SchoolProtect - HTTPS Decryption Enabling At Your school
We strongly recommend enabling decryption, but it is something that should be done cautiously. We would recommend taking the following steps:
- Research the topic.
- Plan how you intend to roll it out in your school.
- Install the HTTPS certificate on your devices.
- Test, monitor and make adjustments to your filtering.
- Enable HTTPS Decryption.
Setting up HTTPS Decryption at your school
1. Research
HTTPS Decryption can be a complicated topic. It's vital to read the documentation available in order to fully understand the implications of enabling HTTPS Decryption and what's involved to roll it out. An FAQ is below. Please note if you do have any questions or encounter any issues, our Support Team is on hand to assist.
FAQ
What types of websites will be decrypted?
All websites will be decrypted apart from those that are under the default exclusion list and anything you add to your school's exclusion list. The full list can be seen by going to Policies >> HTTPS Decryption, clicking on Next, and at the bottom of the page you will see a button called See Decrypted Defaults.
You might have some problems
It will require some technical knowledge. We'd recommend working with your IT team.
It may be difficult to install certificates onto BYOD (Bring Your Own Devices). If HTTPS Decryption is enabled, most users will not know that their devices will need to have a certificate installed to be able to browse the web without having certificate errors. The solution to this would be to disable the HTTPS Decryption on the policy that the Wi-Fi is on, assuming that the mobile devices will connect to the internet via Wi-Fi.
There will be some sites that do not work when decrypted, and this may stop some of your products or services from working correctly. We do have a default list of websites that we do not recommend the school decrypt, such as banking sites, but this will not cover every site your products or services need. This means you may need to exclude some websites from being decrypted by going to Policies >> HTTPS Decryption and then the Advanced tab.
Concerns over HTTPS Decryption risking security
Nothing you type on a web page, including your passwords and personal information, will be visible to LGfL or anyone else. We exempt financial services from being decrypted.
What's different with the new decryption
Before it was just Google that was decrypted. Now everything is decrypted except for exclusions.
2. Plan
Like with any big change, we don't recommend rolling it out to everyone straight away. As highlighted above, you might run into some problems.
We would recommend rolling it out slowly. You can create policies targeted at any number of users or IP addresses, so an effective way of rolling it out would be to initially enable HTTPS decryption on policies that affect a small number of users, monitor the results, and then roll out more widely.
Think about which policies you ultimately want to decrypt. If your school's Wi-Fi range, for example, is going to be frequently accessed by BYOD, then perhaps it is best not to decrypt it (or at least provide instructions and a means for those users to obtain the certificate).
3. Installing Certificates
It's very important that the certificate is installed on any device being decrypted; otherwise you will have a degraded filtering experience. This includes users receiving messages regarding "suspicious certificates" or any other certificate errors. The certificate can be downloaded by anyone needing it from https://support.lgfl.org.uk/public/sslfiltx.crt
Please view this page for details on installing certificates. There are multiple options available, from rolling the certificate out centrally to installing it on individual devices. It is essential that certificates are installed, or that measures to prepare users to do this themselves are undertaken, before the service is enabled. You can roll out the certificate to any device ahead of time without any risk.
4. Testing, monitoring and making adjustments
Testing applications & devices
You should create a policy that can be used to test the websites, applications and devices in use at your school.
To do this:
- Log into SchoolProtect and go to Policies > Policy Configuration.
- Create a new policy and choose one of your existing policies (My establishment) as the source.
- Open the Settings > IP Definitions page and create a new IP range to cover your testing device(s) linked to the policy you just created.
- Go to Policies > HTTPS Decryption and toggle the Enable HTTPS Decryption switch for the policy.
- HTTPS decryption will be active after a few minutes. Ensure your device(s) have the certificate installed and begin your testing.
What to test
It is suggested that you run the following tests before enabling further policies:
- Ensure the devices boot up and connect to the internet without errors.
- Make sure the devices can be managed by the MDM/cloud platform (e.g. Azure AD/Google Admin Console).
- Run OS updates/upgrades on the devices and ensure these download correctly.
- Connect a device which has not been set up/enrolled in MDM/AD and determine if these can be enrolled without errors. Note: You may need to keep an IP range excluded from decryption for this purpose.
- Open each application and ensure they can log in and function correctly.
- Run application updates to ensure they download correctly.
As well as testing user devices such as PCs, mobiles, tablets, Chromebooks, etc., make sure you test other internet connected devices, for example:
- Printers
- Cameras
- Phone systems & handsets
- Building management (e.g. door controllers, heating systems, etc.)
- Connected alarm systems (e.g. fire alarms, intruder alarms, etc.)
Devices that are not used to browse the internet can be completely excluded from decryption, either by including them in a policy that does not have HTTPS decryption enabled or by adding IP exclusions as explained in the next section.
Most websites will not be affected by enabling HTTPS decryption if the certificate is installed on the system, however, it is best to check sites that the school relies on such as your MIS, cloud provider or payments systems.
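A command-line check for the testing step above, added here as an example and not part of the SchoolProtect documentation: it compares the issuer of the certificate a device actually receives from a site with the subject of the filtering CA, so you can see whether a given site is being decrypted or passed through, and whether the chain verifies once the CA is installed. It assumes openssl is available, that the CA was saved locally as sslfiltx.crt, and that decrypted sites are signed directly by that CA rather than by an intermediate.

```shell
#!/bin/sh
# Added example (not SchoolProtect's own tooling). Assumes openssl is installed
# and the filtering CA from the download link was saved as sslfiltx.crt.
CA_FILE="${CA_FILE:-sslfiltx.crt}"

# Subject of the filtering CA, with the "subject=" prefix stripped.
ca_subject() {
    openssl x509 -in "$CA_FILE" -noout -subject | sed 's/^subject=[[:space:]]*//'
}

# Issuer of the leaf certificate a host presents to this device.
site_issuer() {
    host="$1"
    openssl s_client -connect "$host:443" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -noout -issuer | sed 's/^issuer=[[:space:]]*//'
}

# "decrypted" when the observed issuer is the filtering CA (assumes leaf
# certificates are signed directly by it), "passthrough" otherwise.
classify() {
    issuer="$1"; ca="$2"
    if [ "$issuer" = "$ca" ]; then echo decrypted; else echo passthrough; fi
}

# Report for one host: decrypted or not, and whether the chain verifies when the
# filtering CA is trusted (what a device with the certificate installed sees).
check_host() {
    host="$1"
    issuer=$(site_issuer "$host")
    state=$(classify "$issuer" "$(ca_subject)")
    if [ "$state" = decrypted ]; then
        if openssl s_client -connect "$host:443" -servername "$host" -CAfile "$CA_FILE" \
               </dev/null 2>/dev/null | grep -q 'Verify return code: 0 (ok)'; then
            detail="chain verifies with $CA_FILE installed"
        else
            detail="chain does NOT verify with $CA_FILE (expect certificate errors)"
        fi
    else
        detail="issuer: $issuer (excluded or not on a decrypting policy)"
    fi
    echo "$host: $state; $detail"
}

# Usage: sh check_decrypt.sh example.org another.example.net
for h in "$@"; do check_host "$h"; done
```

Run it from a device on the policy under test once, then again from a device without the certificate, to confirm which sites produce errors and need an exclusion.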
Adding exclusions
Excluding domains
Your testing will likely highlight certain domains that need to be excluded from decryption. These can be added to your school exclusion list.
- In SchoolProtect, open the Policies > HTTPS Decryption page.
- Under the Advanced tab, use the New URL Exclusion button to add identified domains to your exception list.
Excluding IP addresses
You can also add IP addresses or ranges to completely bypass decryption for certain devices. This works best for internet-of-things devices that aren’t used to browse the internet. You may need to set static IP addresses or DHCP reservations for your devices to ensure they keep the same address.
- In SchoolProtect, open the Policies > HTTPS Decryption page.
- Under the Advanced tab, use the New IP Range Exclusion button to add IP addresses or ranges to be excluded from decryption completely.
5. Enabling Decryption
Once you have tested your devices and applications and added the required exclusions, you can start turning on decryption for your policies.
From the Policies > HTTPS Decryption page in SchoolProtect, simply use the toggle buttons next to each policy to enable decryption.
By clicking on the See Decrypted Defaults button at the bottom of the page you can view all the websites that are currently in our default exclusion list (we do not decrypt these websites).
Technical details
The service works by intercepting HTTPS connections to all websites where it is necessary to examine the URL that would normally be partially obscured from the filtering service due to encryption (HTTPS) by the website provider. These encrypted connections are transparently inspected by redirecting HTTPS connections to the SchoolProtect platform where data will be decrypted and checked by SchoolProtect policies to determine appropriateness. If the content is permitted according to the establishment's chosen and locally-applied SchoolProtect filtering policies, then the data will be re-encrypted and a new connection made to the destination website.