Before configuring PaperCut NG to monitor the proxy log files, it is important to ensure that the proxy is configured correctly. If the proxy is not configured correctly then PaperCut NG cannot monitor Internet usage. For this reason it's worth spending some time to check the proxy configuration before starting configuring PaperCut NG.
PaperCut NG Internet Control supports the following proxy servers:
Squid Proxy
Microsoft ISA Server 2000/2004/2006
Microsoft Proxy Server Version 2.0
Any other proxy server that generates W3C compliant log files
The most important part of proxy configuration is to ensure that the users who access the Internet are authenticated and that their usernames are logged in the proxy log file. This is essential, because PaperCut NG requires the username in the log file so that Internet usage can be allocated to the correct users.
In many organizations proxy authentication is already enabled so that:
Logging is performed so that inappropriate Internet access can be tracked and users who perform unauthized access can be warned or disciplined.
Access controls can be applied for different groups of users. For example, students may only be allowed to educational web sites, but staff have unrestricted Internet access.
The first step is to verify whether authentication is enabled on the proxy.
The simplest way to check this is to verify that the proxy's access log contains usernames.
By quickly scanning the proxy's access log file it should be easy to see usernames.
Below is a sample log entry for Squid proxy log (e.g. /var/logs/squid/access.log),
with the username chris
.
19.48 203 192.1.1.1 TCP_MISS/200 145 GET http://site.com chris DIRECT image/jpeg
Below is a partial log line from Microsoft ISA Server, for Internet access by matt
.
192.168.1.1 matt Mozilla/4.0 2004-09-22 10:41:59 www.google.com
Detailed instructions for configuring various proxy servers can be found in Appendix D, Proxy server configuration.
To enforce Internet quotas and deny Internet access to users without credit the proxy needs to be configured appropriately. This is achieved differently depending on the proxy server being used.
For Squid proxy running on Unix/Linux a custom Squid ACL helper provided by PaperCut NG can be used. This helper contacts the application server and checks to see if a user has credit available and only allows Internet access if credit is available. Instructions for configuring this can be found in the section called “Restricting Internet Access for users without credit”.
© Copyright 1999-2009. PaperCut Software International Pty Ltd. All rights reserved.