youTube_schools

YouTube for School Content Filtering Support

YouTube for Schools is a service that allows for customized YouTube access for students, teachers, and administrators. YouTube Education (YouTube EDU) provides schools access to hundreds of thousands of free educational videos. These videos come from a number of respected organizations. You can customize the content available in your school. All schools get access to all of the YouTube EDU content, but teachers and administrators can also create playlists of videos that are viewable only within their school's network.

Note Before configuring your SonicWALL security appliance for YouTube for Schools, you must first sign up: www.youtube.com/schools

The configuration of YouTube for Schools depends on the method of Content Filtering you are using, which is configured on the Security Services > Content Filter page.

Users that are members of multiple groups, where one policy allows unrestricted access to YouTube, and the other policy restricts access to YouTube for Schools, are filtered by the YouTube for Schools policy and are not allowed unrestricted access to YouTube.

Users cannot be members of multiple groups that have different YouTube for School IDs. While the firewall will accept the configuration, this is not supported.

Note For more information on the general configuration of CFS, refer to the Security Services > Content Filter section in the SonicOS Administrator’s Guide.

When you select Via Application Control from the CFS Policy Assignment menu, on the Security Services > Content Filter page, YouTube for Schools Content Filtering is configured as an App Control policy.

YouTube for Schools Content Filtering is configured in two parts:

• Configuring a Match Object

• Configuring an App Rule

You first create a match object or multiple match objects. Then, you apply them in the App Rule.

Note All browser connections are unaffected until after the App Rule policy is applied and the browser is closed and reopened.

Note If you have a browser open as administrator on the firewall, you will be excluded from CFS policy enforcement unless you configure the firewall specifically not to exclude the administrator.

Configuring the Firewall Not to Exclude the Administrator

To configure the firewall not to exclude the administrator:

1. Go to the Security Services > Content Filter page.

2. Under the CFS Exclusion List heading, select the Do not bypass CFS blocking for the Administrator option.

youtube_5_bypass_admin_not.png

 

3. Click the Accept button at the top of the page.

Configuring a Match Object for YouTube for Schools Content Filtering

To configure a match object for YouTube for Schools Content Filtering:

1. Navigate to Firewall > Match Objects.

youtube_0_match_objects.png

 

2. Click Add New Match Object.

youtube_1_match_object_settings.png

 

3. In the Object Name box, type a descriptive name.

4. From the Match Object Type menu, select CFS Allow/Forbidden List.

5. From the Match Type menu, select Partial Match.

6. For Input Representation, select the Alphanumeric option.

7. In the Content box, enter youtube.com.

8. Click Add.

9. In the Content box, enter ytimg.com.

10. Click Add.

11. Click OK to create the Match Object.

Note You can repeat these steps to create multiple match objects.

Configuring an App Rule for YouTube for Schools Content Filtering

To configure an App Rule for YouTube for Schools Content Filtering:

1. Navigate to the Firewall > App Rules page.

2. Click Add New Policy.
The App Control Policy Settings dialog appears.

youtube_2_app_control_policy_settings.png

 

3. In the Policy Name box, type a descriptive name for this policy, such as CFS YouTube.

4. From the Policy Type menu, select CFS.

5. From the Address menu, select the address group to which this policy applies.

6. From the Exclusion Address menu, select the address group to exclude from this policy.
Excluded objects are not affected by the policy.

7. From the Match Object menu, select the object you want to match.

8. From the Action Object menu, select the action you want this policy to perform.
In this case we chose CFS Block Page.

9. From the Users/Groups Included menu, select the user or user group to which this policy applies.

10. From the Users/Groups Excluded menu, select the user or user group to exclude from this policy. Excluded objects are not affected by the policy.

11. From the Schedule menu, select the schedule that you want. Always on is the default.

12. If you want to use flow reporting, select the Enable Flow Reporting option.

13. If you want to use logging, select the Enable Logging option.

14. If you want to use the CFS format for logging messages, select the Log using CFS message format option.

15. If you want to filter redundant log messages, enter the number of seconds for the filter interval in the Log Redundancy Filter (seconds) box. To use the global settings for filtering log messages, select the Use Global Settings option (on the same line).

16. From the Zone menu, select the zone to which this policy applies.

Note For the CFS Allow/Excluded List and the CFS Forbidden/Included List options, you should select the match object you created in Configuring a Match Object for YouTube for Schools Content Filtering on page 861. (Our example uses “CFS Allow YT4S”.) This match object should be selected to either include or exclude.

17. From the CFS Allow/Excluded List menu, select the object that you do not want to block with this policy.

18. From the CFS Forbidden/Included List menu, select the object that you want to block with this policy.

19. If you want to use Safe Search Enforcement, select the Enable Safe Search Enforcement option.

20. To enable YouTube for Schools, select the Enable YouTube for Schools checkbox.

21. In the School ID box, enter the School ID number, which is obtained from www.youtube.com/schools

22. Click OK to create the policy.

Note All browser connections are unaffected until after the App Rule policy is applied and the browser is closed and reopened.

Note If you have a browser open as administrator on the firewall, you will be excluded from CFS policy enforcement unless you configure the firewall specifically not to exclude the administrator. See Configuring the Firewall Not to Exclude the Administrator on page 861.

Configuring YouTube for Schools in a Content Filter Policy

When the CFS Policy Assignment pulldown menu is set to Via User and Zone Screens, YouTube for Schools is configured as part of the Content Filter policy.

On the Security Services > Content Filter page, select Content Filter Service for the Content Filter Type pulldown menu.

1. Click the Configure button.

2. On the Policy tab, click the Configure icon for the CFS policy on which you want to enable YouTube for Schools.

3. Click on the Settings tab, and select the Enable YouTube for Schools checkbox.

4. Paste in your School ID, which is obtained from www.youtube.com/schools.

Security_Services_Content_Filter00247.png

 

5. Click OK.

6. On the Custom List tab, click the Add button for Allowed Domains.

7. In the dialog box, type “youtube.com” into the Domain Name field and click OK.

8. Click Add again.

9. Type “ytimg.com” into the Domain Name field and click OK.

Security_Services_Content_Filter00248.png

 

10. Click OK.

These settings will override any CFS category that blocks YouTube.

Once the policy has been applied, any existing browser connections will be unaffected until the browser has been closed and reopened. Also, if you have a browser open as administrator on the firewall, you will be excluded from CFS policy enforcement unless you configure the firewall specifically not to exclude you (select the Do not bypass CFS blocking for the Administrator checkbox on the Security Services > Content Filter page).

YouTube for Schools and HTTPS

The SonicWALL CFS implementation of YouTube for Schools does not support HTTPS access to youtube.com. When youtube.com is accessed over HTTPS, the user will have unrestricted access to YouTube content. The following solutions can be implemented to work around this:

• Enable Client DPI-SSL with CFS inspection. DPI-SSL feature activation requires separate license and this is supported on NSA 240 and higher models.

• Create a LAN (or DMZ) to WAN Access Rule as under:

– Action: Deny

– Service: HTTPS

– Source: Any

– Destination: Create an FQDN Address Object for youtube.com and ytimg.com

Issues

DPI-SSL cannot be used to block https://youtube.com, but only to allow it. So the DPI section above should not be part of the solutions that can be implemented to work around this.

In creating the above rule to block https access to youtube.com or www.youtube.com and s.ytimg.com, we have found that https://www.google.com is now also blocked, as well as https://drive.google.com  and https://play.google.com/ are blocked also.

Other google sites such as calendar.google.com and gmail work fine.

Creating FQDNS for the blocked site and creating an allow rule for the group, also allows https youtube to be accessed.

In summary, creating the deny rules for https>youtube fqdns also blocks other google ssl sites. So there is no way that we have found to use youtube for schools and block access to ssl youtube without blocking other google ssl sites. And there is no way to allow the other sites without also causing ssl youtube to be allowed as well.