Troubleshooting proxy server configuration

KB Home   |   Troubleshooting proxy server configuration

The two most common problems with configuring a proxy server with use in PaperCut are:

  • Users are not authenticated to the proxy, so that PaperCut cannot determine an individual user’s usage
  • The proxy server is not configured to restrict access to members of a Windows security group. This means that when the user has no credit, they will still be allowed to access the internet.

These issues are common to any proxy server being used. Each proxy server requires different configuration, but the steps to diagnosing the issue are similar for all proxy servers.

Checking that users must authenticate to the Proxy server

The simplest way to check whether your users are authenticating correctly to the proxy is to examine the log files.

  • Open your proxy log file in a text editor. You will see a single line for each web request served by your proxy server. The line contains details about the time of the request, URL visited, amount of data downloaded. Depending on your proxy server, the format will be different, but they all contain similar information. (Below is a sample line from a Microsoft ISA Server log file).
    192.168.1.1 matt Mozilla/4.0 (compatible; MSIE 6.0) 2004-09-22 10:42:07 VM-ISA-SERVER - slashdot.org 66.35.250.150 80 2312 373 43937 http GET http://slashdot.org/ Inet 200 PaperCut Internet Rule - Internal External 0x480 Allowed
  • Check that log entries to ensure that the usernames appear in the log file. In the example above the username appears in the second column (matt). Depending on your configuration, the user may contain the Windows Domain name, for example DOMAIN\user
  • If the logs are correctly showing the username then PaperCut will be able to charge users for Internet usage. To verify this you can see net usage logs appear in PaperCut once PaperCut is installed and configured correctly. If you don’t want to enforce internet quotas and disable internet access for users without credit skip to the next section.
  • If your logs do not contain your user names then your proxy server is not forcing users to authenticate to allow Internet access. Configuring this is dependent on your proxy server. For an example of how to configure this for ISA Server 2004, see the user manual.

Disabling Internet Access for users with no credit

PaperCut relies on the proxy server to deny Internet Access when users run out of credit. So you must make changes your your proxy server access rules to deny users without credit.

PaperCut offers two approaches to integrate with proxy servers:

1. By maintaing a Windows security group (which is then used in proxy server rules) - see below.
2. For Squid proxy on Linux, you may also use a our “Squid ACL Helper” (see the user manual here for more info.

Controlling Internet Access with Windows groups

If you are running a Windows network and using Microsoft ISA Server (or Squid NT), then PaperCut can make use of Windows security groups to allow/deny Internet access. When the user has no credit PaperCut, removes the user from the defined Windows security group that grants Internet access to users. The next time the user attempts to access the Internet through the Proxy server, the proxy server will see that the user does not belong to the security group and will deny access.

When the user is given credit again, the proxy server will again allow them to access the Internet.

For this to work, the proxy server needs to be configured so that PaperCut users are only allowed to access the Internet when they belong to a particular Windows security group. For this article we will call this group ‘Internet Users’.

The configuration of different types of proxy server is out of scope of this article. A detailed guide to configuring ISA Server for net quotas can be found in the user manual.

Once you have configured your proxy to only allow access to the ‘Internet Users’ group, you can do the following to ensure that the proxy is configured correctly (this can be done without having PaperCut installed):

  • Using the Windows (or Active Directory) user manager, ensure that your user is not a member of the ‘Internet Users’ group.
  • Try to connect to the Internet via the proxy server using this user. The proxy server should not allow access.
  • Using the Windows (or Active Directory) user manager, add the user to the ‘Internet Users’ group.
  • Try to access the Internet again, and ensure that access is allowed. NOTE: That some proxy servers cache this information. If this is the case, perform this test using a different user.

If these tests work correctly then disabling of Internet access will work within PaperCut. You then just need to setup the PaperCut Internet Control service to update your selected ‘Internet Users’ Windows group. See the Net Control Setup section in the manual.

If you have any other questions about proxy configuration, please feel free to email the support team.


Categories: Troubleshooting, Proxy Servers

Comments

Share your findings and experience with other PaperCut users. Feel free to add comments and suggestions about this Knowledge Base article. Please don't use this for support requests.

Article last modified on June 09, 2015, at 01:19 PM
Printable View   |   Article History   |   Edit Article