EZproxy Hosted Frequently Asked Questions

Q: What firewall ports would have to be opened to accommodate hosted EZproxy?
A: It mostly depends on how you plan to authenticate. For example, if you want to authenticate to
something like LDAP, you would need to open access so that the hosted server can reach it. You access
your Hosted Server at port 80 or 443.
Q: How will authentication work? Would an EZproxy request ping off of our AD server for
authentication, or would we have to supply a file of usernames/passwords?
A: EZproxy Hosted can authenticate against Active Directory provided that we can access the Active
Directory Server through any firewalls and provided that you can provide us with an encrypted (SSL
or HTTPS) connection to the Active Directory server.
Q: Is it possible to use a Group set-up to create three groups authenticating against three different
existing systems (for instance, Active Directory, or whichever system is authenticated against on
each campus), and have a single configuration file in which databases are assigned to one or more
Groups? If the entries in the config file are at the individual database level, does this allow EZproxy
to vary access between two databases provided by the same vendor?
A: Yes, this is usually possible. We will need to know some more details to answer in more detail. It's
important to note that the entries in the configuration file (including group authentication control)
are granular more to the web site level, not as much to the particular journal/article (i.e., single
journal in a web site of many journals) level. There are some ways to partially mitigate this, but it's
useful to think of the granularity this way.
Q: Currently our EZproxy is set up to work with our campus system (LDAP protocol, I believe). The goal
is for each student to have a single logon for all campus services. Of course, we change our
passwords periodically, not all at the same time. So… would this work with EZproxy being hosted?
If not, can you paint a picture for me of how the hosted situation works?
A: If they are using LDAP as an authentication source, then we can interoperate with it as long as we can
access it through the campus firewall and we can access it via HTTPS.
If we can access LDAP in this way, there will be no problem with users changing passwords at any
time. Since we access LDAP in real time in this scenario, as soon as a password is changed it is active
in the EZproxy hosting environment.
Q: Will EZproxy accept IP addresses for authentication purposes from NON-SCO COLLEGES?
A: Yes
Q: Can we also authenticate from the fixed IPs?
A: You can authenticate from fixed IPs – in other words, allow access based on IP address.
Q: Is there an estimated cost if, after a few years, we decide to move all authentication to referring
URL?
A: Changing to referring URL should not incur an extra cost unless we spend many hours configuring it,
which I don’t believe will be the case. ‘Many’ hours is defined as more than 10.
Q: We are about to have an institutional domain name change. How would your service handle this?
A: In most cases, since databases are authenticated by IP address, there should be no change (assuming
your IP addresses stay the same). In the few cases where referring URLs are used for authentication,
we can make those changes for you. The EZproxy Hosting server is on OCLC’s domain:
<inst name>.idm.oclc.org.
Q: I know the hosted EZproxy supports CAS (Central Authentication Services) system. Do we need to
make any change (e.g. open the firewall) at the CAS site if we move to hosted EZproxy?
A: Yes, the CAS server would need to be available to the EZproxy Hosting server that is in OCLC’s
network.
Q: How can WorldCat Local Metasearch get authenticated if we change to hosted EZproxy?
A: We can authenticate via EZproxy which would use CAS.
Q: Would we be assigned a permanent unique IP address we could share with our online vendors?
A: Yes
Q: How quickly could this remote service be implemented?
A: We give you a commitment date after we meet to discuss and you have filled out your questionnaire.
Q: What interface would I use to connect to hosted EZproxy to modify the config.txt and user.txt files?
A: You do not have any direct access to the configuration. We do that for you. For expert users, we are
planning a fast deploy method for admins to submit changes. Currently you request changes via
email to hostedezp@oclc.org.
Q: Would I be allowed to upload via FTP or another program a user.txt file every day? Could this
upload be scheduled and automated?
A: Yes, this is possible. The first version of this is a web upload (i.e., you log in and upload your file). Then
we move it into the production configuration. This facility is still in development, but we anticipate
having it working in a few weeks. It should be a matter of minutes from upload to deployment in the
production environment.
Q: Lastly, would we be able to set up a test of hosted EZproxy first to confirm that it will work in our
environment before committing to purchase it?
A: We prefer to do something like a 60-day acceptance period, where we define success criteria up
front. We can discuss this on the phone if you like.
Q: How long does it take to configure?
A: Depends on the size of your database. Our EZproxy database is vast and updated regularly, so most of
your databases should be compatible with ours. Just to make sure, we set up a time for a conference
call with you to discuss configuration details and startup date.
Q: How are configuration files updated by customers (institutions) in the hosted service?
We currently maintain a set of files using SVN to capture all of the configuration settings, and we use
SVN's updating process to keep our application servers current. We weren't sure whether this type
of setup would be supported in the hosting service, or whether there were any file-uploading
capabilities.
A: We also will be using SVN internally for this purpose. We will not have, to start, any config file
uploading facilities for the institutions to use. You can send us entire files and, if you desire, we can
send you a copy of the entire environment (from a config perspective) we have, to help you know
what is running in your configuration.
Q: Will there be any way to support automated-script-updated configuration files?
We currently run a script on a daily basis to generate a configuration file for our e-journal/e-book
resources based on our hosted knowledge-base data, and we will need to have a way to continue the
automated process with a hosted proxy service. (Our knowledge-base data is coming from Serials
Solutions.) We would be fine with running the script locally and uploading the resultant file to the
hosted proxy service servers, providing there is a way to automate that process.
A: This may be possible. We will need to discuss this in some more detail. We do have the facility to
upload periodic user/password files.
Q: Will we be able to preserve our current proxy-server hostname? Or does subscribing to the service
also involve a new OCLC-based hostname?
A: There is a new DNS name for the proxy server.
Q: How does this work? Will we still be able to configure the file ourselves?
A: No, the model is that OCLC configuration staff maintains the configuration file for you. You will send
OCLC requests for modification of the configuration. You can either send us an entire config file or
the text to put into it.
Q: Is there going to be a web admin?
A: You will have, upon request, access to the /admin interface of your EZproxy instance.
Q: Will we upload config files?
A: At the start of the service, no. We will be investigating ways to allow experienced admins more
streamlined ways to update their config.
Q: I noticed in the terms & conditions that there is not a bandwidth allocation. Can you give me an
idea of what would be considered “excessive?”
A: Network bandwidth is managed across our server environments. We don’t
anticipate bandwidth problems from normal usage. “Excessive” is when an institution’s consumption
affects other institutions.
Q: What is the cost of configuration time (per hour) beyond the 10 hours provided at start-up? How is
this fee assessed and charged?
A: The 10 hours of configuration time is for initial configuration not for ongoing requests. Ongoing
requests for changes are done without charge unless they will take an excessive amount of time,
where an excessive amount is more than 10 hours. For example, adding a user to a user.txt file (takes a
few minutes) is not charged, but a request to add 100 more resources to the configuration file may
be charged. We will not charge you without discussing with you beforehand.
One way this can be avoided is if you help us research complex config problems. For example, if a
config is not on our supported list but you know what is – you can send it to us and we can use it.
Q: How do we have new e-resources added to our configuration? What else would local
administrators still have to do?
A: You request us to do that. Local administrators do not have modify access to the hosted EZproxy
system. You can, upon request, have admin access, which allows you to view logs.
Q: How does problem reporting work - would patrons be able to report problems directly to OCLC, or
would they report those to local administrators and then we'd troubleshoot and/or forward them
to OCLC?
A: We prefer that patrons continue to contact local contacts and that the local contacts (administrators)
then report to OCLC. If you can initially troubleshoot, that can be very helpful, since sometimes there are
local institution nuances to these types of problems.
Q: Please provide a list of contracted or testing sites we could contact for references.
A: Upon request, we can provide you with some contacts.
Q: If that won't work, what are our most efficient/easily supported local installation options given our
consortium set-up? i.e., If we can't run one instance using Group configurations, can we run three
instances on one server at one campus, or would we have to continue maintaining three instances
(one on each campus)?
A: I believe you will be able to get 1 server for the three institutions to work. However, if for some reason
you can't, you can run 3 copies on one server or three separate instances. It's probably best to run using
virtual machines; in other words, run 3 virtual servers on one physical server.
Q: Let's say we start with the hosted service, and then we decide to host it locally. Would we be able
to get a discount on the software, and how much reconfiguration would we have to do for
"linking." Would we have to rewrite all of our links?
A: If you were to decide to move from hosting to local deployment, we would give you all the
configuration files from the hosting server necessary to configure and run your server. The DNS name
of your locally deployed proxy server will be different from the hosted one, so you would have to
make a pass through your links and substitute the new local name for the previously used, hosted
name.
Q: Will EZproxy hosted run on server 2008 R2?
A: Yes, EZproxy will run on Windows 2008 R2.
Q: What is “excessive” bandwidth? Is there a number? Also, are there breakpoints on the number of
users? And is the number of users based on individuals or number of simultaneous users?
A: Regarding ‘excessive’ we don’t have a number. We monitor in order to protect delivery of services
across all of our network services and users. We will take reasonable measures to protect our
services and users against service outages which can be caused by a large variety and constantly
changing set of events.
Q: Will EZproxy accept IP addresses for authentication purposes from NON-SCO COLLEGES?
A: Yes.
Q: Can you RESTRICT the access of users coming from these external IP addresses to Millennium only
(so that they do not have access to other databases available exclusively to SCO patrons, such as,
etc.)?
A: Yes.
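A simplified Python model of the access pattern in the two answers above, combined with the earlier answer on Group granularity. It is an added example, not EZproxy code or OCLC configuration. The group names, hosts and IP ranges are constructed for illustration. It shows that the decision is made per web-site host, so two journals on the same host cannot be told apart, while an external IP range can still be limited to a single site.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample policy: hypothetical group names, documentation IP ranges.
NETWORK_GROUPS = [
    (ipaddress.ip_network("192.0.2.0/24"), {"Consortium"}),   # member campus
    (ipaddress.ip_network("198.51.100.0/24"), {"External"}),  # non-member college
]

# Resources are keyed by web-site host, the granularity the answers describe.
RESOURCE_GROUPS = {
    "catalog.example.edu": {"Consortium", "External"},  # stands in for the catalogue
    "journals.vendor.example": {"Consortium"},          # members-only database
}


def groups_for_ip(addr):
    """Return the union of groups of every configured network containing addr."""
    ip = ipaddress.ip_address(addr)
    groups = set()
    for network, assigned in NETWORK_GROUPS:
        if ip in network:
            groups |= assigned
    return groups


def may_access(addr, url):
    """Allow only when the client's groups intersect the groups of the URL's host.

    The path is deliberately ignored: access is decided per site, not per
    journal. Unknown hosts and unknown addresses are denied by default.
    """
    host = (urlsplit(url).hostname or "").lower()
    allowed = RESOURCE_GROUPS.get(host)
    if allowed is None:
        return False
    return bool(groups_for_ip(addr) & allowed)


if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.7", "203.0.113.5"):
        for url in ("https://catalog.example.edu/search",
                    "https://journals.vendor.example/journal-a/"):
            print(ip, url, may_access(ip, url))
```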
Q: We are about to have an institutional domain name change. How would your service handle this?
A: In most cases, since databases are authenticated by IP address, there should be no change (assuming
your IP addresses stay the same). In the few cases where referring URLs are used for authentication,
we can make those changes for you. The EZproxy Hosting server is on OCLC’s domain:
<inst name>.idm.oclc.org.
Q: Would it cost extra to reconfigure the resources to the new domain name?
A: No.
Q: When we add or remove databases, is the process of configuration done on your end?
A: Yes
Q: What is the time frame for changes we might require?
A: Our goal is 24-hour turnaround. It does depend on the quantity and complexity of the changes.
Q: We have a complex system in place (WAM proxy) with many database records. We need to know if
the two systems can be run simultaneously as we change our records to the new proxy URL. We
would want to experience as little “downtime” to our database searching as possible.
A: Regarding WAM, you can run them in parallel as you set up the new server. You would register an
additional IP address for the new EZproxy Hosting server with your vendors and then cutover when
the configuration is done and you are ready. There may be some vendors that require referring URLs
that can’t be run in parallel.
Q: With regard to the SSL certificate that you provide with this service: I assume that the certificate
you supply does not reside on our server but on one at OCLC, is that correct? Our server requires
an SSL certificate, so I am assuming we still need to provide our own as well, correct?
A: We supply the SSL certificate for the EZproxy Hosting server. Any other certificates will be supplied by
you.
Q: As you know, we are using WMS, WorldCat Local, and Worldcat Link Manager. Our patrons will use
single login to access their library account and library resources. Will EZproxy patron records come
from WMS? Currently WMS has our Pepperdine user names. But it doesn’t have our passwords.
Will we use CAS or WMS system to authenticate us? Do you know the timeline for the single login?
A: EZproxy supports authenticating straight to CAS – EZproxy only needs to authenticate – it doesn’t
need any patron information. We can test the configuration but once WMS authenticates to CAS
also, there should be single sign-on.
Q: Can DNS names be changed at any time?
A: Yes.
Q: Can we receive usage logs for their institution? And what tools exist to process them?
A: Yes, if you want us to supply your logs we can do that. We currently provide reporting or ‘digesting’ of
the logs into a reporting format. There are some emails about such programs on the EZproxy Listserv
if you are interested in investigating.