In this Daily Drill Down, I’ll discuss Microsoft’s Proxy Server. This product may be one of the least publicized of the BackOffice suite. If you want to connect your users to the Internet, cache Web pages locally, restrict Internet use, and place a firewall between your network and the rest of the world, you’ll be interested in Proxy Server.
What is Proxy Server?
Microsoft Proxy Server provides an easy and secure way of bringing Internet access to every desktop in an organization. It acts on behalf of assigned clients by sending requests from computers on your private network to the Internet and then sending the response from the Internet back to the client. The Proxy Server hides every IP address on your private network from the Internet with the exception of its own external card. Along with the added security you receive, you can save money by not having to lease as many IP addresses. Some companies pay $2 per month for each IP address, which adds up to a considerable amount of money when you have hundreds of computers.
Requirements for installing Microsoft Proxy Server 2.0 include:
- Microsoft Windows NT Server version 4.0 or later.
- Service Pack 3 or later for Microsoft Windows NT Server 4.0.
- Microsoft Internet Information Server (IIS) version 3.0 or later. (Version 4.0 is recommended because of a known bug with IIS 3.0 that can cause the Web service to abnormally terminate.)
- A Pentium 166-MHz processor at a minimum. Although Proxy Server will run on a 486, I don’t recommend it.
- Two network interfaces—internal and external.
The internal interface must be a network interface card (NIC). The external network interface can either be another NIC or a modem. If your Proxy Server will be configured as a chained downstream configuration or as a caching-only server, only one NIC card is required. If you choose this configuration, the following considerations apply:
- Packet filtering cannot be enabled.
- You should either disable the WinSock Proxy service or disable access control for the WinSock Proxy service if the Proxy Server computer is connected to the Internet.
You’ll need 10 MB of disk space for Proxy Server and additional space for caching. You can calculate the caching requirements with the following formula: 100 MB + 0.5 MB for each Web Proxy service client.
Proxy Server supports the following Internet protocols:
- WWW (HTTP)
- RealAudio (streaming audio)
- VDOLive (streaming video)
- IRC (Internet Relay Chat)
- Mail and news protocols
Internet sites can be accessed by Web browsers running any operating system, as well as by all 16-bit and 32-bit Windows Sockets applications, with no modifications to the applications.
Advantages of Proxy Server
Proxy Server has a number of nice features. You can allow all computers on your network to access Internet applications using one Internet connection. Proxy Server eliminates the need to install and support additional protocol drivers for each client’s desktop.
Through its caching technology, Proxy Server will improve performance and access for Internet-based services on your private network. It can cache frequently accessed documents to ensure the immediate availability of fresh data. Cached copies of popular Web pages can be maintained locally and updated automatically.
Proxy Server also allows you to increase security between your private network and the Internet. You can configure it to grant or deny outbound Internet access by user, service, port, or IP domain. Access to specific domain sites can be blocked easily. It can also take advantage of security features built into Windows NT Server.
You need only one public IP address for the external NIC. The computers on your network can have private IP numbers that are seen only by computers on your network, so you can assign any range you wish. For instance, if you assign the internal NIC card an IP address of 10.1.1.1, the computers on your local network can be assigned the range of 10.1.1.2–10.1.1.255 with a subnet mask of 255.255.255.0.
Installing Proxy Server consists of six main steps:
- Initiating Setup
- Installing components
- Setting up the cache drives
- Defining the Local Address Table (LAT)
- Configuring client information
- Setting access control
I won’t cover upgrading from Proxy Server version 1.0 to version 2.0 in detail, but you should be aware that Proxy Server 2.0 uses a different caching format than that of Proxy Server 1.0. When you upgrade from version 1.0 to 2.0, the contents of your old cache will be deleted when Proxy Server 2.0 is first started. When running Setup, if you specify the same cache drive for Proxy Server 2.0 as you were using for version 1.0, caching is temporarily disabled until the deletion process completes. Depending on the size of your cache, this can take a few minutes to several hours.
To install Proxy Server 2.0 on your Windows NT Server, insert the Setup CD. You’ll be presented with the usual welcome screen. Click Continue, enter the CD-key, and choose the folder where Proxy Server will be installed, as shown in Figure A.
Figure A: You must specify the folder where you want to install Proxy Server.
If you do not have the Windows NT SAP Agent service installed and running on your server computer, you’ll see a warning message. (You should install the SAP Agent if you have client computers that use only the IPX/SPX protocol.) Click Continue to ignore this warning and proceed with Proxy Server Setup, or click Abort to halt Proxy Server Setup and follow the on-screen instructions to install the SAP Agent.
Next, you’ll see the Installation Options screen, shown in Figure B. At this point, you can choose the components you want to install. The default is to install all components, but deselecting the items you don’t want to install saves space.
Figure B: Choose the components you want to install.
Next, you’ll see the Cache Drives dialog box. You can use multiple drives for a cache, but it can reside only on an NTFS partition. The disk cache should be located on one or more hard disk drives on the computer running Proxy Server. You cannot use network drives to store cached data.
After you choose the cache drives, the next step is to construct the LAT, as shown in Figure C. You can manually type the internal IP range and click Add. Keep in mind that the To field indicates the last address of the range, not the subnet mask.
Figure C: You must then construct the LAT and specify the internal IP range.
Clicking the Construct Table button automatically generates the list of IP address pairs from internal routing tables used by Windows NT Server, as shown in Figure D. If you generate the list this way and then remove an address from the internal IP range, you may introduce redundant load on the server. This can occur when clients redirect connections to that address through Microsoft Proxy Server when they are already connected to that computer on the internal network.
Figure D: You can automatically build the LAT by clicking Construct Table.
Ensure that no external addresses are entered in the internal IP ranges. Proxy Server treats every address in the LAT as part of your internal network, so listing an external address there would have it trusted as internal, which is a security breach and could allow intruders to access your internal network.
You can make additional changes to the LAT after Proxy Server is installed by using the Internet Service Manager (ISM). An alternative is to use a text editor to edit the Msplat.txt file, which is located by default in the C:\Msp\Clients directory on each Proxy Server computer.
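The private addressing example above (internal NIC 10.1.1.1 with mask 255.255.255.0) and the warning about external addresses in the LAT both come down to the same check: every from/to pair in the table must lie inside a range you actually own internally. The following script is an added example, not part of the original article or of Microsoft's code. It derives the LAT pair for an internal NIC from its address and mask (showing why the To field is a range end rather than a mask) and audits a Msplat.txt-style table against the RFC 1918 private blocks plus any extra internal ranges you name. The "start end, one pair per line" layout of the sample table and the sample addresses are constructed here; confirm the layout against your own Msplat.txt before relying on it.

```python
"""Audit a Proxy Server Local Address Table (LAT) before deploying it.

Added example, not from the original article or from Microsoft.
Assumptions (constructed for this example): Msplat.txt holds one
"start end" IPv4 pair per line separated by whitespace, and "internal"
means the RFC 1918 private blocks plus any ranges passed explicitly.
"""
import ipaddress

# RFC 1918 private address space: anything outside these (or the
# extra ranges you pass in) has no business being marked internal.
PRIVATE_BLOCKS = (
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
)

# Constructed sample table. The third line is deliberately wrong: it
# starts in private space but runs out into a public range.
SAMPLE_LAT = """\
10.1.1.0\t10.1.1.255
192.168.5.0\t192.168.5.255
10.1.1.0\t203.0.113.255
"""


def lat_range_for_interface(address: str, netmask: str) -> tuple[str, str]:
    """Return the (from, to) LAT pair covering the internal NIC's subnet.

    The To value is the last address of the subnet, not the subnet mask.
    """
    net = ipaddress.ip_network(f"{address}/{netmask}", strict=False)
    return str(net.network_address), str(net.broadcast_address)


def parse_lat(text: str) -> list[tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]]:
    """Parse 'start end' pairs; reject malformed lines and reversed ranges."""
    pairs = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected 'from to', got {raw!r}")
        start, end = (ipaddress.ip_address(p) for p in parts)
        if end < start:
            raise ValueError(f"line {lineno}: range end {end} precedes start {start}")
        pairs.append((start, end))
    return pairs


def range_is_internal(start, end, extra_internal=()) -> bool:
    """True only if the whole contiguous range sits inside one allowed block."""
    allowed = list(PRIVATE_BLOCKS) + [ipaddress.ip_network(n) for n in extra_internal]
    return any(start in net and end in net for net in allowed)


def audit_lat(text: str, extra_internal=()) -> list[str]:
    """Return one finding per range that is not internal; empty means clean."""
    findings = []
    for start, end in parse_lat(text):
        if not range_is_internal(start, end, extra_internal):
            findings.append(
                f"{start}-{end}: not within a known internal block; "
                "remove it from the LAT or add the block to extra_internal"
            )
    return findings


if __name__ == "__main__":
    print("LAT pair for 10.1.1.1/255.255.255.0:",
          lat_range_for_interface("10.1.1.1", "255.255.255.0"))
    for finding in audit_lat(SAMPLE_LAT) or ["LAT is clean"]:
        print(finding)
```

If your organisation legitimately routes a public block internally, pass it in `extra_internal` rather than loosening the RFC 1918 check; the point is that every entry is deliberate. Run the audit again after any edit to Msplat.txt or after rebuilding the table with Construct Table.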
Once you’ve configured the LAT, you’ll see the Client Installation/Configuration text box. This is where you specify how Web browsers and WinSock Proxy client applications connect to the Proxy Server computer. You can reconfigure this information after the initial setup, if necessary. The default name will be the name of the server followed by Proxy.
Next, Setup prompts you to specify access control for the Web Proxy and WinSock Proxy services. By default, access control is enabled for both services. If the access control check box is selected, only those clients that have been assigned permissions are able to use the service. If it is not selected, all internal clients are able to use the service.
Setup then copies the files to the server and configures Proxy Server based on the selections you’ve made. The amount of time this takes depends on the options you’ve selected and the speed of your server. When Setup finishes copying the files, you’ll need to reboot your server.
After you finish installing Proxy Server, you must reapply the last service pack you placed on your server. Reboot the server one more time, and you’re ready to go!
Securing your Proxy Server
Since the Internet is not secure by nature, it is important to make sure that only the traffic you want is allowed to move between your network and the Internet. Proxy Server is designed to hide your network’s IP addresses from users on the Internet. The only IP address they should see is the one bound to the external NIC in your Proxy Server. There are three ways to help secure your Proxy Server and prevent unwanted access to your network: configuring the proxy agents, disabling all unneeded ports, and removing unneeded protocols.
Proxy Server has three different types of proxy agents that must be secured:
- Web Proxy
- WinSock Proxy
- Socks Proxy
You’ll need to configure each of these proxy agents. To do so, you must first launch the ISM and then navigate to Console Root | Internet Information Server | Your Server Name | Proxy Agent To Be Configured. Each proxy agent will be configured in a similar fashion, so it doesn’t matter which one you choose first.
Right-click a proxy agent, such as WinSock Proxy, and select Properties from the menu. This will bring up the WinSock Proxy Service Properties sheet, as shown in Figure E. Click the Security button on the Service tab to open the Security page. There are several tabs on this page that you can use to increase network security, as you can see in Figure F.
Figure E: You can secure each proxy agent by modifying its properties.
Figure F: Click the Security button to configure security settings on this screen.
Let’s take a quick look at what each tab has to offer:
- Packet Filters: Allows you to configure packet filtering. Packet filtering controls which IP packet types are accessible to internal network services. You can deny packets, block packets from specific Internet hosts, and reject address spoof, SYN, and FRAG attacks.
- Domain Filters: Allows you to enable domain filtering, which grants or denies access to all domains except the ones you specify.
- Alerting: Allows you to set up a proxy to send you an alert via e-mail or to add an event to the Event Log when a condition you specify has occurred.
- Logging: Allows you to set the logging options for the WinSock Proxy, Web Proxy, and Socks Proxy services. You can also set logging for packet filtering.
One way that intruders can gain access to your network is by exploiting open TCP/IP ports. You should disable all TCP/IP ports and protocols that are unnecessary. You do this, once again, by right-clicking a proxy agent and selecting Properties. The Permissions tab displays a list of the protocols that Proxy Server is aware of. From here, you can grant specific users or groups the right to use specific protocols; anyone not granted a protocol cannot use it through the proxy.
The Protocols tab of the Properties page, shown in Figure G, also lists all protocols of which Proxy Server is aware. From here, you can remove unneeded protocols. You can also change port assignments for any protocol by selecting the protocol and clicking Edit. You’ll see a list of port numbers that are allowed for inbound and outbound connections. It’s a good idea to disable any inbound ports that aren’t necessary.
Figure G: You can increase security by restricting protocols.
In this Daily Drill Down, I’ve shown you how Proxy Server can greatly enhance your network speed, security, and flexibility. It can also save you money in terms of network management and IP address leasing. It’s easy to set up and relatively easy to administer. For small networks, Proxy Server can run on an existing NT Server that has excess capacity. Its ability to deter intrusion and to manage Internet activity makes Proxy Server an application worth having.