Installing HomeProtect on Windows
Prerequisites
Windows 10
Software deployment tools or access to each device to manually install the MSI
HomeProtect welcome email from LGfL. If you do not have this, please register at homeprotect.lgfl.net.
Before deploying the client filter, please test applications that will be used as some may not work with the HTTPS decryption that is used to inspect the traffic. Instructions for excluding certain domains from being decrypted can be found in the White/Blacklisting URLs section below.
Deployment Scenarios
There are different ways to connect your devices to your school filtering policy. Please read through the options and decide which will work best before continuing.
Google/Microsoft Sign In
This is the default option whereby no configuration is necessary as long as your Google/Microsoft domain name was given on the sign up form. When the device is first used outside of the school network, the user will be prompted to sign in with a Google or Microsoft account.
This should only need to be done once and the login name is remembered from that point onwards.
Azure AD Joined SSO
If your devices are joined to Azure AD and the domain name was given on the signup form, the devices will log in automatically without any prompts. No further configuration is required besides joining the devices to Azure AD.
Active Directory UPN SSO
If your devices are joined to Active Directory, the User Principal Name can be registered in HomeProtect to achieve single-sign-on. You can find the UPN by looking at the properties for a user on the Account tab.
Please send the UPN suffix (the second box) to homeprotect@lgfl.net so we can register the domain.
Command Line Installation Parameter
If none of the other options are suitable, you can use a command line to associate the installation with your policy. In your welcome email, you will have been given a group name which will start cfdefault@.
Download the batch file from here, open the file in Notepad (right-click>Edit) and find the line SET group=. Add your group name including the cfdefault@ straight after the = e.g:
SET group=cfdefault@example.com
Make sure the batch file is in the same directory as the downloaded installer.
Installation
-
Download the Windows HomeProtect Client Installer:
-
Run the installer or use your deployment solution (e.g. Group Policy, SCCM, InTune, etc.).
Restart the devices.
Prevent Bypass
It is important that pupils cannot uninstall or tamper with the software to prevent attempts to bypass the filtering.
Pupil users must not be administrators as they could easily uninstall or disable the filter.
User Experience
By default, when the device is first used outside of the school network, the user will be prompted to sign in with a Google or Microsoft account unless SSO has been set up (see the Deployment Scenarios section above).
This should only need to be done once and the login name is remembered from that point onwards.
Once they have signed in, they will be able to browse the internet, filtered by your school policy. If the user can’t get past the sign in screen, please follow the troubleshooting steps below.
If the user tries to navigate to a blocked site, they will see a HomeProtect block page.
Websites and Content Considerations
YouTube Mode
YouTube is allowed by this filtering service. However, it is important that you apply one of the restricted modes to your pupils by using the instructions below. You can choose between moderate restricted (most secondaries prefer this and it is more relaxed) and strict restricted (most primaries use this and it is the most strict, but may block videos you want pupils to see – if this is the case you can whitelist them – see YouTube.lgfl.net for how to do this).
In Windows, the hosts file is used to redirect YouTube requests to the correct address for either mode.
-
Download the hosts file for the YouTube mode you select:
Copy the file into c:\windows\system32\drivers\etc\hosts, overwriting the existing hosts file (if you have previously deployed a custom hosts file for any other reason, then you should merge the files together first).
For more details, see www.youtube.lgfl.net or https://support.google.com/a/answer/6212415?hl=en
Search Engines
Search engines are limited to those that we can enforce safe search on. This includes:
Vimeo
Vimeo.com is blocked as a lot of videos are very inappropriate for pupils and there is no way to enforce safe search. The embedded version of Vimeo (player.vimeo.com) is unblocked as there are many educational resources using Vimeo to host videos. This allows embedded videos to play on sites that are unblocked. This is a compromise – it allows sites to function and stops students searching on Vimeo; at the same time though, an enterprising student could find a video code on another device and combine that with the allowed player url to access an inappropriate video. You can use the management console to either block player.vimeo.com to prevent all access to Vimeo content, allow vimeo.com (strongly not recommended) to allow the whole of Vimeo to be accessible to your students including the unsuitable material or add individual video URLs to the allow list to allow direct browsing to specific, approved videos.
Troubleshooting
Issues Logging In
If HomeProtect does not recognise the domain name that the user has signed in with, they will be taken back to the sign in page. Under the ‘Technical Details’ button it will show ‘no login name or password’.
The first thing to check is the domain name of the user account matches the domain name supplied during sign-up. If the registered domain is incorrect, please contact support who will correct it. Please note, it is the domain name of the user, not the primary domain for the Google or Microsoft tenancy.
If you have confirmed the domain name is correct the other potential cause of login issues is where the Microsoft or Google domain is ‘federated’ with a 3rd party identity provider or internal ADFS server and the service is being blocked by HomeProtect. This will generally mean that the user does not get the opportunity to even enter their password and are taken back to the sign in page instead.
Most common federated identity providers have been whitelisted in HomeProtect, but if yours does not work, please contact support who will work out and whitelist the required addresses.
Websites not loading despite being added to the Allow List
Many websites have multiple dependent addresses that all need to be allowed for the website to properly work. The easiest way to work out which addresses need to be added to the Allow list is to use the developer tools in Chrome to see which domains a site calls. Open the Network tab and reload the page. Make sure you have the Domain column visible (right click the column headings to add it). You will see all the domains the site requires:
Test and fix applications
The client filter works by running a proxy server on the PC and passing all traffic through this proxy. The proxy server decrypts HTTPS requests so that the whole URL can be processed. HTTPS decryption works well in web browsers and most applications, however, some applications will not be compatible and will not be able to connect to the internet.
The whitelist is used to prevent certain applications or domains from being processed by the filter.
To edit the whitelist, you will need to install the client filter on a reference PC which contains the applications you want to test.
Install the HomeProtect Client Filter on your reference PC as per instructions above.
Open Control Panel > LGfL HomeProtect Safe Browser… > Filter Settings.
Open the Requests Logs tab to see the live traffic from your PC.
Run the application that has been identified as not working. You should see the requests that all applications on your PC are making with the URL and application name (module).
Right-click the request from the application that you have just launched and click add Module to whitelist.
Set the action to ALLOW ALWAYS and click Ok.
Open the File menu and click Save (don’t forget this step as you won’t be prompted to save if you close the window).
Test the application. If it still does not work, repeat the steps and look at the requests tab again as sometimes applications need many different executables whitelisted to fully function.
Repeat steps 2-10 for each application. Once the whitelist is built, distribute it to clients by following the instructions below.
Please note that by whitelisting an executable, this program will have unrestricted internet access. This is generally fine for single-purpose applications but be aware, if an application has browser-like functionality, it might allow users to easily bypass the filter.
If you need to whitelist limited URLs for an application, in steps 4 and 5, look for requests starting with decrypt://, right-click the request and choose Add URL to whitelist. Select ALWAYS BLOCK as the action. This will exclude the selected domain from decryption. You may have to repeat this for many different domains. All the rest of the steps above are the same.
Deploying the Whitelist
Once you have the whitelist configured from the previous section, you will need to copy the file and deploy it to the clients.
Copy the file C:\Program Files (x86)\Netsweeper Client Filter\liger.cfw.
Use your deployment process to overwrite this file after the client filter is installed. The PCs (or NSFX Service) will need to be restarted to pick up the new whitelist.
Contacting Support
If you face any issues or just need some help or guidance, please email homeprotect@lgfl.net. To help us to resolve your issue as quickly as possible, please include the following information:
School and authority/MAT details.
Name of person who completed the sign up form if it is not yourself.
Platform (Chrome, Windows, iOS).
A screenshot of the block page. Please click Technical Details and ensure the text is included.
OS and browser versions.
Full Google/Microsoft username of the pupil/test account (including domain name).
Steps to reproduce the problem.