lynn Shaw's message to an unofficial but very informative email list was posted here.


Actually, WillClaridge beat him out in message #9 of this thread. That came via help desk.

But the bottom line, there appears to be a significant communication issue. Sadly, that's not unusual.

joeljt
New Member
Posts: 1
Joined: Wed Mar 05, 2014 10:13 am

Re: New Internet Filter

Postby joeljt » Wed Mar 05, 2014 10:37 am

russellhltn wrote:
eblood66 wrote: I don't know what your Media Servers are running but most newer operating systems should allow you to set a static IP but get the DNS servers from DHCP.

I can't see how to do that with Windows 7. If you select static IP, the DNS switches to static and the choice grays out. I don't see a way around it. At least on the client side. If I could make static assignments on the DHCP, then I could do it.

Fortunately, I think the only reason to do static now is because you need to reach the computer. So unless the clerk computers are being used as a server in some capacity (probably not a good idea), they can be switched to dynamic.


Regardless, you are going to have to "touch" every end device that is currently statically configured for DNS, even if it means you are just switching it to dynamic. It would be in your own best interest to take the time to statically set your DNS servers to the new zpath addresses. Whoever said that all 881's will be updating the firewall settings soon to disallow any other DNS servers was correct. This means your statically configured end devices will be broken at that point.

If you set the DNS servers statically you don't have to worry about any weird bugs or issues with the 881's DHCP server. Also, the 881's currently have ip dhcp conflicts logging enabled which over time can fill up and exclude a large amount of addresses from the USER pools which can eventually cause a lack of addresses available. This is a stupid problem that is easy to fix, but a fix has yet to have been rolled out. So to protect yourself from being involved in that problem you can set static IPs. Every 881 has static addresses that won't ever have to worry about that issue because they are excluded from the DHCP pools. Those show in TM as "static" under the "IP Range" column.

Although I realize it is a lot of work for some of you, it is in your own best interest in the long run to set clerks' computers and any others that don't move out of the building as static, in my opinion. However, there is obviously the possibility that at some point in the future you may have to do this again if they make other changes that affect any DHCP settings... Obviously there are advantages to DHCP... You will probably all be released as STS by that time so it will be someone else's problem... Just kidding... sort of ;)
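For the device-by-device check discussed above, the following is an added example, not part of the original posts and not a tool supplied by ICS. It lists each active Windows adapter and flags any whose statically entered DNS servers differ from the two addresses given in item 6 of Lynn Shaw's message. It assumes Windows 7 with PowerShell 2.0, and relies on the per-interface `NameServer` registry value holding only the statically entered servers (DHCP-supplied ones are stored separately in `DhcpNameServer`).

```powershell
# Added example: audit static DNS settings before the firewall lockdown.
# Written for PowerShell 2.0 (Windows 7); run locally on each machine.
$Allowed = @('8.34.34.92', '8.35.35.92')   # addresses from item 6 of the message
$IfRoot  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'

function Get-StaticDnsAudit {
    Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    ForEach-Object {
        # SettingID is the interface GUID. Its registry key keeps the
        # statically entered DNS list (NameServer) apart from the
        # DHCP-supplied list (DhcpNameServer).
        $key = Get-ItemProperty -Path (Join-Path $IfRoot $_.SettingID) `
                                -ErrorAction SilentlyContinue
        $static = @()
        if ($key -and $key.NameServer) {
            # The value is a comma- or space-separated string.
            $static = @($key.NameServer -split '[,\s]+' | Where-Object { $_ })
        }
        # Any static entry outside the allowed pair will stop resolving
        # once outbound DNS is restricted by the access list.
        $bad = @($static | Where-Object { $Allowed -notcontains $_ })

        if ($static.Count -eq 0)  { $status = 'OK (no static DNS)' }
        elseif ($bad.Count -eq 0) { $status = 'OK (static, filter servers)' }
        else                      { $status = 'CHANGE BEFORE LOCKDOWN' }

        New-Object PSObject -Property @{
            Adapter   = $_.Description
            DhcpIP    = $_.DHCPEnabled
            StaticDns = ($static -join ', ')
            Status    = $status
        }
    }
}

Get-StaticDnsAudit | Format-Table Adapter, DhcpIP, StaticDns, Status -AutoSize
```

An adapter that shows `DhcpIP` as False together with `OK (no static DNS)` has a static address but no DNS server entered at all, so it is worth a manual look.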


Re: New Internet Filter

Postby russellhltn » Wed Mar 05, 2014 12:18 pm

joeljt wrote: Also, the 881's currently have ip dhcp conflicts logging enabled which over time can fill up and exclude a large amount of addresses from the USER pools which can eventually cause a lack of addresses available. This is a stupid problem that is easy to fix, but a fix has yet to have been rolled out.

First I've heard of that. I believe there is a situation where the 881 won't reuse an IP immediately after it becomes available. So if you have overlapping wards, it can cause the available pool to be exhausted even while tm suggests there's still more IP available.


joeljt wrote: Although I realize it is a lot of work for some of you, it is in your own best interest in the long run to set clerks' computers and any others that don't move out of the building as static, in my opinion.

I beg to differ. If you set it to static, it will guarantee at some point you'll have to go back to change it. The church may decide to change the block assigned to your firewall (perhaps a firewall upgrade), or change the DNS (perhaps another change to the filter used). If you set to DHCP, you'll never have to go back. As for the problems with DHCP, you need to be aware of them, and they can be fixed with a phone call. So from my standpoint, I'd only use static if the device is acting as a server in some capacity so that other devices can locate it reliably.

