Kevin Crawley

Author's posts

Speed issues

We believe this has now been resolved. It looks like there were two simultaneous issues;

  • RM’s transit to Google was being maxed out. RM will be implementing new routers with 100G links to deal with the increased traffic volumes. RM is hoping for this will be completed by the end of the month.
  • There were also six minor DDoS attacks to the proxy farm IPs at the same time of high utilisation of Google traffic. RM is working with a third party company to mitigate these attacks. As they were minor attacks, it didn’t trigger the automatic mitigation system. RM will be working closely with their third party to investigate what went wrong and to make sure this doesn’t happen again.

If there are any further queries, please contact the HfL Broadband Team.

Slow internet

Good morning.

We have received multiple reports of slow internet this morning. RM are investigating. Apologies for the disruption.

Thanks,
Kevin Crawley

Possible Google update and reports of slow internet

Yesterday afternoon (18th October) we received some reports of slow internet.

RM suspect that there was a Google update released which resulted in higher than usual volumes of traffic – and this in turn would cause a slow internet experience. Typically, the RM transit (for Google) utilises at a maximum of 8Gbps, but yesterday it went over 10Gbps.

In fact there were three instances yesterday where the transit bandwidth utilisation exceeded the capacity, timescales for which are updated below.

8.48-9.08
11.25-11.40
13.55-14.03

RM is closely monitoring the situation.

Websites that use websockets – Chromebooks

When using Chromebooks, you may experience issues accessing websites that use websockets. In these instances, the browser on the Chromebook attempts to go out to the internet using the SOCKS protocol entry from the proxy settings.

Normally sessions go out to the internet using the top 3 protocols (HTTP and HTTPS especially). Other devices (Windows etc) have the SOCKS protocol blank so it will send the session to the internet via HTTP/HTTPS instead. On Chromebooks if you’ve set a proxy (wf1.thegrid.org.uk etc) via G-Suite it ticks it for all protocols (including SOCKS). However, RM do not support the SOCKS protocol and this makes the outbound connection fail.

There are some high profile websites that use websockets such as SCOMIS, Spotify, and LiveStorm. It may also cause issues when using the remote desktop web client into a LARA server.

There are a couple of fixes!

Option 1) remove the entry from the SOCKS protocol, and leave it blank.
Option 2) schools connect the Chromebooks to a transparent proxy network (typically a 10.* range), instead of the proxied network (172.* range)

If you have any queries, please get in touch with our Service Desk. Thanks

May Half Term – a good time for some housekeeping?

With Half Term on the horizon, it might be a good idea to review the firewall access that you have in place. Are there legacy firewall rules that can be removed? Of course if firewall rules are no longer needed, the access should be disabled. I would encourage you to pay particular attention to inbound access. Have you previously deployed access to an internally hosted server that has since been decommissioned? Or have you provided access for a company to connect into the school network and you no longer work with them? It is the school’s responsibility to let us know if access is no longer required, otherwise it will remain in place.

To find out what is in place at your school, please get in touch with our Broadband Service Desk. We would recommend you viewing this information in SafetyNet and we will be happy to talk you through the information  that you are looking at.

Thanks,

Kev

Self-Service Firewall

I am pleased to confirm that the self-service firewall is now live and users can access this by using their SafetyNet credentials. While access must be turned on by HfL, if you previously had access to the Connectivity area of Safetynet (to make or view DNS records), you will be able to access the self-service firewall in read only mode.

I would encourage all schools, particularly secondary schools, to have read only access. If you want the full read and write access, I will need the Head Teacher to authorise this. Please note that if you want the ability to make DNS changes, this will also give you access to make firewall changes. If you have previously had full access to the DNS platform, you will find that it is now on read only access. As explained above, access is easily reactivated once authorised by the Head Teacher.

Having read only access to the firewall will help keep schools on top of what access is in place. Some schools will have legacy firewall rules that will need tidying up or even removed. Seeing what access is in place can also assist when troubleshooting issues.

This is version 1 and there is a list of roadmap development ideas. So certain firewall requirements will still need to be logged as a change request with HfL, and the RM staff with Fortigate access will then be able to create these for you.

I am happy to carry out some training with you. Depending on numbers, I will either do this on a one-to-one basis or possibly larger groups. If you’re interested in this or you have any further queries, please get in touch with me.

A basic training guide will be added to this site in due course. RM have also added some support documents within SafetyNet.

Thanks,

Kevin Crawley
kevin.crawley@hertsforlearning.co.uk