One of the subjects that you must get acquainted with in order to excel in any network environment, and on your Windows 2000 MCSE exams, is that of proxy servers and firewalls. Microsoft has an exceptional proxy server in their product Proxy Server 2.0. Although this product is getting a little long in the tooth, and is about to be supplanted by Microsoft Security and Internet Acceleration Server, it still remains a powerful ally on any Microsoft network.
What is Microsoft Proxy Server?
Microsoft Proxy Server can provide both inbound
and outbound security for an organization. In addition to its security features,
Proxy Server 2.0 is able to cache objects retrieved from the Internet. This
caching feature significantly improves the perceived client performance for
Internet access, and has the potential for reducing traffic both on the external
interface of the proxy server, and at the corporate network backbone.
The Proxy Server Services
Microsoft Proxy Server is actually a collection
of server services. Some of these services are dependent upon, or "run on
top of", Microsoft Internet Information Server. The Proxy Server services
- The Web Proxy Service
- The WinSock Proxy Service
- The SOCKS Proxy Service
Each of these services has capabilities and
requirements that are specific to that service. In addition, there are aspects
of the Proxy Server configuration which span all three of the Proxy Server
The Web Proxy Service
The Web Proxy Service provides access to FTP,
HTTP, HTTPS and Gopher protocols for CERN compliant browsers. With a CERN
compliant web browser, users can access FTP, Web and Gopher sites via the Web
One of the most useful aspects of the Web Proxy
Service is the Web Cache. Almost all objects that are retrieved by the
Web Proxy Service are placed in the Web Cache. After the object is placed in
cache, a subsequent request for the same web object can be returned to the Web
Proxy client from cache, rather than the web server from which the object
originated. This improves the perceived performance from the client end, and can
reduce bandwidth utilization on the external interface of the Proxy Server.
Like all three of the Proxy Server services, the
Web Proxy clients can be subject to access controls. You can control which users
or groups can access the various Web Proxy protocols. Figure 1 shows the
configuration dialog box to configure these permissions.
The Web Proxy Service is an ISAPI
"plug-in" to the WWW Service of the Microsoft Internet Information
Server. This makes the Web Proxy Service dependent on the WWW Service in order
to function properly. The authentication mechanism used by the Web Proxy Service
is configured in the WWW Service's properties dialog box.
The WinSock Proxy Service
The WinSock Proxy Service provides Internet
access to WinSock applications that are not CERN compliant. Since the Web Proxy
Service provides support only for CERN-compliant browsers, and only supports FTP,
HTTPS, HTTP and Gopher, the WinSock Proxy Service provides the support for other
important protocols. SMTP, NNTP, IRC, POP3 and Telnet are just a few of the
protocols that are supported out of the box. You can configure support for other
protocols if you require them.
Unlike the Web Proxy Service, the WinSock Proxy
Service is not dependent on Internet Information Server, and is specifically not
dependent on the WWW Service. Another important consideration is that the
WinSock Proxy Service clients do not take advantage of the Web Cache.
Remember that the Web Cache is a service provided by the Web Proxy
Service for Web Proxy Clients. However, there is no reason why network client
machines cannot be both Web and WinSock Proxy Clients.
Access Controls for the WinSock Proxy Service are
configured in a fashion similar to that of the Web Proxy Service. Figure 2 shows
the configuration dialog box for the WinSock Proxy Service.
The SOCKS Proxy Service
The SOCKS Proxy Service allows Internet access
for your non-Windows clients that need access to protocols not supported by the
Web Proxy Service. You might think of the SOCKS Proxy Service as the Mac/UNIX
version of the WinSock Proxy service. However, the two services are managed
quite differently from one another.
Proxy Server 2.0 supports SOCKS version 4.3a and
does not support SOCKS version 5.0. This is important to keep in mind if
you have games or other applications that require SOCKS support.
Security configuration of the SOCKS Proxy Service
is somewhat clumsy when compared to the Web and WinSock Proxy configuration
schemes. The SOCKS Proxy Service is not security account aware. You configure
access based on source and destination IP addresses or network IDs. Figure 3
shows an example of the SOCKS Security configuration dialog box.
It is interesting to note that the SOCKS Proxy
Service is implemented as a part of the Web Proxy Service, and therefore it too
is dependent on the WWW Service of the IIS Server to function properly.
Troubleshooting Microsoft Proxy Server 2.0
Although Proxy Server 2.0 appears on the surface
to be relatively simple in design and implementation, it can be challenging to
get all parts of the program to work the way you want them to work. Since Proxy
Server 2.0 is actually several servers in one, you must be able to manage,
configure and troubleshoot multiple services and server configuration issues.
We can break down problems you might encounter
with Proxy Server 2.0 in the following ways:
- Troubleshooting the Proxy Server Configuration
- Troubleshooting the Web Proxy Service
- Troubleshooting the WinSock Proxy Service
- Troubleshooting the SOCKS Proxy Service
- Troubleshooting Network Services Interaction
with Proxy Server 2.0
Let's begin with troubleshooting common Proxy
Server 2.0 server configuration issues.
Troubleshooting the Server Configuration
The most common server configuration issues you
will run into are related to the Network Interface Card, the Local
Address Table, or Packet Filtering.
Network Interface Configuration Issues
There are a few issues that are commonly
encountered by both new and experienced administrators when they configure the
interfaces on the proxy server. One of these has to do with how the Default
Gateway is configured for the machine.
For the Proxy Server to work correctly, you need
to assign only one default gateway on that computer. The default gateway
entry should be made only on the external interface of the Proxy Server
machine. If you add other gateways, you might find yourself getting into
trouble, and having some of the packets routed back to your internal network.
The most common problem we run into is that the
administrator has configured a default gateway on the internal interface of the
proxy server computer. Once that entry is removed, everything ends up working
fine. Also remember to disable IP Forwarding on all the interfaces so that users
won't be able to circumvent the Proxy Server.
When setting up the Proxy Server, be sure that
you are able to supply all the required information for the external interface.
This includes the remote router (default gateway), the Proxy Server's public
IP address and subnet mask, and the DNS Server's address. If you find that
clients are able to connect to resources via IP address and not via FQDN, then
check on the configuration of the DNS Server address.
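The interface rules above (one default gateway, on the external interface only; IP forwarding off everywhere; the external interface fully specified including a DNS server) can be checked mechanically. The following is an added example, not code from the article or from Microsoft; the interface records and addresses are constructed sample data rather than anything read from a real Proxy Server.

```python
# Added example: validate a Proxy Server 2.0 interface layout against the
# rules described in the text. All interface data here is constructed.
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Interface:
    name: str
    role: str                       # "external" or "internal"
    ip: str
    mask: str
    gateway: Optional[str] = None   # default gateway set on this interface, if any
    dns: List[str] = field(default_factory=list)
    ip_forwarding: bool = False


def check_proxy_interfaces(interfaces):
    """Return a list of findings; an empty list means the layout follows the rules."""
    findings = []
    external = [i for i in interfaces if i.role == "external"]
    with_gateway = [i for i in interfaces if i.gateway]

    if len(external) != 1:
        findings.append("exactly one external interface is required")

    # Only one default gateway on the machine, and only on the external side;
    # a gateway on an internal interface can route packets back inside.
    if len(with_gateway) != 1:
        findings.append(f"expected one default gateway, found {len(with_gateway)}")
    for i in with_gateway:
        if i.role != "external":
            findings.append(f"{i.name}: default gateway on an internal interface")

    # The external interface needs gateway, IP, mask and a DNS server; a missing
    # DNS entry is the classic "IP works, FQDN does not" symptom.
    for i in external:
        if not i.gateway:
            findings.append(f"{i.name}: external interface has no default gateway")
        if not i.dns:
            findings.append(f"{i.name}: no DNS server configured (FQDN access will fail)")

    # IP forwarding on any interface lets clients bypass the proxy entirely.
    for i in interfaces:
        if i.ip_forwarding:
            findings.append(f"{i.name}: IP forwarding enabled")
    return findings


# Constructed sample layouts (203.0.113.0/24 is a documentation range).
GOOD_LAYOUT = [
    Interface("External", "external", "203.0.113.10", "255.255.255.0",
              gateway="203.0.113.1", dns=["203.0.113.53"]),
    Interface("Internal", "internal", "10.0.0.1", "255.0.0.0"),
]
BAD_LAYOUT = [
    Interface("External", "external", "203.0.113.10", "255.255.255.0",
              gateway="203.0.113.1"),                      # no DNS server
    Interface("Internal", "internal", "10.0.0.1", "255.0.0.0",
              gateway="10.0.0.254", ip_forwarding=True),    # second gateway, forwarding on
]

if __name__ == "__main__":
    for label, layout in (("good", GOOD_LAYOUT), ("bad", BAD_LAYOUT)):
        print(label, check_proxy_interfaces(layout) or "OK")
```

Run against the "bad" layout it reports the extra gateway, the gateway on the internal interface, the missing DNS server and the enabled forwarding; the "good" layout comes back clean.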
Local Address Table Issues
The local address table is used to determine
which machines are located on the internal network, and therefore putatively do
not require processing by the Proxy Server. If a request comes to the Proxy
Server for a machine whose IP address is located in the Local Address Table
(LAT), then the Proxy Server will forward the request to the internal server
without subjecting it to further processing, such as the application of access
Be sure not to place the external interface's
IP address on the LAT. If you do so, the Proxy Server will interpret the
external interface as a local address, and the proxy server will not forward
requests to Internet hosts!
If you find that clients are suffering from poor
performance when accessing local servers on the network, check to see if those
local servers are on the LAT. The Proxy Server must evaluate all requests for
resources that are not contained in the LAT. If your internal servers' IP
addresses are not on the LAT, then the Proxy Server must evaluate all requests
made to those internal servers. This might lead to a situation where the Proxy
Server has to evaluate large volumes of requests for internal resources. If the
Proxy Server becomes "bogged down" evaluating such requests, overall
performance will suffer.
To prevent the Proxy Server from being
overwhelmed by these internal requests, check that all internal servers' IP
addresses are included in the LAT.
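The LAT decision and the two mistakes described above (the external interface's address on the LAT, internal servers left off it) are easy to model. This is an added example, not the article's or Proxy Server's own code; it assumes the LAT is held as a list of address ranges, which is the form the Proxy Server LAT dialog uses, and the ranges and server addresses are constructed samples.

```python
# Added example: LAT lookup, the routing decision it drives, and an audit for
# the two common LAT mistakes. All addresses are constructed sample data.
import ipaddress

# Constructed sample LAT: (first, last) address pairs.
SAMPLE_LAT = [
    ("10.0.0.0", "10.255.255.255"),
    ("192.168.1.0", "192.168.1.255"),
]


def lat_contains(lat, ip):
    """True if ip falls inside any range of the table."""
    addr = ipaddress.IPv4Address(ip)
    return any(ipaddress.IPv4Address(lo) <= addr <= ipaddress.IPv4Address(hi)
               for lo, hi in lat)


def route_request(lat, dest_ip):
    """Mirror the decision in the text: a destination in the LAT is forwarded to
    the internal host without further processing; anything else goes through
    the full proxy evaluation (access control, caching, and so on)."""
    return "forward-local" if lat_contains(lat, dest_ip) else "proxy-evaluate"


def audit_lat(lat, external_ip, internal_servers):
    """Flag an external address in the LAT and internal servers missing from it."""
    findings = []
    if lat_contains(lat, external_ip):
        findings.append(f"external interface {external_ip} is in the LAT; "
                        "requests to Internet hosts will not be forwarded")
    for name, ip in internal_servers.items():
        if not lat_contains(lat, ip):
            findings.append(f"{name} ({ip}) is not in the LAT; every request to it "
                            "will be evaluated by the proxy")
    return findings


# Constructed sample servers; 172.16.0.10 is deliberately outside SAMPLE_LAT.
SAMPLE_SERVERS = {"fileserver": "10.0.0.5", "intranet": "172.16.0.10"}
SAMPLE_EXTERNAL_IP = "203.0.113.10"

if __name__ == "__main__":
    for dest in ("10.1.2.3", "203.0.113.5"):
        print(dest, "->", route_request(SAMPLE_LAT, dest))
    for f in audit_lat(SAMPLE_LAT, SAMPLE_EXTERNAL_IP, SAMPLE_SERVERS):
        print("finding:", f)
```

With the sample data the audit reports only the intranet server; adding the external interface's range to the table produces the second, more damaging finding.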
Client-side Array Routing
When a Proxy Server that is a member of a Proxy
Array receives a request for an Internet object, it must perform a series of
calculations to determine where the object is located in the Web Cache, and if
it is located in there at all. This takes a number of processor cycles on the
Proxy Array member. When Array members must do all the intra-array cache route
processing, it can have a negative effect on the overall performance of the
To reduce the impact of array routing on the
Proxy Servers, you can have the clients perform this function. In order to do
so, you must configure the clients to use the Automatic Configuration Script,
which can be configured in the client's browsers. This script takes the
and you replace <servername> with the name
of a Proxy Server that is a member of an array.
When you configure the clients to use this
script, the clients will perform the routing functions necessary to identify the
location of web objects that may be located in cache. This offloads the
processing overhead on the Proxy Servers, and distributes it across all the
proxy clients on the network.
Keep in mind who the Proxy Clients are on your
network. Client workstations are always thought of as Proxy Server clients.
However, other important Proxy Server clients are downstream Proxy Servers in
a Proxy chain. Be sure to configure the downstream servers to use the automatic
configuration script as well.
Proxy Server can also act as a rudimentary
firewall product by implementing Packet Filtering on the external
interface. The proxy server will examine all packets received on the external
interface and assess whether or not that packet should receive further
processing. If the packet arriving on the external interface does not meet the
requirements set for the packet filters, the packet will be immediately dropped
without any further processing.
The key problem a lot of administrators
implementing Proxy Server run into is that they don't realize that these
packet filters apply to the external interface only. The packet filter
settings you configure on the Proxy Server do not apply to any of the internal
interfaces. In addition, you won't even be able to configure packet filters at
all unless you have configured an external interface on the Proxy Server.
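The two points above, that filters are evaluated only on the external interface and that no filter set exists without an external interface, are shown in the following added example. It is not the article's or Proxy Server's code; the filter rules, interface names and packets are constructed, and the "allow by protocol and destination port" rule shape is an assumption made for illustration.

```python
# Added example: external-only packet filtering. Constructed sample data; the
# rule format (protocol, destination port) is an assumption for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    interface: str    # name of the interface the packet arrived on
    protocol: str     # "tcp", "udp" or "icmp"
    src_ip: str
    dst_port: int


def build_filter_policy(interfaces, filters):
    """interfaces maps interface name -> role. Filtering cannot be configured
    at all until an external interface exists, so refuse in that case."""
    external = [name for name, role in interfaces.items() if role == "external"]
    if not external:
        raise ValueError("no external interface configured; packet filters cannot be set")
    return {"external_interface": external[0], "filters": list(filters)}


def filter_packet(policy, packet):
    """Return "accept" or "drop". Only packets on the external interface are
    checked; anything arriving on an internal interface is never filtered."""
    if packet.interface != policy["external_interface"]:
        return "accept"
    for proto, port in policy["filters"]:
        if packet.protocol == proto and packet.dst_port == port:
            return "accept"
    return "drop"   # no matching filter: dropped with no further processing


# Constructed sample policy and traffic (198.51.100.0/24 is a documentation range).
INTERFACES = {"External": "external", "Internal": "internal"}
FILTERS = [("tcp", 80), ("tcp", 443), ("tcp", 25)]
POLICY = build_filter_policy(INTERFACES, FILTERS)
SAMPLE_PACKETS = [
    Packet("External", "tcp", "198.51.100.7", 80),    # permitted inbound web
    Packet("External", "tcp", "198.51.100.7", 23),    # telnet, no filter: dropped
    Packet("Internal", "tcp", "10.0.0.42", 23),       # internal side: never filtered
]

if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        print(p.interface, p.protocol, p.dst_port, "->", filter_packet(POLICY, p))
```

The third packet is the one administrators tend to be surprised by: an identical packet is dropped on the external interface but passes untouched on the internal one, because the filter set simply is not consulted there.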
In the next installment of Back to Basics,
we'll go over issues related to troubleshooting the Web Proxy, WinSock Proxy,
and SOCKS Proxy Service. We'll also cover special configuration issues and DMZ