Setting Up HTTPS Inspection

This article is for IT support at schools with a School Manager physical appliance.

Warning

HTTPS Inspection is scheduled for removal from School Manager by early 2023.

Important

These instructions are for schools where users connect to the school network via School Manager, either directly or by using the Linewize Connect for Windows or macOS agent. Devices that have the Linewize Connect Chrome extension perform HTTPS inspection by default.

HTTPS Inspection without Linewize Connect only works where the agent/extension is not on the student device, and the SSL certificate is installed on the device.

About HTTPS Inspection

HTTPS Inspection filters access to certain websites, applications, and harmful content by initiating a “handshake” between devices to encrypt data transmitted across the internet. HTTPS Inspection must be enabled to allow School Manager to filter and report on specific content, such as YouTube videos.

Enabling HTTPS inspection is a two-step process:

  • Setting up HTTPS inspection in School Manager
  • Installing the Linewize certificate on student devices

Step 1: Set Up HTTPS Inspection in School Manager

Important

  • This configuration applies to devices that are directly connected to the school network via School Manager.
  • Use only the Linewize certificate available from https://certs.linewize.net when setting up HTTPS inspection for schools.
  • For SSL inspection to work, configure an IP address on the bridge. If there are multiple VLAN bridges, configure an IP on each VLAN bridge that you need to inspect.

Warning

You MUST create a separate firewall rule that allows all connections, and then create another firewall rule specifically for HTTPS inspection. Otherwise, all traffic on the device may be blocked. Make sure to configure the following rules in your firewalls:

Setting Up HTTPS Inspection in School Manager

  1. Go to Configuration > Networking > HTTPS Inspection.
  2. Click the Enabled checkbox.
  3. Under CA Configuration, enter or paste the required values for:
    1. CA Key
    2. CA Certificate
    3. CA Password
  4. Under Inspected Applications and Websites, configure site inspections by:
    1. clicking Inspect All; or
    2. entering specific website categories/signatures; and
    3. entering excluded website categories/signatures (optional).

    Note
    We recommend only inspecting the websites required (e.g. Google Search, Bing and YouTube). Selecting Inspect All can place a high strain on the School Manager appliance as it has to inspect all traffic.
  5. Configure the inspection options for Networks and Groups:

    1. Click All Devices to inspect the connections for all devices in the network.
    2. Enter the relevant network details (IP address, IP range, MAC address, etc.) to inspect selected devices and connections.
    3. Select groups. Only the selected groups will have their connections inspected.
  6. If required, enter the excluded device IDs, IP addresses, or network names in the Excluded Networks field, and then press Enter on your keyboard to confirm the exclusion(s).

  7. Click Save.

Setting Up HTTPS Inspection for Windows and macOS

Important

This configuration applies to devices using Linewize Connect configured for 24/7 filtering while the device is connected to an off-campus network or Cloud-Only filtering (no physical School Manager appliance).

For Devices That are Connected via User’s Personal Mobile Networks

  1. Go to Configuration > Mobile Agent.
  2. Under On School Manager Network, click the Filtering Enabled check box.
  3. More configuration options will appear; configure the filtering options as required. Refer to Content Filtering Overview for more information.
  4. Click MITM Enabled. More inspection options will be displayed.
  5. On the Inspected field, select or enter the website signatures and categories that will be inspected.
  6. (Optional) On the MITM Exclude Groups field, select the group(s) that will be excluded from HTTPS inspection. 
  7. (Optional) Enable Safe Search.
  8. Click Save.

For Devices That are Connected via Home Wi-Fi 

Man In The Middle (MITM) inspection can run on any user's device with Connect installed. Connect on the user's local device will decrypt and inspect the connection request. If the website is allowed, the connection will be completed; if the content is blocked, a block page will be displayed.

  1. Go to Configuration > Mobile Agent.
  2. Under Off School Manager Network, click the Filtering Enabled check box.
  3. More configuration options will appear; configure filtering options as required. Refer to Content Filtering Overview for more information.
  4. Click MITM Enabled. More inspection options will appear on the screen.
  5. On the Inspected field, select or enter the website signatures and categories that will be inspected.
  6. (Optional) On the MITM Exclude Groups field, select the group(s) that will be excluded from MITM inspections.
  7. Configure Safe Search (optional). Refer to Setting Up Safe Search for more information.
  8. Click Save.

Step 2: Download and Install the Linewize Certificate

Important: You will need Administrator privileges on the students’ devices.

For Windows 

  1. Go to https://certs.linewize.net and navigate to View Available Certificates > Other.
  2. Download the .CRT file.

For macOS

  1. Go to https://certs.linewize.net and navigate to View Available Certificates > Other.
  2. Download the .PEM file.

Install Certificate on Student Devices

Deployment via Group Policy Editor

  1. Start the Group Policy Management snap-in on the Active Directory domain controller.
  2. Find an existing Group Policy Object (GPO) or create a new one. The new GPO will contain the new certificate settings. 
  3. Right-click on the GPO, and then select Edit.
  4. On the console, go to Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies.
  5. Right-click on Trusted Root Certification Authorities and select Import.
  6. On the Certificate Import Wizard, click Next.
  7. On the File Import page, click Browse to locate the certificate or enter the path to the certificate file.
  8. Click Next.
  9. On the Certificate Store page, select Place all certificates in the following store.
  10. Click Next.
  11. Verify that all settings are correct, then click Finish.

More information about Group Policy distribution is available on this page.

Individual Deployment on Windows Computers

IT support can push the Linewize certificates using their schools' MDMs.

  1. Locate the downloaded linewize.cacert.crt certificate file in the computer’s local folder or external storage (such as USB).
  2. Double-click on the file to open the downloaded certificate. A Certificate dialog box will appear.
  3. Click Install Certificate…
  4. On the Certificate Import Wizard window that appears, select Local Machine.
  5. Click Next.
  6. If prompted, enter your computer’s Administrator username and password, if any.
  7. Click Next.
  8. Select Place all certificates in the following store, and then click Browse…
  9. On the Certificate Store window that appears, select Trusted Root Certification Authorities.
  10. Click OK.
  11. Click Next.
  12. Click Finish. A notification will appear, confirming that importing the certificate has been successful.

Individual Deployment on macOS Computers

  1. Locate the downloaded file and open the PEM file certificate. This will open the Keychain Access window.
  2. Make sure the Certificate is installed in the System Keychain.
  3. Double-click Linewize Certificate to open the Certificate Properties dialog window.
  4. On the Trust section, select Always Trust in the When using this certificate: list.
  5. Close the window. If prompted, enter your password to save the changes.
  6. Reload all open browsers to check if the changes have taken effect.

FAQs

Are there default categories and signatures in the HTTPS Inspection setup?  

Yes, there are default site categories and signatures that we recommend for inspection. These are Google Search, Bing and YouTube.

How do I confirm that the user’s device is connected through School Manager?

Using the device, go to https://whoami.linewize.net. The URL should return a string that details the School Manager upstream.

How do I confirm the user’s device has the certificate?

For Windows:

  1. Press Windows + R on your keyboard.
  2. Run certmgr.msc.
  3. Go to Trusted Root Certification Authorities > Certificates and locate the certificate.

For macOS:

  1. Go to Applications > Utilities > Keychain Access.
  2. Open the Certificates tab. All certificates are saved in this folder. 
  3. Locate or enter the certificate’s name in the Search bar to find the Linewize certificate.
    Alternatively, click System Roots under System Keychains on the left navigation bar.
  4. Double-click the Linewize certificate to display more information.

How do I confirm that web pages, applications, and other content are being inspected?

To confirm HTTPS inspection is working, check that searches, videos, and Realtime Connections capture all reporting data:

  • Go to Cyber Safety > Searches to view the Search Report.
  • Go to Cyber Safety > Videos to view the Videos Report.
  • Go to Statistics > Realtime > Connections to view the Realtime Connections Report.
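
The same question can be answered from the student device itself. The script below is an added example, not part of the original article or Linewize's own tooling: it performs a TLS handshake that trusts only the inspection CA file, so the handshake succeeds only for hosts whose certificate was re-signed by that CA. The CA file path (passed as the first argument, and assumed to be PEM), the `POLICY` table and the `portal.example.org` placeholder are assumptions to replace with your own values.

```python
import functools
import socket
import ssl
import sys


def probe(host, ca_file, port=443, timeout=5.0):
    """Return 'inspected', 'direct' or 'error' for one host."""
    # ca_file: PEM CA certificate downloaded in Step 2 (path is an assumption).
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # starts with no trusted roots
    ctx.load_verify_locations(cafile=ca_file)      # trust only the inspection CA
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return "inspected"                 # chain ends at the inspection CA
    except ssl.SSLCertVerificationError:
        return "direct"                            # signed by some other CA
    except OSError:
        return "error"                             # timeout, refused, TLS failure


def audit(policy, probe_fn):
    """Return sorted (host, expected, observed) tuples where policy and reality differ."""
    findings = []
    for host, should_inspect in sorted(policy.items()):
        expected = "inspected" if should_inspect else "direct"
        observed = probe_fn(host)
        if observed != expected:
            findings.append((host, expected, observed))
    return findings


# Constructed policy: the three recommended sites are inspected; portal.example.org
# is a placeholder for a real host covered by your excluded categories/signatures.
POLICY = {
    "www.google.com": True,
    "www.bing.com": True,
    "www.youtube.com": True,
    "portal.example.org": False,
}

if __name__ == "__main__":
    mismatches = audit(POLICY, functools.partial(probe, ca_file=sys.argv[1]))
    for host, expected, observed in mismatches:
        print(f"{host}: expected {expected}, observed {observed}")
    sys.exit(1 if mismatches else 0)
```
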

Why do I get timeout errors?

If a timeout error occurs, it may mean that School Manager is not connecting to the client (user’s) device for one of the following reasons:

  • A route to the client network is missing. To check, go to Configuration > Networking > Routing.
  • School Manager may not be listening to the IP address of the device. To check, go to Configuration > Networking > Interfaces and check that BR0 or the relevant VLAN bridge is set up with an IP address.
  • If reverse path filtering is enabled on the school switch, a management IP (instead of the bridge IP) may have to be used to get back to the device.