Internet Filtering (Lightspeed Systems): SSL filtering
Microsoft Windows Domain Schools
Reference: BTLS_LS_domain
Version: 2.4
Date: 31 July 2017
Owner(s): Ash Green / Colin Helliwell
In confidence

In strictest confidence
Reference: BTLS_LS_domain
Version: 2.4
Microsoft Windows Domain Schools
Version 2.4 July 2017
Page 2 of 23
1.4 Mozilla Firefox 6
1.6 Intended Audience 6
1.7 Administrative Rights 6
2.1 How do I make this work? 7
2.2 Testing 12
3.2 DNS configuration 16
3.3 Wireless devices 17
3.4 Faulty websites 18
4.1 GPO settings – detail 21
BT Lancashire Services Education Services SSL Filtering
Microsoft Windows Domain Schools
Version 2.4 July 2017
Page 3 of 23
Audience: These notes are intended to be used by your ICT technician, network manager or third party ICT support organisation
Executive summary
The purpose of this document is to assist schools in enabling SSL filtering.
This document details a tool designed to assist schools in the deployment of changes required to school
Microsoft Windows based computers that are part of a domain and not managed by an MDM tool.
Following the running of this tool, schools will be able to use their Lightspeed admin console reports
(at http://filter.education.btlsl.co.uk) to view the contents of secure searches run on their computers.
Additionally, Google and Bing search results will reflect your school's filtering policy.
These notes are for use by domain schools (those schools who have all their Windows computers
managed by a central Windows server), and cover the steps needed to prepare your Windows
computers for the Lightspeed SSL filtering facility.
This must not be run in a school which is not connected to the CLEO network.
This document is for Windows computers, tablets, laptops and servers only. Please see the other SSL
documentation on the BTLS website for enabling SSL filtering on different devices.
1.1 CLEO connection
This tool should only be run on Microsoft Windows based machines connected to the CLEO network.
If your school obtains its internet access from another provider, do not follow these notes.
1.2 Operating systems
These notes are designed to be used with the following operating systems:
Windows XP *
Windows Vista *
Windows 7
Windows 8
Windows 8.1
Windows 10
Server 2016
Although Windows XP and Vista have been tested, these are no longer supported by Microsoft or
BTLS. As such, BTLS will not support any issues relating to the implementation of these Group
Policies on those operating systems, and we recommend you upgrade or replace these operating
systems.
1.2.1 Windows XP
XP requires two files to be installed prior to using these Group Policies:
Microsoft .NET Framework 2.0 Service Pack 1.
Windows Management Framework (KB968930).
These can be located on the Microsoft download site at https://www.microsoft.com/en-gb/download. Schools obtaining updates from both BTLS and Microsoft should already have applied these automatically – any schools running their own Windows Software Update Service (WSUS) server should authorise these software updates or manually download them to individual computers.
Vista requires the Windows Management Framework to be installed (KB968930).
1.3 BTLS SSL filtering option
These notes relate to the secure search filtering option. This enables searches to common search
engines (Google/Bing/YouTube) to be decrypted when a secure search is conducted (a secure search
will begin with https:// rather than http://). As these searches can be decrypted, schools can use the
Lightspeed reporting functions to see what their students and staff have been searching for, and have
school policies applied. This patch can be run either before or after having this service enabled for the
school, but it cannot be tested successfully until the service has been enabled by BTLS.
All other search engines will be disabled as part of this change.
1.4 Mozilla Firefox
Firefox uses its own certificate store and proxy auto configuration (PAC) settings. A separate group policy for Firefox is available in the GPO pack we provide. This utilises an auto-config method, created by using the CCK2 plugin (https://mike.kaply.com). If schools wish to amend these settings, please follow the link for the associated documentation. BTLS cannot offer support on the CCK2 plugin.
1.5 Active Directory Domain
These notes and scripts are only to be used on Microsoft Windows computers that are part of a domain and not managed by a mobile device management system. Typically, if your staff and students each use unique usernames and passwords then you will have a domain.
1.6 Intended Audience
This change should be undertaken by your local ICT Technician, Network Manager or Third party ICT
support team.
You must have domain administrator rights. Without domain administrative rights these
reconfiguration steps will not function correctly.
2 Importing the settings
Please be aware the following instructions require reconfiguration steps to your domain controller and misconfiguration may cause your domain to experience issues or fail. These steps should only be conducted by someone with the appropriate skills. Please also ensure that you have a full WORKING backup, including the System State on the server which you reconfigure.
2.1 How do I make this work?
We have produced a set of Group policy objects which can be imported directly into your domain.
These Group Policy Objects should only be imported for use with operating systems listed in section
1.2 of this guide. We recommend that you pass these guidelines to your network manager, ICT
technician or third party support organisation to complete.
1. Log onto your domain server as a domain administrator and copy the Lightspeed GPO file from the BTLS website (https://education.btlancashire.co.uk/support/filtering.aspx) to your desktop. This single file will contain multiple Group Policy Objects.
2. Right-click the downloaded zip file and click extract all. Click extract to confirm extraction
directory (use the default).
4. Expand Group policy objects
5. Right-click Group Policy Objects and click "New"
6. Set the title of the GPO to be "Computers – Lightspeed SSL filtering" and click OK to save
7. Repeat steps 5 and 6, naming the new policy "Users – Lightspeed SSL filtering"
8. Right-click the "Computers – Lightspeed SSL filtering" policy and click "import settings"
9. Click Next on the Import Settings Wizard
10. As this is a newly created blank GPO, disregard the warning message and click Next on the Backup GPO tab.
11. Click browse and navigate to the folder which contains the files you extracted above.
Click next.
12. Select the "Computers – Lightspeed SSL filtering" GPO and click next.
14. Click Finish.
15. The policy is now imported. Click ok when finished.
16. Repeat steps 9-15 to import the backed up "Users – Lightspeed SSL filtering" policy into your new "Users – Lightspeed SSL filtering" policy.
17. If you do not use Firefox in your school, please skip to step 18.
If you do use Firefox, repeat the steps 9-15 to create a new "Computers – Firefox SSL" GPO. Import the backed up Firefox CCK2 template from the downloaded .zip file
18. Link the policies into your structure. This structure will differ for every site. If in doubt,
check in Active Directory Users and Computers to identify where computers and
users are managed in the domain's hierarchy.
For BTLS domains, the "computers – Lightspeed SSL filtering" should be linked to the allcomputers OU, and the "users – Lightspeed SSL filtering" should be linked to the alluser OU.
Link the "computers – Lightspeed SSL filtering" to the Domain Controllers OU
Link the "Users – Lightspeed SSL filtering" policy to the OU which contains your Administrators.
Do not link any other group policy objects, and do not remove any existing links.
19. If you have created GPOs for Firefox, then link them to the allcomputers OU (or your
equivalent)
20. In addition to the steps above, please check the other GPOs applied to the user, to check that:
a. There are no other proxy settings being applied.
b. The school homepage is not set to a site which is now blocked from use (e.g. yahoo.com).
You can either check each policy manually or via the Group Policy Modelling tool in the Group Policy Management console.
Follow this link for assistance with Group Policy Modeling: https://technet.microsoft.com/en-us/library/cc771389(v=ws.11).aspx
21. The main Active Directory Policy configuration is now complete. If you have not already updated your Rocket configuration, you should now do so (notes available on BTLS website).
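As an added example (not part of the BTLS guide or its GPO pack), the following PowerShell script performs steps 5 to 20 above from the domain server using the GroupPolicy and ActiveDirectory modules. It assumes the downloaded zip has been extracted to a folder on the administrator's desktop, that the backup names inside the pack match the GPO names used in this guide, and that the OUs follow the BTLS names given in step 18 (allcomputers, alluser); the Administrators OU name is a placeholder to adjust. The step 20 check is a plain text search of each other GPO's XML report for proxy-related settings, so it is a prompt for manual review in Group Policy Modelling, not a substitute for it.

```powershell
# Added example, not from the BTLS GPO pack. Run as a domain administrator on the domain server.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$BackupPath = Join-Path $env:USERPROFILE 'Desktop\Lightspeed GPO'   # assumed extraction folder
$DomainDN   = (Get-ADDomain).DistinguishedName

# GPOs to create and import, and the OUs each one is linked to (step 18).
# Adjust the OU names if your domain does not use the BTLS structure; the Administrators OU is a placeholder.
$Plan = @(
    @{ Name  = 'Computers – Lightspeed SSL filtering'
       Links = @("OU=allcomputers,$DomainDN", "OU=Domain Controllers,$DomainDN") },
    @{ Name  = 'Users – Lightspeed SSL filtering'
       Links = @("OU=alluser,$DomainDN", "OU=Administrators,$DomainDN") }
)

function Test-OUExists {
    param([string]$DistinguishedName)
    try { Get-ADOrganizationalUnit -Identity $DistinguishedName -ErrorAction Stop | Out-Null; $true }
    catch { $false }
}

foreach ($item in $Plan) {
    # Steps 5-7: create the blank GPO unless it already exists
    if (-not (Get-GPO -Name $item.Name -ErrorAction SilentlyContinue)) {
        New-GPO -Name $item.Name | Out-Null
    }

    # Steps 8-15: import the backed-up settings from the extracted folder into the new GPO
    Import-GPO -BackupGpoName $item.Name -Path $BackupPath -TargetName $item.Name | Out-Null

    # Step 18: link to each OU; an existing link to the same GPO is left alone, nothing else is touched
    foreach ($ou in $item.Links) {
        if (-not (Test-OUExists $ou)) {
            Write-Warning "OU '$ou' not found; link '$($item.Name)' manually"
            continue
        }
        $alreadyLinked = (Get-GPInheritance -Target $ou).GpoLinks | Where-Object { $_.DisplayName -eq $item.Name }
        if (-not $alreadyLinked) { New-GPLink -Name $item.Name -Target $ou | Out-Null }
    }
}

# Step 20: flag every other GPO whose settings report mentions proxy settings so it can be
# reviewed in Group Policy Modelling. This is a text search of the XML report, not a full parse.
Get-GPO -All | Where-Object { $_.DisplayName -notlike '*Lightspeed*' } | ForEach-Object {
    $report = Get-GPOReport -Guid $_.Id -ReportType Xml
    if ($report -match 'AutoConfigURL|ProxyServer|ProxyEnable|Proxy Settings') {
        Write-Warning "GPO '$($_.DisplayName)' also contains proxy settings: review it before proceeding"
    }
}
```

The script is written to be re-runnable: an existing GPO is re-imported rather than duplicated, and an existing link is skipped, which matters because step 18 says not to remove any existing links.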
2.2 Testing
After reconfiguration, schools should test devices to ensure that the SSL filtering is working correctly.
Please follow the steps below:
On the device to be tested, open a web browser and navigate to http://images.google.com.
… will have a blue cross image. These blue crosses represent results from blocked websites.
… all images will be returned. Please check the configuration on this device.
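Before the browser test above, it is useful to confirm on the client that the settings the GPOs make (the certificate, the auto-configuration URL and the PAC caching setting described in section 4) have actually arrived. The following script is an added example, not part of the BTLS guide: it is run on a domain-joined client by a user who has logged on since the policies were linked. The certificate subject text and the registry value name behind the PAC caching policy are assumptions; take the real values from the GPO settings in section 4.1.

```powershell
# Added example, not from the BTLS guide. Run on a client as the user being tested.
$CertSubjectHint = 'Lightspeed'   # assumed: text found in the subject of the certificate the Computers GPO installs
$results = [ordered]@{}

# 1. Were the two Lightspeed GPOs applied to this computer and this user? (reads gpresult's text output)
$userGpos     = (gpresult /r /scope:user)     -join "`n"
$computerGpos = (gpresult /r /scope:computer) -join "`n"
$results['Users GPO applied']     = $userGpos     -match 'Users – Lightspeed SSL filtering'
$results['Computers GPO applied'] = $computerGpos -match 'Computers – Lightspeed SSL filtering'

# 2. The filtering certificate should be in the machine's Trusted Root store and within its validity period
$now  = Get-Date
$cert = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -like "*$CertSubjectHint*" }
$results['Certificate installed'] = [bool]$cert
$results['Certificate in date']   = [bool]($cert | Where-Object { $_.NotBefore -lt $now -and $_.NotAfter -gt $now })

# 3. The Users GPO sets the auto-configuration (PAC) URL; check the policy key first, then the user key
$ieKeys = 'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings',
          'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$pacUrl = foreach ($key in $ieKeys) {
    (Get-ItemProperty -Path $key -Name AutoConfigURL -ErrorAction SilentlyContinue).AutoConfigURL
}
$pacUrl = $pacUrl | Where-Object { $_ } | Select-Object -First 1
$results['PAC URL set'] = [bool]$pacUrl

# 4. The PAC file should be reachable from this client and contain a FindProxyForURL function
if ($pacUrl) {
    try {
        $pac = Invoke-WebRequest -Uri $pacUrl -UseBasicParsing -TimeoutSec 10
        $results['PAC reachable']          = ($pac.StatusCode -eq 200)
        $results['PAC has FindProxyForURL'] = ($pac.Content -match 'FindProxyForURL')
    } catch {
        $results['PAC reachable'] = $false
    }
}

# 5. The Users GPO disables auto-proxy result caching (0) until the follow-up step in section 2.3 sets it to 1.
# EnableAutoProxyResultCache is the assumed value behind the "Disable caching of Auto-Proxy scripts" policy.
$cache = (Get-ItemProperty -Path $ieKeys[0] -Name EnableAutoProxyResultCache -ErrorAction SilentlyContinue).EnableAutoProxyResultCache
$results['PAC cache disabled (0)'] = ($cache -eq 0)

# Summary table: every line should read True before the images.google.com test is attempted
$results.GetEnumerator() | ForEach-Object { '{0,-28} {1}' -f $_.Key, $_.Value }
```

If the GPO lines are False, the usual causes are the DNS and wireless problems covered in sections 3.2 and 3.3; if the certificate line is False while the Computers GPO shows as applied, the machine has not rebooted since the policy was linked.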
2.3 Follow-up actions
Due to the nature of PAC files being automatically cached by Internet Explorer, one of the settings which these GPOs make is to disable this caching – thus forcing a refresh of the PAC contents (required to enable the SSL service). Due to this, an additional configuration step is required to re-enable the PAC caching. Please complete the following steps to enable proxy caching two weeks after the main configuration steps are completed and when you are sure all users and machines have logged in at least once. Follow the steps in the following table to complete this:
… the Group Policy Management Console and right-click and edit the "Users – Lightspeed SSL filtering" policy.
Navigate to: User configuration > …
In the Value data box, replace the 0 with a 1. Click Apply followed by OK, then close the Group Policy editor.
3.2 DNS configuration
If DNS contains entries for non-existent domain servers, devices can have trouble resolving the
domain and hence can delay or fail to apply the group policies. If you are finding that policies do not
seem to be applying correctly, DNS will need examining and some items may need to be reconfigured.
BTLS have developed a tool which will check your DNS configuration and advise of any entries for
servers with Active Directory roles which are no longer responding. This only works on Server 2012
R2 servers – schools with Server 2008 R2 servers will need to perform this test manually. The tool can
be downloaded from the BTLS website.
Please be aware these are high-risk steps, and an incorrect action may render your whole network unusable. The tool makes no changes to your system and any changes you make are at your own risk. BTLS cannot accept any responsibility for any changes you make to your DNS configuration.
3.2.1 Check DNS via BTLS DNS check tool
1. Download the tool to your domain server from the BTLS website, whilst being logged in as an …
… all the forward DNS zones found on this server.
… a zone named …
… zone and press enter …
… and list all server entries. Correct entries are in … cannot be contacted and so need investigation.
The tool does not make any changes to DNS. By using the results returned by the tool, a technician
with the appropriate skills may identify the correct DNS zone and investigate the entries which have
shown as red text. In order for DNS to function correctly, there should be no entries for non-
responsive servers within DNS.
3.2.2 Manually check DNS:
1. On the faulty client, open a command prompt and run nslookup FQDN (where FQDN is the
fully qualified domain name for your network). Examine the addresses that are returned.
These are the DNS servers that DNS believes exist. If some of these are incorrect then DNS
resolution will likely be intermittently failing. This needs to be rectified, but should only be
attempted by a technician with experience of configuring DNS. Deleting incorrect records
can result in a broken domain, meaning that users cannot logon.
2. On your primary DNS server, check within the Forward Lookup Zone for your domain that the
only DNS servers logged as name servers are ones which exist. You may find that you need to
run DNS scavenging on the DNS server, as well as restarting the DNS service. Ensure that only
active name servers are registered under the name servers tab on the forward lookup zone
properties.
3. Ensure that any secondary DNS servers are set up correctly, and that Zone Transfers are
permitted between servers.
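The manual check in 3.2.2 can be scripted so that, like the BTLS tool in 3.2.1, it lists the name servers DNS believes exist and shows in red the ones that no longer answer. The script below is an added example, not the BTLS tool: part 1 runs on any domain-joined Windows 8/Server 2012 or later client using Resolve-DnsName (the equivalent of nslookup FQDN), part 2 runs on the DNS server and reads the Name Servers of the forward lookup zone via the DnsServer module. It makes no changes to DNS; which entries to remove remains the technician's decision.

```powershell
# Added example, not the BTLS DNS check tool. Read-only: it queries DNS and reports, nothing more.
$Domain = $env:USERDNSDOMAIN   # the FQDN of the network, e.g. school.local (taken from the logged-on session)

function Test-NameServer {
    # A name server counts as responding if it answers an SOA query for the domain directly (-DnsOnly
    # bypasses the local cache and hosts file, so a stale cached answer cannot mask a dead server)
    param([string]$Server)
    try {
        $null = Resolve-DnsName -Name $Domain -Type SOA -Server $Server -DnsOnly -ErrorAction Stop
        $true
    } catch { $false }
}

function Show-Entry {
    param([string]$Label, [string]$Entry, [bool]$Alive)
    if ($Alive) { Write-Host ("  OK        {0} ({1})" -f $Entry, $Label) -ForegroundColor Green }
    else        { Write-Host ("  NO REPLY  {0} ({1})  <- investigate" -f $Entry, $Label) -ForegroundColor Red }
}

# Part 1 (any client): the name servers and addresses DNS returns for the domain itself
Write-Host "Checking DNS entries for $Domain"
$nsHosts = Resolve-DnsName -Name $Domain -Type NS -DnsOnly -ErrorAction Stop |
           Where-Object { $_.Type -eq 'NS' } | Select-Object -ExpandProperty NameHost
foreach ($ns in $nsHosts) { Show-Entry -Label 'NS record' -Entry $ns -Alive (Test-NameServer $ns) }

# These are the addresses 'nslookup FQDN' prints: one per domain controller that DNS thinks exists
$addresses = Resolve-DnsName -Name $Domain -Type A -DnsOnly -ErrorAction Stop |
             Where-Object { $_.Type -eq 'A' } | Select-Object -ExpandProperty IPAddress
foreach ($ip in $addresses) { Show-Entry -Label 'A record / nslookup FQDN' -Entry $ip -Alive (Test-NameServer $ip) }

# Part 2 (on the DNS server only): the Name Servers tab of the forward lookup zone, read from the zone itself
if (Get-Module -ListAvailable -Name DnsServer) {
    Import-Module DnsServer
    Get-DnsServerResourceRecord -ZoneName $Domain -RRType NS |
        Where-Object { $_.HostName -eq '@' } |   # records at the zone apex, not delegations
        ForEach-Object {
            $server = $_.RecordData.NameServer.TrimEnd('.')
            Show-Entry -Label 'zone Name Servers tab' -Entry $server -Alive (Test-NameServer $server)
        }
} else {
    Write-Host "DnsServer module not present: run part 2 on the DNS server (Server 2012 R2 or later)"
}
```

A red line for a server that has been decommissioned is the stale entry the text above describes; a red line for a server that still exists usually points at a firewall or service problem on that server rather than at DNS, so check it before deleting anything.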
3.3 Wireless devices
If you are finding that the certificates are not deploying to wirelessly connected devices (and that user
settings may not be applied) then you may need to tell devices to wait for the network before starting
up.
… target machines reside, and naming it "Computers – Wait …
… at computer startup and confirm.
… Object.
3.4 Faulty websites
Some schools have experienced issues with some websites not displaying correctly following the transfer to the SSL filtering system. These have related to the incorrect detection of zone by Internet Explorer; parts of the website have been detected as in the "Intranet Zone" rather than the "Internet Zone". Examples of sites presenting with such issues are "Teachers 2 Parents" and "Mymaths".
If your school experiences similar issues, please follow the steps below. The steps below use the
www.mymaths.co.uk website as an example site:
… Unit (OU) containing the user accounts. Right-click the OU name and click "Create a GPO in this domain, and Link it here…"
Name the policy "Users – Lightspeed Intranet Zone settings" and click OK.
Right-click the new GPO and click edit.
Navigate to User configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page
Open each of the following policies and set them to Enabled:
• Intranet sites: Include all local (intranet) sites not listed in other zones
• Intranet sites: Include all network paths (UNCs)
Open each of the following policies and set them to Disabled:
• Intranet sites: Include all sites that bypass the proxy server
• Turn on automatic detection of intranet
Open the "site to zone assignment list" policy, click Enabled and click "show".
In the Value name box, enter the name of the faulty website without http://, https:// or any subfolders (e.g. www.mymaths.co.uk, not http://www.mymaths.co.uk/a/res/1.html). Enter a value of 3 in the Value box. Repeat for any other faulty websites. Click OK to close the Show Contents box, OK to close the Site to Zone Assignment List and then close the Group Policy editor.
After completing these steps, reboot a computer which has been experiencing problems with this website, log in and try the website again. As this remedy is through a GPO, it may take up to 15 mins for the setting to be applied on the computer.
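For schools that prefer to script the two remedial GPOs, the following is an added example (not from the BTLS guide) that builds the "Users – Lightspeed Intranet Zone settings" GPO of section 3.4 and the "wait for network" computer GPO of section 3.3 with the GroupPolicy module instead of the editor. The registry keys and value names behind each administrative template policy (ZoneMap, ZoneMapKey, ListBox_Support_ZoneMapKey, SyncForegroundPolicy) are assumptions from the Internet Explorer and Winlogon templates and should be confirmed by opening the resulting GPO in the editor; the OU names follow the BTLS structure and the name of the wait-for-network GPO is assumed, as this guide only gives its beginning.

```powershell
# Added example, not from the BTLS guide. Run as a domain administrator on the domain server.
Import-Module GroupPolicy

$DomainDN    = 'DC=' + (($env:USERDNSDOMAIN -split '\.') -join ',DC=')
$UserOU      = "OU=alluser,$DomainDN"        # OU containing the user accounts (BTLS name; adjust)
$ComputerOU  = "OU=allcomputers,$DomainDN"   # OU where the target computers reside (adjust)
$FaultySites = @('www.mymaths.co.uk')        # host names only, as in section 3.4: no scheme, no path

function New-LinkedGpo {
    # Create the GPO if it does not exist and link it to the OU (an existing link is left as it is)
    param([string]$Name, [string]$Target)
    $gpo = Get-GPO -Name $Name -ErrorAction SilentlyContinue
    if (-not $gpo) { $gpo = New-GPO -Name $Name }
    New-GPLink -Name $Name -Target $Target -ErrorAction SilentlyContinue | Out-Null
    $gpo
}

# --- Section 3.4: stop Internet Explorer treating parts of external sites as Intranet zone ---
$zoneGpo = New-LinkedGpo -Name 'Users – Lightspeed Intranet Zone settings' -Target $UserOU
$ie = 'HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'

# The four "Intranet sites" policies from the Security Page (assumed ZoneMap value names)
$zoneMap = @{
    IntranetName  = 1   # Enabled:  include all local (intranet) sites not listed in other zones
    UNCAsIntranet = 1   # Enabled:  include all network paths (UNCs)
    ProxyByPass   = 0   # Disabled: include all sites that bypass the proxy server
    AutoDetect    = 0   # Disabled: turn on automatic detection of the intranet
}
foreach ($entry in $zoneMap.GetEnumerator()) {
    Set-GPRegistryValue -Name $zoneGpo.DisplayName -Key "$ie\ZoneMap" `
        -ValueName $entry.Key -Type DWord -Value $entry.Value | Out-Null
}

# "Site to Zone Assignment List": each faulty host maps to zone 3 (Internet). The policy stores the list
# under ZoneMapKey and marks the list as policy-managed with ListBox_Support_ZoneMapKey (assumed names).
Set-GPRegistryValue -Name $zoneGpo.DisplayName -Key $ie -ValueName 'ListBox_Support_ZoneMapKey' -Type DWord -Value 1 | Out-Null
foreach ($site in $FaultySites) {
    # Guard against the mistake the guide warns about: entering a URL or a subfolder instead of the host name
    if ($site -match '^[a-z]+://|/') { throw "Enter the host name only, not a URL or path: $site" }
    Set-GPRegistryValue -Name $zoneGpo.DisplayName -Key "$ie\ZoneMapKey" -ValueName $site -Type String -Value '3' | Out-Null
}

# --- Section 3.3: make (wireless) clients wait for the network at startup and logon ---
$waitGpo = New-LinkedGpo -Name 'Computers – Wait for network' -Target $ComputerOU   # name assumed
Set-GPRegistryValue -Name $waitGpo.DisplayName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon' `
    -ValueName SyncForegroundPolicy -Type DWord -Value 1 | Out-Null

# Show the zone assignments written; clients pick them up at the next policy refresh or after a reboot
Get-GPRegistryValue -Name $zoneGpo.DisplayName -Key "$ie\ZoneMapKey"
```

The host-name guard mirrors the instruction above to enter www.mymaths.co.uk rather than a full URL: a value containing a scheme or a path is silently ignored by the zone map, which is the kind of mistake that is hard to spot in the editor.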
4 Appendix - What do the GPOs do?
The supplied Group Policy Objects (GPO) enable schools to be able to filter the contents of secure
searches on Bing and Google (using https traffic). This requires a certificate to be installed on your
machines, as well as using a PAC file to configure internet access:
a. The Computers – Lightspeed SSL filtering GPO issues the Lightspeed certificate to each
computer.
b. The Users – Lightspeed SSL filtering GPO sets the auto configuration URL, disables the
auto-detection of internet settings and disables automatic caching of PAC files.
c. The Computers – Firefox SSL filtering GPO runs a login script which imports the
certificate and PAC settings into Firefox (tested with build 48 of Firefox). These settings
were made with the CCK2 add-in, using the autoconfig option. This script is set to
execute the copy command once only.
4.1 GPO settings – detail
The following images show the settings which are made with the supplied Group Policy Objects. Setting list in GPO