Filter › Policy Management
Understanding Enhanced Guest Network Policy (GNP)
Standard Guest Network Policies typically rely on dedicated DNS servers that provide customizable filtering without the need for logins or SSL certificates. However, they work like an on-off switch – you can either allow or block a site entirely. This means you don't get advanced controls, such as allowing specific sections of a site (like a single video or a specific page) while keeping the rest of the site restricted.
Enhanced Guest Network Policy (Enhanced GNP), on the other hand, gives schools granular control over what users can see and do on their school network. It uses a secondary Filter account and SSL inspection to provide deep visibility and filter content on unauthenticated devices, making it a powerful cloud-based alternative to traditional, expensive hardware solutions.
In this guide:
-
Key Features & Benefits of Enhanced GNP
- Granular control: Apps & embedded content
- Enhanced activity visibility
- Cross-platform support
- Keyword scanning
- Setup prerequisites
-
Configuration workflow
- Account setup
- Policy Configuration
- Traffic Routing and SSL Deployment
- Important considerations
Key Features & Benefits
Granular Control: Apps & Embedded Content
Standard GNP policies only see that a device is asking for a general website. They can't tell if you’re using an app or just watching a single video embedded on a teacher's blog. Enhanced GNP unpacks these requests by reading the Referer and Origin headers (which tell the Filter where web traffic is coming from and where it originated). This allows for much smarter filtering:
- App Control: While Enhanced GNP is not a dedicated solution for app blocking, its deep packet visibility allows it to “break” specific application functions. This allows for much smarter filtering, such as allowing a guest teacher to use Google Drive while ensuring they cannot access Gmail. Filter achieves this by recognizing the specific traffic patterns and data signatures that distinguish the different services of a website, even when they are under the same domain.
-
Embedded Content Access: You can allow embedded content in a website like when you want to block YouTube entirely, but still allow certain videos to play when they are embedded on your school’s own website.
Enhanced Activity Visibility
Your logs capture both allowed and blocked traffic, providing a complete audit trail of guest activity.
Cross-Platform Support
Seamlessly filter a mix of personally owned Chromebooks, iOS, macOS, Windows, and Android devices.
Keyword Scanning
The SSL certificate enables deep scanning and blocking beyond basic SafeSearch. This keeps guests safe on sites like Google or Bing by filtering out inappropriate results before they even appear.
Prerequisites
Before beginning the configuration, ensure you have the following:
- Dedicated Subdomain: This web address (e.g., gnp.schooldomain.org) will be used specifically for the guest network.
- Dedicated Public IP: This IP must be exclusive to the guest network traffic to ensure policy mapping.
- Admin Access: You’ll need rights to modify DNS forwarders and distribute SSL certificates.
Configuration Workflow
1. Account & Infrastructure Setup
Securly will set up and register the new subdomain and the dedicated public IP to a fresh Securly account and set up a multi-tenancy for the primary admin to allow seamless switching between the main and guest accounts, or create a dedicated admin user on the new subdomain.
2. Policy Configuration
- IP-Based Policy: With the newly created account, create a policy tied to the dedicated public IP. Then, add your custom allow/block lists and set any other rules if required.
- Disable Force Logins: Under Policy Editor > Global Settings, ensure "Force Logins" is disabled to allow guest devices to browse without any login credentials.
3. Traffic Routing & SSL Deployment
- DNS Forwarding: Direct all traffic from the guest network to the Securly DNS servers specific to your cluster (found in Filter’s Settings menu).
-
SSL Certificate Deployment: Installing the Securly SSL Certificate on all guest devices is the most critical step for keyword scanning and application-level blocking. You can share the self-service link with the guest user, use installers, or push it to multiple users remotely using Google Workspace, Azure, or an MDM.
- Self-Service Link: securly.com/ssl
- Raw Certificate Formats & Installers: Securly CA Certificates
With these steps complete, your guest network is fully configured.
Important Considerations
Management Complexity: Using a second Filter account introduces administrative overhead. Ensure your IT team is aware that guest policies must be managed within the secondary account dashboard.
Cloud vs. On-site hardware: This is a cloud-native solution. Unlike an on-site appliance, app-level blocking relies on DNS and SSL inspection. If the SSL certificate isn't properly installed on the guest device, the filtering will be limited to domain level – it won’t assess specific pages or keywords.