by Azam A. Mirza
In other chapters in Part V, "Advanced I-Net Development," you learned about the I-net and the various server based components that come together to provide I-net connectivity. This chapter discusses in detail the Microsoft Proxy Server component of the BackOffice family of products. Proxy Server is a higher level server component that sits on top of the Internet Information Server (IIS) to provide a particular piece of the I-net connectivity puzzle.
The main purpose of Proxy Server is to act as an access control gateway for providing clients connectivity to the Internet. Proxy Server enables secure, two-way communications between clients on a local network and the Internet by passing requests between the local network and the Internet. The Proxy Server services client requests and server responses but masks the identities of the client and server from each other. In, addition, Proxy Server uses access control lists to limit outgoing access by clients and access from the Internet by unauthorized users.
NOTE: To the Proxy Server, a client is a computer, software, or service that makes a request for information from a server machine on a network. A server is a computer, software, or service that responds to the request.
The following sections detail the resource requirements for setting up and installing the Proxy Server, its features and administration. Special attention is paid to issues relating to security when providing enterprise-wide Internet connectivity.
Careful planning in implementing an effective solution is very important to the success of an organization's Internet connectivity. The setup of a Proxy Server requires special attention to the requirements for hardware and software.
Proxy Server not only requires special hardware considerations, it also requires certain software components for proper installation and operation. Each of these requirements is discussed in detail below.
The hardware requirements in terms of running a Proxy Server machine are identical to the requirements for Windows NT Server 4.0 and Internet Information Server.
However, in addition to the machine running Proxy Server, there are other hardware components that play an important role in setting up and effective Proxy Server implementation.
One of the most important considerations is the storage subsystem. The Proxy Server caches frequently accessed Web sites and documents on its local hard disks. The use of a fast and high throughput subsystem can substantially increase system performance and server response time.
In addition, get as much memory as possible in your Proxy Server machine. A typical installation with 64M of RAM is not unreasonable. The memory requirements will be greatly influenced by the number of users being supported and the number of simultaneous connections being handled.
TIP: The use of NTFS file system for the hard disk subsystem is a good idea, due to its high throughput, fault tolerance, and security features.
TIP: It is a good idea to spread the Proxy Server storage requirements across multiple physical disks to improve system performance.
The speed of the Internet connection is also very important. The choices most commonly available currently include the following:
The Proxy Server is a component of the Microsoft BackOffice suite of server components. However, since Proxy Server is a higher level component, it requires certain BackOffice components for its operation.
The following software components are required for successful installation of Proxy Server:
CAUTION: You must upgrade the Windows NT Server installation by installing the Windows NT Server 4.0 Service Pack 1 maintenance update to your Proxy Server machine. The service pack is included on your Proxy Server CD.
Make sure the appropriate drivers are installed for the network cards, modems, or ISDN adapters being used.
TIP: The machine running the Proxy Server can be a Primary Domain Controller, Backup Domain Controller, or a stand-alone server. However, it is recommended that you configure the Proxy Server machine as a stand-alone server to improve performance and security.
Microsoft Proxy Server provides a rich and powerful combination of functionality and ease of use for establishing corporate-wide secure Internet connectivity. It acts as a gateway between the local network and the external Internet. It leverages the Microsoft BackOffice suite of server products to provide advanced security, high performance, reliability, and ease of use features. Some of the features supported by Proxy Server include:
Proxy Server provides its functionality through two Windows NT services that run on a server machine: Web Proxy service and WinSock Proxy service. The following sections detail some of the features supported by these services.
The Web Proxy service provides some of the basic functionality needed to implement the Proxy Server. It is a standards-based service that supports the common Internet protocols, such as HTTP, FTP, and Gopher.
NOTE: The Web Proxy service is CERN-proxy compatible, which is the standard used by most popular proxy implementations.
Some of the features supported by Web Proxy include the following:
The WinSock Proxy service provides services for Windows applications that comply with the Windows Sockets version 1.1. Some of the features supported by the WinSock Proxy Service include the following:
Having learned about the features of the Proxy Server, the following sections discuss its installation, setup, and administration functions.
In this section, you learn about installation and setup of a Proxy Server machine. Proxy Server installs the Web Proxy and WinSock Proxy services to control Internet access and network security. Before you can install Proxy Server, you need to complete the following steps:
NOTE: Service Pack 1 is included on the Proxy Server CD.
TIP: IIS can be installed during the installation of Windows NT Server 4.0 or at a later time by using the IIS Setup program. During the installation process, you will get the option of installing IIS. You can install IIS at that point or use the Setup program later to install IIS. The two procedures are identical, and this chapter outlines the procedure for installing IIS on a pre-configured Windows NT Server 4.0 machine.
To install the Proxy Server, follow these steps:
NOTE: During setup, you can click the Help button at any time to get help on installing the Proxy Server.
NOTE: You can also open a command prompt and enter <path>:\setup.exe at the command line.
NOTE: You must assign at least one drive and 5M of disk space for caching. The minimum recommended caching space for Proxy Server is 100M plus 0.5M for each client being serviced by the Proxy Server.
TIP: It is a good idea to use NTFS drives for caching. They provide better performance and security.
CAUTION: Do not use removable media or CD-ROM drives as caching drives.
TIP: It is a good idea to use the Construct Local Address Table dialog box to include the pre-defined ranges and then add any other internal network ranges to the list.
CAUTION: If using a DNS name, make sure the name displayed in the text box is correct, and ensure that the DNS server has an appropriate entry for the Proxy Server name.
NOTE: The Set Client Setup to Configure Browser Proxy Settings feature works only with Netscape Navigator and Microsoft Internet Explorer Web browsers.
NOTE: You cannot configure the Connect Clients to Proxy via Port setting here. The setting is preset for Internet Information Server. You must use the Internet Service Manager to change this value. The configuration of this option is covered later in this chapter.
TIP: To uninstall Proxy Server, select the Uninstall option from the Proxy Server Program group.
A powerful combination of tools are services are provided in the BackOffice suite for administering the Proxy Server. The central administrative tool for Proxy Server is the Internet Service Manager provided with Internet Information Server. The Proxy Server Setup program modifies the Internet Service Manager so it can also manage the Web proxy and the WinSock Proxy services. In addition, tools included with Windows NT Server, such as the Performance Monitor and User Manager, can be used to administer various facets of the Proxy Server.
The following sections discuss Proxy Server administration in detail
The Internet Service Manager is the focal point for most Proxy Server administration tasks. In particular, the Internet Service Manager is used to administer the two services provided by the Proxy Server: Web Proxy service and WinSock Proxy service.
To administer Proxy Server services through Internet Service Manager, follow these steps:
NOTE: Internet Service Manager can be used to administer local, as well as remote, Proxy Servers.
Administering Web Proxy Service
To configure the Web Proxy service, from the Internet Service Manager screen, double-click the computer name next to the Web Proxy Service. The Web Proxy Service Properties dialog box appears with the Services tab selected (see Figure 22.9).
The Service tab enables you to configure basic service options for the Proxy Server.
The Web Proxy Service Properties dialog box displays tabs for each category that can be configured. You can use property sheets to configure the following Web Proxy service categories:
Each of these categories is discussed in detail in the following sections.
The Service tab sets basic options for the Web Proxy service (refer to Figure 22.9). To set these options, click the Service tab and follow these steps.
The Product ID number and the Comment text box are used by the
system to identify the Proxy Server. Enter a comment that can be used to identify
the Web Proxy service.
The Enable Internet Publishing check box determines if the Proxy
Server will allow outside Internet users to gain access to Web servers on the local
network. By default, this box is unchecked.
CAUTION: Be careful about enabling the EnableInternet Publishing check box. Make sure you understand the security risks and take appropriate measures to counteract unauthorized access to your Web sites and corporate network.See "Windows NT Security Overview," [Ch 8]
See "Defining an Internet Security Plan," [Ch 18]
Pressing the Current Sessions button displays the Web Proxy Service
User Sessions dialog box, as shown in Figure 22.10. This allows administrators to
view the user connections currently using the Proxy Server service.
The Web Proxy Service User Sessions dialog box can be used to dynamically monitor user activity across the Proxy Server.
The Edit Local Address Table (LAT) button on the Service tab
enables administrators to make changes to the LAT table as discussed earlier.
Once finished, click the Apply to commit changes or click OK
to close the Properties dialog box and continue.
The Permissions tab is used to configure access control permissions for the Web Proxy service (see Figure 22.11).
The Permissions tab allows administrators to control client access to the Web Proxy service.
The Permissions tab can be used to control access for the following Internet services:
Permissions are granted on a per-service basis. You will need to setup access
lists for each service individually by selecting the appropriate service in the P
rotocol drop down list box. To grant users and groups permissions to the various
Internet protocols, use the Add button. This brings up the Add Users
and Groups dialog box, as shown in Figure 22.12.
The Add Users and Groups dialog box is used to grant Internet access permissions.
Once finished, click the Apply or OK button to commit changes.
The Caching tab is used to configure caching information for
the Web Proxy service (see Figure 22.13).
The Caching parameters are critical for optimal Web Proxy service performance.
TIP: Once enabled, caching stores the most frequently accessed locations and documents on the local storage subsystem. The main purpose of caching is to optimize system performance.
To set caching options, follow these steps:
Set appropriate values for the Cache Expiration Policy and Enable
Active Caching options.
NOTE: It is best to experiment with these values and monitor the results to determine what is the best setting for your network needs.
The Change Cache Size button enables administrators to expand
or contract the size of the allocated cache disk space. Typical cache sizes are about
2ó4M for each concurrent user connected through the proxy server.
The Reset Defaults button restores the original caching values.
The Advanced button displays the Advanced Cache Policy dialog
box as shown in Figure 22.14. This dialog box can be used to set a maximum size limit
for cached objects and to reuse expired objects from cache when the Web site is unavailable.
Advanced caching options allow fine-tuning of caching performance.
The Cache Filters combo box options enable administrators to
specify sites that should be especially cached or not. Pressing the Add
button brings up the Cache Filter Properties dialog box, which allows you to add
specific URL locations for the cache filters (see Figure 22.15).
By caching frequently visited site URLs, performance can be greatly improved.
Once finished, click the Apply or OK button on the Caching tab
to commit changes.
The Logging tab is used to configure event logging options for the Web Proxy service (see Figure 22.16).
The Logging tab can be used to set up elaborate reporting for troubleshooting purposes.
Logging information can be stored in log files; or you can use an ODBC compatible database, such as Microsoft SQL Server, to store logging information.
TIP: You can use a single log file or a single ODBC database to store logging information from multiple servers.
To configure logging information, click the Logging tab and follow these steps:
Click the Enable Logging check box to start logging for the Web
Proxy service.
Choose the Regular Logging or Verbose Logging
option. The Verbose option provides more detailed textual descriptions of log entries
whereas the Regular option provides logging codes.
Chose the Log to File or Log to SQL/ODBC Database
option button.
If you choose the Log to File option, you have the following
choices:
NOTE: If you do not use the Automatically Open New Log File option, the same log file will be used indefinitely. You must select an existing directory or manually create a new directory for log files using the File Manager or the MKDIR command.
If you chose the Log to SQL/ODBC Database option, you must configure
the following options:
NOTE: You must use the ODBC Applet in the Control Panel to create the specified system ODBC data source.
Click OK to continue, or click Apply to immediately implement
the changes.
CAUTION: Logging to an ODBC data source is slower than logging to a file. Sites with heavy traffic should consider logging to a file for performance reasons or adding processing power to the server to support the additional load, such as adding a processor and higher performance disk subsystem.
The Web Proxy Service Properties Filters tab is used to specify access limits and to control the network traffic on your Proxy Server (see Figure 22.17). You can choose a default access option that either will grant access to all users or deny access to all users. Then you can specify individual computers or groups that are the exceptions to the default.
The Web Proxy service Filters tab can be used to specify access control properties and network usage limits.
In this section, the option of granting access by default and entering exceptions that will be denied access is described.
To configure Filters options, click the Filters tab on the Web Proxy Service Properties dialog box and follow these steps:
Select the Enable Filtering option for access control.
To exclude computers from having access, you can specify computers that will be
granted access using the Add button. This displays the Grant Access
To dialog box (see Figure 22. 18).
The Grant Access To dialog box is used to grant access to selected computers when a default policy that denies access to everyone has been chosen.
In the Grant Access To dialog box, specify the computer or the group of computers
that will be granted access using the IP addresses for those computers. For a group
of computers, you must also specify a subnet mask used by the group of computers.
You can also specify a Domain name.
Click OK to return to the Filters tab.
The specified computer or group of computers will show up in the included list.
You can specify more computers to exclude, or remove computers from the list by selecting
them and clicking Remove. Use the Edit button
to change the Grant Access To properties for a computer from the list.
When finished, click OK to continue, or click Apply to immediately
enforce the changes.
Administering WinSock Proxy Service
To configure the WinSock Proxy service running on a Proxy Server, double-click the computer name running the service to bring up the WinSock Proxy service properties dialog box. The WinSock Proxy service dialog box displays tabs for each category that can be configured. The categories are as follows:
The Services, Logging, and Filters tabs are identical to those used for the Web Proxy service. Refer to the previous section for the Web Proxy service for more information on setting these options. (The Protocols tab, which is different for the WinSock Proxy service, is discussed in this section.)
The WinSock Protocols tab is used to define or reconfigure existing Internet protocols that clients can use to access resources on the Internet (see Figure 22.19).
The Protocols tab defines parameters for the various Web access technologies.
The Proxy Server comes equipped with a large number of protocol definitions, such as RealAudio, VDOLive, SMTP, POP3, and NNTP. By defining protocols for the common Internet protocols, access can be granted or denied to clients using the Permissions tab. To add a protocol definition from the Protocols tab, follow these steps:
Choose the protocol in the Protocol Definitions drop-down list
box and click the Add button. The Protocol Definition dialog box
is displayed (see Figure 22.20).
The Protocol Definition dialog box can be used to add support for additional Internet protocols.
Provide a Protocol Name in the text box.
CAUTION: The protocol name and port number must be unique for each new protocol.
In the Initial Connection box, provide a Port number.
TIP: Most common protocol port numbers are defined in the PROTOCOL file located in the <systemroot\system32\drivers\etc> directory. You can print that file to have a list of protocol and port numbers handy.
Select the protocol type.
In the Direction box, specify if the protocol will be used for inbound or outbound traffic initially.
Use the Port Ranges for Subsequent Connections combo box to specify
additional port ranges for protocols that facilitate both inbound and outbound traffic.
The FTP protocol and the Telnet service are examples of two-way traffic protocols.
Click OK to save the new protocol definition.
The Proxy Server Auto Dial feature is provided for scenarios when your organization's Internet connection is not permanent. A permanent, or dedicated, connection maintains constant connectivity to the Internet. A non-dedicated connection establishes itself as needed. Usually, non-dedicated connections are terminated when there has been no traffic for a certain period of time and re-established when Internet traffic is generated.
The Proxy Server Auto Dial feature provides dynamic connection of non-dedicated Internet connections. When a client machine generates an Internet request, the Proxy Server recognizes it, re-establishes the Internet connection and services the client request.
To configure Auto Dial, follow these steps:
From the Start menu, choose Programs, Microsoft Proxy Server,
Auto Dial Configuration. This displays the Microsoft Proxy Auto Dial dialog box (see
Figure 22.21)
The Dialing Hours tab can be used to set valid times for Dial on Demand connectivity.
Click the Dialing Hours tab.
Select the Enable Dial on Demand check box.
Select time slots when Proxy Server can dynamically establish a connection to the Internet. If time slots are setup, users can only connect to the Internet during those times. All requests during invalid times are denied by the Proxy Server.
Select the Credentials tab (see Figure 22.22). It is used to provide logon authentication information for establishing Auto Dial connections.
The Credentials tab is used to provide logon authentication information for establishing an Auto Dial Internet connection.
Select the appropriate entry from the RAS phonebook entries list.
Provide a User Name and Password that can be used to connect to the Internet.
Optionally, provide a Domain name if required for connectivity.
Click Apply or OK to commit changes. Auto Dial configuration
is complete.
There are a multitude of ways to monitor Proxy Server performance. Proxy Server uses the Windows NT built in monitoring tool called Performance Monitor to provide administrators with a means to gauge system performance and diagnose problems.
In addition to the Performance Monitor, the Windows NT logging system records events for Proxy Server. The built-in Proxy Server logging mechanism can also be used to gain insight into the server operation and performance.
Proxy Server also provides SNMP based monitoring capabilities. If you are using SNMP based monitoring tools, Proxy Server provides MIB files that can be used to enable SNMP monitoring.
However, Performance Monitor provides the most well-integrated and easy to use means of monitoring system performance for Proxy Server. When Proxy Server is first installed, three Performance Monitor objects are created to monitor Proxy Server activity. These include the following:
To monitor Proxy Server performance, follow these steps:
From the Start menu, choose Programs, Microsoft Proxy Server,
Monitor Microsoft Proxy Server Performance. The Performance Monitor screen appears
(see Figure 22.23).
Performance Monitor can be used to monitor Proxy Server activity and diagnose performance bottlenecks.
To view additional counters, choose File, New
Chart.
Choose Edit, Add to Chart. The Add to Chart
dialog box appears.
In the Add to Chart dialog box, select an object to monitor, such as the WinSock Proxy Server service.
Select a counter from the counters list.
Click Add and then click Done.
See "Performance Monitor," [Ch 7]
Installing and operating a Proxy Server involves paying special attention to the security issues involved. If you are running a server being accessed by thousands of users internally, security of your server and other computers on your enterprise network becomes an important issue. Microsoft accomplishes the security needs of administrators by integrating security for Proxy Server with the security model built into Windows NT Server.
Windows NT provides powerful security features for user authentication, access control, and auditing. Proxy Server leverages these capabilities of the Windows NT operating system to provide security for its Internet-based services.
Windows NT uses a security model that handles security for all services using a single logon authentication mechanism. By creating user accounts and setting access permissions for those accounts, administrators can control what resources and services are available to users.
You can minimize the chance of security problems by adopting these standards:
See "Understanding BackOffice Security," [Chap 5]
See "Setting Permissions on Shared Resources," [Chap 7]
This chapter presented the features available in Microsoft Proxy Server, how to set up and install Proxy Server, how to administer your Proxy Server, and how to secure your installation. For more information on these and related topics, see the following chapters:
© Copyright, Macmillan Computer Publishing. All rights reserved.