This articles applies to the Barracuda Web Security Gateway running firmware version 8.0 and higher.
For additional information, refer to:
The Temporary Access feature provides a portal where teachers can request and manage temporary access for students to specified domains or categories of domains that are typically blocked by school policy. In this way, students can access web content that may be useful for research projects or other classroom needs on a temporary basis.
If the teacher's requested domains are approved, the Barracuda Web Security Gateway issues a security token to the teacher to give to students to bypass block pages when browsing specific websites.The teacher can specify a time frame during which security tokens are valid, and can disable tokens at will. The administrator can revoke access for any security token, and can grant or revoke access to the Temporary Access portal to teachers. Certain domains or categories of domains can be prohibited by the administrator from ever being granted temporary access.
Workflow for Administrators
- Begin by enabling the Temporary Access portal for teachers from the ADVANCED > Temporary Access page in the Barracuda Web Security Gateway web interface. From this page you can also:
- Create a list of teachers, or specify LDAP Groups (as defined on the USERS > Users/Groups page) and configure whether the teachers log in with their LDAP credentials, or with credentials you create on the ADVANCED > Temporary Access page.
- Specify maximum time frame the teacher can use for student access tokens to remain valid. If you enable Allow Direct Override, then no token is needed and the maximum time frame determines how long a teacher's login is valid for temporary access to the previously blocked website.
- List domains and or categories that will always be prohibited from temporary access.
- Specify maximum number of domains or categories that can be requested by a teacher.
- Use the Limited To field to limit who can use the Temporary Access feature based on local or LDAP users, groups, LDAP organization units (OUs) or IP addresses.
See the ADVANCED > Temporary Access page for details about the configuration.
- Make sure that the email address contact you want attached to the ContactIT link on the Temporary Access portal (see Figure 1 below) is entered in the System Alerts Email Address in the Email Notifications section of the BASIC > Administration page.
- Copy and paste the URL for the Temporary Access Portal from the ADVANCED > Temporary Access page into an email to the teacher. The URL is defined as How to Use Temporary Access for Students - Teacher's Guide, which has step-by-step instructions for the teacher to request domains and get tokens to give their students. This article is also linked from within the help file that appears upon clicking the Help button on the Temporary Access Portal pages. If you enable Allow Direct Override, then instruct the teacher that no token is needed - they simply log in to bypass block pages. . Include in the email the credentials you created on the page for the teacher, or instruct them to use their LDAP credentials if you checked the Use LDAP Authentication checkbox. Also include a link to the article
- Go to the BLOCK/ACCEPT > Configuration page and set Set Enable HTTPS Filtering to Yes and set Enable HTTPS Block Page to Yes, OR go to the ADVANCED > SSL Inspection page and enable SSL Inspection.
- Use the BASIC > Temporary Access Requests page to monitor activity of tokens by teacher username and date/time. You can also revoke tokens on that page.
Prohibited Categories and Domains
If you have specified, from the ADVANCED > Temporary Access page, any categories or domains that are prohibited from temporary student access, be sure to let the teacher know which ones are prohibited; otherwise, if the teacher requests those domains or categories, he/she will receive an error message in the Temporary Access Portal.
Workflow for the Teacher
The workflow documented here helps the administrator to understand how to use the ADVANCED > Temporary Access page to configure this feature, and answers some questions the teachers might have about getting and managing security tokens to give students to access specific websites. For a set of instructions to give to teachers, see How to Use Temporary Access for Students, which can also be printed out as a PDF.
- The teacher receives an email from the system administrator containing:
- URL for the Temporary Access Portal
- Either credentials for logging into the portal, or instructions to use their LDAP credentials
The teacher sees this login page upon browsing the URL and logs in as instructed.
Figure 1: Temporary Access Portal Login page
Once the teacher logs in, the Temporary Access Portal home page appears. In this case, the Display Name entered on the ADVANCED > Temporary Access page for the teacher who is logged in is bjones.
Figure 2: Temporary Access Portal Welcome page
The teacher clicks Submit New Temporary Access Request to begin requesting domains for temporary student access from the Temporary Access Portal Home page.
Figure 3: Temporary Access Portal Home page
Via the portal, the teacher can enter domains and/or select from a list of sub-categories (not categories ) as defined on the BLOCK/ACCEPT > Content Filter page, including any custom categories you have defined. In the example shown in Figure 4, the teacher has requested the Tripadvisor.com domain and is about to request Expedia.com. If the teacher had selected the Travel sub-category (where the category is Leisure) , those domains would have been included along with lots of other domains categorized as 'Travel'. But if the teacher only wants the students to be able to access these two travel domains, then only the explicit domains should be requested. Discussing the Lookup Category option with teachers and educating them about categorization of domains may better prepare them to use it safely.
Figure 4: In this example, the teacher has selected Tripadvisor.com and is about to select Expedia.com for temporary student access.
The teacher cannot actually select an entire category; only sub-categories, as shown below. However, to simplify instructions for teachers, the documentation will refer to selection of categories for an entire set of websites. After selecting the requested domains and/or sub-categories for temporary student access, the teacher selects the time frame for access and optionally enters a comment, such as the reason for access to these domains. All of this data is logged by date and username for the administrator to monitor on the BASIC > Temporary Access Requests page. The domains, sub-categories and comments (if any) entered by the teacher will appear in the Details popup linked to that page.
Figure 5: The teacher has clicked Lookup Category for the domain Expedia.com. Travel is a sub-category of the Leisure category.
After the teacher makes a request for access to one or more sub-categories and/or domains and clicks Submit Request, the Barracuda Web Security Gateway returns a token (as shown in Figure 6), and the teacher can click the Make Another Request link at the bottom of the page for more additions. The teacher gives the domain names and token to the students, who input the token to block pages when accessing those domains.
Alternatively, you can grant the teachers the ability to simply use their temporary access (or LDAP) credentials to bypass block pages, removing the need for tokens. Do this by checking the Allow Direct Override box in the Temporary Access Administrators section of the ADVANCED > Temporary Access page. This simplifies the process, and the same limited time frames for student access are applied after the teacher logs in.
Figure 6: Getting a token that is associated with access to all domains and/or sub-categories in a request.
When the student tries to access a typically blocked website, he or she can enter the token as shown below to bypass the block page and browse the site for the temporary time frame requested by the teacher. If Allow Direct Override is enabled, as mentioned above, the teacher can click the Temporary Access Using User Credentials link as shown in Figure 7, and then log in with their credentials instead of entering a token.
Figure 7: The student enters the token to bypass the block page for sites the teacher has requested
Managing Temporary Access Requests and Tokens
When the teacher logs into the Temporary Access Portal, they can view a list of their temporary access requests on the home page. To view this list from another page, the teacher clicks Home in upper right of the portal. For each request, the status and expiration dates are displayed for the associated tokens.
From this page the teacher can disable a token before it expires, if necessary, by selecting the Disable check box, or can click the Copy link to make a co py of the original request to renew it. Clicking Details for a request displays associated domains, categories, and comments.
The administrator can view the same detail about tokens and revoke tokens from the BASIC > Temporary Access Requests page.
Figure 8: List of temporary access requests made by bjones in the last week