RevGuide - Netline


High Performance Web Caching and Firewall Security
in One Affordable, Integrated Product

Reviewer Guide





Version 2.0




Microsoft Proxy Server 2.0 is the first product to combine extensible firewall security and high-performance content caching in one integrated package.

Overview

Microsoft Proxy Server 2.0 is more than just an economical and secure way to provide managed Internet access to every desktop within an organization. The new product also provides important performance and security features that make it a cornerstone within next-generation Intranets and even within the public Internet infrastructure.

Microsoft Proxy Server, with version 2.0, offers unbeaten scalability and proxy performance with its new distributed caching, both array-based and hierarchical. Plus the product is now a firewall, providing packet layer, circuit layer, and application layer security, along with extensive logging and real-time alerting features.

This guide highlights important features included in Microsoft's Proxy Server 2.0 for Windows NT Server 4.0.

Using this Guide

This guide is as concise as possible to help ensure your review cycle proceeds smoothly. The document highlights product features and describes how these features can benefit large and small enterprises as well as Internet service providers.

The feature walk-through also provides some useful tips to help you install and set up a testbed network for your evaluation. For additional configuration and usage information, please refer to the Microsoft Proxy Server 2.0 online documentation and ReadMe document, both of which accompany the product.


The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the publication date. This document is for informational purposes only.

MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.

Microsoft, ActiveX, BackOffice, the BackOffice logo, MS-DOS, NetShow, Windows, and Windows NT are registered trademarks of Microsoft Corporation in the United States and/or other countries.

Java is a trademark of Sun Microsystems, Inc.

Other product and company names herein may be the trademarks of their respective owners.

Originally Published June 1997
Updated September 1997

Copyright 1997 Microsoft Corporation




CONTENTS

Overview: Network Security, Performance, and Affordability  1
  The Need for Network Security, Performance and Affordability  1
  Firewalls Provide Security  1
  Content Caching Provides Network Performance and Cost Savings  2
  Defining the Term "Proxy"  2
  Connecting to the Net via Proxy: a Secure Gateway  3
  Beginning to Address the Need: Microsoft Proxy Server 1.0  4
What's New in Microsoft Proxy Server 2.0  5
  Overview: Microsoft Proxy Server 2.0  5
  Extensible Security  5
  Unbeaten Performance, Scalability, and Cost-Savings  6
  Easy, Comprehensive Management  6
Features At A Glance  7
Testbed Configuration for Proxy Server 2.0  10
Dynamic Packet Filtering Security  14
Application Layer and Circuit Layer Security  18
  Microsoft Proxy Server: Multi-Layered Security  18
  Application Layer Security with Web Proxy  18
  Circuit Layer Security with WinSock Proxy  19
  Circuit Layer Security with SOCKS Proxy  21
Real Time Security Alerts and Logging  23
Reverse Proxy, Virtual Hosting and Server Proxying  25
  Enhanced Web Publishing Support  25
  Server Proxying  26
Distributed Content Caching  31
  Cache Arrays: A New Approach to Scalability & Fault Tolerance  31
  Array Administration  32
  Hierarchical Caching  36
  Cache Array Routing Protocol: A Better Way to Scale  38
Active, Intelligent Caching  39
Performance  41
  Real-World Proxy Server Usage  41
  Real World Proxy Server Performance Improvements  41
Windows NT Server Integration for Great Manageability  43
  Windows NT Server 4.0 Integration  43
User Access Control  45
Site Filtering Control  48
  Enabling Managed Internet Access  48
  Value-Added Site Filtering Services  49
Automatic Client Configuration  50
IPX-to-IP Gateway  54
Auto-Dial Internet Connection  55
  Cost-Savings and Added User Access Control  55
  Makes Use of Windows Dial-Up Networking  55
  New Enhancements: Back-Up Routes and Easier Use  56
Extensibility and Complementary Products  58
  Third Party "Plug-In" Products: The Virtual Bundle  58
  Other Firewalls: Complementary or Competitive?  59
Detailed Feature Matrix  60
For More Information  61
Appendix A: What is the Local Address Table (LAT)?  62
  How is the LAT Defined?  62
Appendix B: Windows NT Server: Overview of a Secure Operating System  64
  Windows NT Features  64
  Single Log-on and Remote Sessions  65
  Password Management  66
  Access Control Lists (ACLs)  66
  Central Admin & Roles  67
  Security Audit Trail  67
  Routing and Remote Access Service (RRAS) & Point-to-Point Tunneling Protocol (PPTP)  67
  Basic Protocol Security  68
  C2 and its Companions  68
  And the story continues...  69
  Enabling Technologies  70
  CryptoAPI & S-Channel  70
  P-Store, Microsoft Wallet & PFX  71
  Smart Cards  72
  SSPI & Secure RPC & DCOM  72
  Applications  73
Summary  74


OVERVIEW: NETWORK SECURITY, PERFORMANCE, AND AFFORDABILITY

The Need for Network Security, Performance and Affordability

Commercial and residential Internet access growth is exploding. Every day, more and more companies connect their internal networks to the Internet for a variety of reasons: productivity, customer service, collaboration, and more. Some of the biggest issues these organizations, small and large alike, face as they extend their networks to the Internet are security, manageability, and cost. Firewalls and content cache servers help organizations address these issues effectively.

Firewalls Provide Security

Most people are familiar with the term "Internet firewall." It is commonly used and reasonably well accepted as a reference to hardware and software used to restrict entry to an organization's network from the Internet. Firewalls typically provide multi-layered security, at the packet and application layers, although many routers that provide only packet filtering are often called firewalls. Firewalls also usually provide alerting mechanisms to let network managers know if their networks are under attack by intruders. Some firewall products also support virtual private networks (VPNs) between locations. VPNs provide a low-cost, secure connection path between, for example, a branch office and a corporate headquarters location, across public network facilities.

The firewall market is experiencing significant growth, fueled by the growth in Internet access and the importance of security. The market has evolved from an era just a few years ago in which customers had to design or have built for them their own firewalls from the ground up. These custom-made firewall solutions were very expensive to create and often difficult to manage. In the early '90s a number of commercially available firewall products started to appear, making the process of securing internal networks a bit easier. Today firewall solutions are much less expensive than just a couple of years ago, but the typical $5,000 to $20,000 price tag often prevents all but large organizations from benefiting from firewalls. Many industry analysts expect firewall prices and usability to reach broad market status by the year 2000.


Content Caching Provides Network Performance and Cost Savings

The content cache server category is a relatively new category and less well understood in general than firewalls. Like the firewall market, growth in the content caching category mirrors the growth in Internet access. While firewalls provide security, content cache servers and application proxy servers typically provide better network performance and cost savings. Content caching servers are often used alongside firewall solutions, but firewalls, to date, have not included content caching.

Caching reduces network traffic and, therefore, network costs, because it moves data closer to the users who are accessing the data. As a result, the data does not have as far to travel across the public Internet or across an enterprise network to reach the person who needs it. This reduces network traffic and congestion. In addition, many proxy servers enable network managers to control which Internet services their users are able to access. This is referred to as user access control and site filtering.

Content caching is already important to many large enterprises and Internet Service Providers (ISPs) and it is making its way into smaller organizations. Looking ahead, content caching is expected to take on a critical role for organizations of all sizes. The increasing use of Internet technologies within organizations for Intranets and the emergence of "push" technologies, which proactively move content across the Internet or Intranets for more personalized service, is expected to further increase the need for proxy server products.

Defining the Term "Proxy"

The term proxy means "to do something on behalf of someone else." In networking terms, a proxy server computer can act on the behalf of several client PCs requesting content from the Internet or even elsewhere on an Intranet. In this case, the proxy server is the secure gateway to the Internet for several client PCs.













[Figure: A proxy server interacts with the Internet on behalf of the client PCs. Labels: Internet; Microsoft Proxy Server; Secure Network; LAN]


The proxy server is more or less transparent to the other parties in this communications path, the user and the Internet resource. The user interacting with the Internet at his desktop PC should not be able to tell that a proxy server is interceding, that is, unless the user attempts to access a service or go to a site the proxy server is disallowing. The web server being accessed across the Internet interprets the requests from the proxy server as requests from a browser or FTP client.

The proxy server in this scenario is dual-homed, meaning the server computer has two network cards. One card connects the computer to the enterprise network. The other card connects the computer to the outside world, in this case, to the Internet.

Connecting to the Net via Proxy: a Secure Gateway

Organizations wanting to extend Internet access to user desktops would be well advised to use a proxy server. A secure gateway from the organization's Intranet out to the Internet has several important advantages over other possible methods.

There are two primary alternatives to using a proxy server that some organizations use to provide Internet access to their users: (1) run phone lines directly to those users who want Internet access; or (2) set up a few PCs and place them in locations where they can be shared resources among several people. Both of these alternatives have serious drawbacks when compared to using a proxy server.


Disadvantages of using dedicated lines to each user for Internet access:

• Extra hardware (e.g., modem) expense at each desktop
• Recurring phone line charge for each user
• No sharing of the phone line or Internet account resource
• No network manager control over user's Internet experience
• Major security breach if modem-equipped PC is connected to LAN
• Poor performance for the user (due to modem connectivity)

Disadvantages of sharing Internet-ready PCs among several users:

• Inconvenience for user
• Frequent lack of availability (other people using the computer)
• Everyone using the Internet on those PCs gets the same service; no ability to customize the Internet services to make them appropriate to the individual
• Tracking and logging usage by user is difficult to impossible

A proxy server, by contrast, offers several advantages:

• Sharing of the Internet connection resource among many users
• Single, secure gateway to manage and monitor
• Ability to offer Internet access appropriate to the individual or group
• Ability to track usage by user
• Much better performance, especially if proxy server includes caching
• Very affordable

Beginning to Address the Need: Microsoft Proxy Server 1.0

In November 1996, Microsoft introduced Microsoft Proxy Server version 1.0. The product provides an easy, secure way to bring Internet access to every desktop within an organization. With content caching, Microsoft Proxy Server accelerates the Internet experience and reduces the cost of network communications. The product also provides user access control and site blocking for management oversight of Internet use. Version 1.0 has been well received, particularly among small to mid-size organizations, moving rapidly alongside Netscape Proxy Server as the leading product in the category based on unit volume and market presence.

Unlike other proxy or content cache servers, Microsoft Proxy Server 1.0 provides great security with its application layer and circuit layer proxies. The product is secure enough that it can be placed at the boundary of an organization's network (i.e., where the internal network meets the outside world) without additional firewall support required. Microsoft Proxy Server is complementary to other firewalls, however.

Although Microsoft Proxy Server 1.0 provides application layer security and is resistant to most of the attacks firewalls resist, the product does not provide all the features commonly associated with a firewall. Namely, the version 1.0 product does not include packet filtering, nor does it perform alerting or detailed logging of live network attacks. In addition, large enterprise customers and ISPs often find they need to have a group of proxy servers working together to provide better scalability and performance across their networks.

Microsoft is now moving forward with the next version of Microsoft Proxy Server: version 2.0. The new product, now available, addresses the need for firewall security and for scalable content caching for any size enterprise customer or ISP.






WHAT'S NEW IN MICROSOFT PROXY SERVER 2.0

Overview: Microsoft Proxy Server 2.0

Microsoft Proxy Server 2.0 is an extensible firewall and content cache server, providing Internet security while improving network response time and efficiency by 50%, on average, for businesses of all sizes. The product is re-defining the firewall and content caching categories. It is the first firewall product to include high-performance content caching. Similarly, it is the first content cache server to provide firewall support.

Microsoft Proxy Server 2.0 delivers a compelling combination of security and performance, and the product is within reach of organizations of virtually any size. This should help broaden and accelerate distribution channel presence and expertise of these networking solutions so more customers can take advantage of Internet technologies. Microsoft Proxy Server is a member of the Microsoft BackOffice family of server applications.










[Figure: Microsoft Proxy Server 2.0 shown against the two product categories it spans: Security (Firewall Products) and Performance/Caching (Web Cache Products)]

Key New Features in version 2.0 (compared with version 1.0):

Firewall Security
• Dynamic Packet Filtering
• Reverse Proxy
• Reverse Hosting
• Server Proxying
• Real-time alerts & logging
• VPN support

Performance / Cost-Savings
• Array-Based Content Caching
• Hierarchical Caching
• Cache Array Routing Protocol Support
• FTP Caching
• 40% Better Performance
• HTTP 1.1 Support
• SOCKS support

Management
• HTML-Based Admin (available via Web download shortly after Proxy 2.0 general release)
• Command-Line & Scripting
• Array Administration
• Config Backup & Restore

Extensible Security

Microsoft Proxy Server acts as a gateway with firewall-class security between a Local Area Network (LAN) and the Internet. Several new features have been added to Microsoft Proxy Server 2.0 to enable its use as a firewall. The product supports dynamic packet filtering, in addition to application layer security and circuit layer security. The product also provides the alerting and logging features demanded by firewall users. Plus, when Microsoft Proxy Server is used with the Routing and Remote Access Service Update for Windows NT Server, customers can enjoy the cost-savings and security of Virtual Private Networks (VPNs).

Microsoft Proxy Server can play an important role in enforcing an organization's overall security policy. Customers can choose from a variety of virus scanning, JavaScript and ActiveX filters, site blocking enhancement products and other security products built on the Microsoft Proxy Server platform that are available today from third party companies. Third party developers can use Microsoft Proxy Server 2.0 as a platform for value-added development due to the product's extensibility. In addition, because the best security policy is one that includes multiple mechanisms to provide backup and depth, Microsoft Proxy Server 2.0 can be used in a very complementary way with other security products, including high-end firewall solutions, to meet the specialized security needs for a wide spectrum of customers.

Unbeaten Performance, Scalability, and Cost-Savings

With version 2.0, Microsoft Proxy Server introduces array-based and hierarchical (or chain-based) caching to deliver unbeaten linear scalability. This enables large enterprises and ISPs to make use of the product in their most demanding locations. Content caching is becoming distributed, moving to branch offices and to the departmental level within enterprises and in various ISP Points of Presence. Microsoft Proxy Server, with support of a new industry standard called Cache Array Routing Protocol, provides unbeaten distributed content caching performance and deployment flexibility.
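The scalability claim for the Cache Array Routing Protocol rests on how requests are mapped to array members: each URL is hashed together with each member's name and the member with the highest combined score owns that URL, so growing or shrinking the array only moves the URLs whose winning member changed. The following simulation is an added illustration for this guide, not Microsoft Proxy Server code; it uses a SHA-256 prefix as a stand-in for the draft's own hash loop (an assumption that keeps it short), constructed member names and URLs, and compares the remap cost against naive hash-modulo-N bucketing when a fourth member joins a three-member array.

```python
"""CARP-style hash routing versus modulo hashing (illustration, not product code).

Assumptions: the 32-bit hash below is a stand-in for the hash defined in the
CARP Internet-Draft; member names "proxy1".."proxy4" and the example.com URLs
are constructed for the demonstration.
"""
import hashlib
from typing import Callable, List


def _hash32(text: str) -> int:
    """Deterministic 32-bit hash of a string (first 4 bytes of SHA-256)."""
    return int.from_bytes(hashlib.sha256(text.encode("utf-8")).digest()[:4], "big")


def carp_route(url: str, members: List[str]) -> str:
    """Return the array member responsible for `url`.

    Every (URL, member) pair gets a combined score that depends only on the URL
    and that member's own name; the highest score wins. Adding a member can only
    steal URLs for which the newcomer now has the top score, about 1/N of them,
    and the result does not depend on the order in which members are listed.
    """
    url_hash = _hash32(url)
    best_member, best_score = None, -1
    for name in members:
        score = _hash32(f"{url_hash:08x}|{name}")   # combine URL hash with member name
        if score > best_score:
            best_member, best_score = name, score
    return best_member


def modulo_route(url: str, members: List[str]) -> str:
    """Naive alternative: bucket by hash modulo member count (changing N reshuffles most URLs)."""
    return members[_hash32(url) % len(members)]


def remap_fraction(urls: List[str], before: List[str], after: List[str],
                   route: Callable[[str, List[str]], str]) -> float:
    """Fraction of URLs whose responsible member changes between two array shapes."""
    moved = sum(1 for u in urls if route(u, before) != route(u, after))
    return moved / len(urls)


def sample_urls(n: int = 2000) -> List[str]:
    """Constructed workload: n distinct URLs spread across a few hypothetical sites."""
    return [f"http://www{i % 7}.example.com/path/{i}/page.html" for i in range(n)]


if __name__ == "__main__":
    three = ["proxy1", "proxy2", "proxy3"]
    four = three + ["proxy4"]
    urls = sample_urls()
    print("CARP remap when growing 3 -> 4 members:   %.2f" % remap_fraction(urls, three, four, carp_route))
    print("modulo remap when growing 3 -> 4 members: %.2f" % remap_fraction(urls, three, four, modulo_route))
```

Growing from three members to four moves roughly a quarter of the URLs under the CARP-style rule but roughly three quarters under modulo bucketing, which is the difference between a cache array that keeps most of its hits across a membership change and one that effectively starts cold. Because each client (or downstream proxy) can compute the same answer from the array membership list alone, no inter-proxy query is needed to find the owner of an object.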


Microsoft Proxy Server's caching can reduce network bandwidth by 50% on average, improving response time for clients, reducing network congestion, and improving control over network resources without burdening end users or network administrators. It filters and stores popular Web content locally for corporations or Internet Service Providers. Microsoft Proxy Server proactively caches frequently accessed documents to ensure the freshness and availability of data, automatically pre-loading and updating popular web pages based on heuristics of usage. Customers moving from Microsoft Proxy Server 1.0 to version 2.0 will enjoy real-world performance improvements of about 40%.


Easy, Comprehensive Management

Since Microsoft Proxy Server is integrated with Windows NT Server, administrators can use a single set of tools (including the performance monitor, user manager, event log, and access logging) to manage their intranets and Internet access. This provides a lower total cost of ownership. Version 2.0 introduces more ways to manage Microsoft Proxy Server: HTML-based administration and command line support with scripting complement the graphical user interface-based support. Easy-to-configure array administration is added. There are more tools to automate the deployment, configuration, and back-up of Microsoft Proxy Server than before. Plus network managers can enjoy the additional flexibility provided by SOCKS v4.3 support, HTTP 1.1, and FTP caching to enable expanded use of Internet and Intranet services to their users.




Microsoft Proxy Server 2.0 - Features At A Glance

EXTENSIBLE FIREWALL SECURITY

Packet Layer Security with Dynamic Packet Filtering (New!)
Microsoft Proxy Server 2.0 supports inbound and outbound packet filtering. Unlike other packet filtering firewalls, Proxy Server intelligently and dynamically determines which packets to allow to pass through to the secured network's circuit and application layer proxy services. Rather than force a network manager to manually pre-define and permanently open a set of ports for different applications, this feature opens ports automatically, only as needed, then closes the ports when the communication ends. This approach minimizes the number of exposed ports in either direction and provides a unique measure of hassle-free security.

Circuit Layer Security
Protect your Intranet via the WinSock proxy and the new SOCKS proxy. These services provide application-transparent circuit gateways. Microsoft Proxy Server 2.0 provides multi-platform access to Telnet, RealAudio, NetShow, IRC, and several other Internet services. Unlike other circuit layer proxies, Microsoft Proxy Server 2.0 circuit layer security works with dynamic packet filtering for enhanced security and ease of use.

Application Layer Security
Microsoft Proxy Server 2.0 understands and interprets commands within the application protocols (such as HTTP, FTP, and Gopher) from client PCs. Proxy Server acts on behalf of the client PC to interact with the Internet resource. The network topology and IP or IPX addresses are not revealed to the outside network.

Real-time Security Alerts (New!)
Now you can be notified immediately if your network is under attack so you can take action. Microsoft Proxy Server 2.0 supports several alerting thresholds and variables for great flexibility.

Reverse Proxy (New!)
Now you can place your web server behind Proxy Server to publish to the World Wide Web without compromising the security of the web server or its data. Proxy Server "impersonates" a Web server to the outside world, while your Web server maintains access to internal network services.

Reverse Hosting (New!)
This extension of reverse proxy allows several web servers sitting behind Microsoft Proxy Server to publish to the Internet, providing great flexibility and security in Web publishing. These additional web servers can publish independently or appear as directories in a single large virtual web server.

Server Proxying (New!)
Microsoft Proxy Server 2.0 has the ability to listen for inbound packets destined to a server computer that is connected behind the Proxy Server computer. Proxy Server then forwards the incoming requests. For example, incoming mail can be directed to your Microsoft Exchange Server computer.

Extensive Logging Support
Microsoft Proxy Server 2.0 logs via log files or to ODBC databases so network managers have a complete profile of inbound and outbound traffic moving through the Proxy Server computer. Logging has been expanded in Microsoft Proxy Server 2.0 to include alert information and other new firewall-related activity.

Virtual Private Networking with Routing & Remote Access Service Update
You can use Microsoft Proxy Server 2.0 on the same server with Routing and Remote Access Service for Windows NT Server to connect branch offices to a corporate network via the Internet. Using the Internet as a Virtual Private Network provides big cost savings compared to traditional Wide Area Network (WAN) options. This provides all-in-one access and control for use with the Internet and connectivity to a multi-site Intranet.

Secure Sockets Layer Tunneling
Microsoft Proxy Server permits SSL tunneling, which provides an encrypted path between the client and remote server. This feature is useful for secure Internet transactions and other applications.

Full authentication / logging
The built-in WinSock Proxy performs full access control, encrypted authentication, and logs all transactions.

Complementary Third Party Applications: the Virtual Bundle
A variety of third party products "plug in" to Microsoft Proxy Server 2.0 for value-added or specialized security. For example, you can use filters to prevent viruses, Java scripts or ActiveX controls from being downloaded into your secured network. Third party applications work with Proxy Server via the Internet Server Application Programming Interface (ISAPI). This extensibility gives customers great choice and flexibility.

PERFORMANCE AND COST-SAVINGS

Array-Based Content Caching (New!)
Proxy Server now allows you to set up distributed caching among multiple Proxy Server computers. Arrays allow a group of Proxy Server computers to be treated and administered as a single, logical entity. Arrays provide load balancing, fault tolerance, scalability, and ease of administration.

Hierarchical Content Caching (New!)
Proxy Server now enables caching across a hierarchical connection of individual Proxy Server computers or arrays, enabling distributed deployment to branch offices and departments. Requests from clients are sent upstream through the hierarchy until the requested object is found.

Cache Array Routing Protocol (New!)
This is a new approach for performing scalable array-based and hierarchical-based caching that has been submitted to the IETF. The new protocol, developed by Microsoft, provides substantial advantages over alternative approaches in performance to enable linear scalability with cache arrays or hierarchies. Microsoft Proxy Server 2.0 is the first product to make use of this protocol.



Active Intelligent Caching
Microsoft Proxy Server 2.0 automatically determines which web sites are most used and how frequently their content is refreshed. Proxy Server uses this information to proactively pre-load that web content into its cache during periods of low network use. This provides a consistent, accelerated Internet experience for all users accessing these web sites, without requiring network manager intervention.

FTP and HTTP Cache Support (New!)
Now you can cache not only HTTP 1.0 objects; you can also cache HTTP 1.1 and FTP objects. There is greater control over the Time-to-Live (TTL) setting, as well, with Microsoft Proxy Server version 2.0.

Hypertext Transfer Protocol (HTTP) version 1.1 (New!)
Implementation of HTTP 1.1 allows Proxy Server to use persistent client-to-proxy server connections, persistent proxy server-to-Internet server connections, read-range, and virtual hosts. Full support of HTTP 1.1 helps Microsoft Proxy Server deliver significant performance gains. (NOTE: Full HTTP 1.1 support requires use of the Internet Information Server 4.0 HTTP engine, which is not supported in the initial beta.)

Improved Cache and Proxy Performance (New!)
Microsoft Proxy Server 2.0 offers unbeaten performance to meet real-world requirements of fulfilling requests not only from the cache but also from across a live Internet connection, all while performing the full range of security and managed access. Microsoft Proxy Server 2.0 is up to 40% faster than Proxy Server 1.0.

EASY, COMPREHENSIVE MANAGEMENT SUPPORT

Windows NT Server Integration
Microsoft Proxy Server capitalizes on features that make Windows NT Server a secure, scalable network operating system. This includes the best integration with the Windows NT Server directory service for easier manageability and reduced total cost of ownership. Microsoft Proxy Server supports a single user logon for network services and applications so user accounts do not have to be re-created for Proxy Server.

User Access Control
Network managers can use Microsoft Proxy Server to set detailed user and group permission lists by Internet protocol in the Web Proxy, WinSock Proxy, and SOCKS Proxy components.

Site Filtering
Network managers can specify a list of Internet addresses (IP addresses, IP address ranges, or URLs) to be exclusively permitted or denied for access by users behind the Proxy Server.

GUI-Based Administration
Microsoft Proxy Server's Internet Service Manager provides an easy to understand way to administer a local or remote proxy server computer, proxy array, or proxy hierarchy.

HTML-Based Administration (New!)
You can administer Microsoft Proxy Server locally or remotely via a web browser for added management flexibility and ease-of-use. You can even create customized HTML error pages. (NOTE: HTML-based admin is available as a Web download.)

Command Line Administration (New!)
This tool lets you manage Microsoft Proxy Server through MS-DOS prompts if that is your preference. You can configure and manage one or more local or remote servers with this tool.

Array Administration (New!)
Multiple proxy servers can be administered simultaneously via transparent array-based administration. This allows a change to be propagated to other proxy servers with a single mouse click.

Configuration Backup & Restore (New!)
You can now back up your server configuration to a file or roll back to a previous configuration.

Client Auto-Configuration (New!)
You can automatically configure Web Proxy clients by using predefined JavaScripts or by creating your own scripts for great ease-of-use and fast enterprise-wide deployment. You can also use the Internet Explorer Administration Kit or Microsoft Systems Management Server to automate the proxy client installation.

SNMP Support
A network manager can monitor and examine the current status of any Microsoft Proxy Server on the network using an SNMP console such as HP OpenView for added flexibility and reduced cost of ownership.

FLEXIBLE NETWORKING AND APPLICATIONS SUPPORT

IPX-to-IP Gateway
Unlike other proxy servers, Microsoft Proxy Server 2.0 does not require that network managers "rip and replace" an existing legacy IPX network with IP networks. This built-in IPX-to-IP gateway can be much less expensive than other solutions. Windows 95 and Windows NT Workstation 4.0 clients are supported.

Auto-Dial Connection
This unique feature dynamically connects your network to your ISP, as needed, providing even more cost savings and user access control. This also includes a backup route to the Net if the primary path is busy.

SOCKS Support (New!)
You can now configure Microsoft Proxy Server as a SOCKS server or as a SOCKS client to an upstream SOCKS server for easy access to rich Internet services for Macintosh, Unix or other client PCs.

Unbeaten LAN & WAN Connectivity Options
Microsoft Proxy Server 2.0 can be used with over 2,000 LAN and WAN cards that have earned the Windows NT Compatible logo. This provides unbeaten customer choice and flexibility.

Great Protocol Support
A great variety of protocols is built in to Proxy Server, and more protocols can be added. The Web Proxy supports: HTTP, HTTP-S, FTP, and Gopher. The WinSock Proxy includes: AlphaWorld, AOL, Archie, Echo, Enliven, IMAP4, IRC, Microsoft NetShow, MSN, NNTP, POP3, RealAudio, SMTP, Telnet, and VDOLive. Other protocols can be added with the WinSock Proxy service and with the SOCKS Proxy service.



TESTBED CONFIGURATION FOR PROXY SERVER 2.0

To experience first-hand the majority of new features in Microsoft Proxy Server 2.0, you’ll need a minimum of four PCs. It is possible to build a testbed with 2 machines (just a client and a Proxy Server connected to the Internet), but you will only be able to review the easy configuration and setup of Proxy Server, not the performance-enhancing features, so we'll review the full configuration here.

For the full test, two PCs will be set up with the Proxy Server software running on Windows NT Server 4.0. For purposes of this demonstration, it is assumed your testbed has no direct connection to the Internet or other external Web servers. Therefore, you will use the third machine to act in this capacity, running Windows NT Server 4.0. This PC will run the Domain Name Service (DNS) and also serve as an external ‘public’ client. The last system will be an internal client, running Microsoft Windows 95.

When deployed in smaller sites, you would most likely configure the dial-up service of Microsoft Proxy Server 2.0 to make an automatic connection to your ISP. This guide does not cover dial-up access, but if you want to test this capability, you will find the information you need in the RAS section of the on-line help.

Please refer to the diagram below as we detail how to configure the test systems. The idea here is to create an internal private network, and an external network mimicking the Internet.

Proxy Server Testbed Configuration Diagram.

Platform Setups

Follow these steps to configure each computer. (For a complete list of minimum hardware requirements and detailed setup information please see the System Requirements section at the back of this document or in the user documentation.)

Server #1 - Primary computer used to examine the features of Microsoft Proxy Server 2.0.

1. Install two network interface cards (NICs).

2. Connect one NIC to the internal hub and one NIC to the external hub.

3. Normally, a proxy server is set up as a stand-alone server for maximum security. For this evaluation, set up this machine as a Primary Domain Controller (PDC). Give it a Windows NT domain name INTERNAL and a server name PROXY1.

4. Be sure to install Internet Information Server, and create at least one Windows NT File System (NTFS) partition. (For caching.)

5. From the Microsoft TCP/IP Properties dialog, set the IP address of the internal NIC to 10.0.0.1, and the external NIC to 12.0.0.1. (Subnet masks for both should be 255.0.0.0.)

6. Define the Default Gateway: for the external NIC as 12.0.0.5. Do not set a gateway address for the internal NIC.

7. Choose the DNS tab and set the Domain: name to private.com.

8. Click the Add button and define the DNS Server address as 12.0.0.5. Ignore the warning message and do not designate any WINS servers.

9. Verify that only the internal network’s addresses are entered in the LAT. Do this by starting Internet Service Manager, double-clicking the WinSock Proxy Service icon, then clicking the Local Address Table button.

Checking the Local Address Table.

10. If you have entries besides the one shown below, highlight them and click the Remove button. (For a detailed explanation of LAT, see Appendix A.)

Correcting the LAT information.









Server #2 - Used as an Array partner, and also to demonstrate the routing features of Microsoft Proxy Server 2.0.

1. Install one NIC and connect it to the internal hub.

2. Set up as a Stand-alone server but add the machine to the Windows NT domain INTERNAL, and name it PROXY2. Be sure to install Internet Information Server, and create at least one NTFS partition. (For caching.)

3. Set the IP address to 10.0.0.2, with a subnet mask of 255.0.0.0. Do not designate any Default Gateway, DNS, or WINS server addresses.

Internal Client - Used to show how Web Proxy and WinSock Proxy operate transparently from the user’s perspective.

1. Install one NIC and connect it to the internal hub.

2. Designate this client’s workgroup as INTERNAL.

3. From the TCP/IP Properties dialog, set the IP address to 10.0.0.5, with a subnet mask of 255.0.0.0. Do not designate any WINS servers.

4. Install Microsoft Internet Explorer 3.02.

5. Install the WinSock Proxy client component. The simplest way to do this is to open the shared folder mspclnt on PROXY1. Then run SETUP.EXE and follow the on-screen prompts. Restart Windows 95 after installation completes.

Running the WinSock Proxy Client setup.

External Web Server/DNS/Client - Plays the part of the outside world for testing.

1. Install one NIC and connect it to the external hub.

2. This machine can be either a PDC or a Stand-alone server. Name it PUB1, and be sure to install the IIS and DNS services.

3. Set the IP address to 12.0.0.5, with a subnet mask of 255.0.0.0.

4. Choose the DNS tab and set the Domain: name to world.com.

5. Click the Add button and define the DNS Server address as 12.0.0.5. Do not designate any WINS servers.

6. After re-booting, you’ll need to create two zones in the DNS Manager. The first zone should be called world.com. Add one host entry, for PUB1 itself. Set up a second zone called private.com. Add the host PROXY1 to this zone. (Consult the on-line help for assistance in setting up DNS zones.) When finished, your DNS zone configurations should look like those below.

DNS Zone settings for private.com.

DNS Zone settings for world.com.











DYNAMIC PACKET FILTERING SECURITY

Key Benefits:
- Easy to administer
- Reduces chance of attack
- Automated, intelligent operation
- Works with circuit layer and application layer security

Audience Relevance: Large Sites, ISP, Small Sites

As more end users clamor for connectivity to the Web and external network resources, administrators face a tough challenge trying to deliver the goods, without compromising corporate security. Smaller companies venturing out into the realm of on-line connections face an even greater problem, because they frequently lack the staff or knowledge to implement a secure computing environment.

Dynamic Packet Filtering is a new feature for Microsoft Proxy Server v2.0 and is critical to its ability to provide easy-to-use firewall security. In short, Dynamic Packet Filtering allows Microsoft Proxy Server to:

- Drop all packets on an “external” interface by default.
- Dynamically determine whether or not to accept a packet from the Internet while minimizing:
  - Number of exposed ports in either direction.
  - Duration that a port is open to the Internet.

The actual process for enabling Dynamic Packet Filtering is deceptively easy. From the WinSock Proxy Service Properties page, click the Security button.

Selecting the Shared Services Security option.


Next, select the Packet Filters tab. By placing a checkmark in the two Enable… boxes, you’ve now secured your internal network. That’s all it takes.

Dynamic Packet Filters, enabled using two checkboxes. Use the Add button to create custom filters.

Even though it takes only a few seconds to enable, the Dynamic Packet Filter feature is a very powerful feature of Microsoft Proxy Server 2.0. To give you a better understanding of how Dynamic Filtering works, this brief explanation and diagram should help clarify the process.

Architecturally, dynamic packet filtering consists of two components:

1. Packet Filter Driver - implemented deep within the Windows NT Networking architecture, which talks directly to the external network interface, and

2. Packet Filter Manager - provides the higher level interface for Proxy Server services to interact with the driver.










Here’s a quick illustrative example of how the combination of the Proxy Services, the Packet Filter Manager, and the Packet Filter Driver combine to create secure, dynamic packet filters.

Dynamic packet filtering with Microsoft Proxy Server 2.0

1. A client with the WinSock Proxy client component launches a telnet application and attempts to connect to an Internet Server.

2. The WinSock Proxy client component intercepts the Internet telnet request and “remotes” that connection request to the WinSock Proxy Server.

3. The WinSock Proxy Server interrogates the client to ensure that he/she has proper Windows NT User Directory Service permissions to access the telnet protocol on the Internet.

4. If permissions are correct, the Server instructs the WinSock API to create a local “socket” with a local port address of 6008 (for example).

5. The WinSock Proxy Server then notifies the Packet Filter Manager that outbound connections from local port 6008 to a remote telnet service have been “approved” by the proxy service.

6. The Packet Filter Manager instructs the Driver to open port 6008 for outbound telnet connections and tells the WinSock Proxy Server to begin a telnet session on behalf of the original client.

(Diagram components: Internal NIC, External NIC, Packet Filter Driver, TCP/IP Stack, WinSock API, File Sharing, RPC, WinSock Apps, Packet Filter Manager, SOCKS Proxy, WinSock Proxy, Web Proxy, User Interface.)

The result of these operations is a logical “filter” which only allows packets from the approved communications but blocks other disapproved packets:

Open a port only for as long as it needs to be open - then close it for security.

As soon as the WinSock Proxy detects that the client has closed his/her telnet session, it instructs the Packet Filter Manager to close that client’s port (6008), blocking any further packets from the remote system.


If your installation requires opening a special port between the proxy and an outside host, you have a high degree of control over the custom packet filter setup. To install a filter, click the Add button located on the bottom of the Packet Filters tab shown earlier.

Defining a custom Packet Filter.

As you can see, either fixed or dynamic ports can be configured here, and you can define this filter to be active for a single host or all external hosts. In addition, you can designate the type of protocol, and the direction of the flow.
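An added example (not the product's code) that models the Driver and Manager interaction walked through above: default drop on the external interface, a session filter opened when the proxy service approves the telnet connection and closed when the client ends the session, plus the static custom filters from the Add dialog. The data structures, and the assumption that the replies of an approved connection are admitted on the same ports, are mine; 12.0.0.5 plays the Internet host as in the testbed.

```javascript
// Added example, not the product's code: a small model of the Packet Filter
// Driver / Packet Filter Manager interaction described in the guide. The
// data structures, and the rule that reply packets of an approved connection
// are admitted on the same ports, are assumptions.

class PacketFilterDriver {
  constructor() {
    // Default policy on the external interface: drop everything.
    this.sessionFilters = new Map(); // opened and closed by the Manager
    this.customFilters = [];         // static entries from the Packet Filters tab
  }

  // A custom filter as defined on the Add dialog: protocol, local port
  // (a number, or "dynamic" for 1024 and above), remote host (an address or
  // "any"), remote port, and direction ("inbound" or "outbound").
  addCustomFilter(filter) { this.customFilters.push(filter); }

  openSession(id, spec) { this.sessionFilters.set(id, spec); }
  closeSession(id) { this.sessionFilters.delete(id); }

  // pkt: { proto, localPort, remoteHost, remotePort, direction }
  allows(pkt) {
    for (const f of this.sessionFilters.values()) {
      if (this.matchesSession(f, pkt)) return true;
    }
    for (const f of this.customFilters) {
      if (this.matchesCustom(f, pkt)) return true;
    }
    return false; // nothing approved it: dropped
  }

  // A session filter covers the outbound packets of the approved connection
  // and the replies coming back on the same ports (assumption).
  matchesSession(f, pkt) {
    return f.proto === pkt.proto &&
      f.localPort === pkt.localPort &&
      f.remoteHost === pkt.remoteHost &&
      f.remotePort === pkt.remotePort;
  }

  matchesCustom(f, pkt) {
    if (f.proto !== pkt.proto || f.direction !== pkt.direction) return false;
    if (f.remoteHost !== "any" && f.remoteHost !== pkt.remoteHost) return false;
    if (f.remotePort !== pkt.remotePort) return false;
    if (f.localPort === "dynamic") return pkt.localPort >= 1024;
    return f.localPort === pkt.localPort;
  }
}

// The Manager: the proxy services tell it which connections are approved,
// and it opens and closes the corresponding filters in the driver.
class PacketFilterManager {
  constructor(driver) { this.driver = driver; this.next = 1; }
  approveOutbound(proto, localPort, remoteHost, remotePort) {
    const id = this.next++;
    this.driver.openSession(id, { proto, localPort, remoteHost, remotePort });
    return id;
  }
  sessionClosed(id) { this.driver.closeSession(id); }
}

// Replays the telnet walkthrough from the guide and returns the driver's
// decision at each stage. 12.0.0.5 plays the Internet host.
function telnetWalkthrough() {
  const driver = new PacketFilterDriver();
  const manager = new PacketFilterManager(driver);
  const out = { proto: "tcp", localPort: 6008, remoteHost: "12.0.0.5", remotePort: 23, direction: "outbound" };
  const reply = { ...out, direction: "inbound" };
  const probe = { ...reply, remoteHost: "12.0.0.9" }; // some other host

  const beforeApproval = driver.allows(out);                           // steps 1-4: nothing open yet
  const id = manager.approveOutbound("tcp", 6008, "12.0.0.5", 23);     // steps 5-6
  const duringSession = driver.allows(out) && driver.allows(reply);
  const unrelatedDuring = driver.allows(probe);                        // other host: still dropped
  manager.sessionClosed(id);                                           // client ends the session
  const afterClose = driver.allows(reply);                             // port 6008 closed again
  return { beforeApproval, duringSession, unrelatedDuring, afterClose };
}
```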


(Diagram: custom Packet Filter example - Client Telnet on local TCP port 6008 to an Internet host; Telnet TCP port 23, FTP TCP port 21.)

APPLICATION LAYER AND CIRCUIT LAYER SECURITY

Key Benefits:
- Hides internal network addresses
- Managed individual gateway between networks
- Works with dynamic packet filtering

Audience Relevance: ISP, Small Sites, Large Sites

Microsoft Proxy Server 2.0 security is multi-layered. In addition to packet layer filtering, Microsoft Proxy Server also supports application layer security via the product’s Web Proxy service and circuit layer security via the product’s WinSock Proxy service and SOCKS Proxy service. These various proxies are frequently only available in separate products. Microsoft Proxy Server 2.0 includes all of them in one integrated package.

Microsoft Proxy Server - Multi-Layered Security

As the table indicates, Microsoft Proxy Server 2.0 really provides three basic types of proxy services - a Web Proxy, a WinSock Proxy, and a SOCKS Proxy - all in one integrated package. Significantly, all of these proxies work with the dynamic packet filtering for a multi-layered approach to security.

There are some important differences between what an application layer (Web proxy) can do and what a circuit layer (WinSock and SOCKS proxies) can do, as this section of the Reviewer Guide articulates. The table below summarizes some of these differences.

Item                             Web Proxy                   WinSock Proxy    SOCKS Proxy
Security Layer (type of proxy)   Application Layer           Circuit Layer    Circuit Layer
Protocols supported              HTTP, FTP, Gopher, HTTP-S   Many             Many
Client support                   Any CERN-based browser      Windows          Many
Special Client software needed   No                          Yes - included   Yes - included
Cache-able content               Yes                         No               No
Dynamic packet filter support    Yes                         Yes              Yes

Application Layer Security with Web Proxy

An application layer proxy server understands and interprets client PC commands within the applications protocols. For example, Microsoft Proxy Server’s Web Proxy is an application layer proxy for HTTP, Secure HTTP, FTP, and Gopher.

Microsoft Proxy Server’s application layer proxy provides security because it hides the internal network IP or IPX addresses from the outside world. To attack a network resource, a person must first find a way to communicate with that resource. Without access to the resource’s address, it is much harder to attack it.

The application layer proxy permits more kinds of support for additional capabilities within each protocol than circuit layer proxies permit. For example, an application layer proxy can support additional virus scanning while a circuit layer proxy cannot.

Another advantage of an application layer proxy is that it is client-neutral. No special software should be required on the client PC - other than a CERN-compatible web browser like Microsoft Internet Explorer or Netscape Navigator - to enable the client to communicate to the Internet via the proxy server computer. As a result, an application layer proxy can support several types of client operating systems.


If you wish to see an example of an Application Layer Filter, double-click the Web Proxy icon from the Internet Service Manager screen.

Application Layer Filters with the Web Proxy service.

Now pick the Permissions tab and check the Enable access control box. Next choose an entry from the Protocol: drop-down box. For your final step, click the Add button to grant users or groups from your Windows NT domain the right to use that service.

Microsoft Proxy Server can be configured to allow anonymous requests by users or to require that users be authenticated (validated) by the server. Once users are authenticated, you can determine which protocols (Web, FTP, or Gopher) are accessible for each user.

You can grant users access to selected protocols and you can restrict access to remote Web sites by domain name, IP address, and subnet mask, as addressed later in this guide. Microsoft Proxy Server provides a secure, encrypted logon for those browsers that support Windows NT Challenge/Response authentication. The product also provides basic authentication for other browsers and allows data encryption by means of Secure Sockets Layer (SSL) tunneling.

Circuit Layer Security with WinSock Proxy

One disadvantage of any application layer proxy is the limited number of protocols it can support. Circuit layer proxying is another approach for connecting a client to a server across the Internet or Intranet. A circuit layer proxy supports a much wider variety of protocols, such as streaming audio and video protocols, messaging protocols, and Internet Relay Chat (IRC).

WinSock Proxy is a service that makes a Windows Sockets-compatible client application, such as the NetShow client, RealAudio, or IRC, perform as if it were directly connected to the Internet. The WinSock Proxy service provides Windows NT Challenge/Response authentication - a secure, encrypted logon process - regardless of whether the client application supports it.

You can use Windows NT Challenge/Response authentication between clients and the WinSock Proxy service to avoid sending passwords across the internal network. Once the client is authenticated, the WinSock Proxy service uses the logon user name to verify that the user has permission to use the Internet resource requested. Authentication for an application is done only once, when the application first links to Windows Sockets. This reduces network traffic generated for authentication.

Microsoft Proxy Server’s WinSock Proxy service is compatible with virtually any existing Windows Sockets version 1.1-compatible application and can be used with Windows-based client PCs. Access is controlled by port number, protocol, and user or group. Each port can be enabled or disabled for communications by a specific list of users or user groups. The list of users allowed to initiate outbound connections on a port can be a different list than the list of users allowed to listen for inbound connections on the same port. Access for TCP protocols is controlled separately from User Datagram Protocol (UDP) protocols. In this manner, the WinSock Proxy service could prevent users from accessing their personal on-line accounts, such as MSN, for example. WinSock Proxy supports user access control and site filtering.

To see an example of Circuit Layer Filters, choose the Protocols tab from the WinSock Proxy Service Properties page.

Predefined Circuit Layer protocols, plus you can add more protocols.

The extensive list of pre-defined filters means that in most installations there will be little need to create your own.

Should you find yourself requiring a custom filter, all you need to do is click the Add button. This takes you to the Protocol Definition page. Here you’d enter the specific port and protocol used, and the direction of the traffic flow.

In case you need to create a customized Circuit Layer filter. The Add button is used for subsequent connection information.

Microsoft Proxy Server 2.0 can even handle conditions where a protocol uses one port for initial negotiation and a different port or range of ports for subsequent communications.

Defining ports for subsequent communications.

By clicking the Add button, you’ll bring up the Port Range Definition dialog. Here you can specify the Port or Range of Ports for subsequent communications over this protocol. (One well-known example of this type of port hopping after negotiation is the RealAudio streaming protocol.)
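As an added example (not the product's code), the following models how the WinSock Proxy service's protocol definitions, including port ranges for subsequent connections, and its per-protocol, per-direction user and group permissions decide whether a socket operation is remoted. The structures and the permission lists for the testbed domain INTERNAL are assumptions; Telnet's port is the well-known one, while the RealAudio and MSN port numbers are constructed for illustration.

```javascript
// Added example, not the product's code: a model of how the WinSock Proxy
// service's protocol definitions and per-protocol permissions decide
// whether a Windows Sockets operation is remoted to the Internet. The
// structures are assumptions; Telnet's port is the well-known one, the
// RealAudio and MSN port numbers below are constructed for illustration.

// A protocol definition as entered on the Protocol Definition page: the
// initial port with its type and direction, plus the port ranges used for
// subsequent connections (the port-hopping case described in the guide).
const protocols = [
  { name: "Telnet", port: 23, type: "tcp", direction: "outbound", subsequent: [] },
  { name: "MSN", port: 569, type: "tcp", direction: "outbound", subsequent: [] },
  { name: "RealAudio", port: 7070, type: "tcp", direction: "outbound",
    subsequent: [{ from: 6970, to: 7170, type: "udp", direction: "inbound" }] },
];

// Per protocol, the users or groups allowed to initiate outbound
// connections and, separately, those allowed to listen for inbound ones.
// Account names are constructed for the testbed domain INTERNAL.
const permissions = {
  Telnet:    { outbound: ["INTERNAL\\Domain Admins"], inbound: [] },
  RealAudio: { outbound: ["INTERNAL\\Domain Users"], inbound: ["INTERNAL\\Domain Users"] },
  MSN:       { outbound: [], inbound: [] },   // defined, but granted to nobody
};

// Finds the definition covering a socket operation, or null if there is
// none. op: { port, type: "tcp" | "udp", direction: "outbound" | "inbound" }.
// TCP and UDP never match each other, so they are controlled separately.
function matchProtocol(op) {
  for (const p of protocols) {
    if (p.port === op.port && p.type === op.type && p.direction === op.direction) return p;
    for (const r of p.subsequent) {
      if (op.port >= r.from && op.port <= r.to && r.type === op.type && r.direction === op.direction) return p;
    }
  }
  return null;
}

// principal: { user, groups } as established once, when the application
// first links to Windows Sockets (Challenge/Response logon).
function decide(principal, op) {
  const proto = matchProtocol(op);
  if (!proto) return { allowed: false, reason: "no protocol definition" };
  const granted = (permissions[proto.name] || {})[op.direction] || [];
  const names = [principal.user, ...principal.groups];
  if (names.some((n) => granted.includes(n))) return { allowed: true, reason: proto.name };
  return { allowed: false, reason: proto.name + ": " + op.direction + " not granted" };
}
```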

Circuit Layer Security with SOCKS Proxy

Microsoft Proxy Server extends its support for circuit layer security in version 2.0 with new support for SOCKS 4.3. While the WinSock Proxy service supports Windows-based client PCs, the SOCKS Proxy supports Macintosh or Unix-based client PCs, so this service enhances the multi-platform nature of Proxy Server.

Microsoft Proxy Server now supports SOCKS.

Microsoft Proxy Server can act as a SOCKS client to an upstream SOCKS server or Proxy Server can be a SOCKS server to a client computer running SOCKS software on it. Microsoft Proxy Server 2.0 supports SOCKS version 4. SOCKS uses TCP and can be used for Telnet, FTP, Gopher, and the World Wide Web. The SOCKS Proxy service does not support RealAudio, streaming video, or NetShow.









REAL TIME SECURITY ALERTS AND LOGGING

Key Benefits:
- Keeps you informed of status
- Detailed audit trail
- Useful for network, security planning
- Peace of mind

Audience Relevance: ISP, Small Sites, Large Sites

It almost goes without saying, but staying informed is a must when trying to provide a secure computing environment for any enterprise. With Microsoft Proxy Server 2.0 it’s easy to monitor critical functions in real-time. In addition, logging of packet or protocol violations to the Windows NT Event Log is easily accomplished.

From the Security menu, choose the Alerting tab. Next pick the Event you wish to define an alert for from the drop down box. Each event has a predefined threshold, but you may change this to any value you’d like.

If you’d like to be alerted via E-mail, select the Send SMTP mail checkbox, then click on the Configure Mail button.

Setting Alerts and E-mail notification options.

Now fill in the information for your mail server, and the person to whom you want the mail sent. Now whenever an event’s triggered by Microsoft Proxy Server 2.0, you’ll know about it right away. Many email systems support paging integration so this feature can trigger paging, as well as email, alerting with those systems.

E-mail notification setup parameters.

Now let's look at the Microsoft Proxy Server 2.0 logging feature.









Choose the Logging tab from the Security menu. Once you check the Enable box, you have a high degree of control over the various ways Proxy Server 2.0 keeps tabs on activity. If your location will see large amounts of traffic - such as an ISP would encounter - a daily log is probably the best bet for you. These high-traffic sites could also log data directly to an SQL or ODBC-compliant database for further analysis. To keep from missing a possible unauthorized access attempt, you can also check the Stop all services if disk full option. (Note: This option applies to the three proxy services: WinSock Proxy, Web Proxy, SOCKS Proxy.)

Setting logging options for optimal monitoring.

You’ll also find a logging configuration option for the regular services (WWW, Gopher, FTP). Each service’s settings are independent of the others.


REVERSE PROXY, VIRTUAL HOSTING AND SERVER PROXYING

Key Benefits:
- Improves web server capacity planning
- Keeps data secure while allowing access across the Net
- Allows web servers to access other internal servers and data for publishing

Audience Relevance: ISP, Small Sites, Large Sites

Enhanced Web Publishing Support

Microsoft Proxy Server 2.0 allows you to publish to the Internet without compromising the security of your internal network. Proxy Server uses reverse proxying and reverse hosting to send requests downstream to a Web server or group of web servers located behind the Proxy Server computer.

(Diagram labels: Internet; Microsoft Proxy Server 2.0; Secure Network; Web Server; Web Server; /mktg; “www.company.com”; “internal.company.com”; “www.company.com/mktg”.)

Reverse Proxy and Reverse Hosting offload Web publishing duties from the Web servers and let you securely connect your Web servers to the rest of your Intranet.

Reverse proxying causes the Proxy Server computer to "impersonate" a Web server to the outside world. The Proxy Server computer fulfills client requests for web content from its cache and forwards requests to the real web server only when the requests cannot be served from its cache. Meanwhile, your Web server(s) sit in their secure environment and maintain access to other internal network services.

Virtual, or reverse, hosting is an extension of the concept of reverse proxying. Virtual hosting allows any server sitting behind Proxy Server to publish to the Internet, giving superb flexibility in Web publishing. In this case, the Proxy Server simulates virtual roots on a web server and then re-directs requests for a particular domain and root combination to a single web server. Reverse proxy works at the application layer and supports HTTP only.

This approach to web publishing requires that only one “hole” be punched through the Microsoft Proxy Server’s firewall for HTTP requests, thereby enhancing security.









Server Proxying

Microsoft Proxy Server 2.0 also has the ability to “listen” for incoming packets destined for computers connected to the secured network behind the Proxy Server computer. Proxy Server then forwards packets, as appropriate, to those other server computers. For example, Microsoft Exchange Server can now sit securely behind a computer running Microsoft Proxy Server.

(Diagram labels: Internet; App Server; Microsoft Proxy Server 2.0; Secure Network; MS Exchange Server; Other Internal Servers (SQL, DBMS); RPC; ODBC.)

Server Proxying lets you run Internet applications behind a secure network connection.

As noted, reverse proxy is an application layer service that supports HTTP only. By contrast, server proxying is a circuit layer service so it supports a wide variety of protocols.

By following the procedures outlined over the next few pages, you can experience how Microsoft Proxy Server 2.0 performs Reverse Proxying and Reverse Hosting. Let’s try Reverse Proxy first. From Internet Service Manager, select Web Proxy, right-click and choose Service Properties. (Double-clicking the icon will also take you there.)

Opening the Web Proxy Service Properties.


Next click the Publishing tab, then put a checkmark in the Enable Web publishing box. Now move down to the three radio buttons and pick the sent to another web server option. In the box to the right, type in PROXY2. The reason you don’t need to enter a fully qualified domain name (FQDN) is because the internal network was set up without a DNS - it will resolve hosts using their NetBIOS names instead. The Port: number should be set to 80, which is the default used by the HTTP protocol.

Entering the Reverse Proxy information.

When you’re all done with this page, click OK. Before we can test this fully, you will need to open this same Properties page on the PROXY2 server. This time, select the sent to the local web server option, and click OK once more.









Now go to the external machine (PUB1) and fire up Microsoft Internet Explorer. In the Address: box enter the URL http://proxy1.private.com. If everything works as planned you should see the familiar Microsoft Internet Information Server screen.

Since both proxy servers are running the same software, it would be very hard to tell which one was actually servicing your request. Therefore, we suggest you modify the DEFAULT.HTM file (located in the directory drivepath\InetPub\wwwroot) to denote the server on which it resides. As our screen shot depicts, we just added some text above the regular Microsoft logo. You can use any ASCII editor to do this, such as WordPad or Notepad.

Web page being served from PROXY2 via Reverse Proxy on PROXY1.


With that capability now understood, we’ll get a little more sophisticated and try Reverse Hosting.

Return to the Web Proxy Publishing page on PROXY1. This time, click on the discarded radio button up top, then move to the bottom of the screen and click the Add button. What you will be doing now is telling Microsoft Proxy Server 2.0 which web requests should be redirected to a different downstream web server.

Preparing to designate a Reverse Hosting target.

In this box you’ll enter data instructing Microsoft Proxy Server 2.0 to forward requests to another web server. But this time, the URL path will be a virtual path off of PROXY1. These virtual paths effectively hide the true identity of the source machine. By doing so, they allow workers within the secured network to publish web pages to the Internet without fearing attacks.

In the Path: box enter http://proxy1.private.com/p2, and in the URL box enter http://proxy2. Again, because we have no internal DNS, the name entered for PROXY2 is the NetBIOS name only. Click OK, then OK once more.

Entering paths for Reverse Hosting.








Back once more at the PUB1 server, enter the URL http://proxy1.private.com/p2 into the Address: box. While the resulting page will look like it did in the previous example, you’ve now made it appear as if the source is located on the PROXY1 host.

Redirected request resolved to virtual path on PROXY2 server using Reverse Hosting.
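An added example (not the product's code) that models the Publishing tab settings used in the Reverse Proxy and Reverse Hosting walkthroughs above: the three radio-button defaults and the Path/URL mappings entered with Add. Longest-prefix matching, the path-boundary check and the rejection of non-HTTP schemes are assumptions about how such a table should behave, not a description of the product's implementation.

```javascript
// Added example, not the product's code: a model of the Web Proxy
// Publishing settings used in the guide's walkthrough. Longest-prefix
// matching, the path-boundary check and the HTTP-only rule are assumptions.

// Settings as entered on the Publishing tab. defaultAction is one of the
// three radio buttons: "discarded", "local", or { server, port } for
// "sent to another web server". mappings are the Path/URL pairs from Add.
const publishing = {
  enabled: true,
  defaultAction: "discarded",
  localServer: { host: "localhost", port: 80 },
  mappings: [
    { path: "http://proxy1.private.com/p2", url: "http://proxy2" },
  ],
};

// Splits an absolute URL into scheme, host (lower-cased), port and path.
function parseUrl(raw) {
  const m = /^(\w+):\/\/([^\/:]+)(?::(\d+))?(\/.*)?$/.exec(raw);
  if (!m) return null;
  return { scheme: m[1].toLowerCase(), host: m[2].toLowerCase(),
           port: m[3] ? Number(m[3]) : 80, path: m[4] || "/" };
}

// Decides what Proxy Server does with a request arriving on the external
// interface. Returns { action: "forward", target, path } or
// { action: "discard", reason }.
function route(settings, requestUrl) {
  const req = parseUrl(requestUrl);
  if (!req) return { action: "discard", reason: "unparsable URL" };
  if (!settings.enabled) return { action: "discard", reason: "publishing disabled" };
  // Reverse proxy works at the application layer and supports HTTP only.
  if (req.scheme !== "http") return { action: "discard", reason: "not HTTP" };

  // Reverse hosting: the longest matching virtual path wins, and the match
  // must end at a path boundary so that /p2 does not capture /p2x.
  let best = null;
  for (const m of settings.mappings) {
    const mp = parseUrl(m.path);
    if (!mp || mp.host !== req.host) continue;
    const prefix = mp.path.replace(/\/$/, "");
    const hit = prefix === "" || req.path === prefix || req.path.startsWith(prefix + "/");
    if (hit && (!best || prefix.length > best.prefix.length)) best = { prefix, url: m.url };
  }
  if (best) {
    const target = parseUrl(best.url);
    const rest = req.path.substring(best.prefix.length) || "/";
    return { action: "forward", target: target.host + ":" + target.port, path: rest };
  }

  // No virtual path matched: apply the radio-button default.
  const d = settings.defaultAction;
  if (d === "discarded") return { action: "discard", reason: "default: discarded" };
  if (d === "local") {
    return { action: "forward", target: settings.localServer.host + ":" + settings.localServer.port, path: req.path };
  }
  return { action: "forward", target: d.server + ":" + d.port, path: req.path };
}
```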






DISTRIBUTED CONTENT CACHING

Key Benefits:
- Linear Scalability
- Great performance
- Fault tolerance
- Load-balancing
- Easy to administer

Audience Relevance: ISP, Small Sites, Large Sites

One of the most exciting and powerful sets of new features in Microsoft Proxy Server 2.0 is its support for distributed caching. This new set of capabilities makes Microsoft Proxy Server the ideal way to meet the rigorous demands of large enterprise and even ISPs.

Distributed caching is significant because it enables caching to take place closer to users. In addition, distributed caching allows caching activity to be balanced across several proxy server computers for enhanced scalability and fault tolerance. For example, within an enterprise, caching can move beyond a single, central location at the edge of an organization’s network and toward the branch office and workgroup levels. Within an ISP, caching can move toward a regional ISP point of presence as opposed to one central ISP point of presence.

Distributed caching becomes even more important as organizations and ISPs deploy support for Internet “push” technologies. “Push” technologies provide a more personalized Internet or Intranet experience, but these technologies tend to drive up network traffic demand. Microsoft Proxy Server is the ideal way to mitigate this traffic increase.

Microsoft Proxy Server now allows you to set up distributed caching among multiple Proxy Server computers. It enhances active and passive caching by distributing the load of cached objects. This provides scalability and fault tolerance. Distributed caching is implemented using arrays, chaining, or a combination of both methods.

Cache Arrays - A New Approach to Scalability & Fault Tolerance

Now an array, or group, of Microsoft Proxy Server computers can be treated and administered as a single, logical entity. An array provides load balancing, fault tolerance, scalability, and ease of administration.

(Diagram labels: Internet; Microsoft Proxy Server 2.0 (three members); Secure Network; Client PC; Proxy Array.)

A cache array is a group of Proxy Server computers behaving like a single, logical entity.

A cache array performs load balancing. Proxy Server computers can off-load cache hits to other Proxy Server computers in the array. An array will tend to provide a higher cache “hit rate” than an individual proxy server due in part to the larger size of the virtual cache. The term cache hit rate refers to the percentage of Web requests that can be served from the cache as opposed to requiring network traffic.


Cache arrays can be useful in the following environments:

- Corporations and ISPs that are too big to operate with a single Proxy Server computer and need additional robustness.
- Corporations and ISPs that require mission-critical back-up capabilities for content caching.

Going far beyond conventional hierarchical designs, this new feature permits truly scalable proxy setups without the drawbacks associated with other approaches. For Internet Service Providers or large-scale enterprise installations, there is no better way to achieve effectively linear performance scaling. At the same time, the array provides fault tolerance, while reducing administrative overhead.
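An added example (not the product's code) of how an array can partition cached objects across its members so that they form one larger virtual cache, and of what happens when a member fails. The guide does not describe the array's routing algorithm; the rendezvous (highest random weight) hashing below is an assumption, and PROXY3 and the sample URLs are constructed.

```javascript
// Added example, not the product's code: how an array can partition cached
// objects across its members so they form one larger virtual cache, and
// what happens when a member fails. The guide does not describe the array's
// routing algorithm; the rendezvous (highest random weight) hashing here is
// an assumption. PROXY3 and the sample URLs are constructed.

// 32-bit FNV-1a hash of a string; adequate for spreading URLs.
function fnv1a(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h;
}

// The member responsible for a URL: each member is scored by
// hash(member + url) and the highest score wins. Every URL has exactly one
// owner, so the members' caches add up instead of duplicating each other.
function owner(url, members) {
  let best = null, bestScore = -1;
  for (const m of members) {
    const score = fnv1a(m + "|" + url);
    if (score > bestScore) { best = m; bestScore = score; }
  }
  return best;
}

// How many of the URLs land on each member.
function distribution(urls, members) {
  const counts = Object.fromEntries(members.map((m) => [m, 0]));
  for (const u of urls) counts[owner(u, members)]++;
  return counts;
}

// Fraction of URLs whose owner changes when `failed` drops out. With
// rendezvous hashing only the failed member's own URLs move; the rest keep
// their owner, so the surviving caches stay warm.
function movedFraction(urls, members, failed) {
  const remaining = members.filter((m) => m !== failed);
  let moved = 0;
  for (const u of urls) if (owner(u, members) !== owner(u, remaining)) moved++;
  return moved / urls.length;
}

// Constructed sample: 1000 URLs on a host in the testbed's world.com domain.
const SAMPLE_URLS = Array.from({ length: 1000 }, (_, i) => "http://www.world.com/page" + i + ".htm");
const ARRAY1 = ["PROXY1", "PROXY2", "PROXY3"]; // PROXY3 is hypothetical
```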

Array Administration

Microsoft Proxy Server 2.0 makes it easy to build and manage an array or a group
of them. To build an array, go to the Internet Service Manager and double-click the
Web Proxy icon. Then click the Array button.

Array creation starts at the Shared Services page.

Now click the Join Array button. Since there isn’t any existing Array, you get to
make a new one.

Step one in building an Array.

Now you need to specify which other computer is to be a partner for the new Array.
The system must be running Microsoft Proxy Server 2.0, which in our case means
the PROXY2 machine. Go ahead and enter that name in the Join Array dialog box.


Designating the name of the new Array partner.

Since there was no pre-existing Array, you also get to name the Array here. In this
case, we just called it Array 1.

Most likely in a production environment you’d give it a name reflective of its purpose
or location. Now just click the OK button.


Naming the newly formed Array.

You’ll be left at the Array status screen. Here you can see which machines are
members of the Array. To the right of each entry is the port used, the size of the
disk cache allotted, and the operating status. At this point the Array is defined, but
the two servers haven’t actually synchronized with one another. You must click the
OK button here, then the Apply button back on the Shared Service page.


Array status screen showing both systems operational.

You will hear a flurry of disk activity as the two machines get in sync. At this point
the Array is fully functional. But to take advantage of it, you’d need a third proxy
sitting downstream of the Array to pass requests to it. Since our testbed doesn’t
include that third Proxy Server computer, we’ll move on to look at two other features
of the Array: security and backup routing.

As this screen indicates, Microsoft Proxy Server enables secure communication
between the members of an array.


Secure communication within an array.

Under the Routing tab, you can enable backup routing within the array. This
provides fault-tolerance.

Back-up Routing support within arrays keeps the array going when there’s a failure.

Hierarchical Caching

Now you can arrange Proxy Server computers in a hierarchy for branch office or
departmental use. Requests from clients are sent upstream through the hierarchy
until the requested object is found. For example, a client request in a branch office
would go to the branch office Proxy Server, then on to the regional or corporate
headquarters before sending the request to the public Internet.

Hierarchical (or chain-based) caching.


Individual computers and arrays can be arranged in a Proxy Server hierarchy.
Chaining with arrays provides an added measure of fault tolerance. By the way, a
Secure Sockets Layer (SSL) hierarchy is also now supported.

(Figure labels: Internet; Corporate HQ with a Cache Array of Microsoft Proxy Server 2.0 computers; Branch Office Microsoft Proxy Server 2.0 computers; Client PCs.)

Hierarchical caching working with a cache array.



Hierarchical caching can be useful in the following environments:

- Corporate branch offices with Internet connectivity at headquarters.

- Consolidated ISP connections: multiple, geographically-distributed
  servers routed into a central server which has Internet connectivity.
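
The request path described above, modelled as an added example that is not part of this guide or of Proxy Server itself: two branch-office proxies chain to one headquarters proxy, which alone has the direct Internet connection. A request is answered from the first cache on the way up that holds the object, and each proxy stores the object as it passes back down, so the second branch never generates Internet traffic for an object HQ already has. The proxy names, the stand-in origin server and the request URLs are constructed for the illustration.

```python
# Added illustration of chain-based (hierarchical) caching; not Proxy Server code.
from typing import Callable, Dict, List, Optional


class CacheProxy:
    """One proxy in the chain. upstream is None for the proxy at the top of
    the hierarchy, which has the direct Internet connection."""

    def __init__(self, name: str, upstream: Optional["CacheProxy"] = None) -> None:
        self.name = name
        self.upstream = upstream
        self.cache: Dict[str, str] = {}
        self.hits = 0
        self.misses = 0

    def get(self, url: str, origin: Callable[[str], str], path: List[str]) -> str:
        """Serve url from the local cache, else forward upstream (or to the
        origin at the top of the chain). path records every hop taken."""
        path.append(self.name)
        if url in self.cache:
            self.hits += 1
            return self.cache[url]
        self.misses += 1
        if self.upstream is not None:
            body = self.upstream.get(url, origin, path)
        else:
            path.append("Internet")
            body = origin(url)
        # Passive caching: store the object as it passes back down the chain.
        self.cache[url] = body
        return body

    def hit_rate(self) -> float:
        """Cache hit rate as the guide defines it: the share of requests
        served from the cache rather than forwarded."""
        total = self.hits + self.misses
        return self.hits / total if total else 0.0


def origin_server(url: str) -> str:
    """Stand-in for a public Internet web server (constructed)."""
    return f"<html>content of {url}</html>"


def build_chain() -> Dict[str, CacheProxy]:
    """Two branch offices chained to a single HQ proxy that reaches the Internet."""
    hq = CacheProxy("HQ")
    return {
        "HQ": hq,
        "BranchA": CacheProxy("BranchA", upstream=hq),
        "BranchB": CacheProxy("BranchB", upstream=hq),
    }


def fetch(chain: Dict[str, CacheProxy], client_branch: str, url: str) -> List[str]:
    """Issue one client request at the named branch; return the hops taken."""
    path: List[str] = []
    chain[client_branch].get(url, origin_server, path)
    return path


if __name__ == "__main__":
    chain = build_chain()
    url = "http://www.example.test/index.html"
    print(fetch(chain, "BranchA", url))  # ['BranchA', 'HQ', 'Internet']
    print(fetch(chain, "BranchB", url))  # ['BranchB', 'HQ']  (served from HQ's cache)
    print(fetch(chain, "BranchA", url))  # ['BranchA']
    print(f"HQ hit rate: {chain['HQ'].hit_rate():.2f}")  # 0.50
```

The hop lists make the benefit visible: only the very first request for an object leaves the organisation, and the HQ proxy's hit rate climbs as more branches ask for the same objects.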


To experience hierarchical caching, from the Web Proxy Service screen, choose
the Routing tab. This is where you define the path user requests take when
accessing the Internet. This is also the place to enable backup route options. If the
Proxy Server you’re managing is at the top of the hierarchy, you should select
Use direct connection for Upstream Routing. On the other hand, if you have other
arrays or proxy servers installed in your network, you can ‘chain’ them together via
the Use Web Proxy or array: option. Go ahead and pick that option, then click on
the Modify button.

Routing options allow chaining and alternate paths for fault tolerance.

At the top of this screen, enter the name of the proxy. For an array, you should
enable the Auto-poll option, which saves the trouble of manual configuration
management. As you type the proxy server name, the Array URL: box gets filled in
automatically. The bottom of this screen is used for authentication credentials
between proxies.

Setting the address and credentials for upstream proxy routing.








Cache Array Routing Protocol

A Better Way to Scale

Microsoft has developed an innovative way for Proxy Server computers in an array
or hierarchy to communicate with one another to enable efficient, scalable caching.
The new approach, called Content Array Routing Protocol (CARP), has been
documented and is making its way through the Internet Engineering Task Force as
an industry standard.


Similar to clustering, Microsoft’s Proxy Server Array architecture is based on a
loosely coupled design, but with a twist. The proxy array, using CARP, provides
scalability and other benefits while using standard HTTP protocols. This is in
marked contrast to other vendors’ solutions that employ the legacy and relatively
inefficient Internet Cache Protocol (ICP).


The main purpose of distributed caching is to provide scalability. On this measure,
CARP has a number of fundamental advantages over ICP. ICP requires several
queries to resolve an individual request for a web object or service. The number of
these queries, along with the duplication of cache content and the
near-multiplicative growth in network traffic caused by ICP-based content cache,
ironically delivers negative scalability. Performance is negatively affected with each
new ICP-based content cache.















CARP has scalability advantages over ICP.

CARP, by contrast, supports a queryless approach to routing requests among
cache arrays and chains and delivers linear scalability. The illustration in the figure
above highlights this comparison of the two protocols. The scalability profile is
based on published materials related to both protocols.
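
The queryless routing that gives CARP its scaling advantage, shown as an added example rather than code from this guide or from the product: every member of the array (and any downstream proxy or client that knows the member list) scores each (URL, member) pair with the same deterministic hash and sends the request to the top-scoring member, so a request never triggers a round of peer queries the way it does under ICP. The SHA-256 rendezvous hashing, the member names PROXY1 to PROXY4 and the URL set are assumptions of this illustration; the CARP draft specifies its own hash function and load factors, which are not reproduced here.

```python
# Added illustration of queryless, CARP-style request routing; not Proxy Server
# code and not the exact hash or load-factor algorithm of the CARP draft.
import hashlib
from typing import Dict, List


def score(url: str, member: str) -> int:
    """Deterministic score for one (URL, member) pair. Any party that knows
    the member list can compute it, so no query to the other members is needed."""
    digest = hashlib.sha256(f"{member}|{url}".encode("utf-8")).digest()
    return int.from_bytes(digest[:8], "big")


def choose_member(url: str, members: List[str]) -> str:
    """Route url to the array member with the highest score (rendezvous hashing)."""
    if not members:
        raise ValueError("array has no members")
    return max(members, key=lambda m: score(url, m))


def route_all(urls: List[str], members: List[str]) -> Dict[str, str]:
    """Map every URL to the member that will hold it in the virtual cache."""
    return {url: choose_member(url, members) for url in urls}


def load_per_member(routing: Dict[str, str]) -> Dict[str, int]:
    """How many URLs land on each member: the load-balancing view of the array."""
    counts: Dict[str, int] = {}
    for member in routing.values():
        counts[member] = counts.get(member, 0) + 1
    return counts


def fraction_moved(before: Dict[str, str], after: Dict[str, str]) -> float:
    """Share of URLs that changed member between two array configurations."""
    moved = sum(1 for url in before if before[url] != after[url])
    return moved / len(before)


def only_failed_member_urls_moved(before: Dict[str, str], after: Dict[str, str],
                                  failed: str) -> bool:
    """True if every URL that was not on the failed member stayed where it was."""
    return all(after[url] == before[url] for url in before if before[url] != failed)


def sample_urls(n: int) -> List[str]:
    """Constructed URL set for the illustration."""
    return [f"http://www.example.test/docs/page{i}.html" for i in range(n)]


if __name__ == "__main__":
    urls = sample_urls(300)
    three = ["PROXY1", "PROXY2", "PROXY3"]   # constructed member names
    before = route_all(urls, three)
    print(load_per_member(before))
    after_add = route_all(urls, three + ["PROXY4"])
    print(f"moved when growing 3 -> 4: {fraction_moved(before, after_add):.2f}")  # about 0.25
    after_fail = route_all(urls, ["PROXY1", "PROXY3"])
    print(only_failed_member_urls_moved(before, after_fail, "PROXY2"))  # True
```

Growing the array from three members to four moves only about a quarter of the URLs, and when one member drops out only the URLs that were assigned to it move; every other member keeps serving the objects it already holds, which is the fault-tolerance behaviour the array section describes, and none of it required a message between the members.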


For more details and a comparison of why Microsoft’s Proxy Array running CARP
outshines existing ICP-based products, see the associated white paper available on
the Microsoft Proxy Server Web site at: http://www.microsoft.com/proxy.


(Figure: requests per second fulfilled by cache servers, plotted against the total number of cache servers, with one curve for CARP and one for ICP.)

Microsoft Proxy Server provides a unique way of making sure the Internet or
Intranet sites that are most used by a group of people are readily available to those
users for quick access. That is because Microsoft Proxy Server can proactively
pre-cache content.


Content cache servers typically provide regular or passive caching. That is, the
content cache server reacts to a specific user request for content. As the request is
being fulfilled and the information passed through to the user, the content cache
server will determine if the content is cache-able. If it is cache-able content and if
there’s room in the cache, the server will store it in the cache. Microsoft Proxy
Server can perform passive caching.


Microsoft Proxy Server 2.0 goes beyond passive caching to automatically determine
the most popular Web sites visited by the users the proxy server computer
supports. Proxy Server determines how frequently content at those sites is
refreshed, then automatically goes out and pre-caches new content when the old
content in the cache has been determined to have expired. A simple checkbox
enables this very powerful feature.


Once enabled, the feature works automatically; that is why the feature is called
Active Intelligent Caching. No network manager intervention is needed, although
Microsoft Proxy Server provides monitoring tools to help you track certain
parameters related to Active, Intelligent Caching.


Some competitive proxy content cache servers require the network manager to
specify in a list the web sites to be pre-cached. Microsoft Proxy Server provides
network managers with the option of specifying the sites to be pre-cached, but in
practical terms, most organizations will take advantage of the automatic nature of
active caching, a unique feature in Microsoft’s Proxy Server. Network managers
have enough to do already without requiring that they specify a list of sites for
caching purposes. This is especially true considering that traffic patterns and favored
Web sites can change so frequently. The popular sites this month are probably not
the same sites that were the most popular three months ago.


Active caching helps provide a more consistent, accelerated Internet and Intranet
user experience. And it makes very efficient use of network resources. Microsoft
Proxy Server keeps up with CPU utilization and uses this information to determine
when to perform the pre-caching. To avoid interfering with other network traffic
during periods of high usage, Microsoft Proxy Server will proactively pre-cache
content at periods of low network (CPU) usage.
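
A simplified model of passive caching plus the active, intelligent caching described in the two passages above (popularity-driven pre-caching of expired objects, and deferring that work while the server is busy), added here as an example that is not Proxy Server code: user requests are counted to find the most popular objects, popular objects whose cached copy has expired are pre-fetched, and the pre-fetch pass is skipped outright while CPU load is above a threshold. The top-N popularity rule, the fixed busy threshold, the use of the object's time-to-live as its refresh interval, and the sample traffic are all constructed for the illustration; the product's own heuristics are not documented on this page.

```python
# Added illustration of active (proactive) caching on top of passive caching;
# not Proxy Server code. The refresh interval here is simply the object's
# time-to-live supplied by the origin; the popularity rule and the CPU
# threshold are assumptions made for the example.
from collections import Counter
from typing import Callable, Dict, List, Tuple


class ActiveCache:
    def __init__(self, top_n: int = 3, busy_threshold: float = 0.7) -> None:
        self.top_n = top_n                    # how many popular URLs to keep fresh
        self.busy_threshold = busy_threshold  # CPU load at or above which we skip pre-fetching
        self.popularity: Counter = Counter()
        # url -> (time fetched, time-to-live in seconds)
        self.entries: Dict[str, Tuple[float, float]] = {}

    def record_request(self, url: str, now: float, ttl: float) -> None:
        """Passive caching: a user request counts toward popularity and
        stores (or refreshes) the object."""
        self.popularity[url] += 1
        self.entries[url] = (now, ttl)

    def popular_urls(self) -> List[str]:
        """The most requested objects, which are the only ones actively refreshed."""
        return [url for url, _ in self.popularity.most_common(self.top_n)]

    def is_expired(self, url: str, now: float) -> bool:
        fetched_at, ttl = self.entries[url]
        return now >= fetched_at + ttl

    def due_for_prefetch(self, now: float) -> List[str]:
        """Popular objects whose cached copy has expired."""
        return [url for url in self.popular_urls()
                if url in self.entries and self.is_expired(url, now)]

    def run_prefetch(self, now: float, cpu_load: float,
                     fetch: Callable[[str], float]) -> List[str]:
        """Active caching pass: skipped entirely while the server is busy,
        otherwise re-fetches every due object. fetch returns the new TTL."""
        if cpu_load >= self.busy_threshold:
            return []
        refreshed: List[str] = []
        for url in self.due_for_prefetch(now):
            self.entries[url] = (now, fetch(url))
            refreshed.append(url)
        return refreshed


def constructed_fetch(url: str) -> float:
    """Stand-in for an HTTP fetch of url; returns a 60 s TTL for every object."""
    return 60.0


def demo() -> Tuple[List[str], List[str], ActiveCache]:
    """Constructed traffic: news is hot, tools moderately so, rare seen once."""
    cache = ActiveCache(top_n=2, busy_threshold=0.7)
    news = "http://news.example.test/"
    tools = "http://tools.example.test/"
    rare = "http://rare.example.test/"
    for _ in range(5):
        cache.record_request(news, now=0.0, ttl=60.0)
    for _ in range(3):
        cache.record_request(tools, now=0.0, ttl=3600.0)
    cache.record_request(rare, now=0.0, ttl=60.0)

    # At t=120 both news and rare have expired, but only news is popular.
    busy = cache.run_prefetch(now=120.0, cpu_load=0.9, fetch=constructed_fetch)  # []
    idle = cache.run_prefetch(now=120.0, cpu_load=0.2, fetch=constructed_fetch)  # [news]
    return busy, idle, cache


if __name__ == "__main__":
    skipped, refreshed, cache = demo()
    print("while busy:", skipped)
    print("while idle:", refreshed)
    print("news fresh at t=150:", not cache.is_expired("http://news.example.test/", 150.0))  # True
```

The point of the two pre-fetch calls is the scheduling rule: the same set of objects is due both times, but nothing is fetched while the load is high, and once the pass runs the popular object is fresh again before any user asks for it, while the unpopular expired object is left alone.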


While most of the intelligent caching activities take place behind the scenes, there
are several administrative pages we can look at. Double-click the Web Proxy icon,
then choose the Caching tab. The top half of the page is for controlling regular
caching, while the bottom is used to manage the active caching. As you can see,