Educause Security Discussion mailing list archives

Re: EZproxy installation and firewall configuration


From: Matthew Keller <kellermg () POTSDAM EDU>
Date: Fri, 10 Dec 2004 13:12:41 -0500

Actually, the number of ports is proportional to the number of
databases/sites that you are proxying, not simultaneous users.

On Fri, 2004-12-10 at 09:06 -0500, William C. Moore II wrote:
Also, the number of ports required above 2048 is directly proportional to
the number of simultaneous users.  I would suggest that the Library Director
or the systems librarian give you a "ballpark" figure for the number of
simultaneous users they foresee as a baseline to "grow from".

If they are just "proxying" the offsite vendors, the user number may be
relatively small.  If they are planning to proxy their entire OPAC (which I
personally do not suggest) for management purposes, the number will increase
dramatically and may cause other management problems.

If you can convince the library to run EZProxy on a dedicated box (does not
require many resources if run on a Linux box) you may want to advocate
placing the box in the DMZ.  Other than the log files that are generated
which the library may want for statistics, EZProxy will not generate files
and theoretically could be run from a preconfigured bootable CD.  The
configuration files typically do not change that often (only when new
vendors are added), but you will probably apply changes numerous times
during the initial setup period while you and the librarians "experiment".

From a Library's perspective, EZProxy is very beneficial due to their "off
site e-resources and the accompanying contracts".  Also, it is cheap and
easy to manage.  From a Security perspective, consider the above and below.
Don't just open ports 2048 and above in the firewall; but maybe just to THAT
host.

My 2 cents worth.




William C. Moore II, CISSP, MLIS
Chief Information Security Officer
Information Technology
Valdosta State University
Valdosta, GA 31698
Phone:(229)333-5974
Fax:  (229)245-4349



***********************************************************************
The information transmitted is intended only for the person addressed.
Any unauthorized review, distribution or other use of or the taking of
any action in reliance upon this information is prohibited. If you
received this message in error, please contact the sender and delete or
destroy this message and any copies.
***********************************************************************

-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Matthew Keller
Sent: Thursday, December 09, 2004 9:23 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] EZproxy installation and firewall configuration

We've used EZproxy for years now. If your firewall admins and/or your
firewall software are flexible people/software, you can just open up
those ports to JUST the EZproxy server, and not to your whole network.
Additionally there is a "proxy by name" mechanism in EZproxy
(http://usefulutilities.com/support/cfg/proxybyhostname.html) that
allows you to use one port (even port 80, if you'd like), and a special
wildcard DNS configuration. Your DNS admins will likely wig out when
they see it because it FEELS dirty, but it really is safe if you sit
down and logically lay it out. I'm happy to talk to your firewall and/or
DNS admins off-list if they have technical questions.



On Thu, 2004-12-09 at 14:56 -0500, Barros, Jacob wrote:
Our library has asked us to implement EZproxy for off-campus access to
reserved databases.  I noticed from the Useful Utilities website that it
seems like everyone is using it and I know you all have firewalls so...

I'm reading through the setup instructions and am a bit uncomfortable
with the way they ask to set this up, i.e. open port 2048 and higher on
the firewall. Can anyone offer a sample of their configs,  point me to a
best practices document or just give me some reassurance?

Jake Barros

**********
Participation and subscription information for this EDUCAUSE Discussion
Group discussion list can be found at http://www.educause.edu/groups/.
--
Matthew Keller
signat-url: http://mattwork.potsdam.edu/signat-url/
"No one ever says, 'I can't read that ASCII E-mail you sent me.'"

--
Matthew Keller
signat-url: http://mattwork.potsdam.edu/signat-url/
"No one ever says, 'I can't read that ASCII E-mail you sent me.'"
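To make the two points of the thread concrete (the number of proxy-by-port ports grows with the number of proxied sites, not users, and the firewall opening should be scoped to the EZproxy host alone), here is a small added Python script; it is not code from the thread or from EZproxy, it assumes a simplified one-port-per-hostname model starting at the login port, and the config lines, hostnames and IP address in it are constructed.

```python
"""Estimate how many firewall ports an EZproxy proxy-by-port setup needs.

Assumption, not stated on the page: EZproxy listens on one login port
(2048 by default) and hands out one further TCP port per distinct proxied
hostname, counting upward from it.  User count plays no part.
"""
from urllib.parse import urlsplit

# Constructed sample config.txt; vendor hostnames are made up.
SAMPLE_CONFIG = """\
Title Example Journals
URL http://journals.example-vendor.com/
Domain example-vendor.com
Host search.example-vendor.com
Title Example Abstracts
URL -Refresh https://www.abstracts-example.org/login
HJ www.abstracts-example.org
Title Library Catalog (OPAC)
URL http://opac.library.example.edu/
"""

HOST_KEYS = {"host", "hostjavascript", "h", "hj"}
DOMAIN_KEYS = {"domain", "domainjavascript", "d", "dj"}

def proxied_hostnames(config_text):
    """Distinct hostnames that each consume a proxy port (a lower bound:
    a Domain line also covers every subdomain met at run time)."""
    hosts = set()
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        key, value = key.lower(), value.strip()
        if key in ("url", "u") and value:
            hosts.add(urlsplit(value.split()[-1]).hostname)  # skip -Refresh etc.
        elif key in HOST_KEYS | DOMAIN_KEYS and value:
            hosts.add(value.split()[-1].lower())
    return sorted(h for h in hosts if h)

def port_range(config_text, login_port=2048):
    """Inclusive (first, last) TCP port range the firewall must pass."""
    return login_port, login_port + len(proxied_hostnames(config_text))

def firewall_rule(ezproxy_ip, config_text, proxy_by_hostname=False):
    """One iptables rule scoped to the EZproxy host only, never to the
    whole network.  Proxy-by-hostname collapses the range to one port."""
    lo, hi = port_range(config_text)
    dport = str(lo) if proxy_by_hostname else f"{lo}:{hi}"
    return (f"iptables -A FORWARD -p tcp -d {ezproxy_ip} --dport {dport} "
            "-m conntrack --ctstate NEW -j ACCEPT")

if __name__ == "__main__":
    print(proxied_hostnames(SAMPLE_CONFIG))
    print(firewall_rule("192.0.2.10", SAMPLE_CONFIG))
    print(firewall_rule("192.0.2.10", SAMPLE_CONFIG, proxy_by_hostname=True))
```

Adding a vendor adds a port; adding a thousand users adds none, which is the correction made at the top of the thread.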
