Securus NET is an explicit proxy that can monitor network traffic from all network based devices.
Packets are subject to Securus analysis, where words and phrases are matched against our proprietary dictionary of terms. Any dictionary matches will result in an ‘event call’ where the software uses the packet information to call on the website to produce an image. Packet information regarding date & time and machine information will also be sent along with the image. The capture can then be viewed within the Securus cloud portal, exactly the same way as Windows or Chromebook captures.
A PAC file is generated during the installation which is used to point the devices to the Securus NET Proxy, the file is also hosted on the server directly and can be deployed via MDM. The PAC file can also be used in BYOD environments to point unmanaged devices to the proxy by modifying the Wi-Fi profile.
For the purposes of support and modifications, we recommend that the NET proxy is installed to a virtual machine, but it can also be installed to dedicated hardware if required.
Securus NET can also integrate with other existing upstream proxies to form a proxy chain, NET will come first in this chain, and then others will follow.
If you have any questions about the installation, please contact the support team at support@securus-software.com or 01372 388 530.
Server Requirements
NET can be installed to a virtual machine (HyperV, VMware, Oracle VirtualBox, etc) or onto hardware if preferred.
Note that the below serves as a guideline and is subject to network configuration and is irrespective of device type.
The NET ISO will only work for UEFI boot.
Server Specification
Up to 800 connections
4 Core Processor.
8GB RAM.
100-200GB HDD (captures held in our cloud service).
No operating system required.
UEFI Boot enabled and Secure Boot disabled.
Generation 2 VM (if using HyperV).
Up to 2500 connections
8 Core Processor.
12GB RAM.
200GB HDD (captures held in our cloud service).
No operating system required.
UEFI Boot enabled and Secure Boot disabled.
Generation 2 VM (if using HyperV).
2500+ Connections
Server specification outlined in each case before implementation.
Please note that no captures are stored on the NET server itself, captures will broadcast to our highly secure cloud environment as soon as they are created. You will be provided login details to the Capture Management portal to view the capture data.
Captures only occur in cases where a library term has been detected over the network.
Mobile Device Requirements
iOS 13 or higher
Android 4.4.2 or higher
Firewall Requirements
The following addresses and ports will need to be allow listed on the firewall to allow full communication to our services.
Net1.securus-software.com (167.99.94.236)
Ports 443 and 80 TCP
Net-license.securus-software.com (139.59.197.211 and 206.189.27.245)
Ports 443 and 1194 TCP
*.nixos.org
Securus NET Installation
Please read the below instructions carefully to avoid misconfiguration or installation failures.
The server MUST have unfiltered internet access during the install process to ensure the software and updates are installed properly.
The VM must have EFI boot enabled (Generation 2 in HyperV) otherwise the install will fail.
If any of the below options or settings are missing from your installation, please contact the support team to get the most recent copy of the Securus NET ISO.
Virtual Machine Install
Create a new virtual machine in your preferred virtual environment and ensure that UEFI boot is enabled and disable Secure Boot.
HyperV
For HyperV ensure the VM is a set to Generation 2 and disable Secure Boot.
Hardware Install
If installing onto hardware, burn the ISO to a disc or USB and insert into the device. We recommend balenaEtcher if using a USB for hardware installs.
Start The Install
Boot the server from disc or ISO to start. If booted correctly in EFI mode, you will see the NixOS install logo.
Press Enter or wait 10 seconds for the top option to be selected automatically.
The installer will attempt to automatically detect the attached storage device. Type y and press Enter to use the selected disk.
Which Securus Cloud server do you belong to?
This defines the server you will be connecting to – i.e. cloud08. This will be provided by Securus support in the setup email.
Which OU does your school belong to?
Defines your school's OU on the server – i.e. LeatherheadPrimarySchool. This will have been provided in your initial installation email.
Which IP address should I use?
Type in the IP address that you are allocating to the NET installation. This must be a free and unused IP address on your network.
Which gateway should I use?
Type in your gateway IP address.
Which DNS addresses should I use?
Enter your DNS address. Please note this can only support one DNS entry only currently.
If you intend to use Hostname authentication (explained further below), we’d recommend typing in the main DC or DNS only.
Which Netmask should I use in CIDR format?
The format to enter should be /22 or /24 for example, do not type the full address (255.255.x.x) out.
If you are unsure what your CIDR is, refer to the below article.
Type in your Subnet CIDR and press Enter.
If the formatting is wrong an error will show.
Type in the correct CIDR format and press Enter.
Do I require a proxy?
This stage allows the entry of an upstream proxy address to be entered into the config, for situations where a school has another explicit proxy such as a filter.
Type Y or n and press Enter.
If pressing Y, enter the upstream proxy address and port number.
Please note that we do not support authenticated proxies.
Which authentication method would you like to use?
This section is for the authentication method the Captive Portal will use to provide a username to captures. For more information on the Captive Portal, please click here.
Please see below for a description of each authentication method.
LDAP
This option will use LDAP, integrating with your onsite Active Directory. Users will need to login with their Active Directory details. This will also provide their Active Directory username for the capture information. Note that this will not integrate with Azure AD and will only work with an onsite AD server.
Google
This option will use Google’s SSO authentication within the Captive Portal.
With Google SSO enabled, the captive portal will redirect to the Google login page and will log the user into their Google account via browser session. Securus NET will grab these details from the browser session and use the domain and username for captures.
This is best for 1:1 device assignments as Google’s authentication will usually keep the same user logged in once they have authenticated with a device.
Users will need to log out of any Google account sessions manually and left idle for more than 3 minutes (configurable) to force re-authentication for a new user in shared device environments.
Azure
This option will use Azure SSO authentication within the Captive Portal.
Similar to Google, this is best for 1:1 devices and users will need to sign out from Microsoft within their browser sessions to allow a new user to sign in within shared device environments.
Hostname as username
This option will hide the Captive Portal (no login necessary) and will attempt to use hostname of the device as the username on captures. This option requires prerequisites which are described below.
Radius
Like option 1, this enables the Captive Portal with LDAP authentication and also enables Radius support. Once this option is selected, the server will look for and accept Radius network packets that are pushed to it.
None
This option will hide the Captive Portal and will display the devices IP address as the username instead.
Hostname and MAC address authentication requires Private Wi-Fi Address to be turned off to work correctly. More information here.
Hostname authentication also requires a reverse DNS lookup zone to be configured.
Please type in the student/BYOD WiFi SSID (Optional)
This is an optional step that is useful BYOD environments. When entered, a QR code will be generated that a BYOD user can scan to connect to the designated Wi-Fi network.
Type in the SSID name and press Enter, or leave blank and press Enter to skip this step.
Please type in the password for the above WiFi (Optional)
As above, this is an optional step. If entering a Wi-Fi SSID, type in the password associated to the SSID.
Or leave blank and press Enter to skip this step.
Confirm Installation Information
You will be asked to confirm that the settings are correct.
Type ‘Y’ and press enter to continue.
If you have made a mistake, type ‘n’ and press enter and select which section you would like to change. Network settings can also be changed post install.
Press:
To change the cloud information or OU name.
To change the network information assigned to the device.
To change the selected authentication method.
Installation Start
After this process, the network configuration utility will start and will detect the network adapter and will then apply the IP details that have been assigned to the VM.
If everything is ok, the installation will begin and can take up to 20 minutes to complete. An error message will show if the configuration has failed, if this is the case, please contact the support team.
Once the install has finished, you will be presented with the Securus NET console screen.
Please move onto the Post Install section.
Installation for BYOD/Unmanaged Device Environments
Installing for a BYOD environment is almost the same as for an explicit setup, except in this configuration, the PAC file is used to provide proxy information to the device.
Follow the steps from the Explicit Setup section as normal, and then move onto the Post Install section to get the certificate and PAC file location.
BYOD users will need to download the SSL certificate by using the generated QR code on the onboarding page. Users will then need to define the PAC file location (also displayed on the onboarding page) in the Wi-Fi profile to get the proxy information.
Android - https://www.howtogeek.com/295048/how-to-configure-a-proxy-server-on-android/
iOS - https://www.howtogeek.com/293676/how-to-configure-a-proxy-server-on-an-iphone-or-ipad/
We would recommend the following process for a new BYO device or user joining a monitored network.
New user connects to the network,
User modifies the Wi-Fi profile to add the proxy PAC file into the configuration,
User scans the certificate QR code which links to the onboarding page. The Securus NET SSL certificate will download automatically,
User installs the certificate onto their device,
User opens a new tab and can then log into the captive portal if in use, otherwise they can browse as normal and will now be monitored by Securus NET.
Post Install
Once the installation is complete, you will be presented with the Securus NET Terminal Interface.
Please email the Securus helpdesk with your Authorisation Code displayed on the main menu.
We will then promptly authorise the new incoming connection and we’ll let you know once this is done. This will trigger the second part of the installation where the NET server will connect to our licensing server and will install the license, pull down the latest monitoring library and allow lists, and then finally Securus NET software libraries. This process can take up to 15 minutes.
Note that the server will not get a tunnel address or complete setting up until the incoming connection is authorised.
VM Console Options
See below for a detailed description of each option.
I - System Information
This will show which cloud service the NET server is connected to, SSL certificate download link, Admin link and password, PAC file location, system uptime, CPU usage and storage usage.
S - Securus NET Status
This will show whether the NET services are up and connected.
P - Ping any address
Will allow you to ping internal or external devices to test for connectivity.
L - Update Licence
Allows you to update the licence, can also be used to query the licensing server to check for connectivity outside of the network.
N - Network Information
This will show the network details that are currently assigned to the device.
The tunnel address (tun0) will not show until the server connection has been authorised. If no tunnel address is shown after authorisation, please check your firewall and ensure the addresses listed in the Firewall Requirements section are whitelisted. If the firewall rules are in place, please contact support to investigate.
A - Allowlist Changes
This option allows you to add URL’s into the allow list to stop applications and certain websites from being blocked when using the Securus NET Proxy.
Press A to enter the configuration menu.
You will be prompted to edit an existing custom entry, add a new entry or remove an existing entry.
Add a new entry
To add a new entry, type new and press Enter.
You will then be prompted to enter a URL. For example, to allow the YouTube app, type in youtube.com.
Once the entry has been added, you will be prompted to restart the services to apply the change. If you want to add more entries, type n and press Enter and restart the process.
If you are done adding new entries, type Y and press Enter. The services will restart and you will be taken back to the main menu. You can press A again and you will see the new entry in the list.
Edit an entry
To edit an existing entry, simply in the number of the entry you want to list. In the above example we only have one entry so we will type 1 and press Enter.
Make your changes and then press Enter.
As before, if you are happy with the changes, press Y and Enter to restart the services.
Remove an entry
To remove an entry, type remove and press Enter.
Then type the number of the entry you want to remove and press Enter.
Type Y and then Enter to restart the services and apply the changes.
Download the Securus NET SSL Certificate
The Securus NET SSL certificate is generated during the install and is unique to every installation. The certificate will expiree 5 years from the date of installation.
Please be aware that reinstalling the Securus NET server will generate a new certificate which would need to be deployed to your devices again.
To get the certificate you will need to open a web browser and go to:
http://server.ip.address/securus.crt
Alternatively, the certificate can be downloaded from the Onboarding Page at:
http://server.ip.address
In some cases the browser may display the contents of the file instead of download it. If this happens, copy and paste all of the displayed text into a new Notepad file and save it with a .crt format.
You can also find the URL to download the link by pressing I on the console screen for System Information.
PAC File Location
The Proxy Auto-Config (PAC) is be used to point devices to the proxy.
Press I on the VM console to display the system information.
The PAC file can be applied through an MDM with the certificate at the same time.
Alternatively the PAC file can be downloaded/saved and hosted elsewhere on the network. You will be given a URL to the PAC file, go to the address in a web browser and the file will download automatically. In some cases it may display the contents of the file instead, if so, copy and paste the entire contents into a new Notepad file and save it as “proxy.pac”.
Onboarding Page
The Onboarding Page displays useful information for BYOD users to be able to download the certificate and join a Wi-Fi network.
Please refer to our Onboarding Page guide here: Onboarding Page
Admin Page
The Admin Page can be used to customise the Captive Portal Accetable Use Policy (AUP) background and logo images, upload a custom upstream proxy certificate (for a filter or firewall etc), and generate a QR code for a Wi-Fi network.
Please refer to our Admin Page guide here: Admin Page
Capture Testing
It is recommended that the connection and capture creation be tested once the installation is complete. The below examples apply to school managed devices and BYOD environments.
Apply the proxy PAC file location to the device’s Wi-Fi profile.
Android - https://www.howtogeek.com/295048/how-to-configure-a-proxy-server-on-android/
iOS - https://www.howtogeek.com/293676/how-to-configure-a-proxy-server-on-an-iphone-or-ipad/
This will later need to be set for every device being monitored by NET and can be done via MDM.
Then install the Securus NET certificate onto the device as a root authority on the test machine (images for Windows below). If installing onto iOS, the certificate will also need to be trusted.
Then go to Wikipedia and search for “AK47” and “Our Secret”.
If enabled during install, the Captive Portal login prompt will show. Login with your Active Directory details and the webpage will continue to load as normal. You may also need to open a new tab and complete the search again.
This should then generate several captures that can be then viewed in the Securus console.
The proxy can now be deployed site wide using an MDM for managed devices or BYOD users can use the QR Codes to get the certificate and PAC URL.
Troubleshooting
Please refer to our Troubleshooting section here: NET Troubleshooting
Useful Information
Lightspeed MDM
If using Lightspeed MDM on site you should enable a setting called “Bypass captive login iOS10+”. This will fix any issues with the captive portal not loading or redirecting and WiFi disconnects when not authenticated.
Meraki MDM
As above, we’d recommend enabling “Bypass captive portal (for iOS10 and later)” in WiFi settings to ensure the Wifi will connect before authenticating with the captive portal.
Mosyle MDM
We would recommend enabling “Disable Captive Network Detection (iOS only)” in the Network information page.
As above, this will stop the WiFi from disconnecting on a device when the user is not authenticated with Securus NET.