This article explains how affected schools can manage Encrypted Client Hello (ECH), which can interfere with filtering.
Is my school affected?
ECH affects only some schools. You only need to follow these instructions and manage ECH if your school uses:
- Linewize Connect Windows/macOS agent in WEB mode OR
- Linewize School Manager inline appliance to filter unmanaged Bring Your Own (BYO) devices
No other schools or configurations are affected or need to take any action.
What is Encrypted Client Hello?
ECH is a privacy feature of TLS, now supported by major web browsers, that encrypts the Server Name Indication (SNI) sent at the start of a connection. Because the SNI is the field that domain-based web filters read, ECH makes it harder to filter content by domain name.
In the configurations listed above, School Manager can't filter websites that use ECH when ECH is turned on, because the SNI it relies on is encrypted. This means users can reach content that should be blocked.
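To make concrete why SNI-based filtering stops working, here is an added example written for this article; it is not Linewize's or School Manager's code. It builds two constructed TLS ClientHello records, one carrying a plain SNI and one carrying an ECH extension (type 0xfe0d, with a placeholder payload) where only the public "outer" name is visible, then runs a small parser over both. The parser shows that a filter can no longer see the real hostname once ECH is present, but can still recognise that ECH is in use from the extension type, which is what a signature-based policy relies on. The helper names, the domain names and the blocked-domain list are assumptions made for the example.

```python
"""Added example (not Linewize code): why SNI filtering fails under ECH."""
import struct

SNI_EXT = 0x0000   # server_name extension
ECH_EXT = 0xFE0D   # encrypted_client_hello extension (draft-ietf-tls-esni)


def build_client_hello(extensions):
    """Construct a synthetic TLS record holding a ClientHello with the given
    extensions (list of (type, body) tuples). Random, session id and cipher
    suites are dummies; this is constructed input for the example only."""
    ext_bytes = b"".join(struct.pack("!HH", t, len(b)) + b for t, b in extensions)
    body = (
        b"\x03\x03"                 # legacy_version TLS 1.2
        + b"\x00" * 32              # random (dummy)
        + b"\x00"                   # legacy_session_id length 0
        + b"\x00\x02\x13\x01"       # cipher_suites: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"               # compression_methods: null
        + struct.pack("!H", len(ext_bytes)) + ext_bytes
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def sni_extension(hostname):
    """Build a server_name extension body for one host_name entry."""
    name = hostname.encode()
    entry = b"\x00" + struct.pack("!H", len(name)) + name       # name_type host_name
    return (SNI_EXT, struct.pack("!H", len(entry)) + entry)


def parse_client_hello(record):
    """Return (visible_sni, has_ech) for a TLS ClientHello record."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake ClientHello")
    hs_len = int.from_bytes(record[6:9], "big")
    body = record[9:9 + hs_len]
    pos = 2 + 32                                   # skip version + random
    sid_len = body[pos]; pos += 1 + sid_len
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2 + cs_len
    cm_len = body[pos]; pos += 1 + cm_len
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    end = pos + ext_len
    sni, has_ech = None, False
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
        data = body[pos:pos + elen]; pos += elen
        if etype == ECH_EXT:
            has_ech = True
        elif etype == SNI_EXT:
            # 2-byte list length, 1-byte name_type, 2-byte name length, name
            name_len = struct.unpack("!H", data[3:5])[0]
            sni = data[5:5 + name_len].decode()
    return sni, has_ech


def filter_decision(record, blocked_domains):
    """What a domain-based filter can decide from the ClientHello alone."""
    sni, has_ech = parse_client_hello(record)
    if has_ech:
        # The visible SNI is only the outer/public name; the real name is
        # inside the encrypted payload, so a plain domain match is unreliable.
        return "inspect-or-block"
    if sni and any(sni == d or sni.endswith("." + d) for d in blocked_domains):
        return "block"
    return "allow"


# Constructed samples: a normal hello, and an ECH hello whose visible SNI is
# only the hosting provider's public name (domain names are placeholders).
PLAIN_HELLO = build_client_hello([sni_extension("games.example")])
ECH_HELLO = build_client_hello([
    sni_extension("public-name.cdn.example"),
    (ECH_EXT, b"\x00" * 8),      # placeholder ECH payload, not a real ECHClientHello
])

if __name__ == "__main__":
    blocked = ["games.example"]
    for label, rec in (("plain", PLAIN_HELLO), ("ech", ECH_HELLO)):
        print(label, parse_client_hello(rec), filter_decision(rec, blocked))
```

Run as-is, the plain record yields the real hostname and is blocked by the domain list, while the ECH record exposes only the public outer name and has to be handled by the ECH signature instead. One caveat when tuning such a signature: browsers also send a "GREASE" ECH extension with random contents when no ECH configuration is available for a site, so a match on the extension alone does not prove the real name was hidden, which is part of why blocking on the signature also catches legitimate sites.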
Before you begin
Block UDP ports 80 and 443 on your school's firewall. This stops browsers from using QUIC (Quick UDP Internet Connections), which can bypass filtering and allow access to undesirable websites and content.
Manage ECH for Windows/macOS agent in WEB mode
Managing ECH is a two-step process. First, use browser policies to turn off ECH on managed devices; then use MITM inspection with the Encrypted Client Hello signature to catch any ECH traffic that still appears.
Warning: MITM Required
You need Man in the Middle (MITM) turned on for both on-network and off-network users. If your school has not turned on MITM, you should follow the instructions for the Inline Appliance. Contact our support team for help turning on MITM.
1. Turn off ECH using browser policies:
- Google Chrome - Set the EncryptedClientHelloEnabled policy to false.
- Microsoft Edge - Set the TlsEncryptedClientHelloEnabled policy to false.
- Mozilla Firefox - Set the DisableEncryptedClientHello policy to true.
2. Inspect the Encrypted Client Hello signature:
- Sign in to School Manager as an owner/administrator.
- Go to Configuration > Mobile Agent > On School Manager Network > MITM Enabled.
- Add the Encrypted Client Hello signature to Inspected domains.
- Repeat this for Off School Manager Network.
Important: Get Companion Mode
We recommend schools using Windows switch to Companion Mode filtering. Contact Linewize Support for help with the migration.
Manage ECH for Linewize School Manager Inline Appliance
While you can’t turn off ECH on unmanaged devices, you can create a Filter Policy to block sites that use ECH. This will stop users from accessing these sites.
Warning: Blocking Legitimate Sites
Blocking ECH with a Filter Policy will block some legitimate websites. We’re working on a better solution and expect to release it in our next firmware update, v267.
- In School Manager, go to Filtering > Content Filtering.
- Select + Create Policy.
- Give your Policy a memorable name.
- In Type, search for and select the Encrypted Client Hello signature.
- If you have managed and unmanaged devices on your appliance, use Criteria to restrict this Policy to only unmanaged devices.
- Turn on Locked and then Save Policy.
- Place this Policy close to the top of your Policy list, below any Policies that allow critical services and infrastructure.