[Eril-l] Asking patrons to login to electronic resources both on and off campus

Theresa Borchert borchert at cord.edu
Tue Sep 13 12:14:37 PDT 2016


A number of years ago our IP provider for the dorms kept changing IPs without notifying the library. So we chose to have campus dorms use our proxy IP access which required a login. We send our campus IP range and dorm proxy IP to our vendors. This allows all of our students access and is very convenient with student mobile devices and access. We also set aside a number of computers with static IPs to ExcludeIP in our proxy configuration file so they act like off-campus so they will require a login. This allows our eReserve staff to easily create proxy URLs; our reference staff to 'see' an access issue for a student working off-campus/dorms and for me to check off-campus access issues from my office on campus.

Hmmm.... If login is always required for access, maybe... a big data project could track student usage and analyze data gathered against student class enrollment, major...  

Theresa Borchert, Librarian
Concordia College
Moorhead, MN 56562
1-218-299-3235

-----Original Message-----
From: Eril-l [mailto:eril-l-bounces at lists.eril-l.org] On Behalf Of Lynda Howell
Sent: Tuesday, September 13, 2016 1:51 PM
To: Eril-l at lists.eril-l.org
Subject: Re: [Eril-l] Asking patrons to login to electronic resources both on and off campus

In EZProxy, proxying on-campus users and requiring on-campus users to log in are two different things.  If you use the AutoLoginIP directive with your full campus IP range in EZProxy and just give the proxy server's IP to the vendor, anyone sitting at any of your campus computers will be routed through EZProxy, but they will never see the login screen.  I would check with your IT people to see what it is they're trying to do.  Is it an issue of the logistics of keeping IP ranges up to date with vendors?  Or is it an issue of preventing unaffiliated users from accessing library resources from campus computers?  If it's the former, AutoLoginIP may address their concern with less disruption to your patrons.  If it's the latter, it won't.

The benefit of AutoLoginIP over actually making people log in is that it's much less of a hassle for patrons.  The "drawback" is that anyone on a campus computer can access library resources (if your IT people consider that a problem).

The drawback to AutoLoginIP over giving vendors your full range is what you and Monica pointed out -- putting all your eggs in one basket.  The benefit (and I think it's a big one) is that it makes on-campus users see the same URLs as off-campus users: no more frustrated instructors who tested all the links before sending out the syllabus, and didn't realize that they wouldn't work from off campus without manually adding the proxy prefix.  

Lynda.

------------------------------
Lynda Howell
Dana Medical Library
University of Vermont
lynda.howell at uvm.edu
(802) 656-8863
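
Added example, not part of the original messages and not code from any poster or from EZProxy itself: a small Python helper for the proxy-prefix problem mentioned above (eReserve staff creating proxy URLs, and syllabus links that fail off campus without the prefix). The proxy hostname, the licensed-domain list and the sample links are constructed placeholders; the `login?url=` starting point form is the standard EZProxy one.

```python
from urllib.parse import urlsplit

# Assumed values for illustration only (not from the thread).
PROXY_PREFIX = "https://ezproxy.example.edu/login?url="
LICENSED_DOMAINS = {"journals.example.com", "ebooks.example.org"}


def is_licensed(host: str) -> bool:
    """True if host is a licensed domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    # Match on a label boundary so look-alike hosts such as
    # journals.example.com.evil.test are not treated as licensed.
    return any(host == d or host.endswith("." + d) for d in LICENSED_DOMAINS)


def to_proxy_url(link: str) -> str:
    """Return the link with the proxy prefix if it targets a licensed resource."""
    link = link.strip()
    if link.startswith(PROXY_PREFIX):
        return link  # already a starting point URL; never prefix twice
    parts = urlsplit(link)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return link  # mailto:, relative paths and similar are left alone
    if not is_licensed(parts.hostname):
        return link  # open-web links do not go through the proxy
    return PROXY_PREFIX + link


def rewrite_links(links):
    """Rewrite a list of syllabus links; returns a new list in the same order."""
    return [to_proxy_url(link) for link in links]


# Constructed sample input.
SAMPLE_LINKS = [
    "https://www.journals.example.com/article/1?id=5",
    PROXY_PREFIX + "https://ebooks.example.org/book/9",
    "https://journals.example.com.evil.test/article/1",
    "https://en.wikipedia.org/wiki/Proxy_server",
    "mailto:instructor@example.edu",
]

if __name__ == "__main__":
    for before, after in zip(SAMPLE_LINKS, rewrite_links(SAMPLE_LINKS)):
        print(("changed  " if before != after else "unchanged"), after)
```
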



> -----Original Message-----
> From: Eril-l [mailto:eril-l-bounces at lists.eril-l.org] On Behalf Of 
> Ihli, Monica Inez (Monica)
> Sent: Tuesday, September 13, 2016 1:05 PM
> To: May.Yan <may.yan at ryerson.ca>; Eril-l at lists.eril-l.org
> Subject: Re: [Eril-l] Asking patrons to login to electronic resources 
> both on and off campus
> 
> For the record, University of Tennessee does not require on-campus 
> proxy authentication, as we strive to keep our library as open and 
> accessible as possible. However, as a proxy admin, I can understand 
> some of the arguments in favor of doing so. The biggest advantage I 
> can think of would be to not have to depend on the campus's central IT 
> department to intervene in cases where excessive downloading is coming from the on-campus network.
> It is far less common than, say, an account getting hacked and used 
> from a foreign IP. But it does happen. In those situations, my only 
> recourse is to pass off the vendor logs and try to convince the 
> central IT authority to treat it as a priority, because I don't have 
> access to the campus network logs. I also don't have the authority to shut off that person's network ID.
> 
> Granted, the scope of impact when a single person's machine IP address 
> gets blocked by a vendor is far less serious than when the proxy 
> server IP gets shut down in this scenario. If the proxy gets blocked, 
> ALL off-campus users are shut down from that resource. At the same 
> time, it makes the library look bad when a vendor repeatedly blocks an 
> IP from our network because we can't act with the same speed as we can 
> when the offender is going through the proxy.
> 
> I think your concerns about what happens when a vendor blocks the 
> proxy are quite valid, but then again we always treat the loss of 
> access for any segment of our patron community as a high priority 
> problem. The technical matters with making sure that server can handle 
> the traffic should be a more straight-forward problem of making sure 
> that the server has adequate resources to handle the load. That is something the admin can take care of.
> 
> Monica Ihli, M.S.
> ORCID: 0000-0001-6907-6167
> Enterprise Systems
> Hodges Library, University of Tennessee United States of America 
> Office Phone: 1+ 865.974.2885
> Email: mihli1 at utk.edu
> 
> 
> -----Original Message-----
> From: Eril-l [mailto:eril-l-bounces at lists.eril-l.org] On Behalf Of 
> May.Yan
> Sent: Tuesday, September 13, 2016 11:56 AM
> To: Eril-l at lists.eril-l.org
> Subject: [Eril-l] Asking patrons to login to electronic resources both 
> on and off campus
> 
> Our library has been approached by university IT security to start 
> requiring patrons to login to all of our electronic resources both on 
> and off campus. I'd like to learn from schools that require login to 
> resources on and off campus how your systems are configured?
> 
> Currently we have IP authentication set up with all of our vendors, and 
> patrons are only asked to login to resources when they are off campus 
> where their sessions are routed via our ezproxy servers after being 
> authenticated by our CAS system.
> 
> University IT security has proposed that we reduce our IP ranges with 
> vendors and make everyone go through the proxy server for all resources.
> However, I'm very uncomfortable with this option because that one 
> server becomes a bottleneck. What happens when a vendor blocks our proxy 
> server due to possible violations investigations? We stand to lose all 
> access to the
> resource(s) during any investigation period. What happens when there's 
> a hardware problem and we need to make a server swap and the IP changes?
> It's a scary thought to ask all our vendors to update an IP quickly. 
> I'm hoping there are other (better) options out there?
> 
> I'd appreciate any help, and will consolidate responses to share with 
> the group.
> 
> Thank you
> 
> May
> 
> --
> 
> May Yan | may.yan at ryerson.ca | 416.979.5000.4947 | @mayyan ER 
> Discovery & Access Librarian | Strategic Systems Project Lead
> 
> _______________________________________________
> Eril-l mailing list
> Eril-l at lists.eril-l.org
> http://lists.eril-l.org/listinfo.cgi/eril-l-eril-l.org