EXALogo colour Help

Initial SurfProtect Setup

Initial SurfProtect Setup


SurfProtect’s cloud-based HTTPS filtering feature requires that all devices on your network trust Exa. This document provides guidance to enable this across your network, however, should you require any additional help then please do not hesitate to contact our dedicated Support Team on 0345 145 1234 or by emailing support

Certificate Setup

A certificate published by Exa needs to be installed on each device within your network. This can be done on a per machine basis, however we have detailed how to deploy the necessary certificate using various management tools below.

Note: for all customers using our connectivity, we recommend setting your DNS forwarders to:


Individual Machine Installation

Legacy Individual Machine Installation

Installation Verification

You can check whether the certificate is being successfully trusted by visiting the SurfProtect Certificate Status page

This page will automatically detect the location you’re browsing from so it can present a certificate signed by the authority you’ve trusted during negotiation of the secure HTTPS connection.

If your browser shows that the connection is safe then this validation serves as proof that the service certificate is trusted.

If you don’t already have SurfProtect configured to transparently decrypt all web traffic you can test decryption by configuring your browser to use proxy.quantum.exa-networks.co.uk on port 3128.

AD Configuration

SurfProtect Quantum integrates with Active Directory to provide ‘per user’ policy filtering and reporting. To achieve this, your AD data needs to be imported to SurfProtect. This document provides guidance on this process, however, should you require any additional help then please do not hesitate to contact our dedicated Technical Support Team on 0345 145 1234 or by emailing support

Note: If you do not want to enact the AD integration feature of SurfProtect Quantum, or do not have an AD server, you do not need to perform the following steps.

This will prevent these devices accessing any website belonging to a restricted SurfProtect category, or any website that you have added to your blocked list.

Why Synchronise your Active Directory data with SurfProtect?

Individual users are represented in Active Directory by a unique user account and by membership to an arbitrary number of group accounts. With Active Directory integration enabled, SurfProtect can apply different filtering policies to unique users as well as group accounts. SurfProtect also uses the information from the data synchronisation to display the real names of your users to enrich the data provided by our data analytics panel.

Windows Active Directory

SSO is achieved with Active Directory by requesting a user’s information from the web browser whenever a web resource is requested by a machine in your school’s local domain.

Running the below script will establish trust between your school’s domain controller and our proxy servers. This means that when a user requests access to a website, the web browser will be able to communicate with the domain controller to identify the individual and provide SurfProtect with trusted proof of who that person is. As a result, SurfProtect can then filter the web request according to that individual’s filtering profile, and record their online activity.

As SSO requires direct authentication against our proxy servers, Active Directory SSO requires web browsers to be configured with explicit proxy settings. Fortunately, these settings can be pushed to all Windows devices by creating a Group Policy Object; using this mechanism also helps to prevent settings from being manually changed by students.

Mixed Environments

If your school uses devices outside of your AD domain, such as iPads and Chromebooks, which are not managed as part of your local domain, individual user filtering and identification will not be possible on Quantum.

These devices will still receive transparent SurfProtect filtering when connected to your school’s network, however, user identity information and profile matching will not be enacted and weblogs will not be populated with user or machine identities. 

SurfProtect Quantum+ allows schools to configure non-domain devices to authenticate via a Captive Portal which allows us to track users and log traffic against usernames. If this is something you’re interested in please contact your Account Manager via 0345 145 1234. 

If you are using Quantum you can finish the set up here, for Quantum+ follow the below steps.

Quantum+ Setup

Suggested Next Read

Related Help Articles

The Exa Foundation

Contact us


Contact us

Is DarkLight connectivity best suited to you?

Dark fibre is perfect if you are looking for a potentially limitless, ultrafast connection with complete flexibility and control.

If you fully rely on the internet, a dark fibre connection could be the best option for you.

Is Leased Line connectivity best suited to you?

Leased Lines are best suited to you if you have high bandwidth requirements and need a reliable, uncontended service.

It is ideal for you if you regularly carry out large uploads and downloads, use cloud based services and a VoIP telephone system as well as video conferencing, for everyday communication.

Is GPON connectivity best suited to you?

GPON is a great choice for you if you need gigabit speeds but don’t need them to be symmetrical. It is becoming more widely available across the UK but may not be immediately available to you yet.

Is Rural Fibre connectivity best suited to you?

If you want to make the move to full fibre, but are based in a rural area, this option is for you.

Is FTTP connectivity best suited to you?

If you have a number of users who use cloud-based applications to upload and download data on a daily basis, but don’t transfer large amounts of data, FTTP might be your best option.

Is Gfast connectivity best suited to you?

If your line cannot support a minimum of 100Mbps, this connection is not for you. Gfast must meet the speed as a minimum. 

If your line meets this need, and you’re looking for an ultrafast, consistent and reliable connection without the hassle and upheaval of construction work – this could be a good fit.

It’s worth noting that Gfast is a stop gap to FTTP, and is not a technology that is likely to be around for a long time.

Is FTTC connectivity best suited to you?

If you need more bandwidth but don’t really need a guaranteed speed, FTTC could be for you. It is widely available throughout the UK, making it suitable as a main connection. As this connection provides higher speeds than ADSL, it is also a good option for a back up to a leased line.

As with ADSL, once the PSTN is turned off in 2025/26, FTTC will become virtually obsolete and at the very least you will require FTTP to remain connected.



Office hours

Monday: 8:30am – 5pm
Tuesday: 8:30am – 5pm
Wednesday: 8:30am – 5pm
Thursday: 8:30am – 5pm
Friday: 8:30am – 5pm
Saturday: Closed
Sunday: Closed


Contact us

Office hours

Monday: 8am – 4pm
Tuesday: 8am – 4pm
Wednesday: 8am – 4pm
Thursday: 8am – 4pm
Friday: 8am – 4pm
Saturday: Closed
Sunday: Closed


Contact us

Office hours

Monday: 8am – 5pm
Tuesday: 8am – 5pm
Wednesday: 8am – 5pm
Thursday: 8am – 5pm
Friday: 8am – 5pm
Saturday: Closed
Sunday: Closed

Is DSL connectivity best suited to you?

DSL connections offer very limited bandwidth so it might be right for you if you typically use the internet for less data-intensive tasks. If you’re sending emails, browsing the web, downloading very small files and working with small amounts of data – you should be fine with DSL.

It is worth noting connections based on copper wire, like DSL, will be switched off in the UK by Openreach, with a phased approach due to begin at the end of 2025. If you don’t have a fibre connection at the moment, you’ll need to upgrade this as well as move to a VoIP telephone system.

Technical Support

Contact us

Office hours

Monday: 8am – 6pm
Tuesday: 8am – 6pm
Wednesday: 8am – 6pm
Thursday: 8am – 6pm
Friday: 8am – 6pm
Saturday: 10am – 4pm
Sunday: 10am – 4pm