Web Filter 3

Encrypted Traffic, Proxy & Your Web Filter

What is encrypted traffic?

You’ve probably heard the acronym “SSL,” especially lately, in relation to Google. Yet, you might not fully understand what it is, why it matters, and how Lightspeed Systems deals with the challenge. So what is SSL?

You’ve gone to a website and seen a little lock icon next to the web address. This lock means that the data going to and from your computer is encrypted via SSL, which stands for Secure Sockets Layer. Most websites’ addresses start with HTTP; that means that the data transferred between your computer and the website’s server is in plain text.

When you pay for something with your credit card on Amazon, or you log into your bank account, you don’t want that information transferred in plain text. The Internet is a wide, open place, and anyone who has the skills can see that information. If that information is transferred in plain text, it’s relatively easy to steal.

There is another way to start web addresses, and that is HTTPS (the “s” stands for secure). With HTTPS transmissions, the information passing from your computer to the website’s server is encrypted, so that the data cannot be read by any third party.

Historically, HTTPS was used for sites that stored critical information (e.g., banks), but over time, more and more websites (such as Google, Facebook and Twitter) have made the switch because of privacy concerns.

Google switching all its services (including Google Apps for Education, Google Docs, Google Play, YouTube, etc.) to HTTPS is problematic for schools. If all the information going between student devices and Google is encrypted, web filtering becomes a challenge. How do schools balance privacy with their responsibility to keep kids safe? Fortunately, Lightspeed Systems has you covered.

SSL Certificates Explained

What are SSL certificates?

Certificates are key to encryption and decryption. SSL Certificates are small data files that digitally bind a cryptographic key to an organization’s details. When installed on a web server, an SSL certificate activates the padlock and the HTTPS protocol and allows secure, encrypted communications between a website and an Internet browser. SSL certificates utilize SSL technology to authenticate the identity of websites and to encrypt transmitted data. SSL certificates are typically installed on pages that require end-users to submit sensitive information over the internet. All Google and YouTube sites utilize SSL technology.

Do you want to learn more about SSL?

Learn more about: SSL

How do SSL certificates work?

1. A device on a server attempts to connect to a website that is encrypted with SSL.

2. The server asks the website to identify itself.

3. The website sends the server a copy of its SSL certificate.

4. The server checks to see whether or not it trusts the SSL certificate by identifying whether the certificate issuer is known or unknown.

5. If the server does trust the website, then it sends back a message to it indicating so.

6. The website sends back a digitally signed acknowledgement to start an SSL encrypted session.

7. Encrypted data is shared between the server and the website.

Types of SSL certificates

There are two main types of SSL certificates:

1. CA (Certificate Authority)-Signed: CA-Signed SSL certificates are considered to be the standard SSL certificate, as they are issued and verified by a trusted Certificate Authority. These certificates are safe to use and are favored by practically every website that utilizes SSL encryption, as they have been authenticated by a trusted Certificate Authority as having met all necessary safety requirements and have safeguards in place to mitigate fraudulent or misissued certificates. CA-Signed certificates are by far the most used certificates and are strongly recommended. CA-Signed SSL certificates must be purchased from a Certificate Authority.

2. Self-Signed: A self-signed certificate is an identity certificate that is signed by the same entity whose identity it certifies. Self-signed SSL certificates are considered less trustworthy than CA-Signed certificates because they are not verified by a trusted Certificate Authority. As a result, they lack the authentication parameters established by CA-Signed certificates and are more prone to compromise or attack if not used correctly. Self-Signed certificates are traditionally used for internal-testing purposes and are not recommended for use in the public sphere, unless used as specifically instructed by a professional (the Web Filter, at times, will have you use a Self-Signed certificate, which is perfectly safe). Using a Self-Signed certificate with most websites will trigger a warning message to appear, stating that there is a problem with the security certificate. Self-Signed SSL certificates are usually free.

3. Wildcard SSL certificate: A wildcard SSL certificate is an SSL certificate that can be used for multiple subdomains of a domain at once. Wildcard certificates are a more convenient form of securing every single subdomain on a website. Wildcard certificates are marked with a *. Wildcard certificates are always CA-Signed.

Ex. A wildcard certificate for *.google.com will secure all Google websites (all subdomains of Google.com).

Parts of an SSL certificate

An SSL certificate is the sum of several parts joined together through a complex encrypted mathematical algorithm. The SSL certificate is made out of the following parts:

  • Identity Information: The name of the website that is using the SSL certificate
  • Public Security Key: A digital file that is used as part of the encryption/decryption mechanism.
  • Digital Signature: A file used to verify the authenticity of data transferred.

Ways to use SSL certificates

SSL certificates can be used in these ways:

Browser/Websites

The most common way to use certificates is to establish a secure connection between a browser and a website.

In the Trusted Root on Device

Any certificate generated by a Certificate Authority needs to be stored in the Trusted Root on a device. If the certificate is not located in the Trusted Root, then an encrypted website will not be able to validate it. For this reason, you need to make sure to distribute your SSL certificates to all your devices, if they are not already pre-installed on the device.

With the Lightspeed Web Filter

The SSL Certificate page of the Web Filter is divided into two sections: Console Certificate and Proxy Certificate.

The Console Certificate provides trust for encryption for administrator usernames and passwords when logging into the Rocket administration dashboard. The trusted SSL connection also provides encryption for usernames and passwords for end users on your network when they sign into the Secure Access Page.

The Rocket includes a self-signed console certificate that is valid for 39 months. If you prefer to use an SSL certificate issued by a trusted Certificate Authority, you can install it in place of the self-signed certificate. You can also generate or install your own self-signed SSL certificate.

If the Rocket is not configured as a Proxy Server, when a user accesses a secure HTTPS site, only the domain name (subject) in the SSL certificate will be visible to the Web Filter. Block or allow decisions can only be made for the entire domain, rather than for URLs and URL patterns within the domain.

When the Proxy Server is enabled with SSL Decryption, all HTTPS (encrypted) requests can be examined via a trusted Man-In-The-Middle proxy. When a user requests a secure website, such as Facebook.com, the encrypted request will be sent to the proxy server. The proxy server will then decrypt it in order to read the full URL.

Decode SSL Certificates

Though you need to proxy for full URL details, there are certain settings within the Web Filter that can help you obtain more accurate reports and keep students safe without the need for a proxy. When an encrypted request is made (a user tries to navigate to a secured site), by default your Web Filter reports on that traffic by IP address rather than URL. You can obtain and report the domain behind the IP address by enabling the Decode SSL Certificates setting. As a result, the Web Filter will examine the SSL certificate to determine the domain of the certificate owner, then decide to allow or block based on that domain.

For youtube.com the report would show the url as google.com, as seen in their SSL certificate

You can enable the Decode SSL Certificates option by navigating to Web Filter > General > Traffic Handling and checking the box next to Decode SSL Certificates.

 

If you want to be able to distinguish between Google’s domains (YouTube, Google, Classroom, Docs, etc.), then the Decode SSL Certificates setting will not be enough; for that you will need to set up your Web Filter as a proxy server. Google uses a single certificate for all of its domains, and setting up your Web Filter as a proxy server is the only way to determine which domains your users are accessing.

Example:

| Rocket Configuration | Full URL visited by user | Reported URL |
| --- | --- | --- |
| Decode SSL Certificate Off | https://www.youtube.com/watch?v=DOOxoAIEECk | 216.239.38.120 |
| Decode SSL Certificate On | https://www.youtube.com/watch?v=DOOxoAIEECk | google.com |
| Proxy | https://www.youtube.com/watch?v=DOOxoAIEECk | https://www.youtube.com/watch?v=DOOxoAIEECk |

What is a proxy?

A web proxy is essentially an intermediary device sitting between a device and the Internet.

A proxy server acts as a middle man for requests from clients (your users’ devices) seeking resources from other servers on the Internet. A client connects to the proxy server and requests a service (such as a file, connection, web page, or other resource.) The proxy server then evaluates the request and processes it.

In simpler terms, with a proxy server, your users are not actually connecting to their intended site. Instead, the proxy server connects to the site, sends the request, determines whether or not to process the request, and then either processes it or denies it (in the case of a blocked site).

Proxy and SSL

These days, many websites are enforcing a secure connection by default. These websites use HTTPS instead of HTTP, which protects sensitive information such as login IDs and passwords from being intercepted and misused. Many sites, including Google and YouTube domains, banking sites, email sites, and other sites that hold sensitive information, utilize SSL certificates to ensure a trusted secure connection. SSL certificates add a much-needed additional security layer to an unsecured internet, but at the same time, they also inadvertently make web filtering and content monitoring more difficult.

Proxy servers are able to decrypt SSL data, allowing them to see through the encryption and determine exactly which encrypted websites users accessed.

Proxy and Web Filtering

Using a proxy server guarantees accurate reporting and full web filtering. Without a proxy server, the Web Filter is unable to determine the exact URL details of encrypted sites.

Typically, the Lightspeed Systems Web Filter will be placed in a network in transparent bridge mode. This means that a client will not know the Web Filter is there, and the client’s request will pass through the Web Filter and be inspected on its path directly to the Internet. In this setup, if a user accesses a secure HTTPS site, only the domain name (subject) in the SSL certificate will be visible to the Web Filter. Block or allow decisions can only be made based on this domain rather than the full URL. Thus, URL patterns for HTTPS sites may not operate correctly.

When a Web Filter is configured to act as a proxy server, the client knows that the Web Filter is there, and makes the request to the proxy server, asking to make a request on its behalf. The proxy server then makes the request to the Internet. The proxy server decrypts the request in order to read the full URL. If the proxy server determines that the request should be allowed, it will carry out the request on the client’s behalf over SSL as expected. If the site should be blocked, then the request will be denied and the user will see a block page.

In other words, enabling your Web Filter as a Proxy Server allows for the most effective filtering of a variety of HTTPS sites, including all Google domains.

Proxy and Schools

Using a proxy is key to school officials who want to filter encrypted traffic and see full URLs in their reports and to see and block search engine queries.

This particularly pertains to YouTube and Google traffic. Without using a proxy, you will not be able to filter YouTube and Google traffic; your only options will be to either allow all traffic or block all traffic. YouTube and Google sites utilize wildcard certificates on all of their sites. As a result, the Web Filter is only able to see domain data and not subdomain data. Furthermore, you will not be able to see which YouTube or Google sites your users accessed in your Web Filter reports, nor will you see any search term data.

With proxy enabled, you are able to decrypt SSL-encrypted YouTube and Google traffic and see URL info for both domains and subdomains. The following examples explain the difference between what Web Filter reports show without a proxy and with a proxy.

  • Ex 1: YouTube Video
  • Ex 2: Google Domains (mail, docs, drive, classroom, etc.)
  • Ex 3: Google Search Terms

| Example | No Proxy | Proxy |
| --- | --- | --- |
| 1. YouTube | https://www.youtube.com | https://www.youtube.com/watch?v=yqmfrqAVeK0 |
| 2. Google Docs | https://www.google.com | https://docs.google.com |
| 3. Google Search | https://www.google.com | https://www.google.com/search?q=bomb |

The difference that proxy makes can be rather substantial. Proxy can help you ensure that your users do not have access to specific YouTube and Google sites that you want to block. Even more importantly, proxy can help you identify exactly what content your users are accessing on YouTube and Google sites. This can be a tremendous help in identifying and stopping potentially inappropriate or even dangerous behavior.

Proxy works with every possible setup and all devices. Different types of proxy work better with different setups. Your network environment and needs will determine which proxy setup will work best for you.

Do you want to determine exactly which kind of proxy you should utilize in a transparent bridge mode?

Learn more about: Proxy in transparent bridge

Do you want to learn more about SSL?

Learn more about: SSL

Should I proxy?

Setting up your Web Filter as a proxy server will give you the most detailed reporting so that you can stay on top of your school’s Internet activity and safety. Reports vary in detail, based on your Web Filter settings. Certain websites force encrypted (HTTPS) connections that prevent the Web Filter from identifying full URL details without certain settings enabled. In order to get full URL details for encrypted websites such as Google and YouTube, you will need to set up your Web Filter as a proxy server. Still, you may have concerns about proxy slowing your network, requiring every device to have an SSL certificate, or opening a port on your firewall. We will address each of these concerns in turn.

  • Will proxy slow down my network?
  • Will proxy require each of my devices to have an SSL certificate?
  • Will opening a port on my firewall create a security risk?

Will proxy slow down my network?

The impact is minimal, depending on the proxy method you use. For example, the Forward Proxy method proxies all network traffic, and as a result, traffic is redirected to the Web Filter before it is allowed to reach the Internet, and then follows the same path in reverse, resulting in double traffic. The actual impact on the network is absolutely minimal, as long as the network is not already running at full capacity.

Will proxy require each of my devices to have an SSL certificate?

You will indeed need to import SSL certificates onto all of your devices. This is a very simple process. You need to download the proxy server SSL certificate link from the Rocket and then share it with each user.

Learn more about: SSL and the Rocket
Learn more about: How to download proxy SSL certificates

Will opening a port on my firewall create a security risk?

Opening a port on your firewall for proxy purposes is very safe. You can choose varying levels of proxy security, based on the needs of your network. We do recommend authentication, or other layers of security, in order to make sure that only authorized users access your network.

Learn more about: About levels of proxy security

If you decide against proxying

No matter what decision you make regarding proxy, you should always have the Decode SSL Certificates Web Filter option turned on for optimal reporting and security.

Learn more about: the Decoding SSL Certificates option

Google + YouTube Safety without proxy

If you decide not to proxy but still want to allow your students to use Google and YouTube, you can turn on Google Safe Search in the Web Filter General settings. This will force all Google requests into safety mode.

Three proxy methods

The Lightspeed Systems Web Filter utilizes three distinct proxy configuration methods:

  • Forward – A global proxy that works on and off network
  • Transparent – Full URL decryption but only on-network
  • Selective (PAC) – Domain-based full decryption

Each proxy configuration method corresponds to a particular setup within your Web Filter settings. You should determine which configuration method you wish to use, based on your individual school network environment.

Note: If your environment is made entirely of Chromebook devices, skip down to the Chromebook Exception section.


Forward Proxy

What is Forward Proxy?

Forward proxy functions as a full trusted man-in-the-middle proxy, meaning that all HTTPS requests can be examined just like HTTP requests. Forward proxy decrypts all traffic on your network, including traffic generated by both on-network and off-network devices that are set up to use the proxy. Utilizing the forward proxy option will show encrypted traffic in a simple, easy-to-read manner in your Web Filter.

Forward Proxy On Network Diagram

  1. An on-network device sends its request for google.com to the Web Filter.
  2. The Web Filter receives the request. If the request is allowed, the Web Filter makes its own request to google.com on behalf of the device. If the request is not allowed, it is redirected to an Access Page and reported.
  3. Google.com returns the site to the requester, your Web Filter.
  4. Your Web Filter sends the requested google.com page to the on-network device.
  5. Google.com loads on the on-network device.

Forward Proxy Off Network Diagram

  1. An off-network device sends its request for google.com to the Web Filter.
  2. The Web Filter receives the request. If the request is allowed, the Web Filter makes its own request to google.com on behalf of the device. If the request is not allowed, it is redirected to an Access Page and reported.
  3. Google.com returns the site to the requester, your Web Filter.
  4. Your Web Filter sends the requested google.com page to the off-network device.
  5. Google.com loads on the off-network device.

Reasons to Use Forward Proxy

You should use Forward proxy if you want to have accurate reports on encrypted traffic (see which Google sites your users are accessing and what they are searching for on Google) and…

  • Your school utilizes iPads
  • Your school utilizes Chromebooks
  • Your school performs a 1-to-1 deployment of iOS or ChromeOS devices
  • Your school allows users to take devices home, and you want to filter those devices while they are at home
  • You want the ability to filter and decrypt most website and app related traffic.
  • You want the best option to get full filtering and URL reporting on iOS and ChromeOS devices

Potential Drawbacks

The Forward proxy method proxies all network traffic; as a result, all traffic is redirected to the Web Filter before it is allowed to reach the Internet. This means that when the devices are off-network, their traffic is routed to your Web Filter to make the request, and then the request is sent from the Web Filter to the desired destination. The response from the destination follows the same path in reverse, resulting in a greater amount of traffic passing through the Web Filter.

Setting Up Forward Proxy

Learn more about: Setting up Forward proxy


Selective Proxy (PAC)

What is a Selective Proxy?

The Selective proxy is a proxy server that only filters select information. The Selective Proxy utilizes PAC (proxy-auto-config) files to define how web browsers can automatically choose the appropriate access method for fetching a given URL. The Selective proxy allows most of your users’ traffic to flow freely through the network, while sending encrypted traffic (such as Google and YouTube traffic) through the proxy. As a result, your Web Filter reports will show exactly which Google sites your users visited, but they will not show other encrypted traffic (for bank.com, for example).

Selective Proxy On Network Diagram

  1. An on-network device checks its request for google.com against its PAC file. If google.com is not in the PAC file list, then the request passes through the Web Filter as non-proxied traffic.
  2. If the requested site is listed in the PAC file, the device sends its request for google.com to the Web Filter proxy.
  3. The Web Filter receives the request. If the request is allowed, the Web Filter makes its own request to google.com on behalf of the device. If the request is not allowed, it is redirected to an Access Page and reported.
  4. Google.com returns the site to the requester, your Web Filter.
  5. Your Web Filter sends the requested google.com page to the on-network device.
  6. Google.com loads on the on-network device.

Selective Proxy Off Network Diagram

  1. An off-network device checks its request for google.com against the PAC file. If the request is not on the PAC file list, then the request goes straight out to the internet and to google.com.
  2. If the requested site is listed in the PAC file, the device sends its request for google.com to the Web Filter.
  3. The Web Filter receives the request. If the request is allowed, the Web Filter makes its own request to google.com on behalf of the device. If the request is not allowed, it is redirected to an Access Page and reported.
  4. Google.com returns the site to the requester, your Web Filter.
  5. Your Web Filter sends the requested google.com page to the off-network device.
  6. Google.com loads on the off-network device.

Reasons to Use Selective Proxy

You should use Selective proxy if you want to have accurate reports on encrypted traffic (see which Google sites your users are accessing and what they are searching for on Google) and…

  • Your school utilizes OS X devices
  • Your school utilizes Windows devices
  • Your school allows users to take devices home
  • You want to see sites like Google and YouTube browsing and searches, but do not want to see other user web activity (as opposed to Forward proxy, where all web activity is proxied)
  • You want to enforce trusted man-in-the-middle proxy on search engines and see plain text searches on sites where you need granular search results

Potential Drawbacks

  • You will need to create a PAC file for every site or IP range that you wish to proxy. This is not an issue if you only wish to proxy Google and YouTube (see instructions below.)
  • Unlike Forward proxy, Selective proxy does not decrypt all app traffic

Do you want to learn how to set up a PAC file for Google and YouTube and how to upload it to the Web Filter?

Learn more about: Setting up and uploading a PAC file

Transparent Proxy

What is Transparent Proxy?

If your school devices do not leave your network, or you are not filtering off-network devices, then you can use Transparent proxy. The Transparent proxy is an on-network proxy that allows you to decrypt SSL traffic without configuring proxy settings or PAC files on network devices. Transparent proxies are considered transparent because the user isn’t aware of them. Utilizing the Transparent proxy option allows you to view Google and YouTube sites and search data in your reports for all devices that are connected to the school network.

Transparent Proxy On Network Diagram

  1. An on-network device makes a request for google.com.
  2. The Web Filter intercepts the request. If the request is allowed, the Web Filter lets the request proceed to google.com. If the request is not allowed, it is redirected to an Access Page and reported.
  3. Google.com returns the site to the requester, your Web Filter.
  4. Your Web Filter sends the requested google.com page to the on-network device.
  5. Google.com loads on the on-network device.

Reasons to Use Transparent Proxy

You should use Transparent proxy if you want to decrypt encrypted traffic (see which Google sites your users are accessing and what they are searching for on Google) and…

  • Your school utilizes OS X devices
  • Your school utilizes Windows devices
  • Your school does not wish to filter off-network devices

Potential Drawbacks

Setting up Transparent Proxy

Learn how to set up Transparent proxy: in this video guide

The Chromebook Exception

If you have Chromebooks, the Lightspeed Systems Mobile Filter can provide full URL reports on encrypted traffic without the use of a proxy server.

Due to the design of the Chrome operating system, schools that only have Chromebook devices can filter most Google encrypted searches without the need for a proxy by using the Chrome Extension Lightspeed Mobile Filter or the Lightspeed S-Mobile Filter. The Lightspeed Mobile Filter extensions for Chrome provide content filtering for ChromeOS, allowing school administrators to ensure safe, monitored access on school-distributed Chromebooks. Operating as a Chrome extension, it offers policy-based filtering and off-network activity reporting–all without the need for a proxy. In addition, it provides seamless single sign-on capabilities for ChromeOS devices when they are used off the school network.

Note: The Chromebook extension currently only works off-network.

Setting up Chromebook Mobile Filter

Learn more about: the Chrome Extension Mobile Filter

Other Helpful Information

Learn more about: Recommended levels of proxy security
Learn more about: SSL

Setting up your proxy

The following information explains how to properly set up your proxy (depending on which of the three ways to proxy you have chosen), how to push SSL certificates, and, if necessary, how to set up your devices to work with proxy.

Prerequisites

If you pass these tests, you can proceed with proxy setup.

Test to see if your FQHN connects on your network/off network. 

Navigate to your FQHN on a browser and verify that it resolves internal to your network. Navigate to your FQHN on a browser on a device outside of your network (such as a browser on a cell phone or DMZ).

Learn more about: FQHN

Test your proxy port is open off network

Go to a port forwarding testing site such as http://www.yougetsignal.com/tools/open-ports/ and test over your proxy port, typically 8080. If it is open, then your firewall has been set up to allow connections to your Web Filter.

Learn more about: Firewall

Test that your proxy port is open on network

From a terminal or command prompt, type telnet FQHN port (replace “FQHN” with your FQHN and “port” with your port). If you are able to connect, then the proxy is set up to accept connections.

Best Practice: Turn on Google Safe Search in Rule Sets

Note: This setting will only work once proxy is enabled.

As a best practice, you should turn on the Force safe search (Google) option in Rule Sets. Without the option on, blocked content will still be blocked. When you enable the Force safe search (Google) option, the search results will be filtered by Google.

Ex.

A student searched for “how to make a bomb” on Google

Force safe search (Google) turned OFF:

  • Google shows all search results, but the student is unable to access any inappropriate site (they are blocked).
  • Inappropriate images show up in Google image search, but they are invisible to the student, showing up with an “X” through them and no picture.

Force safe search (Google) turned ON:

  • Google only shows safe search results, completely eliminating any inappropriate sites.
  • Google only shows appropriate images, completely eliminating inappropriate ones.

Navigate to Web Filter > Policies > Policy Assignments > Rule Sets. Click on a Rule Set, and check the box next to Force safe search (Google) under Search Engine Controls. 

Setting up your proxy server

In order to set up your proxy server, you will need to follow these steps:

1. Push SSL certificates

2. Configure your Web Filter as a proxy server (Forward, Selective, Transparent)

3. Manually verify proxy behavior

4. Enforce proxy settings on devices

Pushing SSL Certificates

In order for proxying to be a smooth experience, it is necessary for the devices being proxied to trust your proxy by adding the Web Filter’s proxy SSL certificate to your devices. In order to do that you will first need to access your proxy certificate from your Web Filter.

You can access your certificate by navigating to Settings > Appliance > SSL Certificates > Download Links. Click Download  or navigate to the URL to download your certificate.

 

Pushing an SSL certificate to several devices at once:

Pushing an SSL certificate to BYOD devices:

You can access individual instructions for pushing SSL certificates to BYOD devices by navigating to:
YOURDOMAIN.com/lsaccess/proxycerthelp (replace YOURDOMAIN.com with the URL of your Rocket.)
This pathway includes instructions for all major operating systems and web browsers.

Forward Proxy

1. Navigate to Web Filter > Settings > Proxy Server. Under the Proxy Port section, input the Port you would like the Web Filter to listen for proxy connections on. This is by default port 8080 but can be any non-standard port (we chose Port 8093 in the example below.) Determine and set up the level of Proxy security that is best for your environment.

Learn more about: Proxy security

Selective Proxy

Create a PAC file to decrypt Google and YouTube in Proxy Mode

1. Open a text editor.
2. Enter the following, but replace the sample address webfilter.domain.com with the IP address used in the management interface of your Rocket server running the proxy server.

    function FindProxyForURL(url, host)
    {
        // Send Google and YouTube requests to the Web Filter proxy
        if (shExpMatch(url, "*.google.com/*")) { return "PROXY webfilter.domain.com:8080"; }
        if (shExpMatch(url, "*.youtube.com/*")) { return "PROXY webfilter.domain.com:8080"; }

        // All other requests go directly to the destination
        return "DIRECT";
    }

3. Save the file as “proxy.pac”.
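A way to check which requests the PAC file above actually sends to the proxy before deploying it, as an added example (not Lightspeed's code): it runs the page's matching logic under Node against constructed URLs and compares it with a hypothetical host-based variant. The shExpMatch/dnsDomainIs shims, the hostPac function, the test URLs, and the assumption that the browser strips path and query from https:// URLs before calling the PAC script (as current Chrome and Firefox do) are not from the original page.

```javascript
// Shims for two PAC helpers that browsers provide but Node does not.
function shExpMatch(str, shexp) {
  // Shell-style glob: "*" matches any run of characters, "?" any single one.
  const re = shexp
    .replace(/[.+^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*")
    .replace(/\?/g, ".");
  return new RegExp("^" + re + "$").test(str);
}

function dnsDomainIs(host, domain) {
  // Suffix match on the hostname, e.g. ("docs.google.com", ".google.com").
  return host.endsWith(domain);
}

const PROXY = "PROXY webfilter.domain.com:8080"; // sample address from the page

// The matching logic of the PAC file shown on the page (URL-pattern based).
function pagePac(url, host) {
  if (shExpMatch(url, "*.google.com/*")) return PROXY;
  if (shExpMatch(url, "*.youtube.com/*")) return PROXY;
  return "DIRECT";
}

// Hypothetical variant that decides on the hostname instead of the URL string:
// it matches the bare domain and any subdomain, and ignores the path.
function hostPac(url, host) {
  const h = host.toLowerCase();
  for (const d of ["google.com", "youtube.com"]) {
    if (h === d || dnsDomainIs(h, "." + d)) return PROXY;
  }
  return "DIRECT";
}

// Assumption: for https:// the browser hands the PAC script only scheme and
// host; for http:// it hands over the full URL.
function urlSeenByPac(url) {
  const u = new URL(url);
  return u.protocol === "https:" ? u.origin + "/" : u.href;
}

// Constructed test URLs with the routing an administrator would expect.
const CASES = [
  { url: "https://www.google.com/search?q=test", expect: "PROXY" },
  { url: "https://docs.google.com/document/d/1", expect: "PROXY" },
  { url: "https://www.youtube.com/watch?v=abc", expect: "PROXY" },
  { url: "https://google.com/", expect: "PROXY" },   // bare domain, no "www."
  { url: "https://youtube.com/", expect: "PROXY" },  // bare domain, no "www."
  { url: "https://notgoogle.com/", expect: "DIRECT" },
  { url: "https://bank.example/login", expect: "DIRECT" },
  { url: "http://other.example/a.google.com/x", expect: "DIRECT" }, // pattern appears in the path
];

// Returns the cases where the PAC function routes differently than expected.
function auditPac(pac, cases) {
  const mismatches = [];
  for (const c of cases) {
    const host = new URL(c.url).hostname;
    const result = pac(urlSeenByPac(c.url), host);
    const got = result.startsWith("PROXY") ? "PROXY" : "DIRECT";
    if (got !== c.expect) mismatches.push({ url: c.url, expect: c.expect, got });
  }
  return mismatches;
}

for (const [name, pac] of [["page PAC", pagePac], ["host-based PAC", hostPac]]) {
  console.log(name, auditPac(pac, CASES));
}
```

Any request for which the PAC file returns DIRECT never reaches the proxy, so a gap found this way also means those requests are absent from the full-URL reports.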

Upload the PAC file to the Web Filter

Click Web Filter, then click Proxy Server. On the Proxy Server page, scroll down to PAC Files. In the PAC Files grid, click the green “+” icon. In the Upload PAC File form, click Browse and select the PAC file to upload from your computer. Enter a brief description, then click Save to upload the PAC file, or click Cancel to discard your changes and return to the previous page.

Transparent Proxy

Navigate to Web Filter > Settings > Proxy Server > Transparent Proxy. Check the box next to Transparent proxy SSL to turn on Transparent proxy. Click Ok on the warning message. Click Save. 

Note: Transparent proxy is only a feature of Web Filter 3.

Testing Your Web Filter Proxy Setups

Test Web Filter Rules

Open a browser and navigate to an allowed site and to a blocked site. The blocked site should resolve to your FQHN. Navigate to Reports > Blocked Content and make sure that the site and appropriate rule set are showing.

Ex. We navigated to www.snapchat.com/download in our Student rule set and it successfully generated a block and showed up in the report.

Test Google searches

On a proxied device, navigate to Google.com and perform a search (or several searches.) Go to your Web Filter reports and locate those searches. If your proxy is set up correctly, you should be able to see the search terms and URLs.

Ex. We searched for “Newton’s Law resources” on a proxied device and successfully saw the search query in our reports.

Enforcing Proxy Settings On Devices

When setting up your devices to utilize the Forward Proxy or Selective Proxy, you will need to tell the device to send its web requests to the proxy. The instructions differ based on your operating system.

Proxy settings by OS

The following articles explain how to enforce proxy settings by each individual OS: