MICROSOFT'S PROXY SERVER: INTRODUCTION AND INSTALLATION
by Mark Edwards
Microsoft has launched another powerful tool into the BackOffice Suite. The product, Microsoft Proxy Server, makes connecting your intranet to the Internet much safer than before and will probably let you sleep a little better at night, knowing your network is now a safer environment.
What is a Proxy?
First, proxy in the general sense means the authority or power to act for another. In a network environment, a proxy server has the authority to act on behalf of the other computers on the network: it provides their access to TCP/IP networks such as the Internet while keeping the workstation addresses hidden from the outside. Hiding the workstations makes direct attacks on them from the Internet far harder, because a potential intruder sees only the proxy's address and has no client address to attack. It does not make the workstation safe outright: a Trojan horse or virus can still arrive in a file a user downloads through the proxy, and the proxy server itself is now the machine exposed to the Internet, so to be safe at the workstation level you need more than a proxy server.
How a Proxy Works
Proxies keep workstations anonymous by servicing TCP/IP protocol requests on the client's behalf. First, the client workstation makes a TCP/IP-based protocol request, such as entering a uniform resource locator (URL) into a Web browser to pull up a Web page. The client sends the request to the proxy server and waits for the reply. The proxy server receives the request and opens its own connection to the destination address, so the packets that leave your network carry the proxy's address, not the client's. This substitution maintains the anonymity of the client address. Next, the destination processes the request and sends the results back to the proxy server. Finally, the proxy returns the results to the client.
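The following is the rewriting step that a CERN-style HTTP proxy performs on each request, as an added example in Python; it is not Microsoft's code and does not come from this article. A CERN-compatible browser sends the proxy the full URL in the request line; the proxy extracts the host and port, rewrites the request into the form the origin server expects, drops the headers that belong only to the browser-to-proxy hop, and sends the result over a connection it opens itself. The anonymity the article describes is a consequence of that last step: the origin server only ever sees the proxy's source address, provided the proxy does not volunteer the client's address in a header (this code deliberately adds no X-Forwarded-For). The bind address, hostnames, and sample request are constructed.

```python
"""Minimal CERN-style HTTP forwarding proxy: the request-rewriting step.

Added example, not Microsoft Proxy Server code.  The client sends a
proxy-form request ("GET http://host/path HTTP/1.0"); the proxy turns it into
an origin-form request and relays it over its own TCP connection, so the
origin sees only the proxy's address.  Addresses below are constructed.
"""
import socket
from urllib.parse import urlsplit

# Headers that belong to the client<->proxy hop and must not be forwarded.
HOP_BY_HOP = {"proxy-connection", "connection", "keep-alive", "proxy-authorization"}


def rewrite_request(raw: bytes):
    """Turn a proxy-form HTTP request into an origin-form request.

    Returns (host, port, outbound_bytes).  Raises ValueError for anything
    that is not an absolute http:// URL; a proxy should refuse such requests
    rather than guess where they were meant to go.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    parts = urlsplit(target)
    if parts.scheme.lower() != "http" or not parts.hostname:
        raise ValueError("proxy-form request with an absolute http:// URL required")
    host, port = parts.hostname, parts.port or 80
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query

    out = [f"{method} {path} {version}"]
    seen_host = False
    for line in lines[1:]:
        name, _, _value = line.partition(":")
        key = name.strip().lower()
        if key in HOP_BY_HOP:
            continue  # hop-by-hop header: never forwarded to the origin
        if key == "host":
            seen_host = True
        out.append(line)  # note: no X-Forwarded-For is added on purpose
    if not seen_host:
        out.append(f"Host: {host}" if port == 80 else f"Host: {host}:{port}")
    out.append("Connection: close")  # one request per origin connection
    return host, port, ("\r\n".join(out) + "\r\n\r\n").encode("iso-8859-1") + body


def forward(raw: bytes, timeout: float = 10.0) -> bytes:
    """Relay one rewritten request to the origin and return the raw response.

    The connection is opened from the proxy host, so the origin's logs record
    the proxy's address, never the internal client's.
    """
    host, port, out = rewrite_request(raw)
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(out)
        chunks = []
        while True:
            data = s.recv(65536)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


def serve(bind=("10.0.0.1", 8080)):
    """Accept requests on the internal interface (constructed address) and relay them.

    Simplification: assumes each request header arrives in a single recv().
    """
    with socket.socket() as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(bind)
        srv.listen(5)
        while True:
            conn, _peer = srv.accept()
            with conn:
                try:
                    conn.sendall(forward(conn.recv(65536)))
                except ValueError:
                    conn.sendall(b"HTTP/1.0 400 Bad Request\r\n\r\n")


if __name__ == "__main__":
    serve()
```

Running `serve()` binds only the internal interface; the proxy's Internet-side address is used automatically when `forward()` opens the outbound connection, which is exactly the address substitution the article describes.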
Eliminate Alternative Routes
Simple enough, right? Actually, it is. The secret to establishing a proxy server is to make sure it is the only route between the Internet and your workstations and servers. The proxy server needs at least one valid, routable IP address on its Internet side. If no real route to the rest of your network exists, outside traffic can't reach your machines.
You can eliminate alternative routes in two ways. The first is to choose an arbitrary Class C network to use internally. For instance, pick something such as 206.136.112.0 out of the air. This choice gives you 206.136.112.1 through 206.136.112.254 as internal addresses. This Class C network is probably assigned to someone already, and the routes on the Internet point to that network, not yours, so outside traffic can't find its way to you. The drawback is that your workstations can no longer reach the real owner's hosts either: any request for an address in that range stays on your local network instead of going through the proxy. For that reason the second way is the one to prefer.
The second way is to use what I'll call test address pools: the private address ranges that the Internet Assigned Numbers Authority (IANA) reserves for internal use in RFC 1918 (10.0.0.0 through 10.255.255.255, 172.16.0.0 through 172.31.255.255, and 192.168.0.0 through 192.168.255.255). What you need to understand about these addresses is that lots of people all over the Internet use them. None of the backbone ISPs carry routes to these addresses, so they are useless for routable traffic but perfect for internal use behind a proxy server.
You're safe using Class C-sized networks out of the Class A address pool 10.0.0.0, which provides more than enough IP addresses for an average intranet. If you need fewer than 254 addresses, use one Class C-sized network from this pool: for example, 10.0.0.1 through 10.0.0.254 with a subnet mask of 255.255.255.0. If you need more than one Class C for internal addresses, simply subnet 10.0.0.0 further (10.0.1.0, 10.0.2.0, and so on, each with the same mask), breaking the pool into more manageable pieces that you can route in different directions. Subnetting can get rather complex, so seek administrative help if necessary.
Proxy Server Features
Proxy Server consists of two services: the Remote Windows Socket (RWS) service and the proxy service. You can run either one or both; each provides controlled access from your intranet to the Internet.
The proxy service operates over TCP/IP only and is CERN-proxy compatible, which means any CERN-compatible client software can use it. The proxy service supports Web (HTTP), Gopher, and FTP and has a caching feature that stores frequently requested documents for a given period. Caching reduces bandwidth utilization and speeds information delivery to the client. The proxy lets you configure what to cache, what not to cache, and the size of the cache. You can implement user-level security, controlling who can and cannot use any particular service. You can also implement IP address filtering, granting or denying access to the proxy according to a workstation's address. The RWS service passes other TCP/IP protocols through the Proxy Server and supports most popular Internet tools.
RWS also works with the Internetwork Packet Exchange (IPX)/Sequenced Packet Exchange (SPX) protocol on your internal network. This combination can provide an additional level of security in the form of a protocol barrier: an internal segment that runs only IPX/SPX has no IP stack for Internet traffic to reach, so even if a route to it existed, IP packets could not be delivered to the workstations. RWS is compatible with most existing Windows Sockets 1.1 applications and lets you control inbound and outbound access by port number, protocol, and user or group. You can also set up filters that control access to Internet sites by domain name, IP address, and subnet mask.
The Proxy Server integrates seamlessly into an existing Microsoft Internet suite. If you're already running Microsoft's Internet Information Server (IIS), Proxy Server fits like a glove, letting you control the services through the Internet Service Manager, which comes with both IIS and Proxy Server.
Step-by-Step Installation
The initial setup process is simple and quick; you won't need more than about 30 minutes to install the entire product.
The setup routine installs Proxy Server, copies client software packages to the server and pre-configures them for easy installation, and establishes a network share for installing client software. Here are the eight steps in the installation process.
1. Setup searches for installed components.
2. You choose a directory for the software installation.
3. You choose the components to install from the list in Figure 1. Here's a nice surprise: the documentation is in Hypertext Markup Language (HTML) format, which Microsoft has promised for all Help files as we move toward the browser-based desktop.
The options include the client software packages necessary to use the proxy server. The available client packages include NT versions for Intel, PowerPC, MIPS, and Alpha; Intel-based Windows 95 clients; and Windows 3.x clients, as you see in Figure 2.
4. Setup stops any Microsoft Internet services, such as the IIS Web server, that are running.
5. You choose the drive(s) you want for caching documents from the list in Figure 3. Setup recommends drives with at least 50 MB of free space. You can choose drives with less space, but the amount of information you can cache will be limited.
6. You define the IP address ranges on your internal networks, as shown in Figure 4.
The information you enter here creates the Local Address Table (LAT). The LAT is the Iaslat.txt file, which, by default, is in the \Ias\Clients directory on the same drive on which you install the server. When a workstation runs the client setup program, the LAT downloads from the server to the client workstation.
When an RWS-type client attempts to access an IP address, it uses the LAT to determine whether the address is local or remote. Local addresses are on your network, and remote addresses are outside your network on the Internet. The client connects to local addresses directly and to remote Internet addresses through Proxy Server. Gather the ranges carefully: an internal range missing from the LAT sends that traffic to the proxy instead of directly to the host, and an Internet range wrongly listed as local is unreachable.
7. Setup lets you preconfigure most aspects of the client software packages, which minimizes administrative effort. Figure 5 shows the settings in two groups, one for RWS and one for the proxy.
The RWS access settings are as follows.
A radio button group preconfigures the client software package to contact the RWS service by name or by IP address. To have clients find the server by its DNS or machine name, select that option and enter the server name. To have them use the IP address, select that option and enter the server's IP address.
A check box lets you disable Access Control. If you check this box, all internal clients can use RWS without restriction. When this box is not checked (the default setting), only clients that have permissions for specific protocols can use RWS. The Internet Service Manager lets you assign these permissions.
The proxy access settings are as follows.
A check box tells Proxy Server setup to configure the client packages so that they automatically configure Web browsers for use with a given proxy access server. To automate that part of the client package installation, check this box.
A data entry box lets you predetermine the machine name of the proxy access server that the client packages on this computer will use. If you checked Set Client setup to configure browser proxy settings, enter the proxy server name in this box.
8. Setup checks for necessary disk space and copies the required files. Once the file copy operation is complete, Setup restarts any Internet services that it had stopped, and then exits.
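The decision the LAT drives, together with the private-range advice from the section on eliminating alternative routes, is shown below as an added example in Python. It is not Microsoft's code and does not reproduce the real Iaslat.txt format, which this article does not describe; the "start end" per-line layout, the sample LAT, and the test addresses are constructed. The RFC 1918 ranges are real. The example classifies an address as direct or proxied the way an RWS client would, warns about LAT entries that sit in publicly routable space (the "arbitrary Class C" shortcut), and carves Class C-sized subnets out of 10.0.0.0.

```python
"""Local Address Table (LAT) lookup and private-range checks.

Added example, not Microsoft Proxy Server code.  The LAT layout used here
(one "start end" pair per line, '#' comments) is a constructed stand-in for
the real file, whose format the article does not give.
"""
import ipaddress

# Private address space reserved by RFC 1918; never routed on the Internet.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_private(addr: str) -> bool:
    """True if the address falls inside one of the RFC 1918 ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def parse_lat(text: str):
    """Parse 'start end' lines into a list of (start, end) address pairs."""
    ranges = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        start, end = (ipaddress.ip_address(s) for s in line.split())
        if end < start:
            raise ValueError(f"inverted LAT range {start}-{end}")
        ranges.append((start, end))
    return ranges


def route(addr: str, lat) -> str:
    """The RWS client's decision: 'direct' if the address is in the LAT,
    otherwise 'proxy'."""
    ip = ipaddress.ip_address(addr)
    for start, end in lat:
        if start <= ip <= end:
            return "direct"
    return "proxy"


def lat_warnings(lat):
    """Flag LAT entries in publicly routable space.  Hosts that really own
    those addresses on the Internet become unreachable from the intranet,
    because the client will try to reach them directly instead of via the proxy."""
    warnings = []
    for start, end in lat:
        if not (is_private(str(start)) and is_private(str(end))):
            warnings.append(
                f"{start}-{end} is publicly routable space; Internet hosts "
                "in that range will be unreachable from behind the proxy"
            )
    return warnings


def subnet_plan(base: str = "10.0.0.0/8", prefix: int = 24, count: int = 4):
    """Carve the first `count` /`prefix` subnets out of `base`, e.g. the
    Class C-sized 10.0.0.0/24, 10.0.1.0/24, ... pieces the article suggests."""
    net = ipaddress.ip_network(base)
    return [str(sub) for sub, _ in zip(net.subnets(new_prefix=prefix), range(count))]


# Constructed sample LAT: two private ranges plus the article's "arbitrary"
# Class C, which the warning check should catch.
SAMPLE_LAT = """
10.0.0.1 10.0.0.254          # main office
192.168.5.0 192.168.5.255    # lab segment
206.136.112.1 206.136.112.254
"""

if __name__ == "__main__":
    lat = parse_lat(SAMPLE_LAT)
    for a in ("10.0.0.17", "192.168.5.200", "198.51.100.9"):
        print(a, "->", route(a, lat))
    for w in lat_warnings(lat):
        print("warning:", w)
    print(subnet_plan(count=3))
```

Run it on your own range list before entering the ranges in Figure 4; a warning from `lat_warnings` is the sign that the first, "arbitrary Class C" method from the routing section is in use.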
Additional Configuration
That's the initial installation. Be aware that additional configuration is still necessary. These configuration settings can take from 30 minutes to several hours or even days, depending on the number of users needing access to the server.
You'll want to start the Internet Service Manager from the Start menu: select the Programs folder, then the Catapult Server folder, then Internet Service Manager. You'll also find that the Setup program has created a shared directory, Mspclnt, on the server.
You access this directory with the universal naming convention (UNC) name \\ServerName\Mspclnt. Your workstations connect to this share to access and install the appropriate client software package.
Beyond Installation
When you look at some features of Proxy Server and walk through the initial installation and preliminary configuration options and settings, you see that the complete Proxy Server package is not very large or complex to configure. The installation process is intuitive and straightforward.
INSTALLATION CHECKLIST
Inform all your users of the downtime you'll need. If your server runs other Internet services, such as Microsoft's IIS, notify your users that those services will be unavailable while you install IAS.
Make sure the only applications running on the server are those that are absolutely necessary. The Setup program overwrites particular files on the server, so if other programs are using them, Setup will not continue properly. Stop any Microsoft Internet services that you have running, or you can let the IAS Setup program stop them for you.
Before starting installation, be sure to log in as Administrator or as a user who is a member of the Administrator group. You will need administrative privileges to complete the installation correctly.
Gather all the IP address ranges your network uses. Youll need them during installation.
Determine what client operating systems the workstations on your network run so you can install the appropriate client packages during setup.
Be sure that the disk drive on which you install the software has about 3.5 MB of free space available.
Be sure you already have a second network card installed in the server and that the card is preconfigured with a non-routable IP address, such as 10.0.0.1. If you're connecting to the Internet with a regular modem or an Integrated Services Digital Network (ISDN) adapter on a COM port, you'll need only one network card, because NT's Remote Access Service presents the dial-up connection as a separate network interface with its own IP address.