A Policy Set is a named collection of web-access rules that can be applied to any number of Policy Groups. Applying a Policy Set to a Policy Group will afford web access to members of that Policy Group according to the rules defined within it.
Policy Sets are accessible from within Policy Groups and can be applied to them in two ways:
As a time-based Policy Set — these will override the default Policy Set on a custom schedule. Multiple Time-based Policy Sets may be configured for a Policy Group as long as the schedules do not overlap.
ProTip: The entire policy configuration is viewable from the Dashboard. You can quickly navigate between Policy Groups and the Policy Sets that are applied to them. If you see a something that you want to change, just click on it and the relevant section of the management interface will be presented.
Click on the Create a new Policy Set button.
ProTip: Consider the portability of new Policy Sets. Don't choose an overly specific name if it can be applied to multiple Policy Groups.
Enter a succinct but descriptive name for the new Policy Set e.g. Student Rules, Teacher Rules, Out-of-hours Rules, Guest Rules
Choose an existing Policy Set with similar rules as a template. If this a brand new installation just select a built-in Set—it's just a starting point before you start editing it.
Your new Policy Set will now be presented for editing.
Content Filtering — determining which content should be outright denied or allowed.
Usage Limits — restricting the quantity of available resources each individual can consume e.g. data (download size) and bandwidth (download speed).
The Policy Set editing interface contains many predefined rules which can be enforced or not. They are separated logically across several tabs.
When you've finished editing a Policy Set just click the contextual Save or Done button in the page header.
The category filters allow you to deny access to specific kinds of websites based on the type of content they contain. There are sixty distinct categories which can be blocked by a Policy Set which are organised by threat level into three groups:
LiveStream 5's real-time URL classification technology, CNS (Category Name Service), instantly looks up each requested URL against a database of over five billion pre-categorised URLs.
If a new, previously uncategorised URL is requested the CNS will algorithmically categorise it based on the contents of the page. Algorithmic categorisations are then latter reviewed by a human being.
These uncategorised URLs will initially be categorised as New URL until the CNS servers have analysed the webpage. This usually occurs before the next request to the URL. You may block the New URL category to ensure that only classified websites are accessible.
To deny access to a category, select the corresponding checkbox in the Categories tab. You can also toggle all the categories for each group on or off using the corresponding links.
The Allow & Deny tab allows you to supplement your category-based filters with customisable lists of content to allow or deny. This feature is powered by your List Groups which let you target web content by domain, URL, IP, media type or expression. We recommend reading the section on List Groups before managing these options.
ProTip: Your List Groups are only as useful as their titles. You should be able to identify the Lists Groups that should be denied and allowed for the Policy Set based on their titles e.g. Student approved content
Put simply, everything on the internet will either match with the content of a List Group or not.
For example, you may wish to deny the Social Networking category but allow access to certain Facebook profiles. To allow those profiles you would add their URLs to a List Group that is allowed by the Policy Set.
Use the respective drop-down menus to select an existing List Group to allow or deny.
If one of your existing List Groups does not satisfy your purposes you can create a new one which will automatically be applied as an allow or deny list depending on which Create button you choose. When you've finished editing the new list you created click Done and you will return to the Policy Set edit page.
By default a Policy set will allow any requests that does not matching any denied Categories or denied List Groups. Whitelist mode flips this paradigm to provide a much stricter level of control, where everything is denied unless specifically allowed in a List Group.
Whitelist mode is primarily designed for kiosk devices which have a specific set of websites they are meant to provide access to. It may also be used to provide highly restricted web access for very young children.
To handle the many allowed and denied lists and categories, the filtering system uses a hierarchy to resolve conflicting rules. Each web request is compared with its Policy Set in this order:
Denied lists — does the request match any of the denied List Groups? If it does, it will be blocked and no further evaluation of the request will occur.
Allowed lists — does the request match any of the allowed List Groups? If it does, it will be allowed and no further evaluation of the request will occur.
At this stage the request has neither been allowed or denied—it will proceed to the final stage of content filtering — Categories.
The quota & credit tab offers a number of options for controlling the amount of internet resources that each client can consume.
This option places a limit on the size of each separate file a client can download from the web.
Most web pages are made up of many individual media files—most which are no more than a few megabytes large. This feature is mainly designed to block larger downloads such as audio and video files, software installers etc.
Download quotas allow you to set a data allowance of accrued downloads. Quotas can ensure that each user gets their fair share of data when an organisation's internet plan is expensive and/or limited.
There are three optional Quota intervals:
When a user exceeds any of their allotted quotas they will be denied unless you have configure speed limiting or credit charging to take place instead.
ProTip: each user's quota usage can be tracked from their profile in the Users section of the management interface.
Each quota interval operates independently of the others.
Some schools and community organisations require users to pay for either some or all of their internet usage. Credit allows you to charge users based on the amount of data they download at a per-gigabyte price.
IMPORTANT: Every user in LiveStream has a credit balance which can be managed from their profile in the Users section. Make sure your users have a positive balance before charging them.
To enable credit charging, first choose a method:
Always charge — always require a user to have a positive credit balance in order to access the web.
Charge when over-quota — only charge users' credit balances when they have exceeded one of their quota intervals.
Finally, set the price for each GB (gigabyte) that a user downloads in dollars ($). You can either define a unique credit price just for this Policy Set or use the global pricing defined by the system Organisation Settings.
ProTip: Enforcing a conservative maximum file size will reduce the probability of credit balances becoming negative when they are depleted.
If charging credit is not appropriate for the Policy Set you're editing, leave the never charge method selected.
Unmetered content uses the List Group system to define content which will not count towards quota or credit usage when downloaded.
Getbusi recommends creating a single unmetered content List Group and applying it to every Policy Set that enforces usage limits, but you may also create separate List Groups of unmetered content if your Policy configuration calls for it.
ProTip: You can add the
edu.audomains to the unmetered List Group to avoid metering Australian government and education web content.
Limiting bandwidth (download speed) is an effective way to ensure that every client gets a fair share of the available internet bandwidth, especially when high-speed broadband availability is limited.
To limit download speed, first choose a method:
Always limit — limits download speed regardless of quota or credit status.
Limit when data-depleted — only enforces the speed limit when users are over-quota (and have zero credit, if applicable).
Finally, set the maximum download speed each client is entitled to in kilobits per second.
Speed limits are applied to the total downstream bandwidth usage of each
client. For example, if a client is downloading two files with a
limit (64KB/s), each download should transfer at approximately 32 KB/s.
Unrestricted content uses the List Group system to define web content which may be downloaded at the maximum possible speed regardless of the enforced speed limit.
Getbusi recommends creating a single unrestricted content List Group and applying it to every Policy Set that enforces usage limits, but you may also create separate List Groups of unrestricted content if your Policy configuration calls for it.
ProTip: You can add the
edu.audomains to your unrestricted List Group to guarantee Australian government and education web content will always download at full speed.
Popular content aggregation vendors sometimes offer their own built-in content filtering options. This is mostly just for search engines, although some video streaming services are beginning to implement this as well.
Note from the development team: We try our best to keep up with these vendors' changes to their safe searching, however the vendors are continually improving and updating their products which can potentially interfere with these tools. For this reason the features are permanently tagged as beta.
Every popular search engine includes a safe searching option, most of which can be forced by rewriting their search URL queries.
LiveStream is able to force strict safe searching for the following search engines:
IMPORTANT: Google currently defaults most web searches to use encrypted SSL connections which prevent the proxies from parsing or rewriting the URLs. To remedy this situation Google have provided a DNS-based work-around which allows organisations to force unencryped searches.
If you want to enforce Google Safe Searching you must implement Option #3 of this work-around.
YouTube for Schools is an initiative that allows schools to provide access only to educational video material on youtube.com. This requires a YouTube for Schools account which includes a unique API key which LiveStream uses to enforce your schools YouTube for Schools restrictions.
For more information on setting up and managing YouTube for Schools visit: https://support.google.com/youtube/answer/2592715?hl=en