Erik Rozell and Todd Lammle, with James Chellis
Chapter 6 from MCSE: Proxy Server 2 Study Guide, Exam 70-088, published by Sybex, Inc.
What is the ideal solution to a not-so-ideal problem? Internet access management is such a problem. It may require that you, the administrator, learn a new interface, or add yet another utility to every desktop in the system's management organization, or do "who knows what." In this chapter, we will discuss the ideal solution to Internet access management by presenting an overview of the controls provided by Microsoft's Internet Service Manager as they apply to Proxy Server.
The material we cover in this chapter is quite straightforward. You should have no problem with the concepts and descriptions presented here, whether you are a beginner or an expert. By the end of this chapter, you will be armed with all you need to know about:
• Internet Service Manager administration
• Configuring the Web Proxy service with IIS
• Configuring the WinSock Proxy service with IIS
• Configuring the Socks Proxy service with IIS
Note: Exam objectives are subject to change at any time without prior notice and at Microsoft's sole discretion. Please visit Microsoft's Training & Certification website (www.microsoft.com/Train_Cert) for the most current exam objectives listing.
The focus of this chapter is on where the various controls are located and how to use them. The functions you'll configure here are in many cases quite complex, and you'll find more detailed information about them in other chapters, as noted throughout.
The previous chapter gave a full overview of the Internet Service Manager provided with Internet Information Service. At this point, you should be familiar with the following:
• The services controlled from the interface
• How the service works as a management tool on different systems
• The general abilities of the IIS interface
To manage Microsoft's Proxy Server with IIS, simply click Internet Service Manager from the Microsoft Internet Server folder, located in Programs on the Start menu. Once the management screen appears (see Figure 6.1), you may select any of the services listed to begin configuring it.
If you are using a version of IIS older than version 2.0, it is highly recommended that you upgrade to the most current version. On its Web site, Microsoft provides Windows NT service packs that contain upgrades and new pieces of software designed to fix various problems that may occur within a particular NT version. Service pack 3, for instance, includes IIS 3.0. You should also check for more recent "hot-fixes" on the Web site.
Microsoft Proxy Server 2.0 will integrate with all versions of IIS starting with 3.0 and greater. As of this writing, Microsoft Proxy Server requires that you install to a server and not the personal Web services that you would find on a workstation. Through IIS version 4.0, no major problems with the integration of Proxy Server have been noted.
Microsoft Exam Objective: Given a scenario, decide which user interface to use to perform administrative tasks.
As you work through this chapter, you should note the functions and uses of each service and their respective tabs. As we progress, you will see that there are certain situations to which each service tab applies. For instance, suppose that you wanted to publish Web pages. You would use the Publishing tab on the Web Proxy service described in this chapter. Also, you will want to apply security, which we discuss in chapter 7. Figure 6.2 reflects the services as they relate to IIS. As you can see, once the Proxy Server services have been installed, they appear as part of IIS itself.
Note: Full knowledge of the user interface is important, because it gives you the basic knowledge you need to perform the scenario configurations in this book.
Microsoft Exam Objective: Configure the various Proxy Server services.
Microsoft's Web Proxy service is configured from the Internet Service Manager. From the main IIS management screen, select the Web Proxy service icon. From here, you have the option of selecting which aspect of the service to control.
The control parameters are grouped into six sections, each of which has a tab on the Web Proxy Service Properties window: Service, Permissions, Caching, Logging, Routing, and Publishing. A number of the controls affect the other proxy services. The controls that span multiple services are the Shared Services and Configuration, both located on the Service tab. To avoid repeating information, these configuration items are discussed in a later section of this chapter. The relationship of the Web Proxy service controls is reflected in Figure 6.3.
The Service tab is used to view and configure general Web Proxy service information. The administrator's view of this tab is reflected in Figure 6.4.
From this tab, an administrator can perform the following tasks:
Review the Product Version The first item displayed reflects the version of Proxy Server that you have installed. This information is more important for troubleshooting than anything else. As service packs and updates are released, the version number can be used to track the revision and the build.
View the Product ID You can also view the product that was installed to a particular system. This is useful for maintaining legitimate licensing and for support when determining which media was used during installation.
Define the server's functionality by placing a comment The comment you enter here will appear in the Internet Services Management tool's list of proxy servers, so you will typically use it to identify each server uniquely by name. Any text typed in the Comment box will appear in the manager.
Microsoft Exam Objective: Monitor current sessions.
Display the current sessions This option allows an administrator to determine which users are currently connected to the Web Proxy Server. The displayed information includes the connected user's name, the time connected to the server, and the duration of the connection. At times, it is useful to see which connections are in use: for example, to determine whether a system can be taken off-line, or to see which users are being selfish with connections, possibly by leaving their system connected to the Internet even when they're not using the connection. The connection screen, shown in Figure 6.5, simply allows you to view this information; you cannot control the connections.
Figure 6.5 Displaying current sessions
Access the Shared Services This is a group of services that are shared among all three proxy services. The services include security, array controls, auto dialing, and Web page plug-ins. (The Web page plug-ins do not apply to the Socks service.) See the Configuring the Shared Services section later in this chapter for details.
Access the Common Configuration controls Similar to the shared services, the common configuration controls are used among all three proxy services. These configuration items include client configuration, local address table settings, and server backup and restoration. (The Socks service does not use client configuration settings.) See The Shared Configuration Services later in this chapter for details.
Setting up access control—establishing which users and groups have access to which Web resources on the proxy server—is one of the most important tasks an administrator can perform. Chapter 7 provides a complete discussion of proxy server access control. As discussed there, establishing user permissions is the most basic form of security a network can implement.
Microsoft Exam Objective: Grant or restrict access to the Internet for selected outbound users and groups who use the various Proxy Server services to access the Internet.
From the Web Proxy Permissions tab, an administrator can assign users rights to access the Internet Web pages, as shown in Figure 6.6. To give you some hands-on experience working with permissions, Exercise 6.1 shows the steps for setting up user access rights.
Microsoft Exam Objective: Choose a secure access strategy for various situations. Access includes outbound access by users to the Internet and inbound access to your Web site. Considerations include:
Exercise 6.1: Setting Up User Permissions
To set up user access rights, use the controls on the Permissions tab in the following order:
1. Enable Access Control. Selecting this option changes the proxy server from an open system, in which anyone can use any Web service, to one in which only specific users and groups are allowed access to specific services.
2. Protocol. After enabling access control, use this pull-down box to select the protocol for which you'll grant access to the users and groups you specify in step 3. The protocols include:
3. Grant Access To. Initially empty, this list box displays the users and groups to which access to the selected Internet protocol has been authorized. To add users or modify their access rights, select the Edit button. This displays a standard Windows NT user add/edit window, in which you select users and groups from a domain list, as shown in Figure 6.7.
4. Remove From. This option simply deletes users or groups from the list.
5. Copy To. This option copies user permissions between protocols.
Proxy server management works on the basis of separating services but allowing rights to be granted or revoked to all at one time. To set up permissions for more than one service (protocol), you'll need to repeat steps 2 and 3 above or use the Copy To function.
Tip When initially setting up permissions, it's a good idea to create your groups in User Manager, and then assign the groups' rights in Internet Service Manager. As users are created, you will be able to give them access to the proxy server without actually having to configure anything beyond adding each user to a group.
Microsoft Exam Objective: Configure server authentication. Authentication options include:
When the Enable box is cleared, users are logged into the proxy server anonymously. This means that any user on the network can access the proxy server. Leaving the permissions disabled is useful in situations where users are all trusted not to abuse the service. Allowing the service to maintain open access potentially creates security-related issues.
However, there are a few methods you can use to control anonymous access. The most common is to manipulate the access to the local service so that control is cached according to a specified user (usually IUSR_systemname).
Remember that you also control anonymous access by disabling the function—that is, by checking the Enable Access Control box—and then granting specific access rights to the username "anonymous" using the procedure just shown.
Aside from the relay functions of the proxy server, the ability to configure caching is perhaps the most important part of the service. As you have seen in earlier chapters, if it was not for caching, the Internet would have fallen victim to its own success—there would simply be more traffic than the infrastructure could handle. Recall that you may configure a cache as either active or passive. Passive caching simply records data as it is requested. Active caching, on the other hand, periodically refreshes frequently accessed objects on its own, before a client asks for them again. The Caching tab enables an administrator to customize and fine-tune performance.
Microsoft Exam Objective: Configure active caching and passive caching.
Tip A cache stores information locally, so that it can be accessed more quickly than from its original resource. This means less time and network traffic. Cache memory is commonly used in computers to load data quickly from RAM. It is not something to be stingy with. Allocate generously.
Clicking the Enable Caching checkbox allows the Proxy Server to store information requested by a client and later respond quickly to an identical request to the same resource. To determine how long the cache remains in effect, Microsoft Proxy Server allows administrators to define a Cache Expiration Policy. To set the expiration time, you choose between more update checks, fewer Internet requests, or a balance between the two. Select the first option, more update checks, if the information you're caching is so time-critical that you would rather slow down the system to check for updates than give the user outdated information. This tends to slow things down a bit, since the proxy server will check for changes more often. Selecting fewer Internet requests reduces traffic significantly and sets the cached object's Time to Live (TTL) period to the maximum duration as defined in the Advanced section of the tab. Figure 6.8 shows the Caching tab.
Warning: When the Enable Caching box is cleared, no caching occurs and there is no reduction of network traffic. The cache expiration policy can mean greater efficiency to the system. Be aware, however, that it may also respond to clients with obsolete data. Many Web sites do not change very often, but for other sites such as those with volatile information, this can be a serious issue.
You enable active caching by clicking the corresponding checkbox. Active caching is a technique designed to save time and traffic. It's typically used so that the updates are made while system utilization is low. When users request updates, they may never see the actual data directly from the resource; rather, they may just receive the cached object. Active caching can be adjusted for more pre-fetching, less pre-fetching, or a balance. Pre-fetching is when the server requests and caches data before a user makes a request for it. Note that the TTL on actively cached objects is reset only when a client requests data, not when the request was last updated. For more information on caching design, refer to Chapter 3.
To apply what we have learned about caching, let's pretend your company network (proxy server) is highly utilized during business hours, but not during all other hours. A good application of caching would be to configure the passive cache for more hits, while setting the active cache for more pre-fetching. In this configuration, users during the day will use less bandwidth since they will be receiving more data from the cache; and while network utilization is low in non-business hours, the proxy server can actively request updates to objects stored in the cache.
Microsoft Exam Objective: Choose the location, size, and type of caching for the Web Proxy service.
The cache size can also be configured from this page. Selecting Change Cache Size displays the Cache Drives window, shown in Figure 6.9, where you can adjust the number of reserved megabytes. It is a bad idea to allocate a small size, since objects are dropped from the cache as it reaches its capacity, according to how often clients request them. While setting the cache size, you must also define the drive location of the cache. As the window warns, an NTFS partition must be used for caching. Typically, the best performance is obtained by selecting a drive on which neither the main proxy system nor the Windows NT operating system is installed. That is, you should select not just a different partition, but a different physical drive. Note that caching is allowed only on local drives, and defining alternate drives on RAID-striped systems has no benefit beyond selecting the drive for free disk space. When multiple drives are available, using multiple caches often adds speed. When using a RAID-striped storage system, the cache is automatically spread across multiple physical drives.
You can further fine-tune the cache by clicking the Advanced button on the main Caching tab. This displays the Advanced Cache Policy window, shown in Figure 6.10, where you can define the size of cached objects to use expired objects to fill requests when a site is unavailable, and filter which types of resources are cached. The options include the following:
Limit Size of Cached Objects To Select this checkbox and then define the number of megabytes to be reserved for a given object. Any object that exceeds this specified size will not be cached.
Return Expired Objects For Up To Check this box to return a cached Web page, even though the TTL has expired, when the original site is unavailable. When you choose this option, you also set the percentage of the TTL period for which the outdated information will be available. For example, if the TTL is 1440 minutes (24 hours) and you set this option at 50 percent, users will be able to get a cached page for 12 hours after expiration if the original site is unavailable. Note that while this has the advantage of providing data when an object cannot be accessed, it can also give a false impression if the data retrieved is now different from what is at the site. The return percentage must be greater than 0 percent for the function to have any meaning.
Object Time To Live (TTL) Set this according to type (HTTP or FTP) by selecting the appropriate checkboxes. When HTTP caching is enabled, you can set the TTL to an unlimited time by selecting TTL=0. Only when the ISP or the Web page itself defines an expiration date will an object ever expire. Alternatively, you can define the TTL as a percentage of an object's age if the source provides the time it was last modified. Both a Maximum and a Minimum TTL in minutes must be set. When FTP caching is enabled, the TTL can be set as a flat period of time defined in minutes. Setting the Minimum TTL and the Maximum TTL to 0 will force the proxy server to issue a GET request with an If-Modified-Since HTTP header for client Web browser requests.
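The two expiration settings above (TTL as a percentage of age clamped between Minimum and Maximum, and returning expired objects for a fraction of the TTL while the origin is unreachable) combine into a small decision procedure. The following is an added example written for this chapter, not code from the book or from Microsoft Proxy Server; the policy values, the CachePolicy/CachedObject names and the precedence rules in the comments are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class CachePolicy:
    # Constructed values for the example; take real ones from the Advanced Cache Policy dialog.
    ttl_percent_of_age: int       # TTL as a percentage of the object's age (fetch time - Last-Modified)
    min_ttl_minutes: int          # Minimum TTL from the dialog
    max_ttl_minutes: int          # Maximum TTL from the dialog
    return_expired_percent: int   # "Return Expired Objects For Up To ... % of TTL"; 0 disables it


@dataclass
class CachedObject:
    url: str
    fetched_at: datetime
    ttl_minutes: float


def compute_ttl_minutes(policy: CachePolicy, fetched_at: datetime,
                        last_modified: Optional[datetime],
                        expires: Optional[datetime] = None) -> float:
    """TTL assigned to an object when it enters the cache.

    Precedence modelled here (an assumption for the example, not a statement from
    the book): an explicit expiry from the origin wins; Minimum and Maximum both 0
    means 'always revalidate'; otherwise TTL is a percentage of the object's age
    clamped to [Minimum, Maximum].
    """
    if expires is not None:
        return max(0.0, (expires - fetched_at).total_seconds() / 60)
    if policy.min_ttl_minutes == 0 and policy.max_ttl_minutes == 0:
        return 0.0
    if last_modified is None:
        # No Last-Modified to scale from: fall back to the floor (assumption).
        return float(policy.min_ttl_minutes)
    age_minutes = (fetched_at - last_modified).total_seconds() / 60
    ttl = age_minutes * policy.ttl_percent_of_age / 100
    return float(min(max(ttl, policy.min_ttl_minutes), policy.max_ttl_minutes))


def decide(policy: CachePolicy, obj: CachedObject, now: datetime,
           origin_reachable: bool) -> str:
    """What the proxy does with a client request for an object already in the cache."""
    expires_at = obj.fetched_at + timedelta(minutes=obj.ttl_minutes)
    if now <= expires_at:
        return "serve-fresh"
    # Expired: the stale copy may be served only while the origin is down, and only
    # for the configured fraction of the original TTL (1440 min at 50% = 12 hours).
    grace = timedelta(minutes=obj.ttl_minutes * policy.return_expired_percent / 100)
    if (not origin_reachable and policy.return_expired_percent > 0
            and now <= expires_at + grace):
        return "serve-stale"
    # A TTL of 0 always lands here: re-fetch from the origin with If-Modified-Since.
    return "fetch-from-origin"
```

The "serve-stale" branch is the one to watch from a security standpoint: while it is active, users receive whatever was cached before the origin went down, so keep the return percentage low for pages whose content is volatile or access-controlled.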
Cache Filters This button displays a screen where you can specify which sites or pages should be cached. You configure the cache filter by selecting Add, Edit, or Remove for any entry or object. This allows you to define which objects are stored in the cache. Entries may include only the URL (to allow or disable caching for an entire site), or an entire URL with object path or wildcard (*). Note that when making an entire site cacheable, you are, in fact, only caching those items which are accessed. You will not cache objects on a site that users do not request. Objects can be set as always being cached or never being cached. Sample entries are shown below:
• www.sybex.com/books: Caches the books directory on the Sybex Web site.
• www.sybex.com/books*: Caches the books directory and all its subdirectories on the Sybex Web site.
• *.sybex.com/books: Caches the books directory on all systems (WWW, FTP, and so on) in the Sybex domain.
• *.sybex.com/books*: Caches the books directory and all its subdirectories on all systems (WWW, FTP, and so on) in the Sybex domain.
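To make the four sample entries above concrete, here is an added matcher for that filter syntax (a leading "*." for every system in a domain, a trailing "*" for a directory and its subdirectories, a host-only entry for an entire site). It is example code written for this chapter, not the book's or Proxy Server's own implementation; the FilterEntry type, the rule that a "never cache" entry wins over an overlapping "always cache" entry, and the extra entries in the test data are assumptions.

```python
from dataclasses import dataclass
from typing import List
from urllib.parse import urlsplit


@dataclass
class FilterEntry:
    pattern: str        # as typed in the Cache Filters dialog, e.g. "*.sybex.com/books*"
    always_cache: bool  # True = Always cache, False = Never cache


def _split_pattern(pattern: str):
    host, _, path = pattern.partition("/")
    return host.lower(), "/" + path


def _host_matches(pattern_host: str, host: str) -> bool:
    # "*.sybex.com" covers every system in the domain (www, ftp, ...); the bare
    # domain name itself is assumed not to match.
    if pattern_host.startswith("*."):
        return host.endswith(pattern_host[1:])
    return host == pattern_host


def _path_matches(pattern_path: str, path: str) -> bool:
    if pattern_path == "/":               # host-only entry: the entire site
        return True
    if pattern_path.endswith("*"):        # the directory and all its subdirectories
        return path.startswith(pattern_path[:-1])
    # No wildcard: the directory itself or an object directly inside it
    if path == pattern_path:
        return True
    if path.startswith(pattern_path + "/"):
        return "/" not in path[len(pattern_path) + 1:]
    return False


def should_cache(entries: List[FilterEntry], url: str, default: bool = True) -> bool:
    """Apply the filter list to one requested URL; `default` applies when nothing matches."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    matched = []
    for entry in entries:
        p_host, p_path = _split_pattern(entry.pattern)
        if _host_matches(p_host, host) and _path_matches(p_path, path):
            matched.append(entry)
    if not matched:
        return default
    # A "never cache" entry wins over an overlapping "always cache" one (assumption).
    return all(e.always_cache for e in matched)
```

Note the difference between the first two book entries: without the wildcard, an object two levels down (www.sybex.com/books/proxy/ch6.html) is not matched by www.sybex.com/books, which is why the wildcard form is the one usually wanted for a whole branch of a site.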
The Routing tab, shown in Figure 6.11, is the primary interface for working with multiple proxy servers. Here you can define upstream routing, backup routing, and routing within an array. As explained further in Chapter 9, multiple proxy servers can be chained together or made to operate in an array configuration.
Microsoft Exam Objective: Choose a strategy to balance Internet access across multiple Proxy Server computers. Strategies include:
When configured in an array, multiple proxy servers operate as a single system. This provides load balancing, fault tolerance, and enhanced performance. This configuration is most often used in networks where a large concentration of users is in a single location. For more distributed networks, chaining proxy servers is a common practice. This allows caching between WAN links and between proxy servers.
Each proxy server must define itself according to an HTTP Alias. This is the name that is appended to the proxy request so that it may be returned to the correct server. Typically, the alias is the same as the name of the system where the proxy server resides. Once this has been configured, you may define upstream routing. This may be a direct connection to the Internet or a Web proxy or array, as shown in Figure 6.11.
A direct connection would be applicable if the server was linked either directly to the Internet or via a dial-up connection. Otherwise, you'll select Use Web Proxy or Array and use the Modify button to select an upstream Web proxy server. Supply the host name and port number for the upstream server as shown in Figure 6.12. With the Auto-poll Upstream Proxy for Array Configuration box checked, the array will automatically set itself. This setting should be accurate assuming the upstream server is also a Microsoft product. If a user name and password are required, check the Use Credentials to Communicate with Upstream Proxy checkbox. You may select either to send the credentials as basic/clear text or as NT Challenge/Response encrypted.

Figure 6.12: Use the Advanced Routing Options window to select a proxy server located upstream
Optionally, a backup route may be defined by checking the corresponding checkbox. The rules of operation are identical to those for defining a primary upstream routing path.
If an array has been configured (see Chapter 9) you may optionally attempt to resolve Web requests within the array prior to routing them upstream. To enable this, check the corresponding box on the main Routing tab in the Web Proxy Configuration dialog box. Selecting the Advanced button allows an array to be defined according to the appropriate IP address, as shown in Figure 6.13. The Advanced button is shown in Figure 6.11.
Routing options are discussed in further detail in Chapter 9, Multiple Proxy Servers.
On the Publishing tab, you can check the Enable Web Publishing box to allow Web content to be published to the Internet. By default, this option is disabled. However, checking this box will enable users to publish Web pages through the proxy server. This function allows port 80 connections to pass. Similar to the way in which Web proxy clients communicate with the proxy server, Internet clients talk directly to the proxy server as if it were the actual Web server. Recall that if multiple servers are running, multiple addresses may be required. The Publishing tab is shown in Figure 6.14.
When this function is enabled, requests from the Internet can be discarded, sent to the local Web server, or sent to another Web server as a default filter for incoming requests. By adding a specific URL to an exception list, you can route valid requests to an alternate server other than the default. For example, suppose that all requests to www.netpro.com should be rejected. However, those that access www.netpro.com/field_info should be routed to the internal corporate Web page. Setting the exception for /FIELD_INFO will allow those external users who have been informed and authorized to access the site to connect, while others will assume that there is nothing to see. Obviously, if you do not want to accept packets, you should discard them. If you want to use the proxy server as a Web server as well, you should select Send to the Local Web Server. Otherwise, if you want to redirect Web requests to another Web server, you should select Send to Another Web Server. In our example with netpro, we were redirecting requests to another server that was not the proxy server. As you can see, the Web publishing feature allows both reverse hosting and proxying.
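The netpro example above is a default action plus an exception list, which is easy to express as a routing table. The following is an added illustration, not code from the book or from Proxy Server; the PublishingConfig type, the longest-prefix-first ordering, the path-boundary check, and the target host name intranet.corp.example are all constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# The three default actions offered on the Publishing tab.
DISCARD = "discard"
LOCAL = "send-to-local-web-server"
OTHER = "send-to-another-web-server"


@dataclass
class PublishingConfig:
    enabled: bool                            # the Enable Web Publishing checkbox
    default_action: str                      # one of DISCARD, LOCAL, OTHER
    default_target: Optional[str] = None     # host used when the default action is OTHER
    # Exception list: request path prefix -> internal server that should receive it.
    exceptions: Dict[str, str] = field(default_factory=dict)


def route_inbound(cfg: PublishingConfig, request_url: str) -> Tuple[str, Optional[str]]:
    """Return (action, target host) for a request arriving from the Internet."""
    if not cfg.enabled:
        return DISCARD, None   # publishing off: nothing inbound is forwarded
    path = urlsplit(request_url).path.upper()
    # Longest prefix first so a more specific exception shadows a broader one.
    for prefix in sorted(cfg.exceptions, key=len, reverse=True):
        p = prefix.upper().rstrip("/")
        # Match the directory itself or anything beneath it, but not "/FIELD_INFORMATION".
        if path == p or path.startswith(p + "/"):
            return OTHER, cfg.exceptions[prefix]
    if cfg.default_action == LOCAL:
        return LOCAL, None
    if cfg.default_action == OTHER:
        return OTHER, cfg.default_target
    return DISCARD, None


# The book's scenario: reject everything except /field_info, which goes inside.
NETPRO = PublishingConfig(
    enabled=True,
    default_action=DISCARD,
    exceptions={"/field_info": "intranet.corp.example"},   # constructed target host
)
```

The boundary check matters when the default is to discard: without it, a request for /field_information would fall through to the internal server, which is exactly the kind of unintended exposure an exception list is supposed to prevent.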
The reverse proxying feature enables inbound requests to be routed to an internal server. That server may exist on the private network, which may use a private IP address. Inbound requests may be cached at the proxy server.
The reverse hosting feature allows multiple Web servers to be represented at the proxy server. When requests are received, they can then be routed according to the URL request. Inbound requests may be cached at the proxy server.
The Web Publishing function of Microsoft Proxy Server is discussed in further detail in Chapter 7, Access Control.
An important part of securing the Proxy Server is maintaining a log file of Internet resources accessed. This allows an administrator to view how the Proxy Server has been used. For example, suppose that many users were complaining about slow Internet access. While this could be attributed to many factors, including some that are server-related, it is possible to see whether certain users are monopolizing the server. In such cases, it may be desirable to either increase bandwidth to meet demand, or separate users to different proxy servers. Or suppose managers suspect that some employees are spending company time on sites that aren't work-related, or visiting obviously inappropriate sites. A log will document who is abusing their Web privileges and possibly lead to further action. In short, the logging options allow you to audit Internet access. Figure 6.15 summarizes the controls available to an administrator from this tab.
Microsoft Exam Objective: Configure auditing.
The Web Proxy Server has powerful logging features that enable you to log all activities. Depending on the level of control that an organization wants to impose on their users, log files can be either recorded to a text file or an SQL/ODBC database. This flexibility allows an administrator to use practically any management tool or custom database to record and analyze data. Regardless of the data output format, each log file entry contains a client's name, the protocol type (TCP or UDP), the protocol, the size of requested objects, and the time and date of a request. When data is collected into an SQL format, companies can compile statistical data which managers use to track employee performance.
Note: Structured Query Language (SQL) is a platform-independent programming language that can be used to interface with a database program. Open Database Connectivity (ODBC) is a connection technology that allows communication to a driver, which then communicates with a database.
Microsoft Exam Objective: Configure Proxy Server to log errors when they occur.
Check the Enable Logging box on the Logging tab page to turn on logging. You then have the option of performing regular or verbose logging. Regular logging provides a simplified subset of the data provided by the verbose option. This is often more desirable in situations where storage space is at a premium. The target data is based on server, client, connection, and object information.
Regular logging includes the following information:
• Client Machine and User Names
• Destination Name and Port
• Log Date and Time
• Object Name and Source
• Protocol Name
• Result Code
• Service Name
Verbose logging records all available information about each Internet access. This includes all items listed for Regular logging, plus the following information:
• Authentication Status
• Bytes Sent and Received
• Client Agent and Platform
• Destination Address
• Object MIME
• Operation
• Processing Time
• Proxy Name
• Referring Server Name
• Transport
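The chapter's two audit scenarios (who is monopolizing the server, and who is reaching sites they should not) are questions you answer by aggregating the fields listed above. The following added example is not from the book and does not reproduce the real Proxy Server log file layout: the sample lines are constructed in a simple comma-separated form whose columns are named after the Regular and Verbose fields, and the user names, hosts and byte counts are invented.

```python
import csv
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# Constructed sample log (not real Proxy Server output): a header row followed by
# one record per request, using a subset of the Regular and Verbose fields.
SAMPLE_LOG_LINES = [
    "client_ip,user,date,time,service,dest_host,dest_port,transport,object,operation,result_code,bytes_sent,bytes_received,processing_ms",
    r"192.168.1.10,CORP\alice,1998-06-15,09:01:12,W3Proxy,www.sybex.com,80,TCP,/books/index.html,GET,200,512,18240,130",
    r"192.168.1.11,CORP\bob,1998-06-15,09:02:45,W3Proxy,ftp.sybex.com,21,TCP,/pub/readme.txt,GET,200,301,1204,410",
    r"192.168.1.10,CORP\alice,1998-06-15,09:03:01,W3Proxy,www.sybex.com,80,TCP,/books/mcse.zip,GET,200,520,4194304,2211",
    r"192.168.1.12,anonymous,1998-06-15,09:04:19,W3Proxy,www.netpro.com,80,TCP,/field_info/,GET,403,288,0,12",
    r"192.168.1.11,CORP\bob,1998-06-15,09:05:33,W3Proxy,www.netpro.com,80,TCP,/,GET,200,295,8040,90",
]

INT_FIELDS = ("dest_port", "result_code", "bytes_sent", "bytes_received", "processing_ms")


def parse_log(lines: List[str]) -> List[dict]:
    """Parse the header-described CSV into one dict per request, with numeric fields as ints."""
    records = []
    for row in csv.DictReader(lines):
        for name in INT_FIELDS:
            row[name] = int(row[name])
        records.append(row)
    return records


def bytes_received_by_user(records: List[dict]) -> Dict[str, int]:
    """Inbound bytes per user: the 'who is monopolizing the link' question."""
    totals: Dict[str, int] = defaultdict(int)
    for r in records:
        totals[r["user"]] += r["bytes_received"]
    return dict(totals)


def top_destinations(records: List[dict], n: int = 5) -> List[Tuple[str, int]]:
    """Most requested destination hosts, ties broken by name for a stable report."""
    counts = Counter(r["dest_host"] for r in records)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def denied_requests(records: List[dict]) -> List[dict]:
    """Requests the server refused (result code 400 or above), e.g. access-control denials."""
    return [r for r in records if r["result_code"] >= 400]


def slowest_requests(records: List[dict], n: int = 3) -> List[dict]:
    """Requests with the longest processing time, for the 'slow Internet' complaint."""
    return sorted(records, key=lambda r: -r["processing_ms"])[:n]
```

With SQL/ODBC logging each of these functions becomes a GROUP BY over the same columns; the point of the text-file version is that it needs nothing beyond the log itself.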
If you choose to log data to a text file, you need to make further selections. For example, you can select Automatically Open New Log to create a new text file on a periodic basis (Daily, Weekly, or Monthly). Under this option, the log files are automatically named according to the duration. For example, if Daily logging were selected, the file would be named W3yymmdd.log (W3Wyymmw.log for weekly, and W3Myymm.log for monthly). To prevent storage from becoming overrun with log files, you can also instruct the server here to keep only the most current logs, and specify the number to keep. If, for example, you need a daily report that is turned in once a week, you would keep five logs on a daily basis. That is to say, the one that you are working on in addition to five that are stored on the hard drive. To allow for days off or illness, keep enough logs that the information is still available when you return. Also, to ensure that existing logs are kept, there is an option to stop the service if the disk is detected as full. (The packet filter log will stop all services if the disk is full.) Note that the log file will be saved to the directory you specify on this screen.
Tip Since the log files (if they are not SQL/ODBC) are text-based, an administrator may choose to e-mail logs to a designated account. This can be done using Windows NT's scheduling abilities and a product such as Exchange. Essentially, the AT command is used in conjunction with Exchange's command-line mail utility MAPISEND (from the Exchange Resource Kit). The command-line tools included with Microsoft Exchange work in the same manner as UNIX's SENDMAIL utility.
When Log to SQL/ODBC Database is selected, products such as Sybase, Oracle, Microsoft SQL Server, Microsoft FoxPro, and many other SQL/ODBC programs may be used to manage data. As logs are stored, they are kept in a single file in which each logged event is stored as a record.
In order to use SQL/ODBC, you need to define the following information:
• ODBC Data Source Name (DSN) Designates the Proxy Server. This is a logical name that is used by ODBC to reference the driver and related information used to access data. This related information may include the name of the system where the database is kept.
• Table Defines the database within the SQL program. Note that this is the entry that specifies where the logs will be stored.
• User Name Used to log into the SQL database. This is typical of most secure database programs.
• Password Used in association with the user name to log into a secure database program. In general, most databases use identical security program entry points, and so programs such as Proxy Server can interface with the database without being concerned with the security requirements of the program.
Note: Understanding how to set up SQL logging is essential to working with Proxy Server.
In order to communicate directly with an SQL or ODBC database, a driver must be installed. You can observe the installed drivers by looking in the Control Panel of either a Windows NT or Windows 95 system by clicking the 32-bit ODBC icon.
After installing the driver associated with a given database, you must define a unique system DSN (Data Source Name) for database logging. Optionally, you can use the default Proxy Server DSN, Proxy Server SQL. The DSN specified must be identical to the SQL Server or Microsoft Access database DSN specification used for logging. Note that there are user DSN settings, system DSN settings, and file DSN settings. When working with Microsoft products, remember the following:
Microsoft SQL Server allows the DSN configuration to be set according to the server name, network address, and network library parameters. While both the default network address and network library parameters may be used, a unique system name must be specified.
Microsoft Access is designed such that the system DSN is the file name of the database. For instance, if you are logging into a Microsoft Access database named PRXYINFO.MDB, the system DSN is PRXYINFO.
A user DSN is defined on a per-user basis and is visible only to the current user on the local system. For this reason, user DSNs are not commonly associated with server-level logging programs. On the other hand, system DSNs are visible to all users on a system, including services.
File DSNs are used for users who all have the same driver installed. Commonly, users will see this type of DSN when working within a workgroup. These data sources need not be dedicated to a user or local computer.
Tip It is highly recommended that you review ODBC options prior to configuring your SQL database with Proxy Server. If you are already experienced in working with a database, this is typically not an issue; however, for those who are not, this information may help your understanding.
Certain Proxy Server events are also logged to the Windows NT event log. This logging is automatic and occurs in the event of program errors, certain user authentication errors, and internal problems. For example, suppose that the Proxy Server cannot connect to the ISP, or that it does not start up. These errors will be logged directly into the NT event log. An administrator may view these errors through the event viewer. Internal errors and such are discussed later on in the problem-solving chapter.
Note that some administrators will also want to use the auditing features from Users Manager for Domains. However, this tends to be less useful in Proxy Activities since it only logs successes and failures of a limited number of items, as shown in the diagram below.
Like the Web Proxy service, the WinSock Proxy Server service is configured from the Internet Service Manager. From the main management screen, select the WinSock Proxy service icon. From here, you have the option of selecting which aspect of the service to control. The control parameters are broken down into four sections: Service, Protocols, Permissions, and Logging.
A number of the controls affect the other proxy services. The controls that span multiple services are the Shared Services and Configuration, located on the Service tab. To avoid repeating information, these configuration items are discussed later in this chapter. Figure 6.16 shows the hierarchy of the WinSock Proxy service controls.
The Service tab is used to view and configure general WinSock Proxy service information. From this tab, an administrator performs the same basic functions as with the Web Proxy service. Figure 6.17 shows this tab.
From the Service tab, an administrator can perform the following tasks:
Review the product version Near the top of the window you see the version number of the Proxy Server you have installed. This information is more important for troubleshooting than for anything else. As service packs and updates occur, the version number can be used to track the revision and the build.
View the product ID You can also view the product that was installed to a particular system. This is useful for maintaining legitimate licensing and for support when determining which medium was used during installation: Internet download, floppy disk, CD-ROM, and so on.
Define the server's functionality by placing a comment The comment you enter here will appear in the Internet Services Management tool's list of proxy servers, so you will typically use it to identify each server uniquely by name. However, any text typed in the Comment box will appear in the IIS Manager main screen.
Display the current sessions This option allows an administrator to determine which users are currently connected to the WinSock Proxy Server. The displayed information includes the connected user's name, the time connected to the server, and the duration of the connection. At times, it is useful to see which connections are in use. For example, it can be used to determine whether a system can be taken off-line, and also to see which users are being selfish with connections, possibly by leaving their system on the Internet even when they're not using the connection. The connection screen, shown in Figure 6.18, simply allows you to view this information; you cannot control the connections.
Figure 6.18 Displaying current sessions
Access the shared services This is a group of services that are shared among all three proxy services. The services include security, array controls, auto-dialing, and Web page plug-ins. (The Web page plug-ins do not apply to the Socks service.) See Configuring the Shared Proxy Services later in this chapter for details.
Access the common configuration controls Like the shared services, the common configuration controls are used among all three proxy services. They include client configuration, local address table settings, and server backup and restoration. (The Socks service does not use client configuration settings.) See The Shared Configuration Options later in this chapter for details.
The WinSock Proxy Server works with virtually all WinSock applications (protocols). Typically, each of these services uses a port defined by convention for that application. For instance, FTP uses TCP on port 21. These applications and their port assignments can be found in the SERVICES file; and you can view, add, remove, or modify them using the Protocols tab. By default, the more common WinSock applications are included in the default installation of Microsoft Proxy Server. Figure 6.19 shows what you will find in a default installation.
Each supported WinSock protocol defines a port, type (TCP or UDP), and the direction of the request (inbound or outbound). From the Protocols tab, you may add, modify, or remove entries. For example, to keep users from using a certain service you may want to remove the protocol definition from the WinSock Protocols list. The reason that you may want to remove the definition is that you may have users with unlimited access and you want to block anyone from using a specific service.
New or unlisted protocols that operate on TCP or UDP can easily be added to the WinSock Proxy Server. Exercise 6.2 will take you through the steps.
Exercise 6.2: Adding Protocols to the WinSock Proxy Service
1. | Verify that the protocol to be added does not already exist in the supported list, then click Add. The Protocol Definition dialog box will appear as shown below. |
2. | Type the name of the protocol in the Protocol Name box. Although the name should match the actual protocol, you may use variations as required. |
3. | In the Initial Connection section, select the type of communication that this protocol will use. Again, use UDP for connectionless and TCP for connection-based configurations. Remember that outbound TCP will actually enable a client to make a connection, but outbound UDP will simply pass or relay data to a destination. Next, choose the direction that the initial connection will use, either inbound or outbound. |
4. | In the Port Ranges for Subsequent Connections section, you may select Add, Edit, or Remove. In this case, since we are adding a new protocol, the list should be empty. In the case of our graphic above, we included some settings to illustrate example settings. At this point, we should select Add. The Port Range Definition dialog box will appear. |
5. | In the Port Range Definition window, select the port or range of ports that can be used with the newly defined protocol. Selecting 0 for inbound connections will allow the server to use any port in the range 1024 to 5000. The valid port range on the Proxy Server is between 0 and 65535. Select OK when completed. |
6. | After the Protocol Definition screen reappears, select OK, and the new definition will be created. Note that before this new protocol can be used, permissions must be granted to users. Refer to the Permissions tab for further details. |
The WinSock Proxy Permissions tab enables an administrator to define access according to users and protocol. To enable permissions, simply click the Enable Access Control box as shown in Figure 6.20.
Figure 6.20: Use the Permissions tab to enable and define WinSock access control.
Once access control has been enabled, use the Protocol drop-down box to select the protocol for which you will define access rights. For example, you might select Archie, as in Figure 6.20. Notice that the protocols listed in the drop-down box are the same ones found in the Protocols tab. Once you've specified a protocol, you can edit, remove, or copy user assignments. Since there aren't any default rights, select Edit to assign access to a user or group of users. You'll see the window shown in Figure 6.21. Here you may add users as you would with any other security object.
Tip To grant access to all protocols and ports on a server, select Unlimited Access in the Protocol drop-down box on the Permissions tab. This grants all users listed in the Unlimited Access section rights to all WinSock protocols. Note that if you deny a user access to the Web Proxy Server, but grant them unlimited access to the WinSock Proxy Server, they can still access Web pages via the WinSock Proxy, provided they have the WSP client installed.
The event-logging functions of the WinSock Proxy service are practically identical to those of the Web Proxy service, as are the steps for configuring them. As it is with the Web Proxy service, logging is an important part of securing the server. It allows an administrator to view how the Proxy Server has been used. In short, the logging options enable you to audit Internet access.
Note: Please refer to the Logging section for the Web service for exact details about configuring the logging functions.
As with the Web (and Socks) logging functions, logs may be stored in text files or in an SQL database. The only major difference is that the automatically-generated log file names are as follows:
| • | Daily: WSyymmdd.log |
| • | Weekly: WSWyymmw.log |
| • | Monthly: WSMyymm.log |
A sample screen is shown in Figure 6.22.
Note that although the configuration of the WinSock Proxy and Web Proxy logs are identical, they each store information relative to their design. For example, the WinSock Proxy will store information regarding access to it and the respective protocol, such as Telnet. You will not find this item in a Web Proxy log.
Like the other two Microsoft Proxy Server services, the Socks Proxy is configured from the Internet Service Manager. From the main management screen, select the Socks Proxy service icon. From here, you have the option of selecting which aspect of the service to control. The control parameters are broken down into three sections: Service, Permissions, and Logging. A number of the controls affect the other proxy services. The controls that span multiple services are in the Shared Services and Configuration areas of the Service tab. To avoid repeating information, these configuration items are discussed later in this chapter. The hierarchy of the Socks Proxy service controls is shown in Figure 6.23.
The Service tab is used to view and configure general Socks Proxy service information. From this tab, an administrator can perform the same basic functions as with the Web and WinSock Proxy services. Figure 6.24 shows this tab.
From this tab, an administrator can perform the following tasks:
| • | Review the product version Near the top of this window you'll see the version of Microsoft Proxy Server that you have installed. This information is more important for troubleshooting than anything else. As service packs and updates occur, you can use the version number to track the revision and the build. |
| • | View the Product ID You can also view the product that was installed to a particular system. This is useful for keeping legitimate licensing and for support when determining which medium was used during installation. |
| • | Define the server's functionality by placing a comment The comment you enter here will appear in the Internet Services Management tool's list of proxy servers, so you will typically use it to identify each server uniquely by name. However, any text typed in the Comment box will appear in the manager. |
| • | Display the current sessions This option allows an administrator to determine which users are connected to the Socks Proxy Server. The displayed information includes the connected user's name, the time connected to the server, and the duration of the connection. At times, it is useful to review what connections are in use. For example, it is useful to determine whether a system can be taken off-line, and also to see which users are being selfish with connections, possibly by leaving their system on the Internet even when they're not using the connection. The connection screen, shown in Figure 6.25, simply allows you to view this information; you cannot control the connections. |
| • | Access the shared services This is a group of services that are shared among all three proxy services. These services include security, array controls, auto-dialing, and Web page plug-ins. Note that the Web page plug-ins do not apply to this service. These shared services are discussed in a separate section later in this chapter. |
| • | Access the common configuration controls Similar to the shared services, the common configuration controls are used among all three proxy services. These configuration items include client configuration, local address table settings, and server backup and restoration. Note that the Socks service does not use client configuration settings. These common configuration controls are discussed in a separate section later in this chapter. |
The Socks Proxy Permissions tab enables an administrator to define access according to action, such as to permit or deny access to a system. Requests to the Socks Proxy Server are supported for version 4.3a of the Socks protocol. Each entry in the permissions list contains a source, destination, and whether the request should be allowed or not. Figure 6.26 shows the Socks Permission tab.
From this screen, an administrator can add, edit, or remove listed items. When adding items, an administrator must define whether the action will be allowed or denied, and the request's source and destination. For both of these the options are All, a Domain/Zone you specify, or an IP address and mask. Additionally, you may test the request's port number against a value using Equal To (EQ), Not Equal To (NEQ), Greater Than (GT), Less Than (LT), Greater Than or Equal To (GE), or Less Than or Equal To (LE) (see Figure 6.27).
To apply this function to users, let's suppose that you wanted to block all UNIX users from using a service such as IRC. To do this, open the Socks Proxy service's Permissions tab, select Add, and choose Deny in the Action box. To help us remember what we are doing, we should type IRC in the Comment box. You can be descriptive; however, short and to the point is usually preferred. Since IRC operates on port 6667, we should select the Port checkbox, select EQ in the Options box, and type 6667 in the Port box. Finally, since we want to block all users, we should select All in the Source box, and then, optionally, select Destination and choose All. The reason that the destination is optional is that we have blocked all sources that would otherwise attempt to contact any given destination.
Now, suppose that your policy on IRC changed and you wanted to allow all users to use this service. This process can be completely reversed by changing the Deny option in the Action box to Permit.
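The permission entries described above can be modelled as an ordered rule list. The following is an added example written for this chapter, not Proxy Server code; it assumes first-match-wins evaluation and a default of Deny when no entry matches, neither of which the chapter states, and it reproduces the IRC entry and its reversal.

```python
"""Model of the Socks Proxy permissions list (added example, not Proxy Server code).

Each rule mirrors the fields in the dialog: an Action (Permit or Deny), a Source
and a Destination (All, a Domain/Zone, or an IP address and mask), and an optional
port test using EQ, NEQ, GT, LT, GE or LE. Two assumptions not stated in the
chapter: rules are checked top to bottom and the first match decides, and a
request that matches no rule is denied.
"""
from dataclasses import dataclass
import ipaddress
import operator
from typing import List, Optional

PORT_OPS = {
    "EQ": operator.eq, "NEQ": operator.ne,
    "GT": operator.gt, "LT": operator.lt,
    "GE": operator.ge, "LE": operator.le,
}


@dataclass(frozen=True)
class Endpoint:
    """None means All; a leading dot means a Domain/Zone suffix;
    otherwise 'address/mask' such as '192.168.10.0/255.255.255.0'."""
    spec: Optional[str] = None

    def matches(self, host: str) -> bool:
        if self.spec is None:
            return True
        if self.spec.startswith("."):
            return host.lower().endswith(self.spec.lower())
        try:
            network = ipaddress.ip_network(self.spec, strict=False)
            return ipaddress.ip_address(host) in network
        except ValueError:
            return False  # a host name never matches an address/mask entry


@dataclass(frozen=True)
class Rule:
    action: str                        # "Permit" or "Deny"
    source: Endpoint = Endpoint()      # All unless narrowed
    destination: Endpoint = Endpoint()
    port_op: Optional[str] = None      # key of PORT_OPS, or None for no port test
    port: Optional[int] = None
    comment: str = ""

    def matches(self, src: str, dst: str, dst_port: int) -> bool:
        if not (self.source.matches(src) and self.destination.matches(dst)):
            return False
        if self.port_op is None:
            return True
        return PORT_OPS[self.port_op](dst_port, self.port)


def decide(rules: List[Rule], src: str, dst: str, dst_port: int) -> str:
    """Return the Action of the first matching rule, or "Deny" if none matches."""
    for rule in rules:
        if rule.matches(src, dst, dst_port):
            return rule.action
    return "Deny"


# The chapter's IRC entry: Deny, Port EQ 6667, Source All, Destination All,
# followed by a constructed catch-all Permit so that other traffic still flows.
IRC_BLOCKED = [
    Rule("Deny", port_op="EQ", port=6667, comment="IRC"),
    Rule("Permit"),
]

# Policy reversed, as the chapter describes: only the Action changes.
IRC_ALLOWED = [
    Rule("Permit", port_op="EQ", port=6667, comment="IRC"),
    Rule("Permit"),
]

if __name__ == "__main__":
    for rules in (IRC_BLOCKED, IRC_ALLOWED):
        print(decide(rules, "192.168.10.20", "irc.example.net", 6667),
              decide(rules, "192.168.10.20", "www.example.com", 80))
```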
The event-logging functions of the Socks Proxy service, and the procedures for configuring those functions, are practically identical to those of the Web and WinSock Proxy services. As in the Web and WinSock Proxy services, logging is an important part of securing the server. It allows an administrator to view how the Proxy Server has been used. In short, the logging options enable you to audit Internet access.
Please refer to the Logging section for the Web service for exact details about configuring the logging functions. As with the Web and WinSock logging functions, logs may be stored in text files or in an SQL database. The only major difference is that the automatically generated log file names are as follows:
| • | Daily: SPyymmdd.log |
| • | Weekly: SPWyymmw.log |
| • | Monthly: SPMyymm.log |
A sample screen is shown in Figure 6.28.
You can configure the shared proxy services from the Service tab of any of the three proxy services. Typically, you should perform configurations from the WinSock or Web Proxy services tabs, as the Web plug-ins are disabled on the Socks service tab. The control parameters are grouped into four sections:
| • | Security This is used to secure a network from external (Internet-based) attacks. In this section, a firewall can be configured such that static and/or dynamic packet filters can be applied. The firewall function under Proxy Server is known as packet filtering. By allowing only specified packets into the network, your server can be secured from attack. However, note that security works in two ways and can limit users to use only those ports and services that the firewall is configured to allow. Also, a domain filter can be configured to allow or disallow users access to certain sites. This keeps people from spending their day on the stock market watch or at some other site. However, if access is completely restricted to just a few sites, it can be a nightmare to keep up with when users request additional sites. Exceptions must be configured for each site. This tab is discussed in detail in Chapter 7, Access Control. |
| • | Web Plug-Ins Add-on products that may be purchased from third-party vendors, such as on-the-fly virus scanning. Further details are provided in Chapter 8, Internet and Intranet Access. |
| • | Array This tab is used to configure and control multiple proxy servers for fault tolerance, joint caching, and so forth. The use of this tab is reviewed in Chapter 9, Multiple Proxy Servers. |
| • | Auto Dialer This tab is used to configure an on-demand link to the Internet. This tab is used as an extension of the RAS service, defining user account, protocol, and schedule information. This tab is discussed in Chapter 10, RAS and Proxy Server. |
The hierarchy of the shared services is shown in Figure 6.29.
Figure 6.29: Shared proxy services you can configure from either the Web or WinSock Services tab
The Configuration proxy controls are used to define basic information that is common among all proxy services. There are four basic controls—Client Configuration, Local Address Table, Server Backup and Server Restore.
Typically, you will not perform a lot of changes in this section except when changing the network configuration. For example, if the network changed such that additional IP ranges were added, you would use this section to update the LAT. The majority of the controls, however, are less likely to be used often. Most changes are to adjust user rights, Web pages, and so forth. The shared configuration controls are intended more as an after-the-fact setup utility. The hierarchy of the shared configuration controls is reflected in Figure 6.30.
Figure 6.30: Shared configuration controls you can configure from any Service tab
The Client Installation/Configuration tab is used to configure Web and WinSock Proxy clients automatically. From this tab, an administrator can control the values assigned to proxy clients from the MSPCLNT share on the proxy server.
The WinSock client can be defined to connect to a proxy server by Name, IP address, or manually. Simply select one of these and provide the information required to define the connection.
The Web Proxy client has a more advanced configuration than its WinSock counterpart. A Web Proxy client can be configured to connect to any proxy server you define in this dialog box. From here you can use either an automatic or custom script to customize the proxy server as shown in Figure 6.31. Note that the URL is the location where a client will download an automatic configuration script.
When using the automatic configuration option, the Properties button enables an administrator to fine-tune the Web Proxy service. In the Advanced Client Configuration window you define whether a client should use a proxy server for local systems, whether to skip the proxy server on given IP addresses or domains ending in a specific suffix (subnet mask), and how backup connections should be established. These options are shown in Figure 6.32.
The local address table (LAT) is used to determine which systems are on the private network instead of the Internet. To view the LAT, open any Proxy service and click Local Address Table in the Configuration group of the Services tab. The Local Address Table Configuration screen is identical to the one you used during Proxy Server setup and is shown in Figure 6.33.
Microsoft Exam Objective: Create a LAT.
The LAT is used to define which IP addresses are used on your private network, as well as to reserve those ranges that should not be used on the Internet. From the installation, in which you clicked the Construct Table button to create the LAT, you should have the private IP address ranges 10.x.x.x, 172.16-31.x.x and 192.168.10.x already excluded. You can click the Construct Table button again to refresh these settings, including those found in the local system's routing table. To manually add or remove ranges, click the appropriate button after selecting the range.
When creating a LAT, you should never include any addresses other than those on the private network. This means that you do not add the external interface of the Proxy Server, any Internet sites, any addresses including the DNS at your ISP, and so forth. Only add an address to the LAT when it is on the local network. If creating the LAT accidentally adds a wrong address, you should remove it.
The LAT range of the private network should include all those ranges designated by the subnet mask of the system on the network. Do not just add the IP addresses of each client, but rather the entire network range. For example, if your Proxy Server had an IP address of 192.168.10.5 and a subnet mask of 255.255.255.0, you should include the range 192.168.10.0 to 192.168.10.255. Also, if your external interface was 134.57.8.2 with a mask of 255.255.255.0, you should not include any numbers from here. Adding even a range such as 134.57.8.3 to 134.57.8.255 could allow Internet users to access the intranet through the proxy server since, locally, users could connect to the external interface, but they have a number which is included in the LAT. In other words, the external interface with its subnet mask defines a range of 134.57.8.0 to 134.57.8.255, which should not be included in the LAT.
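The two rules above (add the whole subnet implied by the mask, never any part of the external interface's subnet) can be checked mechanically. The following is an added example, not part of the chapter or of Proxy Server; it uses the chapter's 192.168.10.5/255.255.255.0 and 134.57.8.2/255.255.255.0 interfaces as its constructed input.

```python
"""LAT helpers (added example; not part of Proxy Server or the chapter's text).

A LAT entry is a pair of dotted addresses (first, last). lat_entry() derives the
entry the chapter says you should add for an internal interface: the whole
subnet implied by the mask, not just the host addresses in use.
overlapping_entries() flags any entry that touches the external interface's
subnet, which the chapter warns would let Internet hosts reach the intranet
through the proxy. is_local() answers the LAT's basic question: is this address
on the private network or on the Internet?
"""
import ipaddress
from typing import List, Tuple

Range = Tuple[str, str]


def lat_entry(ip: str, mask: str) -> Range:
    """Return (network address, broadcast address) of the subnet holding ip/mask."""
    net = ipaddress.IPv4Network(f"{ip}/{mask}", strict=False)
    return (str(net.network_address), str(net.broadcast_address))


def _bounds(entry: Range) -> Tuple[int, int]:
    """Convert a (first, last) entry to integer bounds, rejecting reversed ranges."""
    lo = int(ipaddress.IPv4Address(entry[0]))
    hi = int(ipaddress.IPv4Address(entry[1]))
    if lo > hi:
        raise ValueError(f"LAT range is reversed: {entry}")
    return lo, hi


def overlapping_entries(lat: List[Range], ext_ip: str, ext_mask: str) -> List[Range]:
    """Return every LAT entry that shares at least one address with the
    external interface's subnet; a correct LAT returns an empty list."""
    ext_lo, ext_hi = _bounds(lat_entry(ext_ip, ext_mask))
    return [entry for entry in lat
            if _bounds(entry)[0] <= ext_hi and _bounds(entry)[1] >= ext_lo]


def is_local(lat: List[Range], ip: str) -> bool:
    """True when ip falls inside any LAT entry, i.e. is treated as private."""
    n = int(ipaddress.IPv4Address(ip))
    return any(lo <= n <= hi for lo, hi in map(_bounds, lat))


# Constructed input built from the chapter's two interfaces.
INTERNAL_IF = ("192.168.10.5", "255.255.255.0")
EXTERNAL_IF = ("134.57.8.2", "255.255.255.0")

GOOD_LAT = [lat_entry(*INTERNAL_IF)]
# The mistake the chapter describes: a slice of the external subnet added to the LAT.
BAD_LAT = GOOD_LAT + [("134.57.8.3", "134.57.8.255")]

if __name__ == "__main__":
    print("internal entry:", lat_entry(*INTERNAL_IF))
    print("bad entries:", overlapping_entries(BAD_LAT, *EXTERNAL_IF))
    print("192.168.10.77 local?", is_local(GOOD_LAT, "192.168.10.77"))
```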
The server backup function is used to store information about the server's installation, client configuration, and so forth. The Backup option located in the Shared Configuration section allows an administrator to make a complete backup of all server options to C:\MSP\CONFIG or another specified directory. The backup file will be called MSPyyyymmdd.MPC, where yyyy is the year, mm is the month, and dd is the day. Note that for security reasons, the backup data should be stored on an NTFS volume. An example of the administrative backup interface is shown in Figure 6.34.
Microsoft Exam Objective: Back up and restore Proxy Server configurations.
Restoring server information is just as simple as creating the backup. Simply choose the file that you would like to restore from by typing its path in the text box or select the file using the Browse function. You may restore either partial or full material. When restoring partial information, only data that's not system-specific, such as information about user permissions and arrays, will be recalled. Partial restorations are sometimes used between proxy servers to ensure that both have identical permissions. Full restores tend to be used when replacing a server or when rolling back to a previous configuration. Figure 6.35 shows the administrative restore options.
This chapter presented a general overview of the functions available in the IIS Internet Service Manager. Because most of the features of the three services that you configure with IIS Manager are covered in greater depth in other chapters, this chapter's purpose was simply to provide a basic understanding of where the various controls are located.
In the Service tab of each proxy, we essentially found miscellaneous information that could be used to describe a specific system. Information in this tab is especially useful in multi-server environments, where identification of each server is difficult. This tab is also the key point to access the shared configuration and security settings.
The user Permissions tab in all services allows an administrator to designate which users have permission to access specified protocols on a given proxy server. User rights may be granted on an individual user or group basis. Clearing the Enable Permissions box allows users to use the proxy server anonymously. In the case of Socks, a permission entry is an action (permit or deny) applied to a request on the server rather than a right granted to a user account; with Socks, users are identified by source IP address.
All services also provide a Logging tab, which offers full-featured information tracking capabilities. The log files may be generated based on size or frequency such as monthly, weekly, or daily. Proxy Server maintains management capacity by allowing its log files to be stored either as plain text or in an SQL database. Reported data may be verbose, including all available data, or in a reduced (regular) format that reports only the more commonly monitored information.
The Web Proxy Server maintains only a handful of protocols (FTP Read, HTTP, Secure, and Gopher), and there is no provision for adding other protocols. However, the WinSock Proxy contains an additional tab for specifically configuring additional protocols not in the default list. The additional protocols may be either TCP- or UDP-based, and you specify an outbound or inbound port accordingly. This tab allows the WinSock Proxy to support virtually all WinSock applications. Note that of all three proxy services, WinSock is the only one that supports UDP-based connections.
Since the Web Proxy Server contains predictable data and a limited number of protocols, which tend to be used frequently, this service maintains a cache. The caching system allows data to be accessed more quickly, giving the appearance of more bandwidth. The Cache tab allows you to balance caching types and to manipulate the cache size and location.
Finally, since all of the IIS servers (WWW, FTP, Gopher) are related in that they share a browser-compatible interface, the Web Proxy service also includes a Web Publishing tab, for publishing to the Internet.
The Security subsection is used to filter traffic for all services. Security is used to either grant or restrict access to Internet resources and to block certain types of packet traffic. Likewise, the shared configuration options control common resources, such as the LAT, across all services. These options are also used to set client settings for WinSock and Web clients as well as to back up and restore server configuration settings.
1. Explain how logs work. What is regular logging? Verbose? When should they be used?
2. Explain how filtering helps in securing a site. How can it be limiting?
3. Will Microsoft Proxy Server 1.0 integrate with IIS 4.0? Explain.
4. How do you instruct Proxy Server not to cache certain sites?
5. Explain how to change the cache after an installation. How does the cache size differ from caching (passive and active)? Where are the log files stored?
6. Without customization, how can Proxy Server be managed through HTML?
7. What operations can be performed from the Service tab of the WinSock Proxy property page?
8. What types of log files are supported?
9. Of the following, which are the default log name formats?
10. What should you do on the Logging tab in the WinSock Proxy Service Properties dialog box when trying to compile a weekly report containing the Internet IP addresses accessed by applications that use the WinSock service?
11. You need to support Microsoft SQL Server with your Proxy Server. The initial inbound port uses port 1433 and then generates an outbound port somewhere between 5000 and 32767. How should you configure the ports on your Proxy Server?
12. Your users are using the Internet to get weather and sports, and using all the bandwidth so that your Internet connections are starting to get slow. What should you do to stop users from getting sports and weather information?
13. What must you do on the Publishing tab of the Web Proxy Service Properties dialog box if you want to forward all requests from the Internet to your Web service installed on the local server network?
14. What should you do in the Advanced Cache Policy dialog box to prevent large files from being stored in the cache?
15. Your clients run only TCP/IP and connect to the Internet by way of the Web Proxy service. How do you find out what sites the users are visiting?
Erik Rozell is a Microsoft Certified Trainer (MCT) and MCSE with more than ten years of experience in internetworking and system design. He is the owner of NetPro Computer Services, specializing in LAN/WAN services and related product training.
Todd Lammle is a Microsoft Certified Trainer (MCT) with more than fifteen years of experience with LANs and WANs. He is president of GlobalNet System Solution, Inc., a network integration firm.
James Chellis, a Microsoft Certified Professional, is president of EdgeTek Technical Education, a national network training company and Microsoft Solution Provider specializing in Windows NT.
Copyright © 1998, Sybex, Inc.
We at Microsoft Corporation hope that the information in this work is valuable to you. Your use of the information contained in this work, however, is at your sole risk. All information in this work is provided "as-is", without any warranty, whether express or implied, of its accuracy, completeness, fitness for a particular purpose, title or non-infringement, and none of the third-party products or information mentioned in the work are authored, recommended, supported or guaranteed by Microsoft Corporation. Microsoft Corporation shall not be liable for any damages you may sustain by using this information, whether direct, indirect, special, incidental or consequential, even if it has been advised of the possibility of such damages. All prices for products mentioned in this document are subject to change without notice.
Copyright © 2000, Microsoft Corporation.