This week we'll continue our discussion on how to troubleshoot common problems with Microsoft Proxy Server 2.0. Last week we went over the basics of how the three Proxy Services worked, and some common problems in Troubleshooting the Server configuration. If you missed it, you can read that article by going HERE.
This week we'll cover issues related to the Web Proxy, WinSock Proxy and SOCKS Proxy Service. These are the core services provided with Microsoft Proxy Server and knowing the common headaches associated with them can save you some time should things go wrong.
This week we'll continue our discussion on how
to troubleshoot common problems with Microsoft Proxy Server 2.0. Last week we
went over the basics of how the three Proxy Services worked, and some common
problems in Troubleshooting the Server configuration. If you missed it, you can
read that article by going HERE.
This week we'll cover issues related to the Web
Proxy, WinSock Proxy and SOCKS Proxy Service. These are the core services
provided with Microsoft Proxy Server and knowing the common headaches associated
with them can save you some time should things go wrong.
Common Web Proxy Service Problems
Many problems involving the Web Proxy service are
related to the security configuration of the IIS Server on which the Web Proxy
service depends. Remember, the Web Proxy service is an ISAPI plug-in to the IIS
Server's WWW Service. You configure the type of security required to access
the Web Proxy service at the IIS Server console. Below you see the
authentication methods configuration interface on the IIS Server.
On this IIS 5.0 Server, you can see that all
three of the supported authentication methods are allowed: Basic
Authentication, Digest authentication and Integrated Windows
authentication. Keep in mind that Basic Authentication sends the username
and password in clear text and can be easily sniffed. Digest Authentication is
new with IIS 5.0. The IIS Server send some information to the client, and the
client browser will hash this information with the username and password. The
hash is sent to the server for authentication. The Integrated Windows
authentication is the same as the NT Challenge/Response authentication you used
in IIS 4.0.
When you see the following error:
HTTP/1.0 500 Server Error (-number)
It may be related to the use of Integrated
Windows Authentication. Change your authentication method to Basic
Authentication and see if problem goes away. If it does, you should consider
problems related to the use of NTLM on the network and perhaps consider using
only anonymous access, or Digest Authentication.
You can start and stop IIS integrated services
from the command line. The net stop and net start commands can be
used to quickly stop and start IIS services. For example, if you want to stop
the WWW Service, you could type at the command prompt:
net stop w3svc
To start it again, type:
net start w3svc
If you try to start the WWW service from the
command line, and you get an error such as:
An instance of this service is already
Its most likely because you've started the Web
Proxy Service already. Since the Web Proxy service is dependent on the WWW
service, when you start the Web Proxy service it will automatically start the
Web Proxy service.
Cache (flow) Problems
The Web Proxy services Web Cache is a wonderful
thing. If you're in an environment where you have to pay packet charges on
data moving through your Internet connection, you can save a lot of money by
implementing caching of web pages. The Web Cache can also significantly improve
perceived performance on the end user's side, which should help reduce the
calls you get regarding the "Internet" being slow.
The Cache works in the background and caches
content based on the configuration parameters you've set. The Web Cache
configuration sets how aggressively you want caching to be performed, and
whether or not you want Active Caching initiated by the Proxy Server. Active
Caching will cause the Proxy Server to fetch "popular" web pages in
the background, so that these pages have the freshest content. This
"fetching" is done during times of low processor usage.
The configuration interface for caching appears
The cache expiration policy controls how often
the server will send pages back to the user from the cache versus how often it
will forward the request to the server on the Internet. The more aggressive
caching policies will encourage more cache hits. The drawback is that users may
see stale pages more often. The caching feature can always be side-stepped from
the client side by hitting the F5 key.
You can see the Advanced Settings for the Web
The Web Cache doesn't run into problems very
often. When there are problems, they're usually related to corruption of some
of the files in the web cache. When the Web Proxy service starts up, it always
checks the integrity of the web cache. If the cache is large, it may take some
time for the Web Proxy service to fully initialize. Keep this in mind if you've
configured a very large web cache and it seems like it takes a long time
for the service to boot up.
If the Web Proxy service fails to start, check
for proxy problems in the Event Viewer. If problems related to cache
corruption are mentioned, open a command prompt, change the focus to the drive
that contains the cache, and type:
This will find and correct file system problems
and hopefully fix them. Make sure that the Web Proxy service is stopped
when you are performing any of these maintenance tasks! You might also try
resizing the cache after performing this operation.
If this doesn't fix the things, you might be
experiencing more significant issues with the cache folder hierarchy. In this
case, you should disable caching and then delete the cache folder hierarchy. If disk
file related problems are getting this bad, you should
make sure that the disk is in good shape. If the disk drive is in the process of
going belly-up, you should replace the disk before re-enabling the Web Cache
WinSock Proxy Related Problems
The WinSock Proxy service is used to provide access for
WinSock programs that are not able to use the Web Proxy service. Since the Web
Proxy service supports only CERN compliant applications and only the FTP, HTTP,
HTTPS and gopher protocols, you must use the WinSock Proxy service to support
any other application layer protocols you want to put into service. Common
examples would be for SMTP, POP3, and NNTP.
The WinSock Proxy service is able to accomplish this amazing
feat by replacing the winsock.dll's on the client machines that need to use the
WinSock Proxy service. This is one of the major sticking points for many
administrators. They are loath to add client
software because of concern over how the client software will interact with
other software installed on the client machine. In our experience, the WinSock
client has little or no effect on the overall performance of client workstations
on which it is installed.
The WinSock Proxy client .dll's will pick up the request
made from user agents on the client workstations and forward those requests to the WinSock
Proxy service on the Proxy server. All this takes place in the background and
the users are not aware of the process. There is no application
configuration required in most cases.
WinSock Proxy related problems often can be traced back to the
Local Address Table or LAT. The LAT is used to determine if a request should be
handled by the WinSock Proxy service, or if the request can be forwarded directly
to the server. The LAT therefore should contain address ranges
that encompass your internal network. If a foreign address is included in the
LAT, requests to that address will not be subjected to WinSock Proxy service
Common service requests such as DNS must go through the
WinSock Proxy client software. If the machine tries to make a DNS query and it does not
have permission to do so, the DNS query will fail. Normally, the DNS Server is
on the internal network, therefore access permissions are not an issue. If
DNS queries are failing, make sure that the DNS Server is included on the LAT so
that WinSock Proxy access controls are not applied.
You can also use the chkwsp32.exe application on the
WinSock Proxy clients to check out the connection status between the WinSock
Proxy client and server. Often you'll find out that the WSP Service has been
disabled in the Control Panel, and its just a matter of turning the client back
on and everything is fine. Also, make sure that the Internet connection is
actually functional by going to the Proxy Server itself and confirming that
Internet access is possible.
SOCKS Proxy Problems
The SOCKS Proxy service is used to allow non-Windows clients
access to the Internet via the Proxy Server. If you are running a Windows only
environment, it would be best to completely ignore the SOCKS Proxy service.
Better yet, disable the SOCKS Proxy. You can stop the SOCKS Proxy service via the
Internet Services Manager interface, but when you restart the machine, it will
just "grow back".
A better solution for eradicating the SOCKS Proxy service is
to whack it via the Registry. The key is:
Change the value for SocksServiceEnabled to 0, and say goodbye
If you must run the SOCKS Proxy Service, keep in mind that the
default rule is to deny all connection requests. Access controls for the SOCKS
Proxy are not integrated with the SAM or Active Directory as they are with the
Web and WinSock Proxies. To control access, you identify source and destination
port and IP addresses, as seen in the shot of the SOCKS configuration interface
It is best policy to deny all requests, and then create
specific rules for those ports that you want accessible to the SOCKS Proxy
clients. When configuring the rule, you must set the action (deny or permit),
the source and destination IP addresses or network IDs, and the port number for
the destination machine. To see the rules interface click HERE.
Check out Basic To Basics next week, when we'll go over the
issue of using PING behind a Proxy Server and also how to configure your Proxy
Server on a DMZ subnet.