Versions Compared

Version Old Version 21 New Version 62
Changes made by

Chris Collins

Chris Collins

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Table of Contents
minLevel1
maxLevel6
outlinefalse
styledisc
typelist
printabletrue

Securus

NET

Proxy is an explicit proxy that can monitor network traffic from all network based devices.

Packets are subject to Securus analysis, where words and phrases are matched against our proprietary dictionary of terms. Any dictionary matches will result in an ‘event call’ where the software uses the packet information to call on the website to produce an image. Packet information regarding date & time and machine information will also be sent along with the image. The capture can then be viewed within the Securus cloud portal, exactly the same way as Windows or Chromebook captures.

A PAC file is generated during the installation which is used to point the devices to the Securus

NET

Proxy, the file is also hosted on the server directly and can be deployed via MDM. The PAC file can also be used in BYOD environments to point unmanaged devices to the proxy by modifying the Wi-Fi profile.

For the purposes of support and modifications, we recommend that the

NET

proxy is installed to a virtual machine, but it can also be installed to dedicated hardware if required.

Securus

NET

Proxy can also integrate with other existing upstream proxies to form a proxy chain,

NET

Securus will come first in this chain, and then others will follow.

If you have any questions about the installation, please contact the support team at support@securus-software.com or 01372 388 530.

Server Requirements

NET

Securus Proxy can be installed to a virtual machine (HyperV, VMware, Oracle VirtualBox, etc) or onto hardware if preferred.

Note

Note that the below serves as a guideline and is subject to network configuration and is irrespective of device type.

The

NET

ISO will only work for UEFI boot.

Server Specification

Up to 800 connections

  • 4 Core Processor.

  • 8GB RAM (do not use dynamic memory).

  • 100-200GB HDD (captures held in our cloud service).

  • No operating system required.

  • UEFI Boot enabled and Secure Boot disabled

.MAC address spoofing or MAC promiscuous mode enabled

  • .

  • Generation 2 VM (if using HyperV).

Up to 2500 connections

Generation

  • 8 Core Processor.

  • 12GB RAM (do not use dynamic memory).

  • 200GB HDD (captures held in our cloud service).

  • No operating system required.

  • UEFI Boot enabled and Secure Boot disabled.

  • MAC address spoofing or MAC promiscuous mode enabled.

    • Generation 2 VM (if using HyperV).

    2500+ Connections

    • Server specification outlined in each case before implementation.

    Please note that no captures are stored on the

    NET

    proxy server itself, captures will broadcast to our highly secure cloud environment as soon as they are created. You will be provided login details to the Capture Management portal to view the capture data.

    Captures only occur in cases where a library term has been detected over the network.

    Mobile Device Requirements

    • iOS 13 or higher

    • Android 4.4.2 or higher

    Firewall Requirements

    We recommend whitelisting the

    The following addresses and ports will need to be allow listed on the firewall to allow full communication to our services.

    • Net1.securus-software.com (167.99.94.236)

      • Ports 443 and 80 TCP

    • Net-license.securus-software.com (139.59.197.211 and 206.189.27.245)

    Port

      • Ports 443 and 1194 TCP

    • *.nixos.org

    • nixos.org/channels

    Securus

    NET

    Proxy Installation

    Note

    Please read the below instructions carefully to avoid misconfiguration or installation failures.

    The server MUST have unfiltered internet access during the install process to ensure the software and updates are installed properly.

    The VM must have EFI boot enabled (Generation 2 in HyperV) otherwise the install will fail.

    DHCP must be enabled.

    If any of the below options or settings are missing from your installation, please contact the support team to get the most recent copy of the Securus

    NET

    Proxy ISO.

    Virtual Machine Install

    Create a new virtual machine
    Note

    The server will need to be authorised before it will work correctly. This is covered in the Post Install section.

    Virtual Machine Install

    Create a new virtual machine in your preferred virtual environment and ensure that UEFI boot is enabled

    ,

    and disable Secure Boot

    and enable MAC Promiscuous Mode

    .

    HyperV

    For HyperV ensure the VM is a set to Generation 2

    ,

    and disable Secure Boot

    and enable MAC address spoofing under Advanced Settings.image-20240709-121959.pngImage Removedimage-20240709-121843.pngImage Removed

    .

    image-20240712-124742.pngImage Added

    Do not use Dynamic Memory.

    Hardware Install

    If installing onto hardware, burn the ISO to a disc or USB and insert into the device. We recommend balenaEtcher if using a USB for hardware installs.

    Start The Install

    Boot the server from disc or ISO to start. If booted correctly in EFI mode, you will see the NixOS install logo.

    image-20240627-120241.png

    Press Enter or wait 10 seconds for the top option to be selected automatically.

    image-20240627-120356.png

    The installer will attempt to automatically detect the attached storage device. Type y and press Enter to use the selected disk.

    Which Securus Cloud server do you belong to?

    This defines the server you will be connecting to – i.e. cloud08. This will be provided by Securus support in the setup email.

    Which OU does your school belong to?

    Defines your school's OU on the server – i.e. LeatherheadPrimarySchool. This will have been provided in your initial installation email.

    Which IP address should I use?

    Type in the IP address that you are allocating to the

    NET

    server installation. This must be a free and unused IP address on your network.

    Which gateway should I use?

    Type in your gateway IP address.

    Which DNS addresses should I use?

    Enter your DNS

    addresses, separated by commas as shown in the example above in priority order. Local DNS addresses should be prioritised first

    address. Please note this can only support one DNS entry only currently.

    If you intend to use Hostname authentication (explained further below), we’d recommend typing in the main DC or DNS only.

    Which Netmask should I use in CIDR format?

    image-20240627-120640.png

    Type in your Subnet in CIDR format and press Enter.

    Do I require a proxy?

    image-20240627-120839.pngImage Removed

    This stage allows the entry of an upstream proxy address to be entered into the config, for situations where a school has another explicit proxy such as a filter.

    Type Y or n and press Enter.

    If pressing Y, enter the upstream proxy address and port number.

    Please note that we do not support authenticated proxies.

    Which authentication method would you like to use?

    Image Removed

    This option is for the authentication method the Captive Portal will use to handle logins. For more information on the Captive Portal, please click here.

    1. LDAP

      • Will use LDAP, integrating with your onsite Active Directory. Users will need to login with their Active Directory details. This will also provide their Active Directory username for the capture information. Note that this will not integrate with Azure AD and will only work with an onsite AD server.

    2. Google

      • Will use Google’s SSO authentication within the Captive Portal.

        This is best for 1:1 device assignments as Google’s authentication will usually keep the same user logged in once they have authenticated with a device. With Google SSO enabled, the captive portal will redirect to the Google login page and will log the user into their Google account via browser session. Securus NET will grab these details from the browser session and use the domain and username for captures.

        Users will need to log out of any Google account sessions manually and left idle for more than 3 minutes (configurable) to force re-authentication for a new user in shared device environments.

    3. Azure

      • Will use Azure SSO authentication within the Captive Portal.
        Similar to Google, this is best for 1:1 devices and users will need to sign out from Microsoft within their browser sessions to allow a new user to sign in with shared device environments.

    4. MAC as username

      • Will hide the Captive Portal (no login necessary) and will attempt to use the devices MAC address as the username for captures.

    5. Hostname as username

      • Will hide the Captive Portal (no login necessary) and will attempt to use hostname of the device as the username on captures.

    6. Radius

      • Like option 1, this enables the Captive Portal with LDAP authentication and also enables Radius support. Once this option is selected, the server will look for and accept Radius network packets that are pushed to it.

    7. None

      • Will hide the Captive Portal and will display the devices IP address as the username instead.

    Note

    Hostname and MAC address authentication requires Private Wi-Fi Address to be turned off to work correctly. More information here. Hostname authentication also requires a reverse DNS lookup zone to be configured.

    Please type in the student/BYOD WiFi SSID (Optional)

    image-20240627-120953.pngImage Removed

    This is an optional step that is useful BYOD environments. When entered, a QR code will be generated that a BYOD user can scan to connect to the designated Wi-Fi network.

    Type in the SSID name and press Enter, or leave blank and press Enter to skip this step.

    Please type in the password for the above WiFi (Optional)

    image-20240627-121137.pngImage Removed

    As above, this is an optional step. If entering a Wi-Fi SSID, type in the password associated to the SSID.

    Or leave blank and press Enter to skip this step.

    Confirm Installation Information

    You will be asked to confirm that the settings are correct. Type ‘Y’ and press enter to continue.

    If you have made a mistake, type ‘n’ and press enter and select which section you would like to change. Network settings can also be changed post install.

    Press:

    1. To change the cloud information or OU name.

    2. To change the network information assigned to the device.

    3. To change the selected authentication method.

    Installation Start

    After this process, the network configuration utility will start and will detect and apply the network adapter that is assigned to the VM. If everything is ok, the installation will begin and can take up to 20 minutes to complete.

    Once the install has finished, you will be presented with the Securus NET console screen.

    Please move onto the Post Install section.

    Installation for BYOD/Unmanaged Device Environments

    Installing for a BYOD environment is almost the same as for an explicit setup, except in this configuration, the PAC file is used to provide proxy information to the device.

    Follow the steps from the Explicit Setup section as normal, and then move onto the Post Install section to get the certificate and PAC file location.

    BYOD users will need to download the SSL certificate by using the generated QR code on the onboarding page. Users will then need to define the PAC file location (also displayed on the onboarding page) in the Wi-Fi profile to get the proxy information.

    Android - https://www.howtogeek.com/295048/how-to-configure-a-proxy-server-on-android/
    iOS - https://www.howtogeek.com/293676/how-to-configure-a-proxy-server-on-an-iphone-or-ipad/

    We would recommend the following process for a new BYO device or user joining a monitored network.

    1. New user connects to the network,

    2. User modifies the Wi-Fi profile to add the proxy PAC file into the configuration,

    3. User scans the certificate QR code which links to the onboarding page. The Securus NET SSL certificate will download automatically,

    4. User installs the certificate onto their device,

    5. User opens a new tab and can then log into the captive portal if in use, otherwise they can browse as normal and will now be monitored by Securus NET.

    Post Install

    Once the installation is complete, you will be presented with the Securus NET Terminal Interface.

    Please email the Securus helpdesk with your Authorisation Code displayed on the main menu.

    We will then promptly authorise the new incoming connection and we’ll let you know once this is done. This will trigger the second part of the installation where the NET server will connect to our licensing server and will install the license, pull down the latest monitoring library and allow lists, and then finally Securus NET software libraries. This process can take up to 15 minutes.

    VM Console Options

    See below for a detailed description of each option.

    image-20240627-134618.pngImage Removed

    I - System Information

    This will show which cloud service the NET server is connected to, SSL certificate download link, Admin link and password, PAC file link, system uptime, CPU usage and storage usage.

    image-20240627-141243.pngImage Removed

    S - Securus NET Status

    This will show whether the NET services are up and connected.

    P - Ping any address

    Will allow you to ping internal or external devices to test for connectivity.

    L - Update Licence

    Allows you to update the licence, can also be used to query the licensing server to check for connectivity outside of the network.

    N - Network Information

    This will show the network details that are currently assigned to the device. If no tunnel address is shown, please check your firewall and ensure the addresses listed in the Firewall Requirements section are whitelisted. If the firewall rules are in place, please contact support to investigate.

    A - Allowlist Changes

    This option allows you to add URL’s into the allow list to stop applications and certain websites from being blocked when using the Securus NET Proxy.

    Press A to enter the configuration menu.

    You will be prompted to edit an existing custom entry, add a new entry or remove an existing entry.

    image-20240627-140015.pngImage Removed

    Add a new entry

    To add a new entry, type new and press Enter.

    image-20240627-140205.pngImage Removed

    You will then be prompted to enter a URL. For example, to allow the YouTube app, type in youtube.com.

    image-20240627-140312.pngImage Removed

    Once the entry has been added, you will be prompted to restart the services to apply the change. If you want to add more entries, type n and press Enter and restart the process.

    If you are done adding new entries, type Y and press Enter. The services will restart and you will be taken back to the main menu. You can press A again and you will see the new entry in the list.

    Edit an entry

    image-20240627-140450.pngImage Removed

    To edit an existing entry, simply in the number of the entry you want to list. In the above example we only have one entry so we will type 1 and press Enter.

    image-20240627-140535.pngImage Removed

    Make your changes and then press Enter.

    image-20240627-140610.pngImage Removed

    As before, if you are happy with the changes, press Y and Enter to restart the services.

    Remove an entry

    To remove an entry, type remove and press Enter.

    image-20240627-140930.pngImage Removed

    Then type the number of the entry you want to remove and press Enter.

    image-20240627-141003.pngImage Removed

    Type Y and then Enter to restart the services and apply the changes.

    Download the Securus NET SSL Certificate

    The Securus NET SSL certificate is generated during the install and is unique to every installation. The certificate will expiree 5 years from the date of installation.

    Please be aware that reinstalling the Securus NET server will generate a new certificate which would need to be deployed to your devices again.

    To get the certificate you will need to open a web browser and go to:

    Code Block
    http://server.ip.address/securus.crt

    In some cases the browser may display the contents of the file instead of download it. If this happens, copy and paste all of the displayed text into a new Notepad file and save it with a .crt format.

    There will also be a link to the certificate on the Onboarding Page.

    You can also find the URL to download the link by pressing I on the console screen for System Information.

    image-20240627-141228.pngImage Removed

    PAC File Location

    The Proxy Auto-Config (PAC) should be used to point devices to the proxy. This is also useful for BYOD environments with unmanaged devices.

    Press I on the VM console to display the system information.

    image-20240603-082223.pngImage Removed

    The PAC file can be applied through an MDM with the certificate at the same time.

    Alternatively the PAC file can be downloaded/saved and hosted elsewhere on the network. You will be given a URL to the PAC file, go to the address in a web browser and the file will download automatically. In some cases it may display the contents of the file instead, if so, copy and paste the entire contents into a new Notepad file and save it as “proxy.pac”.

    Admin Page

    The Admin Page can be used to customise the Captive Portal Accetable Use Policy (AUP) background and logo images, upload a custom upstream proxy certificate (for a filter or firewall etc), and generate a QR code for a Wi-Fi network.

    Please refer to our Admin Page guide here: Admin Page

    Onboarding Page

    The Onboarding Page displays useful information for BYOD users to be able to download the certificate and join a Wi-Fi network.

    Please refer to our Onboarding Page guide here: Onboarding Page

    The format to enter should be /22 or /24 for example, do not type the full address (255.255.x.x) out.

    If you are unsure what your CIDR is, refer to the below article.

    https://www.freecodecamp.org/news/subnet-cheat-sheet-24-subnet-mask-30-26-27-29-and-other-ip-address-cidr-network-references/

    Type in your Subnet CIDR and press Enter.

    If the formatting is wrong an error will show.

    image-20240718-154958.pngImage Added

    Type in the correct CIDR format and press Enter.

    image-20240718-155037.pngImage Added

    Do I require a proxy?

    image-20240627-120839.pngImage Added

    This stage allows the entry of an upstream proxy address to be entered into the config, for situations where a school has another explicit proxy such as a filter.

    Type Y or n and press Enter.

    If pressing Y, enter the upstream proxy address and port number.

    Please note that we do not support authenticated proxies.

    Which authentication method would you like to use?

    image-20241001-082931.pngImage Added

    This section is for the authentication method the Captive Portal will use to provide a username to captures. For more information on the Captive Portal, please click here.

    Please see below for a description of each authentication method.

    1. LDAP

      • This option will use LDAP, integrating with your onsite Active Directory. Users will need to login with their Active Directory details. This will also provide their Active Directory username for the capture information. Note that this will not integrate with Azure AD and will only work with an onsite AD server.

    2. Google

      • This option will use Google’s SSO authentication within the Captive Portal.

      • With Google SSO enabled, the captive portal will redirect to the Google login page and will log the user into their Google account via browser session. Securus will grab these details from the browser session and use the domain and username for captures.

      • This is best for 1:1 device assignments as Google’s authentication will usually keep the same user logged in once they have authenticated with a device.

      • Users will need to log out of any Google account sessions manually and left idle for more than 3 minutes (configurable) to force re-authentication for a new user in shared device environments.

    3. Azure

      • This option will use Azure SSO authentication within the Captive Portal.

      • Similar to Google, this is best for 1:1 devices and users will need to sign out from Microsoft within their browser sessions to allow a new user to sign in within shared device environments.

    4. Hostname as username

      • This option will hide the Captive Portal (no login necessary) and will attempt to use hostname of the device as the username on captures.

      • Hostname authentication requires Private Wi-Fi Address to be turned off to work correctly, more information here. Hostname authentication also requires a reverse DNS lookup zone to be configured.

    5. Radius

      • Like option 1, this enables the Captive Portal with LDAP authentication and also enables Radius support. Once this option is selected, the server will look for and accept Radius network packets that are pushed to it.

    6. None

      • This option will hide the Captive Portal and will display the devices IP address as the username instead.

    Please type in the student/BYOD WiFi SSID (Optional)

    image-20240627-120953.pngImage Added

    This is an optional step that is useful BYOD environments. When entered, a QR code will be generated that a BYOD user can scan to connect to the designated Wi-Fi network.

    Type in the SSID name and press Enter, or leave blank and press Enter to skip this step.

    Please type in the password for the above WiFi (Optional)

    image-20240627-121137.pngImage Added

    As above, this is an optional step. If entering a Wi-Fi SSID, type in the password associated to the SSID.

    Or leave blank and press Enter to skip this step.

    Confirm Installation Information

    You will be asked to confirm that the settings are correct.

    image-20240718-155848.pngImage Added

    Type ‘Y’ and press enter to continue.

    If you have made a mistake, type ‘n’ and press enter and select which section you would like to change. Network settings can also be changed post install.

    Press:

    1. To change the cloud information or OU name.

    2. To change the network information assigned to the device.

    3. To change the selected authentication method.

    Installation Start

    After this process, the network configuration utility will start and will detect the network adapter.

    The server will first grab a DHCP address and will then attempt to apply the IP details that have been assigned to the VM.

    Info

    Sometimes the installer will use this address instead of the static address so you may need to unfilter the DHCP address as well.

    The server will then perform a ping test to make sure the details are correct.

    image-20250219-111107.pngImage Added

    If everything is ok, the installation will begin and can take up to 20 minutes to complete. An error message will show if the configuration has failed, if this is the case, please contact the support team.

    Once the install has finished, you will be presented with the Securus Proxy console screen.

    Please move onto the Post Install section.

    Installation for BYOD/Unmanaged Device Environments

    Installing for a BYOD environment is almost the same as for an explicit setup, except in this configuration, the PAC file is used to provide proxy information to the device.

    Follow the steps from the Explicit Setup section as normal, and then move onto the /wiki/spaces/SSKB/pages/197052 to get the certificate and PAC file location.

    BYOD users will need to download the SSL certificate by using the generated QR code on the onboarding page. Users will then need to define the PAC file location (also displayed on the onboarding page) in the Wi-Fi profile to get the proxy information.

    Android - https://www.howtogeek.com/295048/how-to-configure-a-proxy-server-on-android/
    iOS - https://www.howtogeek.com/293676/how-to-configure-a-proxy-server-on-an-iphone-or-ipad/

    We would recommend the following process for a new BYO device or user joining a monitored network.

    1. New user connects to the network,

    2. User modifies the Wi-Fi profile to add the proxy PAC file into the configuration,

    3. User scans the certificate QR code which links to the onboarding page. The Securus Proxy SSL certificate will download automatically,

    4. User installs the certificate onto their device,

    5. User opens a new tab and can then log into the captive portal if in use, otherwise they can browse as normal and will now be monitored by Securus.

    Post Install

    Once the installation is complete, you will be presented with the Securus NET Greetings Page.

    Server Authorisation

    Note

    Please email the Securus helpdesk with your Authorisation Code displayed on the main menu.

    The server will not get a tunnel address or complete setting up until the incoming connection is authorised.

    image-20241001-083354.pngImage Added

    Once we have your authorisation request code we will promptly allow the new incoming connection and will let you know once this is done.

    This will trigger the second part of the installation where the proxy server will connect to our licensing server and will install the license, pull down the latest monitoring library and allow lists, and then finally Securus Proxy software libraries.

    This process can take up to 15 minutes and the server will reboot after successful setup. You will then be presented with the Securus Proxy Terminal Interface.

    Securus Proxy Terminal Interface Options

    See below for a detailed description of each option.

    image-20250219-102450.pngImage Added

    I - System Information

    This will show which cloud service the server is connected to, SSL certificate download link, Admin link and password, PAC file location, system uptime, CPU usage and storage usage.

    image-20240627-141243.pngImage Added

    S - Securus Status

    This will show whether the services are up and connected.

    P - Ping any address

    Will allow you to ping internal or external devices to test for connectivity.

    L - Update Licence

    Allows you to update the licence, can also be used to query the licensing server to check for connectivity outside of the network.

    N - Network Information

    This will show the network details that are currently assigned to the device.

    The tunnel address (tun0) will not show until the server connection has been authorised.

    If no tunnel address is shown after authorisation, please check your firewall and ensure the addresses listed in the Firewall Requirements section are whitelisted. If the firewall rules are in place, please contact support to investigate.

    A - Allowlist Changes

    Our default allow list covers most popular applications and services from Google, Microsoft and Apple. However you may have some apps unique to your environment or URL’s that are not on our current list. This option allows you to add URL’s into the allow list to stop applications and certain websites from being blocked when using the Securus Proxy.

    Press A to enter the configuration menu.

    You will be prompted to edit an existing custom entry, add a new entry or remove an existing entry.

    image-20240627-140015.pngImage Added

    Add a new entry

    To add a new entry, type new and press Enter.

    image-20240627-140205.pngImage Added

    You will then be prompted to enter a URL. For example, to allow the YouTube app, type in youtube.com.

    Info

    Wildcards are not necessary. To allow an entire domain you can use ‘.apple.com’ or ‘apple.com’ to cover all URL’s.

    image-20240627-140312.pngImage Added

    Once the entry has been added, you will be prompted to restart the services to apply the change. If you want to add more entries, type n to cancel the restart and press Enter to add another entry.

    If you are done adding new entries, type Y and press Enter. The services will restart and you will be taken back to the main menu. You can press A again and you will see the new entry in the list.

    Edit an entry

    image-20240627-140450.pngImage Added

    To edit an existing entry, simply in the number of the entry you want to list. In the above example we only have one entry so we will type 1 and press Enter.

    image-20240627-140535.pngImage Added

    Make your changes and then press Enter.

    image-20240627-140610.pngImage Added

    As before, if you are happy with the changes, press Y and Enter to restart the services.

    Remove an entry

    To remove an entry, type remove and press Enter.

    image-20240627-140930.pngImage Added

    Then type the number of the entry you want to remove and press Enter.

    image-20240627-141003.pngImage Added

    Type Y and then Enter to restart the services and apply the changes.

    E - Edit Config

    This option allows you to change some of the config on the server after installation. Press Escape or Control + C at any time to cancel making changes.

    image-20250219-102652.pngImage Added

    N - Network Config

    image-20250219-102734.pngImage Added

    Press a number to edit that option, type in the new information and then hit enter.

    Info

    If you are changing the IP address of the server, you will also need to up date option 2 (ip_address_cidr) as well with the new address.

    W - WiFi Config

    This option can also be configured on the Admin page.

    L - LDAP Config

    Allows you to add or remove an LDAP server and domain name for the Captive Portal settings.

    P - Proxy Config

    Allows adding an external upstream proxy into the config.

    T - Timezone Config

    Allows changing of the timezone.

    C - Captive Portal Config

    Allows changing of the Captive Portal timeout intervals.

    A - Auth Config

    Allows changing of the authentication method the server is using.

    Options are exactly as written:

    • LDAP

    • Google

    • Azure

    • Hostname

    • Radius

    • None

    Fallback option is ‘IP’.

    To change the authentication method, press 1. Then type in the preferred method using the above options.

    image-20250219-103832.pngImage Added

    Press Enter to confirm the change.

    Then press E to edit another setting or press A to apply the change.

    image-20250219-103926.pngImage Added

    Download the Securus Proxy SSL Certificate

    The Securus Proxy SSL certificate is generated during the install and is unique to every installation. The certificate will expiree 5 years from the date of installation.

    Please be aware that reinstalling the Securus server will generate a new certificate which would need to be deployed to your devices again.

    The certificate can be downloaded from the Onboarding Page by opening a web browser and navigating to:

    Code Block
    http://server.ip.address

    Alternatively, the certificate can be found at:

    Code Block
    http://server.ip.address/securus.crt

    In some cases the browser may display the contents of the file instead of download it. If this happens, copy and paste all of the displayed text into a new Notepad file and save it with a .crt format.

    You can also find the URL to download the link by pressing I on the console screen for System Information.

    image-20240627-141228.pngImage Added

    PAC File Location

    The Proxy Auto-Config (PAC) is be used to point devices to the proxy.

    Press I on the VM console to display the system information.

    image-20240603-082223.pngImage Added

    The PAC file can be applied through an MDM with the certificate at the same time.

    Alternatively the PAC file can be downloaded/saved and hosted elsewhere on the network. You will be given a URL to the PAC file, go to the address in a web browser and the file will download automatically. In some cases it may display the contents of the file instead, if so, copy and paste the entire contents into a new Notepad file and save it as “proxy.pac”.

    Onboarding Page

    The Onboarding Page displays useful information for BYOD users to be able to download the certificate and join a Wi-Fi network.

    Please refer to our Onboarding Page guide here: Onboarding Page

    Admin Page

    The Admin Page can be used to customise the Captive Portal Accetable Use Policy (AUP) background and logo images, upload a custom upstream proxy certificate (for a filter or firewall etc), and generate a QR code for a Wi-Fi network.

    Please refer to our Admin Page guide here: Admin Page

    NixOS Generations

    Generations serve as snapshots and allow the server to be rolled back in case of erroneus configuration changes or corrupted updates. Generations are created when changes are made to the system.

    By default the server will hold on to 15 generations.

    To roll back to a previous generation, either reboot the server or shut it down and start it up again.

    The generation options will show after the VM starts. 

    image-20251202-141338.pngImage Added

    On this screen, press down and select an older generation (usually the second in the list) from the list and allow it to start up.

    It will roll back to the previous generation, and be in the same state it was before the changes were made.

    Capture Testing

    It is recommended that the connection and capture creation be tested once the installation is complete. The below examples apply to school managed devices and BYOD environments.

    Apply the proxy PAC file location to the device’s Wi-Fi profile.

    image-20240627-142707.png

    Android - https://www.howtogeek.com/295048/how-to-configure-a-proxy-server-on-android/
    iOS - https://www.howtogeek.com/293676/how-to-configure-a-proxy-server-on-an-iphone-or-ipad/

    This will later need to be set for every device being monitored by

    NET

    Securus and can be done via MDM.

    Then install the Securus

    NET

    certificate onto the device as a root authority on the test machine (images for Windows below). If installing onto iOS, the certificate will also need to be trusted.

    Windows
    Mac
    iOS
    Android

    Then go to Wikipedia and search for “AK47” and “Our Secret”.

    If enabled during install, the Captive Portal login prompt will show. Login with your Active Directory details and the webpage will continue to load as normal. You may also need to open a new tab and complete the search again.

    This should then generate several captures that can be then viewed in the Securus console.

    The proxy can now be deployed site wide using an MDM for managed devices or BYOD users can use the QR Codes to get the certificate and PAC URL.

    Troubleshooting


    Please refer to our Troubleshooting section here:

    NET

    Securus Proxy Troubleshooting

    Useful Information

    Lightspeed MDM

    If using Lightspeed MDM on site you should enable a setting called “Bypass captive login iOS10+”. This will fix any issues with the captive portal not loading or redirecting and WiFi disconnects when not authenticated.

    Meraki MDM

    As above, we’d recommend enabling “Bypass captive portal (for iOS10 and later)” in WiFi settings to ensure the Wifi will connect before authenticating with the captive portal.

    Mosyle MDM

    We would recommend enabling “Disable Captive Network Detection (iOS only)” in the Network information page.

    image-20240603-163316.png

    As above, this will stop the WiFi from disconnecting on a device when the user is not authenticated with Securus

    NET

    .


    Certificate Installation instructions

    iOS: https://support.apple.com/en-gb/HT204477#:~:text=If%20you%20want%20to%20turn,Mobile%20Device%20Management%20(MDM).

    Captive Portal Information

    Captive Portal

    Document number/reference: SEC-KB-INST-001

    Classification Level: Public

    Related Articles

    Page Tree
    root

    Securus NET

    Securus Proxy & Securus iPad Browser App
    spacesSSKB
    startDepth1
    sortnatural

    Expand
    breakoutWidth1011
    titleDocument Change History
    Change History