Securus NET is an explicit proxy that can monitor network traffic from all network based devices.
Packets are subject to Securus analysis, where words and phrases are matched against our proprietary dictionary of terms. Any dictionary matches will result in an ‘event call’ where the software uses the packet information to call on the website to produce an image. Packet information regarding date & time and machine information will also be sent along with the image. The capture can then be viewed within the Securus cloud portal, exactly the same way as Windows or Chromebook captures.
A PAC file is generated on installation which is used to point the devices to the Securus NET Proxy, the file is also hosted on the server directly and can be deployed via MDM. The PAC file can also be used in BYOD environments to point unmanaged devices to the proxy by modifying the Wi-Fi profile.
For the purposes of support and modifications, we recommend that the NET proxy is installed to a virtual machine, but it can also be installed to dedicated hardware if required.
Securus NET can also integrate with other existing upstream proxies to form a proxy chain, NET will come first in this chain, and then others will follow.
Server Requirements
NET can be installed to a virtual machine (HyperV, VMware, Oracle VirtualBox, etc) or hardware in explicit mode.
Note that the below serves as a guideline and is subject to network configuration and is irrespective of device type.
The NET ISO will only work for UEFI boot.
Server Specification
Up to 800 connections
4 Core Processor.
8GB RAM.
200GB HDD (captures held in our cloud service).
No operating system required.
Generation 2 VM (if using HyperV).
Up to 2500 connections
8 Core Processor.
12GB RAM.
200GB HDD (captures held in our cloud service).
No operating system required.
Generation 2 VM (if using HyperV).
2500+ Connections
Server specification outlined in each case before implementation.
Please note that no captures are stored on the NET server itself, captures will broadcast to our highly secure cloud environment as soon as they are created. You will be provided login details to the Capture Management portal to view the capture data.
Captures only occur in cases where a library term has been detected over the network.
Mobile Device Requirements
iOS 13 or higher
Android 4.4.2 or higher
Firewall Requirements
We recommend whitelisting the following addresses and ports on the firewall to allow full communication to our services.
Net1.securus-software.com
IP: 167.99.94.236
Port: 443 and 80 TCP
Net-license.securus-software.com
IP: 206.189.27.245
Port: 1195
Securus NET Installation
Please read the below instructions carefully to avoid misconfiguration or installation failures.
The server MUST have unfiltered internet access during the install process to ensure the software and updates are installed properly.
The VM must have EFI boot enabled (Generation 2 in HyperV) otherwise the install will fail.
If any of the below options or settings are missing from your installation, please contact the support team to get the most recent copy of the Securus NET ISO.
Installation – Explicit Mode (VM or hardware)
Burn the ISO to a disc or USB and insert if installing to hardware, or simply mount it to a new Virtual Machine.
We recommend balenaEtcher if using a USB for hardware installs.
Boot the server from disc or ISO to start. If booted correctly in EFI mode, you will see the NixOS install logo.
Press Enter or wait 10 seconds for the top option to be selected automatically.
The installer will attempt to automatically detect the attached storage device. Type y and press Enter to use the selected disk.
Which Securus Cloud server do you belong to?
This defines the server you will be connecting to – i.e. cloud08. This will be provided by Securus support in the setup email.
Which OU does your school belong to?
Defines your school's OU on the server – i.e. LeatherheadPrimarySchool. This will have been provided in your initial installation email.
Which IP address should I use?
Type in the IP address that you are allocating to the NET installation. This must be a free an unused IP address on your network.
Which gateway should I use?
Type in your gateway IP address.
Which DNS addresses should I use?
Enter your DNS addresses, separated by commas as shown in the example above in priority order. Local DNS addresses should be prioritised first.
If you intend to use Hostname authentication (explained further below), we’d recommend typing in the main DC or DNS only.
Which Netmask should I use in CIDR format?
Type your CIDR and press Enter.
Do I require a proxy?
This stage allows the entry of an upstream proxy address to be entered into the config, for situations where a school has another explicit proxy such as a filter.
Type Y or n and press Enter.
If pressing Y, enter the upstream proxy address and port number.
Please note that we do not support authenticated proxies.
Which authentication method would you like to use?
This option is for the authentication method the Captive Portal will use to handle logins. For more information on the Captive Portal, please click here.
LDAP
Will use LDAP, integrating with your onsite Active Directory. Users will need to login with their Active Directory details. This will also provide their Active Directory username for the capture information. Note that this will not integrate with Azure AD and will only work with an onsite AD server.
Google
Will use Google’s SSO authentication within the Captive Portal.
This is best for 1:1 device assignments as Google’s authentication will usually keep the same user logged in once they have authenticated with a device. With Google SSO enabled, the captive portal will redirect to the Google login page and will log the user into their Google account via browser session. Securus NET will grab these details from the browser session and use the domain and username for captures.
Users will need to log out of any Google account sessions manually and left idle for more than 3 minutes (configurable) to force re-authentication for a new user in shared device environments.
Azure
Will use Azure SSO authentication within the Captive Portal.
Similar to Google, this is best for 1:1 devices and users will need to sign out from Microsoft within their browser sessions to allow a new user to sign in with shared device environments.
MAC as username
Will hide the Captive Portal (no login necessary) and will attempt to use the devices MAC address as the username for captures.
Hostname as username
Will hide the Captive Portal (no login necessary) and will attempt to use hostname of the device as the username on captures.
Radius
Like option 1, this enables the Captive Portal with LDAP authentication and also enables Radius support. Once this option is selected, the server will look for and accept Radius network packets that are pushed to it.
None
Will disable the Captive Portal entirely and will display the devices IP address as the username instead.
Hostname and MAC address authentication requires Private Wi-Fi Address to be turned off to work correctly. More information here. Hostname authentication also requires a reverse DNS lookup zone to be configured.
Please type in the student/BYOD WiFi SSID (Optional)
This is an optional step that is useful BYOD environments. When entered, a QR code will be generated that a BYOD user can scan to connect to the designated Wi-Fi network.
Type in the SSID name and press Enter, or leave blank and press Enter to skip this step.
Please type in the password for the above WiFi (Optional)
As above, this is an optional step. If entering a Wi-Fi SSID, type in the password associated to the SSID.
Or leave blank and press Enter to skip this step.
Confirm Installation Information
You will be asked to confirm that the settings are correct. Type ‘Y’ and press enter to continue.
If you have made a mistake, type ‘n’ and press enter and select which section you would like to change. Network settings can also be changed post install.
Press:
To change the cloud information or OU name.
To change the network information assigned to the device.
To change the selected authentication method.
Installation Start
After this process, the network configuration utility will start and will detect and apply the network adapter that is assigned to the VM. If everything is ok, the installation will begin and can take up to 20 minutes to complete.
Once the install has finished, you will be presented with the Securus NET console screen.
Please move onto the Post Install section.
Installation for BYOD Environments
Installing for a BYOD environment is almost the same as for an explicit setup, except in this configuration, the PAC file is used to provide proxy information to the device.
Follow the steps from the Explicit Setup section as normal, and then move onto the Post Install section to get the certificate and PAC file location.
BYOD users will need to download the SSL certificate by using the generated QR code on the onboarding page. Users will then need to define the PAC file location (also displayed on the onboarding page) in the Wi-Fi profile to get the proxy information.
Android - https://www.howtogeek.com/295048/how-to-configure-a-proxy-server-on-android/
iOS - https://www.howtogeek.com/293676/how-to-configure-a-proxy-server-on-an-iphone-or-ipad/