Troubleshooting Plato and Ironport

Was at a school on Wednesday that had trouble with Plato. Students could not pull up the assessments from the program, but teachers and IT could. The local tech ruled out permissions and was able to narrow the problem down to the Ironport firewall. That's when I walked in. The tech created a new Identity and Access Policy and used an IP address not currently associated with anything in the system. I sat at a workstation and logged in as an admin user and as a student alternately, as we tried to figure things out. With the IP settings wide open, I could go anywhere in Plato I wanted. We started locking things down. I would wait for the tech to make a change, then kill IE and try to get it. The first set of changes allowed me through. We made more changes. Log off/Log on, got through. We did this for a couple hours as we enable each of the settings already in the Student Access Policy. In every case, I was able to get through as a student. Something wasn't right here. At 11 o'clock, Cisco called and we got into a WebEx with them for troubleshooting. On a different machine, Cisco captured packets during a session where the system would not allow a student to take assessments. Then, I suggested we capture packets from a session using the admin account since that WOULD work. Cisco agreed. They said they would look at the data and get back to the tech. After lunch, we thought we had a solution: Windows 7 and IE9. The machine I was using to test had those. The machines in the lab have XP and IE7. We upgraded to IE8 and that did not fix it. We took a couple netbooks with Win7/IE9 and they didn't work either! UGH! Back to the drawing board. Then, as we were talking, the conversation came up about session cookies and the filter. I knew that was part of the key. you see, if the filter was using keys, then my key would still have been active on the test computer (where it worked). Sure enough, we logged in as a DIFFERENT student, and that account couldn't take assessments. Okay, now we were getting somewhere. After some more troubleshooting, we knew we would have to run the tests again. We also surmised that the cookies were being held for about 20 minutes. Surely we would not have to wait 20 minutes between tests, right? Right. Each USER got a cookie! So, the plan was to make a change, log in as a student. Test. If it did not work, make another change and log in as a DIFFERENT student then test. Repeat until it started working. (or vice versa. I think we started with the most open and worked our way to most restrictive in the plan). By the time we came up with the plan, it was 4:15pm and I had to head to the house. The tech and his assistant would work on it the next day (Thursday). I receive a text on Thursday mid-morning, letting me know that they had figured out the issue! The culprit? Bandwidth restrictions! Since the bandwidth was locked down for students, the program (java/flash based) couldn't run! Problem solved! Wahoo!