Help
Initial SurfProtect Setup
- 23 February 2024
- Exa Support
Initial SurfProtect Setup
Introduction
SurfProtect’s cloud-based HTTPS filtering feature requires that all devices on your network trust Exa. This document provides guidance to enable this across your network, however, should you require any additional help then please do not hesitate to contact our dedicated Support Team on 0345 145 1234 or by emailing support
Certificate Setup
A certificate published by Exa needs to be installed on each device within your network. This can be done on a per machine basis, however we have detailed how to deploy the necessary certificate using various management tools below.
Note: for all customers using our connectivity, we recommend setting your DNS forwarders to:
- 82.219.4.28
- 82.219.4.29
- Download your SurfProtect Quantum Certificate
- Once you are logged into your active directory server, go to Start > Administrative Tools > Group Policy Management
- Identify the Group Policy Object that you wish to edit (optionally, you may wish to create a new Group Policy Object to define all SurfProtect settings in one place)
- Right click the newly created Group Policy Object and select Edit
- Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies
- Right click on the folder Trusted Root Certification Authorities and select Import
- Follow the steps in the Certificate Import Wizard, providing the location of the certificate downloaded from the SurfProtect panel when prompted for a file to import
- Download your SurfProtect Quantum Certificate
- Log into the admin panel at admin.google.com
- Navigate to Device Management
- In the DEVICE SETTINGS menu on the left, select Network
- Select Certificate > ADD CERTIFICATE
- Navigate to the previously downloaded certificate
- Ensure that the option labelled Use this certificate as an HTTPS certificate authority is checked
- Click Save
Individual Machine Installation
- Download your SurfProtect Quantum Certificate
- Click the Windows Start Button and type ‘mmc’ into the search bar to locate and run the Microsoft Management Console
- Navigate to the File menu > Add/Remove Snap-in
- From the Available Snap-ins pane, select Certificates and then click on the button labelled Add
- In the Certificates Snap-in wizard, select Computer Account or Local Computer when prompted for which context the snap-in should manage certificate for
- Click Finish to close the wizard and OK to close the snap-ins window
- In the console tree, double-click on Certificates
- Right-click the Trusted Root Certification Authorities and click Import
- Follow the steps in the Certificate Import Wizard, providing the location of the certificate downloaded from the SurfProtect panel when prompted for a file to import
- Download your SurfProtect Quantum Certificate
- Launch Keychain Access
- From the Keychain Access toolbar, select File > Import Items
- Provide the location of the downloaded certificate when prompted for a file location and click Open
- Double-click on the newly imported certificate, labelled Exa Networks Ltd CA
- In the Trust section of the newly opened window, set the value in the dropdown labelled Secure Sockets Layer (SSL) to Always Trust
- Close the current window to apply changes
- Enter your system password when prompted and click on Update Settings
- Download your SurfProtect Quantum Certificate
- Tap Allow on the pop-up
- On the following screen tap Install (if using iOS 12.x, you can find this in Settings > Profile Downloaded)
- Input your Passcode if prompted
- Confirm by tapping Install
- Return to Settings and follow: General > About > Certificate Trust Settings and Enable ‘Exa Networks Ltd Root CA’ by tapping the slider
- Download your SurfProtect Quantum Certificate
- Open the Chrome Browser
- Go to Settings
- Click Privacy & Security on the left hand side menu
- Click Security in the middle
- Scroll down to Manage Certificates
- Ensure you click Authorities, then Import
- Download your SurfProtect Quantum Certificate
- Open Device settings
- Go to Security (or Biometrics & Security)
- Go to Other Security Settings
- Go to Install From Storage or Install a Certificate (depending on devices)
- Select CA Certificate from the list of types available
- Accept a warning alert
- Navigate to the certificate file on the device and click Open to confirm the certificate install
Legacy Individual Machine Installation
- Download your SurfProtect Quantum Certificate
- This will prompt a download, click Open
- Input your Passcode when prompted
- Set the certificate name then choose credential use as VPN and Apps option
- Tap OK, this will then install and become a user certificate
- Download your SurfProtect Quantum Certificate
- Scroll to the bottom of your Chromebook’s Settings page and click on Show Advanced Settings
- Under the HTTPS/SSL section, click on Manage Certificates
- Navigate to the Authorities tab in the Certificate Manager and click Import
- Select the certificate from your Downloads location and click on Open
Installation Verification
You can check whether the certificate is being successfully trusted by visiting the SurfProtect Certificate Status page
This page will automatically detect the location you’re browsing from so it can present a certificate signed by the authority you’ve trusted during negotiation of the secure HTTPS connection.
If your browser shows that the connection is safe then this validation serves as proof that the service certificate is trusted.
If you don’t already have SurfProtect configured to transparently decrypt all web traffic you can test decryption by configuring your browser to use proxy.quantum.exa-networks.co.uk on port 3128.
AD Configuration
SurfProtect Quantum integrates with Active Directory to provide ‘per user’ policy filtering and reporting. To achieve this, your AD data needs to be imported to SurfProtect. This document provides guidance on this process, however, should you require any additional help then please do not hesitate to contact our dedicated Technical Support Team on 0345 145 1234 or by emailing support
Note: If you do not want to enact the AD integration feature of SurfProtect Quantum, or do not have an AD server, you do not need to perform the following steps.
This will prevent these devices accessing any website belonging to a restricted SurfProtect category, or any website that you have added to your blocked list.
Why Synchronise your Active Directory data with SurfProtect?
Individual users are represented in Active Directory by a unique user account and by membership to an arbitrary number of group accounts. With Active Directory integration enabled, SurfProtect can apply different filtering policies to unique users as well as group accounts. SurfProtect also uses the information from the data synchronisation to display the real names of your users to enrich the data provided by our data analytics panel.
Windows Active Directory
SSO is achieved with Active Directory by requesting a user’s information from the web browser whenever a web resource is requested by a machine in your school’s local domain.
Running the below script will establish trust between your school’s domain controller and our proxy servers. This means that when a user requests access to a website, the web browser will be able to communicate with the domain controller to identify the individual and provide SurfProtect with trusted proof of who that person is. As a result, SurfProtect can then filter the web request according to that individual’s filtering profile, and record their online activity.
As SSO requires direct authentication against our proxy servers, Active Directory SSO requires web browsers to be configured with explicit proxy settings. Fortunately, these settings can be pushed to all Windows devices by creating a Group Policy Object; using this mechanism also helps to prevent settings from being manually changed by students.
- Download the AD configuration script
- Update the local proxy settings on the AD server with the below proxy settings:
- Proxy Address: proxy.quantum.exa-networks.co.uk
- Port: 3128
Right click on the downloaded file and select ‘Run with PowerShell’
Note: This script must be run directly on your Active Directory domain server in order to perform all necessary configurationSelect ‘Open’ in the security dialogue box that appears
Follow the commands on screen, the script should complete in a matter of minutes
- After the Setup script has ran we need to run the export which can be done by navigating to ‘Files’ and ‘C Drive’
- Under C-Drive go to ‘Programme Files’ an ‘SurfProtect’.
- Under the SurfProtect file you should see a script labelled ‘Quantum AD Export’ right click on this and run it as Administrator. This will send a copy of all users/groups from the AD server to SurfProtect.
- In order for SurfProtect integration with Active Directory SSO to function, your operating system or web browser must be configured to use the SurfProtect AD proxy service below.
- Proxy Address: ad.quantum.exa-networks.co.uk
- Proxy Port: 3128 The service on this host name is dedicated specifically to Active Directory.
Mixed Environments
If your school uses devices outside of your AD domain, such as iPads and Chromebooks, which are not managed as part of your local domain, individual user filtering and identification will not be possible on Quantum.
These devices will still receive transparent SurfProtect filtering when connected to your school’s network, however, user identity information and profile matching will not be enacted and weblogs will not be populated with user or machine identities.
SurfProtect Quantum+ allows schools to configure non-domain devices to authenticate via a Captive Portal which allows us to track users and log traffic against usernames. If this is something you’re interested in please contact your Account Manager via 0345 145 1234.
If you are using Quantum you can finish the set up here, for Quantum+ follow the below steps.
Quantum+ Setup
- Sign in to surfprotectpanel.exa-networks.co.uk.
- Navigate to the SurfProtect location you want to configure.
- Navigate to the SSO management page.
- Click the “Create domain” button in the top-right or in the centre of the page.
- Click on the “Domain Type” field and select “Azure Active Directory ID”
- Enter your Azure AD tenant’s ID. This can be retrieved from the “Basic Information” section of the overview page of your Azure AD tenant on the Azure Portal. You may need to contact your Azure AD administrator to retrieve this information for you.
Enter a domain name you want to associate with the tenant. This serves as a human-friendly identifier for your tenant and has no impact on how your organisation is filtered.
- Click the “Create” button. This will create your domain, which you will see appear in the SSO management menu.
If you don’t need to filter by Azure AD groups, you can stop here – if you do, proceed to the next steps below.
You may have configured your Google Workspace with restrictions on which application users are able to use – for example, users may not be able to consent to sharing with an application without an Administrator approving the consent.
Sign in via the captive portal and follow through the Google sign-in flow. When your sign-in is stopped by Google, click the blue “request access” link in the sign-in popup.
This will submit the SurfProtect application for review in your Google workspace administration panel. You will need to approve our application in order for your users to use captive portal.
- Sign in to surfprotectpanel.exa-networks.co.uk
- Navigate to the SurfProtect location you want to configure.
- Navigate to the SSO management page.
- Click the “Create domain” button in the top-right or in the centre of the page.
- Click on the “Domain Type” field and select “Google Hosted”.
- Enter the domain you have hosted with Google (this will be the part of your email address after the “@”) and click “Create”. For example, if your email address from your Google domain is “user@domain.co.uk”, you would need to enter “domain.co.uk”.
If you don’t need to filter by Google groups, you can stop here – if you do, proceed to the next steps below.
To populate your tenant with user and group data, you will need to export some data from your Azure tenant. As was the case with your Azure tenant ID, you may need to ask your Azure administrator to perform the following few steps.
- Navigate to the users page of your Azure AD tenant. This can be done by clicking the “Users” option under the “Manage” section of the menu on the left of the page. If you can’t see this menu, click on the right-facing arrows on the left of the page to open it.
- Click on the “Download users” button in the menu, and “Start” in the pane that opens on the right of the page. This may take some time to complete. When it does, you will be prompted with a link to download the file. Click on the link to download the file.
- Navigate to the groups page of your Azure AD tenant. See the instructions in step 9, but click on the “Groups” button instead.
- Export a list of users from each group you wish to create a filtering profile for. For each group, navigate to the specific group page by clicking on the corresponding entry in the table on the groups page. From there, navigate to the “Members” page via the menu on the left of the page. As was the case with the user list export, you will be prompted to start an export process and must wait for it to complete to download the list of group members.
Do not alter the name of the file, as it contains the name of the group you are exporting – we require this to process the data correctly.
Now that you have your user data export and one or more group data exports, click on your newly-created tenant in the left-hand panel to open an extended view of it. Click on the green “Upload users and groups“ button in the right-hand pane.
Click on the “Browse” button under the “Select Users file” heading and submit the file you downloaded during the “user export” step. Repeat this process for each group file you’ve downloaded from Azure in the “Select Groups file(s)” section. If the group name associated with a file you have uploaded is incorrect, edit the name as appropriate. You can now click on the “Upload” button to populate your tenant with user and group data.
If the users or groups in your tenant change, you can repeat this process to update SurfProtect with the new data
To populate your tenant with user and group data, you will need to export some data from your Google Workspace. You may need to ask your Google administrator to perform the following few steps.
- Go to the users overview section of your Google admin panel (https://admin.google.com/ac/users).
- Click the “Download Users” button above the list of users.
- Select the “All user info” and “Comma-separated values” options, then click the “Download” button.
- Once Google has finished processing your file for download, a “task” will appear in the top right of the page. You can download your file of exported users from the notification by clicking “Download CSV”.
- To download group data, proceed to the groups overview page of the Google admin panel (https://admin.google.com/ac/groups).
- Repeat this step for each group you wish to filter by.
- In the list of all groups, click on the the group you wish to export to view more details about it. Specifically, you need to click on the blue hyperlinked group name, not the white table row.
- Click on the arrow on the right of the members section to view more context about the group’s members.
From the members context, you can click the “Download members” button. 
- Select the “All 5 columns” and “Comma-separated values” options, then click “Download”. This schedules a file download, similar to the users export – and as such, it can be downloaded when the “task” appears. See step 1 for more detail.
- Now that you have your user and group export data files, click on your newly-created tenant in the left-hand panel to open an extended view of it.
- Click on the green “Upload users and groups“ button in the right-hand pane.
- Click on the “Browse” button under the “Select Users” section and upload your users data file.
- Repeat this for the “Select Groups” section, but select your group files. You can select multiple files by holding shift and clicking on the files you wish to upload.
- Once you’ve added all your files to the form, click “Upload” to complete the process.
Suggested Next Read
