Checking that users must authenticate to the Proxy server

The simplest way to check whether your users are authenticating correctly to the proxy is to examine the log files.

Open your proxy log file in a text editor. You will see a single line for each web request served by your proxy server. The line contains details about the time of the request, URL visited, amount of data downloaded. Depending on your proxy server, the format will be different, but they all contain similar information. (Below is a sample line from a Microsoft ISA Server log file).

192.168.1.1	matt	Mozilla/4.0 (compatible; MSIE 6.0)	2004-09-22	10:42:07	VM-ISA-SERVER	-	slashdot.org	66.35.250.150	80	2312	373	43937	http	GET	http://slashdot.org/	Inet	200	PaperCut Internet Rule	-	Internal	External	0x480	Allowed

Check that log entries to ensure that the usernames appear in the log file. In the example above the username appears in the second column (matt). Depending on your configuration, the user may contain the Windows Domain name, for example DOMAIN\user

If the logs are correctly showing the username then PaperCut will be able to charge users for Internet usage. To verify this you can see net usage logs appear in PaperCut once PaperCut is installed and configured correctly. If you don't want to enforce internet quotas and disable internet access for users without credit skip to the next section.

If your logs do not contain your user names then your proxy server is not forcing users to authenticate to allow Internet access. Configuring this is dependent on your proxy server. For an example of how to configure this for ISA Server 2004, see the user manual.

Disabling Internet Access for users with no credit

To disable Internet Access when users have not credit available, PaperCut relies on the proxy server to deny the access. When the user has no credit PaperCut, removes the user from the Windows security group that is defined the give Internet access to users. The next time the user attempts to access the Internet through the Proxy server, the proxy server will see that the user does not belong to the security group and will deny access.

When the user is given credit again, the proxy server will again allow them to access the Internet.

For this to work, the proxy server needs to be configured so that PaperCut users are only allowed to access the Internet when they belong to a particular Windows security group. For this article we will call this group 'Internet Users'.

The configuration of diffent types of proxy server is out of scope of this article. A detailed guide to configuring ISA Server 2004 for net quotas can be found in the user manual.

Once you have configured your proxy to only allow access to the 'Internet Users' group, you can do the following to ensure that the proxy is configured correctly (this can be done without having PaperCut installed):

Using the Windows (or Active Directory) user manager, ensure that your user is not a member of the 'Internet Users' group.

Try to connect to the Internet via the proxy server using this user. The proxy server should not allow access.

Using the Windows (or Active Directory) user manager, add the user to the 'Internet Users' group.

Try to access the Internet again, and ensure that access is allowed. NOTE: That some proxy servers cache this information. If this is the case, perform this test using a different user.

If these tests work correctly then disabling of Internet access will work within PaperCut. You just need to set your 'Internet Users' Windows group in the PaperCut Net Charging Options screen.

If you have any other questions about proxy configuration, please feel free to email support@papercut.com.

Checking that users must authenticate to the Proxy server

Disabling Internet Access for users with no credit

Products

Support

Knowledge Base