U. K. Proxy Server (powerpoint)

University of Kentucky
Proxy Service
For the web version of this presentation, information
given in the classroom has been added using yellow
text boxes.
Presentation
By
Kelly Vickery
http://www.uky.edu/~kmvick0/proxy/proxytrouble.ppt
Proxy Server Originally Developed To
• insulate an institution’s closed network from the
Internet – used as a firewall.
• serve all external Internet requests for a single
institution.
• handle multiple internet protocols for a closed network.
• mediate multiple requests for documents from a
closed network.
• efficiently serve multiple requests for the same
document.
• improve network performance on a limited bandwidth.
Standard HTTP Get
Requests are sent over the Internet from a client
computer directly to a serving computer.
• Image taken from Ari Luotonen - Kevin Altis
http://www.w3.org/History/1994/WWW/Proxies
Original Proxy Design
(to protect & serve the subnet)
In a network with a proxy server firewall, all requests for information external to the closed network are sent to the proxy server. The proxy then relays the request to servers on the Internet. There are no direct requests from within the closed network to the Internet.
• Image taken from Ari Luotonen - Kevin Altis
http://www.w3.org/History/1994/WWW/Proxies
HTTP Get with a Proxy
The Internet server sends the proxy-requested document back to the proxy, which then distributes the document to the requesting computer within the closed network.
• Image taken from Ari Luotonen - Kevin Altis
http://www.w3.org/History/1994/WWW/Proxies
Document saved in Proxy Cache
However, before distributing the requested document
the proxy also saves a copy of the document in its cache.
• Image taken from Ari Luotonen - Kevin Altis
http://www.w3.org/History/1994/WWW/Proxies
Subsequent Requests from the Cache
Subsequent requests from within the closed network for that same document are delivered from the proxy’s cache, thus improving the speed of delivery (at the potential cost of the currency of the document.)
• Image taken from Ari Luotonen - Kevin Altis
http://www.w3.org/History/1994/WWW/Proxies
UK Proxy Server
Is this how the UK proxy server is used?
NO! …Some differences are:
• Service is to client computers external to
the UK firewall.
• There is NO proxy caching.
• User must be authenticated.
• Proxy intervention is directed by a list of
URLs – only specific sites use proxy server.
Purpose of proxy server as used by
Libraries
• To authenticate authorized users affiliated with
the institution.
• To authorize access to vendor resources that
use Internet Protocol address restrictions.
• To serve documents to computers OUTSIDE
the institution’s closed network.
• To handle multiple Internet protocols external to
the institution’s closed network.
Three Basic Proxy Functions
1. Maintain a list of authenticated users
and provide a means of verifying they
are on the list.
2. Maintain a list of Vendor URLs to which
the proxy will authenticate access—this
list is called the “proxy.pac”
3. Mediate requests for information
between users and vendors, and deliver
information to authenticated users.
Prerequisite Knowledge
• What is an IP (Internet Protocol) address?
• What is a Domain Name?
• Anatomy of a URL (Uniform Resource
Locator)
• What is a proxy.pac?
What is an IP address?
An Internet Protocol address is a set of four
numbers separated by decimal points; each
number can be a value from 0 to 255; e.g.
128.163.2.27. The important point is that an
IP address is assigned to every computer
that sends or receives information on the
Internet—it can be considered an Internet
address or social security number; i.e., it
distinctly identifies a single computer or
service on the Internet.
What is a Domain Name?
A domain name is an alphanumeric identifier used
to refer to a computer or computing service on
the Internet. It usually has a name that is a
mnemonic. In a URL the domain name is just
that part of the URL that appears between the
“://” and the following slash “/”; e.g., in the URL
“http://www.uky.edu/Libraries” the domain name
is “www.uky.edu.” A domain name usually refers
to an underlying IP address which identifies an
individual computer or service.
Anatomy of a URL
The following are the functions performed by the various parts of a URL (Uniform Resource Locator).
http://www.uky.edu/Libraries/proxyhelp.html
• http:// : Internet protocol (i.e., transaction language)
• www.uky.edu : Host computer name: domain name or IP.
• /Libraries/ : Directory or folder on serving computer
• proxyhelp.html : Document name being viewed
Uniform Resource Locators
Protocol    Host             Directory                                     Document
http://     www.uky.edu      /Libraries/                                   proxyhelp.html
http://     www.uky.edu      /Libraries/Reserves/ERes Courses/edsaedp301   Jones_Talk.pdf
ftp://      ukcc.uky.edu     /webstat391/                                  stats1202.webpath
gopher://   mother.wis.edu   /sports/                                      ncaa.txt
Internet web page transfer.
In a standard transaction a client (patron’s) computer requests a document and sends its IP to a server. The server responds by sending the requested document back to the IP of the requesting computer.
• Patron computer (121.214.5.555): “Hey, send me a web page?”
• server.com: “Ok, here you are.” (Web page)
IP protected service.
To restrict access a vendor maintains a list of IPs of all customers who purchase access to the service. When an off-campus library patron requests a document from the vendor, the patron’s IP is not in the vendor’s list of customer IPs …and delivery of the requested document is denied.
• Patron computer (121.214.5.555): “Hey, send me a web page?”
• Vendor.com: “Sorry! I can’t send to your IP.”
What is a proxy.pac - 1
To assist delivery of documents to off-campus
patrons a list of vendor domain
names or IPs is maintained by the libraries
on the UK proxy server. This list is called
the “proxy.pac”, and can be viewed using
Internet Explorer at
http://portal.uky.edu/proxy.pac. The
proxy.pac is a text file that contains a
series of JavaScript instructions on how a
patron’s browser should handle a URL.
What is a proxy.pac - 2
The UK proxy.pac list contains JavaScript
which instructs the browser to go directly
to a URL if the domain name is NOT found
in the proxy.pac. If a vendor domain name
IS in the proxy.pac then the patron’s
browser will automatically contact the UK
proxy server requesting the document.
The proxy then requests authorization
from the browser. The patron’s browser
then prompts to enter a User ID and
Password.
What is a proxy.pac - 3
Each time a properly configured browser
connects to the Internet it automatically
contacts the proxy server which sends a
copy of the proxy.pac to the patron’s
computer. The patron’s browser is
responsible for contacting the proxy and
maintaining the copy of the proxy.pac. To
see how to properly configure a browser
please see the off-campus access help
pages:
http://www.uky.edu/Libraries/proxyhelp.html
Internet proxy transaction-1.
A properly configured browser copies the proxy.pac when first connected to the Internet.
• Patron computer: “Hey, portal.uky.edu! I just logged onto the web. Send me your proxy.pac.”
• UK Proxy Server: “Ok, here is the list of proxy protected urls.” (Proxy.pac url list)
Also shown: Vendor.com.
proxy.pac vs proxy.cfg
If you are troubleshooting and need to check whether a vendor’s domain name is in the proxy.pac then it is best to search only for the second order of the name; e.g., if searching for “www.aip.org” then enter “aip” only, because domain names can be entered as a wildcard for a site. In the case of a wildcard the prefix is removed from the domain name; e.g., only “.aip.org” is entered in the pac.
Evidence of proxy.pac copying can be seen in Netscape, as the proxy.pac is copied to a file in c:\Program Files\Netscape\Users\profile\proxy.cfg
Internet Explorer maintains its copy of the proxy.pac in the patron’s computer RAM, but does not write a copy to the hard drive.
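The browser-side decision described in the "What is a proxy.pac" slides and the wildcard note above can be written out as follows. This is an added example, not the contents of UK's proxy.pac: the proxy host and port, the helper names and the two-entry vendor list are assumptions made for illustration.

```javascript
// Added example: constructed PAC logic, not the contents of UK's proxy.pac.
// PROXY_TARGET is a placeholder; the real proxy host and port are not given here.
const PROXY_TARGET = "PROXY proxy.example.edu:8080";

// Wildcard entries as the slides describe them: prefix removed, leading dot kept.
// ".aip.org" and ".epnet.com" follow the slides' examples; the list is illustrative.
const VENDOR_SUFFIXES = [".aip.org", ".epnet.com"];

// True when host is the vendor domain itself or any subdomain of it.
// The match is anchored at the end of the host name and at a label boundary,
// so "www.aip.org.example.net" and "notaip.org" do not match ".aip.org".
// Matching the bare domain as well is a choice made in this example.
function hostMatchesSuffix(host, suffix) {
  const h = host.toLowerCase().replace(/\.$/, ""); // drop a trailing root dot
  const s = suffix.toLowerCase();
  return h.endsWith(s) || h === s.slice(1);
}

// Entry point a browser calls for every request when a PAC file is configured.
function FindProxyForURL(url, host) {
  for (const suffix of VENDOR_SUFFIXES) {
    if (hostMatchesSuffix(host, suffix)) return PROXY_TARGET;
  }
  return "DIRECT"; // not a listed vendor: no proxy, so no login prompt
}

// Troubleshooting helper: the term to search for in the PAC text,
// e.g. "epnet" for web23.epnet.com. Assumes a two-label registered domain
// (name.tld); hosts under suffixes such as .co.uk need the third label.
function searchTermFor(url) {
  const labels = new URL(url).hostname.split(".");
  return labels.length >= 2 ? labels[labels.length - 2] : labels[0];
}

// Reports which branch a URL takes, for comparing against what a patron sees.
function explain(url) {
  const host = new URL(url).hostname;
  return { host, term: searchTermFor(url), route: FindProxyForURL(url, host) };
}
```

A URL whose route comes back as "DIRECT" is one for which the patron will never see the proxy prompt, which is the symptom the next slide describes.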
Domain name not in proxy.pac
If a vendor domain name is not in the
proxy.pac then access will be denied to all
off-campus users for that vendor service. If
patrons receive the proxy prompt for some
services but not others, then there is a
good chance, that for the service where
there is no prompt, the vendor’s domain
name is not in the proxy.pac. If this occurs
check the proxy.pac to ensure the domain
name for the vendor is there.
Internet proxy transaction-2.
If the ID and Password entered in the prompt are not in the list of authorized users then access is denied; if they are in the list then the proxy fetches the document and sends it to the patron.
• Patron computer (121.214.5.555): “I need to go to Vendor.com. It is listed in my proxy.pac file.”
• UK Proxy Server (128.163.1.29): “Ok, but first, who are you?” (Get ID & Password)
Also shown: Vendor.com, Proxy.pac url list.
Proxy Authority List
A list of last names and barcodes is loaded
into the proxy server from Voyager at
10:30 P.M. daily, and becomes active in
the proxy at 11:00 P.M. For patron
information to be loaded into the proxy it
must have an active, 13 character
barcode, beginning with “2” that is
associated with a proxy approved Voyager
patron group. The ID is the patron’s last
name and the password is their 13
character Voyager barcode.
Proxy Approved Patron Groups
» UK Distance Learning
» UK Donovan Scholar
» UK Faculty and Staff
» UK Graduate Student
» UK Independent Study Program Student
» UK Law Faculty
» UK Medical Center Community-Based Faculty
» UK Undergraduate Student
» UK Visiting Scholar
» UK Affiliate Faculty and Staff
Proxy authentication is OS and browser dependent.
Proxy prompts can look different on differing browsers and operating systems; however, there are common elements found in the prompts:
Common Elements
• Pop-up window (not a
web page) and says
either:
• “portal.uky.edu”
• or “128.163.1.29”
If patron’s last name and barcode is not in the list (or if they enter them incorrectly when prompted) then access is denied.
Proxy Authentication Required
Internet proxy transaction-3.
• Patron computer (121.214.5.555): “Ok, here is my ID and password. Please get Vendor.com for me.” (Post ID & Password)
• UK Proxy Server (128.163.1.29): “You’re on my list. Ok, I’ll Get Vendor.com for you.”
• Vendor.com: “Your IP is authorized for access. I’ll send the web page.” (Vendor web page)
• UK Proxy Server (128.163.1.29): “121.214.5.555, here is your web page from Vendor.com” (Vendor web page)
Purpose of the UK proxy server.
The proxy server does not solve a technical problem–the
problem of delivering information. (The Internet is
perfectly adequate for delivering information without
the use of a proxy server.) The purpose of a proxy
server is to NOT deliver information. The PURPOSE
of a proxy server is to STOP the delivery of
information to unauthorized individuals.
The proxy IS a technical solution to a legal problem—the
purpose of which is to STOP the delivery of
information to unauthorized individuals.
Proxy function summary
• List of URLs sent to user’s browser.
• Browser checks URLs for a match.
• Proxy prompts & checks ID and password.
• Proxy requests document from Vendor.
• Proxy delivers document to Patron.
Problems can occur in each step.
Potential problems
• Proxy server or its connection is down.
• Vendor server or its connection is down.
• Patron’s computer or connection problems.
• Problems with patron authentication.
• Vendor’s domain name is not in proxy.pac.
• Patron’s browser is not communicating with the proxy server.
There are still people who will configure I.E. or Netscape 7.x correctly, but their browsers will still not communicate properly with the proxy server. Netscape 4.78 still tends to be the MOST RELIABLE browser available when using a proxy service.
Diagnosing connection problems
• Proxy server or its connection is down.
– Point web browser to portal.uky.edu
– Start>Run>Cmd> Ping portal.uky.edu
– Start>Run>Cmd> Tracert portal.uky.edu
• Vendor server or its connection is down.
– Point web browser to vendor server.
– Start>Run>Cmd> Ping vendor server.
– Start>Run>Cmd> Tracert vendor server
Diagnosing Authorization Problems
• Problems with patron authentication.
– Check Voyager Circulation:
   • Approved patron group?
   • Active account?
   • Valid barcode?
   • Check date (was record entered today? Will load at 11:00 P.M.)
– With patron barcode and ID, log into proxy protected resource—this is the acid test.
– Log into InfoKat using “My Library Account”. (Problem with this test is that patron can be in an Unapproved patron group yet this test will work.)
Voyager Circulation
If a patron receives the proxy prompt, but is denied access then you can check Voyager for the following 4 conditions:
1) 13 character barcode beginning with “2”.
2) with one of the approved patron groups
3) with an active account
4) not entered with today’s date.
Diagnosing Authorization Problems (con’t)
• Problems with patron authentication.
– Log into portal.uky.edu/libauth/ and check for patron
– Does patron have hyphenated last name or
punctuation in name?
– Have patron enter 13 character barcode in Notepad
and cut and paste it into proxy prompt.
Make sure patron has a Voyager record, an ID
barcode, and an appropriate patron group.
Attempt to log into the proxy using patron’s name
and barcode to see if you can gain access.
Tell patron to remove any spaces or punctuation
from their name when entering it in proxy prompt.
Diagnosing Access Problems
• Vendor’s domain name is not in proxy.pac.
– Other resources receive proxy prompt, but not
this one.
Point IE or Netscape 7.0 browser to
portal.uky.edu/proxy.pac and load the file.
Search for the vendor’s second level domain
name. Example: EBSCOhost might have url
with http://web23.epnet.com/selectdb.asp?
Search for just “epnet” in the proxy.pac.
Netscape Viewing Problems
Different look and feel in Netscape 7.x and 4.x. Setup is basically the same.
If you are describing the browser to a patron on the phone, but they don’t see what you think they should see, then have them place a “check mark” on all features found under “View”.
Configure Netscape for Proxy
Netscape 4.8 and 7.0
Check “Enable-Java” and cookies
Some web problems or browser configuration problems get blamed on the proxy. Check some of the following browser settings to ensure they are configured correctly (enabling Java, for instance).
Netscape 4.8 and 7.0
NEVER select “Never”!
In the Cache, make sure “Never” is NOT selected. This can create problems if the patron receives an error viewing a web page. If the problem is corrected on the server the patron will continue viewing the cached error page.
Enable Cookies for 7.0
Netscape
7.0
and after clicking “view
JavaScripts for 7.0
…and finally.
Configure Internet Explorer
Proxy Configuration
Standard Internet Explorer proxy configuration depends on whether the connection is by modem or is a Local Area Network (LAN) connection.
Modem or LAN
Internet Explorer proxy settings
“Settings…” setup
and
“LAN Settings…” setup
NEVER select “Never”, again
“Settings…” setup
and
“LAN Settings…” setup
Java, ActiveX, etc.
“Internet” globe > Custom Level.
Choose Medium or lower.
You never would believe where
those web cookies come from.
Never higher than “Medium High”.
Advanced…> Not “Block”
Download Netscape 4.78
When downloading Netscape 4.78 to a Windows computer tell the patron to choose the “Base Install” under “Windows 95, 98, NT” even if they have Windows 2000 or XP.
Presentation handouts.
• Trouble Shooting Document
• Setup Script
• Some Internet Explorer Troubleshooting