Security Services : Security Services > Content Filter

YouTube for School Content Filtering Support
YouTube for Schools is a service that allows for customized YouTube access for students, teachers, and administrators. YouTube Education (YouTube EDU) provides schools access to hundreds of thousands of free educational videos. These videos come from a number of respected organizations. You can customize the content available in your school. All schools get access to all of the YouTube EDU content, but teachers and administrators can also create playlists of videos that are viewable only within their school's network.
The configuration of YouTube for Schools depends on the method of Content Filtering you are using, which is configured on the Security Services > Content Filter page.
Users that are members of multiple groups, where one policy allows unrestricted access to YouTube, and the other policy restricts access to YouTube for Schools, are filtered by the YouTube for Schools policy and are not allowed unrestricted access to YouTube.
Users cannot be members of multiple groups that have different YouTube for School IDs. While the firewall will accept the configuration, this is not supported.
When you select Via Application Control from the CFS Policy Assignment menu, on the Security Services > Content Filter page, YouTube for Schools Content Filtering is configured as an App Control policy.
YouTube for Schools Content Filtering is configured in two parts:
You first create a match object or multiple match objects. Then, you apply them in the App Rule.
Topics:
Configuring the Firewall Not to Exclude the Administrator
To configure the firewall not to exclude the administrator:
1
Go to the Security Services > Content Filter page.
2
Scroll to the CFS Exclusion for the Administrator section.
3
Select the Do not bypass CFS blocking for the Administrator checkbox.
4
Click the Accept button at the top of the page.
Configuring a Match Object for YouTube for Schools Content Filtering
To configure a match object for YouTube for Schools Content Filtering:
1
Navigate to Firewall > Match Objects.
2
Click Add New Match Object. The Add/Edit Match Object dialog displays.
3
In the Object Name field, type a descriptive name. The minimum length is 1 character, the maximum is 96 characters.
4
From the Match Object Type drop-down menu, select CFS Allow/Forbidden List.
From the Match Type drop-down menu, select Partial Match. A partial match matches the specified pattern to any portion of a given content. For example, given the content “SonicWALL is the leader in Unified Threat Management,” the pattern Sonic results in a match.
5
For Input Representation, select the Alphanumeric option.
6
In the Content field, enter youtube.com.
7
Click Add.
8
In the Content field, enter ytimg.com.
9
Click Add.
10
Click OK to create the Match Object.
Configuring an App Rule for YouTube for Schools Content Filtering
To configure an App Rule for YouTube for Schools Content Filtering:
1
Navigate to the Firewall > App Rules page.
2
Click Add New Policy. The Edit App Control Policy dialog displays.
3
In the Policy Name field, type a descriptive name for this policy, such as CFS YouTube. The minimum length is 0 characters and the maximum is 96.
4
From the Policy Type drop-down menu, select CFS. The options change.
5
From the Address drop-down menu, select the address group to which this policy applies. The default is Any.
6
From the Exclusion Address drop-down menu, select the address group to exclude from this policy. Excluded objects are not affected by the policy. The default is None.
7
From the Match Object drop-down menu, select the object you want to match. The default is Forbidden Content.
8
From the Action Object drop-down menu, select the action you want this policy to perform.In this case select CFS Block Page.
9
From the Users/Groups Included drop-down menu, select the user or user group to which this policy applies. The default is All.
10
From the Users/Groups Excluded drop-down menu, select the user or user group to exclude from this policy. Excluded objects are not affected by the policy. The default is All.
11
From the Schedule drop-down menu, select the schedule that you want. Always on is the default.
12
13
If you want to use logging, select the Enable Logging option. This option is selected by default.
14
If you want to use the CFS format for logging messages, select the Log using CFS message format option. This option is selected by default.
15
To use the global settings for filtering log messages, select the Use Global Settings option (on the same line). The default is 0 seconds.
16
From the Zone menu, select the zone to which this policy applies. The default is Any.
NOTE: For the CFS Allow/Excluded List and the CFS Forbidden/Included List options, you should select the match object you created in Configuring a Match Object for YouTube for Schools Content Filtering . (Our example uses CFS YouTube Filtering.) This match object should be selected to either include or exclude.
17
From the CFS Allow/Excluded List drop-down menu, select the object that you do not want to block with this policy.
18
From the CFS Forbidden/Included List drop-down menu, select the object that you want to block with this policy.
19
If you want to use Safe Search Enforcement for all search engines, select the Enable Safe Search Enforcement option. This setting is disabled by default.
20
To enable YouTube for Schools, select the Enable YouTube for Schools checkbox.
21
In the School ID box, enter the School ID number, which is obtained from www.youtube.com/schools
22
Click OK to create the policy.
Configuring YouTube for Schools in a Content Filter Policy
When the CFS Policy Assignment drop-down menu on the Security Services > Content Filter page is set to Via User and Zone Screens, YouTube for Schools is configured as part of the Content Filter policy.
To configure YouTube for schools in a content filter policy:
1
Navigate to the Security Services > Content Filter page.
2
Select Content Filter Service from the Content Filter Type drop-down menu.
3
Click the Configure button. The Filter Properties dialog displays.
4
Click the Policy tab.
5
Click the Configure icon for the CFS policy on which you want to enable YouTube for Schools. The Edit CFS Policy dialog displays.
6
Click the Settings tab.
7
Select the Enable YouTube for Schools checkbox.
8
9
Click OK. The Edit CFS Policy dialog closes.
10
Click the Custom List tab.
11
Click the Add button for Allowed URL. the Add Allowed URL Entry dialog displays.
12
In the dialog box, enter youtube.com into the URL field.
13
14
Click Add again.
15
Enter ytimg.com into the URL field.
16
17
Click OK.
These settings override any CFS category that blocks YouTube.
When the policy is applied, any existing browser connections are unaffected until the browser is closed and reopened. Also, if you have a browser open as administrator on the firewall, you will be excluded from CFS policy enforcement unless you configure the firewall specifically not to exclude you (select the Do not bypass CFS blocking for the Administrator checkbox on the Security Services > Content Filter page).
YouTube for Schools and HTTPS
The SonicWALL CFS implementation of YouTube for Schools does not support HTTPS access to youtube.com. When youtube.com is accessed over HTTPS, the user will have unrestricted access to YouTube content. The following solutions can be implemented to work around this:
Issues
DPI-SSL cannot be used to block https://youtube.com, but only to allow it. So the DPI section above should not be part of the solutions that can be implemented to work around this.
In creating the above rule to block https access to youtube.com or www.youtube.com and s.ytimg.com, we have found that https://www.google.com is now also blocked, as well as https://drive.google.com and https://play.google.com/.
Other Google sites, such as calendar.google.com and gmail, work fine.
Creating FQDNS for the blocked site and creating an allow rule for the group also allows https://youtube.com to be accessed.
In summary, creating the deny rules for https, youtube fqdns also blocks other google ssl sites. So, there is no way that we have found to use YouTube for Schools and block access to SSL YouTube without blocking other Google SSL sites. And there is no way to allow the other sites without also causing SSL YouTube to be allowed as well.