EZproxy Hosted Frequently Asked Questions

Q: What firewall ports would have to be opened to accommodate hosted EZproxy?
A: It mostly depends on how you plan to authenticate. For example, if you want to authenticate to something like LDAP, you would need to open access for the server to access it. You access your Hosted Server at port 80 or 443.

Q: How will authentication work? Would an EZproxy request ping off of our AD server for authentication, or would we have to supply a file of usernames/passwords?
A: EZproxy Hosted can authenticate against Active Directory provided that we can access the Active Directory Server through any firewalls and provided that you can provide us with an encrypted (SSL or HTTPS) connection to the Active Directory server.

Q: Is it possible to use a Group set-up to create three groups authenticating against three different existing systems (for instance, Active Directory, or whichever system is authenticated against on each campus), and have a single configuration file in which databases are assigned to one or more Groups? If the entries in the config file are at the individual database level, does this allow EZproxy to vary access between two databases provided by the same vendor?
A: Yes, this is usually possible. We will need to know some more details to answer in more detail. It's important to note that the entries in the configuration file (including group authentication control) are granular more to the web site level, not as much to the particular journal/article (i.e., single journal in a web site of many journals) level. There are some ways to partially mitigate this but it's useful to think of the granularity this way.

Q: Currently our EZproxy is set up to work with our campus system (LDAP protocol, I believe). The goal is for each student to have a single logon for all campus services. Of course, we change our passwords periodically, not all at the same time. So… would this work with EZproxy being hosted? If not, can you paint a picture for me of how the hosted situation works?
A: If they are using LDAP as an authentication source, then we can interoperate with it as long as we can access it through the campus firewall and we can access it via HTTPS. If we can access LDAP in this way, there will be no problem with users changing passwords at any time. Since we access LDAP in real-time in this scenario, as soon as a password is changed it is active in the EZproxy hosting environment.

Q: Will EZproxy accept IP addresses for authentication purposes from NON-SCO COLLEGES?
A: Yes.

Q: Can we also authenticate from the fixed IPs?
A: You can authenticate from fixed IPs – in other words, allow access based on IP address.

Q: Is there an estimated cost if, after a few years, we decide to move all authentication to referring URL?
A: To change to referring URL should not incur an extra cost unless we spend many hours configuring it, which I don’t believe will be the case. ‘Many’ hours is defined as more than 10.

Q: We are about to have an institutional domain name change. How would your service handle this?
A: In most cases, since databases are authenticated by IP address, there should be no change (assuming your IP addresses stay the same). In the few cases where referring URLs are used for authentication, we can make those changes for you. The EZproxy Hosting server is on OCLC’s domain: <inst name>.idm.oclc.org.

Q: I know the hosted EZproxy supports the CAS (Central Authentication Services) system. Do we need to make any change (e.g. open the firewall) at the CAS site if we move to hosted EZproxy?
A: Yes, the CAS server would need to be available to the EZproxy Hosting server that is in OCLC’s network.

Q: How can WorldCat Local Metasearch get authenticated if we change to hosted EZproxy?
A: We can authenticate via EZproxy which would use CAS.

Q: Would we be assigned a permanent unique IP address we could share with our online vendors?
A: Yes.

Q: How quickly could this remote service be implemented?
A: We give you a commitment date after we meet to discuss and you have filled out your questionnaire.

Q: What interface would I use to connect to hosted EZproxy to modify the config.txt and user.txt files?
A: You do not have any direct access to the configuration. We do that for you. For expert users, we are planning a fast deploy method for admins to submit changes. Currently you request changes via email to hostedezp@oclc.org.

Q: Would I be allowed to upload via FTP or another program a user.txt file every day? Could this upload be scheduled and automated?
A: Yes, this is possible. The first version of this is a web upload (i.e., you login and upload your file). Then we move it into the production configuration. This facility is still in development but we anticipate having it working in a few weeks. It should be a matter of minutes from upload to deployment in the production environment.

Q: Lastly, would we be able to set up a test of hosted EZproxy first to confirm that it will work in our environment before committing to purchase it?
A: We prefer to do something like a 60-day acceptance period, where we define success criteria up front. We can discuss this on the phone if you like.

Q: How long does it take to configure?
A: Depends on the size of your database. Our EZproxy database is vast and updated regularly, so most of your databases should be compatible with ours. Just to make sure, we set up a time for a conference call with you to discuss configuration details and startup date.

Q: How are configuration files updated by customers (institutions) in the hosted service? We currently maintain a set of files using SVN to capture all of the configuration settings, and we use SVN's updating process to keep our application servers current. We weren't sure whether this type of setup would be supported in the hosting service, or whether there were any file-uploading capabilities.
A: We also will be using SVN internally for this purpose. We will not have, to start, any config file uploading facilities for the institutions to use. You can send us entire files and, if you desire, we can send you a copy of the entire environment (from a config perspective) we have to help you know what is running in your configuration.

Q: Will there be any way to support automated-script-updated configuration files? We currently run a script on a daily basis to generate a configuration file for our e-journal/e-book resources based on our hosted knowledge-base data, and we will need to have a way to continue the automated process with a hosted proxy service. (Our knowledge-base data is coming from Serials Solutions.) We would be fine with running the script locally and uploading the resultant file to the hosted proxy service servers, providing there is a way to automate that process.
A: This may be possible. We will need to discuss this in some more detail. We do have the facility to upload periodic user/password files.

Q: Will we be able to preserve our current proxy-server hostname? Or does subscribing to the service also involve a new OCLC-based hostname?
A: There is a new DNS name for the proxy server.

Q: How does this work? Will we still be able to configure the file ourselves?
A: No, the model is that OCLC configuration staff maintains the configuration file for you. You will send OCLC requests for modification of the configuration. You can either send us an entire config file or the text to put into it.

Q: Is there going to be a web admin?
A: You will have, upon request, access to the /admin interface of your EZproxy instance.

Q: Will we upload config files?
A: At the start of the service, no. We will be investigating ways to allow experienced admins more streamlined ways to update their config.

Q: I noticed in the terms & conditions that there is not a bandwidth allocation. Can you give me an idea of what would be considered “excessive?”
A: The network bandwidth management is managed across our server environments. We don’t anticipate bandwidth problems from normal usage. “Excessive” is when an institution’s consumption affects other institutions.

Q: What is the cost of configuration time (per hour) beyond the 10 hours provided at start-up? How is this fee assessed and charged?
A: The 10 hours of configuration time is for initial configuration, not for ongoing requests. Ongoing requests for changes are done without charge unless they will take an excessive amount of time, where excessive amount is more than 10 hours. For example, adding a user to a user.txt file (takes a few minutes) is not charged, but a request to add 100 more resources to the configuration file may be charged. We will not charge you without discussing with you beforehand. One way this can be avoided is if you help us research complex config problems. For example, if a config is not on our supported list but you know what it is – you can send it to us and we can use it.

Q: How do we have new e-resources added to our configuration? What else would local administrators still have to do?
A: You request us to do that. Local administrators do not have modify access to the hosted EZproxy system. You can, upon request, have admin access which allows you to view logs.

Q: How does problem reporting work - would patrons be able to report problems directly to OCLC, or would they report those to local administrators and then we'd troubleshoot and/or forward them to OCLC?
A: We prefer patrons continue to contact local contacts and then the local contacts (administrators) report to OCLC. If you can initially troubleshoot, that can be very helpful since sometimes there are local institution nuances to these types of problems.

Q: Please provide a list of contracted or testing sites we could contact for references.
A: Upon request, we can provide you with some contacts.
Q: If that won't work, what are our most efficient/easily supported local installation options given our consortium set-up? i.e., If we can't run one instance using Group configurations, can we run three instances on one server at one campus, or would we have to continue maintaining three instances (one on each campus)?
A: I believe you will be able to get 1 server for the three institutions to work. However, if for some reason you can't, you can run 3 copies on one server or three separate instances. It's probably best to run using virtual machines, in other words, run 3 virtual servers on one physical server.

Q: Let's say we start with the hosted service, and then we decide to host it locally. Would we be able to get a discount on the software, and how much reconfiguration would we have to do for "linking"? Would we have to rewrite all of our links?
A: If you were to decide to move from hosting to local deployment, we would give you all the configuration files from the hosting server necessary to configure and run your server. The DNS name of your locally deployed proxy server will be different than the hosted one, so you would have to make a pass through your links and substitute the new local name for the previously used, hosted name.

Q: Will EZproxy hosted run on server 2008 R2?
A: Yes, EZproxy will run on Windows 2008 R2.

Q: What is “excessive” bandwidth? Is there a number? Also, are there breakpoints on the number of users? And is the number of users based on individuals or number of simultaneous users?
A: Regarding ‘excessive’ we don’t have a number. We monitor in order to protect delivery of services across all of our network services and users. We will take reasonable measures to protect our services and users against service outages which can be caused by a large variety and constantly changing set of events.

Q: Will EZproxy accept IP addresses for authentication purposes from NON-SCO COLLEGES?
A: Yes.

Q: Can you RESTRICT the access of users coming from these external IP addresses to Millennium only (so that they do not have access to other databases available exclusively to SCO patrons, such as, etc.)?
A: Yes.

Q: We are about to have an institutional domain name change. How would your service handle this?
A: In most cases, since databases are authenticated by IP address, there should be no change (assuming your IP addresses stay the same). In the few cases where referring URLs are used for authentication, we can make those changes for you. The EZproxy Hosting server is on OCLC’s domain: <inst name>.idm.oclc.org.

Q: Would it cost extra to reconfigure the resources to the new domain name?
A: No.

Q: When we add or remove databases, is the process of configuration done on your end?
A: Yes.

Q: What is the time frame for changes we might require?
A: Our goal is 24-hour turnaround. It does depend on the quantity and complexity of the changes.

Q: We have a complex system in place (WAM proxy) with many database records. We need to know if the two systems can be run simultaneously as we change our records to the new proxy URL. We would want to experience as little “downtime” to our database searching as possible.
A: Regarding WAM, you can run them in parallel as you set up the new server. You would register an additional IP address for the new EZproxy Hosting server with your vendors and then cutover when the configuration is done and you are ready. There may be some vendors that require referring URLs that can’t be run in parallel.

Q: With regard to the SSL certificate that you provide with this service: I assume that the certificate you supply does not reside on our server but on one at OCLC, is that correct? Our server requires an SSL certificate, so I am assuming we still need to provide our own as well, correct?
A: We supply the SSL certificate for the EZproxy Hosting server. Any other certificates will be supplied by you.

Q: As you know, we are using WMS, WorldCat Local, and WorldCat Link Manager. Our patrons will use single login to access their library account and library resources. Will EZproxy patron records come from WMS? Currently WMS has our Pepperdine user names. But it doesn’t have our passwords. Will we use CAS or WMS system to authenticate us? Do you know the timeline for the single login?
A: EZproxy supports authenticating straight to CAS – EZproxy only needs to authenticate – it doesn’t need any patron information. We can test the configuration but once WMS authenticates to CAS also, there should be single sign-on.

Q: Can DNS names be changed at any time?
A: Yes.

Q: Can we receive usage logs for their institution? And what tools exist to process them?
A: Yes, if you want us to supply your logs we can do that. We currently provide reporting or ‘digesting’ of the logs into a reporting format. There are some emails about such programs on the EZproxy Listserv if you are interested in investigating.