In confidence
Internet Filtering (Lightspeed Systems): SSL filtering Bring Your Own Device Configuration
Reference: LS_BYOD
Version: V3.1
Date: 27 July 2017
Owner(s): Ash Green / Colin Helliwell
BT Lancashire Services Education Services SSL Filtering
Bring Your Own Device Configuration
Version 3.1 July 2017
Page 2 of 14
Contents Page
1 BYOD in schools 5
2 Example configurations 7
2.1 Use of BYOD traffic in schools with no domain server 7
2.2 All traffic on same configuration, allowing SSL filtering. 7
2.2.1 iOS 7
2.2.2 Windows 7
2.2.3 Android 8
2.2.4 Chromebook 8
2.2.5 Kindle Fire 10
2.3 Split traffic and rulesets 11
2.3.1 IP management 11
2.3.2 Rulesets & Assignments 11
2.3.3 Captive Portal 12
2.3.4 Device configuration 13
2.4 All on one network, implications for BYOD 13
2.5 Considerations 13
3 Testing 14
Audience: These notes are intended for a school's ICT technician, network manager or third-party ICT support organisation. They apply only to schools using a CLEO connection to access the internet.
Executive summary
Bring Your Own Device (BYOD) refers to permitting students and school staff to bring personally owned devices (laptops, tablets and smartphones) to school and to use them to access school-hosted information, services and applications wirelessly. The advantages of BYOD can include an increase in device availability and a reduction in the cost of providing technology in schools. There are disadvantages: users typically have administrator rights on their own devices, so they can install software that circumvents the Lightspeed SSL proxy, or simply remove the proxy setting and certificate described in this guide.
The Lightspeed Systems SSL filtering option allows schools to apply their internet filtering policies to, and to decrypt and report on, the content of secure searches to Google, YouTube and Bing. Schools that opt to use this filtering will need to reconfigure their computers accordingly (please see the appropriate BTLS documentation). If a school also has a BYOD implementation, this may also need reconfiguration, depending on how it is implemented.
This document is not a guide to deploying BYOD within a school; it is advice on how Lightspeed SSL filtering can be applied to an existing BYOD system.
This guide should only be used by schools on the CLEO network with an existing BYOD implementation.
1 BYOD in schools
Some schools make heavy use of students' own devices through BYOD. If such a school opts for SSL filtering through Lightspeed and wishes to apply it to devices on its BYOD network, key choices will need to be made about how the school handles BYOD traffic.
Depending on a school's implementation of BYOD, there are several issues which may need to be addressed, including:
- NAT. If a school is using any form of Network Address Translation (for instance, behind its own Microsoft ISA/TMG server), then SSL filtering may not work correctly. Devices may get search results through SSL and have the Lightspeed policies applied, but reporting on usage will not be possible, because every device behind the NAT device appears to Lightspeed with the NAT device's IP address rather than the address of the client that accessed the content.
- A certificate will need to be installed on each device accessing the school's CLEO connection. Installing third-party items onto a device owned by a child or parent may require permission from the owner of that device, depending on school policy.
- Reconfiguration of the device to redirect traffic via a PAC file (or directly to a proxy server, in the case of Android devices).
There are many different ways in which a school may have implemented BYOD. We have identified three* common Lightspeed SSL BYOD deployment scenarios below, although there are other possibilities. Because of this, the configuration steps required at your school may vary from those detailed in this document:
- Your school handles BYOD traffic separately from the main curriculum traffic. You may be doing this with a separate IP range or with a subset of the existing network, using separate Lightspeed rulesets so that different filtering options can be run on this traffic.
- Your school handles BYOD traffic on the school network in the same way as any other device. This allows school resources to be accessed from BYOD devices.
- Your school allows BYOD traffic on the existing network but wishes to filter internet searches. This will prevent use of any search engine in school by BYOD devices, but the devices will still be able to access internal resources, and internet resources where they know the URL, have a link to it or have it bookmarked.
* Please note that your school may be using a third-party solution to facilitate BYOD. In that case please read these notes and work with your provider to configure your solution appropriately.
All devices that require SSL filtering will need the certificate installed and must be directed through a Proxy Auto-Config (PAC) or WPAD file.
BT Lancashire have provided schools with configuration guides for all other common IT systems
connected to the CLEO network.
2 Example configurations
2.1 Use of BYOD traffic in schools with no domain server
Some schools allow staff and student devices onto their wireless network but do not have a domain server managing their network. In this situation each device will need to be configured manually with the certificate and a PAC file entry. For these devices, please follow the appropriate BTLS Lightspeed filtering guide, found on the BTLS website.
2.2 All traffic on same configuration, allowing SSL filtering.
This enables schools to keep their existing network configuration and reconfigure only the BYOD devices. DHCP is amended to advertise a central WPAD file (a WPAD file enables clients to auto-detect their proxy settings).
1. Configure WPAD to be served via DHCP on your network (using option 252). Set the WPAD value to http://pac.education.btlsl.co.uk/WPAD.dat
Clients accept this value from whichever DHCP server answers on their segment, so only the school's authorised DHCP server should be reachable from the BYOD network.
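The WPAD.dat and cleo.pac files referred to throughout this guide are Proxy Auto-Config scripts, which are plain JavaScript. The script below is an added illustration of what such a file looks like and of why a BYOD device can still reach internal resources once it is applied; it is not the BTLS-supplied file, whose contents this guide does not reproduce. The proxy host and port, the ".school.internal" domain and the private address ranges are assumed placeholders (BTLS supplies each school's real proxy details). The three helper functions at the top stand in for PAC built-ins so the file can also be run under Node; a browser provides its own.

```javascript
// Added example of a Proxy Auto-Config (PAC) script. It is NOT the BTLS
// cleo.pac or WPAD.dat; FILTER_PROXY, ".school.internal" and the address
// ranges below are assumed placeholders.
//
// A browser calls FindProxyForURL(url, host) for every request and obeys the
// returned string: "DIRECT" (no proxy) or "PROXY host:port".

// Stand-ins for three PAC built-ins (isPlainHostName, dnsDomainIs, isInNet)
// so this file also runs under Node; the browser supplies the real ones.
// Unlike the browser's isInNet, this stand-in does not resolve names and only
// matches hosts given as dotted-quad IPv4 addresses.
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}
function dnsDomainIs(host, domain) {
  return host.toLowerCase().endsWith(domain.toLowerCase());
}
function ipToInt(ip) {
  return ip.split(".").reduce(function (acc, o) { return (acc << 8) + Number(o); }, 0) >>> 0;
}
function isInNet(host, pattern, mask) {
  if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) return false;
  var m = ipToInt(mask);
  return ((ipToInt(host) & m) >>> 0) === ((ipToInt(pattern) & m) >>> 0);
}

// Assumed placeholder: BTLS provides each school's real proxy host and port.
var FILTER_PROXY = "PROXY lightspeed-proxy.example:8080";

function FindProxyForURL(url, host) {
  // Single-label names such as http://intranet/ are LAN hosts: go direct.
  if (isPlainHostName(host)) return "DIRECT";
  // The school's own domain and private/loopback ranges stay off the proxy,
  // which is what lets BYOD devices keep using internal resources.
  if (dnsDomainIs(host, ".school.internal")) return "DIRECT";
  if (isInNet(host, "127.0.0.0", "255.0.0.0") ||
      isInNet(host, "10.0.0.0", "255.0.0.0") ||
      isInNet(host, "172.16.0.0", "255.240.0.0") ||
      isInNet(host, "192.168.0.0", "255.255.0.0")) return "DIRECT";
  // Everything else, http and https alike, goes through the filtering proxy.
  // Deliberately no "; DIRECT" fallback: if the proxy is unreachable the
  // request fails rather than silently bypassing filtering and reporting.
  return FILTER_PROXY;
}
```

On iOS the "Auto" proxy setting locates the file through WPAD, which is why step 3 of section 2.2.1 leaves the URL blank; Chromebooks and Kindle Fire devices are instead given the cleo.pac URL explicitly. A PAC that ends its proxy string with "; DIRECT" will quietly fall back to unfiltered access whenever the proxy is unreachable, so check that the file you deploy does not do so.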
2.2.1 iOS
1. Ensure the device is connected to your school Wi-Fi network.
2. Direct the iPads/iPods to http://filter.education.btlsl.co.uk/lsaccess/proxycerthelp and get the users to follow the instructions there to install the certificate. Please note that the device passcode (user PIN) is required to install a certificate.
3. Go to Settings / Wi-Fi, tap the (i) icon next to the connected SSID and set the HTTP proxy to Auto. Do not enter a value for the URL.
4. Test Wi-Fi access.
5. Please note that on iOS the certificate is only trusted by Safari, not for example by other browsers installed from the App Store (e.g. Chrome).
2.2.2 Windows
Windows Phone (Windows 10)
1. Open a web browser on the device and navigate to http://filter.education.btlsl.co.uk/lsaccess/proxycerthelp. Select Save to download the certificate to the device.
2. Open Files and Folders and open the Downloads folder. Rename the ls-rocket.der file to ls-rocket.cer by pressing and holding the file name and selecting Rename.
3. Press the ls-rocket file and select Install to install the certificate.
4. Click OK to confirm.
5. Open the Settings app.
6. Select Network & Wireless.
7. Select Wi-Fi.
8. Select the correct wireless network. Long-press on it, then press Edit.
9. If using WPAD, click Automatically Detect Settings, then click the tick to apply.
10. If using a PAC file, click Use Manual Set-up Script, set the script address to http://pac.education.btlsl.co.uk/cleo.pac, then click the tick to apply.
2.2.3 Android
Android systems currently do not have the functionality to process either PAC or WPAD files correctly, so they cannot automatically be directed through the Lightspeed SSL filtering servers. Until the Android operating system has this functionality, proxy settings will need to be configured manually on each device. BTLS can provide the school with the proxy server and port; each school is different, so please contact BTLS if you require them.
Please note: in order to install a certificate on an Android device, the device must have a passcode or PIN set. If one is not already in place, you will be prompted to set one when importing the certificate.
2.2.4 Chromebook
Instructions for Chromebooks not managed by a Google domain:
1. Navigate to http://filter.education.btlsl.co.uk/lsaccess/proxycerthelp
2. Click "Download Certificate". This will be saved to your Downloads folder.
3. Click the notification area by the clock and click Settings.
4. Click the wireless SSID to which you are connected, and then click on the bold name of the SSID.
5. Click the Proxy tab, then "Automatic proxy configuration". Tick the "Use an autoconfiguration URL" box and in the text box enter: http://pac.education.btlsl.co.uk/cleo.pac
6. Click Close to return to the Settings page.
7. Scroll to the bottom of the page and click "Show advanced settings".
8. Under the HTTPS/SSL heading, click the "Manage certificates..." button.
9. Select the Authorities tab and click Import.
10. Select the certificate you downloaded earlier (this should have a .crt extension).
11. Click Open. When prompted, select the "Trust this certificate for identifying websites" checkbox and click Save.
12. In the Authorities section, scroll down and confirm there is a Lightspeed Systems folder with a "Lightspeed Rocket" certificate within it.
13. Click Done.
14. Close the Settings box. The reconfiguration is now complete for this Chromebook.
Instructions for Chromebooks managed by a Google domain:
1. Obtain a copy of ls-rocket-chrome.crt from http://filter.education.btlsl.co.uk/lsaccess/proxycerthelp (note that the Windows certificate will not work).
2. Log into your Google domain console.
3. Go to Device management.
4. Under Device settings, click Network.
5. Click Certificates.
6. Click Add certificate.
7. Select the downloaded certificate and click Open.
8. After the certificate uploads, tick the "Use this certificate as an HTTPS certificate authority" checkbox.
9. Click Device management.
10. Click Chrome management.
11. Click User settings.
12. Under the network setting, set the proxy mode to "Always use the proxy auto-config specified below". In the Proxy Server Auto Configuration File URL box enter: http://pac.education.btlsl.co.uk/cleo.pac
13. Click Save at the bottom right of the page.
The reconfiguration steps are now complete.
2.2.5 Kindle Fire
1. Click on Apps.
2. Select Settings, then "Wireless + VPN".
3. Click Wi-Fi.
4. Long-press on the SSID and select Modify network.
5. Tick "Show advanced options".
6. Scroll down and set Proxy to "Auto".
7. Set the URL to http://pac.education.btlsl.co.uk/cleo.pac
8. Click the Save button.
9. From Apps, open the Silk browser.
10. Go to http://filter.education.btlsl.co.uk/lsaccess/proxycerthelp
11. Click "Download Certificate".
12. Click Open.
13. Name the certificate "Lightspeed".
14. Select Wi-Fi from the Credential use box.
15. Click OK. The configuration is now complete.
Please note: in order to install a certificate on a Kindle Fire device, the device must have a passcode or PIN set. If one is not already in place, you will be prompted to set one when importing the certificate.
2.3 Split traffic and rulesets
2.3.1 IP management
If you wish to process separate Lightspeed rulesets on BYOD traffic, one way to do this is to segregate your IP range internally, with one DHCP range for your domain-managed devices and a separate DHCP range for BYOD devices. There may be multiple items to consider here, including (but not limited to):
- Use of a dedicated VLAN to segregate BYOD traffic.
- Schools that have merged their networks will probably have their old Admin IP range unused. This could carry the BYOD traffic if required.
- Reconfiguration of your networking hardware (possibly using IP helpers).
As each BYOD implementation is likely to be different, BTLS cannot recommend a particular configuration to schools. However, the items listed above should be considered and may need reconfiguring. Please note that these are all complex steps, and incorrect configuration may put your existing network at risk.
2.3.2 Rulesets & Assignments
A separate ruleset can be configured in the Lightspeed admin panel to hold the rules which you wish to apply to your BYOD users. By creating a new IP range assignment, this ruleset can be applied to the IP addresses which you deploy to the BYOD range. Requests are matched against the Assignments page in top-down order and the first matching assignment wins, so the BYOD assignment must be positioned above the main curriculum assignment; if the curriculum range is broad enough to include the BYOD range and sits above it, the BYOD assignment will never be reached.
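The top-down rule is easy to get wrong when the BYOD range is a subset of the curriculum range. The script below, an added illustration rather than Lightspeed's own code, models the Assignments page as a first-match list and flags any entry that an earlier, broader entry makes unreachable. The ranges 10.20.0.0/16 and 10.0.0.0/8, the ruleset names and the "Default" fallback are assumed placeholders; substitute your own ranges to check an intended ordering before applying it in the admin panel.

```javascript
// Added example (not Lightspeed code): first-match evaluation of IP range
// assignments, as on the Assignments page, plus a check for shadowed entries.
// All ranges, names and the "Default" fallback are assumed placeholders.

function ipToInt(ip) {
  return ip.split(".").reduce(function (acc, o) { return (acc << 8) + Number(o); }, 0) >>> 0;
}

// Parse "10.20.0.0/16" into its network base and mask as unsigned 32-bit ints.
function parseCidr(cidr) {
  const parts = cidr.split("/");
  const bits = Number(parts[1]);
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return { base: (ipToInt(parts[0]) & mask) >>> 0, mask: mask };
}

function inCidr(ip, cidr) {
  const net = parseCidr(cidr);
  return ((ipToInt(ip) & net.mask) >>> 0) === net.base;
}

// Mirrors the Assignments page: entries are tried top to bottom and the first
// whose range contains the client address decides the ruleset.
function selectRuleset(assignments, clientIp) {
  for (const a of assignments) {
    if (inCidr(clientIp, a.range)) return a.ruleset;
  }
  return "Default"; // assumed fallback when nothing matches
}

// Report entries that can never match because an earlier entry already covers
// their whole range (a broader prefix has a numerically smaller mask).
function shadowedAssignments(assignments) {
  const out = [];
  for (let i = 0; i < assignments.length; i++) {
    const later = parseCidr(assignments[i].range);
    for (let j = 0; j < i; j++) {
      const earlier = parseCidr(assignments[j].range);
      const covered = earlier.mask <= later.mask &&
        ((later.base & earlier.mask) >>> 0) === earlier.base;
      if (covered) {
        out.push(assignments[i].name + " (" + assignments[i].range + ") is shadowed by " +
                 assignments[j].name + " (" + assignments[j].range + ")");
        break;
      }
    }
  }
  return out;
}

// Constructed sample: a BYOD range carved out of the wider curriculum range.
const byod = { name: "BYOD", range: "10.20.0.0/16", ruleset: "BYOD Ruleset" };
const curriculum = { name: "Curriculum", range: "10.0.0.0/8", ruleset: "Curriculum Ruleset" };
const correctOrder = [byod, curriculum]; // BYOD above curriculum
const wrongOrder = [curriculum, byod];   // BYOD below: never reached

function demo() {
  return {
    correct: selectRuleset(correctOrder, "10.20.5.7"),
    wrong: selectRuleset(wrongOrder, "10.20.5.7"),
    warnings: shadowedAssignments(wrongOrder)
  };
}
```

Running demo() returns "BYOD Ruleset" for the correct ordering, "Curriculum Ruleset" for the wrong one (the same client address, silently filtered under the curriculum rules) and one warning naming the shadowed BYOD entry.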
2.3.3 Captive Portal
The Lightspeed product has a captive portal which may be used if schools wish to authenticate all BYOD users on the network. Enabling it forces all users (or just BYOD users, if applied to the BYOD IP range only) to authenticate with their school username and password before they are allowed to use the internet. This aids significantly when running reports via Lightspeed to track usage, since activity is tied to a named user rather than only to an IP address. The captive portal can be enabled through your Lightspeed admin panel; examples and training can be found on the Lightspeed website. Lightspeed Systems recommend that a captive portal is used at all sites that use BYOD. A captive portal can only run in domain-connected schools, and devices running the Lightspeed Agent can be excluded from the captive portal requirement.
2.3.4 Device configuration
2.3.4.1 BYOD using SSL filtering
By following the device configuration steps in sections 2.1 and 2.2 as appropriate, schools can reconfigure BYOD devices accordingly.
2.3.4.2 BYOD not using SSL filtering
For this option, devices need no additional configuration. This will permit usage of search engines without decrypting the search queries, although the devices will still only be able to use Google, Bing and YouTube to search.
2.4 All on one network, implications for BYOD
Standard filtering will take place for devices connected to the school's network. This requires no configuration of Lightspeed or of the devices themselves. Please note that in this case the school's SSL policies will not be enforced and reports on SSL traffic will not be available.
2.5 Considerations
Consider setting up BYOD access once you have configured access for the rest of your school-owned devices. Consider parents' views on deploying certificates onto personal devices. Because the Lightspeed certificate is installed as a trusted certificate authority, the device will accept certificates issued by it for any website, not only for the search engines that are decrypted, so schools may wish to contact parents to explain how this works, to add it to their Internet Acceptable Use Policy, and to ask that the certificate and proxy setting are removed when a device leaves the scheme.
3 Testing
After reconfiguration, schools should test devices to ensure that the SSL filtering is working correctly. Please follow the steps below:
1. On the device to be tested, open a web browser and navigate to https://images.google.com/ .
2. Enter the word "pokerchip".
Correct configuration: if filtering is running correctly, some of the returned thumbnails will show a blue cross image. These blue crosses represent results from blocked websites.
Incorrect configuration: if filtering is not running correctly, all images will be returned. Please check the configuration on this device.
Please note that if your school has manually allowed the "gambling" category in your Lightspeed console, all the images will be returned whether or not the client is configured correctly. If this is the case, please disable that category and repeat the test.