Opendium systems allow you to control and audit your users' access to the world wide web. This is done by passing all web traffic through a proxy server, which analyses each web request in a variety of ways to heuristically categorise it. In addition to analysing unencrypted traffic, the system will decrypt, analyse and filter encrypted HTTPS traffic in real time. The traffic can be restricted based on the categorisation that the system has determined for each web request.
There are two mechanisms for intercepting and filtering web traffic: A traditional (non-transparent) web proxy server and a transparent proxy.
The non-transparent web proxy is the preferred system, as it includes some capabilities which cannot be performed by the transparent proxy, such as Kerberos single sign-on authentication. However, it does require software to understand how to find and talk to the proxy. Workstations usually use the non-transparent proxy for the majority of their traffic, whereas tablets and phones usually rely more on transparent proxy.
In order for the Opendium system to be able to decrypt HTTPS traffic, devices on your network must have the inspection certificate installed.
For devices connected to your Windows domain, this should be done through Group Policy by downloading the certificate using the link on the Web Proxy page and importing it into the domain's Trusted Root Certification Authorities.
The certificate will need to be installed manually onto stand-alone devices. There are a number of ways to make this easier, such as using the QR code which is displayed on the Web tab, or using the Splash Page.
This certificate is unique to your Opendium system, and is separate from any certificate that is required to connect to your wifi network.
The web filter works on three levels:
- Blocked Categories - This is the primary method of filtering. The system categorises content as it is being accessed and blocks content which is deemed to belong to an unacceptable category according to the user group's settings. If certain web content is being incorrectly categorised or not categorised at all, the first thing to do is edit the Filtering Categories manually exclude the content from categories it does not belong to, and include it in categories that it does belong to.
- Enforcement of Safe Search - The web filter can demand that some search engines, such as Google, enable strict Safe Search irrespective of the user's own preferences.
- Overrides - These are used to completely disable parts of the filtering system. If certain web content is being incorrectly categorised, it is recommended that you edit the appropriate categories rather than using an override to disable the filtering entirely. However, it is appropriate to use an override in the following circumstances:
- If you need to ensure that certain HTTPS requests are not decrypted, add their URIs to an override which has the Disable HTTPS decryption setting ticked. Certain applications are incompatible with HTTPS decryption and require such an override.
- When setting up a walled garden, add URIs which are to be allowed to an override which has the Allow in the walled garden setting ticked.
- Trusted websites that must never be filtered, such as the school's own website, can be added to an override which has the Disable all filters setting ticked.
- Certain applications are incompatible with authentication, and you can add the URIs that they contact to an override that selects an appropriate Authentication setting.
As well as blocking pages, you can also set up Reporting Categories, which trigger automated reports based on which categories are being triggered.
There are also settings affecting a user's Permissions & Limits, such as bandwidth quotas.