Educause Security Discussion mailing list archives

Re: Remote Access for Library Resources Alternatives


From: Geoff_LeBoldus <Geoff_LeBoldus () CARLETON CA>
Date: Tue, 23 Jun 2009 12:02:29 -0400

We use EZProxy here.

I'll weigh in and say I don't actually like EZProxy, though it does work
well enough. I ran it, Squid and SSL VPNs at another university. Here
are my thoughts, hold the flames.

EZProxy is cheap and easy. It also supports a wide variety of
authentication methods. You can load balance it to get redundancy.

The bad news is the configuration requires all proxied sites to be in
the configuration file. You can use a wildcard, but that was
unsupported. Some sites will still need their own config section to work
properly. Our Library couldn't provide us with a list of sites, in the
thousands, and it wasn't a static list. We also didn't know which
departmental sites had sections that required proxying and they weren't
saying.

There was also the port mode issue. The normal operation config uses
non-standard ports, which will likely be filtered for many clients. To
avoid this issue, you'll want to use 'proxy by hostname' mode, which
requires a one-time DNS change. Pay attention to MaxVirtualHosts, if you
use proxy by hostname and a wildcard. If you want to use SSL, you'll
need a special wildcard certificate for hostname mode (i.e.
*.proxy.uni.edu).

What I liked about SSL VPNs (Nortel, Juniper, and Cisco) was there was
no configuration for proxied sites. You set it up and walked away. SSL
VPNs use a standard certificate. SSL VPNs have limited choices for
authentication methods, but I'm fairly certain most places have RADIUS,
LDAP or AD available.

SSL VPNs are likely already on existing network hardware and it's not a
stretch to enable this service. If you're buying them outright for the
Library, they're very expensive compared with EZProxy. You're better off
piggy-backing an SSL proxy with a traditional VPN or firewall upgrade.


For a new purchase, it's going to come down to money and EZProxy will
likely win. I ran it in 'proxy by hostname' with a wildcard
configuration, but I disliked being mostly unsupported. Chris Zagar was
excellent, but he really wasn't keen on wildcards.


Geoff LeBoldus
Sr. IT Security Analyst
Carleton University
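A worked check of the wildcard-certificate caveat raised above, added here as an example; it is not part of Geoff's message or of EZProxy. A certificate for *.proxy.uni.edu matches exactly one DNS label, so a proxy-by-hostname name that keeps the origin's dots (www.example.com.proxy.uni.edu) is not covered, while a name with the dots rewritten to dashes (www-example-com.proxy.uni.edu) is. The proxy domain, the origin hostnames and the dot-to-dash rewrite are assumptions used for illustration; confirm the rewritten form your own proxy hands out before ordering a certificate.

```python
"""Which proxy-by-hostname names does a wildcard certificate cover?

Added example (not from the original post). The proxy domain
proxy.uni.edu and the origin hostnames below are constructed.
"""


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style match: '*' may stand for exactly one DNS label,
    only as the whole leftmost label, and never spans a dot."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[1:]:
        return False  # wildcard must be the entire leftmost label
    if len(p_labels) != len(h_labels):
        return False  # one label only, so label counts must agree
    return p_labels[1:] == h_labels[1:]


def proxied_hostname(origin: str, proxy_domain: str, dashes: bool) -> str:
    """Build the rewritten hostname a hostname-mode proxy hands out.

    dashes=False keeps the origin's dots (www.example.com.proxy.uni.edu);
    dashes=True replaces them (www-example-com.proxy.uni.edu). Whether a
    given proxy does the dash rewrite is an assumption of this example.
    """
    host = origin.replace(".", "-") if dashes else origin
    return f"{host}.{proxy_domain}"


def coverage(cert_pattern: str, proxy_domain: str, origins, dashes: bool):
    """Map each origin to whether its rewritten name is covered by the cert."""
    return {
        origin: wildcard_matches(
            cert_pattern, proxied_hostname(origin, proxy_domain, dashes)
        )
        for origin in origins
    }


if __name__ == "__main__":
    # Constructed sample: a few origins a library might proxy.
    origins = ["www.example.com", "search.journals.example.org", "example.net"]
    for dashes in (False, True):
        print(f"dot-to-dash rewrite: {dashes}")
        for origin, ok in coverage("*.proxy.uni.edu", "proxy.uni.edu",
                                   origins, dashes).items():
            name = proxied_hostname(origin, "proxy.uni.edu", dashes)
            print(f"  {name:45} {'covered' if ok else 'NOT covered'}")
```

Run it and compare the two tables: with dots kept, every origin with two or more labels fails, which is the "special" certificate problem the post alludes to; with the dash rewrite, one single-label wildcard covers everything under proxy.uni.edu. The bare proxy host itself (proxy.uni.edu) is not matched by *.proxy.uni.edu either, so the login host needs its own name on the certificate.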
