networking-forum.com

All times are UTC - 6 hours [ DST ]



Posted: Wed Aug 01, 2012 9:47 pm
New Member

Joined: Wed Aug 01, 2012 9:43 pm
Posts: 14
I've been asked to provide a solution for my daughter's school, and I think I've got an answer, but not sure how to implement it.

The situation is they've bought 15 iPads, and that the school's proxy and firewall are blocking applications from accessing the internet. The iPads are being used wirelessly, and the wireless network is distributed across the school using multiple access points (routers in bridged mode) and ethernet switches connected via fibre.

The school's proxy is administered by the local district authority, and the district is not willing to get involved in any capacity to help. Any configuration changes have to be made on the private side of the proxy.

There are two issues involved.

First, any applications not explicitly programmed to use an iPad's proxy settings will always assume it has a direct connection to the internet. So many of the applications loaded onto the iPads are unusable since they need internet access. These applications ignore any proxy settings set up in the settings-network tab.

Second, Safari browsing is regulated on a per student basis through usernames and passwords. The iPad proxy settings are far from adequate in this regard, leaving students and teachers logged in unless explicitly cleared from the settings.

My solution: Install a Windows 2008 server, set up the Apple Express units (again, a purchasing decision made by the school without my input) into bridged mode and apply a static IP address to their WAN ports on a different subnet to the one that is offered by the district. The Windows 2008 server will handle DHCP requests on the 2nd subnet, and route requests back to the district subnet. The iPads don't need to be visible to the PCs located on the district subnet, nor vice versa. They only need internet access. Apply a login script on connection to the wireless network that each student logs on with; this would ideally incorporate their district login.

That would take care of the second issue, and as for the first I believe that forwarding the ports that the iPad applications are asking for to open ports on the proxy (there are quite a few) should solve those issues.

A long read, and I appreciate people wading through it.

I'm looking for advice on implementation, or even suggestions of a better way of doing things. Different subnets I believe is the way to go, as it isolates the unsupported network and devices from the district equipment and network. The district's equipment is serviced by the district and the less they have to see, the better.


 
Posted: Thu Aug 02, 2012 11:06 am
Post Whore

Joined: Mon Nov 16, 2009 8:10 pm
Posts: 2523
Location: San Diego, CA
Certs: CCNP, BCNE, Network+, Security+
Are they using Websense? I ran into issues like that quite often :P

The problems, like you stated, are A) stored credentials and B) respecting proxy settings. What we usually did at Websense was have customers put their Apple devices on a distinct subnet so that we could effectively filter them by IP address, specifying subnets. As far as respecting proxy settings... you'll probably need exclusions set up for that, which if all traffic is forced through a proxy, you have no choice but to configure those exclusions at the proxy. Stuff like iTunes isn't very proxy-aware, and usually has trouble.

So, these are Websense-specific... but may help give you some insight. Hope it helps. Unfortunately, the Websense Content Gateway (Proxy) documents require credentials to access that I no longer have as I am no longer an employee.

http://www.websense.com/support/article ... -filtering

http://www.websense.com/support/article ... from-a-Mac

http://www.websense.com/support/article ... -computers

Good luck.

_________________
Regards,

Steven King
San Diego Cisco User Group - http://www.sdcug.com
"The only time something is impossible is when you think it is." - Kevin Corbin, CCIE #11577


 
Posted: Thu Aug 02, 2012 6:58 pm
New Member

Joined: Wed Aug 01, 2012 9:43 pm
Posts: 14
Thanks for the reply Steven. I'll enquire as to what the proxy server is, and maybe if I can present the case to the district in straightforward terms we may be able to get some restrictions lifted at the proxy server if need be.


 
Posted: Thu Aug 02, 2012 7:01 pm
New Member

Joined: Wed Aug 01, 2012 9:43 pm
Posts: 14
While I haven't spoken to the district, best guess so far is that we are being proxied by an Apache server.


 
Posted: Fri Aug 03, 2012 11:44 am
Post Whore

Joined: Mon Nov 16, 2009 8:10 pm
Posts: 2523
Location: San Diego, CA
Certs: CCNP, BCNE, Network+, Security+
Wish I could help you more... my experience with proxies is pretty isolated to Websense. Apple devices and applications were always a challenge.

_________________
Regards,

Steven King


 
Posted: Fri Aug 03, 2012 7:30 pm
New Member

Joined: Wed Aug 01, 2012 9:43 pm
Posts: 14
Further investigation is that they are using Microsoft Forefront.

I'm going to draft an email to the district, speaking with one of the few people in the I.T. department who is onboard with the use of the iPads in the school. Unfortunately I've been told that this person is not very tech savvy, but is in the management position because they do have good educational credentials. If I can try and put it in as much plain speak as possible, and demonstrate the minimised impact on the network, maybe I can make some progress.

I've successfully subnetted the iPads at this stage, while still using the district proxy. The way that iPads utilised proxies is next to useless, so my next step is to make a transparent proxy and enable web-based logins per session. This will remove the need for the iPads to use proxy settings, and also give a measure of control by enabling logging of sessions on the iPads monitored at the school.

A lot of people, including the teacher who is liaising with me, don't see much difference with the usage of iPads versus using a PC. For the most part they are right, but there is a perceived increase in privacy when using an iPad because the screen can be repositioned so the teacher can't clearly see it. While the district logs all sessions and searches, I think that the school having access to the same information streamlines the process of the district informing the school, and then the teachers informing parents. I also think a curious kid (we are talking K-6) is more likely to look for something inappropriate if they think they aren't being watched. They can't see anything, but if they are looking it does need to be talked about why it's not appropriate and that they can be given better information than looking at the web.

Again thanks for the info Steven, in 3 different forums around the web this has been the most helpful!
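
The per-session web login and session logging described in the last post, sketched as an added example that is not part of the original thread: a session table a login gateway could keep so that a shared iPad does not stay signed in and every request is attributed to a student. The subnet `10.20.0.0/24`, both timeouts and all names are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed values, not from the thread.
IPAD_SUBNET = ip_network("10.20.0.0/24")  # address range given to the iPads
IDLE_TIMEOUT = 15 * 60                    # seconds without traffic before re-login
MAX_SESSION = 60 * 60                     # hard limit, about one lesson

@dataclass
class Session:
    user: str
    started: float
    last_seen: float

class SessionTable:
    """Maps a client IP to the student who signed in on the web login page."""

    def __init__(self):
        self.sessions = {}
        self.log = []  # (time, ip, user, event) records for the school to review

    def login(self, ip, user, now):
        if ip_address(ip) not in IPAD_SUBNET:
            raise ValueError(f"{ip} is outside the iPad subnet")
        old = self.sessions.get(ip)
        if old is not None:  # shared iPad handed to the next student
            self.log.append((now, ip, old.user, "replaced"))
        self.sessions[ip] = Session(user, now, now)
        self.log.append((now, ip, user, "login"))

    def authorize(self, ip, url, now):
        """Return the user to attribute this request to, or None to force a login."""
        s = self.sessions.get(ip)
        if s is None:
            return None
        if now - s.last_seen > IDLE_TIMEOUT or now - s.started > MAX_SESSION:
            del self.sessions[ip]
            self.log.append((now, ip, s.user, "expired"))
            return None
        s.last_seen = now
        self.log.append((now, ip, s.user, f"request {url}"))
        return s.user

if __name__ == "__main__":
    table = SessionTable()  # constructed timeline, times in seconds
    table.login("10.20.0.15", "student_a", now=0)
    print(table.authorize("10.20.0.15", "http://example.org/", now=60))
    print(table.authorize("10.20.0.15", "http://example.org/", now=1200))
    for record in table.log:
        print(record)
```

Keying sessions on the IP address is only sound while DHCP leases on the iPad subnet outlast `MAX_SESSION`; otherwise an address can pass to another device mid-session and requests get attributed to the wrong student.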


 