Educause Security Discussion mailing list archives
Re: EZproxy installation and firewall configuration
From: Matthew Keller <kellermg () POTSDAM EDU>
Date: Fri, 10 Dec 2004 13:12:41 -0500
Actually, the number of ports is proportional to the number of databases/sites that you are proxying, not simultaneous users.

On Fri, 2004-12-10 at 09:06 -0500, William C. Moore II wrote:

> Also, the number of ports required above 2048 is directly proportional to the number of simultaneous users. I would suggest that the Library Director or the systems librarian give you a "ballpark" figure for the number of simultaneous users they foresee as a baseline to "grow from". If they are just "proxying" the offsite vendors, the user number may be relatively small. If they are planning to proxy their entire OPAC (which I personally do not suggest) for management purposes, the number will increase dramatically and may cause other management problems.
>
> If you can convince the library to run EZProxy on a dedicated box (does not require many resources if run on a Linux box) you may want to advocate placing the box in the DMZ. Other than the log files that are generated which the library may want for statistics, EZProxy will not generate files and theoretically could be run from a preconfigured bootable CD. The configuration files typically do not change that often (only when new vendors are added), but you will probably apply changes numerous times during the initial setup period while you and the librarians "experiment".
>
> From a Library's perspective, EZProxy is very beneficial due to their "off site e-resources and the accompanying contracts". Also, it is cheap and easy to manage. From a Security perspective, consider the above and below. Don't just open ports 2048 and above in the firewall, but maybe just to THAT host.
>
> My 2 cents worth.
>
> William C. Moore II, CISSP, MLIS
> Chief Information Security Officer
> Information Technology
> Valdosta State University
> Valdosta, GA 31698
> Phone: (229)333-5974
> Fax: (229)245-4349
>
> -----Original Message-----
> From: The EDUCAUSE Security Discussion Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Matthew Keller
> Sent: Thursday, December 09, 2004 9:23 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] EZproxy installation and firewall configuration
>
> We've used EZproxy for years now. If your firewall admins and/or your firewall software are flexible people/software, you can just open up those ports to JUST the EZproxy server, and not to your whole network.
>
> Additionally there is a "proxy by name" mechanism in EZproxy (http://usefulutilities.com/support/cfg/proxybyhostname.html) that allows you to use one port (even port 80, if you'd like), and a special wildcard DNS configuration. Your DNS admins will likely wig out when they see it because it FEELS dirty, but it really is safe if you sit down and logically lay it out.
>
> I'm happy to talk to your firewall and/or DNS admins off-list if they have technical questions.
>
> On Thu, 2004-12-09 at 14:56 -0500, Barros, Jacob wrote:
>
> > Our library has asked us to implement EZproxy for off-campus access to reserved databases. I noticed from the Useful Utilities website that it seems like everyone is using it and I know you all have firewalls so... I'm reading through the setup instructions and am a bit uncomfortable with the way they ask to set this up, i.e. open port 2048 and higher on the firewall. Can anyone offer a sample of their configs, point me to a best practices document or just give me some reassurance?
> >
> > Jake Barros
> >
> > ********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/groups/.
>
> --
> Matthew Keller
> signat-url: http://mattwork.potsdam.edu/signat-url/
> "No one ever says, 'I can't read that ASCII E-mail you sent me.'"

--
Matthew Keller
signat-url: http://mattwork.potsdam.edu/signat-url/
"No one ever says, 'I can't read that ASCII E-mail you sent me.'"
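The two firewall approaches the thread describes, side by side, as an added example that is not from any of the posters: the literal "open 2048 and above" rule left commented out, the same range restricted to the proxy host only, and the single-port proxy-by-hostname alternative. Written in nftables syntax; 192.0.2.10 (the EZproxy server), 198.51.100.0/24 (the campus network) and ezproxy.example.edu are placeholders.

```nftables
# Added example: border firewall rules for an EZproxy host.
# Placeholders: 192.0.2.10 is the EZproxy server, 198.51.100.0/24 is
# the campus network it sits in. Adjust to local addressing.
table inet border {
    chain forward {
        type filter hook forward priority 0; policy drop;

        ct state established,related accept

        # The vendor instructions taken literally: every campus host
        # reachable from outside on 2048 and above. Too broad; kept
        # here only for comparison.
        # ip daddr 198.51.100.0/24 tcp dport 2048-65535 accept

        # Port-per-database mode: open the high ports, but only to the
        # EZproxy server itself. The ports EZproxy actually binds grow
        # with the number of proxied databases, so the range can be
        # narrowed further once the config.txt settles down.
        ip daddr 192.0.2.10 tcp dport 2048-65535 accept

        # Proxy-by-hostname mode: a single port. Needs a wildcard DNS
        # record such as   *.ezproxy.example.edu. IN A 192.0.2.10
        # so each database gets its own hostname rather than its own port.
        ip daddr 192.0.2.10 tcp dport 80 accept

        # Log what the policy drops toward the proxy host, so a newly
        # added vendor entry that needs a port is visible in the logs
        # instead of failing silently.
        ip daddr 192.0.2.10 counter log prefix "ezproxy-drop "
    }
}
```

Only one of the two accept rules for 192.0.2.10 is needed in practice; keep the high-port rule while running in port mode and drop it once proxy-by-hostname is in place.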