Re: [Emerald] IP

Dan Tang ( (no email) )
Tue, 18 May 1999 13:30:47 +0800

-----Original Message-----
From: Don Barron <>
To: <>
Date: Tuesday, May 18, 1999 12:34 PM
Subject: Re: [Emerald] IP

>>You can not direct the user to the page you want if the user enable the
>>proxy, because the web server will think the request come from proxy

What I mean is your webserver could not redirect the user which have IP address and proxy enabled, becuase the web server thinks the
request is coming from proxy server. Only proxy can tell which IP address
the request comes from. If you set your proxy server deny access from
10.x.x.x with destinantion all but allow access to internal network, then
when customer try to go out the proxy will return a deny access page which
you can configure to redirect to payment or signup page inside your internal
network which they have access.

>>server's IP instead of users IP. Only your proxy server can tell where
>>request come from, whatever you do on webserver is irelevent, I try with
>>Windows NT IIS4.0 and ASP script, without proxy enabled, it worked
>>with proxy enabled, it did not work.
>We block all port 80 requests and make users use the proxy.
>Thats why Squid is a wonderful proxy and so is having redirection scripts
>it or squirm :-))

This one does not work very well. You should assign input IP filters to user
by RADIUS server through account type, this way you have less server load on
SQUID, and easier to implement access poliocy. What we do is have three
basic types of accounts;
1. Sign Up account with following IP filter:
Block All by input filter, allow access to all internal network by input
filter , block access to mail server by input filter, allow access to proxy
server by input filter, session-timeout 45 minute.
2. Trial Account with following filter;
Block all by input filter, allow all access to all internal network.
session-time out 30 minutes.
3. Normal Accout without filter.
If you wish you could use block all for port 80, allow access to proxy
server for port 80 and port 25 or whatever port can be proxied.

>>So the best possible way to give the user IP address which has no access
>>the proxy server, when the user's proxy is enabled, proxy server will
>>a web page says your access id denied, error # xxxx, which you can
>>this page to response to error message and redirect to your signup or
>>payment page, it work well even customer switch to other ISP and forget to
>>change the proxy setting. While on the other hand the web server should
>>deal with those customer do not have proxy enabled.
>>To implement those, Emerald must record the subaccount type when the call
>>was made, so when you make some trigger or schedule to chnage those
>>to other subaccount type, Emerald could consolidate those calls properly.
>but how do you do this part

In RADIUS NT, there is a trigger table which can be used for this purpose
before user account is overdue, or you schedule a job in SQL server agent in
SQL 7.0 to run every now and then, depend on you business to change the use
account type to something else when user's account overdue. So some user
will keep trying while they could not be able to contact support and never
visit you homepage. There could be packed with those calls if the user is a
dummy, when the Emerald consolidate this user's account usage, if it is on
timed charge, he will be charged by time at moment, I am sure the user will
not be happy because they acturally did not use the type of service which
they had been charged on. Only way to avoid this is RadiusNT will record the
account type when the call is made so Emerald can consolidate properly.
IEA-Software has to do some change on their consolidation process and
RADIUSNT accounting process, but it is a minor change.

>>Dan Tang
>>Network Operation
>>Domain Internet Access
>>Sign Up a Dial up account at and get connect
>>right now.
>>Free web hosting for commercial customers.
>>Join the Emerald ASP Addon Product mailing list
>>by sending email to with message body SUBSCRIBE
>>-----Original Message-----
>>From: Don Barron <>
>>To: <>
>>Date: Tuesday, May 18, 1999 11:20 AM
>>Subject: Re: [Emerald] IP
>>>Well is there a way to make it so that anyone who's password does not
>>>it lets them on with a fake IP ?
>>>Then I can direct them to a webpage that atleast says your password does
>>>work so dont bother to dial again, just ring our support line. We seem to
>>>have l/users who keep dialling and then blame me for a wicked phone bill
>>>not getting connected.
>>>Don Barron
>>>World-Link Internet
>>>Thought of the Day:
>>>NEWS! Iraqi head seeks arms
>>>-----Original Message-----
>>>From: Dale E. Reed Jr. <>
>>>To: <>
>>>Date: Tuesday, 18 May 1999 12:36
>>>Subject: Re: [Emerald] IP
>>>>Don Barron wrote:
>>>>> Is there a way after a users time has expired that you can configure
>>>>> to allow a user to still log in but give them a fake IP ( for
>>>eg ).
>>>>> This way I can configure the proxy to take them to a web page that
>>>>> account has expired, give me your credit card number and you can have
>>>>> time after you redial. ?
>>>>Not currently. This is something we are looking into adding in the
>>>>future, though.
>>>>Dale E. Reed Jr. Emerald and RadiusNT
>>>>IEA Software, Inc.