Skip to main content

Securly Web Filtering - some deployment thoughts

Webfiltering is one of those necessary evils and has plagued me in one way other another since I started to do anything with school IT management. On one hand people expect free and easy access to the internet and on the other we are expected to be able to report on every action of every user on the network on any type of device.

This blog post is not about the wrongs and rights of webfiltering, more a technical perspective on the Securly product and some of the features and deployment pitfalls.

We have just moved to using Securly. Previously we were using OpenDNS Umbrella and GoGuardian Admin on ChromeOS devices. We moved due to this combination not providing the level of reporting that is required as of September 2016 (in the UK) and the combined cost of these two produces being considerably higher than Securly.

Deployment


Onsite its much the same as OpenDNS. We point our Gateways DNS to Securly's DNS servers rather than OpenDNS. This obviously takes a few seconds to do. On ChromeOS, there is a Securly extension to push to all of your users - again takes only a few seconds to do.
However, as Securely intercepts https traffic, you also need to deploy their SSL certificate to your devices. For ChromeOS, this can just be pushed via the management console. For managed PC's, it can be pushed by group policy (note if you have a software restriction policy in place, it will need turning off). For our limited number of Apples, it was a manual job to go round to them all.
On the Securly management console you need to define your policies for different groups. Users are synced from Google Apps. So your OU structure will be brought across and you assign policies based on OUs. So you do have the option to be very granular with your filtering. There is also an option to set a different 'At Home' policy which is great for 1:1 devices.  

And thats its - well not quite!


Issues we had to deal with so far


Being a long time Google Apps school, we already forced Safesearch and YouTube restricted mode by global DNS. You need to remove these settings and set them in Securly otherwise Securly won't work correctly.
Read the document that they provide about which things to turn off and on in Chrome Management - both for PC and ChromeOS. There were a number of existing policies that conflicted with Securly in place that we had to remove.
Google.ie! - Google thinks we are now in Ireland (I'm guessing the Amazon Data Center Securly use?). So we had to set the Omnibox seach provider to google.co.uk by group policy and in Chrome Management.
Force Login - this feature of Securly means that to get anywhere in a browser you must be logged in with your school account. So all activity is then tracked. This is an essential feature for us but breaks several things.

Forced Login Issues


Spiceworks helpdesk. We run Spiceworks on a local server. One of the things it does is send an receive emails from users. Force Login kills this as the server cannot login. There work around for use has been given the Spiceworks VM another nic and pointing its DNS directly to Google. It now works.
Papercut Cloud Printing. If you do nothing, Securly kills this. Without Forced Login, you can make it work by added the Securly SSL certificate to your Papercut Server - they have an article on how to do this. However, with Forced Login, this does not help. To make it work, we had to give the Papercut Server another nic and again point it towards Google DNS. We also had to set the priority of this nic above the original one. We did this with the NetRouteView tool. Look for the 0.0.0.0 entires and set the priority of the nic with Google DNS above the other (a lower number). Once we did this, it sprang back into life.
If you can point these servers at alternative public IPs, Securly can also remove these from forced login.

BYOD


Securly are still working on a good solution to BYOD. As it stands, users have to manually add the security certificate. I've popped instructions onto a Google Site for users - https://sites.google.com/wheatleypark.org/byod
How users get on with this remains to be seen! They will also need to login with their school account to be able to browse. For guest access I've created a domain Google Account just for guests that has pretty much every service disabled so they can just use it to login.
Hopefully there will be a slicker option soon.
Just an update - I've set our BYOD to redirect users to an internal website that allows them to install the certificate much more easily. So what pops up now after they accept our usage policy is:
This seems to work rather well and most users have just got on with it.

Unmanaged ChromeOS Devices


These present a problem at the moment. If a user signs in with their school account, all is well as the filtering is done by the extension. However, if they use a private account, then there is no extension and therefore no filtering. Now you can get Securly to turn on ChromeOS DNS filtering, however, this causes lots of problems where the extension is present as well. Securly are currently working on getting the two to play nicely together. For us, almost all of our devices are managed and therefore its not much of an issue - but I will be looking for this loophole to be closed asap.

Alerts


Securly alerts go to one email address. We needed several users to be able to see the alerts so made the address a collaborative inbox Google Group which seems to work quite well. Delivery to users is sent as a daily digest - so a summary each day.


So a few tips on anyone going down this route that might save you some time.

Popular posts from this blog

Delete a specific email using GAM

If a user send an inappropriate email to a loads of people or get stung by some sort of email exploit you can quickly delete the email from all of the recipients using a GAM command.
Step 1 - get the email header Go into Google Vault and search for the offending user or someone known to have got the message.
Click show details and grab the email ID. This will be a long string of characters followed by @mail.gmail.com
Step 2 - find out who has the email Go into Google Vault and find the original message sent by the offending user. Look at the details to see who got it. Copy the list and dump it into a spreadsheet. Clean up to just a list of emails with a column header 'mail'. Save as a csv file.
Step 3 - delete messages with GAM Put your CSV file in your GAM folder - this e.g. assumes its called mail.csv
Run:
gam csv mail.csv gam user ~mail delete messages query rfc822msgid:MESSAGEIDHERE doit

The alternative nuke option is:
gam all users delete messages query rfc822msgid:MESSAGEI…

How to push bookmarks to users in Chrome via the management console

With the release of Chrome and ChomeOS 37 an update to the management console has arrived that allows you to push bookmarks to users.

Under Device Management > Chrome > User Settings > User Experience you will now find the option to add managed bookmarks.


In the example above, the bookmarks are applied to the sub-OU of 'students' - so all our students will get these bookmarks. Simply add your url and the bookmark name, click the + and save. These will appear in a folder called 'yourdomain bookmarks' - see below:



Be aware that to get these bookmarks applied on a Windows/OS-X device the user must be signed into Chrome. Update: if you install the latest group policy template you can push the bookmarks via policy on PCs - details are given here.
Video Guide:

ClearOS 7.1 as a Windows Domain Controller

I've been a long time user of ClearOS for gateway, DNS,DHCP, backup and a variety of other services. It is a Linux distro that is backed up with a marketplace of great apps that can be easily managed via a web config (although you can drop into cli whenever you want more control). The new samba directory app allows ClearOS to behave as a full on Windows Domain controller and file server without the cost of Windows Server.

So this is a demo from installation to a working DC and files server. Its about 40 mins for the full job - so skip though bits - gives you an example of what you can do. Please note the the Samba Directory App is currently in beta - but I've not spotted any bugs in a my test setup yet.