Special Edition Using Microsoft BackOffice, Volume I



Chapter 22

Implementing Microsoft Proxy Server

by Azam A. Mirza

Learn about the hardware, software, and other requirements for setting up and running a Proxy Server.
Learn about the components that come together to provide Internet access control using the Proxy Server. The two major services supported by the Proxy Server are introduced in this section.
Learn how to set up and install the Proxy Server, including the planning steps necessary to prepare for Proxy Server installation.
Learn about administering the Proxy Server using the Internet Service Manager. Configuration of Proxy Server services is discussed in detail, as is using the Proxy Server Auto Dial feature to establish dynamic Internet connectivity.
Learn about securing your Proxy Server installation from unauthorized access and tampering by setting security policies and appropriate server permissions.

In other chapters in Part V, "Advanced I-Net Development," you learned about the I-net and the various server based components that come together to provide I-net connectivity. This chapter discusses in detail the Microsoft Proxy Server component of the BackOffice family of products. Proxy Server is a higher level server component that sits on top of the Internet Information Server (IIS) to provide a particular piece of the I-net connectivity puzzle.

The main purpose of Proxy Server is to act as an access control gateway for providing clients connectivity to the Internet. Proxy Server enables secure, two-way communications between clients on a local network and the Internet by passing requests between the local network and the Internet. The Proxy Server services client requests and server responses but masks the identities of the client and server from each other. In addition, Proxy Server uses access control lists to limit outgoing access by clients and access from the Internet by unauthorized users.


NOTE: To the Proxy Server, a client is a computer, software, or service that makes a request for information from a server machine on a network. A server is a computer, software, or service that responds to the request.

The following sections detail the resource requirements for setting up and installing the Proxy Server, its features and administration. Special attention is paid to issues relating to security when providing enterprise-wide Internet connectivity.

Resource Requirements

Careful planning in implementing an effective solution is very important to the success of an organization's Internet connectivity. The setup of a Proxy Server requires special attention to the requirements for hardware and software.

Proxy Server not only requires special hardware considerations, it also requires certain software components for proper installation and operation. Each of these requirements is discussed in detail below.

Hardware

The hardware requirements in terms of running a Proxy Server machine are identical to the requirements for Windows NT Server 4.0 and Internet Information Server.

However, in addition to the machine running Proxy Server, there are other hardware components that play an important role in setting up an effective Proxy Server implementation.

One of the most important considerations is the storage subsystem. The Proxy Server caches frequently accessed Web sites and documents on its local hard disks. The use of a fast and high throughput subsystem can substantially increase system performance and server response time.

In addition, get as much memory as possible in your Proxy Server machine. A typical installation with 64M of RAM is not unreasonable. The memory requirements will be greatly influenced by the number of users being supported and the number of simultaneous connections being handled.


TIP: The use of the NTFS file system for the hard disk subsystem is a good idea, due to its high throughput, fault tolerance, and security features.


TIP: It is a good idea to spread the Proxy Server storage requirements across multiple physical disks to improve system performance.

The speed of the Internet connection is also very important. The choices most commonly available currently include the following:

Software

The Proxy Server is a component of the Microsoft BackOffice suite of server components. However, since Proxy Server is a higher level component, it requires certain BackOffice components for its operation.

The following software components are required for successful installation of Proxy Server:


CAUTION: You must upgrade the Windows NT Server installation by installing the Windows NT Server 4.0 Service Pack 1 maintenance update to your Proxy Server machine. The service pack is included on your Proxy Server CD.

Make sure the appropriate drivers are installed for the network cards, modems, or ISDN adapters being used.


TIP: The machine running the Proxy Server can be a Primary Domain Controller, Backup Domain Controller, or a stand-alone server. However, it is recommended that you configure the Proxy Server machine as a stand-alone server to improve performance and security.

Proxy Server Features

Microsoft Proxy Server provides a rich and powerful combination of functionality and ease of use for establishing corporate-wide secure Internet connectivity. It acts as a gateway between the local network and the external Internet. It leverages the Microsoft BackOffice suite of server products to provide advanced security, high performance, reliability, and ease of use features. Some of the features supported by Proxy Server include:

Proxy Server provides its functionality through two Windows NT services that run on a server machine: Web Proxy service and WinSock Proxy service. The following sections detail some of the features supported by these services.

Web Proxy Service

The Web Proxy service provides some of the basic functionality needed to implement the Proxy Server. It is a standards-based service that supports the common Internet protocols, such as HTTP, FTP, and Gopher.


NOTE: The Web Proxy service is CERN-proxy compatible, which is the standard used by most popular proxy implementations.

Some of the features supported by Web Proxy include the following:

WinSock Proxy Service

The WinSock Proxy service provides services for Windows applications that comply with the Windows Sockets version 1.1. Some of the features supported by the WinSock Proxy Service include the following:

Having learned about the features of the Proxy Server, the following sections discuss its installation, setup, and administration functions.

Setting Up Your Proxy Server

In this section, you learn about installation and setup of a Proxy Server machine. Proxy Server installs the Web Proxy and WinSock Proxy services to control Internet access and network security. Before you can install Proxy Server, you need to complete the following steps:

  1. Set up a computer with Windows NT Server version 4.0 or higher. Make sure the TCP/IP services are installed during Windows NT Server installation.

  2. Install the Windows NT Server 4.0 Service Pack 1.


    NOTE: Service Pack 1 is included on the Proxy Server CD.

  3. Install Internet Information Server version 3.0.


    TIP: IIS can be installed during the installation of Windows NT Server 4.0 or at a later time by using the IIS Setup program. During the installation process, you will get the option of installing IIS. You can install IIS at that point or use the Setup program later to install IIS. The two procedures are identical, and this chapter outlines the procedure for installing IIS on a pre-configured Windows NT Server 4.0 machine.

  4. Make sure you have an administrator logon ID and password that you can use to install Proxy Server.

  5. Make sure these steps are completed before you attempt to install the Proxy Server software.

Installing Proxy Server

To install the Proxy Server, follow these steps:

  1. From the Start menu, choose Run.

  2. In the Run dialog box, type <path>:\setup.exe for the command line, where <path> refers to the CD-ROM location where the Proxy Server CD is located. For example, d:\setup.exe.

  3. Click OK.


    NOTE: During setup, you can click the Help button at any time to get help on installing the Proxy Server.


    NOTE: You can also open a command prompt and enter <path>:\setup.exe at the command line.

  4. After you have started the Setup program for Proxy Server, perform the following steps:

  5. Read the Welcome Screen shown in Figure 22.1.

    FIG. 22.1
    The Proxy Server Setup Welcome screen provides information about running the Setup program.

  6. Click Continue. The Proxy Server Setup dialog box appears (see Figure 22.2).

    FIG. 22.2
    The Proxy Server Setup dialog box enables you to change the default installation directory for Proxy Server.
  7. If needed, change the folder where Proxy Server will be installed by clicking the Change Folder button; otherwise press the Installation Options button.

  8. The Installation Options dialog box appears, as shown in Figure 22.3.

    FIG. 22.3
    The Proxy Server Installation Options dialog box enables you to select the various services that will be installed during Proxy Server installation.

  9. By default, all options are selected. Make the appropriate selections for your needs and click Continue. (For a first-time installation, you should install the Proxy Server and the Administration tool. Documentation files can be installed at a later time if so desired.)

  10. The Proxy Server Cache Drives dialog box appears (see Figure 22.4). Assign appropriate disk space for caching by selecting a drive, entering a value for Maximum Size (MB), and clicking Set. When done, click OK.

    FIG. 22.4
    Cache drives are used by Proxy Server to store frequently accessed data files.


    NOTE: You must assign at least one drive and 5M of disk space for caching. The minimum recommended caching space for Proxy Server is 100M plus 0.5M for each client being serviced by the Proxy Server.


    TIP: It is a good idea to use NTFS drives for caching. They provide better performance and security.


    CAUTION: Do not use removable media or CD-ROM drives as caching drives.

  11. The Local Address Table Configuration dialog box appears, as shown in Figure 22.5. Define IP addresses being used by your internal network here. You can define multiple ranges from the pool of your IP addresses. However, each range must be a contiguous block of IP addresses. Click OK.

    FIG. 22.5
    Local Address Tables (LATs) enable you to define the IP address ranges that constitute your internal network.

  12. You can also create a LAT by using the Construct Table button. When pressed, the Construct Local Address Table dialog box appears (see Figure 22.6). This dialog box enables you to include some pre-defined private internal network IP ranges as part of your LAT. It also enables you to obtain IP address ranges from your network adapter cards and from internal routing tables.

    FIG. 22.6
    The Construct Local Address Table dialog box enables you to include some pre-defined IP ranges as part of your internal network.


    TIP: It is a good idea to use the Construct Local Address Table dialog box to include the pre-defined ranges and then add any other internal network ranges to the list.

  13. When finished, click OK to return to the Local Address Table Configuration dialog box.

  14. If you need to add any other IP address to the LAT table, use the From and To boxes and the Add button to add the ranges to the LAT table list.

  15. When finished, click OK. The Client Installation/Configuration dialog box appears, as shown in Figure 22.7.

    FIG. 22.7
    The Client Installation/Configuration dialog box enables you to set up the options for installation of WinSock and Web Proxy Clients.

  16. Use the WinSock Proxy Client combo box to set up the options for installing WinSock clients from this server. Choose the method clients will use to connect to the Proxy Server. Clients can connect to the server by using its name or IP address.


    CAUTION: If using a DNS name, make sure the name displayed in the text box is correct, and ensure that the DNS server has an appropriate entry for the Proxy Server name.

  17. The Enable Access Control check box enables Proxy Server security and ensures that only clients with appropriate permissions can use the WinSock Proxy service. If disabled, all clients will have access to the WinSock Proxy service.

  18. Use the Web Proxy Client combo box to set up the options for installing Web Proxy Clients from this server. If you click the Set Client Setup to Configure Browser Proxy Settings check box, the Client Setup program will automatically configure the Web browser software to use the appropriate Proxy Server.


    NOTE: The Set Client Setup to Configure Browser Proxy Settings feature works only with Netscape Navigator and Microsoft Internet Explorer Web browsers.

  19. Make sure the correct Proxy Server name is listed in the text box.


    NOTE: You cannot configure the Connect Clients to Proxy via Port setting here. The setting is preset for Internet Information Server. You must use the Internet Service Manager to change this value. The configuration of this option is covered later in this chapter.

  20. The Enable Access Control check box enables Proxy Server security and ensures that only clients with appropriate permissions can use the WinSock Proxy service. If disabled, all clients will have access to the WinSock Proxy service.

  21. When finished, click OK. The Setup program will install the necessary files and complete the Proxy Server setup.


    TIP: To uninstall Proxy Server, select the Uninstall option from the Proxy Server Program group.

  22. At this point, Proxy Server installation is complete. You can use the Proxy Server program group to start the Internet Service Manager and administer Proxy Server services.
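The Local Address Table built in steps 11 through 14 is what tells Proxy Server which addresses count as internal, so it is worth checking before the server goes into service. The following is an added example, not part of the original chapter or of Proxy Server itself: it reads From/To pairs like those typed into the dialog and reports entries that reach outside private address space or repeat an existing range. It assumes the "pre-defined private" ranges are the RFC 1918 blocks; the input format and all function names are constructed for illustration.

```python
import ipaddress

# Assumption: the dialog's "pre-defined private" ranges are the RFC 1918 blocks.
PRIVATE_BLOCKS = [ipaddress.ip_network(n)
                  for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: one "From To" pair per line, as entered in the dialog.
SAMPLE_LAT = """\
10.0.0.0      10.255.255.255
172.16.0.0    172.31.255.255
192.168.0.0   192.168.255.255
192.168.10.0  192.168.10.255    # already covered by the line above
198.51.100.0  198.51.100.255    # documentation range standing in for public space
"""


def parse_lat(text):
    """Parse 'From To' pairs; '#' starts a comment. Each pair is one contiguous range."""
    ranges = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected 'From To'")
        lo, hi = (ipaddress.IPv4Address(p) for p in parts)
        if lo > hi:
            raise ValueError(f"line {lineno}: From is above To")
        ranges.append((lo, hi))
    return ranges


def within_private(lo, hi):
    """True when the whole range sits inside a single private block."""
    return any(lo in net and hi in net for net in PRIVATE_BLOCKS)


def audit_lat(ranges):
    """Return (kind, from, to) findings for entries that deserve a second look."""
    findings = []
    highest = None  # highest address covered by the ranges seen so far
    for lo, hi in sorted(ranges):
        if not within_private(lo, hi):
            # May be legitimate (an organization's own registered block),
            # but every such entry should be a deliberate choice.
            findings.append(("not-private", str(lo), str(hi)))
        if highest is not None and lo <= highest:
            findings.append(("overlap", str(lo), str(hi)))
        if highest is None or hi > highest:
            highest = hi
    return findings


def is_local(address, ranges):
    """Classify one address the way the table does: local if any range holds it."""
    addr = ipaddress.IPv4Address(address)
    return any(lo <= addr <= hi for lo, hi in ranges)


if __name__ == "__main__":
    lat = parse_lat(SAMPLE_LAT)
    for finding in audit_lat(lat):
        print(finding)
    print("192.168.10.7 local:", is_local("192.168.10.7", lat))
    print("203.0.113.9 local:", is_local("203.0.113.9", lat))
```

A "not-private" finding is a prompt for review rather than an error: a site that uses its own registered addresses internally will list them on purpose.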

Administering Proxy Server

A powerful combination of tools and services is provided in the BackOffice suite for administering the Proxy Server. The central administrative tool for Proxy Server is the Internet Service Manager provided with Internet Information Server. The Proxy Server Setup program modifies the Internet Service Manager so it can also manage the Web Proxy and the WinSock Proxy services. In addition, tools included with Windows NT Server, such as the Performance Monitor and User Manager, can be used to administer various facets of the Proxy Server.

The following sections discuss Proxy Server administration in detail.

Using the Internet Service Manager

The Internet Service Manager is the focal point for most Proxy Server administration tasks. In particular, the Internet Service Manager is used to administer the two services provided by the Proxy Server: Web Proxy service and WinSock Proxy service.

To administer Proxy Server services through Internet Service Manager, follow these steps:

  1. From the Start menu, select Programs, Microsoft Proxy Server, Internet Service Manager.

  2. The Internet Service Manager is displayed, as shown in Figure 22.8. All services running on the currently selected server are listed.

    FIG. 22.8
    The Internet Service Manager can be used to administer Proxy Server services.

  3. If managing a different server, connect to that server by choosing Properties, Connect.


    NOTE: Internet Service Manager can be used to administer local, as well as remote, Proxy Servers.

  4. You can also list all servers running Internet services on the network by choosing Properties, Find All Servers.

  5. Once connected to the desired server, you can administer the particular Proxy Server service by double-clicking the computer name next to the service.

  6. The following sections describe in detail the configuration options for the two Proxy Server Services: administering Web Proxy service and WinSock Proxy service.

  7. The Internet Service Manager uses property sheets to configure and manage services running on the server. Property sheets are tabbed dialog boxes for configuring all options for a particular service.

Administering Web Proxy Service

To configure the Web Proxy service, from the Internet Service Manager screen, double-click the computer name next to the Web Proxy Service. The Web Proxy Service Properties dialog box appears with the Service tab selected (see Figure 22.9).

FIG. 22.9

The Service tab enables you to configure basic service options for the Proxy Server.

The Web Proxy Service Properties dialog box displays tabs for each category that can be configured. You can use property sheets to configure the following Web Proxy service categories:

Each of these categories is discussed in detail in the following sections.

Services

The Service tab sets basic options for the Web Proxy service (refer to Figure 22.9). To set these options, click the Service tab and follow these steps.

The Product ID number and the Comment text box are used by the system to identify the Proxy Server. Enter a comment that can be used to identify the Web Proxy service.

The Enable Internet Publishing check box determines if the Proxy Server will allow outside Internet users to gain access to Web servers on the local network. By default, this box is unchecked.


CAUTION: Be careful about enabling the Enable Internet Publishing check box. Make sure you understand the security risks and take appropriate measures to counteract unauthorized access to your Web sites and corporate network.

See "Windows NT Security Overview," [Ch 8]

See "Defining an Internet Security Plan," [Ch 18]


Pressing the Current Sessions button displays the Web Proxy Service User Sessions dialog box, as shown in Figure 22.10. This allows administrators to view the user connections currently using the Proxy Server service.

FIG. 22.10

The Web Proxy Service User Sessions dialog box can be used to dynamically monitor user activity across the Proxy Server.

The Edit Local Address Table (LAT) button on the Service tab enables administrators to make changes to the LAT table as discussed earlier.

Once finished, click Apply to commit changes or click OK to close the Properties dialog box and continue.

Permissions

The Permissions tab is used to configure access control permissions for the Web Proxy service (see Figure 22.11).

FIG. 22.11

The Permissions tab allows administrators to control client access to the Web Proxy service.

The Permissions tab can be used to control access for the following Internet services:

Permissions are granted on a per-service basis. You will need to set up access lists for each service individually by selecting the appropriate service in the Protocol drop-down list box. To grant users and groups permissions to the various Internet protocols, use the Add button. This brings up the Add Users and Groups dialog box, as shown in Figure 22.12.

FIG. 22.12

The Add Users and Groups dialog box is used to grant Internet access permissions.

Once finished, click the Apply or OK button to commit changes.

Caching

The Caching tab is used to configure caching information for the Web Proxy service (see Figure 22.13).

FIG. 22.13

The Caching parameters are critical for optimal Web Proxy service performance.


TIP: Once enabled, caching stores the most frequently accessed locations and documents on the local storage subsystem. The main purpose of caching is to optimize system performance.

To set caching options, follow these steps:

Set appropriate values for the Cache Expiration Policy and Enable Active Caching options.


NOTE: It is best to experiment with these values and monitor the results to determine what is the best setting for your network needs.

The Change Cache Size button enables administrators to expand or contract the size of the allocated cache disk space. Typical cache sizes are about 2 to 4M for each concurrent user connected through the proxy server.

The Reset Defaults button restores the original caching values.

The Advanced button displays the Advanced Cache Policy dialog box as shown in Figure 22.14. This dialog box can be used to set a maximum size limit for cached objects and to reuse expired objects from cache when the Web site is unavailable.

FIG. 22.14

Advanced caching options allow fine-tuning of caching performance.

The Cache Filters combo box options enable administrators to specify sites that should be especially cached or not. Pressing the Add button brings up the Cache Filter Properties dialog box, which allows you to add specific URL locations for the cache filters (see Figure 22.15).

FIG. 22.15

By caching frequently visited site URLs, performance can be greatly improved.

Once finished, click the Apply or OK button on the Caching tab to commit changes.

Logging

The Logging tab is used to configure event logging options for the Web Proxy service (see Figure 22.16).

FIG. 22.16

The Logging tab can be used to set up elaborate reporting for troubleshooting purposes.

Logging information can be stored in log files; or you can use an ODBC compatible database, such as Microsoft SQL Server, to store logging information.


TIP: You can use a single log file or a single ODBC database to store logging information from multiple servers.

To configure logging information, click the Logging tab and follow these steps:

Click the Enable Logging check box to start logging for the Web Proxy service.

Choose the Regular Logging or Verbose Logging option. The Verbose option provides more detailed textual descriptions of log entries whereas the Regular option provides logging codes.

Choose the Log to File or Log to SQL/ODBC Database option button.

If you choose the Log to File option, you have the following choices:


NOTE: If you do not use the Automatically Open New Log File option, the same log file will be used indefinitely. You must select an existing directory or manually create a new directory for log files using the File Manager or the MKDIR command.

If you chose the Log to SQL/ODBC Database option, you must configure the following options:


NOTE: You must use the ODBC Applet in the Control Panel to create the specified system ODBC data source.

Click OK to continue, or click Apply to immediately implement the changes.


CAUTION: Logging to an ODBC data source is slower than logging to a file. Sites with heavy traffic should consider logging to a file for performance reasons or adding processing power to the server to support the additional load, such as adding a processor and higher performance disk subsystem.

Filters

The Web Proxy Service Properties Filters tab is used to specify access limits and to control the network traffic on your Proxy Server (see Figure 22.17). You can choose a default access option that either will grant access to all users or deny access to all users. Then you can specify individual computers or groups that are the exceptions to the default.

FIG. 22.17

The Web Proxy service Filters tab can be used to specify access control properties and network usage limits.

In this section, the option of granting access by default and entering exceptions that will be denied access is described.

To configure Filters options, click the Filters tab on the Web Proxy Service Properties dialog box and follow these steps:

Select the Enable Filtering option for access control.

To exclude computers from having access, you can specify computers that will be granted access using the Add button. This displays the Grant Access To dialog box (see Figure 22.18).

FIG. 22.18

The Grant Access To dialog box is used to grant access to selected computers when a default policy that denies access to everyone has been chosen.

In the Grant Access To dialog box, specify the computer or the group of computers that will be granted access using the IP addresses for those computers. For a group of computers, you must also specify a subnet mask used by the group of computers. You can also specify a Domain name.

Click OK to return to the Filters tab.

The specified computer or group of computers will show up in the included list. You can specify more computers to exclude, or remove computers from the list by selecting them and clicking Remove. Use the Edit button to change the Grant Access To properties for a computer from the list.

When finished, click OK to continue, or click Apply to immediately enforce the changes.
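The Filters model above (a default of grant or deny, plus exceptions entered as an IP address with an optional subnet mask) can be modelled to see how far each exception reaches before it is applied. This is an added example, not code from the chapter or from Proxy Server; the function names and sample addresses are constructed for illustration.

```python
import ipaddress


def make_entry(ip, mask="255.255.255.255"):
    """One exception: a single computer (default mask) or a group (IP + subnet mask).

    strict=False accepts any host address inside the group, as an administrator
    might type it; a non-contiguous mask raises ValueError.
    """
    return ipaddress.IPv4Network(f"{ip}/{mask}", strict=False)


def allowed(address, default_grant, exceptions):
    """Apply the default policy, inverted for any address matching an exception."""
    addr = ipaddress.IPv4Address(address)
    is_exception = any(addr in net for net in exceptions)
    return default_grant != is_exception


def breadth(exceptions):
    """List each exception with the number of addresses it covers.

    A mask one octet too short turns a 256-address group into 65,536 addresses,
    which is easy to miss in a dialog box and obvious in this report.
    """
    return [(str(net), net.num_addresses) for net in exceptions]


if __name__ == "__main__":
    # Constructed sample exceptions.
    exceptions = [
        make_entry("192.168.5.20"),                    # one computer
        make_entry("192.168.7.0", "255.255.255.0"),    # a group of 256 addresses
    ]
    for net, count in breadth(exceptions):
        print(f"{net:20} covers {count} addresses")

    # Default policy grants access; the exceptions are denied.
    for client in ("192.168.5.20", "192.168.7.99", "192.168.8.1"):
        print(client, "allowed" if allowed(client, True, exceptions) else "denied")

    # The same group entered with a mask that is too short.
    print(breadth([make_entry("192.168.7.0", "255.255.0.0")]))
```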

Administering WinSock Proxy Service

To configure the WinSock Proxy service running on a Proxy Server, double-click the computer name running the service to bring up the WinSock Proxy service properties dialog box. The WinSock Proxy service dialog box displays tabs for each category that can be configured. The categories are as follows:

The Services, Logging, and Filters tabs are identical to those used for the Web Proxy service. Refer to the previous section for the Web Proxy service for more information on setting these options. (The Protocols tab, which is different for the WinSock Proxy service, is discussed in this section.)

The WinSock Protocols tab is used to define or reconfigure existing Internet protocols that clients can use to access resources on the Internet (see Figure 22.19).

FIG. 22.19

The Protocols tab defines parameters for the various Web access technologies.

The Proxy Server comes equipped with a large number of protocol definitions, such as RealAudio, VDOLive, SMTP, POP3, and NNTP. By defining protocols for the common Internet protocols, access can be granted or denied to clients using the Permissions tab. To add a protocol definition from the Protocols tab, follow these steps:

Choose the protocol in the Protocol Definitions drop-down list box and click the Add button. The Protocol Definition dialog box is displayed (see Figure 22.20).

FIG. 22.20

The Protocol Definition dialog box can be used to add support for additional Internet protocols.

Provide a Protocol Name in the text box.


CAUTION: The protocol name and port number must be unique for each new protocol.

In the Initial Connection box, provide a Port number.


TIP: Most common protocol port numbers are defined in the PROTOCOL file located in the <systemroot>\system32\drivers\etc directory. You can print that file to have a list of protocol and port numbers handy.

Select the protocol type.

In the Direction box, specify if the protocol will be used for inbound or outbound traffic initially.

Use the Port Ranges for Subsequent Connections combo box to specify additional port ranges for protocols that facilitate both inbound and outbound traffic. The FTP protocol and the Telnet service are examples of two-way traffic protocols.

Click OK to save the new protocol definition.

Proxy Server Auto Dial Configuration

The Proxy Server Auto Dial feature is provided for scenarios when your organization's Internet connection is not permanent. A permanent, or dedicated, connection maintains constant connectivity to the Internet. A non-dedicated connection establishes itself as needed. Usually, non-dedicated connections are terminated when there has been no traffic for a certain period of time and re-established when Internet traffic is generated.

The Proxy Server Auto Dial feature provides dynamic connection of non-dedicated Internet connections. When a client machine generates an Internet request, the Proxy Server recognizes it, re-establishes the Internet connection and services the client request.

To configure Auto Dial, follow these steps:

From the Start menu, choose Programs, Microsoft Proxy Server, Auto Dial Configuration. This displays the Microsoft Proxy Auto Dial dialog box (see Figure 22.21).

FIG. 22.21

The Dialing Hours tab can be used to set valid times for Dial on Demand connectivity.

Click the Dialing Hours tab.

Select the Enable Dial on Demand check box.

Select time slots when Proxy Server can dynamically establish a connection to the Internet. If time slots are set up, users can only connect to the Internet during those times. All requests during invalid times are denied by the Proxy Server.

Select the Credentials tab (see Figure 22.22). It is used to provide logon authentication information for establishing Auto Dial connections.

FIG. 22.22

The Credentials tab is used to provide logon authentication information for establishing an Auto Dial Internet connection.

Select the appropriate entry from the RAS phonebook entries list.

Provide a User Name and Password that can be used to connect to the Internet.

Optionally, provide a Domain name if required for connectivity.

Click Apply or OK to commit changes. Auto Dial configuration is complete.

Monitoring Proxy Server Performance

There are a multitude of ways to monitor Proxy Server performance. Proxy Server uses the Windows NT built-in monitoring tool called Performance Monitor to provide administrators with a means to gauge system performance and diagnose problems.

In addition to the Performance Monitor, the Windows NT logging system records events for Proxy Server. The built-in Proxy Server logging mechanism can also be used to gain insight into the server operation and performance.

Proxy Server also provides SNMP based monitoring capabilities. If you are using SNMP based monitoring tools, Proxy Server provides MIB files that can be used to enable SNMP monitoring.

However, Performance Monitor provides the most well-integrated and easy to use means of monitoring system performance for Proxy Server. When Proxy Server is first installed, three Performance Monitor objects are created to monitor Proxy Server activity. These include the following:

To monitor Proxy Server performance, follow these steps:

From the Start menu, choose Programs, Microsoft Proxy Server, Monitor Microsoft Proxy Server Performance. The Performance Monitor screen appears (see Figure 22.23).

FIG. 22.23

Performance Monitor can be used to monitor Proxy Server activity and diagnose performance bottlenecks.

To view additional counters, choose File, New Chart.

Choose Edit, Add to Chart. The Add to Chart dialog box appears.

In the Add to Chart dialog box, select an object to monitor, such as the WinSock Proxy Server service.

Select a counter from the counters list.

Click Add and then click Done.

See "Performance Monitor," [Ch 7]

Implementing Server Security

Installing and operating a Proxy Server involves paying special attention to the security issues involved. If you are running a server being accessed by thousands of users internally, security of your server and other computers on your enterprise network becomes an important issue. Microsoft addresses the security needs of administrators by integrating security for Proxy Server with the security model built into Windows NT Server.

Windows NT provides powerful security features for user authentication, access control, and auditing. Proxy Server leverages these capabilities of the Windows NT operating system to provide security for its Internet-based services.

Windows NT uses a security model that handles security for all services using a single logon authentication mechanism. By creating user accounts and setting access permissions for those accounts, administrators can control what resources and services are available to users.

You can minimize the chance of security problems by adopting these standards:

See "Understanding BackOffice Security," [Chap 5]

See "Setting Permissions on Shared Resources," [Chap 7]

From Here...

This chapter presented the features available in Microsoft Proxy Server, how to set up and install Proxy Server, how to administer your Proxy Server, and how to secure your installation. For more information on these and related topics, see the following chapters:




Macmillan Computer Publishing USA

© Copyright, Macmillan Computer Publishing. All rights reserved.