What is a proxy server and how does it work?

About Proxy Servers

Proxy servers are a standard method of providing library users with remote authentication to library resources.  Some common brand names include EZProxy (OCLC), WAM Proxy (III), OpenAthens Proxy (EduServ), MUSE Proxy (Edulib) and others.  Similar to this is also the BrowZine Pairing Service which works on similar proxy technology but is specifically designed to be used only with BrowZine while others enable remote use of BrowZine as well as other resources accessible via the web.

While each of these systems provides unique features, they all rely on providing access to content via IP recognition.  This method takes advantage of the uniqueness of public IP addresses that are registered to a particular institution.  Because these are unique and cannot be impersonated, they provide a unique and reliable way to ensure that requests for content coming from computers at those IP addresses indeed belong to the institution and therefore the user is a member of this institution.  This is similar to providing the content provider with a unique phone number.  Therefore, whenever they see an incoming "call" from that phone number, they have "Caller ID" to identify who is requesting the content, and if they indeed have valid permission to do so, they can provide this content back to the "caller".

However, these IP addresses typically are restricted to the physical grounds of the institution.  This provides a challenge then for users wanting to access IP-authenticated resources from home or via a mobile device connected to a cellular data network!

The solution is a proxy server which makes the request for content "by proxy" for the user who is outside the IP range by relaying that request through an IP that is inside the IP range.  To continue the use of the phone analogy from above, if only you have the ability to call and request information because your phone number was recognized by the content provider, but your colleague was at home and wanted some information, they could call you and you could then relay this request to the provider, and then, in turn, relay this information back to your colleague.  Proxy servers work in much the same way.  But how does the proxy server know if the user outside the IP range should be allowed access?

This is where authentication comes in.  Authentication to the proxy server can take many forms.  For example, EZProxy provides access via a wide range of authentication methods and the other proxy servers have similar lists of supported techniques.  A very common option is to link the username/password boxes seen on a proxy server login screen to that of the LDAP/Active Directory database for the institution.  This would be a "master list" of usernames/passwords that access other types of accounts for individuals on campus, typically including things like email accounts or links to student accounts or human resources information.  This way, the user doesn't need a "special" login to sign into the proxy server to access library materials.  This provides the best possible user experience.  Another popular method is to authenticate via Shibboleth which provides single sign on (SSO) capability to a wide variety of technology systems popular in universities.

Each proxy server has a unique IP address assigned to it.  Sometimes this proxy server will already exist within your institution's IP range and if you have already registered these IP ranges with your provider then you do not need to contact your content providers with this new IP address.  However, some content providers require that you designate if you have a proxy server and the exact IP address of that proxy server.  Be sure to check your license agreements for each content provider for details!

Getting started with a Hosted Proxy Provider

This is a proxy server that lives outside your normal IP range and is hosted by one of the companies providing the proxy software.  By choosing a hosted option you do remove the need to handle the technical setup of a server, but you will still need some information from your IT department to link that proxy server with the LDAP/Active Directory or Shibboleth system (or other similar authentication system) to this hosted proxy.

Additionally, you will need to update your IP ranges with all of your content providers to include this new IP address so that when that content provider sees data requests coming from this proxy server they will recognize that IP as being part of your institution and provide content to the user.

Finally, there will be some work needed on your proxy server to configure it for the resources you wish for it to proxy.  For security reasons, most proxy servers are setup as "white list" proxies, meaning that you need to explicitly detail in a configuration file/system all of the domains that you wish it to provide proxy services for.  This prevents abuse of the proxy server to, for instance, proxy youtube.com or some other high-bandwidth resource which would then slow down other users legitimate use of library content.  The amount of configuration needed varies by proxy provider and whether or not it is a hosted or self-installed system (hosted systems typically require less configuration).

BrowZine Pairing Service versus Hosted Proxy Systems

BrowZine Pairing Service
The BrowZine Pairing Service (BPS) provides an excellent alternative to a hosted proxy system if:
  1) You have no remote authentication system at all and you wish only to provide remote access via BrowZine
   2) You have some form of remote authentication but not one supported by BrowZine.

BrowZine Pairing Service provides:
   1) Fast setup by Third Iron
   2) High performance system
   3) Zero involvement needed from IT department
   4) Works by "pairing" with your campus for set intervals of time rather than relying on credentials to establish authorized users.  Convenient for security-minded environments where setting up a proxy server to provide access using sensitive credentials is not allowed by IT security protocols. 
   5) Low-cost solution worked into the total price of BrowZine
   6) No configuration of technical systems - Third Iron handles all of the "white listing" as explained above.

However, as mentioned earlier BrowZine Pairing Service can only be used with BrowZine for iOS and Android.  It cannot be used as a "general" proxy system for your library website and other content sources you may provide to your users.

Additionally, the library will be responsible for registering the Pairing Service IP address with all content providers.  This effort is identical to that of setting up a new Hosted Proxy Server.

You can read more about the BrowZine Pairing Service Here.

Hosted Proxy System
A hosted proxy system is ideal if:
   1) Your IT security policy will make it possible to authenticate via a standard authentication system within your institution
   2) You are interested in a general proxy to make all your web-enabled resources (as well as BrowZine!) accessible to your users off campus

This second point is the most important and the main reason you should choose a Hosted Proxy System over the BrowZine Pairing Service.

At Third Iron, we are here to help!  If you would like to discuss your unique requirements situation with us, we would be happy to advise you on the best course of action for you and your institution.  We have successfully worked with hundreds of libraries around the world to advise the best technology solution for their needs.  Please contact us at support@thirdiron.com with any additional questions you may have!

Feedback and Knowledge Base