Building an Internet Presence with Servers: Part I

by Mark Richards

How can a business build a presence on the Internet? By deploying the proper servers for specific tasks. In this article, Mark Richards explains what servers are needed for internal needs.

In this article, we present the first phase of how a business would use Internet servers to build a business on the Internet -- establishing an Internet connection. This allows the employees of a company to act as Internet peers, enabling them to browse the web, communicate via email, download files, and more.

Providing an entire organization with Internet connectivity presents a number of technology and management challenges. Immediately, the organization must be concerned with a myriad of threats posed by the mere act of connecting employees directly to the Internet without the proper management tools:

  • Security -- providing employees with direct connections to the Internet without the proper security considerations creates unacceptable risks. Threats include the risk of virus infection and distribution, hacking and penetration of the internal network, the exposure of sensitive data, and more.
  • Productivity -- a strong potential exists for the abuse of Internet access within the Internet-connected organization. Businesses need the ability to enforce their policies with regard to the appropriate use of company resources.
  • Liability -- unrestricted Internet use can expose companies to potential legal liabilities.

The proxy server software packages available today can, to a varying degree, provide a secure and manageable environment for connecting business users to the Internet by sharing a single Internet connection with employees attached to the corporate network. Selecting the right proxy server software for your organization first involves understanding how the software addresses the above concerns. Here are some features to look for:

  • Anti-virus -- choose proxy server software that provides built-in anti-virus scanning capability for all Internet traffic (email, browsing, FTP, etc.). This provides a layer of protection for your employees and the customers with whom they interact.
  • Content filtering -- prefer proxy server software that provides a layer of content filtering to manage legal liability and enforce resource policy compliance.
  • Firewall features -- reduce the risk of network security breaches with proxy server software that offers firewall functionality.

Proxy server software can further allow organizations to manage and monitor Internet usage through authentication requirements, the ability to tailor service to local users through the assignment of rights and privileges, logging of Internet usage by employees, integrated reporting tools, and more.

Another direct benefit of deploying proxy server software is the effective privatization of the computers that connect to it. When employees connect directly to the Internet, they are assigned a public IP address accessible to everyone else on the Internet. This creates a significant exposure risk, as well as further depleting the already limited pool of public IP addresses. Proxy server software, on the other hand, generally uses integrated DHCP (Dynamic Host Configuration Protocol) services to assign private IP addresses to the local computers connecting through it, thereby presenting a common, protected gateway for Internet connectivity and simplifying deployment.

Core Proxy Service Technologies
Organizations seeking a proxy server software solution may encounter an array of confusing technologies upon which these solutions are based. Each has its pros and cons, which are discussed below.

Network Address Translation (NAT) is a low-level protocol that allows proxy servers to behave much like a software router. Proxy servers supporting NAT work by forwarding packets between the local area network and the Internet while performing translation of the source and destination IP addresses. Each client computer uses the NAT proxy server as the TCP/IP gateway.

The primary benefits of NAT-based proxy solutions are the degree of transparency and the minimal client computer requirements. For many types of interactions with the Internet, such as web browsing, email, and FTP, NAT "just works," without the need to install special software on client computers or to configure Internet applications individually.

The downsides of NAT-based proxy solutions reflect the limitations of the NAT protocol itself. Software applications that support network protocols requiring multiple connections or connections that originate from an external source may require special consideration from the proxy server vendor. Also, running services behind a NAT device will generally require special port mappings to handle incoming requests. (Be sure that any proxy server package you're considering supports bi-directional port mappings.)
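
The address translation and port-mapping behaviour described above, as an added Python sketch (not code from the article or from any vendor's product). The class name, addresses and ports are constructed for illustration, and the rule that replies are accepted only from the endpoint the client contacted is an assumed, commonly seen filtering policy.

```python
from dataclasses import dataclass, field

PUBLIC_IP = "203.0.113.10"  # constructed: documentation-range public address

@dataclass
class NatGateway:
    """Toy port-translating NAT: one public IP shared by private clients."""
    public_ip: str = PUBLIC_IP
    next_port: int = 40000
    outbound: dict = field(default_factory=dict)   # flow 4-tuple -> public port
    inbound: dict = field(default_factory=dict)    # public port -> flow 4-tuple
    port_maps: dict = field(default_factory=dict)  # public port -> (host, port)

    def send_out(self, src, sport, dst, dport):
        """Rewrite the private source of an outgoing packet to the public address."""
        key = (src, sport, dst, dport)
        if key not in self.outbound:
            self.outbound[key] = self.next_port
            self.inbound[self.next_port] = key
            self.next_port += 1
        return (self.public_ip, self.outbound[key], dst, dport)

    def receive(self, src, sport, dport):
        """Rewrite the destination of an incoming packet, or return None to drop it."""
        flow = self.inbound.get(dport)
        # Replies are accepted only from the remote endpoint the client contacted.
        if flow and (flow[2], flow[3]) == (src, sport):
            return (src, sport, flow[0], flow[1])
        # Connections that originate outside need an explicit port mapping.
        if dport in self.port_maps:
            host, port = self.port_maps[dport]
            return (src, sport, host, port)
        return None

    def add_port_map(self, public_port, private_ip, private_port):
        self.port_maps[public_port] = (private_ip, private_port)

def demo():
    nat = NatGateway()
    out = nat.send_out("192.168.0.21", 51000, "198.51.100.7", 80)
    reply = nat.receive("198.51.100.7", 80, out[1])
    unsolicited = nat.receive("198.51.100.99", 4444, 25)  # no mapping yet
    nat.add_port_map(25, "192.168.0.5", 25)               # internal mail server
    mapped = nat.receive("198.51.100.99", 4444, 25)
    return out, reply, unsolicited, mapped

if __name__ == "__main__":
    print(demo())
```

The same inbound connection to port 25 is dropped before the mapping exists and forwarded to the internal host afterwards, which is why each port mapping should be treated as a deliberate exposure and reviewed like a firewall rule.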

Application Proxies
Many of the first proxy server solutions were built on the concept of application proxies. Application proxy servers require the individual configuration of each software application that uses them. For example, a web browser must be configured (through its connection settings) to direct its HTTP requests to the proxy server on a specific port.

Since each user's software applications must be configured to use an application proxy server, managing them can become a burden. Further, not all Internet software applications support the traversal of proxy servers.

Winsock Replacement
Most software applications that access the Internet establish TCP/IP connectivity through calls to the operating system's Winsock (Windows sockets) facility. This facility is provided via the presence of a special DLL located in the Windows system directory.

Some proxy servers require client computers to install software that replaces the operating system's Winsock DLL with a version that they've modified to allow for the interception of network requests, which are then redirected to the proxy server.

The downside of Winsock replacement proxy servers is that because they introduce proprietary functionality into a standard operating system facility, it can be difficult to ensure that any software application that utilizes Winsock will continue to operate normally. Due to the potential for stability problems and because Windows is gradually migrating to a protected system architecture model, Winsock replacement proxy technologies have largely fallen out of favor.

LSP Client Software
The last proxy server technology we'll discuss in this article is the installation of LSP (Layered Service Provider) software on the network client computers. LSP software is effectively installed at the layer just beneath Winsock, allowing it to intercept and redirect software network requests to a remote proxy server. This approach is far safer than Winsock replacement methods because it uses a well-known and supported Windows operating system facility (the Service Provider Interface). In addition, some LSP client software applications can automatically manage the port mappings required to run services behind a proxy server.

Although LSP proxy solutions require the installation of software on the client computers, they have the benefit of relatively transparent operation. The client software needs only to know which application requests to intercept and redirect. LSP client software can even work nicely in conjunction with NAT services -- simply configuring the LSP client software to "ignore" certain applications will cause those applications to use a NAT server instead (if available).

Most modern proxy servers employ NAT (Network Address Translation) technology, which often provides a seamless experience for end users, with no requirement to configure applications for use with the proxy server. The best proxy server solutions also allow for the use of application-level proxies or client-side application request redirection, effectively providing a greater level of overall flexibility should special needs surface.

In Part 2 of Building an Internet Presence with Servers, we'll explore the prospects of hosting Internet services such as web, FTP, email, and others.

Mark Richards is the Internal Product Manager for Deerfield.com, a server vendor.

This article was originally published on Wednesday Apr 2nd 2003