What is EZproxy?
EZproxy provides secure remote access to e-resources. Users authenticate and then they can access licensed online resources from off-campus.
     
PALS hosts and supports EZproxy for about 40 libraries in Minnesota. Most use LDAP authentication.
What is Needed?
Remember that there are three parts needed for a database to work with the proxy:
  1. A current stanza for the vendor in your config.txt file
  2. The vendor needs your proxy prefix and proxy IP address on their end
  3. A correctly constructed link
​Links
Once EZproxy is set up, construct your links by putting your proxy prefix in front of the database link.

Your proxy prefix will look something like this:

https://testproxy.mnpals.net/login?url=

You can get the database links for the ELM databases here.

A good database link will look something like this:

https://testproxy.mnpals.net/login?url=https://search.ebscohost.com/login.aspx?authtype=ip,uid&profile=ehost&defaultdb=rzh

If you are sharing specific content such as an article or video, do not just grab the url from the address bar at the top of your browser. Look for a link in an area marked Share. It might also be called permalink or persistent link.

Remember that open access resources do not need to be proxied, so you would not include the proxy prefix for open access resources.
Update your Config file
Update your Config File - Quick example video (3 minutes) which covers:
  • Check for a database conflict
  • Download your config
  • Update a stanza by putting in the IncludeFile
  • Upload your file
  • Restart Ezproxy
Transcript of video

Handout
​IncludeFile Reminders
Please note that if you make a mistake and put in an IncludeFile that does not exist, your EZProxy will fail to restart. 
  • This means we want to be careful about any typos. The stanzas are updated frequently and you can look in your Databases folder to verify that what you want is there. 
  • Remember, to Restart your EZproxy in the Admin interface after you have made changes to your config.txt.
A bit more discussion . . . The advantage of using the IncludeFile is that your stanza is updated automatically for you ongoing. Of course, if you need to customize your stanza or a separate file doesn't exist for that publisher, you want to keep the full stanza in your config.txt. Lastly, you do not want both the IncludeFile and the full stanza in your config.txt. That will cause database definition conflicts.
​Changes to ELM databases as of 7/1/20
If you haven't done it already, remember to update your links with the changes to ELM databases. Find the current links here.

One special case is the new elementary school resources from Capstone. Capstone offers custom links for each library. Please put in a ticket if you would like to get the Capstone links for your library.
 
Learn more about these Capstone resources here.
 
Https
If you haven't yet updated your EZproxy links to https, please begin updating them. This includes links on your website and in research guides. Please also communicate with your instructors that they should update their links in D2L. (Primo is done, so don't worry about that! And if you use SubjectsPlus, we will be sure to do this for you as you move to the new version.)
 
More details . . .
 
What we are focused on here is your proxy prefix, so for our test library, we change this:

http://testproxy.mnpals.net/login?url=
 
To:

https://testproxy.mnpals.net/login?url=

We do have settings in EZproxy to force the use of https and this works for most people. There are some Comcast/Xfinity users who are barred from access before the redirect can kick in. If needed, these users might want to disable Advanced Security until this transition to https is complete. Instructions are here.
 
Ideally, we do want both parts of our database links using https like this:



Most of the major vendors are using https now. Some of the smaller providers might not have made the switch yet.
 
Please also keep your stanzas current if you are maintaining EZproxy yourself. Remember that you can use the IncludeFile. 

For those who have asked PALS to maintain EZproxy for you, don't worry about your stanzas, we will do this for you.
 
Of course, if you have a problem, please put in a ticket.
​Raise your Limits
Due to COVID-19, many institutions are relying more heavily on off-campus access to online resources and EZproxy should be fine. If PALS is hosting your EZproxy instance, be assured that the server hardware and network can handle the increase to traffic.
 
That said, you might want to tweak your configuration a bit, for example, raising the default settings such as MaxSessions, MaxConcurrentTransfers, and MaxVirtualHosts.
 
More details here:  For those institutions who have said that they want PALS to maintain their EZproxy for them, we raised the raised the limits proactively.
 

Monitor and Adjust your Limits
 
If you want to monitor this yourself:
  • Log into your EZproxy Administration  
  • Choose View server status > Miscellaneous
You will see something like this:

Peak sessions active/limit: 4/1000
Peak concurrent transfers active/limit: 4/400
Peak virtual hosts/limit: 1305/7500
 
Which corresponds to these lines in your config.txt:

MaxSessions 1000
MaxConcurrentTransfers 400
MaxVirtualHosts 7500
 
If you are getting close to a limit, simply increase it in your config.txt and Restart your EZproxy.
 
A bit more background explanation . . . you might also see these settings abbreviated as MS, MC and MV. For example, a lot of people have some version of MaxVirtualHosts in their config.txt that looks something like this: MV 1000. Many people have not previously set MaxSessions and MaxConcurrentTransfers in their config.txt, but it makes sense to raise the limits from the defaults now that we expect more people to be working remotely.
​Basic Tips & Questions
  • Have the user try an incognito browser window
  • Are they using old software (browser and/or operating system)?
  • Get the link that was clicked and where it was from (Primo, D2L, Database A-Z list, etc)
  • Get the exact error shown – a screenshot is ideal
  • Happening to only 1 user? Can you replicate the problem?
  • Is it happening on and off campus?
  • VPN - if it is on, try with it off and vice versa.
  • Firewall and/or anti-virus software can cause problems
  • Browser security settings and/or proxy settings in the browser can cause problems
User Login Errors
Most login errors tend to be people entering incorrect credentials. Have the person try this test:
  • Type your StarID and password into Notepad
  • Then copy and paste those into D2L, so it is clear it is working
  • Then copy and paste those into the proxy login to be sure there are no typos or caps lock

If the person is affiliated with more than one institution, they should log in with their primary institution for best results.
 
If there is still a login problem, try to get these for troubleshooting:
  • A screenshot of the error including an exact date and time
  • StarID of the person having trouble
Seeing symbols and diamonds?
​VPN and EZproxy
There is a potential problem for patrons using EZProxy when connected to your campus VPN. The problem will exist if your VPN is configured to only handle traffic going to your campus network. This is referred to as "split tunneling." Under split tunneling, when you are accessing an on-campus resource, the connection has one IP address (from your VPN range), but when you go to off-campus resources, the off-campus resource sees an off-campus address (the IP address assigned to you by your ISP).

If this is the case, what happens is that your proxy server sees the VPN address, and thinking you are "on campus" passes you off to the e-resource. In the middle of that, the VPN-using-split-tunneling says "they are going off campus, time to route them to their off-campus IP address." And the e-resource sees the incoming connection as coming from your ISP and says "You don't have access to this resource. Log in for access."

How to tell if your VPN uses split tunneling
1.    Make sure you are NOT logged into the VPN.
2.    Google "What is my IP."
3.    Log into your VPN.
4.    Again, Google "What is my IP."
5.    If the addresses are the same, then your institution is using split tunneling.

What to do if your VPN uses split tunneling
1.    Contact your IT and ask them to provide you with the range of IP addresses that is assigned to your campus VPN.
2.    Use the IncludeIP directive to add that IP range to your EZproxy config.txt. (For example: IncludeIP 0.0.0.0-255.255.255.255). This will treat VPN users as off campus and should fix the problem caused by split tunneling. (More info here.)
3.    If you need help making these changes put in a support ticket.
 
​IP error or a login screen after logging in to EZproxy
If you are able to log in through EZproxy, but you then get an IP error or a login screen, the problem is likely on the vendor side. Perhaps the subscription isn't current or the vendor needs to tweak something on their end.
​SSL Errors
1) ERR_SSL_PROTOCOL_ERROR  
Have the patron clear cache and cookies.

You can have them try using a private or incognito window first, it often accomplishes the same thing without having to lose all the cache and cookies. 

There are some more ideas here:
2) SSL_ERROR_RX_RECORD_TOO_LONG 
To solve this problem, we have disabled TLS versions 1.0 and 1.1.

Please note that this will mean people using older software will not have access until they update to a current version of their browser and/or operating system.
​Blocked Access
If you see the Blocked Access error message or safebrowse.io at the beginning of the url, it comes from a protected browsing setting from the internet service provider. 

Possible workarounds: