Securus NET is an explicit proxy that can monitor network traffic from all network based devices.
Packets are subject to Securus analysis, where words and phrases are matched against our proprietary dictionary of terms. Any dictionary matches will result in an ‘event call’ where the software uses the packet information to call on the website to produce an image. Packet information regarding date & time and machine information will also be sent along with the image. The capture can then be viewed within the Securus cloud portal, exactly the same way as Windows or Chromebook captures.
A PAC file is generated during the installation which is used to point the devices to the Securus NET Proxy, the file is also hosted on the server directly and can be deployed via MDM. The PAC file can also be used in BYOD environments to point unmanaged devices to the proxy by modifying the Wi-Fi profile.
For the purposes of support and modifications, we recommend that the NET proxy is installed to a virtual machine, but it can also be installed to dedicated hardware if required.
Securus NET can also integrate with other existing upstream proxies to form a proxy chain, NET will come first in this chain, and then others will follow.
Server Requirements
NET can be installed to a virtual machine (HyperV, VMware, Oracle VirtualBox, etc) or hardware in explicit mode.
Note that the below serves as a guideline and is subject to network configuration and is irrespective of device type.
The NET ISO will only work for UEFI boot.
Server Specification
Up to 800 connections
4 Core Processor.
8GB RAM.
200GB HDD (captures held in our cloud service).
No operating system required.
Generation 2 VM (if using HyperV).
Up to 2500 connections
8 Core Processor.
12GB RAM.
200GB HDD (captures held in our cloud service).
No operating system required.
Generation 2 VM (if using HyperV).
2500+ Connections
Server specification outlined in each case before implementation.
Please note that no captures are stored on the NET server itself, captures will broadcast to our highly secure cloud environment as soon as they are created. You will be provided login details to the Capture Management portal to view the capture data.
Captures only occur in cases where a library term has been detected over the network.
Mobile Device Requirements
iOS 13 or higher
Android 4.4.2 or higher
Firewall Requirements
We recommend whitelisting the following addresses and ports on the firewall to allow full communication to our services.
Net1.securus-software.com
IP: 167.99.94.236
Port: 443 and 80 TCP
Net-license.securus-software.com
IP: 206.189.27.245
Port: 1195
Securus NET Installation
Please read the below instructions carefully to avoid misconfiguration or installation failures.
The server MUST have unfiltered internet access during the install process to ensure the software and updates are installed properly.
The VM must have EFI boot enabled (Generation 2 in HyperV) otherwise the install will fail.
If any of the below options or settings are missing from your installation, please contact the support team to get the most recent copy of the Securus NET ISO.
Installation – Explicit Mode (VM or hardware)
Burn the ISO to a disc or USB and insert if installing to hardware, or simply mount it to a new Virtual Machine.
We recommend balenaEtcher if using a USB for hardware installs.
Boot the server from disc or ISO to start. If booted correctly in EFI mode, you will see the NixOS install logo.
Press Enter or wait 10 seconds for the top option to be selected automatically.
The installer will attempt to automatically detect the attached storage device. Type y and press Enter to use the selected disk.
Which Securus Cloud server do you belong to?
This defines the server you will be connecting to – i.e. cloud08. This will be provided by Securus support in the setup email.
Which OU does your school belong to?
Defines your school's OU on the server – i.e. LeatherheadPrimarySchool. This will have been provided in your initial installation email.
Which IP address should I use?
Type in the IP address that you are allocating to the NET installation. This must be a free an unused IP address on your network.
Which gateway should I use?
Type in your gateway IP address.
Which DNS addresses should I use?
Enter your DNS addresses, separated by commas as shown in the example above in priority order. Local DNS addresses should be prioritised first.
If you intend to use Hostname authentication (explained further below), we’d recommend typing in the main DC or DNS only.
Which Netmask should I use in CIDR format?
Type in your Subnet in CIDR format and press Enter.
Do I require a proxy?
This stage allows the entry of an upstream proxy address to be entered into the config, for situations where a school has another explicit proxy such as a filter.
Type Y or n and press Enter.
If pressing Y, enter the upstream proxy address and port number.
Please note that we do not support authenticated proxies.
Which authentication method would you like to use?
This option is for the authentication method the Captive Portal will use to handle logins. For more information on the Captive Portal, please click here.
LDAP
Will use LDAP, integrating with your onsite Active Directory. Users will need to login with their Active Directory details. This will also provide their Active Directory username for the capture information. Note that this will not integrate with Azure AD and will only work with an onsite AD server.
Google
Will use Google’s SSO authentication within the Captive Portal.
This is best for 1:1 device assignments as Google’s authentication will usually keep the same user logged in once they have authenticated with a device. With Google SSO enabled, the captive portal will redirect to the Google login page and will log the user into their Google account via browser session. Securus NET will grab these details from the browser session and use the domain and username for captures.
Users will need to log out of any Google account sessions manually and left idle for more than 3 minutes (configurable) to force re-authentication for a new user in shared device environments.
Azure
Will use Azure SSO authentication within the Captive Portal.
Similar to Google, this is best for 1:1 devices and users will need to sign out from Microsoft within their browser sessions to allow a new user to sign in with shared device environments.
MAC as username
Will hide the Captive Portal (no login necessary) and will attempt to use the devices MAC address as the username for captures.
Hostname as username
Will hide the Captive Portal (no login necessary) and will attempt to use hostname of the device as the username on captures.
Radius
Like option 1, this enables the Captive Portal with LDAP authentication and also enables Radius support. Once this option is selected, the server will look for and accept Radius network packets that are pushed to it.
None
Will hide the Captive Portal and will display the devices IP address as the username instead.
Hostname and MAC address authentication requires Private Wi-Fi Address to be turned off to work correctly. More information here. Hostname authentication also requires a reverse DNS lookup zone to be configured.
Please type in the student/BYOD WiFi SSID (Optional)
This is an optional step that is useful BYOD environments. When entered, a QR code will be generated that a BYOD user can scan to connect to the designated Wi-Fi network.
Type in the SSID name and press Enter, or leave blank and press Enter to skip this step.
Please type in the password for the above WiFi (Optional)
As above, this is an optional step. If entering a Wi-Fi SSID, type in the password associated to the SSID.
Or leave blank and press Enter to skip this step.
Confirm Installation Information
You will be asked to confirm that the settings are correct. Type ‘Y’ and press enter to continue.
If you have made a mistake, type ‘n’ and press enter and select which section you would like to change. Network settings can also be changed post install.
Press:
To change the cloud information or OU name.
To change the network information assigned to the device.
To change the selected authentication method.
Installation Start
After this process, the network configuration utility will start and will detect and apply the network adapter that is assigned to the VM. If everything is ok, the installation will begin and can take up to 20 minutes to complete.
Once the install has finished, you will be presented with the Securus NET console screen.
Please move onto the Post Install section.
Installation for BYOD Environments
Installing for a BYOD environment is almost the same as for an explicit setup, except in this configuration, the PAC file is used to provide proxy information to the device.
Follow the steps from the Explicit Setup section as normal, and then move onto the Post Install section to get the certificate and PAC file location.
BYOD users will need to download the SSL certificate by using the generated QR code on the onboarding page. Users will then need to define the PAC file location (also displayed on the onboarding page) in the Wi-Fi profile to get the proxy information.
Android - https://www.howtogeek.com/295048/how-to-configure-a-proxy-server-on-android/
iOS - https://www.howtogeek.com/293676/how-to-configure-a-proxy-server-on-an-iphone-or-ipad/
Post Install
Once the installation is complete, you will be presented with the Securus NET Terminal Interface.
Please email the Securus helpdesk with your Authorisation Code displayed on the main menu.
We will then promptly authorise the new incoming connection and we’ll let you know once this is done. This will trigger the second part of the installation where the NET server will connect to our licensing server and will install the license, pull down the latest monitoring library and allow lists, and the Securus NET software libraries. This process can take up to 15 minutes.
VM Console Options
See below for a detailed description of each option.
I - System Information
This will show which cloud service the NET server is connected to, SSL certificate download link, Admin link and password, PAC file link, system uptime, CPU usage and storage usage.
S - Securus NET Status
This will show whether the NET services are up and connected.
P - Ping any address
Will allow you to ping internal or external devices to test for connectivity.
L - Update Licence
Allows you to update the licence, can also be used to query the licensing server to check for connectivity outside of the network.
N - Network Information
This will show the network details that are currently assigned to the device. If no tunnel address is shown, please check your firewall and ensure the addresses listed in the Firewall Requirements section are whitelisted. If the firewall rules are in place, please contact support to investigate.
A - Allowlist Changes
This option allows you to add URL’s into the allow list to stop applications and certain websites from being blocked when using the Securus NET Proxy.
Press A to enter the configuration menu.
You will be prompted to edit an existing custom entry, add a new entry or remove an existing entry.
Add a new entry
To add a new entry, type new and press Enter.
You will then be prompted to enter a URL. For example, to allow the YouTube app, type in youtube.com.
Once the entry has been added, you will be prompted to restart the services to apply the change. If you want to add more entries, type n and press Enter and restart the process.
If you are done adding new entries, type Y and press Enter. The services will restart and you will be taken back to the main menu. You can press A again and you will see the new entry in the list.
Edit an entry
To edit an existing entry, simply in the number of the entry you want to list. In the above example we only have one entry so we will type 1 and press Enter.
Make your changes and then press Enter.
As before, if you are happy with the changes, press Y and Enter to restart the services.
Remove an entry
To remove an entry, type remove and press Enter.
Then type the number of the entry you want to remove and press Enter.
Type Y and then Enter to restart the services and apply the changes.
Download the Securus NET SSL Certificate
The Securus NET SSL certificate is generated during the install and is unique to every installation. The certificate will expiree 5 years from the date of installation.
Please be aware that reinstalling the Securus NET server will generate a new certificate which would need to be deployed to your devices again.
To get the certificate you will need to open a web browser and go to:
http://server.ip.address/securus.crt
In some cases the browser may display the contents of the file instead of download it. If this happens, copy and paste all of the displayed text into a new Notepad file and save it with a .crt format.
There will also be a link to the certificate on the Onboarding Page.
You can also find the URL to download the link by pressing I on the console screen for System Information.
PAC File Location
The Proxy Auto-Config (PAC) should be used to point devices to the proxy. This is also useful for BYOD environments with unmanaged devices.
Press I on the VM console to display the system information.
The PAC file can be applied through an MDM with the certificate at the same time.
Alternatively the PAC file can be downloaded/saved and hosted elsewhere on the network. You will be given a URL to the PAC file, go to the address in a web browser and the file will download automatically. In some cases it may display the contents of the file instead, if so, copy and paste the entire contents into a new Notepad file and save it as “proxy.pac”.
Admin Page
The Admin Page can be reached by going to:
http://server.ip.address:8000/admin.html
Here you can upload AUP background and logo images, a custom upstream proxy certificate (for a filter or firewall etc), and generate a QR code for a Wi-Fi network.
Change AUP Images
The AUP can be customised by uploading a custom background and logo image.
To start click on Browse and locate the file you want to upload. Note that jpg/jpeg/png file formats are fine but must be under 2MB in size. Select the file you want to upload and then select the type of image from the dropdown menu below.
For a background image, select Background. For a logo, select Logo.
Type in the Admin password found on the System Information screen and click Upload Image.
If the file upload was completed, you will be shown a success page.
To upload another image, click back on the browser and start the process again.
Upload Upstream Proxy Certificate
The Admin page supports uploading a custom certificate for a filter or upstream proxy. The file should be a .crt file format if possible.
To upload a certificate, click Browse to locate the file you want to upload. Once selected, change the dropdown option to Certificate, type in the Admin Password and click Upload.
The upload may take a few seconds as a service needs to also restart to apply the certificate. Once completed you will receive a success page.
Generate Wi-Fi QR Code (Optional)
If not done during the install, a QR code can be generated for the pupil Wi-Fi network on the admin page. This is an optional step and can be skipped if not needed.
Type in the required details for the SSID name and Password. Then type in the Admin Password and click Generate QR Code.
A success page will show once complete.
The QR code will update on the Onboarding Page.
Onboarding Page
The Onboarding Page displays useful information for BYOD users to be able to download the certificate and join a Wi-Fi network.
The onboarding page can be reached by going to:
http://server.ip.address/
To the left is a QR code which links to the Securus NET SSL certificate. To the right is a QR code for the Wi-Fi SSID if generated.
At the bottom of the page you will find a link to the proxy PAC file location and another download link to the Securus NET SSL certificate.
This page is printable (landscape recommended) and hung around the school in BYOD environments to allow users to quickly download the SSL certificate and find the location of the PAC file. For BYOD environments, the PAC file will also need to be defined against the WiFi profile in order to receive the proxy information.
Capture Testing
It is recommended that the connection and capture creation be tested once the installation is complete. The below examples apply to school managed devices and BYOD environments.
Apply the proxy PAC file location to the device’s Wi-Fi profile.
Android - https://www.howtogeek.com/295048/how-to-configure-a-proxy-server-on-android/
iOS - https://www.howtogeek.com/293676/how-to-configure-a-proxy-server-on-an-iphone-or-ipad/
This will later need to be set for every device being monitored by NET and can be done via MDM.
Then install the Securus NET certificate onto the device as a root authority on the test machine (images for Windows below). If installing onto iOS, the certificate will also need to be trusted.
Then go to Wikipedia and search for “AK47” and “Our Secret”.
If enabled during install, the Captive Portal login prompt will show. Login with your Active Directory details and the webpage will continue to load as normal. You may also need to open a new tab and complete the search again.
This should then generate several captures that can be then viewed in the Securus console.
The proxy can now be deployed site wide using an MDM for managed devices or BYOD users can use the QR Codes to get the certificate and PAC URL.
Troubleshooting and FAQ
I selected hostname authentication selected during install but I am still seeing the captive portal.
The captive portal will display when the hostname authentication fails on the device. This usually happens if Private WiFi is enabled on the iPad or the iPads are not registered correctly within your DNS.
If the hostname still fails with Private WiFi disabled then please contact the support team for further investigation.
Hostname authentication will also require a Reverse Lookup Zone within your DNS to properly populate the iPad hostnames within DNS.
https://activedirectorypro.com/configure-dns-reverse-lookup-zones-ptr-records/
https://bobcares.com/blog/set-rdns-in-windows-name-servers/
Useful Information
Lightspeed MDM
If using Lightspeed MDM on site you should enable a setting called “Bypass captive login iOS10+”. This will fix any issues with the captive portal not loading or redirecting and WiFi disconnects when not authenticated.
Meraki MDM
As above, we’d recommend enabling “Bypass captive portal (for iOS10 and later)” in WiFi settings to ensure the Wifi will connect before authenticating with the captive portal.
Mosyle MDM
We would recommend enabling “Disable Captive Network Detection (iOS only)” in the Network information page.
As above, this will stop the WiFi from disconnecting on a device when the user is not authenticated with Securus NET.