Educause Security Discussion mailing list archives
Re: Remote Access for Library Resources Alternatives
From: Geoff_LeBoldus <Geoff_LeBoldus () CARLETON CA>
Date: Tue, 23 Jun 2009 12:02:29 -0400
We use EZProxy here. I'll weigh in and say I don't actually like EZProxy, though it does work well enough. I ran it, Squid and SSL VPNs at another university. Here are my thoughts, hold the flames.

EZProxy is cheap and easy. It also supports a wide variety of authentication methods. You can load balance it to get redundancy.

The bad news is the configuration requires all proxied sites to be in the configuration file. You can use a wildcard, but that was unsupported. Some sites will still need their own config section to work properly. Our Library couldn't provide us with a list of sites, in the thousands, and it wasn't a static list. We also didn't know which departmental sites had sections that required proxying and they weren't saying.

There was also the port mode issue. The normal operation config uses non-standard ports, which will likely be filtered for many clients. To avoid this issue, you'll want to use 'proxy by hostname' mode, which requires a one-time DNS change. Pay attention to MaxVirtualHosts if you use proxy by hostname and a wildcard. If you want to use SSL, you'll need a special wildcard certificate for hostname mode (i.e., *.proxy.uni.edu).

What I liked about SSL VPNs (Nortel, Juniper, and Cisco) was there was no configuration for proxied sites. You set it up and walked away. SSL VPNs use a standard certificate. SSL VPNs have limited choices for authentication methods, but I'm fairly certain most places have RADIUS, LDAP or AD available. SSL VPNs are likely already on existing network hardware and it's not a stretch to enable this service. If you're buying them outright for the Library, they're very expensive compared with EZProxy. You're better off piggy-backing an SSL proxy with a traditional VPN or firewall upgrade.

For a new purchase, it's going to come down to money and EZProxy will likely win. I ran it in 'proxy by hostname' with a wildcard configuration, but I disliked being mostly unsupported. Chris Zagar was excellent, but he really wasn't keen on wildcards.

Geoff LeBoldus
Sr. IT Security Analyst
Carleton University