Securus NET Installation Guide

Securus NET is a proxy that can be set up in explicit mode to monitor network traffic from all network-based devices.

NET sits as the middle man on the network: authenticated machines using the network communicate through the NET proxy service. Packets are subject to Securus analysis, where words and phrases are matched against the proprietary dictionary of terms. Any dictionary match results in an ‘event call’, where the software uses packet information to call on the website to produce the screenshot. Packet information regarding date & time and machine information is sent along with the image.

NET can be installed to a virtual server or onto physical hardware. Please refer to the Installation section below for product requirements and which installation options to use for a given scenario.

Securus NET can also integrate with other existing proxies to form a proxy chain. NET will come first in this chain, and then others will follow.

If you are currently using an explicit proxy (such as with LGFL) or multiple VLANs, Securus NET will need to be set up in explicit mode only.


Server Requirements

NET can be installed to a virtual machine (HyperV or VMware) or hardware in explicit mode.

For BYOD environments the use of a PAC file can apply the Securus NET proxy to unmanaged devices by adding the PAC file URL to the WiFi profile.

Note that the below serves as a guideline and is subject to network configuration and is irrespective of device type.

The NET ISO does not work in UEFI mode; the BIOS must be set to legacy mode to install the ISO properly.

Up to 800 connections

  • 4 Core Processor.

  • 8GB RAM.

  • Minimal storage space of 60GB (captures held in our cloud service).

  • No operating system required.

  • Generation 1 VM (if using HyperV).

Up to 2500 connections

  • 8 Core Processor.

  • 12GB RAM.

  • Minimal storage space of 60GB (captures held in our cloud service).

  • No operating system required.

  • Generation 1 VM (if using HyperV).

2500+ Connections

  • Server specification outlined in each case before implementation.

Please note that no captures are stored on the NET server itself. Captures are sent to our highly secure cloud environment as soon as they are created. You will be provided with login details for the Capture Management portal to view the capture data.

Captures only occur in cases where a library term has been detected over the network.

 

Mobile Device Requirements

  • iOS 13 or higher

  • Android 4.4.2 or higher

Firewall Requirements

We recommend whitelisting the following addresses and ports on the firewall to allow full communication to our services.

  • Net1.securus-software.com

    • 167.99.94.236

  • Net-license.securus-software.com

CentOS Mirrors:

Ports:

  • 443 and 80 TCP


Securus NET Installation

The server MUST have unfiltered internet access during the install process to ensure the software and updates are installed properly.

If any of the below options or settings are missing from your installation, please contact the support team to get the most recent copy of the Securus NET ISO.


Installation – Explicit Mode (VM or hardware)

Installing in explicit mode requires the Securus NET proxy to be defined on the devices that are to be monitored. This can be automated across a number of devices using a Mobile Device Management (MDM) service, or done individually on each device.

Explicit installs can be better for networks where only a small number of static devices (such as Apple Macs) need to be monitored.

Burn the ISO to a disc or USB and insert it if installing to hardware, or simply mount it to a new Virtual Machine.

Boot the server from disc or ISO to start.

Press Enter on Install Securus NET to start the installation process and configure the following options when prompted.

Which Securus Cloud server do you belong to?

This defines the server you will be connecting to – i.e. cloud08. This will be provided by Securus support in the setup email.

Which OU does your school belong to?

Defines your school’s OU on the server – i.e. LeatherheadPrimarySchool. This will have been provided in your initial installation email.

Which IP address should I use?

Type in the IP address that you are allocating to the NET installation. This must be a free and unused IP address on your network.

Which gateway should I use?

Type in your gateway IP address.

Which DNS addresses should I use?

Enter your DNS addresses, separated by commas as shown in the example above in priority order. Local DNS addresses should be prioritised first.

If you intend to use Hostname authentication (explained further below), we’d recommend typing in the main DC or DNS only.

Which Netmask should I use?

Enter your netmask address.

Do I require a proxy?

This stage allows an upstream proxy address to be entered into the config, for situations where a school has another explicit proxy such as a filter.

Type Y or n and press Enter.

If pressing Y, enter the upstream proxy address and port number. Please note that we do not support authenticated proxies.

Which authentication method would you like to use?

This option is for the authentication method the Captive Portal will use to handle logins. For more information on the Captive Portal, please click here.

  1. LDAP

    • Will use LDAP, integrating with your onsite Active Directory. Users will need to log in with their Active Directory details. This will also provide their Active Directory username for the capture information. Note that this will not integrate with Azure AD and will only work with an onsite AD server.

  2. Google

    • Will use Google’s SSO authentication within the Captive Portal.

      This is best for 1:1 device assignments as Google’s authentication will usually keep the same user logged in once they have authenticated with a device. With Google SSO enabled, the captive portal will redirect to the Google login page and will log the user into their Google account via browser session. Securus NET will grab these details from the browser session and use the domain and username for captures.

      In shared device environments, users will need to log out of any Google account sessions manually, and the device must be left idle for more than 3 minutes (configurable), to force re-authentication for a new user.

  3. Azure

    • Will use Azure SSO authentication within the Captive Portal.
      Similar to Google, this is best for 1:1 devices. In shared device environments, users will need to sign out from Microsoft within their browser sessions to allow a new user to sign in.

  4. MAC as username

    • Will hide the Captive Portal (no login necessary) and will attempt to use the device’s MAC address as the username for captures.

  5. Hostname as username

    • Will hide the Captive Portal (no login necessary) and will attempt to use the hostname of the device as the username on captures.

  6. Radius

    • Like option 1, this enables the Captive Portal with LDAP authentication and also enables Radius support. Once this option is selected, the server will look for and accept Radius network packets that are pushed to it.

  7. None

    • Will disable the Captive Portal entirely and will display the device’s IP address as the username instead.

You will be asked to confirm that the settings are correct. Type ‘Y’ and press enter to continue.

If you have made a mistake, type ‘n’ and press enter and select which section you would like to change. Network settings can also be changed post install.

Press:

  1. To change the cloud information or OU name.

  2. To change the network information assigned to the device.

  3. To change the selected authentication method.

After this process the network configuration utility will start.

If one network device is detected, the installer will automatically select Explicit and will continue with the installation.

The installation will now begin and can take up to 20 minutes to complete.

Once the install has finished, you will be presented with the Securus NET console screen. Please move onto the Post Install section.


Installation for BYOD Environments

Installing for a BYOD environment is almost the same as for an explicit setup, except in this configuration, the PAC file is used to provide proxy information to the device.

Follow the steps from the Explicit Setup section as normal and then move onto the Post Install section to get the certificate and PAC file location.

BYOD users will need to download the SSL certificate by using the generated QR code on the onboarding page. Users will then need to define the PAC file location (also displayed on the onboarding page) in the WiFi profile to get the proxy information.

Android - https://www.howtogeek.com/295048/how-to-configure-a-proxy-server-on-android/
iOS - https://www.howtogeek.com/293676/how-to-configure-a-proxy-server-on-an-iphone-or-ipad/


Post Install

Once the installation is complete, you will be presented with the Securus NET Terminal Interface.
Here you will find some troubleshooting options to help identify where a connection issue may lie.

I - System Information
This will show which cloud service the NET server is connected to, SSL certificate download link, Admin link and password, PAC file link, system uptime, CPU usage and storage usage.

S - Securus NET Status
This will show whether the NET services are up and connected.

P - Ping any address
Will allow you to ping internal or external devices to test for connectivity.

L - Update Licence
Allows you to update the licence. It can also be used to query the licensing server to check for connectivity outside of the network.

N - Network Information
This will show the network details that are currently assigned to the device. If no tunnel address is shown, please check your firewall and ensure the addresses listed in the Firewall Requirements section are whitelisted.

It is recommended that the connection and capture creation be tested once the installation is complete. Please refer to the Capture Testing section for advice on this.

If you get stuck or need any further help, please do not hesitate to contact the support team.

Download the Securus NET SSL Certificate

The Securus NET SSL certificate is generated during the install and is unique to every installation.

Please be aware that reinstalling the Securus NET server will generate a new certificate which would need to be deployed to your devices again.

To get the certificate you will need to open a web browser and go to:

http://server.ip.address/securus.crt

In some cases the browser may display the contents of the file instead of downloading it. If this happens, copy and paste all of the displayed text into a new Notepad file and save it with a .crt extension.

You can also find the certificate download URL by pressing I on the console screen for System Information.

The certificate will expire 5 years from the date of generation.

Download the PAC File (Optional)

A Proxy Auto-Config (PAC) file can be used to point devices to the proxy, useful for BYOD environments with unmanaged devices. The PAC file method replaces our previous transparent model.

Press I on the VM console to display the system information.

You will be given a URL to the PAC file. Go to the address in a web browser and the file will download automatically. In some cases the browser may display the contents of the file instead; if so, copy and paste the entire contents into a new Notepad file and save it as “proxy.pac”.

The PAC file can be applied through an MDM with the certificate at the same time.

Alternatively the PAC file can be used directly from the server by adding the URL given to you in the steps above into the WiFi profile.
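
Before the PAC file is rolled out, its routing decisions can be checked offline. The script below is an added example, not Securus code and not the PAC file the NET server generates: the server address 172.20.0.10, the sample PAC body and the test URLs are constructed, while port 3128 and the 172.20.* local exclusion come from the Capture Testing section.

```javascript
// Constructed sample PAC (assumptions: NET server at 172.20.0.10, local
// network 172.20.0.0/16). This is NOT the file Securus NET generates; paste
// the contents of your downloaded proxy.pac here to check the real one.
const SAMPLE_PAC = `
function FindProxyForURL(url, host) {
  // Single-label names and the local network bypass the proxy.
  if (isPlainHostName(host) || isInNet(host, "172.20.0.0", "255.255.0.0")) {
    return "DIRECT";
  }
  // Everything else goes through the NET proxy on port 3128.
  return "PROXY 172.20.0.10:3128";
}`;

// Offline shims for the PAC helpers a browser normally provides.
const isPlainHostName = (host) => !host.includes(".");

function shExpMatch(str, glob) {
  const re = glob.replace(/[.+^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*").replace(/\?/g, ".");
  return new RegExp("^" + re + "$").test(str);
}

function ipToInt(ip) {
  const p = ip.split(".");
  const valid = p.length === 4 && p.every((s) => /^\d{1,3}$/.test(s) && Number(s) <= 255);
  return valid ? p.reduce((acc, s) => acc * 256 + Number(s), 0) : null;
}

// Real isInNet() resolves host names through DNS; this shim only accepts
// IPv4 literals so the check runs offline.
function isInNet(host, net, mask) {
  const [h, n, m] = [host, net, mask].map(ipToInt);
  if (h === null || n === null || m === null) return false;
  return ((h & m) >>> 0) === ((n & m) >>> 0);
}

// Evaluate PAC source with the shims in scope and return FindProxyForURL.
function loadPac(source) {
  const factory = new Function("isPlainHostName", "shExpMatch", "isInNet",
    source + "\nreturn FindProxyForURL;");
  return factory(isPlainHostName, shExpMatch, isInNet);
}

// Run each case; ok is true when the first PAC directive is the expected one.
function checkPac(source, proxy, cases) {
  const find = loadPac(source);
  return cases.map(({ url, want }) => {
    const result = find(url, new URL(url).hostname);
    const expected = want === "proxy" ? "PROXY " + proxy : "DIRECT";
    return { url, result, ok: result.split(";")[0].trim() === expected };
  });
}

// Constructed test URLs.
const CASES = [
  { url: "https://en.wikipedia.org/wiki/Main_Page", want: "proxy" },
  { url: "http://172.20.1.5/", want: "direct" },
  { url: "http://intranet/", want: "direct" },
  { url: "http://172.20.example.com/", want: "proxy" },
];

for (const r of checkPac(SAMPLE_PAC, "172.20.0.10:3128", CASES)) {
  console.log(r.ok ? "ok  " : "FAIL", r.url, "->", r.result);
}
```

The last case is there because a text glob such as `shExpMatch(host, "172.20.*")` also matches host names that merely begin with `172.20.`, which would leave that traffic unmonitored; a PAC file that uses helpers other than the three shimmed here needs matching shims added.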

Changing Network Information Post Install

Changing the network details that are assigned to the device can be done post install if necessary. To do this, press N on the Securus NET Terminal Interface to take you to the Network Information screen.

Press E to edit the currently assigned details. This will show a screen asking which details to edit.

Press:

  • I to change the IP address.

  • N to change the Netmask address.

  • G to change the Gateway address.

  • D to change or add DNS address(es).

Type in your changes and press enter to complete. The process may take a few minutes to complete and you will be taken back to the Network Information screen once the change has been successfully made. The new details will be shown in this screen.

Generate WiFi QR Code (BYOD)

Press I for System Information; you will be given a URL to the Admin page and a password. The password is unique to each install and is only used on this page.

On this page it’s possible to generate a QR code for users to quickly join a WiFi network. The proxy PAC file location will then need to be defined in the WiFi profile before joining to apply the proxy.

Input the SSID name and Password in the correct fields, then type in the Admin page password shown on the VM console. Click Generate QR Code to finish. A success page will show if everything was entered correctly.

Display QR Codes (BYOD) - Onboarding Page

The QR codes for the certificate and WiFi network can be found on the onboarding page.

http://server.ip.address/onboarding.php

Users can scan the QR codes with their device camera to download the certificate and join the WiFi network. This page can be printed.

For BYOD environments, the PAC file will also need to be defined against the WiFi profile in order to receive the proxy information.

Change The Captive Portal AUP Images

The Captive Portal AUP logo and background can be changed in the Admin panel. Press I on the VM console to find the Admin page URL.

Click Browse… and select the file you want to upload, then click on the dropdown beneath to select whether the file should replace the Background or Logo.

Type in the admin password and then click Upload Image.

A success page will display if the file was uploaded correctly. Please contact support if this process fails for any reason.


Capture Testing

The final stage of the NET installation is to ensure the proxy is working by creating a test capture.

Explicit – Capture Test

Set a device’s proxy to the server’s IP address with port 3128 and make an exclusion for the local network – example 172.20.*. This will later need to be set for every device being monitored by NET and can be done via MDM. Alternatively, you can use the automatically created PAC file to provide the proxy information to the devices.

Our certificate will then need to be installed on the device.

Install the certificate as a root authority on the test machine (images for Windows below). If installing onto iOS, the certificate will also need to be trusted.

Windows
Mac
iOS
Android

Then go to Wikipedia and search for “AK47” and “Our Secret”.

If enabled during install, the Captive Portal login prompt will show. Log in with your Active Directory details and the webpage will continue to load as normal. You may also need to open a new tab and complete the search again.

This should then generate several captures that can then be viewed in the Securus console.

The proxy can now be deployed site wide using an MDM.

BYOD (PAC File) – Capture Test

Install the certificate to a device either through an MDM or by using the QR code and apply the PAC file location manually to the WiFi profile.

Android - https://www.howtogeek.com/295048/how-to-configure-a-proxy-server-on-android/
iOS -

Then go to Wikipedia and search for “AK47” and “Our Secret”.

If enabled during install, the Captive Portal login prompt will show. Log in with your Active Directory details and the webpage will continue to load as normal. You may also need to open a new tab and complete the search again.

This should then generate several captures that can then be viewed in the Securus console.


Troubleshooting and FAQ

I selected hostname authentication during install but I am still seeing the captive portal.

The captive portal will display when the hostname authentication fails on the device. This usually happens if Private WiFi is enabled on the iPad or the iPads are not registered correctly within your DNS.

If the hostname still fails with Private WiFi disabled then please contact the support team for further investigation.

Hostname authentication will also require a Reverse Lookup Zone within your DNS to properly populate the iPad hostnames within DNS.


Useful Information

Lightspeed MDM

If using Lightspeed MDM on site you should enable a setting called “Bypass captive login iOS10+”. This will fix any issues with the captive portal not loading or redirecting and WiFi disconnects when not authenticated.

Meraki MDM

As above, we’d recommend enabling “Bypass captive portal (for iOS10 and later)” in WiFi settings to ensure the WiFi will connect before authenticating with the captive portal.

Mosyle MDM

We would recommend enabling “Disable Captive Network Detection (iOS only)” in the Network information page.

As above, this will stop the WiFi from disconnecting on a device when the user is not authenticated with Securus NET.


Certificate Installation instructions

iOS:

Captive Portal Information

Document number/reference: SEC-KB-INST-001

Classification Level: Public

Related Labels:

Version Date Comment
Current Version (v. 84) Jun 14, 2024 11:26 Chris Collins