Students bypassing filtering
-
We are seeing a problem in multiple labs where students are able to bypass filtering. Basically, the firewall shows that the teacher (who is logged into the master) is also logged in to multiple clients, even though they are not. When students log in, they are seen as the teacher by the firewall and are able to access sites they should not have access to. This seems to be platform-independent, as one lab is all Windows 10 (latest build). The other is mostly Win10, but the teacher uses Ubuntu 21.04.
Running Veyon 4.5.4
Firewall is a FortiGate 501E v6.2.4 build1112
Domain controllers are Win servers 2012r2 and connect to Fortinet Sign-On Agent.
-
When Veyon Master connects to client computers, the Veyon Server/Service on the client computers checks the teacher's credentials by performing a temporary internal user logon with the teacher's username and password. However, it does not initiate a real user session, so I wonder why your firewall recognizes the teacher as being logged on (obviously it only tracks login events?). All you can do here Veyon-side is to switch to key file authentication globally. Then client computers simply verify messages from Veyon Master (signed with the private key master-side) instead of the user credentials.
-
@tobydox After further investigation, the students are able to bypass the firewall. For example, student accounts are prohibited from visiting Reddit.com. However, if the teacher computer is running Veyon, the client can go to Reddit and the firewall records it as traffic under the teacher's account. This is a serious issue for us.
If the teacher computer is not turned on, filtering works correctly.
-
Reviving this thread as this is the only one I can find on the matter, but I've been having this same issue, too.
At first, staff would log in to Veyon Master with their own account, but I realised that students being monitored by Veyon were able to bypass the Student Web Filter on our FortiGate firewall because the firewall saw the teacher's logon session on the DC and it looks like the teacher has now logged on and is assigned the profile.
To bypass this, I have had to create a generic account for use with Veyon which is set as a student, so this retains the student web filter; however, I can see all the different entries from different devices on the firewall from this user.
@tobydox said in Students bypassing filtering:
the Veyon Server/Service on the client computers checks the teacher's credentials by performing a temporary internal user logon with the teacher's username and password. However, it does not initiate a real user session, so I wonder why your firewall recognizes the teacher as being logged on
Are you able to expand on this ^^^? Because the Veyon user logon event shows up in the DC's event logs (which are monitored by the firewall to assign user sessions) and there seems to be no difference between this logon and any other domain user logon. The workstations are only checked for logoff events, as these don't appear on the DC.
As far as the firewall is concerned, whenever a client computer is connected to, the logged on user has changed, as this is now the latest logon event seen on the DC for that device.
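-
Added example, not part of the original thread and not Veyon or Fortinet code: a small replay of the "latest logon event on the DC wins" mapping described in the last post, with two checks an administrator could run over exported logon events to spot the condition. The event tuples, IP addresses, account names and the `veyon_check` label are constructed for illustration; key file authentication is modelled, as an assumption, as producing no credential logon event at all.

```python
from collections import defaultdict

# Constructed sample: (seconds, workstation IP, account, kind) logon events as a
# collector reading the DC security log might see them. Not real log data.
EVENTS = [
    (0,   "10.0.5.10", "teacher1",  "interactive"),   # teacher at the master PC
    (60,  "10.0.5.21", "student_a", "interactive"),
    (65,  "10.0.5.22", "student_b", "interactive"),
    (120, "10.0.5.21", "teacher1",  "veyon_check"),   # master connects to client
    (121, "10.0.5.22", "teacher1",  "veyon_check"),
]
PROFILE = {"teacher1": "staff", "student_a": "student",
           "student_b": "student", "veyon_generic": "student"}

def replay(events):
    """Build the last-logon-wins IP -> account map and record every overwrite."""
    current, overwrites = {}, []
    for ts, ip, user, _kind in sorted(events):
        prev = current.get(ip)
        if prev is not None and prev != user:
            overwrites.append((ts, ip, prev, user))
        current[ip] = user
    return current, overwrites

def multi_host_accounts(current, limit=1):
    """Accounts mapped to more than `limit` workstations at the same time."""
    hosts = defaultdict(list)
    for ip, user in sorted(current.items()):
        hosts[user].append(ip)
    return {u: ips for u, ips in hosts.items() if len(ips) > limit}

def profile_escalations(overwrites, profile=PROFILE):
    """Overwrites that moved a workstation off the student profile."""
    return [(ts, ip, old, new) for ts, ip, old, new in overwrites
            if profile[old] == "student" and profile[new] != "student"]

def master_connects_as(events, account):
    """Rewrite the credential-check events to use `account` (the generic-account
    workaround); account=None drops them (models key file authentication)."""
    out = []
    for ts, ip, user, kind in events:
        if kind == "veyon_check":
            if account is None:
                continue
            user = account
        out.append((ts, ip, user, kind))
    return out
```

With the generic student-profile account the escalation check comes back empty, but `multi_host_accounts` still reports that one account on several workstations, which matches the firewall entries described for the workaround.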