[Eril-l] Asking patrons to login to electronic resources both on and off campus

Lynda Howell Lynda.Howell at uvm.edu
Tue Sep 13 11:51:10 PDT 2016


In EZProxy, proxying on-campus users and requiring on-campus users to log in are two different things.  If you use the AutoLoginIP directive with your full campus IP range in EZProxy and just give the proxy server's IP to the vendor, anyone sitting at any of your campus computers will be routed through EZProxy, but they will never see the login screen.  I would check with your IT people to see what it is they're trying to do.  Is it an issue of the logistics of keeping IP ranges up to date with vendors?  Or is it an issue of preventing unaffiliated users from accessing library resources from campus computers?  If it's the former, AutoLoginIP may address their concern with less disruption to your patrons.  If it's the latter, it won't.

The benefit of AutoLoginIP over actually making people log in is that it's much less of a hassle for patrons.  The "drawback" is that anyone on a campus computer can access library resources (if your IT people consider that a problem).

The drawback to AutoLoginIP over giving vendors your full range is what you and Monica pointed out -- putting all your eggs in one basket.  The benefit (and I think it's a big one) is that it makes on-campus users see the same URLs as off-campus users: no more frustrated instructors who tested all the links before sending out the syllabus, and didn't realize that they wouldn't work from off campus without manually adding the proxy prefix.  

Lynda.

------------------------------
Lynda Howell
Dana Medical Library
University of Vermont
lynda.howell at uvm.edu
(802) 656-8863



> -----Original Message-----
> From: Eril-l [mailto:eril-l-bounces at lists.eril-l.org] On Behalf Of Ihli, Monica
> Inez (Monica)
> Sent: Tuesday, September 13, 2016 1:05 PM
> To: May.Yan <may.yan at ryerson.ca>; Eril-l at lists.eril-l.org
> Subject: Re: [Eril-l] Asking patrons to login to electronic resources both on
> and off campus
> 
> For the record, University of Tennessee does not require on-campus proxy
> authentication, as we strive to keep our library as open and accessible as
> possible. However, as a proxy admin, I can understand some of the
> arguments in favor of doing so. The biggest advantage I can think of would be
> to not have to depend on the campus's central IT department to intervene in
> cases where excessive downloading is coming from the on-campus network.
> It is far less common than, say, an account getting hacked and used from a
> foreign IP. But it does happen. In those situations, my only recourse is to pass
> off the vendor logs and try to convince the central IT authority to treat it as a
> priority, because I don't have access to the campus network logs. I also don't
> have the authority to shut off that person's network ID.
> 
> Granted, the scope of impact when a single person's machine IP address gets
> blocked by a vendor is far less serious than when the proxy server IP gets
> shut down in this scenario. If the proxy gets blocked, ALL off-campus users
> are shut down from that resource. At the same time, it makes the library look
> bad when a vendor repeatedly blocks an IP from our network because we
> can't act with the same speed as we can when the offender is going through
> the proxy.
> 
> I think your concerns about what happens when a vendor blocks the proxy
> are quite valid, but then again we always treat the loss of access for any
> segment of our patron community as a high priority problem. The technical
> matters with making sure that server can handle the traffic should be a more
> straight-forward problem of making sure that the server has adequate
> resources to handle the load. That is something the admin can take care of.
> 
> Monica Ihli, M.S.
> ORCID: 0000-0001-6907-6167
> Enterprise Systems
> Hodges Library, University of Tennessee
> United States of America
> Office Phone: 1+ 865.974.2885
> Email: mihli1 at utk.edu
> 
> 
> -----Original Message-----
> From: Eril-l [mailto:eril-l-bounces at lists.eril-l.org] On Behalf Of May.Yan
> Sent: Tuesday, September 13, 2016 11:56 AM
> To: Eril-l at lists.eril-l.org
> Subject: [Eril-l] Asking patrons to login to electronic resources both on and off
> campus
> 
> Our library has been approached by university IT security to start requiring
> patrons to login to all of our electronic resources both on and off campus. I'd
> like to learn from schools that require login to resources on and off campus
> how your systems are configured?
> 
> Currently we have IP authentication setup with all of our vendors, and
> patrons are only asked to login to resources when they are off campus
> where their sessions are routed via our ezproxy servers after being
> authenticated by our CAS system.
> 
> University IT security has proposed that we reduce our IP ranges with
> vendors and make everyone go through the proxy server for all resources.
> However, I'm very uncomfortable with this option because that one server
> becomes a bottleneck. What happens when a vendor blocks our proxy server
> due to possible violations investigations? We stand to lose all access to the
> resource(s) during any investigation period. What happens when there's a
> hardware problem and we need to make a server swap and the IP changes?
> It's a scary thought to ask all our vendors to update an IP quickly. I'm hoping
> there are other (better) options out there?
> 
> I'd appreciate any help, and will consolidate responses to share with the
> group.
> 
> Thank you
> 
> May
> 
> --
> 
> May Yan | may.yan at ryerson.ca | 416.979.5000.4947 | @mayyan ER
> Discovery & Access Librarian | Strategic Systems Project Lead
> 
> _______________________________________________
> Eril-l mailing list
> Eril-l at lists.eril-l.org
> http://lists.eril-l.org/listinfo.cgi/eril-l-eril-l.org
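
Added example, not part of the original messages and not EZproxy's own code: a small Python model of how a config.txt treats a client address, covering the AutoLoginIP case discussed in the thread plus the related ExcludeIP and IncludeIP directives, which the thread does not name. The address ranges are constructed documentation ranges, and "the last matching directive wins" is an assumption to confirm against OCLC's EZproxy documentation.

```python
import ipaddress

# Constructed config.txt fragment (documentation ranges, not a real campus).
SAMPLE_CONFIG = """\
# Whole campus: routed through the proxy, never shown the login screen
AutoLoginIP 198.51.100.0-198.51.100.255
# Public walk-up machines inside the campus range: must log in
IncludeIP 198.51.100.200-198.51.100.215
"""

# directive -> (login screen shown?, source address the vendor sees)
TREATMENT = {
    "autologinip": (False, "proxy"),
    "includeip": (True, "proxy"),
    "excludeip": (False, "client"),  # not proxied: vendor needs the campus range
}
DEFAULT = (True, "proxy")  # unmatched addresses are proxied and must log in


def parse_rules(config_text):
    """Return (directive, low, high) tuples for the IP directives, in file order."""
    rules = []
    for line in config_text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0].lower() not in TREATMENT:
            continue  # comments, blank lines, unrelated directives
        low, _, high = parts[1].partition("-")
        rules.append((parts[0].lower(),
                      ipaddress.ip_address(low),
                      ipaddress.ip_address(high or low)))
    return rules


def classify(rules, client_ip):
    """Return (login_required, vendor_sees) for one client address."""
    ip = ipaddress.ip_address(client_ip)
    result = DEFAULT
    for directive, low, high in rules:
        if low <= ip <= high:
            result = TREATMENT[directive]  # assumption: last match wins
    return result


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_CONFIG)
    for addr in ("198.51.100.10", "198.51.100.205", "203.0.113.7"):
        login, source = classify(rules, addr)
        print(f"{addr}: login screen={login}, vendor sees {source} address")
```

Running it against a real config.txt and a list of lab, kiosk and guest-network addresses shows which machines reach vendor content without a login, which is the question to settle with IT security before choosing between AutoLoginIP and a forced login.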


