LiveStream 5 Administration Guide

Managing Policy Sets

A Policy Set is a named collection of web-access rules that can be applied to any number of Policy Groups. Applying a Policy Set to a Policy Group will afford web access to members of that Policy Group according to the rules defined within it.

Policy Sets are accessible from within Policy Groups and can be applied to them in two ways:

  1. As the default Policy Set — every Policy Group must have a base level of access defined for its members so they can be granted access.

  2. As a time-based Policy Set — these will override the default Policy Set on a custom schedule. Multiple time-based Policy Sets may be configured for a Policy Group as long as the schedules do not overlap.

A default Policy Set is assigned to each Policy Group when it is created, but this will typically be edited or replaced with something more specific afterwards.

The default Policy Set is applied to the Policy Group's members at all times except when the (optional) time-based Policy Sets take effect.

ProTip: The entire policy configuration is viewable from the Dashboard. You can quickly navigate between Policy Groups and the Policy Sets that are applied to them. If you see something that you want to change, just click on it and the relevant section of the management interface will be presented.


PLEASE NOTE:

  • A Policy Set can belong to many different Policy Groups.
  • When a Policy Set is edited, it affects all Policy Groups that use it.
  • A user or device can only be controlled by a single Policy Set at a time.

Creating a Policy Set

Start by opening the Policy Group you wish to create the Policy Set for and select the Access tab.

  1. Click on the Create a new Policy Set button.

    ProTip: Consider the portability of new Policy Sets. Don't choose an overly specific name if it can be applied to multiple Policy Groups.

  2. Enter a succinct but descriptive name for the new Policy Set, e.g. Student Rules, Teacher Rules, Out-of-hours Rules, Guest Rules.

  3. Choose an existing Policy Set with similar rules as a template. If this is a brand new installation just select a built-in Set—it's just a starting point before you start editing it.

  4. Click Create

Your new Policy Set will now be presented for editing.

Editing a Policy Set

Whether you have just created a new Policy Set or are editing an existing Policy Set, this process is the same. The rules that govern a Policy Set can generally be divided into two types:

  1. Content Filtering — determining which content should be outright denied or allowed.

  2. Usage Limits — restricting the quantity of available resources each individual can consume e.g. data (download size) and bandwidth (download speed).

The Policy Set editing interface contains many predefined rules which can be enforced or not. They are separated logically across several tabs.

When you've finished editing a Policy Set just click the contextual Save or Done button in the page header.

Categories (content filtering)

The category filters allow you to deny access to specific kinds of websites based on the type of content they contain. A Policy Set can block any of sixty distinct categories, which are organised by threat level into three groups:

  • Severe — Dangerous and/or explicit content.
  • Moderate — Content of lesser danger; content that's inappropriate for certain age groups, time-wasting.
  • General — Content appropriate for all ages. These categories may be denied at your organisation's discretion.

How does it work?

LiveStream 5's real-time URL classification technology, CNS (Category Name Service), instantly looks up each requested URL against a database of over five billion pre-categorised URLs.

If a new, previously uncategorised URL is requested, the CNS will algorithmically categorise it based on the contents of the page. Algorithmic categorisations are later reviewed by a human being.

These uncategorised URLs will initially be categorised as New URL until the CNS servers have analysed the webpage. This usually occurs before the next request to the URL. You may block the New URL category to ensure that only classified websites are accessible.


To deny access to a category, select the corresponding checkbox in the Categories tab. You can also toggle all the categories for each group on or off using the corresponding links.

Allow & Deny (content filtering)

The Allow & Deny tab allows you to supplement your category-based filters with customisable lists of content to allow or deny. This feature is powered by your List Groups which let you target web content by domain, URL, IP, media type or expression. We recommend reading the section on List Groups before managing these options.

ProTip: Your List Groups are only as useful as their titles. You should be able to identify the List Groups that should be denied and allowed for the Policy Set based on their titles, e.g. Student approved content.

Put simply, everything on the internet will either match with the content of a List Group or not.

For example, you may wish to deny the Social Networking category but allow access to certain Facebook profiles. To allow those profiles you would add their URLs to a List Group that is allowed by the Policy Set.

  1. Use the respective drop-down menus to select an existing List Group to allow or deny.

  2. Click the corresponding Add button to apply the List Group as being allowed or denied for this Policy Set.

If one of your existing List Groups does not satisfy your purposes you can create a new one which will automatically be applied as an allow or deny list depending on which Create button you choose. When you've finished editing the new list you created click Done and you will return to the Policy Set edit page.

Whitelist mode

By default a Policy Set will allow any request that does not match any denied Categories or denied List Groups. Whitelist mode flips this paradigm to provide a much stricter level of control, where everything is denied unless specifically allowed in a List Group.

Whitelist mode is primarily designed for kiosk devices which have a specific set of websites they are meant to provide access to. It may also be used to provide highly restricted web access for very young children.


To handle the many allowed and denied lists and categories, the filtering system uses a hierarchy to resolve conflicting rules. Each web request is compared with its Policy Set in this order:

  1. Denied lists — does the request match any of the denied List Groups? If it does, it will be blocked and no further evaluation of the request will occur.

  2. Allowed lists — does the request match any of the allowed List Groups? If it does, it will be allowed and no further evaluation of the request will occur.

  3. At this stage the request has been neither allowed nor denied, so it proceeds to the final stage of content filtering: Categories.
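The evaluation order above, together with Whitelist mode, as an added Python sketch (not LiveStream's own code). The class names, the SAMPLE_CATEGORIES table standing in for a CNS lookup, and the matching rules for domains and URL prefixes are assumptions made for illustration; the hierarchy is assumed to apply unchanged in Whitelist mode.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed stand-in for a CNS lookup: host -> category name.
SAMPLE_CATEGORIES = {"facebook.com": "Social Networking",
                     "example.edu.au": "Education"}

@dataclass
class ListGroup:
    title: str
    domains: set = field(default_factory=set)       # host or any subdomain
    url_prefixes: set = field(default_factory=set)  # "host/path" entries

    def matches(self, url):
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if any(host == d or host.endswith("." + d) for d in self.domains):
            return True
        target = host + parts.path
        # Match whole path segments so /exampleschool does not cover /exampleschoolx.
        return any(target == p or target.startswith(p.rstrip("/") + "/")
                   for p in self.url_prefixes)

@dataclass
class PolicySet:
    name: str
    denied_lists: list = field(default_factory=list)
    allowed_lists: list = field(default_factory=list)
    denied_categories: set = field(default_factory=set)
    whitelist_mode: bool = False

def categorise(url):
    host = (urlsplit(url).hostname or "").lower()
    for known, category in SAMPLE_CATEGORIES.items():
        if host == known or host.endswith("." + known):
            return category
    return "New URL"  # not yet classified

def evaluate(policy, url):
    """Return (decision, reason) using the documented order."""
    for group in policy.denied_lists:    # 1. a denied list ends evaluation
        if group.matches(url):
            return "deny", f"denied list: {group.title}"
    for group in policy.allowed_lists:   # 2. an allowed list ends evaluation
        if group.matches(url):
            return "allow", f"allowed list: {group.title}"
    if policy.whitelist_mode:            # nothing was specifically allowed
        return "deny", "whitelist mode"
    category = categorise(url)           # 3. categories decide the rest
    verdict = "deny" if category in policy.denied_categories else "allow"
    return verdict, f"category: {category}"
```

Because allowed lists are checked before categories, a single broad entry in an allowed List Group overrides every category block for the content it matches.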

Quota & Credit (usage limits)

The quota & credit tab offers a number of options for controlling the amount of internet resources that each client can consume.

Maximum file size

This option places a limit on the size of each separate file a client can download from the web.

Most web pages are made up of many individual media files, most of which are no more than a few megabytes in size. This feature is mainly designed to block larger downloads such as audio and video files, software installers etc.

Quota

Download quotas allow you to set a data allowance of accrued downloads. Quotas can ensure that each user gets their fair share of data when an organisation's internet plan is expensive and/or limited.

There are three optional Quota intervals:

  • Daily — resets every night at midnight
  • Weekly — resets every Sunday night at midnight
  • Monthly — resets on the first day of every month

When a user exceeds any of their allotted quotas they will be denied unless you have configured speed limiting or credit charging to take place instead.

ProTip: each user's quota usage can be tracked from their profile in the Users section of the management interface.

Each quota interval operates independently of the others.

Credit

Some schools and community organisations require users to pay for either some or all of their internet usage. Credit allows you to charge users based on the amount of data they download at a per-gigabyte price.

IMPORTANT: Every user in LiveStream has a credit balance which can be managed from their profile in the Users section. Make sure your users have a positive balance before charging them.

  1. To enable credit charging, first choose a method:

    • Always charge — always require a user to have a positive credit balance in order to access the web.

    • Charge when over-quota — only charge users' credit balances when they have exceeded one of their quota intervals.

  2. Finally, set the price for each GB (gigabyte) that a user downloads in dollars ($). You can either define a unique credit price just for this Policy Set or use the global pricing defined by the system Organisation Settings.

    ProTip: Enforcing a conservative maximum file size will reduce the probability of credit balances becoming negative when they are depleted.

If a user's effective Policy Set charges credit and their balance is zero (or negative) they will be denied web access unless their Policy Set enforces a speed limit when data-depleted.

If charging credit is not appropriate for the Policy Set you're editing, leave the never charge method selected.

Unmetered content

Unmetered content uses the List Group system to define content which will not count towards quota or credit usage when downloaded.

Getbusi recommends creating a single unmetered content List Group and applying it to every Policy Set that enforces usage limits, but you may also create separate List Groups of unmetered content if your Policy configuration calls for it.

ProTip: You can add the gov.au and edu.au domains to the unmetered List Group to avoid metering Australian government and education web content.

Speed Limit (usage limits)

Limiting bandwidth (download speed) is an effective way to ensure that every client gets a fair share of the available internet bandwidth, especially when high-speed broadband availability is limited.

  1. To limit download speed, first choose a method:

    • Always limit — limits download speed regardless of quota or credit status.

    • Limit when data-depleted — only enforces the speed limit when users are over-quota (and have zero credit, if applicable).

  2. Finally, set the maximum download speed each client is entitled to in kilobits per second.

Speed limits are applied to the total downstream bandwidth usage of each client. For example, if a client is downloading two files with a 512 Kbps limit (64 KB/s), each download should transfer at approximately 32 KB/s.
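How the Quota, Credit and Speed Limit options described above combine for a single user, as an added Python sketch (not LiveStream's own code). The names UsageRules and decide and the method strings are assumptions, unmetered and unrestricted content are not modelled, and the handling of "Always limit" for a data-depleted user is an assumption because the guide does not state it.

```python
from dataclasses import dataclass, field

@dataclass
class UsageRules:
    quotas_mb: dict = field(default_factory=dict)  # e.g. {"daily": 500, "weekly": 2000}
    credit: str = "never"   # "never" | "always" | "over_quota"
    speed: str = "never"    # "never" | "always" | "depleted"
    limit_kbps: int = 0

def decide(rules, used_mb, balance):
    """Return how the next metered request is handled for one user."""
    # Each interval is independent: exceeding any one makes the user over-quota.
    over_quota = any(used_mb.get(name, 0) > cap
                     for name, cap in rules.quotas_mb.items())
    charging = rules.credit == "always" or (
        rules.credit == "over_quota" and over_quota)
    # While charging applies, the credit balance decides; otherwise the quota does.
    depleted = balance <= 0 if charging else over_quota
    if depleted:
        # Assumption: only "Limit when data-depleted" turns a denial into
        # throttled access; the guide is silent on "Always limit" here.
        if rules.speed == "depleted":
            return {"access": "allow", "kbps": rules.limit_kbps, "charged": False}
        return {"access": "deny", "kbps": None, "charged": False}
    kbps = rules.limit_kbps if rules.speed == "always" else None
    return {"access": "allow", "kbps": kbps, "charged": charging}
```

Walking a Policy Set's settings through this function before saving shows which users end up denied outright and which fall back to throttled access.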

Unrestricted content

Unrestricted content uses the List Group system to define web content which may be downloaded at the maximum possible speed regardless of the enforced speed limit.

Getbusi recommends creating a single unrestricted content List Group and applying it to every Policy Set that enforces usage limits, but you may also create separate List Groups of unrestricted content if your Policy configuration calls for it.

ProTip: You can add the gov.au and edu.au domains to your unrestricted List Group to guarantee Australian government and education web content will always download at full speed.

Safety Mode (content filtering)

Popular content aggregation vendors sometimes offer their own built-in content filtering options. This is mostly just for search engines, although some video streaming services are beginning to implement this as well.

Note from the development team: We try our best to keep up with these vendors' changes to their safe searching, however the vendors are continually improving and updating their products which can potentially interfere with these tools. For this reason the features are permanently tagged as beta.

Enforce safe searching

Every popular search engine includes a safe searching option, most of which can be forced by rewriting their search URL queries.

LiveStream is able to force strict safe searching for the following search engines:

  • Google
  • Bing
  • Yahoo
  • Yandex
  • DuckDuckGo

IMPORTANT: Google currently defaults most web searches to use encrypted SSL connections which prevent the proxies from parsing or rewriting the URLs. To remedy this situation Google have provided a DNS-based work-around which allows organisations to force unencrypted searches.

If you want to enforce Google Safe Searching you must implement Option #3 of this work-around.

Enforce YouTube for Schools

YouTube for Schools is an initiative that allows schools to provide access only to educational video material on youtube.com. This requires a YouTube for Schools account which includes a unique API key which LiveStream uses to enforce your school's YouTube for Schools restrictions.

For more information on setting up and managing YouTube for Schools visit: https://support.google.com/youtube/answer/2592715?hl=en

Before enabling YouTube for Schools for your Policy Set(s), you must enter your YouTube for Schools ID key in your Organisation Settings.