Securus NET Installation Guide

Securus Net is a proxy that can be setup in either transparent or explicit mode to monitor network traffic from all network based devices.

NET sits as the middle man on the network, authenticated machines using the network would communicate through the NET proxy service. Packets are subject to Securus analysis where words and phrases are matched against the proprietary dictionary of terms. Any dictionary matches will result in an ‘event call’ where the software uses packet information to call on the website to produce the screenshot. Packet information regarding date & time and machine information will be sent along with the image.

NET can be installed to a virtual server or onto physical hardware, please refer to the Installation section below for product requirements and which installation options to use for a given scenario.

Securus NET can also integrate with other existing proxies to form a proxy chain. NET will come first in this chain, and then others will follow.

NET can be installed to a virtual machine (HyperV or VMware) in explicit mode or to standalone hardware in transparent or explicit mode. We can only support transparent configurations on hardware.

Recommended Specification

Up to 800 connections

• 4 Core Processor

• 8GB RAM

• Minimal storage space of 60GB (captures held in our cloud service)

• No operating system required

• NIC/Dual Network Card (Transparent only)

• Generation 1 VM (if using HyperV, Explicit only)

Up to 2500 connections

• 8 Core Processor

• 12GB RAM

• Minimal storage space of 60GB (captures held in our cloud service)

• No operating system required

• NIC/Dual Network Card (Transparent only)

• Generation 1 VM (if using HyperV, Explicit only)

2500+ Connections

• Server specification outlined in each case before implementation.

Please note that captures will broadcast to our highly secure cloud environment. You will be provided login details to the Capture Management portal to view the capture data.

Captures only occur in cases where a library term has been detected over the network. If you require an entirely on-site solution (XT server and NET), please contact us directly on 0330 124 1750 to discuss viability and options.

• iOS 13 or higher

• Android 4.4.2 or higher

We recommend whitelisting the following addresses and ports on the firewall to allow full communication to our services.

• Net1.securus-software.com

  • 167.99.94.236

• Net-license.securus-software.com

• Support.prosyscor.com

CentOS Mirrors:

• mirrors.fedoraproject.org

• mirrorlist.centos.org

Ports:

• 443 and 80 TCP

Installing in explicit mode would require the Securus NET proxy to be defined on the devices that are to be monitored. This can be automated to a number devices using an Mobile Device Management (MDM) service or individually on each device.

Explicit installs can be better for networks where only a small number of static devices (such as Apple Macs) need to be monitored.

Burn the ISO to a disc or USB and insert if installing to hardware or simply mount it to a new Virtual Machine.

Boot the server from disc/ISO to start.

Open

Press Enter on Install Securus NET to start the installation process and configure the following options when prompted.

Which Securus Cloud server do you belong to?

Open

This defines the server you will be connecting to – i.e. cloud08. This will be provided by Securus support in the setup email.

Which OU does your school belong to?

Defines your schools OU on the server – i.e. LeatherheadPrimarySchool. This will have been provided in your initial installation email.

Which IP address should I use?

The IP address that you are allocating to the Net installation.

Which gateway should I use?

Type in Your gateway address.

Which DNS addresses should I use?

Enter your DNS addresses, separated by commas as shown in the example above.

Which Netmask should I use?

Enter your netmask address.

Do I require a proxy?

Type Y or n.

If Yes, enter your proxy information if required.

Which authentication method would you like to use?

This option is for the authentication method the Captive Portal will use to handle logins. For more information on the Captive Portal, please click here.

1. LDAP

   • Will use LDAP, integrating with your Active Directory. Users will need to login with their Active Directory details. This will also provide their Active Directory username for the capture information.

2. Google

   • Will use Google’s SSO authentication within the Captive Portal.

     This is best for 1:1 device assignments as Google’s authentication will usually keep the same user logged in once they have authenticated with a device. With Google SSO enabled, the captive portal will redirect to the Google login page and will log the user into their Google account via browser session. Securus NET will grab these details from the browser session and use the domain and username for captures.

     Users will need to log out of any Google account sessions manually and left idle for more than 3 minutes (configurable) to force re-authentication for a new user in shared device environments.

3. Azure

   • Will use Azure SSO authentication within the Captive Portal.
     Similar to Google, this is best for 1:1 devices and users will need to sign out from Microsoft within their browser sessions to allow a new user to sign in with shared device environments.

4. MAC as username

   • Will hide the Captive Portal (no login necessary) and will attempt to use the devices MAC address as the username for captures.

5. Hostname as username

   • Will hide the Captive Portal (no login necessary) and will attempt to use hostname of the device as the username on captures.

6. Radius

   • Like option 1, this enables the Captive Portal with LDAP authentication and also enables Radius support. Once this option is selected, the server will look for and accept Radius network packets that are pushed to it.

7. None

   • Will disable the Captive Portal entirely and will display the devices IP address as the username instead.

You will be asked to confirm that the settings are correct. Type ‘Y’ and press enter to continue.

If you have made a mistake, type ‘n’ and press enter and select which section you would like to change. Network settings can also be changed post install.

Press:

1. To change the cloud information or OU name.

2. To change the network information assigned to the device.

3. To change the selected authentication method.

After this process the network configuration utility will start.

If one network device is detected, the installer will automatically select Explicit and will continue with the installation.

If more than one network device is detected, a prompt will ask if the server is to be installed in transparent or explicit mode.

Press E for explicit and then press enter to confirm your choice.

The next prompt will then ask you to connect the Internet line to the appropriate port and will detect that the link is established.

The installation will now begin and can take up to 15 minutes to complete.

Once the install has finished, you will be presented with the Securus NET console screen. Please move onto the Post Install section.

Installing transparently is most useful when there are multiple devices entering and leaving the school network on a regular basis (mobile phones and laptops etc). Devices entering the network will automatically be monitored by Securus NET.

Burn the ISO to a disc or USB and insert if installing to hardware or simply mount it to a new Virtual Machine.

Boot the server from disc/ISO to start.

Press Enter on Install Securus NET to start the installation process and configure the following options when prompted.

Which Securus Cloud server do you belong to?

This defines the server you will be connecting to – i.e. cloud08. This will be provided by Securus support in the setup email.

Which OU does your school belong to?

Defines your schools OU on the server – i.e. LeatherheadPrimarySchool. This will be provided by Securus support in the setup email.

Which IP address should I use?

The IP address that you are allocating to the Net installation.

Which gateway should I use?

Type in Your gateway address.

Which DNS addresses should I use?

Enter your DNS addresses, separated by commas as shown in the example above.

Which Netmask should I use?

Enter your netmask address.

Do I require a proxy?

Type Y or n.

If Yes, enter your proxy information if required.

Which authentication method would you like to use?

This option is for the authentication method the Captive Portal will use to handle logins. For more information on the Captive Portal, please click here.

1. LDAP

   • Will use LDAP, integrating with your Active Directory. Users will need to login with their Active Directory details. This will also provide their Active Directory username for the capture information.

2. Google

   • Will use Google’s SSO authentication within the Captive Portal.

     This is best for 1:1 device assignments as Google’s authentication will usually keep the same user logged in once they have authenticated with a device. With Google SSO enabled, the captive portal will redirect to the Google login page and will log the user into their Google account via browser session. Securus NET will grab these details from the browser session and use the domain and username for captures.

     Users will need to log out of any Google account sessions manually and left idle for more than 3 minutes (configurable) to force re-authentication for a new user in shared device environments.

3. Azure

   • Will use Azure SSO authentication within the Captive Portal.
     Similar to Google, this is best for 1:1 devices and users will need to sign out from Microsoft within their browser sessions to allow a new user to sign in with shared device environments.

4. MAC as username

   • Will hide the Captive Portal (no login necessary) and will attempt to use the devices MAC address as the username for captures.

5. Hostname as username

   • Will hide the Captive Portal (no login necessary) and will attempt to use hostname of the device as the username on captures.

6. Radius

   • Like option 1, this enables the Captive Portal with LDAP authentication and also enables Radius support. Once this option is selected, the server will look for and accept Radius network packets that pushed to it.

7. None

   • Will disable the Captive Portal entirely and will display the devices IP address as the username instead.

You will be asked to confirm that the settings are correct. Type ‘Y’ and press enter to continue.

If you have made a mistake, type ‘n’ and press enter and select which section you would like to change. Network settings can also be changed post install.

Press:

1. To change the cloud information or OU name.

2. To change the network information assigned to the device.

3. To change the selected authentication method.

After this process the network configuration utility will start.

A prompt will ask if the server is to be in transparent or explicit mode.

Press T for transparent and then press enter to confirm your choice.

The next prompt will then ask you to connect the Internet line to the appropriate port and will detect that the link is established. It will then ask you for the LAN line and perform the same link check.

The installer will then run through the rest of the install process and you will be presented with the Securus NET Terminal Interface. Please move onto the Post Install section at this point.

Once the installation is complete, you will be presented with the Securus NET Terminal Interface.
Here you will find some troubleshooting options to help identify where a connection issue may lie.

I - System Information
This will show which cloud service the NET server is connected to, SSL certificate download link, system uptime, CPU usage and storage usage.

S - Securus NET Status
This will show whether the NET services are up and connected.

P - Ping any address
Will allow you to ping internal or external devices to test for connectivity.

L - Update Licence
Allows you to update the licence, can also be used to query the licensing server to check for connectivity outside of the network.

N - Network Information
This will show the network details that are currently assigned to the device. If no tunnel address is shown, please check your firewall and ensure the addresses listed in the Firewall Requirements section are whitelisted.

It is recommended that the connection and capture creation be tested once the installation is complete. Please read on for the next steps depending on the installation type.

If you get stuck or need any further advice, please do not hesitate to contact the support team.

Download the Securus NET SSL Certificate

The Securus NET SSL certificate is generated during the install and is unique to every installation.

Please be aware that reinstalling the Securus NET server will generate a new certificate, this new certificate would need to be rolled out to the devices before the new NET installation will work correctly.

To get the certificate you will need to open a web browser and go to:

Where <IPADDRESS> is the internal IP address of the server you just installed.

If the certificate doesn’t download automatically, you can copy the displayed text into a new Notepad file and save it as a .crt format.

You can also find the URL to download the link by pressing I on the console screen for System Information.

The certificate will expire 5 years from the date of generation.

Changing Network Information Post Install

Changing the network details that are assigned to the device can be done post install if necessary. To do this, press N on the Securus NET Terminal Interface to take you to the Network Information screen.

Press E to edit the currently assigned details. This will show a screen asking which details to edit.

Press:

• I to change the IP address address.

• N to change the Netmask address.

• G to change the Gateway address.

• D to change or add DNS address(es).

Type in your changes and press enter to complete. The process may take a few minutes to complete and you will be taken back to the Network Information screen once the change has been successfully made. The new details will be shown in this screen.

The final stage of the NET installation is to ensure the proxy is working by created a test capture.

Explicit – Capture Test

Set a devices proxy to the server’s IP address with port 3128 and make an exclusion for the local network – example 172.20.*. This will later need to be set for every device being monitored by NET and can be done via MDM.

Our certificate will then need to be installed on the device.

Install the certificate as a root authority on the test machine (images for Windows below). If installing onto iOS, the certificate will also need to be trusted.

Then go to Wikipedia and search for AK47. If enabled during install, the Securus NET Captive Portal will show.

Login with your Active Directory details and the webpage will continue to load as normal. You may also need to open a new tab and complete the search again.

This should then generate several captures that can be then viewed in the Securus console.

Other phrases that can be used to test with are “ISIS”, “Fortnite”, “Roblox, or “Our Secret”.

The proxy can now be deployed site wide to mobile devices using an MDM.

Transparent – Capture Test

Our certificate will then need to be installed on the device, this can be downloaded from here. Install the certificate as a root authority on the test machine (instructions below).

Install our certificate onto test machine (a laptop if available) and plug it into the second ethernet port. Install the certificate as a root authority on the test machine (instructions below).

Once this is done, attempt to browse the internet.

If enabled, the Securus NET server will block your connection and put up the Captive Portal and will ask you to login. Your Active Directory IP address should have been entered during the install, so it will already be linked to the schools Active Directory.

Login with your Active Directory credentials. Once a successful login has occurred, you will be prompted to continue browsing the internet.

Generate a test capture by browsing to Wikipedia and searching for AK47.

This should then generate several captures that can be then viewed in the Securus console.

Other phrases that can be used to test with are “ISIS”, “Fortnite”, “Roblox, or “Our Secret”.

The server will then to be deployed in line, between the firewall/router stack and the LAN or wireless network, depending on your network configuration.

I selected hostname authentication selected during install but I am still seeing the captive portal.

The captive portal will display when the hostname authentication fails on the device. This usually happens if Private WiFi is enabled on the iPad or the iPads are not registered correctly within your DNS.

If the hostname still fails with Private WiFi disabled then please contact the support team for further investigation.

Hostname authentication will also require a Reverse Lookup Zone within your DNS to properly populate the iPad hostnames within DNS.

https://activedirectorypro.com/configure-dns-reverse-lookup-zones-ptr-records/

https://bobcares.com/blog/set-rdns-in-windows-name-servers/

Lightspeed MDM

If using Lightspeed MDM on site you should enable a setting called “Bypass captive login iOS10+”. This will fix any issues with the captive portal not loading or redirecting and WiFi disconnects when not authenticated.

Meraki MDM

As above, we’d recommend enabling “Bypass captive portal (for iOS10 and later) in WiFi settings to ensure the Wifi will connect before authenticating with the captive portal.

Certificate Installation instructions:
iOS: https://support.apple.com/en-gb/HT204477#:~:text=If%20you%20want%20to%20turn,Mobile%20Device%20Management%20(MDM).

Captive Portal Information:

Document number/reference: SEC-KB-INST-001

Classification Level: Public

Related Labels: