Enabling HTTPS Inspection

This article is for IT support with a School Manager physical appliance.

Important

HTTPS Inspection is being deprecated. Please contact Linewize support to discuss potential alternatives for your school.

Your School Manager physical appliance uses HTTPS Inspection to filter devices that are not running Linewize Connect and have only the Linewize SSL certificate installed. HTTPS Inspection only works while the device is connected to your physical network and allows your School Manager appliance to sit between the devices and the internet. School Manager will intercept, decrypt, and filter text before sending it to specified websites and can enforce Safe Search.

Tip

Keep the number of devices using HTTPS Inspection on your School Manager appliance to a minimum to reduce the load on your appliance processor and your network traffic. You should install Linewize Connect on user devices as much as possible and enable Man In The Middle (MITM) to ensure the best device performance for your users. Contact your Linewize Success or Account manager for more information.

About HTTPS Inspection

HTTPS Inspection filters websites, applications, and harmful content by initiating a “handshake” between devices to encrypt data transmitted across the internet. HTTPS Inspection must be enabled to allow School Manager to filter and report on specific content, such as YouTube videos.

Enabling HTTPS inspection is a two-step process:

  1. Setting up HTTPS Inspection
  2. Installing the SSL certificate on devices connected to your physical network.

Important

  • You can download a copy of the Linewize CA Certificate to set up your SSL connections from http://certs.linewize.net.
  • For SSL connections to work, configure an IP address in the bridge device. If there are multiple VLAN bridges, configure an IP on each VLAN bridge that you need to inspect.

Before You Start

Your firewall configuration will require two separate policies. One policy allows School Manager to inspect all connections, while the other manages UDP communications. If these ports are not open, your School Manager appliance will be blocked by your firewall.

Enabled Name Source Destination Action
Checked Allow SSL Inspection Protocol UDP Ports 443 DROP
Checked Allow SSL Inspection Any* Any* ACCEPT

Setting Up HTTPS Inspection in School Manager

  1. Go to Configuration > Networking > HTTPS Inspection.
  2. Click the Enabled checkbox.
  3. Under CA Configuration, enter or paste the required values for:
    1. CA Key
    2. CA Certificate
    3. CA Password
  4. Under Inspected Applications and Websites, configure site inspections:

    Note

    Not all traffic requires inspection as many background processes contain very little or no usable information. You should only inspect relevant websites (Google Search, Bing, and YouTube) as inspecting too much traffic can cause performance degradation on your School Manager appliance.

    By default, we recommend inspecting:

    • Google Search
    • YouTube
    • Bing
    • Search Engines
    • Other Search Engines

    Inspecting Search Engines and YouTube will provide valuable information and context for the content students are looking for.

    And excluding:

    • Financial Services
    • Family Zone
    • Linewize
    • Family Zone Login Services

    Excluding Financial Services is advised as there could be personal information involved.

  5. Configure the inspection options for Networks and Groups:

    1. Click All Devices to inspect the connections for all devices in the network.
    2. Enter the relevant network details (IP address, IP range, MAC address) to inspect selected devices and connections.
    3. Select groups. Only the selected groups will have their connections inspected.
  6. If required, enter the excluded device IDs, IP addresses or network names in the Excluded Networks field, and then press Enter on your keyboard to confirm the exclusion(s).

  7. Click Save.

Download and Install the Linewize Certificate

Important

You will need administrator privileges on the students’ devices.

For Windows: 

  1. While the device is connected to your physical network, go to http://certs.linewize.net (http not https) and navigate to View Available Certificates > Other.
  2. Download the .CRT file.

For macOS:

  1. While the device is connected to your physical network, go to http://certs.linewize.net (http not https) and navigate to View Available Certificates > Other.
  2. Download the .PEM file.

Install Certificate on Student Devices

Deployment via Group Policy Editor

  1. Start the Group Policy Management snap-in on the Active Directory domain controller.
  2. Find an existing Group Policy Object (GPO) or create a new one. The new GPO will contain the new certificate settings. 
  3. Right-click on the GPO, and then select Edit.
  4. On the console, go to Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies.
  5. Right-click on Trusted Root Certification Authorities and select Import.
  6. On the Certificate Import Wizard, click Next.
  7. On the File Import page, click Browse to locate the certificate or enter the path to the certificate file.
  8. Click Next.
  9. On the Certificate Store page, select Place all certificates in the following store.
  10. Click Next.
  11. Verify that all settings are correct, then click Finish.

More information about Group Policy distribution is available on this page.

Individual Deployment on Windows Computers

Tip

Your school IT can deploy the Linewize certificates using your school's MDM.

  1. Locate the downloaded linewize.cacert.crt certificate file in the computer’s local folder or external storage (such as USB).
  2. Double-click on the file to open the downloaded certificate. A Certificate dialog box will appear.
  3. Click Install Certificate…
  4. On the Certificate Import Wizard window that appears, select Local Machine.
  5. Click Next.
  6. If prompted, enter your computer’s Administrator username and password, if any.
  7. Click Next.
  8. Select Place all certificates in the following store, and then click Browse…
  9. On the Certificate Store window that appears, select Trusted Root Certification Authorities.
  10. Click OK.
  11. Click Next.
  12. Click Finish. A notification will appear, confirming that importing the certificate has been successful.
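
An added example, not part of the original article or Linewize's own tooling: because the certificate is fetched over plain HTTP and then trusted as a root, this PowerShell script checks the file's SHA-256 fingerprint before importing it into the same store the wizard steps select, then confirms it is present. The expected fingerprint is a placeholder to fill with a value confirmed with Linewize through a trusted channel; the file name is the one used in the steps above.

```powershell
# Added example (not Linewize code). Run from an elevated PowerShell session.
param(
    # File downloaded from http://certs.linewize.net (name as given in this article).
    [string]$CertPath = ".\linewize.cacert.crt",
    # PLACEHOLDER: SHA-256 fingerprint confirmed with Linewize over a trusted channel.
    [string]$ExpectedSha256 = "<SHA256-FINGERPRINT-CONFIRMED-OUT-OF-BAND>"
)
$ErrorActionPreference = "Stop"

# Accept "AB:CD:..", "ab cd .." or plain hex; compare as upper-case hex.
$expected = ($ExpectedSha256 -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
if ($expected.Length -ne 64) { throw "Set -ExpectedSha256 to the 64-hex-digit fingerprint first." }

$path = (Resolve-Path $CertPath).Path
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($path)

# Hash the DER bytes, not the file: a Base64/PEM-encoded .crt hashes differently on disk.
$sha256 = [System.Security.Cryptography.SHA256]::Create()
$actual = [System.BitConverter]::ToString($sha256.ComputeHash($cert.RawData)) -replace '-', ''
if ($actual -ne $expected) { throw "Fingerprint mismatch: got $actual. Do not install this file." }

# Sanity checks on what is about to become a trusted root.
$bc = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.19' }   # basicConstraints
if (-not $bc -or -not $bc.CertificateAuthority) { Write-Warning "Certificate is not marked as a CA." }
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) { throw "Certificate is outside its validity period." }

# Same store the wizard steps select: Local Machine > Trusted Root Certification Authorities.
Import-Certificate -FilePath $path -CertStoreLocation Cert:\LocalMachine\Root | Out-Null

# Confirm the result instead of relying on the wizard's success message.
$installed = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
if (-not $installed) { throw "Certificate was not found in LocalMachine\Root after import." }
$installed | Select-Object Subject, Thumbprint, NotAfter
```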

Individual Deployment on macOS Computers

  1. Locate the downloaded file and open the PEM file certificate. This will open the Keychain Access window.
  2. Ensure the Certificate is installed in the System Keychain.
  3. Double-click Linewize Certificate to open the Certificate Properties dialog window.
  4. On the Trust section, select Always Trust in the When using this certificate: list.
  5. Close the window. If prompted, enter your password to save the changes.
  6. Reload all open browsers to check if the changes have taken effect.

FAQs

Are there default categories and signatures in the HTTPS Inspection setup?  

Yes, there are default site categories and signatures that we recommend for inspection: Google Search, Bing, and YouTube.

How do I confirm that the user’s device is connected through School Manager?

Using the device, go to http://whoami.linewize.net (using http and not https). The URL should return a string that details the School Manager upstream.

How do I confirm the user’s device has the certificate?

For Windows:

  1. Press Windows + R on your keyboard.
  2. Run certmgr.msc.
  3. Go to the Trusted Root Certification Authorities > Certificates and locate the certificate.

For macOS:

  1. Go to Applications > Utilities > Keychain Access.
  2. Open the Certificates tab. All certificates are saved in this folder. 
  3. Locate or enter the certificate’s name in the Search bar to find the Linewize certificate.
    Alternatively, click System Roots under System Keychains on the left navigation bar.
  4. Double-click the Linewize certificate to display more information.

How do I confirm that web pages, applications, and other content are being inspected?

To confirm HTTPS inspection is working, check that searches, videos, and Realtime Connections capture all reporting data:

  • Go to Cyber Safety > Searches to view the Search Report.
  • Go to Cyber Safety > Videos to view the Videos Report.
  • Go to Statistics > Realtime > Connections to view the Realtime Connections Report.
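
A device-side check to complement the reports above, as an added example that is not part of the original article: this PowerShell script connects to each host and reports whether the certificate chain the device receives ends in the Linewize CA, which also lets you confirm that excluded categories are not being decrypted. It assumes the CA entered under CA Configuration is the one in the downloaded file; the host names for the inspected categories are assumptions, and the excluded host is a placeholder.

```powershell
# Added example (not Linewize code). Run on a device connected to the physical network.
param(
    # CA file from this article; its thumbprint marks connections re-signed by the appliance.
    [string]$CaPath = ".\linewize.cacert.crt",
    # Assumed host names for the categories the article recommends inspecting.
    [string[]]$InspectedHosts = @("www.google.com", "www.youtube.com", "www.bing.com"),
    # PLACEHOLDER: replace with a site from a category you excluded (e.g. Financial Services).
    [string[]]$ExcludedHosts = @("excluded-site.example")
)
$ca = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new((Resolve-Path $CaPath).Path)

function Get-ChainThumbprints([string]$HostName, [int]$Port = 443) {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        # Default validation: throws if the device does not trust the presented chain.
        $ssl.AuthenticateAsClient($HostName)
        $leaf = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        [void]$chain.Build($leaf)
        return @($chain.ChainElements | ForEach-Object { $_.Certificate.Thumbprint })
    } finally {
        $client.Close()
    }
}

foreach ($h in @($InspectedHosts) + @($ExcludedHosts)) {
    $expect = $InspectedHosts -contains $h
    try {
        $seen = (Get-ChainThumbprints $h) -contains $ca.Thumbprint
        # MISMATCH covers both failure modes: a listed site that is not inspected,
        # and an excluded site whose traffic is still being decrypted.
        $status = if ($seen -eq $expect) { "OK" } else { "MISMATCH" }
    } catch {
        # Untrusted chain (CA not installed), DNS failure or timeout all land here.
        $seen = $null
        $status = "ERROR: $($_.Exception.Message)"
    }
    [pscustomobject]@{ Host = $h; ExpectInspected = $expect; SignedByCa = $seen; Status = $status }
}
```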

Why do I get timeout errors?

If a timeout error occurs, it may mean that School Manager is not connecting to the client (user’s) device for the following reasons:

  • A route to the client network is missing. To check, go to Configuration > Networking > Routing.
  • School Manager may not be listening to the device's IP address. To check, go to Configuration > Networking > Interfaces and check that BR0 or the relevant VLAN bridge is set up with an IP address.
  • If there is a reverse path filtering on the school switch, a management IP (instead of bridge IP) may have to be used to get back to the device.

 
