In confidence Internet Filtering (Lightspeed Systems): SSL filtering Bring Your Own Device Configuration Reference: LS_BYOD Version: V3.1 Date: 27 July 2017 Owner(s): Ash Green/ Colin Helliwell


BT Lancashire Services Education Services SSL Filtering

Bring Your Own Device Configuration

Version 3.1 July 2017


Contents

1 BYOD in schools
2 Example configurations
2.1 Use of BYOD traffic in schools with no domain server
2.2 All traffic on same configuration, allowing SSL filtering.
2.2.1 iOS
2.2.2 Windows
2.2.3 Android
2.2.4 Chromebook
2.2.5 Kindle Fire
2.3 Split traffic and rulesets
2.3.1 IP management
2.3.2 Rulesets & Assignments
2.3.3 Captive Portal
2.3.4 Device configuration
2.4 All on one network, implications for BYOD
2.5 Considerations
3 Testing


Audience: These notes are intended to be used by a school's ICT technician, network manager or third-party ICT support organisation. These notes are only for schools using a CLEO connection to access the internet.


Executive summary

Bring Your Own Device (BYOD) refers to permitting students and school staff to bring personally owned devices (laptops, tablets, and smartphones) to school and to use these devices to access school-hosted information, services and applications wirelessly. The advantages of BYOD can include an increase in device availability and a reduction in the cost of providing technology in schools. There are disadvantages, as users may have administrator rights to download software that could circumvent the Lightspeed SSL proxy.

The Lightspeed Systems SSL filtering option allows schools to have their internet filtering policies applied and to decrypt and report on the content of secure searches to Google, YouTube and Bing. Schools who opt to use this filtering will need to reconfigure their computers accordingly (please see the appropriate BTLS documentation). If a school also has a BYOD implementation, this may also need reconfiguration, depending on how it is implemented.

This document is not a guide to deploying a BYOD implementation within school; it offers advice on how Lightspeed SSL filtering could be implemented on your existing BYOD system.

This guide should only be used by schools on the CLEO network with an existing BYOD implementation.


1 BYOD in schools

Some schools heavily use students' own devices through BYOD. If such a school decides to opt for SSL filtering through Lightspeed and wishes to apply it to devices on its BYOD network, key choices will need to be made about how the school wishes to handle the BYOD traffic.

Depending on a school's implementation of BYOD, there are multiple issues which may need to be addressed, including:

• NAT. If a school is using any form of Network Address Translation (for instance, behind its own Microsoft ISA/TMG server), then SSL filtering may not work correctly. Devices may get search results through SSL and have the Lightspeed policies applied; however, reporting on usage will not be possible. This is because all devices behind such a NAT device will display with the IP address of the NAT device, and not that of the client device accessing the content.

• A certificate will need to be installed onto each device accessing the school's CLEO connection. This installation of 3rd party items onto a device owned by a child or parent may require permission from the owner of that device, depending on school policy.

• Reconfiguration of the device, to redirect traffic via a PAC file (or a proxy server in the case of Android devices).

There are many different ways in which a school may have implemented BYOD. We have identified three* common Lightspeed SSL BYOD deployment scenarios below, although there are other possibilities. Because of this, the configuration steps required at your school may vary from those detailed in this document:

• Your school handles BYOD traffic separately from the main curriculum traffic. You may be doing this with a separate IP range or be using a subset of the existing network, employing separate Lightspeed rulesets to have the option to run separate filtering options on this traffic.

• Your school handles BYOD traffic on the school network, the same as any other device. This allows you to access school resources from BYOD devices.

• Your school allows BYOD traffic on the existing network but you wish to filter the internet searches. This will prevent use of any search engine in school by BYOD devices, but the devices will be able to access internal resources and internet resources when they know the URL, have a link to it or have it bookmarked.

* Please note that your school may be using a 3rd party solution to facilitate your BYOD solution. In such a case please read these notes and work with your provider to configure your solution appropriately.

All devices that require SSL filtering will require a certificate to be installed and must be directed through a Proxy Auto Config (PAC) or WPAD file.


BT Lancashire have provided schools with configuration guides for all other common IT systems connected to the CLEO network.


2 Example configurations

2.1 Use of BYOD traffic in schools with no domain server

Some schools allow staff and student devices onto their wireless network but do not have a domain server managing their network. In this situation, the devices will manually need to be configured with a certificate and PAC file entry. For these devices, please follow the appropriate BTLS Lightspeed filtering guide, found on the BTLS website.

2.2 All traffic on same configuration, allowing SSL filtering.

This enables schools to keep their existing network configuration and just reconfigure the BYOD devices. DHCP is amended to provide access to a central WPAD file (a WPAD file enables auto-detection of proxy settings).

1. Configure WPAD to be served via DHCP on your network (using option 252). Set the WPAD value to http://pac.education.btlsl.co.uk/WPAD.dat
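One way to confirm that the DHCP server is really handing out option 252 with the value above is to parse the options field of a captured DHCP reply. This is an added example, not part of the BTLS guide; it assumes you have already extracted the options bytes that follow the DHCP magic cookie, and the sample byte strings are constructed for illustration.

```python
EXPECTED_WPAD_URL = "http://pac.education.btlsl.co.uk/WPAD.dat"  # value from this guide
OPT_PAD, OPT_WPAD, OPT_END = 0, 252, 255


def build_option(code, value):
    """Encode one DHCP option as code, length, value (used for the samples)."""
    return bytes([code, len(value)]) + value


def parse_dhcp_options(field):
    """Parse a DHCP options field into {code: value bytes}."""
    options, i = {}, 0
    while i < len(field):
        code = field[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:  # padding is a single byte with no length
            i += 1
            continue
        if i + 1 >= len(field):
            raise ValueError(f"option {code} has no length byte")
        length = field[i + 1]
        value = field[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} is truncated")
        # A repeated option code carries the continuation of a long value.
        options[code] = options.get(code, b"") + value
        i += 2 + length
    return options


def check_wpad(field, expected=EXPECTED_WPAD_URL):
    """Return 'ok', 'missing' or 'mismatch: ...' for option 252."""
    raw = parse_dhcp_options(field).get(OPT_WPAD)
    if raw is None:
        return "missing"
    # Assumption: a trailing NUL or newline added by the server is tolerated.
    url = raw.rstrip(b"\x00\r\n ").decode("ascii", errors="replace")
    # Compared exactly, because URL paths can be case-sensitive.
    return "ok" if url == expected else f"mismatch: {url!r}"


# Constructed samples: message type (53) = ACK, router (3), then option 252.
_PREFIX = build_option(53, b"\x05") + build_option(3, bytes([10, 0, 0, 1]))
SAMPLE_GOOD = _PREFIX + build_option(OPT_WPAD, EXPECTED_WPAD_URL.encode()) + bytes([OPT_END])
SAMPLE_MISSING = _PREFIX + bytes([OPT_END])
SAMPLE_WRONG_CASE = _PREFIX + build_option(
    OPT_WPAD, b"http://pac.education.btlsl.co.uk/wpad.dat\x00") + bytes([OPT_END])
SAMPLE_TRUNCATED = _PREFIX + bytes([OPT_WPAD, 50]) + b"http://pac"

if __name__ == "__main__":
    for name in ("SAMPLE_GOOD", "SAMPLE_MISSING", "SAMPLE_WRONG_CASE"):
        print(name, "->", check_wpad(globals()[name]))
```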

2.2.1 iOS

1. Ensure the device is connected to your school Wi-Fi network.

2. Direct your iPads/iPods to http://filter.education.btlsl.co.uk/lsaccess/proxycerthelp , and get the users to follow the instructions, enabling them to install a certificate. Please note that the user PIN is required to install a certificate.

3. Go to Settings / Wi-Fi, click the (i) icon next to the connected SSID and set the HTTP proxy to auto. Do not enter a value for the URL.

4. Test Wi-Fi access.

5. Please note that certificates are only trusted in Safari on iOS devices, not, for example, by other browsers installed via the App Store (e.g. Chrome).

2.2.2 Windows

Windows Phone (Windows 10)

1. Open a web browser on the device. On this, navigate to: http://filter.education.btlsl.co.uk/lsaccess/proxycerthelp. Select Save to download to your machine.

2. Open Files and Folders, open the downloads folder. Rename the ls-rocket.der file to ls-rocket.cer by pressing and holding the file name and selecting rename.


3. Press the ls-rocket file, and select Install to install the certificate.

4. Click ok to confirm.

5. Open the Settings App.

6. Select Network & Wireless.

7. Select Wi-Fi.

8. Select the correct wireless network. Long press on this, then press edit.

9. If using WPAD, click Automatically Detect Settings. Click the tick to apply.

10. If using a PAC file, click Use Manual Set-up script. Set the script address to http://pac.education.btlsl.co.uk/cleo.pac and click the tick to apply.

2.2.3 Android

Android systems currently do not have the functionality to permit either PAC or WPAD files to be processed correctly, meaning that they cannot automatically be directed through the Lightspeed SSL filtering servers. Until the Android operating system has this functionality, Android devices cannot automatically be configured, meaning that proxy settings will need to be manually configured on each device. BTLS can provide the school with the proxy server and port; each school is different. Please contact BTLS if you require the proxy server and port.

Please note: In order to install a certificate on an Android device, it is necessary for the device to be set with either a passcode or pincode. If this is not already in place, you will be prompted to set one when importing the certificate.

2.2.4 Chromebook

Instructions for Chromebooks not managed by a Google domain:

Navigate to http://filter.education.btlsl.co.uk/lsaccess/proxycerthelp

Click 'Download Certificate'. This will be saved to your downloads folder.

Click the notification area by the clock and click settings.

Click the wireless SSID which you are connected to, and then click on the bold name of the SSID.

Click the proxy tab, then "Automatic Proxy configuration". Tick the "use an autoconfiguration URL" box, and in the text box enter: http://pac.education.btlsl.co.uk/cleo.pac

Click close to return to the settings page.

Scroll to the bottom of the page, and click show advanced settings

Under the HTTPS/SSL heading, click the "manage certificates…" button

Select the authorities tab, and click import.

Select the certificate you downloaded earlier (this should have a .crt extension)

Click open. When prompted, select the "Trust this certificate for identifying websites" checkbox and click save.

In the Authorities section, scroll down and confirm there is a Lightspeed Systems folder with a "Lightspeed Rocket" certificate within it.

Click Done

Close the settings box

The reconfiguration is now complete for this Chromebook.


Instructions for Chromebooks managed by a Google domain:

Obtain a copy of the ls-rocket-chrome.crt (note that the Windows certificate will not work) from http://filter.education.btlsl.co.uk/lsaccess/proxycerthelp

Log in to your Google domain console

Go to device management

Under Device settings, click Network

Click Certificates

Click Add certificate

Select the downloaded certificate and click open

After the certificate uploads, click the "Use this certificate as an HTTPS certificate authority" checkbox


Click Device management

Click Chrome management

Click User settings

Under the network setting, set the proxy mode to "always use the proxy auto-config specified below". In the Proxy Server Auto Configuration File URL box enter the following: http://pac.education.btlsl.co.uk/cleo.pac

Click Save at the bottom right of the page

The reconfiguration steps are now complete.

2.2.5 Kindle Fire

Click on Apps

Select Settings, then "wireless + vpn"

Click Wi-Fi

Long-press on the SSID. Select Modify network

Tick "show advanced options"

Scroll down and select proxy to be "auto".

Set the URL to be http://pac.education.btlsl.co.uk/cleo.pac

Click the Save button.

From the Apps, open Silk Browser

Go to http://filter.education.btlsl.co.uk/lsaccess/proxycerthelp

Click "Download Certificate"

Click open

Name the certificate "Lightspeed"

Select Wi-Fi from the Credential box

Click OK

The configuration is now complete.


Please note: In order to install a certificate on a Kindle Fire device, it is necessary for the device to be set with either a passcode or pincode. If this is not already in place, you will be prompted to set one when importing the certificate.

2.3 Split traffic and rulesets

2.3.1 IP management

If you wish to be able to process separate Lightspeed rulesets on BYOD traffic, one way to do this is to segregate your IP range internally, with one DHCP range for your domain-managed devices, and a separate DHCP range for BYOD devices. There may be multiple items to consider here, including (but not limited to):

• Use of a dedicated VLAN to segregate BYOD traffic

• Schools that have merged their networks will likely have their old Admin IP range unused. This could handle the BYOD traffic if required.

• Reconfiguration of your networking hardware (possibly using IP helpers)

As each BYOD implementation is likely to be different, BTLS cannot recommend a particular configuration to schools. However, the items listed above should be considered and may need reconfiguring. Please note that these are all complex steps, and incorrect configuration may put your existing network at risk.

2.3.2 Rulesets & Assignments

A separate ruleset can be configured in the Lightspeed admin panel to configure the rules which you wish to be applied to your BYOD users. By creating a new IP range Assignment, this ruleset can be applied to the IP addresses which you will deploy to the BYOD range. By positioning the BYOD assignment above the main curricular assignment, BYOD traffic will be processed separately (requests to access the internet are processed in a top-down order on the Assignments page).
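The ordering requirement above is easy to get wrong when the BYOD range is a subset of the main school range. The following added example (not Lightspeed's code) models the top-down processing as "first matching assignment wins", which is an assumption drawn from the description above, and flags assignments that can never be reached; the ruleset names and IP ranges are constructed for illustration.

```python
import ipaddress


def first_match(assignments, client_ip):
    """Return the name of the first assignment whose range contains client_ip."""
    ip = ipaddress.ip_address(client_ip)
    for name, cidr in assignments:
        if ip in ipaddress.ip_network(cidr):
            return name
    return None


def shadowed(assignments):
    """Return names of assignments fully covered by a single earlier range.

    Such an assignment never matches under top-down processing. Coverage by
    the union of several earlier ranges is not detected here.
    """
    hidden, earlier = [], []
    for name, cidr in assignments:
        net = ipaddress.ip_network(cidr)
        if any(net.version == e.version and net.subnet_of(e) for e in earlier):
            hidden.append(name)
        earlier.append(net)
    return hidden


# Constructed sample: the BYOD DHCP range sits inside the main school range.
CORRECT_ORDER = [("BYOD", "10.0.200.0/24"), ("Curriculum", "10.0.0.0/16")]
WRONG_ORDER = [("Curriculum", "10.0.0.0/16"), ("BYOD", "10.0.200.0/24")]

if __name__ == "__main__":
    byod_client = "10.0.200.15"
    for label, order in (("correct", CORRECT_ORDER), ("wrong", WRONG_ORDER)):
        print(label, "->", first_match(order, byod_client),
              "| shadowed:", shadowed(order))
```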


2.3.3 Captive Portal

The Lightspeed product has a captive portal which may be used if schools wish to authenticate all BYOD users on the network. Use of this forces all users (or just BYOD users if applied to the BYOD IP range only) to authenticate with their school username and password before they are allowed to use the internet. This aids significantly when running reports via Lightspeed to track usage. The captive portal can be enabled through your Lightspeed admin panel. Examples and training can be located on the Lightspeed website. Lightspeed Systems recommend that a captive portal is used with all sites that use BYOD. A captive portal can only run in domain-connected schools, and devices using the Lightspeed Agent on their systems can be excluded from having to use the captive portal.


2.3.4 Device configuration

2.3.4.1 BYOD using SSL filtering

By following section 2.1 schools can reconfigure devices accordingly.

2.3.4.2 BYOD not using SSL filtering

For this option, devices need no additional configuration. This will permit usage of search engines without decrypting the search queries, although the devices will still only be able to use Google, Bing and YouTube to search.

2.4 All on one network, implications for BYOD

Standard filtering will take place for devices connected to the school's network. This requires no configuration either to Lightspeed or to the devices themselves. Please note that school policies on SSL will not be enforced and reports on SSL traffic will not be available.

2.5 Considerations

Consider setting up BYOD access once you have configured access for the rest of your school-owned devices. Consider parents' views on deploying certificates onto personal devices. Schools may wish to contact parents to advise them how this works, and may want to add this to their Internet User Acceptance Policy.


3 Testing

After reconfiguration, schools should test devices to ensure that the SSL filtering is working correctly. Please follow the steps below:

On the device to be tested, open a web browser and navigate to https://images.google.com/ and enter the word "pokerchip".

Correct configuration: If filtering is running correctly, some of the returned thumbnails will have a blue cross image. These blue crosses represent results from blocked websites.

Incorrect configuration: If filtering is not running correctly, all images will be returned. Please check the configuration on this device.

Please note that if your school has manually enabled the "gambling" category in your Lightspeed console, this will return all the images whether a client is configured correctly or not. If this is the case, please disable it and try your testing again.