Three Ways to Proxy

The Lightspeed Systems Web Filter utilizes three distinct proxy configuration methods:

  • Forward – A global proxy that works on and off network
  • Transparent – Full URL decryption but only on-network
  • Selective (PAC) – Domain-based full decryption

Each proxy configuration method corresponds to a particular setup within your Web Filter settings. You should determine which configuration method you wish to use, based on your individual school network environment.

Note: If your environment is made up entirely of Chromebook devices, skip down to the Chromebook Exception section.


Forward Proxy

What is Forward Proxy?

Forward proxy functions as a full trusted man-in-the-middle proxy, meaning that all HTTPS requests can be examined just like HTTP requests. Forward proxy decrypts all traffic on your network, including traffic generated by both on-network and off-network devices that are set up to use the proxy. With the forward proxy option, encrypted traffic is shown in your Web Filter in a simple, easy-to-read manner.

Forward Proxy On Network Diagram

  1. An on-network device sends its request for google.com to the Web Filter.
  2. The Web Filter receives the request. If the request is allowed, the Web Filter makes its own request to google.com on behalf of the device. If the request is not allowed, it is redirected to an Access Page and reported.
  3. Google.com returns the site to the requester, your Web Filter.
  4. Your Web Filter sends the requested google.com page to the on-network device.
  5. Google.com loads on the on-network device.

Forward Proxy Off Network Diagram

  1. An off-network device sends its request for google.com to the Web Filter.
  2. The Web Filter receives the request. If the request is allowed, the Web Filter makes its own request to google.com on behalf of the device. If the request is not allowed, it is redirected to an Access Page and reported.
  3. Google.com returns the site to the requester, your Web Filter.
  4. Your Web Filter sends the requested google.com page to the off-network device.
  5. Google.com loads on the off-network device.

Reasons to Use Forward Proxy

You should use Forward proxy if you want to have accurate reports on encrypted traffic (see which Google sites your users are accessing and what they are searching for on Google) and…

  • Your school utilizes iPads
  • Your school utilizes Chromebooks
  • Your school performs a 1-to-1 deployment of iOS or ChromeOS devices
  • Your school allows users to take devices home, and you want to filter those devices while they are at home
  • You want the ability to filter and decrypt most website and app related traffic.
  • You want the best option to get full filtering and URL reporting on iOS and ChromeOS devices

Potential Drawbacks

The Forward proxy method proxies all network traffic, so all traffic is redirected to the Web Filter before it is allowed to reach the Internet. This means that when devices are off-network, their traffic is routed to your Web Filter, which makes the request and sends it on to the desired destination. The response from the destination follows the same path in reverse, resulting in a greater amount of traffic passing through the Web Filter.

Setting Up Forward Proxy

Learn more about: Setting up Forward proxy


Selective Proxy (PAC)

What is a Selective Proxy?

The Selective proxy is a proxy server that only filters select information. The Selective proxy utilizes PAC (proxy-auto-config) files to define how web browsers can automatically choose the appropriate access method for fetching a given URL. The Selective proxy allows most of your users’ traffic to flow freely through the network, while sending encrypted traffic (such as Google and YouTube traffic) through the proxy. As a result, your Web Filter reports will show exactly which Google sites your users visited, but they will not show other encrypted traffic, such as traffic for bank.com.

Selective Proxy On Network Diagram

  1. An on-network device checks its request for google.com against its PAC file. If google.com is not in the PAC file list, then the request would pass through the Web Filter as non-proxied traffic.
  2. If the requested site is listed in the PAC file, the device sends its request for google.com to the Web Filter proxy.
  3. The Web Filter receives the request. If the request is allowed, the Web Filter makes its own request to google.com on behalf of the device. If the request is not allowed, it is redirected to an Access Page and reported.
  4. Google.com returns the site to the requester, your Web Filter.
  5. Your Web Filter sends the requested google.com page to the on-network device.
  6. Google.com loads on the on-network device.

Selective Proxy Off Network Diagram

  1. An off-network device checks its request for google.com against the PAC file. If the request is not on the PAC file list, then the request would go straight out to the internet and to google.com.
  2. If the requested site is listed in the PAC file, the device sends its request for google.com to the Web Filter.
  3. The Web Filter receives the request. If the request is allowed, the Web Filter makes its own request to google.com on behalf of the device. If the request is not allowed, it is redirected to an Access Page and reported.
  4. Google.com returns the site to the requester, your Web Filter.
  5. Your Web Filter sends the requested google.com page to the off-network device.
  6. Google.com loads on the off-network device.
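
The PAC decision described in the steps above, written out as a PAC file. This is an added example, not Lightspeed's own file: the proxy address is a placeholder, and the helper name hostInDomain is hypothetical. Only google.com and youtube.com, the sites named on this page, are proxied.

```javascript
// Placeholder address for the Web Filter proxy (assumption, not from the page).
var PROXY_HOST = "webfilter.school.example:8080";
// Domains sent through the proxy; the page names Google and YouTube.
var PROXIED_DOMAINS = ["google.com", "youtube.com"];

// True only for the domain itself or a genuine subdomain of it.
// A plain substring or suffix test would also match "notgoogle.com"
// or "google.com.other.example" and route the wrong hosts.
function hostInDomain(host, domain) {
  host = host.toLowerCase().replace(/\.$/, ""); // normalise case, drop root dot
  if (host === domain) return true;
  var suffix = "." + domain;
  var at = host.length - suffix.length;
  return at > 0 && host.indexOf(suffix, at) === at;
}

// Entry point the browser calls for every request.
// The decision uses the host only, never the path or query string.
function FindProxyForURL(url, host) {
  for (var i = 0; i < PROXIED_DOMAINS.length; i++) {
    if (hostInDomain(host, PROXIED_DOMAINS[i])) {
      // No "; DIRECT" fallback here: if the proxy is unreachable the
      // request fails instead of quietly bypassing the filter.
      return "PROXY " + PROXY_HOST;
    }
  }
  return "DIRECT"; // sites not in the list are not proxied
}
```

Returning "PROXY host:port; DIRECT" instead would keep listed sites reachable when the proxy is down, at the cost of those requests going out unfiltered and unreported.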

Reasons to Use Selective Proxy

You should use Selective proxy if you want to have accurate reports on encrypted traffic (see which Google sites your users are accessing and what they are searching for on Google) and…

  • Your school utilizes OS X devices
  • Your school utilizes Windows devices
  • Your school allows users to take devices home
  • You want to see sites like Google and YouTube browsing and searches, but do not want to see other user web activity (as opposed to Forward proxy, where all web activity is proxied)
  • You want to enforce trusted man-in-the-middle proxy on search engines and see plain text searches on sites where you need granular search results

Potential Drawbacks

  • You will need to create a PAC file for every site or IP range that you wish to proxy. This is not an issue if you only wish to proxy Google and YouTube (see instructions below).
  • Unlike Forward proxy, Selective proxy does not decrypt all app traffic.

Do you want to know how to set up a PAC file for Google and YouTube and how to upload it to the Web Filter?

Learn more about: Setting up and uploading a PAC file

Transparent Proxy

What is Transparent Proxy?

If your school devices do not leave your network, or you are not filtering off-network devices, then you can use Transparent proxy. The Transparent proxy is an on-network proxy that allows you to decrypt SSL traffic without configuring proxy settings or PAC files on network devices. Transparent proxies are considered transparent because the user isn’t aware of them. Utilizing the Transparent proxy option allows you to view Google and YouTube sites and search data in your reports for all devices that are connected to the school network.

Transparent Proxy On Network Diagram

  1. An on-network device makes a request for google.com.
  2. The Web Filter intercepts the request. If the request is allowed, the Web Filter lets the request proceed to google.com. If the request is not allowed, it is redirected to an Access Page and reported.
  3. Google.com returns the site to the requester, your Web Filter.
  4. Your Web Filter sends the requested google.com page to the on-network device.
  5. Google.com loads on the on-network device.

Reasons to Use Transparent Proxy

You should use Transparent proxy if you want to decrypt encrypted traffic (see which Google sites your users are accessing and what they are searching for on Google) and…

  • Your school utilizes OS X devices
  • Your school utilizes Windows devices
  • Your school does not wish to filter off-network devices

Potential Drawbacks

Setting up Transparent Proxy

Learn how to set up Transparent proxy in this video guide

The Chromebook Exception

If you have Chromebooks, the Lightspeed Systems Mobile Filter can provide full URL reports on encrypted traffic without the use of a proxy server.

Due to the design of the Chrome operating system, schools that only have Chromebook devices can filter most Google encrypted searches without the need for a proxy by using the Chrome Extension Lightspeed Mobile Filter or the Lightspeed S-Mobile Filter. The Lightspeed Mobile Filter extensions for Chrome provide content filtering for ChromeOS, allowing school administrators to ensure safe, monitored access on school-distributed Chromebooks. Operating as a Chrome extension, it offers policy-based filtering and off-network activity reporting–all without the need for a proxy. In addition, it provides seamless single sign-on capabilities for ChromeOS devices when they are used off the school network.

Note: The Chromebook extension currently only works off-network.

Setting up Chromebook Mobile Filter

Learn more about: the Chrome Extension Mobile Filter

Other Helpful Information

Learn more about: Recommended levels of proxy security
Learn more about: SSL