[WEB4LIB] Off-site access to IP restricted resources

Christopher Stewart stewart at charlie.cns.iit.edu
Mon Mar 22 23:21:24 EST 1999


We use MS Proxy Server 2.0 for off-campus access to 23 IP-restricted databases
(http://www.gl.iit.edu/database/database.htm). It works well so long as the database
vendors are using relative path URLs, which most are. Scripts on our web server can detect
non-IIT-domain IP addresses and prompt the user with instructions on how to set their
browser for Proxy access.

The rest is as much an administrative issue as a technical one. Schools using advanced
authentication systems such as Kerberos generally have integrated, campus-wide
administrative systems in which users have a standardized net ID such as a PIN, which
gives users gateway access to various services on the network. At IIT, not all users
have Kerberos IDs (only those who have PPP accounts), and the registrar does not
support them. Legacy systems still abound at many schools, and integration is often the
exception rather than the rule.

What this means is that user accounts can be a pain. We support 5000 users, and
accounts must be adjusted every semester according to one's registration status. The
library is not in the business of maintaining this kind of information, of course.
Since our system does not talk to the registrar's, we had a middleware application
written. It takes a delimited text file, delivered by the registrar two times a
semester, and converts the names into Proxy accounts. After that, it's just a matter of
some NT busy work on a technician's part. Users authenticate to the system via their
student IDs.

The most difficult part of the whole process was figuring out how to get the user data
into the Proxy server with the least hassle. Obviously, we were not planning on
creating accounts manually. If this kind of thing is not too great of an issue for
you, I would suggest NT Proxy for its ease of use. It's not as beefy as Kerberos, but
it does the job.

--
Christopher Stewart
Associate Director for Network Services
Paul V. Galvin Library
Illinois Institute of Technology
www.gl.iit.edu

Stacy Pober wrote:

> We would like to set up off-site access for our faculty and students to
> some of our databases that currently restrict access based on IP
> addresses.
>
> I know what I'd like to do.  I'm not sure how to actually set it up.
>
> What I want is for off-campus users to have a separate link on our pages
> for off-site access to a particular database.  This link gets them a page
> where they enter their library barcode.  The barcode number is checked
> by a program, and if it's valid, they are sent (presumably via a pass-through
> proxy server setup) to the database.
>
> I've looked at the Pass-Through Proxying article on the Scholarly
> Technologies Group site:
>
> http://www.stg.brown.edu/pub/proxydoc/Proxy.tr98.1.shtml
>
> but it discusses using Kerberos for authentication, and that seems like
> it's designed for full network access and may simply be overkill in
> our situation.  I think a much less complicated program can probably
> handle the login-via-barcode part of the system, since network
> security is not an issue.
>
> And I don't know if we have the technical expertise available to us
> to implement that setup locally in any case.
>
> The other choice would be a normal proxy server with a login module
> to allow for user authentication.  But there can be some bumps along
> that road, as well.  In the article cited above, the author notes:
>
> >It turns out that some proxy servers can be outfitted with specially secured
> >authentication packages, but in fact doing this requires special client software
> >and/or plug-ins to work. This is a problem, because it creates a need for a lot of
> >additional client-side support. And it ultimately reduces the accessibility of the
> >proxy.
>
> I really don't want to re-invent the wheel.  And frankly, since I'm the one
> who would be setting up and maintaining the system, and I'm not a
> programmer by trade, I'm looking for something relatively simple and
> if not outright easy, at least not horrendously hard to learn.
>
> If you have a solution that you're happy with and willing to share, please
> send it along.
>
> Advance thanks,
> //\\//\\//\\//\\//\\//\\//\\//\\//\\//\\//\\//\\//\\//\\//\\//\\
> Stacy Pober                   mailto: spober at manhattan.edu
> Information Alchemist         http://www.manhattan.edu/library/
> Manhattan College Libraries   Voice: 718-862-7166
> Riverdale, NY 10471           Fax:   718-862-7995
> //\\//\\//\\//\\//\\//\\//\\//\\//\\//\\//\\//\\//\\//\\//\\//\\
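
The reply above describes middleware that turns a delimited registrar file into proxy accounts, with accounts adjusted each semester by registration status. The sketch below is an added example, not the IIT application and not part of either message: it validates such a file and works out which accounts to create and which to disable. The pipe delimiter, column order, 7-digit ID format and status values are assumptions, and the sample rows are constructed.

```python
import csv
import io

# Constructed sample of a registrar export. The pipe delimiter and the
# column order (student_id|last|first|status) are assumptions.
SAMPLE_EXPORT = """\
1000123|Nguyen|Anh|ENROLLED
1000456|Okafor|Chidi|WITHDRAWN
1000789|Silva|Marta|ENROLLED
10007X9|Broken|Row|ENROLLED
1000123|Nguyen|Anh|ENROLLED
short|row
"""

ACTIVE_STATUSES = {"ENROLLED"}  # assumed status vocabulary


def parse_export(text, delimiter="|"):
    """Return ({student_id: name} for active students, [(line, reason)] rejects)."""
    active, rejected, seen = {}, [], set()
    for lineno, row in enumerate(csv.reader(io.StringIO(text), delimiter=delimiter), 1):
        if not row:
            continue  # skip blank lines
        if len(row) != 4:
            rejected.append((lineno, "wrong field count"))
            continue
        sid, last, first, status = (field.strip() for field in row)
        if not (sid.isascii() and sid.isdigit() and len(sid) == 7):
            rejected.append((lineno, "malformed student ID"))
        elif sid in seen:
            rejected.append((lineno, "duplicate student ID"))
        else:
            seen.add(sid)
            if status.upper() in ACTIVE_STATUSES:
                active[sid] = f"{first} {last}"
    return active, rejected


def reconcile(active, existing_accounts):
    """Compare the export with current proxy accounts; return (create, disable)."""
    existing = set(existing_accounts)
    create = sorted(set(active) - existing)
    # Accounts absent from the active list lose off-site access.
    disable = sorted(existing - set(active))
    return create, disable


if __name__ == "__main__":
    active, rejected = parse_export(SAMPLE_EXPORT)
    print(reconcile(active, {"1000456", "1000789", "1000999"}), rejected)
```

Rejected rows are reported with their line numbers rather than silently dropped, so a technician can review them before any account changes are applied.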