Chromebook or Chrome agent which is named NxAgent with v2.5.2.


Jinhee

Dec 31, 2014, 8:50:18 PM
to nxfil...@googlegroups.com
With v2.5.2 of NxFilter we support Chrome agent which is NxAgent for remote filtering and
single sign-on. This is the document I am working on about NxAgent.


-------------------------------------------------------------------------------------------------------------------------------------
NxAgent is the remote filtering agent for Chromebook and Chrome browsers. It also can
be used as a single sign-on agent in local network.


Installation of NxAgent

  NxAgent is basically a Chrome extension. You can install it from Chrome webstore. This
  is the link to where you can download NxAgent.

    https://chrome.google.com/webstore/detail/nxagent/gibapcjkdgdiamgdkbcpgaldogcoldgf


Connection to NxFilter

  After you install it you can see NxAgent on your extension setup panel of Chrome
  or 'chrome://extensions'.

  There is 'options' link under NxAgent icon. When you click it you will get
  NxAgent setup page. You need to setup these parameters for NxFilter connection.

    - Server IP : The IP address of your NxFilter.

    - Login server IP : This is a local network IP address of NxFilter for single sign-on.

    - Login token : A login-token associated to a user on NxFilter.

  Once you setup these parameters you can test the connectivity using 'Test'
  button. And then use 'Save' button to save and reload the new configuration.

  * Every user on NxFilter has an associated login-token which can be used for
  identifying users with the agents of NxFilter. This login-token can be found on
  user edit page on NxFilter GUI.


Password protection of your setup

  You can protect your NxAgent setup by having password login procedure. Once you setup
  a password and enable it, users will be blocked from accessing NxAgent setup page
  and 'chrome://extensions' that is the URL of Chrome extension panel.

  * You can use your admin password from NxFilter once its connection to server is
  established.


Signal of NxClient

  Like NxClient, NxAgent also sends some signals when it's on remote network to help
  you to find out whether a user is using Chrome or not. It sends 'START' and 'PING'
  signals.


User identification

  When you setup NxAgent using a login-token it will appear on NxFilter side with
  the username to which the login-token is associated. So if you want to setup 10 NxAgent
  the simplest way would be creating 10 users and associating each NxAgent to a different
  user. But if there are 1,000 users it could be very confusing.

  So we use Google account to differentiate users while using one common login-token
  for everybody. Suppose you create a user named 'chrome' and setup 1,000 NxAgent
  with the login-token associated to 'chrome'. If these users don't login to Chrome
  they will appear on NxFilter side as 'chrome' but if one of them logs in to Chrome
  using 'john...@gmail.com' for example then he/she will appear as 'chrome_john1234'
  on NxFilter log-view.


Single sign-on

  On local network we want to have single sign-on for every device. If it's a Windows
  PC it's possible as we have several Active Directory integration methods. Even if
  it's a Macbook and OpenLdap it is still possible as we have NxClient for that. But
  with Chromebook or Chrome on other device it's a bit different as they are using Google
  account for login.

  However what if we can use this Google account for single sign-on? Suppose there
  is an Active Directory user named 'john1234' and you gave him a Chromebook which can
  be logged in using 'john...@gmail.com' then it might be possible to associate these
  2 usernames based on the common part which is 'john1234'. And that's the rule we are
  using for implementing single sign-on for Chromebook and Chrome browser in local
  network.

  So when NxAgent starts it first tries to see if there's 'login server IP' defined for
  it. If there's a login server it tries to create a login-session on that login server
  that is your local NxFilter using the username part of Google account which is currently
  logged on to Chrome. But if there's no logged on user on Chrome or if there's no
  corresponding user on NxFilter it will create login session based on login-token.

Jinhee

Jan 1, 2015, 9:29:09 PM
to nxfil...@googlegroups.com
Hi Ashley,

Thanks for the offer. I will think about moving after I finish several things. I need to work on new blacklist option for now.

Jinhee

Ashley Primo

Jan 2, 2015, 2:59:10 PM
to nxfil...@googlegroups.com
No problem, if you change your mind let me know. Offer is always open :D

P.S. Could you check your support email? I sent an email regarding Zvelo cloud DB - License which I paid for. I sent the email to sup...@nxfilter.org

Jinhee

Jan 2, 2015, 8:47:16 PM
to nxfil...@googlegroups.com
Sorry, there's no email from you in my mailbox yet. Can you send it again?

Ashley Primo

Jan 3, 2015, 6:28:49 AM
to nxfil...@googlegroups.com
Hello,

I sent  again using a different email :D

Keln Taylor

Jan 6, 2015, 3:28:22 PM
to nxfil...@googlegroups.com
I have updated to 2.5.2 and have installed the Chrome extension on a Chromebook and my Windows 7 workstation.  When I fill out my server info and click the test button, I get an error:

Connection Error! - 10.2.10.50

The IP is the correct address of my working NXFilter.  

any ideas?

Keln Taylor

Jan 6, 2015, 4:25:30 PM
to nxfil...@googlegroups.com
BTW I don't think that configuring 1,000 chromebooks manually like this is going to be a great long-term solution. 

In order for it to work, I think we are going to need to be able to push the configuration remotely.  Maybe you could have the extension look up the server via DNS like with "login.example.com."  Also are the tokens necessary? Can't the extension just pass the Chromebook IP and username to the filter?

BTW you should be able to get the email address with the Chrome Identity API. I think the call is: chrome.identity.getProfileUserInfo

Also I can already push out Chromebook extensions automatically via the Google Admin Console that most schools purchase licenses to when they buy Chromebooks.


thanks,
Keln

Jinhee

Jan 6, 2015, 5:51:15 PM
to nxfil...@googlegroups.com
If you try to access this URL on your browser what do you get?

  http://10.2.10.50/wsh

We use WebSocket for the communication between NxFilter and NxAgent.
If you get some protocol error message from that URL it's fine.
But if you get redirected to admin page then there's something wrong.

If it's OK and you still can't connect it you'd need to run it on debug mode.
In /conf/log4j.properties file change INFO to DEBUG.
And restart NxFilter then whenever your NxAgent tries to talk to NxFilter
you will see some message for that.

Jinhee

Jan 6, 2015, 6:05:24 PM
to nxfil...@googlegroups.com
We are already using chrome.identity.getProfileUserInfo to get user info. But even if we get the info
you still need to create corresponding username on NxFilter. That's something different from NxLogon
or NxClient. There's no AD integration or LDAP integration.

So that's why we need login-token. However I can use 'block.nxfilter.org' domain to find out NxFilter
and have some common login-token for Chrome users. This is an old way I tried with NxLogon but
at the time there were several problems. One is DNS cache problem but it might be OK with Chrome.

The other one is that what if someone set some fake DNS record for 'block.nxfilter.org'. Almost not
possible but could be. If I can access system info freely I can solve this kind of problem easily but
with Chrome it's not that easy.

Anyway we can try that. I can add 'chrome_token' option to cfg.properties and if it works we can add
it on 'Policy > proxy'. But we need to solve your connection problem first.

Jinhee

Jan 6, 2015, 6:31:33 PM
to nxfil...@googlegroups.com
When you push an extension to Chromebooks, is there any way to push its settings?
That will make things a lot easier.

Jinhee

Jan 7, 2015, 1:30:26 AM
to nxfil...@googlegroups.com
What's the typical situation when you use Chromebook for your students? Are they using it in school only or you want to filter and monitor them off site that is at home as well? I can make it working without setting up IP and token in local network but you'd need to setup individual login-token for each Chromebook if you want to identify them over Internet.

Keln Taylor

Jan 7, 2015, 9:18:37 AM
to nxfil...@googlegroups.com
This morning I realized I hadn't upgraded Rob's GUI to mod to 1.3 to support NxFilter 2.5.2.  I upgraded it and restarted NXD.   Things appear to be working now.  I'm not sure if it was really related to Rob's GUI or not.  It may have just needed the restart. (Although I thought that I had restarted yesterday.)

I will continue my testing on a few Chromebooks.  thanks.

Respectfully, 
Keln Taylor
Network Administrator
Pea Ridge Schools


--
You received this message because you are subscribed to a topic in the Google Groups "NxFilter" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/nxfilter200/TPkT1gKxz4Q/unsubscribe.
To unsubscribe from this group and all its topics, send an email to nxfilter200...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Keln Taylor

Jan 7, 2015, 9:21:00 AM
to nxfil...@googlegroups.com
Not that I know of.  I can only push out what Google lets me. :)  I have seen extension authors configure extensions through a web page or via DHCP.

Respectfully, 
Keln Taylor
Network Administrator
Pea Ridge Schools


On Tue, Jan 6, 2015 at 5:31 PM, Jinhee <nxfil...@gmail.com> wrote:
When you push an extension to Chromebooks, is there any way to push its settings?
That will make things a lot easier.

--

Keln Taylor

Jan 7, 2015, 9:31:01 AM
to nxfil...@googlegroups.com
Our school does not currently allow Chromebooks to go home with students.  Students do not have assigned Chromebooks. We have carts of Chromebooks in each class and students will randomly pull a Chromebook out of the cart in a classroom.

Students have to login to a Chromebook with their Google credentials in order to use the device.


We are an active directory environment, but our user credentials are synced one-way to Google.

For example: 

Student name: Mickey Mouse
AD Account: mickeymouse


He can log into Windows computers with his AD account or his email address.

He can log into Google with his email address.

His password is synced from AD to Google, so his password is the same on any device.

Respectfully, 
Keln Taylor
Network Administrator
Pea Ridge Schools


On Wed, Jan 7, 2015 at 12:30 AM, Jinhee <nxfil...@gmail.com> wrote:
What's the typical situation when you use Chromebook for your students? Are they using it in school only or you want to filter and monitor them off site that is at home as well? I can make it working without setting up IP and token in local network but you'd need to setup individual login-token for each Chromebook if you want to identify them over Internet.

--

Jinhee

Jan 7, 2015, 8:36:02 PM
to nxfil...@googlegroups.com
Rob's GUI v1.3 has the mapping for WebSocket but older version doesn't. That was the problem.

Your explanation of how to use Chromebook in your school helped me a lot. But how did you
create all these AD accounts for students? I mean is there some kind of auto-synch method
between AD and Google accounts?

With current version you still can have single sign-on if you import AD accounts on NxFilter
and your users login to their Chromebook using synchronized Google account. I explained the
method above actually.

The only problem is that we don't want to setup 1,000 Chromebook. I will remove login-server.
And you don't need to setup anything if it's on local network. You might need to create
a default user for Chrome agent which is 'chrome' but in your case it's not necessary as
you have AD synch already.

I am testing new ones.

Keln Taylor

Jan 7, 2015, 10:20:07 PM
to nxfil...@googlegroups.com
Google provides a sync tool. http://www.google.com/support/enterprise/static/gapps/docs/admin/en/gads/admin/intro_about.html

What you describe sounds great.

I look forward to testing it.


Jinhee

Jan 9, 2015, 1:08:55 AM
to nxfil...@googlegroups.com
Just updated NxFilter and NxAgent. This is new tutorial for NxAgent.

  http://www.nxfilter.org/tutorial.html#agent_nxagent

Now login-server has gone. In your environment just installing NxAgent would
achieve single sign-on. And if you setup server-ip and login-token you can do
remote user filtering as well. Though you don't need it.

The only possible problem is that since we're using 'block.nxfilter.org' as a
pre-defined domain to find local NxFilter there might be some kind of cache
problem. If it's on Windows once you can't resolve hostname then it keeps it
in the cache for some time. But in normal situation you use NxFilter as the
DNS server so this kind of thing will not happen and it might be OK with
Chromebook even if you use another DNS server.

While I am talking I realized that there's one more possibility. Switching
remote filtering from local filtering on Windows. Then it doesn't resolve
'block.nxfilter.org' but it still gets filtered with remote filtering and doesn't
matter if you use NxClient.

Anyway let me know how it works.

Jinhee

Jan 9, 2015, 1:21:53 AM
to nxfil...@googlegroups.com
Just tested with my Chromebook. There's one more thing to consider for having single sign-on.
You'd need to bypass authentication for some google domains. Otherwise OAuth api will not work.
Hence there's no username. I just bypassed *.google.com and it works for me. But I think this is
no good. Maybe I need to introduce some default user for Chrome agent.

Jinhee

Jan 9, 2015, 1:34:28 AM
to nxfil...@googlegroups.com
Maybe it was www.googleapis.com. I tested with this domain bypassed authentication and it seems working.

Jinhee

Jan 9, 2015, 5:18:17 AM
to nxfil...@googlegroups.com
There were some unexpected problems as usual but I made it working anyway. I opened another
thread for new versions.

  https://groups.google.com/forum/?fromgroups=&hl=en#!topic/nxfilter200/iZT0o1NVwaQ

Keln Taylor

Jan 9, 2015, 7:46:40 AM
to nxfil...@googlegroups.com
I look forward to testing it out next week!!

Sent from my iPhone
--

Keln Taylor

Feb 19, 2015, 11:02:16 AM
to nxfil...@googlegroups.com
Jinhee,

I would like to update you on my testing progress.  I have done a little testing with a couple accounts and it seems to be authenticating properly.  However, I am unable to test with a larger number of users.   I am able to forcibly install your Chromebook extension via my Google Admin Console, but I haven't figured out a way to forcibly accept the permissions that the extension needs to run for each user.  
The user has to accept the two permissions before it will work.  The two permissions are "Know who you are Google" and "View your email address."

Until I can figure out a way to forcibly accept the permissions, I won't be able to mass deploy the extension.  :(


Keln


On Friday, January 9, 2015 at 6:46:40 AM UTC-6, Keln Taylor wrote:
I look forward to testing it out next week!!

Sent from my iPhone

On Jan 9, 2015, at 4:18 AM, Jinhee <nxfil...@gmail.com> wrote:

There were some unexpected problems as usual but I made it working anyway. I opened another
thread for new versions.

  https://groups.google.com/forum/?fromgroups=&hl=en#!topic/nxfilter200/iZT0o1NVwaQ


Jinhee

Feb 19, 2015, 8:05:06 PM
to nxfil...@googlegroups.com
Yeah, that might be the problem. If they don't confirm it they just go through authentication as you need to set IP range user for oauth working.
And this oauth module require user consent. Something absurd. Maybe using login-page is the best shot at the moment unless Google has
something like trusted extension from your admin console.

Jinhee

Feb 20, 2015, 6:09:23 AM
to nxfil...@googlegroups.com
We can make it blocking all the webpages if there's no credential we can get. Means if they don't confirm it they can't use Internet and will see your block-page. However I am not sure if this is the right choice. Could be annoying. Maybe I can make it optional on Policy > proxy.


Joseph Macchia

Jul 10, 2015, 12:45:48 AM
to nxfil...@googlegroups.com
Jinhee,

A few ideas?
  • Wondering if you request identity.email in the manifest, if you could eliminate oAuth altogether? I used this method in a history logging extension, and it works without issue.
  • Could the token in nxFilter actually be mapped from an AD field and be the full google username?
  • These few things would allow schools to install remotely with the need for end-user interaction.
If possible I would like to modify your extension and implement/experiment with these ideas. Is the deobfuscated code available anywhere? It would purely stay in-house within my school district.

We got nxFilter up and running today, and would love to make it our filter for approximately 2000 Chromebooks that our students take home every evening.

Additionally, I am receiving the following error while testing:
DEBUG [2015/07/09 23:43:53] nx_lookup for ping.signal.nxfilter.org, 127.100.100.100
WebSocket connection to 'ws://block.nxfilter.org/wsh' failed: Error in connection establishment: net::ERR_NAME_NOT_RESOLVED
INFO [2015/07/09 23:43:54] send_uname, We're on remote network.

Thanks for this awesome product!
Joe

Jinhee

Jul 10, 2015, 4:50:23 AM
to nxfil...@googlegroups.com
Can you explain your idea of 'identity.email'? So we can remove the need of OAuth and not asking anything from users? Right? I will make some research on that.

And the second one. You want to setup AD username or Google email instead of login-token directly in the config?

The error is not an error actually. I am just testing if we are in local network or remote network. Idea is simple. If it can resolve 'block.nxfilter.org' then it uses
NxFilter as its DNS server. Means it's on local network. When it's on local network it tries to login using Google email it acquires from oAuth. That's why
we use oAuth. If you have the same username on NxFilter side then you get the single sign-on. And the username could come from AD. That's AD
integration concept for NxBlock. You don't need to setup each AD username.

If there's a possible way of getting Google email then I will do that.

Joseph Macchia

Jul 10, 2015, 7:30:39 AM
to nxfil...@googlegroups.com
chrome.identity.getProfileUserInfo(function callback)

string email

"An email address for the user account signed into the current profile.
Empty if the user is not signed in or the identity.email manifest
permission is not specified."

https://developer.chrome.com/extensions/identity

If this was implemented, the SSO would work off network.

However, we would still need a way to hardcode the address of our school
instance of nxfilter to eliminate the need for interaction and setup of
each Chromebook individually.

Hope this helps.

Thanks,
Joe

Jinhee

Jul 10, 2015, 9:26:27 PM
to nxfil...@googlegroups.com
That's actually what we are using. On manifest.json,

  "permissions": [
    "*://*/*",
    "tabs",
    "storage",
    "webRequest",
    "webNavigation",
    "webRequestBlocking",
    "identity"
  ],
  "oauth2": {
    "client_id": "1028893436325-cedfuks5psuf4ob7a0ps220udhqcm5d4.apps.googleusercontent.com",
    "scopes": [
      "https://www.googleapis.com/auth/userinfo.email"
    ]  
  },

And on our source code,

    //-----------------------------------------------
    chrome.identity.getAuthToken({interactive: true},
        function(auth_token){
            if(chrome.runtime.lastError){
                log.error(chrome.runtime.lastError.message);
                return;
            }

            var x = new XMLHttpRequest();
            x.open("GET", "https://www.googleapis.com/oauth2/v1/userinfo?alt=json&access_token=" + auth_token, true);

            x.onload = function(){
                var user = JSON.parse(x.response);
                g_uname = user.email.replace(/@.*$/, "");

                // Refresh username.
                send_uname();
            };
            x.send();
        }
    );

And then you get the permission request for accessing user info from Chrome. I guess it's
understandable. If I were the Google guy I would make it that way. Any extension or app needs
to get approved by users for accessing their personal info. So I thought it was inevitable
and I couldn't find a way of bypassing it. Actually I didn't try even. If you find a way of bypassing
they will block it as it's against their security policy.

But you're saying that it's possible maybe there's a reason. Or it might have been allowed
when it's on development domain. I mean before officially added into Chrome.

I have spent a lot of time and effort at the time to build NxBlock. But I stopped its development.
Actually if we can solve oAuth problem there's nothing to be added. And the current AD integration
method is way easier than setting up each client with AD username. We also use the same method
with NxClient so it's also good to have some uniformity.

When I started working on NxBlock the main target was not Chromebook. It was iPhone and Android.
On Android Chrome doesn't support extension and on iPhone I don't know if it works as I don't have
iPhone. But if we can have a remote filtering client working on Android and Chromebook and iPhone
with the same source code that'd be great. I don't want to spend too much time for developing clients
for each OS. I think Android version of Chrome will support extension eventually.

However there's some problem with this extension way. Especially when you try to filter your users
when they are away. They can kill the process on Chrome's tasklist. You can force them to use it
on local network if it works as a single sign-on agent but not on remote network. So your plan
for filtering kids when they are home with their Chromebook has some problem. But I guess you can
kill anything on Chrome tasklist and we don't have any other option when it comes to Chromebook.
So you can use it anyway or find a way of blocking kids using the tasklist. On iPhone and Android
it might be OK. On my Android phone I don't see Chrome tasklist.

And another problem is this oAuth permission request problem. All these things happening we play
by Google's rule and we try to do something they don't allow. The best thing would be having
some kind of concept like 'trusted app' which can be setup on Google admin console or some permission
level for users but it's their game.

Any suggestion would be welcome.

Jinhee

Joseph Macchia

Jul 10, 2015, 9:42:05 PM
to nxfil...@googlegroups.com
In addition to declaring "identity" you need to declare "identity.email" in the manifest. You can then retrieve logged in user without oAuth. With students using Chromebook, they are logged in, and with other restrictions available to deploy via the admin console.

Then you can get rid of the oAuth. This is being used in a production extension and is not in the dev api.

With your permission, I would like to attempt to modify some of the extension. Would this be possible? Anything, I develop, I would gladly contribute back to the project. What are your thoughts regarding this request?

Thanks,
Joe

Jinhee

Jul 10, 2015, 10:44:56 PM
to nxfil...@googlegroups.com
OK. Do you have a working code for that? So I fix my manifest.json like this,


  "permissions": [
    "*://*/*",
    "tabs",
    "storage",
    "webRequest",
    "webNavigation",
    "webRequestBlocking",
    "identity",
    "identity.email"
  ],

And on the source code? But we access oAuth URL?


    //-----------------------------------------------
    chrome.identity.getAuthToken({interactive: true},
        function(auth_token){
            if(chrome.runtime.lastError){
                log.error(chrome.runtime.lastError.message);
                return;
            }

            var x = new XMLHttpRequest();
            x.open("GET", "https://www.googleapis.com/oauth2/v1/userinfo?alt=json&access_token=" + auth_token, true);

            x.onload = function(){
                var user = JSON.parse(x.response);
                g_uname = user.email.replace(/@.*$/, "");

                // Refresh username.
                send_uname();
            };
            x.send();
        }
    );

You mean we can have this line without accessing oAuth URL?

                var user = JSON.parse(x.response);

Or we don't need to go through oAuth permission request even if we access oAuth URL?

About giving you the source code. I don't think that's an option at this point. There is something
needs to be hidden. Like communication between NxFilter and NxBlock..

Jinhee

Jul 11, 2015, 2:25:05 AM
to nxfil...@googlegroups.com
Was it about this one?

//-----------------------------------------------
chrome.identity.getProfileUserInfo(function(userInfo) {
    g_uname = userInfo.email.replace(/@.*$/, "");

    // Refresh username.
    send_uname();
});

I could get rid of oAuth actually. I will test it on my Chromebook.
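
The username derivation in the snippet above, hardened, as an added example that is not part of the thread or of NxAgent/NxBlock code: it handles the empty `email` that `getProfileUserInfo` returns when nobody is signed in or `identity.email` is not declared, and it pins the account domain before mapping the local part to a filter user, because the local part alone does not say which domain vouched for it. `ALLOWED_DOMAIN`, `deriveUsername`, `resolveIdentity` and the `onLocalNetwork` flag are hypothetical names, and combining the thread's single sign-on and `chrome_<name>` rules in one function is an assumption.

```javascript
// Added example: hypothetical helper names, not NxAgent/NxBlock source.

// Assumption: the organisation's Google domain, pinned at deployment time.
const ALLOWED_DOMAIN = "school.example";

// Accept only characters expected in a directory account name, so the value
// cannot be misread later by a log viewer or a policy lookup.
const USERNAME_RE = /^[a-z0-9][a-z0-9._-]{0,63}$/;

// Map the e-mail reported by chrome.identity.getProfileUserInfo to a filter
// username, or return null when it must not be used for single sign-on.
function deriveUsername(email, allowedDomain) {
  if (typeof email !== "string") return null;
  const trimmed = email.trim().toLowerCase();
  // Empty string: user not signed in, or "identity.email" missing in manifest.
  if (trimmed === "") return null;
  const at = trimmed.lastIndexOf("@");
  if (at <= 0 || at === trimmed.length - 1) return null;
  const local = trimmed.slice(0, at);
  const domain = trimmed.slice(at + 1);
  // 'john1234' at another domain is not the directory's 'john1234'.
  if (domain !== allowedDomain.toLowerCase()) return null;
  return USERNAME_RE.test(local) ? local : null;
}

// Decide what the agent reports to the filter.
//   tokenUser      - user the shared login-token belongs to, e.g. 'chrome'
//   onLocalNetwork - outcome of the agent's local/remote check (assumed input)
function resolveIdentity(email, tokenUser, onLocalNetwork, allowedDomain) {
  const uname = deriveUsername(email, allowedDomain);
  if (uname === null) {
    // No trustworthy account: fall back to the token's own user.
    return { mode: "token", name: tokenUser };
  }
  if (onLocalNetwork) {
    // Local network: sign on as the matching directory user.
    return { mode: "sso", name: uname };
  }
  // Remote network with a shared token: 'chrome_john1234' style name.
  return { mode: "token", name: tokenUser + "_" + uname };
}

// Wiring inside the extension; skipped when run outside Chrome.
if (typeof chrome !== "undefined" && chrome.identity) {
  chrome.identity.getProfileUserInfo(function (userInfo) {
    const id = resolveIdentity(userInfo.email, "chrome", true, ALLOWED_DOMAIN);
    console.log("identity:", id.mode, id.name);
  });
}
```
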

Jinhee

Jul 12, 2015, 1:03:35 AM
to nxfil...@googlegroups.com
Just updated NxBlock to v1.4. It works fine without asking any permission. Next time use the other thread. I created another one.

  https://groups.google.com/forum/?fromgroups=&hl=en#!topic/nxfilter200/asyt96R-Gwk