Webfiltering is one of those necessary evils and has plagued me in one way or another since I started to do anything with school IT management. On one hand people expect free and easy access to the internet and on the other we are expected to be able to report on every action of every user on the network on any type of device.
This blog post is not about the wrongs and rights of webfiltering, more a technical perspective on the Securly product and some of the features and deployment pitfalls.
We have just moved to using Securly. Previously we were using OpenDNS Umbrella and GoGuardian Admin on ChromeOS devices. We moved due to this combination not providing the level of reporting that is required as of September 2016 (in the UK) and the combined cost of these two products being considerably higher than Securly.
Deployment
On site it's much the same as OpenDNS. We point our gateway's DNS to Securly's DNS servers rather than OpenDNS. This obviously takes a few seconds to do. On ChromeOS, there is a Securly extension to push to all of your users - again, it takes only a few seconds to do.
However, as Securly intercepts HTTPS traffic, you also need to deploy their SSL certificate to your devices. For ChromeOS, this can just be pushed via the management console. For managed PCs, it can be pushed by group policy (note: if you have a software restriction policy in place, it will need turning off). For our limited number of Apples, it was a manual job to go round to them all.
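One way to check the certificate deployment on a managed PC, as an added example (not Securly's tooling and not part of the original post): it confirms the filter's root CA is in the machine trust store and that HTTPS on the network really is being re-signed by it. The thumbprint is a placeholder and the test host is an assumption.

```powershell
# Added example. Run on a managed PC after the group policy has applied.
# ASSUMPTIONS: the thumbprint is a placeholder (read the real one from the
# certificate file supplied by the filtering vendor); $TestHost is any HTTPS
# site that the filter decrypts.
$ExpectedThumbprint = '<FILTER-ROOT-CA-THUMBPRINT>'
$TestHost           = 'www.example.com'

# 1. Is the CA in the machine-wide Trusted Root store, where group policy puts it?
$root = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $ExpectedThumbprint }
if (-not $root) {
    Write-Warning 'Filter root CA is missing from LocalMachine\Root'
} elseif ($root.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Filter root CA expires on $($root.NotAfter)"
}

# 2. Which CA signed the certificate this network presents for $TestHost?
#    The callback accepts any certificate because it is only inspected here;
#    no application data is sent over the connection.
$accept = [System.Net.Security.RemoteCertificateValidationCallback] {
    param($s, $cert, $chain, $errors) $true
}
$tcp = New-Object System.Net.Sockets.TcpClient($TestHost, 443)
try {
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
    $ssl.AuthenticateAsClient($TestHost)
    $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

    # Build the chain from the local stores. If the filter CA is not installed
    # the chain cannot reach it and InterceptedByFilter comes back False.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    [void]$chain.Build($leaf)
    $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    [pscustomobject]@{
        Host                = $TestHost
        LeafIssuer          = $leaf.Issuer
        ChainTop            = $top.Subject
        InterceptedByFilter = ($top.Thumbprint -eq $ExpectedThumbprint)
        RootInstalled       = [bool]$root
    }
} finally {
    if ($ssl) { $ssl.Dispose() }
    $tcp.Close()
}
```

A PC that reports `RootInstalled = False` will show certificate errors on every decrypted site, so this is the first thing to check when a user reports browser warnings.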
On the Securly management console you need to define your policies for different groups. Users are synced from Google Apps. So your OU structure will be brought across and you assign policies based on OUs. So you do have the option to be very granular with your filtering. There is also an option to set a different 'At Home' policy which is great for 1:1 devices.
And that's it - well, not quite!
Issues we had to deal with so far
Being a long-time Google Apps school, we already forced SafeSearch and YouTube restricted mode by global DNS. You need to remove these settings and set them in Securly, otherwise Securly won't work correctly.
Read the document that they provide about which things to turn off and on in Chrome Management - both for PC and ChromeOS. There were a number of existing policies that conflicted with Securly in place that we had to remove.
Google.ie! - Google thinks we are now in Ireland (I'm guessing the Amazon Data Center Securly use?). So we had to set the Omnibox search provider to google.co.uk by group policy and in Chrome Management.
Force Login - this feature of Securly means that to get anywhere in a browser you must be logged in with your school account. So all activity is then tracked. This is an essential feature for us but breaks several things.
Forced Login Issues
Spiceworks helpdesk. We run Spiceworks on a local server. One of the things it does is send and receive emails from users. Force Login kills this as the server cannot log in. The workaround for us has been to give the Spiceworks VM another NIC and point its DNS directly to Google. It now works.
Papercut Cloud Printing. If you do nothing, Securly kills this. Without Forced Login, you can make it work by adding the Securly SSL certificate to your Papercut Server - they have an article on how to do this. However, with Forced Login, this does not help. To make it work, we had to give the Papercut Server another NIC and again point it towards Google DNS. We also had to set the priority of this NIC above the original one. We did this with the NetRouteView tool. Look for the 0.0.0.0 entries and set the priority of the NIC with Google DNS above the other (a lower number). Once we did this, it sprang back into life.
If you can point these servers at alternative public IPs, Securly can also remove these from forced login.
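The second-NIC workaround above can also be done and checked from PowerShell instead of NetRouteView. This is an added example, not from the original post: the interface aliases are hypothetical, and 8.8.8.8 / 8.8.4.4 are Google Public DNS.

```powershell
# Added example. Run in an elevated PowerShell session on the server.
# ASSUMPTIONS: both interface aliases are hypothetical names.
$FilteredNic = 'LAN-Filtered'    # original NIC, DNS goes via the filter
$DirectNic   = 'LAN-DirectDNS'   # second NIC added for the workaround

function Get-DefaultRouteOrder {
    # Windows prefers the 0.0.0.0/0 route with the lowest combined metric
    # (route metric + interface metric), so list them in that order.
    Get-NetRoute -DestinationPrefix '0.0.0.0/0' | ForEach-Object {
        $if  = Get-NetIPInterface -InterfaceIndex $_.InterfaceIndex -AddressFamily IPv4
        $dns = Get-DnsClientServerAddress -InterfaceIndex $_.InterfaceIndex -AddressFamily IPv4
        [pscustomobject]@{
            Interface       = $_.InterfaceAlias
            NextHop         = $_.NextHop
            RouteMetric     = $_.RouteMetric
            InterfaceMetric = $if.InterfaceMetric
            Effective       = $_.RouteMetric + $if.InterfaceMetric
            Dns             = $dns.ServerAddresses -join ','
        }
    } | Sort-Object Effective
}

Get-DefaultRouteOrder | Format-Table -AutoSize    # state before the change

# Only the second NIC is pointed at Google DNS; the original NIC is untouched.
Set-DnsClientServerAddress -InterfaceAlias $DirectNic -ServerAddresses '8.8.8.8', '8.8.4.4'

# Pin both metrics so the ordering survives reboots; the lower number wins.
Set-NetIPInterface -InterfaceAlias $DirectNic   -AddressFamily IPv4 -AutomaticMetric Disabled -InterfaceMetric 10
Set-NetIPInterface -InterfaceAlias $FilteredNic -AddressFamily IPv4 -AutomaticMetric Disabled -InterfaceMetric 50

# Verify: the direct NIC must now be first, and Google DNS must answer.
$order = @(Get-DefaultRouteOrder)
$order | Format-Table -AutoSize
if ($order[0].Interface -ne $DirectNic) {
    Write-Warning "Preferred default route is still on '$($order[0].Interface)'"
}
Resolve-DnsName -Name 'www.google.com' -Server '8.8.8.8' -Type A | Select-Object -First 1
```

A server configured this way resolves names outside the filter, so keep a list of which hosts have the second NIC and review it alongside the filter's own exemption list.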
BYOD
Securly are still working on a good solution to BYOD. As it stands, users have to manually add the security certificate. I've popped instructions onto a Google Site for users - https://sites.google.com/wheatleypark.org/byod
How users get on with this remains to be seen! They will also need to log in with their school account to be able to browse. For guest access I've created a domain Google Account just for guests that has pretty much every service disabled so they can just use it to log in.
Hopefully there will be a slicker option soon.
Just an update - I've set our BYOD to redirect users to an internal website that allows them to install the certificate much more easily. So what pops up now after they accept our usage policy is:
This seems to work rather well and most users have just got on with it.
Unmanaged ChromeOS Devices
These present a problem at the moment. If a user signs in with their school account, all is well as the filtering is done by the extension. However, if they use a private account, then there is no extension and therefore no filtering. Now you can get Securly to turn on ChromeOS DNS filtering, however, this causes lots of problems where the extension is present as well. Securly are currently working on getting the two to play nicely together. For us, almost all of our devices are managed and therefore it's not much of an issue - but I will be looking for this loophole to be closed asap.
Alerts
Securly alerts go to one email address. We needed several users to be able to see the alerts so made the address a collaborative inbox Google Group which seems to work quite well. Delivery to users is sent as a daily digest - so a summary each day.
So a few tips for anyone going down this route that might save you some time.