Secure proxy authentication (SPA)
Protecting student and staff credentials - the way all users access the internet at school is changing. The change is starting in Term 2, 2016 and will be complete for all secondary schools by mid Term 3.
What is SPA?
In 2006, the Authenticated Internet Browsing and Email service launched. All staff and students were provided with individual accounts, and year-level filtering was introduced. In order to access the Internet, users authenticate with their DoE Portal ID & password.
The main function of the department’s Filtered Internet Browsing service is to provide filtered access to the Internet to minimise the risk of students and staff accessing websites that contain inappropriate material. The filtering service is accessed by authenticating to the department’s proxy servers which have recently been updated. The update provides for a new authentication process with user credentials encrypted and securely sent to the proxy server.
SPA roll out timing
A successful pilot of SPA was conducted in term 4 2015.
What is single sign-on?
SPA is the first step to establishing a single sign-on service for all eT4L schools. On eT4L Windows devices, logging onto Windows will remove the need to authenticate again for Internet sessions. The next phase of single sign-on, due in the second half of 2016, will see the Windows logon apply automatically for the DoE Portal, email and most corporate applications, so you won’t need to authenticate multiple times a day.
Transitioning to SPA
A process is now in place to individually cut over each high and central school by the end of term 3 2016, then complete the cutover of all remaining schools by the end of 2016. Each school will be contacted directly and notified of its cutover date. Some local preparations will be required to ensure all staff and students are ready for this important change.
What your school needs to be ready for SPA
Schools will be cut over to SPA progressively in large cohorts. For consistency, SPA cutover days will be either a Wednesday or a Friday, with the actual change taking place the evening before. ITD will provide each school with at least two weeks’ notice before SPA is configured for the site. In this time, it will be important for the school to:
- Understand what changes SPA will bring to the school and the user experience by reading this Fact Sheet
- Effectively promote the school’s scheduled SPA Day to ensure all students and staff are ready for the upcoming change and deliver a smooth transition
- Download the other SPA Resources. Print off the posters and hang them around the school. Publicise the information via email, your school intranet and other communications channels used by your school
- If your school has a BYOD program for either staff or students, SPA will affect your users. It’s important to make sure they prepare their personal devices on SPA Day
- If your school has a Sentral server or some other form of local proxy/caching server, read the fact sheet in the above linked resources. There are some changes that may be required
- Do any of your staff use the Dropbox client? Unfortunately it’s not compatible with SPA and will stop functioning.
- Get ready. Secure Proxy Authentication is coming.
Users in schools that have already been migrated to eT4L Services will no longer be required to manually authenticate for Internet access on managed Windows PCs (any computer built using the eT4L F12 function).
Logging onto Windows on a managed computer will automatically and securely apply your Windows credentials for browsing the Internet in any browser. Users will still need to sign in to access the Portal.
An “unmanaged” device is any computer, laptop, tablet or other mobile device in a school that can be used to access the Internet via the school’s network. This includes Apple Macs, iPads, Android devices, Chromebooks, BYODs (including Windows) as well as any school-owned Windows devices that have not been built using the eT4L F12 function.
Unmanaged devices will need to manually authenticate to the Secure Proxy to access Internet services.
The device’s browser should preferably be set to point to the new FIB PAC file for proxy – http://pac.det.nsw.edu.au/fib/proxy.pac or configured for automatic proxy.
If the device can only accept a manual proxy, set it to proxy.det.nsw.edu.au on port 8080. A custom popup for proxy authentication will appear and users must append @detnsw to their user ID.