When your Opendium server is first installed, we do a lot of the initial setup for you. Here is a quick checklist so you can be sure your network is set up to accommodate the system:
- Pick a fully qualified host name for your Opendium system. This must be within your fully qualified domain, so if your domain is example.com then opendium.example.com is a good choice.
- Add the host name to your domain's DNS servers. Depending on your network, you may need to adjust your internal DNS servers too.
- As standard, we use Let's Encrypt to provide a trusted X.509 SSL certificate for your server. If you already have a certificate that you would prefer to use, let us know and we can install that for you instead.
- If the system is to be integrated into a Windows Active Directory network, the Kerberos authentication tickets must be configured.
- Add DNS records for wpad and proxy to your internal Windows domain. For example, if your Windows domain is internal.example.com, wpad.internal.example.com and proxy.internal.example.com should both resolve to the IP address of your Opendium system.
- Configure your DHCP server to announce the wpad path (e.g. http://wpad.internal.example.com/wpad.dat) via option 252.
- Install your unique Opendium Certification Authority certificate on your workstations, tablets, etc.
- Your Opendium system should be installed as a router between your network and your internet router. It is possible to operate the system in a reduced capacity with a non-router configuration, but this is not a recommended configuration.
- We recommend that you disable web filtering for your own domains by adding them to the Whitelisted websites override.
- For customers using the mail server / filter module:
  - Change your MX DNS records to direct your email at the system.
  - Set up the users and groups.
  - Choose a host name to access the web mail system, e.g. mail.example.com.
  - If you are using a separate certificate for the web mail address, the system will need to be assigned a separate IP address specifically for the web mail system.
  - Add a record to your DNS server that resolves to the system's web mail IP address.
- Since Web Gateway and UTM automatically examine network traffic, including encrypted traffic, you should ensure the users all agree to a usage policy that indicates that their network traffic may be monitored.
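A preflight check for the host name, wpad/proxy DNS and DHCP option 252 items in the checklist above, written as an added example (it is not Opendium's own tooling). The function names, the 192.0.2.10 gateway address and the sample records are constructed for illustration; by default the check uses the workstation's own resolver.

```python
import ipaddress
import socket
from urllib.parse import urlsplit


def system_resolve(name):
    """Resolve a name to its set of IPv4 addresses using the local resolver."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None, socket.AF_INET)}
    except socket.gaierror:
        return set()


def preflight(public_host, public_domain, internal_domain, gateway_ip,
              option_252_url, resolve=system_resolve):
    """Return a list of problems found; an empty list means the checks passed."""
    problems = []
    gateway = str(ipaddress.ip_address(gateway_ip))  # rejects malformed input
    # The host name must sit inside the organisation's own domain.
    if not public_host.lower().rstrip(".").endswith("." + public_domain.lower()):
        problems.append(f"{public_host} is not within {public_domain}")
    # wpad and proxy must both resolve to the gateway, and to nothing else.
    for label in ("wpad", "proxy"):
        name = f"{label}.{internal_domain}"
        addresses = resolve(name)
        if not addresses:
            problems.append(f"{name} does not resolve")
        elif addresses != {gateway}:
            problems.append(f"{name} resolves to {sorted(addresses)}, expected {gateway}")
    # DHCP option 252 must name the wpad host and the wpad.dat path.
    url = urlsplit(option_252_url)
    if url.hostname != f"wpad.{internal_domain}".lower():
        problems.append(f"option 252 host is {url.hostname!r}, expected wpad.{internal_domain}")
    if url.path != "/wpad.dat":
        problems.append(f"option 252 path is {url.path!r}, expected '/wpad.dat'")
    return problems


if __name__ == "__main__":
    # Constructed sample records (documentation addresses), not a real network.
    records = {"wpad.internal.example.com": {"192.0.2.10"},
               "proxy.internal.example.com": {"192.0.2.10"}}
    for problem in preflight("opendium.example.com", "example.com",
                             "internal.example.com", "192.0.2.10",
                             "http://wpad.internal.example.com/wpad.dat",
                             resolve=lambda n: records.get(n, set())):
        print("FAIL:", problem)
```

Run it from a workstation on the internal network without the `resolve` argument to test the live DNS records; a wpad name that resolves to any address other than the gateway is reported as a failure.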
Once the basics are set up, the main thing to do first is to go into the Users and Groups module by clicking the tab at the top of the page.
Click on the Networks group and use the Create Network tool to add all of your local networks. Later on, you can create subgroups within the Networks group to manage the settings for subsections of your network. Please see the recommended group structure knowledgebase article to see how we recommend that you set up your groups.
Your Opendium system can be used either as a stand alone system, or integrated into a Windows Active Directory network. We will have discussed this with you and set the system up in the appropriate mode when it was installed.
Using Your Web Gateway or UTM as a Stand Alone System
If you are running in stand alone mode, you will need to create the users and groups manually. For a small number of users it is no problem to add them to the system manually, using the Create User button on the main Users and Groups page. However, for a large number of users, it is often more convenient to import them from a spreadsheet or other application - this can be done by uploading a file in CSV format in the Import Users subsection.
Using Your Web Gateway or UTM With Windows Active Directory
If you have integrated your system with a Windows Active Directory network, you can synchronise the internal user database with Active Directory. In the User Sync Configuration subsection, you can configure the details of the LDAP server that holds your user database. If you only want to synchronise specific organisational units, you can configure them here, but if you leave no OUs configured, everything under the base DN you specify will be synchronised.
Watch out: Windows limits the number of users that can be synchronised to 1000 at a time. Unfortunately, this means that if you have over 1000 users on your existing LDAP server, you will need to synchronise them an OU at a time rather than all in one go. This can easily be done by simply listing all the OUs here that you want to synchronise.
Most people don't need to have all their Active Directory user groups created on the Opendium system, so you can set up group mappings. For each group you want to synchronise, create a group mapping that tells the system what to call the group.
Finally, hit the Save Configuration button.
Now the user synchronisation system is configured, you can go to the User Sync subsection. A list of all the users to be synchronised will be shown and once you're happy with it you can press the Synchronise Selected Users button. The users will be created and moved into the appropriate user groups automatically. If there are any users that you would prefer the system ignored and didn't synchronise, right click them and select Ignore User from the pop up menu. The list of currently ignored users can be viewed and edited in the User Sync Configuration subsection at any time.
Managing User Groups
The user groups are arranged in a hierarchical tree, with the root being the Everyone group. This allows global settings to be set in the Everyone group and overridden or augmented by additional settings further down the tree. For example, in the Web Proxy section you could configure the Everyone group to disallow access to online gaming websites, and this would apply to all users. You could then augment this by specifying that everyone in a certain subgroup also cannot access social networking websites except at lunch times.
After using the Import Users or User Sync function, the new user groups will have initially all been created inside the Everyone group. These need to be organised into a suitable hierarchy. This can be done in the main Users and Groups page - using the mouse, drag the groups in the group list on the left to organise them. If you have followed our recommended group structure, a typical set up in a school would be as follows:
- Lower school
- Upper school
- Sixth form
- Lower school
Users can be dragged between groups in the Users and Groups page. However, remember that if you are integrating with an Active Directory network, the User Sync tool will resynchronise each user's groups with the Active Directory server, so a more permanent way of moving a user between groups is to do this in Active Directory and then synchronise the users again.
Additionally, you can use the Create Network button to add an IP address or entire IP network to a group.
Right clicking a user or group will pop up a menu allowing you to edit various settings for that user / network / group, or delete it. If you are integrating with an Active Directory network, Web Gateway / UTM is not responsible for authenticating the users, so any password changes should be made in Active Directory rather than on your Opendium system.
Now that you've configured the core system, follow the links below to read the user guides for the individual modules for specific setup instructions relating to them and to learn how to use them.