Relay + Rocket: Best Practices

For the best experience when running Relay with an in-line Rocket, configure Relay to filter your managed devices, and your Rocket to filter your guest (or un-managed) devices. How you configure your Relay and Rocket to do so depends on your network setup (segmented or non-segmented).

On a segmented network, filter managed devices (with Relay) on a separate subnet from the devices filtered by the Rocket. On a non-segmented network, configure Relay and your Rocket based on your devices’ directory service (either Google Classroom, Active Directory, or both).

Following these best practices ensures that all of your devices are filtered properly and that your managed-device activity is reported accurately.

Segmented Networks

On a segmented network, use your Rocket to filter devices that do not have our Relay Smart Agent installed (or devices that you cannot install a Relay Smart Agent on). Essentially, any device you would typically filter with a BYOD setup should be filtered by the Rocket.

Designate subnets for your devices without Smart Agents installed and subnets for your managed devices with Smart Agents installed (with their own fixed IP ranges). Then add your managed-device IP ranges to your Rocket’s Internal Ignore rules. The Rocket ignores all traffic from those devices and allows Relay to filter managed devices.
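
The subnet plan above can be checked against a device inventory before the ignore rules are relied on. The following Python script is an added example, not Lightspeed code: the address ranges, device names, and inventory format are constructed for illustration, and it calls no Relay or Rocket API.

```python
import ipaddress

def audit_ignore_plan(ignore_ranges, rocket_subnets, inventory):
    """Check a segmented-network plan and return a list of findings.

    ignore_ranges  - CIDRs entered in the Rocket's Internal Ignore rules
    rocket_subnets - CIDRs reserved for devices without a Smart Agent
    inventory      - (name, ip, has_smart_agent) tuples, e.g. from DHCP leases
    """
    ignore = [ipaddress.ip_network(r) for r in ignore_ranges]
    rocket = [ipaddress.ip_network(r) for r in rocket_subnets]
    findings = []

    # An ignore range overlapping a Rocket-filtered subnet leaves the
    # agentless devices in the overlap filtered by neither product.
    for ign in ignore:
        for sub in rocket:
            if ign.overlaps(sub):
                findings.append(("overlap", str(ign), str(sub)))

    for name, ip, has_agent in inventory:
        ignored = any(ipaddress.ip_address(ip) in net for net in ignore)
        if ignored and not has_agent:
            # Rocket ignores it and Relay has no agent on it.
            findings.append(("unfiltered", name, ip))
        elif has_agent and not ignored:
            # Relay filters it and the Rocket filters it again.
            findings.append(("double-filtered", name, ip))
    return findings

# Constructed sample plan and inventory (not real addresses or devices).
IGNORE_RANGES = ["10.20.0.0/16"]
ROCKET_SUBNETS = ["10.30.0.0/16", "10.20.200.0/24"]
INVENTORY = [
    ("lab-pc-01", "10.20.1.15", True),
    ("guest-phone", "10.30.4.9", False),
    ("byod-tablet", "10.20.200.7", False),
    ("staff-laptop", "10.30.8.2", True),
]

if __name__ == "__main__":
    for finding in audit_ignore_plan(IGNORE_RANGES, ROCKET_SUBNETS, INVENTORY):
        print(finding)
```

An "unfiltered" finding is the one to fix first, since that device is covered by neither Relay nor the Rocket.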

Non-segmented Networks

If your network is not segmented, configure your Relay and Rocket according to your devices’ directory service (either Google Classroom, Active Directory, or both).

Choose one of the following three device-directory environments, then choose an option to configure your Rocket to Allow All web traffic for your devices. This allows Relay to filter managed devices.

Note: The Rocket reports this device traffic as allowed content.

Only Chromebooks (Google Classroom)

Follow these guidelines if you are only filtering Chromebooks (synced with Google Classroom) on your non-segmented network.

  • Deploy the Chrome User Agent to your Chromebooks.
  • In the Rocket, enable the Allow All policy assignment for all users and groups running devices with Smart Agents installed.
  • Disable web authentication on your Rocket. This ensures that the Rocket filters un-managed devices.

Only Windows and macOS (Active Directory)

Choose one of the following options if you are only filtering Windows or macOS devices (synced with Active Directory) on your non-segmented network.

Option 1

  • Deploy the Lightspeed Management Agent (LMA) to Windows devices and/or the Mac User Agent to macOS devices.
  • In the Rocket, enable the Allow All policy assignment for all users and groups running devices with Smart Agents installed.
  • Disable web authentication on your Rocket. This ensures that the Rocket filters un-managed devices.

Option 2

  • Deploy the Lightspeed Management Agent (LMA) to Windows devices.
  • In the Rocket, enable the Allow All policy assignment for all computer OUs running devices with Smart Agents installed.

Mixed (Chromebooks and Active Directory Devices)

Choose one of the following options if you are filtering macOS, Windows, and Chromebooks (synced via Active Directory and Google Classroom) on your non-segmented network. In this kind of mixed environment, the Chrome browser should be managed or unmanaged depending on your usage policy or preferences. Choose one of these options for managing Chrome browsers.

Option 1 – Un-Managed Chrome Browser

Deploy the Chrome User Agent and, in the Google Admin console, exempt the agent from deploying to browsers. This prevents users (on non-district-controlled devices) from signing into Chrome and getting the Chrome User Agent (which would give them an Allow All policy).

Option 2 – Managed Chrome Browser

In the Google Admin console, allow Chrome browsers to receive the Chrome User Agent. In this scenario, match your policies in Relay and the Rocket.

After configuring Relay and your Rocket (according to your network setup), your devices will not be double-filtered or report false data. If you continue to have issues with your Relay and Rocket setup, contact Lightspeed Support for additional help.