6 Replies Latest reply on Apr 23, 2015 10:38 AM by Richard Smith Jr

    What's everyone's best practice for Authentication to the Package site?

    Mike Dorris Scout

      IIS built-in? CAS? Some other third party? We have had issues trying this as far as installing the packages: once we put the site behind authentication, the user can no longer install the package.

        • Re: What's everyone's best practice for Authentication to the Package site?
          Scott Olswold Guide

          Mike,

           

          Is your intent to force users to authenticate to access the /Uniprint website? Generally, this is just left to Anonymous so that any person can install. Windows authentication would potentially fail since any student computer is probably not on your domain.

           

          -Scott

          • Re: What's everyone's best practice for Authentication to the Package site?
            Paul LaFollette Guide

            For us, we've got our Package site available to anyone ... but only within our site (not the "outside" world), which means 1) Only "on-campus" connected systems can reach the package site, and 2) Only authenticated users (using either a campus computer or connecting to the campus wireless) can access the Package site.

             

            We then add a "poor man's" security level by never telling anyone where the Package site resides. We only provide web links to specific packages, thus the end users don't know about the Package "site" ... unless they "stumble" upon it by removing the executable file name from the web path to a package. Even then, they will only find a small number of packages, as we've only made packages for the most common (and "public" to the students) print queues.

             

            Not very robust security, but for several years it's worked with near perfection. Basically, it's "If you don't tell them, they probably won't know".

             

            - Paul L.

              • Re: What's everyone's best practice for Authentication to the Package site?
                Mike Dorris Scout

                Not a bad suggestion, but the cat may be out of the bag already as for the location of the site. How did you implement this portion:
                1) Only "on-campus" connected systems can reach the package site, and 2) Only authenticated users (using either a campus computer or connecting to the campus wireless) can access the Package site.

                  • Re: What's everyone's best practice for Authentication to the Package site?
                    Paul LaFollette Guide

                    The server hosting our Package site is only available within our campus network/domain. On our network, our "campus provided" computers require domain username authentication, and anyone using our "on campus" wireless must connect to the wireless using domain username authentication. To prevent "rogue" computers (or someone just plugging their laptop into an active network jack), we've implemented 802.1x authentication so that only authorized devices and/or authorized usernames can even get an active network connection.

                     

                    Thus, in order to get to the package site, users have to 1) be physically on campus and 2) use a campus domain username.

                     

                    There is a notable "flaw" to our method. A couple of faculty (just two so far) have realized we could provide print connections to their "department" printers to students and have asked for specific students (working on special assignments/projects) to be set up to print to those "department" printers ... which meant a package has been made for those requests. As more faculty realize we can do this... the more the "cat out of the bag" may occur.

                     

                    Part of the reason we got this far was because we were running Uniprint 7.2 for a long time and its packages were not compatible with newer OS versions, and so we didn't do any packages at all for quite a while. That changed when we upgraded from 7.2 to 8.4.

                     

                    At this point, our "saving grace" will be simply not revealing the path to the package "site" by only providing links directly to select packages.

                     

                    Might have to secure it further down the road. When we do, it will surely be through domain authentication.

                     

                    - Paul L.

                    • Re: What's everyone's best practice for Authentication to the Package site?
                      Richard Smith Jr Scout

                      We utilize the same 'security' as Paul listed above. Our servers are behind the campus firewall, so you are either 1) directly connected on campus, 2) wireless on campus, or 3) VPN authenticated through our network. We also send direct links to the package and not the Uniprint page.

                       

                      If your server is not already, I would suggest you lock down the Uniprint IIS with Windows Firewall (With Advanced Security) at the very least (domain and/or IP subnets of your network/wireless).


                      If you want to add a step and have another method you wish to deploy (SFTP/HTTPS, etc. on a secure system in place) you could disable all access to your /Uniprint site and copy/paste the packages to the other system.
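
Added example, not part of the thread: one way to apply the Windows Firewall lock-down suggested in the last reply, by finding inbound allow rules that open the web ports to any remote address and scoping them to campus subnets. The subnets, the port list, the `$Apply` switch and the rule display name are assumptions for illustration; the cmdlets are from the built-in NetSecurity module.

```powershell
# Added example; the subnets are placeholders (RFC 5737 documentation ranges).
$CampusSubnets = @('192.0.2.0/24', '198.51.100.0/24')  # hypothetical wired and wireless/VPN ranges
$WebPorts      = @('80', '443')                         # assumed IIS bindings for the package site
$Apply         = $false                                 # $false = report only, $true = change rules

# Enabled inbound allow rules that open a web port (TCP) to any remote address.
$openRules = @(Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object {
        $port = $_ | Get-NetFirewallPortFilter
        $addr = $_ | Get-NetFirewallAddressFilter
        $hitsWebPort = @($port.LocalPort | Where-Object { $WebPorts -contains $_ }).Count -gt 0
        $port.Protocol -eq 'TCP' -and $hitsWebPort -and (@($addr.RemoteAddress) -contains 'Any')
    })

foreach ($rule in $openRules) {
    Write-Output "Open to any address: $($rule.DisplayName)"
    if ($Apply) {
        # Narrow the rule's remote scope to the campus ranges only.
        $rule | Set-NetFirewallRule -RemoteAddress $CampusSubnets
    }
}

# No matching rule at all: add an explicit campus-only allow rule.
if ($Apply -and $openRules.Count -eq 0) {
    New-NetFirewallRule -DisplayName 'Package site (campus only)' `
        -Direction Inbound -Action Allow -Protocol TCP `
        -LocalPort $WebPorts -RemoteAddress $CampusSubnets | Out-Null
}

# Show the remote scope of each rule that was flagged, after any change.
$openRules | ForEach-Object {
    $scope = (Get-NetFirewallRule -Name $_.Name | Get-NetFirewallAddressFilter).RemoteAddress
    Write-Output ("{0}: {1}" -f $_.DisplayName, ($scope -join ', '))
}
```

This relies on the firewall profile's default inbound action being Block, and it does not match rules written with a port range or with all ports allowed, so those still need a manual review.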