Windows NT Security: A Collection of Topics
View the book table of contents
Author: John Enck
Published: June 1998
Copyright: 1998
Publisher: 29th Street Press
 


CONFIGURING MICROSOFT’S PROXY SERVER

by Mark Edwards

The Proxy Server
In a network environment, a proxy server has the authority to act for other computers on the network. Microsoft’s Proxy Server is a proxy, providing each workstation with access to TCP/IP networks such as the Internet, while keeping the workstation address anonymous. Such anonymity makes intruder attacks on your machine almost impossible.

You manage Proxy Server through the Internet Service Manager (ISM). To start ISM, click Start, select Programs, Catapult Server, and then Internet Service Manager. If you have other Internet services on your Windows NT machine, you’ll see them in the ISM display. Figure 1 shows the ISM with all the services installed and running.

All the configuration settings are on the administrative interface for each service. To display a service’s administrative interface, double-click the service name in the ISM or right-click the service name and select Service Properties.

The Proxy Service
The Proxy service controls access to FTP, Web, and Gopher sites on the Internet. The administrative interface for the Proxy service has five tabs: Service, Permissions, Caching, Logging, and Filters.

The Service tab is for informational purposes only and contains nothing to configure but a comment field, which lets you describe this service so users can view the description in ISM. Click Current Sessions to display a list of the users connected to the Proxy service at any given moment.

The Permissions tab, as shown in Figure 2, lets you grant or deny various users and groups access rights to the proxy for Internet access. You can separately manage three types of access here: FTP, Web, and Gopher. To allow access to a service, select it in the Rights pulldown, and click Add to display the Add Users and Groups dialog box. Once you add the users and groups that get access, click OK. To disallow access rights to a user or group, select the user or group and click Remove.

Tip: The User Manager for Domains lets you create a group that includes the user accounts of all users who need access to FTP, Web, or Gopher. Once you create this group, you need to apply permissions for each service only once for the group, rather than once for each member. This approach can be a real time saver.

The Caching tab, shown in Figure 3, presents the cache property settings. The Proxy service cache lets you configure the service to store Internet objects on your local hard drive for a given period. This option can greatly reduce response times and bandwidth utilization. When a client machine requests an Internet object that is in the cache, the Proxy server delivers the cached copy instead of getting the object from the Internet site.

The cache expires at intervals the administrator sets. The proxy server will retrieve a fresh copy of the Web object when a client requests it again or before a client requests the object, depending on how the cache is configured.

The cache has two modes of operation: passive and active. In passive mode, Proxy Server copies each object someone requests from the Internet to the hard disk of the computer running Proxy Server. In active mode, Proxy Server updates objects in the cache periodically, whether a user requests them or not.

The proxy cache has five areas to configure:
  1. The Enable Caching check box enables and disables the cache.
  2. The Cache Expiration Policy lets you adjust the freshness of objects in the cache. Freshness is a measure of how long to store and use a local copy of a cached object before Proxy Server updates it from the Web site. A slider bar lets you adjust this setting. Move the slider bar toward “Always request updates” to keep objects fresher and increase the traffic Proxy Server generates. Move the slider bar toward “Fewest Internet requests” to lengthen the time you store objects before Proxy Server refreshes them and to decrease the traffic Proxy Server generates.
  3. The Active Caching Policy ensures the freshness of Internet objects you store on the hard disk, by letting the cache manager generate a request for an Internet object without a client’s prompting. Move the slider bar toward “Most client cache hits” to update the cache more frequently, or toward “Fewest Internet requests” to reduce the frequency of update requests to Internet sites.
  4. The Cache Size lets you add and remove drives from caching and set the amount of disk space for caching Internet objects. The limit to the cache size is the amount of disk space available. Theoretically, cache size has no upward limitations.
  5. The Advanced Cache Options let you specify which objects to cache and the maximum object size to cache, and enable server protection and cache filtering. Cache filtering lets you specify filename, directory name, and domain name to restrict which objects to always cache or never cache. To display Advanced Cache Options, click Advanced.
The Logging tab presents the available log settings. You can turn logging on or off, select Regular or Verbose logging, and log to a text file or a database. Each log record contains the username, client type, client protocol, time and date stamp, and size of the requested object.

The Filters tab, in Figure 4, presents the filtering properties that let you control access to Internet sites through the server. The filtering mechanism grants or denies access based on the IP address or domain name of particular Internet sites. For example, to block access to a Web site to keep employees from misusing company time, you select Denied, click Add, select Domain, and then enter the Web address in the Domain data entry window. That’s all there is to it.

Remote Windows Socket
Now let’s look at the Remote Windows Socket (RWS) service. RWS is a mechanism that makes a Windows Sockets-compatible application running on a private network perform as if it were directly connected to the Internet, when actually, a gateway computer connects the two networks. Proxy Server can be the gateway.

You access the administrative interface for RWS the same way as for the proxy server. Open ISM, and double-click the RWS service. The RWS administrative interface consists of four tabs: Service, Permissions, Logging, and Filters.

The Service tab has only one field, Comment, which lets you describe this service. ISM lets you view the comment.

The Permissions tab is the most extensive area of the RWS administrative interface. You can add, change, and remove protocols and control access to each protocol. This page has five elements: Service, Right, Add, Remove, and Protocols.

Service lists the Internet protocols available to users of the RWS service on this server. To add a protocol to this list, click Protocols and complete the dialog box. To grant a user protocol access, select that protocol from the Service box, click Add, and complete the dialog box. The Right box lists the users and groups that can use the protocol on this server. Add lets you assign a user or group the right to use a protocol: first select the protocol from Service, click Add, and then complete the Add Users and Groups dialog box. Remove deletes a user or group’s right to use a protocol on this server. Protocols displays the dialog box that lets you add a protocol, modify an existing protocol configuration, or remove a protocol.

The Logging tab lets you turn logging on or off, select Regular or Verbose logging, and log to a text file or a database.

The Filters tab lets you grant and deny access to Internet sites that users can access through RWS. Access filtering can prohibit access to specified sites or allow access to only the sites specified.
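The Python script below is added here as an illustration; it is not part of the chapter and not Proxy Server code. It models the two filtering modes that the Proxy service Filters tab and the RWS Filters tab both offer (deny the listed sites, or allow only the listed sites), with entries given either as domain names or as addresses and address ranges. The treatment of address/mask ranges and of subdomains is an assumption about how such entries are matched, and the sample sites and addresses are constructed.

```python
import ipaddress


def domain_matches(host, entry):
    """A domain entry covers the host itself and every host beneath it
    (assumption: 'example.test' also covers 'www.example.test')."""
    host = host.lower().rstrip(".")
    entry = entry.lower().lstrip("*.").rstrip(".")
    return host == entry or host.endswith("." + entry)


class SiteFilter:
    """Filters tab model: mode 'denied' blocks listed sites and allows all
    others; mode 'granted' allows only the listed sites."""

    def __init__(self, mode, domains=(), networks=()):
        if mode not in ("granted", "denied"):
            raise ValueError("mode must be 'granted' or 'denied'")
        self.mode = mode
        self.domains = list(domains)
        # Address entries: a single address or an address/mask group
        # (assumption; constructed ranges are used in the example).
        self.networks = [ipaddress.ip_network(n, strict=False)
                         for n in networks]

    def listed(self, host, resolved_ip=None):
        """True if the request matches any entry on the list. A request made
        by IP literal only matches address entries, which is why a deny list
        built from domain names alone can be sidestepped; listing the
        server's address range as well closes that gap."""
        if any(domain_matches(host, d) for d in self.domains):
            return True
        try:
            ip = ipaddress.ip_address(resolved_ip or host)
        except ValueError:      # a host name with no resolved address given
            return False
        return any(ip in net for net in self.networks)

    def allows(self, host, resolved_ip=None):
        hit = self.listed(host, resolved_ip)
        return (not hit) if self.mode == "denied" else hit
```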

Working Together
You can configure the Proxy service and the RWS service to work together. Doing so lets you use Internal Package eXchange (IPX) and Sequenced Packet eXchange (SPX) on the internal network. This capability eases integration for Novell shops because they don’t have to migrate to TCP/IP. Having the proxy and RWS work together also allows streaming and datagram Internet protocols and the Windows NT Challenge/Response authentication between the client and Proxy Server.

To configure the proxy to work with RWS, follow these steps:
  1. Configure the client’s Internet browser to use the Catapult Server Proxy service.
  2. Configure the client computer to use any RWS server on the internal network.
  3. If the private network is running TCP/IP, use the Proxy Server setup to configure the Local Address Table (LAT) to remove the Proxy server’s internal IP address from the LAT. This configuration forces the use of RWS between the client and Proxy Server. You must modify the LAT on all Proxy Server computers on the private network. If your internal network runs on IPX/SPX, you can skip this step because you won’t have TCP/IP routing tables to manage.
Proxy Gateways in DNS
Configuring multiple proxy server gateways is becoming more common in large network environments. As the number of users who need Internet access from your LAN grows, load balancing multiple proxy servers will become increasingly important to you.

Balance your network traffic with Proxy Server by creating a group name in your Lmhosts file and pointing all client applications at that group name. The group contains the machine name and IP address of each proxy server on your network. The Lmhosts file includes sample entries that demonstrate how to create entries in this file correctly.

Use the Lmhosts file to create a group to configure client software to implement load balancing by following these steps:
  1. Open the Lmhosts file with a text editor such as Notepad. A sample Lmhosts file named Lmhosts.sam is in the \SystemRoot\System32\Drivers\Etc directory. If you have not configured a Lmhosts file for your network, open the Lmhosts.sam file and save it (in the same directory that contains Lmhosts.sam) to a new file called Lmhosts.
  2. Create a new group name for the proxy servers that will participate in the load balancing. Be sure the group name does not conflict with other group names or NT domain names. Then add an entry for each proxy server, one per line, in the Lmhosts file. The #DOM tag at the end of each proxy server entry denotes the group. Be sure that each proxy server’s entry includes the IP address, the NetBIOS machine name, and the #DOM tag with the group name. In the example below, the group name is proxygate.
    206.4.11.69 proxy1 #DOM:proxygate #PRE
    206.4.11.70 proxy2 #DOM:proxygate #PRE
    206.4.11.71 proxy3 #DOM:proxygate #PRE

    As the example shows, you can include the #PRE tag. It tells NT to preload these entries when the operating system boots. The #PRE tag is not required, but it can help improve the overall proxy server performance because name lookups resolve faster if the proxy doesn’t have to read the Lmhosts file from disk. Figure 5 shows a sample Lmhosts file.
  3. Save the file, and exit the editor.
  4. Configure your client software to use the proxy name.
When you use a group in the Lmhosts file, client computers requesting an Internet object through the group name tell Domain Name System (DNS) to cycle through the gateways listed in the group, one at a time. The first request uses the first name in the list, the second request uses the second name, and so on. This cycle establishes load balancing, which can ease the burden of any particular proxy server. The Lmhosts file is in the \SystemRoot\System32\Drivers\Etc directory.
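The following Python script is added as an illustration of the Lmhosts procedure above; it is not part of the chapter and not a Windows NT component. It parses entries in the layout the chapter shows, collects the gateways tagged with a #DOM group, checks the chosen group name against a list of NT domain names (the conflict the chapter warns about), and walks through the group one request at a time. The file content and the domain names are constructed for the example.

```python
import itertools
import re

# Constructed Lmhosts content in the chapter's layout: address, NetBIOS
# name, then optional #DOM:group and #PRE tags. Not a real file.
SAMPLE_LMHOSTS = """\
# comment lines are ignored
206.4.11.69 proxy1 #DOM:proxygate #PRE
206.4.11.70 proxy2 #DOM:proxygate #PRE
206.4.11.71 proxy3 #DOM:proxygate #PRE
10.0.0.5    fileserv #PRE
10.0.0.9    mailhost
"""

ENTRY_RE = re.compile(
    r"^\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<name>\S+)(?P<tags>.*)$")


def parse_lmhosts(text):
    """Return (ip, name, group, preload) tuples, one per address entry."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:                      # blank, comment or malformed line
            continue
        tags = m.group("tags").upper()
        dom = re.search(r"#DOM:(\S+)", tags)
        entries.append((m.group("ip"), m.group("name").lower(),
                        dom.group(1).lower() if dom else None,
                        "#PRE" in tags))
    return entries


def group_members(entries, group):
    """Gateways tagged #DOM:<group>, in file order (the order clients use)."""
    return [(ip, name) for ip, name, g, _ in entries if g == group.lower()]


def conflicting_groups(entries, nt_domains):
    """Group names that collide with existing NT domain names."""
    doms = {d.lower() for d in nt_domains}
    return sorted({g for _, _, g, _ in entries if g and g in doms})


def round_robin(members, requests):
    """Cycle through the group as the chapter describes: request 1 uses the
    first entry, request 2 the second, and so on, wrapping around."""
    cyc = itertools.cycle(members)
    return [next(cyc) for _ in range(requests)]
```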

Proxy Gateways in WINS
If your network relies on Windows Internet Name Service (WINS) instead of DNS for name resolution, WINS lets you configure a multi-homed environment to facilitate Internet object requests. WINS is similar to the DNS environment: You create one entry that contains the list of IP addresses for all the proxy server gateways.

WINS provides three levels of name resolution for this configuration. First, the WINS server attempts to match a client’s request with the client’s IP address. Next, WINS will seek a proxy server on the same subnetwork as the client. Then WINS seeks a proxy server on the same network as the client. If WINS cannot match a client to a gateway, it will randomly pick a gateway from the WINS list of gateways to facilitate the Internet object request.
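The Python function below is an added illustration of the three-level matching order just described; it is not part of the chapter and not WINS code. It assumes that "same subnetwork" means the client's subnet mask applies and that "same network" means the classful (class A, B or C) network of the client's address, and it falls back to a random pick when nothing matches. The client and gateway addresses are constructed.

```python
import ipaddress
import random


def classful_network(ip):
    """Default class A/B/C network of an IPv4 address (assumption: this is
    what the chapter means by 'the same network')."""
    first_octet = int(ip) >> 24
    prefix = 8 if first_octet < 128 else 16 if first_octet < 192 else 24
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)


def select_gateway(client_ip, subnet_mask, gateways, rng=random):
    """Return (gateway, rule) following the chapter's order: the client's own
    address, a gateway on the client's subnet, a gateway on the client's
    network, and finally a random gateway from the list."""
    client = ipaddress.ip_address(client_ip)
    gws = [ipaddress.ip_address(g) for g in gateways]
    if not gws:
        raise ValueError("no gateways configured")
    for g in gws:                          # 1. exact address match
        if g == client:
            return str(g), "exact"
    subnet = ipaddress.ip_network(f"{client}/{subnet_mask}", strict=False)
    for g in gws:                          # 2. same subnetwork
        if g in subnet:
            return str(g), "subnet"
    network = classful_network(client)
    for g in gws:                          # 3. same (classful) network
        if g in network:
            return str(g), "network"
    return str(rng.choice(gws)), "random"  # 4. no match: pick at random
```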

RWS with Multiple Gateways
By default, clients on an internal network use the RWS gateway that you configure them for. You achieve load balancing by installing RWS on the clients from each gateway you want the client to use. For example, if you expect a particular group of users to produce heavier-than-normal traffic to the RWS service — as with video conferencing — distribute the users across your gateways to lighten the load on any particular server.


NT Version: NT 4.0 Server


