Recommended Minimal Configuration

From Opendium Documentation
Revision as of 17:53, 6 October 2022 by Steve (Initial page - to be completed)

Following installation, we recommend configuring the system as described on this page.

Firewall zones

The Firewall Zones come preconfigured to consider all private addresses to be part of the LAN. This should be reconfigured to match the real layout of your internal networks.

Opendium Web Gateway does not support multiple internal network zones, so all of the internal networks must be added to the LAN zone.

Opendium UTM can segregate the internal networks, so that, for example, a Bring Your Own Device wifi network can be isolated from the wired network. Networks which should be isolated from each other should be placed in different zones, whereas networks that need no isolation should be placed in the same zone.

Group configuration

Opendium systems have a powerful grouping mechanism which is configured on the Users and Groups page, with groups organised into a tree, and users, networks and individual computers assigned to one or more of the groups. Settings such as web filtering and permissions can be set on each group and are by default inherited by the groups, users and networks within it. Please refer to the Group Inheritance knowledgebase article for more in-depth information about how group inheritance works.

There are very few restrictions placed on the groups, so you are free to arrange them as you wish, but the recommendations below provide a good starting point and are based on many years of experience. This is a typical structure for a secondary school:

  • GROUP: Everyone
    • GROUP: Administrators
    • GROUP: Anonymous
    • GROUP: Networks
      • NETWORK: 10.0.0.0/8
      • GROUP: LAN
        • NETWORK: 10.1.0.0/16
        • GROUP: Servers
          • NETWORK: 10.1.254.0/24
      • GROUP: Wifi
        • GROUP: Staff wifi
          • NETWORK: 10.1.0.0/16
        • GROUP: Student wifi
          • NETWORK: 10.2.0.0/16
        • GROUP: Guest wifi
          • NETWORK: 10.1.0.0/16
    • GROUP: Users
      • GROUP: Staff
      • GROUP: Students
        • GROUP: Lower school
          • GROUP: Year7
          • GROUP: Year8
          • GROUP: Year9
        • GROUP: Upper school
          • GROUP: Year10
          • GROUP: Year11
        • GROUP: Sixth form
          • GROUP: Year12
          • GROUP: Year13

There are a few special groups: Everyone is always at the root of the tree. Users within the Administrators group have administrative access to the system. The Anonymous group is also a special case and is used in situations where no other groups are applicable. Typically, the Anonymous group is left empty.

Whilst there are no restrictions regarding mixing users and networks within a group, we recommend keeping them separate in most cases by placing networks under the Networks group and users under the Users group.

The system comes preconfigured with all private addresses in the Networks group, but it is a good idea to trim this down to better match your network's configuration. Often the overarching network will be a single entry for the IPv4 network, such as 10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16, and a single entry for the IPv6 prefix (if there is one). However, some schools may have more complex networks that require multiple network objects to be created. In the example above, we have defined a single 10.0.0.0/8 network.

You can create subgroups for specific parts of your network. In the example above, we have created groups Staff wifi, Student wifi and Guest wifi and added an appropriate network within each. This allows us to set specific configuration for those networks. For example, in the web proxy module, we may disable authentication and active HTTPS interception for Guest wifi, or set the proxy's authentication profile to Single user devices for Staff wifi and Student wifi. We have also created a Trusted mail senders group (not shown in the tree above) that can be used to turn off the mail server's authentication for specific devices.

If your network is divided into subnets geographically - e.g. a separate subnet for each classroom - configuring each subnet here will also allow you to use Virtual Groups to apply custom configuration based on location. For example, you may want to relax the filtering in locations which will always be supervised.

The remaining groups will contain your users. Some schools may choose to create subgroups within the Staff group in order to subdivide the staff, whilst prep schools often organise all of the students under a single Students group rather than dividing them into year groups. There is a balance to be struck between the flexibility of a group tree that is subdivided into many groups versus the management overhead of maintaining that structure, and this will vary from school to school.
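To make the behaviour described above concrete, the following is an added illustration written for this page; it is not Opendium's code and does not use the product's data model. It builds the network part of the example tree, resolves the effective settings for a group by walking up to Everyone (nearer groups override inherited values), and looks up the group responsible for an address. The settings on Everyone, the web_filter=off on Servers and the rule that the longest matching prefix wins are assumptions; the values on Guest wifi, Staff wifi and Student wifi follow the text above. Because the example tree attaches 10.1.0.0/16 to LAN, Staff wifi and Guest wifi alike, the lookup refuses to guess for such an address and a separate check lists every prefix that is attached to more than one group, which is a useful sanity check before relying on per-network settings.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass(eq=False)
class Group:
    """One node of the group tree (hypothetical model, not Opendium's own structure)."""
    name: str
    parent: Optional["Group"] = field(default=None, repr=False)
    networks: list = field(default_factory=list)   # ipaddress networks attached here
    settings: dict = field(default_factory=dict)   # settings set directly on this group
    children: list = field(default_factory=list, repr=False)

    def add_child(self, name, networks=(), **settings):
        child = Group(name, parent=self,
                      networks=[ipaddress.ip_network(n) for n in networks],
                      settings=settings)
        self.children.append(child)
        return child

    def walk(self):
        """Depth-first traversal of this group and everything beneath it."""
        yield self
        for child in self.children:
            yield from child.walk()

    def effective_settings(self):
        """Inheritance: apply settings from Everyone downwards; nearer groups override."""
        chain, g = [], self
        while g is not None:
            chain.append(g)
            g = g.parent
        merged = {}
        for g in reversed(chain):
            merged.update(g.settings)
        return merged


def build_example_tree():
    """Network part of the page's example tree; settings are constructed for illustration."""
    everyone = Group("Everyone", settings={"web_filter": "standard",   # assumed defaults
                                           "auth_required": True,
                                           "https_interception": True})
    everyone.add_child("Anonymous")
    networks = everyone.add_child("Networks", ["10.0.0.0/8"])
    lan = networks.add_child("LAN", ["10.1.0.0/16"])
    lan.add_child("Servers", ["10.1.254.0/24"], web_filter="off")      # constructed setting
    wifi = networks.add_child("Wifi")
    wifi.add_child("Staff wifi", ["10.1.0.0/16"], auth_profile="single_user")
    wifi.add_child("Student wifi", ["10.2.0.0/16"], auth_profile="single_user")
    wifi.add_child("Guest wifi", ["10.1.0.0/16"], auth_required=False,
                   https_interception=False)
    return everyone


def duplicate_networks(root):
    """Prefixes attached to more than one group: addresses in them have no single owner."""
    owners = {}
    for g in root.walk():
        for net in g.networks:
            owners.setdefault(net, []).append(g.name)
    return {str(net): names for net, names in owners.items() if len(names) > 1}


def group_for(root, address):
    """Most specific group for an address; Anonymous when nothing matches.

    Assumption: the longest matching prefix wins. If several groups attach that
    same prefix the answer is ambiguous, so raise instead of picking one silently.
    """
    ip = ipaddress.ip_address(address)
    best_len, best = -1, []
    for g in root.walk():
        for net in g.networks:
            if ip in net:
                if net.prefixlen > best_len:
                    best_len, best = net.prefixlen, [g]
                elif net.prefixlen == best_len:
                    best.append(g)
    if not best:
        return next(g for g in root.walk() if g.name == "Anonymous")
    if len(best) > 1:
        raise ValueError(f"{address} matches {[g.name for g in best]} equally")
    return best[0]


def effective_settings_for(root, address):
    """Settings that apply to a device at the given address."""
    return group_for(root, address).effective_settings()


if __name__ == "__main__":
    tree = build_example_tree()
    print("duplicated prefixes:", duplicate_networks(tree))
    for addr in ("10.1.254.10", "10.2.4.4", "10.9.9.9", "192.168.1.1"):
        g = group_for(tree, addr)
        print(addr, "->", g.name, g.effective_settings())
```

Running it shows a server at 10.1.254.10 inheriting auth_required and https_interception from Everyone while its own group turns web filtering off, a student device at 10.2.4.4 picking up the Single user devices profile, an address that only matches the overarching 10.0.0.0/8 landing in Networks, and a non-private address falling through to Anonymous. Any address in 10.1.0.0/16 is reported as ambiguous, which is the situation the duplicate-prefix check is meant to surface before it causes the wrong settings to apply.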

Whitelist

We recommend that you disable web filtering for your own domains by adding them to the Whitelisted websites override.