Internet Filtering (Lightspeed Systems): SSL filtering
Microsoft Windows Domain Schools
In confidence
Reference: BTLS_LS_domain
Version: 2.4
Date: 31 July 2017
Owner(s): Ash Green / Colin Helliwell
Contents
1.4 Mozilla Firefox
1.6 Intended Audience
1.7 Administrative Rights
2.1 How do I make this work?
2.2 Testing
3.2 DNS configuration
3.3 Wireless devices
3.4 Faulty websites
4.1 GPO settings – detail
BT Lancashire Services Education Services SSL Filtering
Audience: These notes are intended to be used by your ICT technician, network manager or third party ICT support organisation.
Executive summary
The purpose of this document is to assist schools in enabling SSL filtering.
This document details a tool designed to assist schools in deploying the changes required on school Microsoft Windows computers that are part of a domain and are not managed by an MDM tool.
After running this tool, schools will be able to use their Lightspeed admin console reports (at http://filter.education.btlsl.co.uk) to view the contents of secure searches run on their computers. Additionally, Google and Bing search results will reflect the school's filtering policy.
These notes are for use by domain schools (schools whose Windows computers are all managed by a central Windows server), and cover the steps needed to prepare your Windows computers for the Lightspeed SSL filtering facility.
This must not be run in a school which is not connected to the CLEO network.
This document is for Windows computers, tablets, laptops and servers only. Please see the other SSL documentation on the BTLS website for enabling SSL filtering on other devices.
1.1 CLEO connection
This tool should only be run on Microsoft Windows based machines connected to the CLEO network. If your school obtains its internet access from another provider, do not follow these notes.
1.2 Operating systems
These notes are designed to be used with the following operating systems:
Windows XP *
Windows Vista *
Windows 7
Windows 8
Windows 8.1
Windows 10
Server 2016
* Although Windows XP and Vista have been tested, these are no longer supported by Microsoft or BTLS. As such, BTLS will not support any issues relating to the implementation of these Group Policies on those operating systems, and we recommend you upgrade or replace these operating systems.
1.2.1 Windows XP
XP requires two files to be installed prior to using these Group Policies. These can be located on the Microsoft download site at https://www.microsoft.com/en-gb/download. Schools obtaining updates from both BTLS and Microsoft should already have applied these automatically; any schools running their own Windows Software Update Service (WSUS) server should authorise these software updates or manually download them to individual computers:
Microsoft .NET Framework 2.0 Service Pack 1.
Windows Management Framework (KB968930).
Vista requires the Windows Management Framework to be installed (KB968930).
1.3 BTLS SSL filtering option
These notes relate to the secure search filtering option. This enables searches to common search engines (Google/Bing/YouTube) to be decrypted when a secure search is conducted (a secure search will begin with https:// rather than http://). Decryption is possible because the Lightspeed certificate installed by these policies is trusted by the computer, so the filter can present its own certificate for those sites (see section 4). As these searches can be decrypted, schools can use the Lightspeed reporting functions to see what their students and staff have been searching for, and have school policies applied. These changes can be made either before or after the service has been enabled for the school, but they cannot be tested successfully until the service has been enabled by BTLS.
All other search engines will be disabled as part of this change.
1.4 Mozilla Firefox
Firefox uses its own certificate store and proxy auto-configuration (PAC) settings, so the Windows certificate store and Internet Explorer settings applied by the main policies do not reach it. A separate Group Policy for Firefox is available in the GPO pack we provide. This uses an auto-config method created with the CCK2 plugin (https://mike.kaply.com). If schools wish to amend these settings, please follow the link for the associated documentation. BTLS cannot offer support on the CCK2 plugin.
1.5 Active Directory Domain
These notes and scripts are only to be used on Microsoft Windows computers that are part of a domain and not managed by a mobile device management system. Typically, if your staff and students each use unique usernames and passwords then you will have a domain.
1.6 Intended Audience
This change should be undertaken by your local ICT Technician, Network Manager or third party ICT support team.
You must have domain administrator rights. Without domain administrative rights these reconfiguration steps will not function correctly.
2 Importing the settings
Please be aware that the following instructions require reconfiguration steps on your domain controller, and misconfiguration may cause your domain to experience issues or fail. These steps should only be conducted by someone with the appropriate skills. Please also ensure that you have a full WORKING backup, including the System State, of the server which you reconfigure.
2.1 How do I make this work?
We have produced a set of Group Policy Objects which can be imported directly into your domain. These Group Policy Objects should only be imported for use with the operating systems listed in section 1.2 of this guide. We recommend that you pass these guidelines to your network manager, ICT technician or third party support organisation to complete.
1. Log onto your domain server as a domain administrator and copy the Lightspeed GPO file from the BTLS website (https://education.btlancashire.co.uk/support/filtering.aspx) to your desktop. This single file will contain multiple Group Policy Objects.
2. Right-click the downloaded zip file and click "Extract all". Click "Extract" to confirm the extraction directory (use the default).
4. Expand "Group Policy Objects".
5. Right-click "Group Policy Objects" and click "New".
6. Set the title of the GPO to "Computers – Lightspeed SSL filtering" and click OK to save.
7. Repeat steps 5 and 6, naming the new policy "Users – Lightspeed SSL filtering".
8. Right-click the "Computers – Lightspeed SSL filtering" policy and click "Import settings".
9. Click Next on the Import Settings Wizard.
10. As this is a newly created blank GPO, disregard the warning message and click Next on the Backup GPO tab.
11. Click Browse and navigate to the folder which contains the files you extracted above. Click Next.
12. Select the "Computers – Lightspeed SSL filtering" GPO and click Next.
14. Click Finish.
15. The policy is now imported. Click OK when finished.
16. Repeat steps 9-15 to import the backed-up "Users – Lightspeed SSL filtering" policy into your new "Users – Lightspeed SSL filtering" policy.
17. If you do not use Firefox in your school, please skip to step 18. If you do use Firefox, repeat steps 5-15 to create a new "Computers – Firefox SSL" GPO and import the backed-up Firefox CCK2 template from the downloaded zip file into it.
18. Link the policies into your structure. This structure will differ for every site. If in doubt, check in Active Directory Users and Computers to identify where computers and users are managed in the domain's hierarchy.
For BTLS domains, "Computers – Lightspeed SSL filtering" should be linked to the allcomputers OU, and "Users – Lightspeed SSL filtering" should be linked to the alluser OU.
Also link "Computers – Lightspeed SSL filtering" to the Domain Controllers OU.
Also link the "Users – Lightspeed SSL filtering" policy to the OU which contains your administrators.
Do not link any other Group Policy Objects, and do not remove any existing links.
19. If you have created GPOs for Firefox, link them to the allcomputers OU (or your equivalent).
20. In addition to the steps above, check the other GPOs applied to the user to confirm that:
a. no other proxy settings are being applied (a second proxy or PAC setting in another GPO will override or conflict with the Lightspeed one, depending on link order);
b. the school homepage is not set to a site which is now blocked from use (e.g. yahoo.com).
You can either check each policy manually or via the Group Policy Modeling tool in the Group Policy Management console. Follow this link for assistance with Group Policy Modeling: https://technet.microsoft.com/en-us/library/cc771389(v=ws.11).aspx
21. The main Active Directory policy configuration is now complete. If you have not already updated your Rocket configuration, you should now do so (notes are available on the BTLS website).
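The GPO creation, import and link steps above, and the step 20 check, as one PowerShell session run on the domain controller instead of through the GPMC wizard. This is an added example, not BTLS's tool and not part of the GPO pack, and it rests on these assumptions: the GroupPolicy module is present (it is installed with GPMC on a domain controller); the zip was extracted to a folder named Lightspeed on the administrator's desktop; the backed-up GPOs inside the zip carry the same names the guide gives the new policies; the Firefox backup is named "Computers – Firefox SSL" (the guide does not give the backup's name); the OU holding administrators is called Admins; and the step 20 audit is a keyword search over each GPO's XML report, so it flags candidates for a Group Policy Modeling check rather than giving a definitive answer.

```powershell
# Added example (not from the BTLS GPO pack): steps 5-20 of section 2.1 in PowerShell.
Import-Module GroupPolicy

$BackupPath = Join-Path $env:USERPROFILE "Desktop\Lightspeed"   # assumed: where the zip was extracted
$DomainDN   = ([ADSI]"LDAP://RootDSE").defaultNamingContext      # e.g. DC=school,DC=internal
$UseFirefox = $false                                             # $true if the school uses Firefox (step 17)

# Backed-up GPO name inside the zip -> name of the new GPO in the domain (steps 5-17).
$Imports = @{
    "Computers – Lightspeed SSL filtering" = "Computers – Lightspeed SSL filtering"
    "Users – Lightspeed SSL filtering"     = "Users – Lightspeed SSL filtering"
}
if ($UseFirefox) { $Imports["Computers – Firefox SSL"] = "Computers – Firefox SSL" }  # backup name assumed

foreach ($backupName in @($Imports.Keys)) {
    $targetName = $Imports[$backupName]
    if (-not (Get-GPO -Name $targetName -ErrorAction SilentlyContinue)) {
        New-GPO -Name $targetName | Out-Null                                 # steps 5-7: blank GPO
    }
    # Steps 8-15: the wizard's "import settings" from the backup folder into the blank GPO.
    Import-GPO -BackupGpoName $backupName -Path $BackupPath -TargetName $targetName | Out-Null
}

# Steps 18-19: link into the OU structure. allcomputers/alluser are the BTLS names; "Admins" is assumed.
$Links = @(
    @{ GPO = "Computers – Lightspeed SSL filtering"; OU = "OU=allcomputers,$DomainDN" }
    @{ GPO = "Computers – Lightspeed SSL filtering"; OU = "OU=Domain Controllers,$DomainDN" }
    @{ GPO = "Users – Lightspeed SSL filtering";     OU = "OU=alluser,$DomainDN" }
    @{ GPO = "Users – Lightspeed SSL filtering";     OU = "OU=Admins,$DomainDN" }
)
if ($UseFirefox) { $Links += @{ GPO = "Computers – Firefox SSL"; OU = "OU=allcomputers,$DomainDN" } }

foreach ($link in $Links) {
    # Add the link only if it is missing; never touch the OU's other links (step 18).
    $already = (Get-GPInheritance -Target $link.OU).GpoLinks | Where-Object { $_.DisplayName -eq $link.GPO }
    if (-not $already) { New-GPLink -Name $link.GPO -Target $link.OU -LinkEnabled Yes | Out-Null }
}

# Step 20: which OTHER GPOs also push proxy settings or a home page? A keyword search of each
# GPO's XML report; anything listed should be confirmed with Group Policy Modeling.
$pattern = 'ProxyServer|ProxyEnable|AutoConfigURL|AutoDetect|Start Page'
foreach ($gpo in Get-GPO -All) {
    if ($gpo.DisplayName -like "*Lightspeed*") { continue }
    $report = Get-GPOReport -Guid $gpo.Id -ReportType Xml
    $hits = [regex]::Matches($report, $pattern) | ForEach-Object { $_.Value } | Sort-Object -Unique
    if ($hits) { "Review '{0}': also sets {1}" -f $gpo.DisplayName, ($hits -join ", ") }
}
```

Save the script as UTF-8 so the en dash in the policy names survives; if the names in your extracted zip use a plain hyphen, change the strings to match, because Import-GPO looks the backup up by its exact name. Run it once; it is safe to re-run, since both the GPO creation and the links are skipped when they already exist.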
2.2 Testing
After reconfiguration, schools should test devices to ensure that the SSL filtering is working correctly. Remember that the test cannot succeed until BTLS has enabled the service for your school (section 1.3). Please follow the steps below:
On the device to be tested, open a web browser, navigate to http://images.google.com and run an image search. If SSL filtering is working, some of the results will have a blue cross image; these blue crosses represent results from blocked websites. If all images are returned with no blue crosses, filtering is not being applied to this device; please check the configuration on this device.
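A client-side check to run alongside the image-search test, as an added example in Windows PowerShell on the test computer (this is not BTLS's tool or guidance). It looks for the three things the policies are meant to deliver: the filtering certificate in the machine's Trusted Root store, an auto-configuration (PAC) URL for the logged-on user, and, the real proof, that a TLS connection to www.google.com made through the system proxy receives a certificate issued by the filtering CA rather than by Google's own CA. The only assumption is that the CA's subject and issuer names contain the word "Lightspeed"; adjust $CaNameFragment if the certificate you were issued says otherwise.

```powershell
# Added example (not BTLS's tool): verify SSL filtering prerequisites on a test client.
$CaNameFragment = "Lightspeed"   # assumed: text found in the filtering CA's subject/issuer

function Test-FilteringCertificate {
    # The Computers GPO places the certificate in the machine Trusted Root store.
    $certs = @(Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -match $CaNameFragment })
    foreach ($c in $certs) { Write-Host ("Root store: {0} (expires {1:d})" -f $c.Subject, $c.NotAfter) }
    if ($certs.Count -eq 0) { Write-Host "No '$CaNameFragment' certificate in LocalMachine\Root - run gpupdate /force and reboot" }
    return ($certs.Count -gt 0)
}

function Test-PacUrl {
    # The Users GPO sets the auto-configuration URL for the logged-on user; a policy value wins over a preference.
    $keys = "HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings",
            "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
    foreach ($k in $keys) {
        $v = Get-ItemProperty -Path $k -Name AutoConfigURL -ErrorAction SilentlyContinue
        if ($v -and $v.AutoConfigURL) { Write-Host "AutoConfigURL: $($v.AutoConfigURL)  ($k)"; return $true }
    }
    Write-Host "No AutoConfigURL for this user - check the Users GPO link, then log off and on"
    return $false
}

function Test-Interception {
    # Fetch a secure search page through the system proxy (which evaluates the PAC) and look at
    # who issued the certificate presented for www.google.com. Issued by the filtering CA:
    # searches are being decrypted. Issued by Google's CA: traffic is bypassing the filter.
    $req = [Net.HttpWebRequest]::Create("https://www.google.com/")
    $req.Proxy = [Net.WebRequest]::GetSystemWebProxy()
    $req.Proxy.Credentials = [Net.CredentialCache]::DefaultCredentials
    try {
        $resp = $req.GetResponse(); $resp.Close()
    } catch [Net.WebException] {
        # A trust failure here usually means the CA certificate is not installed or not trusted yet.
        Write-Host "HTTPS request failed: $($_.Exception.Message)"
        return $false
    }
    $issuer = $req.ServicePoint.Certificate.Issuer
    Write-Host "www.google.com certificate issued by: $issuer"
    return ($issuer -match $CaNameFragment)
}

$result = New-Object PSObject -Property @{
    CertificateInstalled = Test-FilteringCertificate
    PacUrlSet            = Test-PacUrl
    SearchesDecrypted    = Test-Interception
}
$result | Format-List
```

If CertificateInstalled and PacUrlSet are both True but SearchesDecrypted is False and the issuer shown is Google's, the client is configured but the service has not been enabled for the school yet, or the Rocket configuration (step 21) has not been updated. If the HTTPS request fails with a trust error, the certificate is missing on this machine even though the policy may be linked: check the computer is in the OU the Computers policy is linked to.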
2.3 Follow-up actions
Internet Explorer automatically caches the results of PAC file evaluation. One of the settings these GPOs make disables that caching, forcing a refresh of the PAC contents (required to enable the SSL service). An additional configuration step is therefore needed later to re-enable PAC caching. Complete the following steps two weeks after the main configuration steps are completed, once you are sure all users and machines have logged in at least once:
1. Open the Group Policy Management Console, right-click the "Users – Lightspeed SSL filtering" policy and click Edit.
2. Navigate to: User configuration > …
3. In the Value data box, replace the 0 with a 1. Click Apply followed by OK, then close the Group Policy editor.
3.2 DNS configuration
If DNS contains entries for non-existent domain servers, devices can have trouble resolving the domain and hence can delay or fail to apply the Group Policies. If you are finding that policies do not seem to be applying correctly, DNS will need examining and some items may need to be reconfigured.
BTLS have developed a tool which will check your DNS configuration and advise of any entries for servers with Active Directory roles which are no longer responding. This only works on Server 2012 R2 servers; schools with Server 2008 R2 servers will need to perform this test manually. The tool can be downloaded from the BTLS website.
Please be aware that these are high-risk steps, and an incorrect action may render your whole network unusable. The tool makes no changes to your system and any changes you make are at your own risk. BTLS cannot accept any responsibility for any changes you make to your DNS configuration.
3.2.1 Check DNS via BTLS DNS check tool
1. Download the tool to your domain server from the BTLS website, whilst logged in as an administrator, and run it.
2. The tool lists all the forward DNS zones found on this server. Among these will be a zone named after your domain.
3. Type the name of that zone and press Enter. The tool will query the zone and list all server entries. Correct entries are shown in one colour; entries shown in red cannot be contacted and so need investigation.
The tool does not make any changes to DNS. Using the results returned by the tool, a technician with the appropriate skills may identify the correct DNS zone and investigate the entries which have shown as red text. In order for DNS to function correctly, there should be no entries for non-responsive servers within DNS.
3.2.2 Manually check DNS:
1. On the faulty client, open a command prompt and run nslookup FQDN (where FQDN is the fully qualified domain name for your network). Examine the addresses that are returned. These are the domain controllers that DNS believes exist (each domain controller registers its own address against the domain name). If some of these are incorrect then DNS resolution will likely be failing intermittently. This needs to be rectified, but should only be attempted by a technician with experience of configuring DNS. Deleting incorrect records can result in a broken domain, meaning that users cannot log on.
2. On your primary DNS server, check within the Forward Lookup Zone for your domain that the only DNS servers logged as name servers are ones which exist. You may find that you need to run DNS scavenging on the DNS server, as well as restarting the DNS service. Ensure that only active name servers are registered under the Name Servers tab of the forward lookup zone properties.
3. Ensure that any secondary DNS servers are set up correctly, and that zone transfers are permitted between servers.
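What the BTLS tool and the manual check above are both looking for, as an added PowerShell example (this is not the BTLS tool): it lists every server the domain's DNS advertises, from the zone's NS records (step 2 above) and from the _ldap._tcp.dc._msdcs SRV records that clients use to find a domain controller at logon, resolves each, and tests whether it answers on the port its role needs (53 for a name server, 389 for a domain controller). It makes no changes; a server reported as not responding is something to investigate, not something to delete. It assumes Resolve-DnsName is available (Windows 8 / Server 2012 and later, the same limitation as the BTLS tool) and takes the domain name from the logged-on user's environment.

```powershell
# Added example (not the BTLS DNS check tool): read-only check of the servers DNS advertises.
$Domain = $env:USERDNSDOMAIN          # assumed domain-joined; otherwise set e.g. "school.internal"

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }   # no answer in time
        $client.EndConnect($async)
        return $true
    } catch { return $false } finally { $client.Close() }
}

function Get-AdvertisedServers {
    # Returns host name -> role(s): "NS" from the zone's name-server records (section 3.2.2 step 2),
    # "DC" from the SRV records clients use to locate a domain controller at logon.
    param([string]$Domain)
    $servers = @{}
    Resolve-DnsName -Name $Domain -Type NS -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq "NS" } |
        ForEach-Object { $servers[$_.NameHost.ToLower()] = "NS" }
    Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq "SRV" } |
        ForEach-Object {
            $n = $_.NameTarget.ToLower()
            $servers[$n] = if ($servers.ContainsKey($n)) { "NS,DC" } else { "DC" }
        }
    return $servers
}

$advertised = Get-AdvertisedServers -Domain $Domain
foreach ($entry in ($advertised.GetEnumerator() | Sort-Object Key)) {
    $name  = $entry.Key; $roles = $entry.Value
    $ip    = (Resolve-DnsName -Name $name -Type A -ErrorAction SilentlyContinue |
              Where-Object { $_.Type -eq "A" } | Select-Object -First 1).IPAddress
    # Only test the port that the advertised role requires; $null means "not applicable".
    $dnsOk  = if ($ip -and $roles -match "NS") { Test-TcpPort $ip 53 }  else { $null }
    $ldapOk = if ($ip -and $roles -match "DC") { Test-TcpPort $ip 389 } else { $null }
    # A record that names a server which does not answer is the red entry the guide describes.
    $bad   = (-not $ip) -or ($dnsOk -eq $false) -or ($ldapOk -eq $false)
    $state = if ($bad) { "NOT RESPONDING - investigate" } else { "OK" }
    "{0,-40} {1,-6} {2,-15} dns:{3,-5} ldap:{4,-5} {5}" -f $name, $roles, $ip, $dnsOk, $ldapOk, $state
}
```

Run it on the faulty client as well as on the domain controller: a server that is OK from the DC but not from the client points at a firewall or VLAN problem rather than a stale record. A name with no IP at all is the case the guide warns about most, a name-server or DC record left behind after the server was removed.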
3.3 Wireless devices
If you are finding that the certificates are not deploying to wirelessly connected devices (and that user settings may not be applied), then you may need to tell devices to wait for the network before starting up. The screenshots for these steps are not preserved; in outline: create a new Group Policy Object at the OU where the target machines reside, naming it "Computers – Wait …", enable the "Always wait for the network at computer startup and logon" setting and confirm, then link the Group Policy Object.
3.4 Faulty websites
Some schools have experienced issues with some websites not displaying correctly following the transfer to the SSL filtering system. These have related to the incorrect detection of zone by Internet Explorer: parts of the website have been detected as in the "Intranet zone" rather than the "Internet zone". Examples of sites presenting with such issues are "Teachers 2 Parents" and "Mymaths".
If your school experiences similar issues, please follow the steps below. The steps use the www.mymaths.co.uk website as an example site:
In the Group Policy Management Console, locate the Organisational Unit (OU) containing the user accounts. Right-click the OU name and click "Create a GPO in this domain, and Link it here…". Name the policy "Users – Lightspeed Intranet Zone settings" and click OK.
Right-click the new GPO and click Edit. Navigate to User configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page.
Open each of the following policies and set them to Enabled:
• Intranet sites: Include all local (intranet) sites not listed in other zones
• Intranet sites: Include all network paths (UNCs)
Open each of the following policies and set them to Disabled:
• Intranet sites: Include all sites that bypass the proxy server
• Turn on automatic detection of intranet
Open the "Site to Zone Assignment List" policy, click Enabled and click "Show". In the Value name box, enter the name of the faulty website without http://, https:// or any subfolders (e.g. www.mymaths.co.uk, not http://www.mymaths.co.uk/a/res/1.html). Enter a value of 3 (the Internet zone) in the Value box. Repeat for any other faulty websites. Click OK to close the Show Contents box, OK to close the Site to Zone Assignment List, and then close the Group Policy editor.
After completing these steps, reboot a computer which has been experiencing problems with this website, log in and try the website again. As this remedy is applied through a GPO, it may take up to 15 minutes for the setting to reach the computer.
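The same fix as a PowerShell script, added here as an example that is not part of the BTLS GPO pack. It writes the four Security Page settings and the Site to Zone Assignment List into a new user GPO through the registry locations that those Administrative Template settings use, normalises each faulty site to the bare host name the list expects, and ends with a small function to run on a client to read back what the policy delivered. Assumptions: the user OU is alluser under the domain root (the BTLS name from section 2.1), and the only site listed is the guide's example www.mymaths.co.uk, given in two spellings to show the normalisation.

```powershell
# Added example (not from the BTLS GPO pack): section 3.4 as a scripted GPO.
Import-Module GroupPolicy

$GpoName = "Users – Lightspeed Intranet Zone settings"
$UsersOU = "OU=alluser," + ([ADSI]"LDAP://RootDSE").defaultNamingContext   # assumed BTLS user OU
$IeKey   = "HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"

function ConvertTo-ZoneMapHost {
    # The Site to Zone Assignment List wants a bare host: no scheme, port, path or query
    # (www.mymaths.co.uk, not http://www.mymaths.co.uk/a/res/1.html).
    param([string]$Site)
    $s = $Site.Trim()
    if ($s -notmatch '^[A-Za-z][A-Za-z0-9+.-]*://') { $s = "http://$s" }   # [Uri] needs a scheme
    return ([Uri]$s).Host.ToLower()
}

# Sites that IE wrongly puts in the Intranet zone; both spellings normalise to one entry.
$FaultySites = "http://www.mymaths.co.uk/a/res/1.html", "WWW.MYMATHS.CO.UK"

if (-not (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $GpoName | New-GPLink -Target $UsersOU | Out-Null   # "Create a GPO ... and Link it here"
}

# Security Page > Intranet sites: the first two Enabled (1), the second two Disabled (0).
$zoneMap = @{
    IntranetName  = 1   # Include all local (intranet) sites not listed in other zones
    UNCAsIntranet = 1   # Include all network paths (UNCs)
    ProxyBypass   = 0   # Include all sites that bypass the proxy server
    AutoDetect    = 0   # Turn on automatic detection of intranet
}
foreach ($name in $zoneMap.Keys) {
    Set-GPRegistryValue -Name $GpoName -Key "$IeKey\ZoneMap" -ValueName $name -Type DWord -Value $zoneMap[$name] | Out-Null
}

# Site to Zone Assignment List: enabling the policy sets ListBox_Support_ZoneMapKey; each entry is
# value name = host, data = zone number as a string (3 = Internet).
Set-GPRegistryValue -Name $GpoName -Key $IeKey -ValueName ListBox_Support_ZoneMapKey -Type DWord -Value 1 | Out-Null
$hosts = $FaultySites | ForEach-Object { ConvertTo-ZoneMapHost $_ } | Sort-Object -Unique
foreach ($h in $hosts) {
    Set-GPRegistryValue -Name $GpoName -Key "$IeKey\ZoneMapKey" -ValueName $h -Type String -Value "3" | Out-Null
}
"Assigned to the Internet zone: $($hosts -join ', ')"

function Get-DeliveredZoneMap {
    # Run on a client after gpupdate /force and a fresh logon: the entries the policy delivered.
    $k = "HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey"
    $p = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
    if ($p) { $p.PSObject.Properties | Where-Object { $_.Name -notlike "PS*" } | Select-Object Name, Value }
}
```

After running it, open the GPO in the editor: the four settings and the list appear under the Security Page node exactly as if set by hand, because Set-GPRegistryValue writes the same policy registry entries the templates do. Note that a site placed in the Site to Zone Assignment List this way can no longer be moved by the user in Internet Options, which is the intended effect here.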
4 Appendix - What do the GPOs do?
The supplied Group Policy Objects (GPOs) enable schools to filter the contents of secure searches on Bing and Google (https traffic). This requires a certificate to be installed on your machines, as well as a PAC file to configure internet access:
a. The Computers – Lightspeed SSL filtering GPO issues the Lightspeed certificate to each computer. Because this certificate is placed in each computer's trusted root store, those computers will trust any certificate the Lightspeed filter presents on behalf of a site; this is why the policies must only be applied to machines on the CLEO network (section 1.1).
b. The Users – Lightspeed SSL filtering GPO sets the auto-configuration URL, disables the auto-detection of internet settings and disables automatic caching of PAC files.
c. The Computers – Firefox SSL filtering GPO runs a login script which imports the certificate and PAC settings into Firefox (tested with Firefox 48). These settings were made with the CCK2 add-in, using the autoconfig option. This script is set to execute the copy command once only.
4.1 GPO settings – detail
The following images show the settings which are made with the supplied Group Policy Objects. [Setting list in GPO: screenshots not preserved in this extract.]