One of the most complex problems with BYOD is how you connect your student and teacher devices to the Internet without creating a huge amount of work for yourself. Transparent proxy is your friend…kind of.
Some schools I’ve been talking to require the IT department to go hands on with each device before it is permitted onto the school network. This has the benefit that each device can be vetted and manually configured, but causes a huge amount of overhead for the IT department. This isn’t a scalable solution.
What we need is a way for teachers and students to connect up their devices to WiFi in a way they are familiar with but with as little configuration as possible. That’s where transparent proxy comes in.
What is Transparent Proxy?
When a user accesses the Internet through their web browser, transparent proxy intercepts the network traffic and directs it to either an upstream proxy or directly to the Internet. This means that there is no configuration required at all on each device. Students just connect their device and are on the Internet.
That sounds great, but there is a big problem with this system.
The Problem with Transparent Proxy
Transparent proxy cannot process HTTPS traffic. The problem is understandable if you consider what transparent proxy is doing with your data, however, it means that any website secured by an SSL certificate is not accessible without the manual configuration that we were trying to avoid.
Is it that much of a problem? Yes. Any service that you log in to or stores secure data (Google Apps, Office 365, iTunes, iPad App Store, Prezi, Blogger) will require an HTTPS connection.
How do we get Around This?
We need a solution that is less labour intensive than manually entering proxy server information. Part of the solution are PAC (proxy auto-config) files.
A .pac file is essentially a text file with a .pac extension which contains the information a device needs to connect to the Internet. The file can also contain scripting so, for example, we could enter local servers for which the proxy could be bypassed, or even use a different proxy server for different sites.
A basic PAC file
function FindProxyForURL(url, host)
return “PROXY proxy.example.com:8080; DIRECT”;
These settings can then be entered as an option (option 252) on a DHCP server for automatic distribution.
Not very helpfully, most modern browsers are set to ignore these settings by default. Internet Explorer, for example, has to have the “Automatically detect settings” option selected, and iOS has to have the location of the file manually entered in the network settings option. This creates less complex end-user configuration, but still more than I would like.
The benefits of using a PAC files are that you can change proxy server settings centrally without having to edit the configuration on each device.
The PAC file can be stored locally, although to get the greatest benefit it should be hosted on a web server your BYOD devices can access.
A slightly more complex PAC file which bypasses the proxy server for local servers
function FindProxyForURL(url, host)
if ((host=="localhost") ||
shExpMatch(host, "*localhost.*") ||
shExpMatch(host, "10.10.10.0/20") ||
shExpMatch(host, "126.96.36.199/8") ||
shExpMatch(host, "*moodle.school.com*") ||
shExpMatch(host, "*wifi.school.com*") ||
(host == "127.0.0.1"))
return "PROXY proxy.LEA.net:80"
Is there anyway to transparently proxy HTTPS traffic?
The problem is HTTPS traffic is, by it’s very nature, secure. When you access a web page that uses HTTPS (like https://www.facebook.com), your browser creates an encrypted tunnel between your computer and Facebook. Nobody in between can access the information that is passed through the secure tunnel.
A proxy server sits in between you and Facebook and would have to terminate the secure connection and then reinstate it later on.
Technically this is possible, it’s what’s known as a “man-in-the-middle attack”, where a computer terminates a secure connection between two devices and imitates one to read the data being passed through. The problem with this is that the end-user will receive certificate errors like the one below:
I have had one company claim that they have a way to do this safely, but I have yet to see this actually in action.
What are you Doing?
As far as I can see there is no ideal solution to transparently proxying HTTPS traffic. Everyone I speak to has a slightly different solution. The route I am taking is to use transparent proxy to get BYOD devices connected to the Internet and then give instructions to using the PAC file if they need HTTPS access.