Getting Started with Relay

Welcome to Relay. Our goal is to provide you with tools that help you monitor and secure web activity on your network. But before you jump into the Relay interface, follow these three simple steps to get started:

  1. 1. Verify network access to Relay
  2. 2. Import users and groups
  3. 3. Deploy Relay software to devices

Of course, you need to log in to Relay before getting started.

Prerequisites

Minimum OS Version

Before deploying Relay to any devices on your network, ensure that the device(s) is running this version of the operating system:

  • Windows– Windows 10 (x64- builds 1703+) and Windows 7 (x64)
  • Note: Support for Windows 10 (x32) will be available in future releases.
  • Mac– High Sierra, x64
  • Note: Support for macOS Sierra will be available in future releases.
  • iOS– 11.2

Step 1- Verify network access to Relay

Ensure that the following ports and domains/hosts are unblocked by your network filter.

Outbound ports

  • TCP/UDP-443
  • TCP/UDP-3478
  • TCP-5349

Domains

  • relay.school
  • access.relay.school
  • lsrelayaccess.com
  • rs-db.lsfilter.com
  • ws-db.lsfilter.com
  • b16rt683ll.execute-api.us-west-2.amazonaws.com
  • lsrelay-config-production.s3.amazonaws.com
  • lsrelay-extensions-production.s3.amazonaws.com

Step 2- Import users and groups

Add (or import) users and groups into Relay. Select one of the following import methods:

Choose an import method

Step 3- Deploy Relay software to devices

After you’ve imported users and created your filtering policy, you are ready to deploy Relay to your devices (Chrome, Mac, Windows, and iOS).

Chrome Devices

Open the Google Admin console and navigate to Device Management.

Click Chrome Management from the left-side menu (Device Settings), then click User Settings.

Choose your organization from the left menu (Organizations), then scroll down to Apps and Extensions > Force-installed Apps and Extensions. Click on Manage force-installed apps. Click on Specify a Custom App.

Enter your organization-specific App ID and URL in the ID and URL fields. Then click Add.

Note: Refer to the Relay (Step 3) or Classroom (Step 2) Getting Started page and click Details for the App ID and URL. You can also find your organization-specific App ID and URL on Relay’s Settings > Chrome Extension page.

Once added, the App ID is listed in the Total to force install list. Click Save to push the extension.

Additional Steps

When running Relay in Google Chrome, we recommend enabling these settings (if not already) to prevent users from bypassing or compromising the web-filtering service:

Caution:Make sure you select the correct organization from the list of Organizational groups (User Settings left-menu) when making these changes.

Add Chrome Flags & Inspect Tools to the URL Blacklist

Google Chrome Flags (list of experimental features) provide savvy users the ability to bypass web filtering in Chrome. Disable any opportunity to bypass web filters by adding these pages to your list of blocked URLs in Google’s Admin console.

To add the Chrome Flags and Inspect Tool URLs to the URL Blacklist from the Google Admin console, navigate to the URL Blacklist settings (Device Management > Chrome > User settings > Content > URL Blocking > URL Blacklist) enter the following URLs in the URL Blocking Field. Click Save to apply this setting.

Ensure Extensions are Allowed

Our web-filtering services (for Chrome) are deployed to devices via a Chrome Extension. By default, Extensions should be allowed, but if you have issues pushing the extension to a device, ensure that this setting is enabled.

To verify that extensions are allowed from the Google Admin console, navigate to the list of Allowed Types of Apps and Extensions (Device Management > Chrome > User settings > Apps and Extensions > Allowed types of Apps and Extensions) and ensure that the box next to Extension is marked. Click Save to apply this setting.

Disallow Incognito Mode

Chrome’s Incognito Mode allows users to browse the Internet privately. While user activity isn’t hidden in Incognito Mode, it’s best to disallow this feature when setting up your web-filtering service.

To disallow Incognito Mode from the Google Admin console, navigate to Incognito Mode (Device Management > Chrome > User settings > Security > Incognito Mode) and select Disallow Incognito Mode from the drop-menu. Click Save to apply this setting. Click Save to apply this setting.

Never Allow Developer Tools

Chrome’s built-in developer tools give users access to the browser’s (and other web applications) internal code. It’s best to never allow users access to the browser’s built-in developer tools.

To never allow access to Chrome’s built-in developer tools, from the Google Admin console, navigate to Development Tools (Device Management > Chrome > User settings > User Experience > Developer Tools) and select Never allow use of built-in developer tools from the drop-menu. Click Save to apply this setting.

Mac OS Devices

To install a Smart Agent on a Mac, follow these steps:

  1. 1. Obtain your .dmg file in one of the following ways:
    1. a. From Getting Started under Deploy Relay software to devices, click the macOS tab. Then click the SmartAgent.dmg link.
    2. b. Navigate to Settings > Software using the left-side navigation of Relay and click the macOS tab. Then click the SmartAgent.dmg link.
  2. 2. Working from the target workstation as an Administrator, make a local copy of your Smart Agent .dmg file accessible..
  3. 3. Open SmartAgent.dmg and complete the installer.
  4. Tip: Need to deploy the MacOS Smart Agent to multiple machines? Refer to our documentation, Deploy the MacOS Agent with Third Party MDM for help.

Note: If you are installing the macOS Smart Agent to a machine running macOS 10.14+, add the following URLs to your list of Exclude from Decryption in Relay:
  • oscp.apple.com
  • apps.mzstatic.com

Enabling High Sierra Security and Privacy

Note: You can bypass this step by following the instructions in this Apple article under the How This Affects Enterprise App Distribution section. Use Team ID ZAGTUU2342 if you elect to boot into Recovery OS and use the spctl kext-consent command approach.

After installing the Relay Smart Agent, enable security and privacy preferences. This step only needs to be done once for every device.

Navigate to System Preferences > Security & Privacy. Click on the lock icon at the bottom left to unlock changes and enter your password. Click the Allow button to authorize software initiation.

Windows Devices

Before installing the Windows Smart Agent, ensure that your anti-virus software is set to exclude the following locations:

  • C:\Windows\System32\drivers\LSSADrv.sys
  • C:\ProgramFiles\Lightspeed Systems\Smart Agent\*
  • C:\ProgramData\Lightspeed Systems\Smart Agent\*

To install a Smart Agent on a Windows machine, follow these steps:

  1. 1. Obtain your .msi file in one of the following ways:
    1. a. From Getting Started under Deploy Relay software to devices, click the Windows tab. Then click the appropriate link to the Smart Agent .msi file.
    2. b. Navigate to Settings > Software in the left-side navigation of Relay and click the Windows tab. Then click the Smart Agent .msi link.
  2. 2. Working from the target workstation as a Local Administrator, make a local copy of your Smart Agent .msi file accessible.
  3. 3. From an administrator command prompt, navigate to the folder where your SmartAgentx64.msi file is saved and launch it using this command: msiexec /i [File Name.msi]
Note: If you are using LANDesk to deploy the Windows Smart Agent, add a 5 min delay to the deployment to give the agent enough time to receive it’s policy.
Note: If you are using Sophos AV, disable the
software’s web filter feature, or else the Smart Agent will not filter the device properly.

iOS Devices

iOS Specific Prerequisites

  • Device cannot be running any other iOS filtering software and cannot have a global proxy configured.
  • Device must be enrolled in a mobile device manager and owned by the user that you are filtering with Relay.
Note: You do not have to launch the app if you are running iOS 12+, however, iOS 11 users may need to launch the app once (in single-app mode).

You should install the Smart Agent iOS app using Managed Distribution. For more information on Managed Distribution, click here.

Following installation, you need to configure the Web Content Filter settings within your MDM.

Lightspeed Systems Mobile Manager

Follow these instructions to configure the Web Content Filter settings in Lightspeed Systems Mobile Manager.

  • Click Policies in the main navigation menu.

Note: If your Relay interface is integrated with Mobile Manager, click Device Management > Policies to open the Mobile Manager policies page.

  • Click Web Content Filter in the Policies list.

  • In the Web Content Filter policy, set Filter Type to Plug-In and Vendor to Lightspeed (Relay).

Third-Party MDM

If you’re using a third-party MDM, you’ll need to configure the following settings:

Filter Type: Plugin
Filter Name Lightspeed Relay
Identifier com.lightspeedsystems.iosrelayfilter
Organization Provided by Customer (ex: Relay – Content Filter)
User Name email address – must match the email address in Relay/Launch
Password Leave blank
Certificate None
Filter WebKit Traffic Checked
Filter Socket Traffic Checked

Custom Data

Key Type Value
UDID String UDID of the device
customerID String Lightspeed Customer ID

Here’s an example of the settings using Apple Configurator as a third-party MDM:

Note: Cisco Meraki MDM solutions do not support our Relay Smart Agents for iOS. Refer to our FAQ to learn more.