Securly is a combined DNS- and proxy-based web filtering system. It works with Google OpenID federated login and automatic proxy configuration to filter individually by account group. Securly uses the existing Google Apps OU structure to provide hooks for filtering policy.

 

Admin Login

Securly Admin Login: http://useast-www.securly.com/

Setup Instructions

Securly DNS Setup: Securely Setup - East DNS.pdf

Securly Proxy Setup: east_coast_chromebook.pdf

Securly SSL MITM Cert: securly_mitm_cert.pem

Securly Proxy Bypass for Untangle

By default, Untangle prevents proxy access from inside the network. Because all 1:1 Chromebooks will be required to use this proxy, much of that legitimate traffic would be blocked.

To prevent this, we will bypass the Securly proxy server addresses using Untangle's built-in UVM bypass system. The following addresses should be bypassed:

  • useast1-proxy.securly.com
  • useast-1.securly.com
  • useast-2.securly.com
  • useast-3.securly.com
  • useast-4.securly.com
  • useast-5.securly.com
  • useast-6.securly.com
  • useast-7.securly.com
  • useast-8.securly.com

Networking->Advanced->Bypass Rules



Setup

For use on general networks the DNS forwarders below should be used.

DNS Forwarders

  • Primary: 184.72.238.71
  • Secondary: 184.72.283.58
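
A pre-flight check for the forwarder and bypass values listed on this page, added here as an example (not Securly's or Untangle's own tooling): it rejects forwarders that are not valid, publicly routable IPv4 addresses and bypass hostnames that are malformed or outside securly.com, since a mistyped bypass entry would exempt an unrelated host from Untangle. The function names and the securly.com suffix check are assumptions of this example.

```python
import ipaddress
import re

# Values copied from this page as written.
DNS_FORWARDERS = {"Primary": "184.72.238.71", "Secondary": "184.72.283.58"}
BYPASS_HOSTS = ["useast1-proxy.securly.com"] + [
    f"useast-{n}.securly.com" for n in range(1, 9)
]

# One DNS label: 1-63 chars, letters/digits/hyphen, no leading or trailing hyphen.
LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def check_forwarder(name, value):
    """Return a problem string for a forwarder entry, or None if it is usable."""
    try:
        addr = ipaddress.IPv4Address(value)
    except ipaddress.AddressValueError as exc:
        return f"{name} forwarder {value!r}: not a valid IPv4 address ({exc})"
    if not addr.is_global:
        return f"{name} forwarder {value!r}: not a publicly routable address"
    return None


def check_bypass_host(host, expected_suffix=".securly.com"):
    """Return a problem string for a bypass hostname, or None if it looks right."""
    h = host.strip().lower().rstrip(".")
    if len(h) > 253 or not all(LABEL.match(label) for label in h.split(".")):
        return f"bypass host {host!r}: not a well-formed hostname"
    if not h.endswith(expected_suffix):
        return f"bypass host {host!r}: outside {expected_suffix}"
    return None


def preflight(forwarders=DNS_FORWARDERS, bypass_hosts=BYPASS_HOSTS):
    """Collect every problem found in the forwarder and bypass lists."""
    problems = [check_forwarder(n, v) for n, v in forwarders.items()]
    problems += [check_bypass_host(h) for h in bypass_hosts]
    if len(set(forwarders.values())) < len(forwarders):
        problems.append("forwarders: primary and secondary are identical")
    return [p for p in problems if p]


if __name__ == "__main__":
    for problem in preflight():
        print("PROBLEM:", problem)
```

Run against the values as written here, it reports the secondary forwarder, because 283 is not a valid IPv4 octet; confirm that address against the Securly DNS setup document before entering it.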

Proxy Auto Configuration Script

Google Apps Proxy Controls

Proxy settings must be configured in the user settings under the network heading. Select "Always use the proxy auto-config specified below" and insert the config script (PAC) in the box below. Google also allows proxies to be configured for specific networks, but these settings should be reserved for special implementations.

DNS Filtering

CCA will not be using the DNS filtering side of Securly, since we do not want to change our entire network filter. When students access the Securly proxy via registered IP addresses from the CCA network, a separate policy will be applied.

Management

Google Apps OU + User Import

Securly needs to import user and OU data from the Google domain; this can be done via the Policy Map tab.

 

Dashboard

Displays quick facts for tracking filter effectiveness.

 

Creating New Policies

New filtering policies are created via the policy editor. Here I have created a policy for the Chromebook pilot and excluded it from the Take-Home Policy for now.

In this test policy I also blacklisted cnn.com and enabled email alerts on attempts to access blacklisted sites.

Take-Home Policy

The Take-Home Policy is a special policy that gets applied (unless exempted) when the proxy sees traffic originating from outside the school's registered IP addresses.

Applying policies to Google OUs

The Policy Map tab allows policies to be applied to OUs as necessary. In the picture below I have applied the ChromeBook Pilot Policy to the ccaschools.org/Chromebooks/Chromebook+Pilot OU.

 

User Login Settings

Several settings are important to note.

If Force Logins is enabled, when a device is used outside the school's registered IP addresses, the proxy will require users to log in, allowing for more in-depth auditing and for policies other than the base policy to be enforced. The base policy will be enforced if the user is not forced to log in or if they have no policy assigned to their OU.

If Auto-login Take-home Users is enabled, after the first login via an external IP the user will be logged on automatically, without any interaction, so that in-depth auditing and the correct filtering policies are applied.