Proxy Server 2.0 - Cramsession

Installation
Minimum requirements for Proxy Server 2.0:
  • 486 or higher CPU
  • 24mb RAM (with Intel processor)
  • 32mb RAM (with RISC processor)
  • 10mb free hard drive space
  • 5mb required minimum free hard drive space for caching. (Although it is recommended you have 100MB + 0.5MB per client)
  • NT Server 4.0 with Service Pack 3 installed.

SETUP.EXE can be used to install Proxy Server. Options:

  • /r - Reinstall Proxy Server
  • /u - Uninstall Proxy Server
  • /k "keynumber" - Specifies the CD Key

  • MPSSETUP.LOG - Log file displaying problems found during server installation.

    • Proxy Server 2.0 is added into the MS Management Console (Internet Service Manager) administration utility.

    Client installation
    Client software can be installed through the //servername/mspclnt share and running SETUP.EXE, or by connecting to http://servername/msproxy and running the installation program.

  • MPCSETUP.LOG - Log file displaying problems found during client installation.

    • The following items are installed with the client software:

    • WinSock Proxy client application
    • MSPCLNT.INI - Contains client configuration information.
    • MSPLAT.TXT - Contains the Local Address Table.

    Cache
    Recommended cache space allocation is 100mb + .5mb free disk space per client.

    The default setting for cache is 100mb when the drive has at least 150mb free hard drive space.

    Caching can only be performed on an NTFS partition. It cannot be performed on a FAT partition.

    To convert a FAT partition to NTFS to allow caching, use the CONVERT.EXE utility.

    Connections requiring authentication or SSL connections will not be cached.

  • Passive caching - All objects are cached. Cached objects will be removed after their TTL has expired. Objects will then be re-cached only when a client accesses that site again.

  • Active caching - Frequently requested objects are retrieved from the Internet by the proxy server when the TTL of the object in cache is getting ready to expire.

    • Caching options:

      Cache expiration policy
    • Updates are more important - Lowers cache performance to keep popular pages updated frequently.
    • Equal importance - Balances cache performance with cache updates.
    • Fewer network accesses are more important (more cache hits) - Provides best cache performance.

      Enable active caching

    • Faster user response is more important - Saves less cache, but updates what is saved very frequently. Causes more users to access data from the Internet rather than cache.
    • Equal importance - Balances cache performance with cache updates.
    • Fewer network accesses are more important - Allows least amount of Internet traffic and will not update cache as often.

    To limit the size of cache objects, use expired objects in the cache, or change an object's TTL, set the proper options in the page accessed through the Web Proxy Service Properties window by clicking the Caching tab, then click Advanced.

  • Cache Filters - List of specific URLs that are in the cache. You can edit the cache list in the Web Proxy Service Properties window by clicking the Caching tab, Advanced, then click Cache filters.

    • LAT (Local Address Table)
  • LAT - Contains IP addresses of the internal network and IP address of the proxy server.

  • MSPLAT.TXT - Contains the Local Address Table. The master copy of this file is stored on the server, and can be downloaded to client systems.

  • LOCALLAT.TXT - Custom LAT for clients that need access to network ranges not specified in the MSPLAT.TXT

    • You can construct the list of internal IP addresses by clicking Construct Table.

    Add Internal IP ranges from your network to specify addresses of clients that will be connecting throught the proxy server.

    IP ranges can be changed in the individual service's properties by clickin the Local Address Table button.

    CARP (Cache Array Routing Protocol) and Multiple Proxy Servers
  • CARP - Multiple proxy servers are configured in an array to provide a single logical cache. These servers communicate between each other, so that each server knows the exact contents of each other. This disallows cache duplication.

    • Uses HTTP to communicate.

    CARP can be implemented on clients using PAC - Proxy Auto-Config file.

    Proxy arrays use an array membership list. They use TTL to determine when to check for active servers, and maintains the list of active servers in the array membership list.

    Array manager is used to maintain the array membership list. List includes TTL until next check, URL to receive array information for a remote manager, and load factors for each server.

    The proxy server will query array for a new table when TTL expires.

  • Heirarchical routing - Requests are forwarded from a downstream proxy or array to an array of upstream proxies when they cannot be serviced. One hop is performed in each array before being forwarded to the next level.

  • Distributed routing - One member of the array will answer a request received by another member of the array, when it is determined that they are the highest scoring proxy (through hash-based routing).

  • Hash routing - Computes list of available servers and the URL to determine which proxy server in the array to use.

    • Array members contain a script, written in JavaScript, which tells clients how to connect to the array.

    To view the array membership table, input the following URL into your browser:

      http://servername/array.dll?Get.Info.v1

      The list you will receive will resemble the following:
      server1 192.168.0.1 80 http://server1:80/array.dll MSProxy/2.0 7521 Up 100 150
      server2 192.168.0.2 80 http://server2:80/array.dll MSProxy/2.0 7521 Up 100 150

      The table describes the information for server1:
      servername server1
      IP Address 192.168.0.1
      Port number 80
      URL for array.dll http://server1:80/array.dll
      Version of Proxy Server MSProxy/2.0
      Number of seconds in current state 7521
      Current state (up or down) Up
      Load factor of server 100
      Cache size 150

    Under the Routing tab of the proxy's properties, you can configure Upstream routing to automatically forward client requests to the Internet or to another proxy server or array.

    Under the Routing tab of the proxy's properties, check the Enable backup route box and insert the proper parameters to automatically forward requests to the Internet or another proxy server or array in case the first upstream choice is unavailable.

    Routing within array can be enabled to resolve proxy requests within the array prior to routing the client to an upstream server or array. This allows load balancing within the array.

    Administration
    Proxy Server can be administered through the Internet Service Manager and through the command line.

    Proxy Server installs counters into Performance monitor to enhance and troubleshoot more efficiently.

    To remotely administer Proxy server, you must have the same version of client software installed on your system as the server you are connecting to.

    Command line utilities:

    • REMOTMSP - Used to remotely configure and administer Proxy Server, including starting and stopping services, backing up and restoring proxy information, and managing server arrays.
    • WSPPROTO - Used to remotely edit service protocol definitions.

    To stop/start services from the command line:

    • Web - NET STOP|START W3SVC
    • WinSock - NET STOP|START WSPSRV
    • Socks - NET STOP|START W3SVC or use Remotmsp.exe

    Backup and Restoration
    Proxy server parameters are backed up to a text file in the C:\MSP\CONFIG directory, unless otherwise specified.

    To perform a backup, go to the Properties field of any proxy service, click the Service tab, then click Server Backup. Select the directory you would like to backup to and click OK.

    To perform a restoration, go to the Properties field of any proxy service, click the Service tab, then click Server Backup. Select whether to perform a Partial or Full Restore, then specify the directory that the backup was placed in and click OK.

    • Partial Restore - Method is a non-computer specific restore; Items such as array membership and logging information will not be restored.
    • Full Restore - Method is a computer specific restore; All items are restored.

    Security
    To prevent unauthorized access to your network from external users:
    • Disable IP forwarding in TCP/IP section of the Control Panel/Network configuration screen.
    • Do not add external addresses to the LAT.
    • Deny listening on inbound service ports.

    Authentications:

    • Anonymous - Any user is able to access the site.
    • Basic - Login and Password are necessary to access the site.
    • Windows NT challenge/response - Uses current login information to allow/disallow access to site. Only available in same or trusted domains.

    Challenge/response will only work properly with IE 3.0 and later. When a non-IE browser accesses a challenge/response site, access will be denied.

    Web and Winsock proxy
    Within the Web proxy and WinSock proxy properties screens, you can choose which users/groups are able to access the Internet through particular protocols. Permissions must be assigned separately to each protocol.

    Web proxy covers only FTP, Gopher, Secure and Web protocols. The web protocol covers HTTP and HTTPS protocols. The secure protocol covers protocols setup to use secure ports.

    WinSock proxy covers many protocols including HTTP, HTTPS, FTP, Telnet, Gopher, IRC, RealAudio, POP3, SMTP, and others.

    Once users have been assigned permissions to a protocol, they then have access to the Internet through those specified ports. For example, when a user is assigned permission to use HTTP, they then have access to the Internet through port 80.

    To assign or revoke permissions for users to other protocols, highlight the user and click Copy to or Remove From, select the proper protocol, and click OK.

    WinSock proxy allows Unlimited Access to be specified. This allows all users full access to all ports on that defined in the WinSock proxy service.

    WinSock proxy protocols can be editted, or new protocols can be added, to customize or create ports that are needed for certain application communications. Protocols can also be defined to only allow outbound or inbound access.

    Socks proxy
    Socks proxy uses the Identification protocol and IP addresses to authenticate clients.

    Socks proxy service depends on the Web proxy service to be running. If the Web proxy service stops, the Socks proxy service also stops.

    Socks proxy does not support IPX/SPX.

    Socks permissions can be moved change the orders of the listed permissions.

    Custom Socks permissions can have functions matched to specified port numbers:

    Socks can be set to deny or allow access from specific IP ranges, domain names, or all users. Options for this can be set to:

    • Allow or deny access to these clients only to a certain destination.
    • Allow or deny access to these clients for certain port numbers/ranges.

    Socks port settings are defined by the following determiners:

    EQ Equal to
    NEQ Not equal to
    GT Greater than
    LT Less than
    GE Greater than or equal to
    LE Less than or equal to
    For example, you can choose to deny access to any port greater than 80 by specifying Deny in the Action box, GT in the Port box, and 80 in the Port number field.

    Another example is portrayed in the following graphic:

    This allows all clients from geocities.com to access anything in cramsession.com through port 80.

  • Identification (Identd) protocol - Provides a false user name to servers that block MS Proxy clients, to allow them to access the server's services. Is installed by running IDENTD.EXE --INSTALL. Is run through the NET command: NET START|STOP IDENTD.

    • Domain Filtering
    Domain filtering is used to grant or deny client access to certain domains/IP addresses.

    Click the checkbox next to Enable Filtering to allow filtering.

    Options:

    • Grant - Grants access to all domains except the domains that are specified.
    • Deny - Denies access to all domains except the domains that are specified.

    You can grant or deny access to:

    • Single computer - Must specify the IP address of a specific system. Can click the ellipsis button next to the IP field, and specify a DNS name. It will then return the IP address of that DNS name.
    • Group of computers - Must specify the IP address and subnet mask of the systems.
    • Domain - Must specify the domain name to grant or deny access to.

    Packet Filtering
    Must have an external network interface before this can be enabled. If using a modem or ISDN adapter as the external network interface, you must have RAS Auto Dial setup. Only the external network adapter will provide packet filtering.

    Provides filtering on packets, addresses and spoofs/attacks.

    All packet types will be blocked, except for those specified in the Exceptions list.

    Alerts
    Proxy server can send alerts for events through the Event Viewer, log files or email.

    Alerting can only be enabled when packet filtering is enabled.

    Alerts can be sent for:

    • Rejected packets - Notifies you when numerous packets are being rejected in high rates. Rates can be set to alert you when rejected packets occur at a certain frequency. High frequency rates can mean an attack is taking place.
    • Protocol violations - Notifies you when packets or frames are dissimilar from the typical protocol structure.
    • Full disk drive warnings - Notifies you when disk drive that holds the service or packet logs is full.

    Reverse Proxy Servers
    A reverse proxy server services requests made to an internal web server. It will serve as a "firewall" by only letting visitors through one port to retrieve the information.

    Reverse hosting can be enabled to allow multiple web servers to be contacted through the reverse proxy server.

    To enable reverse proxy support, under the Publishing tab of the proxy service properties panel, click the Enable Web publishing box. There are three options available:

    • Discarded - All web server requests will be discarded.
    • Sent to the local web server - All requests will be sent to the default web server.
    • Sent to another web server - All requests are sent to a specific web server.

    To create a reverse host route, click Add. In the Path field, insert the URL to be routed. In the URL field, insert the URL of the internal web server that will service this request.

    Logging
    Log files are stored in the C:\WINNT\SYSTEM32\MSPLOGS\ directory by default.

    • W3filename.LOG - Web Proxy service log
    • WSfilename.LOG - WinSock Proxy service log
    • SPfilename.LOG - Socks Proxy service log
    • PFfilename.LOG - packet filters

      filename = yymmx; yy=year, mm=month, xx=day/week/month of log.

    Logging to a text file takes considerably less resources than logging to database.

    An OBDC driver must be installed on the proxy server to be able to log to a database.

    A DSN (Data Source Name) must be added to describe which server or database file you are writing to.

  • MPKLOG.EXE - Included with Proxy Server. Tool to create SQL tables for proxy server logging.

    •  

    Common Port Numbers

    FTP 21
    Telnet 23
    SMTP 25
    Gopher 70
    HTTP 80
    POP3 110
    PPTP 1723
     

    Proxy Clients

    Proxy Server does not support IPX on Windows 3.x clients.

    Windows 3.x clients cannot use the WinProxy service, but can use the Socks and Web services.

    Windows 95 clients must have the Novell Client 32-bit IPX stack installed in order use IPX through the proxy server.

    The default URL for clients to get the array routing script is http://servername/Array.dll?Get.Routing.Script

    To prevent Exchange clients from connecting to Internet POP3 servers, put DISABLE=1 under the [EXCLNT32] header in the MSPCLNT.INI.

    Clients with the WinSock proxy client application download the MSPCLNT.INI file every time the client system is restarted, and every six hours after the last refresh.

  • WSPCFG.INI - Contains server proxying information pertaining to the local client. It will never be overwritten by the server. This file contains application-specific settings for each WinSock application.

    •  

    RAS (Remote Access Services)

    RAS is capable of using the following connection protocols:
    • SLIP
    • PPP
    • RAS

    RAS supports call back security to either the calling number or to a specified, non-changing number.

    RAS for NT 4.0 supports multilink (the use of more than one modem to achieve higher transmission speeds). Multilink cannot be used with callback security unless there are two (or more) ISDN modems configured on the same phone number.

    RAS uses NetBEUI as the default network protocol, but can also use TCP/IP and IPX/SPX. TCP/IP will need to be used if you are using programs that utilize the Windows Sockets (Winsock) interface over the RAS services.

    RAS encryption settings

    Allow any authentication including clear text This will allow RAS to use a number of password authentication protocols including the Password Authentication Protocol (PAP) which uses a plain-text password authentication. This option is useful if you have a number of different types of RAS clients, or to support third-party RAS clients.
    Require encrypted authentication This option will support any authentication used by RAS except PAP.
    Require Microsoft encrypted authentication This option will only make use of Microsoft's CHAP (Challenge Handshake Authentication Protocol). All Microsoft operating systems use MS-CHAP by default.
    Require data encryption This option will enable the encryption of all data sent to and from the RAS server.

    RAS will write to a log file which can be used for troubleshooting RAS services. In order to enable RAS to write to the log, you have to enable it in the Registry.

    Auto Dial is used to automatically dial-up to the Internet when a client is attempting to gain Internet access through the Proxy Server with RAS Auto-dial capabilities.

    A RAS phonebook entry to your ISP will need to be created to allow Auto Dial to work. Credentials can be setup to set the user name and password used to connect with the ISP.

    When Auto Dial is configured for the first time, or if settings are cleared, the services will need to be restarted before settings can take effect.

     

    Computer name resolution

  • DNS (Domain Name Services) - Used to resolve DNS host name to an IP address.

  • WINS (Windows Internet Naming Service) - Used to resolve NetBIOS computer name to an IP address.

  • HOSTS - File which contains mappings between DNS host names and their IP addresses.

  • LMHOSTS - File which contains mappings between NetBIOS computer names and their IP addresses.