You are on page 1of 93

Microsoft Proxy

Server 2.0
Presentation Outline

Overview of Proxy Server.


Examples of Capacity Planning.
Web Proxy Server Configuration.
Proxy Server Auto Dial.
Overview of Proxy
Server
Overview of Proxy
Server
What is Proxy Server ?
Firewall Server.
Web Cache Server.
3 Proxy Services – Web Proxy,
WinSock Proxy, and SOCKS Proxy.
System Requirements.
What is Proxy Server ?
A secure gateway between a protected
network (LAN) and the Internet.
Mediates traffic and processes all
incoming and outgoing requests.
Application server that acts as both a
firewall server and a web cache server.
Only One IP address is “visible” to
outside world.
Proxy Server Example

One IP address
is visible. LAN
Internet
FTP Proxy
Gopher
HTTP
Traffic IIS
Win NT LAN

IP addresses are hidden.


What is a Firewall ?
System that enforces an access control
policy between two networks.
Some block traffic; others permit traffic.
Protects against unauthenticated logins
from the “outside.”
A “phone tap” and tracing tool.
Cannot protect against attacks outside
of the firewall and viruses.
Types of Firewalls
Network Level (Router).
 Decisions based on source, destination addresses
and ports in IP packets.
 Route traffic directly, fast and transparent.

Application Level (Proxy Server)


 Permit no direct traffic between networks.
 Good for logging and access control.
 Provide detailed audit report.
 Enforce more conservative security.
Proxy Server as Firewall
Server
Packet Filtering – examines all TCP/IP
based attempts in & out of the network.
 Static and Dynamic.
Logs all connection attempts & alerts in real-
time of the suspicious activities.
Reverse Proxy - Places the web server
behind Proxy Server to publish to the Web.
 “Impersonates" a Web server to the outside.
 Reverse Hosting & Server Proxying.
Reverse Proxy Example
Secure Network
www.company.com
www.company.com

Web Server

Client Internet Proxy


Mkt Dept
LAN

www.company.com
MS Proxy Server as Web
Cache Server
Web Caching – process of storing Web
content locally to reduce network traffic.
 Active and Passive.
Allow internal clients to have full Web
access behind the firewall without
compromising security.
Hierarchical Caching.
Distributed Caching.
Cache Example
Connection
to Internet
Content
Proxy Cached
Internet
Cache Hit!

50% Traffic
Saving
1st client 2nd client
Hierarchical Caching
Example
New York
Internet
Proxy
Boston Los Angeles

Proxy Proxy

Client Client Client Client


Distributed Caching
Example Load Balancing
Fault tolerance
Scalability

Internet

Proxy 1

Proxy 2

Proxy 3

Proxy 4
Client Client Client Client Client Client
WinSock, SOCKS, Web
Proxy
Protocols allow the application clients to
communicate to application servers.
Performs three functions:
 Interceptsconnection requests.
 Sets up proxy circuit.

 Relays application data.


WinSock & SOCKS
Proxy
WinSock Proxy.
 For Window application.
 Creating virtual connection between Internal and
Internet application.
 Acts as gateway protocol for IPX/SPX.

SOCKS Proxy.
 Allows Unix, Mac and Window client application
that support SOCKS protocol specification.
 Handles all TCP/IP traffic through the proxy
server.
 Cannot Handle UDP based protocols.
Web Proxy
Web Proxy
 Supports any CERN web browser.
 Supports HTTP, FTP, SSL and Gopher
protocol.
 Enables its caching capabilities.
System Requirements
WinNT Server 4.0 with service pack 3 or later.
IIS – Internet Information Server.
Network interface card.
CPU and disk space:
 Intel based: 486/33MHz or higher & 125MB.
 RISC based: RISC processor compatible with
WinNT 4.0 & 160MB.
16MB of RAM.
Examples of Capacity
Planning
Examples of Capacity
Planning
Small Office Network.
Medium-Size Office Network with a
Branch Office.
Large Enterprise Network.
Example of Small Office
Network

ISP
Interne
t Modem or ISDN line

Content
Proxy Server
Cached
(Win NT RAS client)
LAN

Web Server Mail Server Client Client Client


Small Office Network
Characteristic:
 A single LAN segment.
 Use of the IP network protocol.
 Demand-dial connectivity to an ISP.
 Fewer than 300 clients.
The proxy-based computers set up:
 One NIC to the internal network.
 One modem to the external network (Internet).
Uses Auto Dial for demand-dialing to Internet.
Caching is enabled and configured to limit the
demand-dialing to the Internet.
Small Office Network
Cont . . .
Stores a local copy of popular URLs in
dedicated disk drive.
Uses a single network security policy.
 Password authentication.
 User permissions.
 Protocol definitions.
 Domain, cache and packet filtering.
Example of Branch
Office Network
Router on
Internet ISP T1 line

Proxy
Server
Web Server Mail Server
Array
LAN
Router Modem or ISDN Line
Proxy server
Web Server (Win NT
RAS client)
Web Server

Clients Clients
(Department LAN) Remote Branch Office
Branch Office Network
Characteristic . . .
 A central office with several LAN segments.
 A branch office with a single LAN segment.
 Use of the IP network protocol.
 Demand-dial connectivity from the branch office to the
central office.
 Dedicated-link connectivity from the central office to an
ISP.
 Fewer than 2,000 clients.
Auto Dial feature provides demand-dialing
from remote office to central office.
Branch Office Network
Cont . . .
Proxy-based computer set up at branch:
 One NIC to the local network (branch).
 One modem to remote network at the central office.
Caching is enabled to minimize demand-dialing
to central office and to reduce long-distance
phone charge.
Active caching should not be used at remote
branch.
Branch Office Network
Cont . . .
Global Security policy:
 Administrated at central office.
 Central office can also set and override local policy.
Remote branch proxy has no direct Internet
access.
All clients requests are routed upstream to
the proxy array at central office.
Example of Large
Enterprise Network
Internet Router
ISP Proxy Server
Array

Router on T1 line
Corporate
Network Proxy Server
Mail Server Web Server Array

LAN
Router Web Server Router
Web Server

Clients Clients
Department LAN Department LAN
Large Enterprise Network
Characteristic . . .
 A central corporate office with many LAN
segments and a backbone LAN.
 Several branch offices, each with a single LAN
segment
 Use of both IP and IPX network protocols.
 Demand-dial connectivity from the branch office to
the central office.
 An ISP & Dedicated-link connectivity from the
central office to an ISP.
 More than 2,000 clients.
Large Enterprise Network
Cont . . .
Proxy array is used for:
 Distributed caching.
 Load balancing.
 Fault tolerance.

Proxy array handles all client Internet


requests (locally or branch).
Active caching to retrieve popular URLs.
Large Enterprise Network
Cont . . .
Uses single array member to administration all other
proxy.
Proxy array is used on the backbone LAN.
Is used at ISP to demonstrate scalability.
Local branch clients use Auto Dial for demand-dialing to
RAS server.
Internet requests not serviced locally are forwarded to
corporate proxy array.
Server administration is set and enforced at the central
office.
Large Enterprise Network
Cont . . .
Departmental proxy connection:
 One NIC to departmental LAN.
 One NIC to backbone LAN.
Proxy array at backbone is dual-homed.
 Internal NIC.
 External NIC to Internet.
Proxy array at ISP:
 Massive scalability, load-balancing, and fault-tolerance.
 Can cache massive amount of information.
 Increases client performance.
 Preserves ISP’s bandwidth out to the Internet
backbone.
Web Proxy Server
Configuration
Proxy server configuration
Uses Internet Service Manager.
General Proxy.
 Service page.
 Logging page.

Service Specific Proxy.


 Permission page.
 Caching page.

 Routing page.

 Publishing page.
Service Page Notes
Product release and ID.
Current sessions – current user info.
Shared service:
 Security – packet, domain filtering, alerting
and logging.
 Array, Auto Dial, and Plug & play.

Configuration:
 Clientconfiguration, LAT, server backup
and restore.
Service Page
Current Sessions
Client Installation
Logging Page Notes
Sets logging options for web proxy, WinSock
proxy, and SOCKS proxy.
Provides auditing trail.
Records client, server, connection, and object
information.
Can log to text file or SQL/ODBC database.
 Database file requires more resources.
Logging Page
Permissions Page Notes
Grant or deny access to services.
Can provide unlimited access to an
individual user group.
Permission based on protocol via
protocol definition.
 For example:
 FTP.

 FTP Read.
Permission Page
Caching Page Notes
Sets location and size of the disk
cache.
Enable or disable caching.
Can specify how often to update cache.
Increase cache size does not effect the
data already cached.
Delete all cached content by setting
cache size to zero.
Caching Page
Routing Page Notes
Information on directing client requests
for Internet objects.
Direct connection or use proxy.
Can enable backup route.
Can enable routing within proxy array
before routing upstream.
Can also configure web proxy clients.
Routing Page
Publishing Page Notes
Configures publishing requests.
Configures Reverse proxy and hosting.
Incoming requests:
 Discard.
 Sent to local web server.
 Sent to another web server.

Set default web server host by Default


Mapping.
Publishing Page
Proxy Server AutoDial
What is AutoDial?
Proxy server automatically dial out to an ISP for
Internet connection.
Uses Windows NT Server Remote Access Service
(RAS) and Dial up Networking to establish a
connection to an ISP.
Event-driven
 Client requests can activate Auto Dial from the
WinSock and SOCKS Proxy Service.
 Web Proxy Service is activated when an object
requested is not located in the cache.
Auto Dial Benefits
Can save company Internet charges
 Event-Driven - activated only when Internet connection
is needed.
 Regulate Usage - configured to connect to the Internet
during office hours only.
Can be used as backup to an existing
continuous Internet links.
 only cost of configuring Auto Dial as continuous Internet
connection are the hardware & the online time when a
continuous Internet link is down.
Steps to Configuring
Auto Dial
Install Window NT Server Remote Access
Service (RAS) and Dial-up Network before
implementing Proxy Server Auto Dial.
 For security reasons, install RAS Server on
separate computer of the Proxy Server computer.
RAS and Dial-up Networking can be installed
after or before the installation of Window NT
Server 4.0.
Remote Access Service
Remote Access Service can be
configured in Auto Dial as an:
 RAS Client - to dial out only.
 RAS Server - can be both dial out and
receive calls or just receive calls only.
 RAS Server requires a high level of
security on you Intranet.
Dial-up Networking
Used to connect client to remote
networks.
A phonebook entry stores all the setting
needed to connect to a particular
remote network.
 Personal phonebook.
 Company phonebook (public use).
Phonebook Entry Includes
Name of phonebook entry.
Connection method.
Phone number.
Serial line protocol offered by the server you
are calling.
Whether or not to include a login script
IP address.
IP address of a DNS or WIN Server on the
remote network or both.
Netscape Proxy Server
3.25
Course Outline
General Overview.
Implementation.
Configuration.
Features

Caching on command.
Client IP address forwarding.
Automatic content discovery
 Dynamic proxy routing.
Enterprise Management.
Fine Grained Filtering.
Administrative Control.
Caching on Command
Automatically update and caches
frequently accessed documents.
Documents or entire sites can be
preloaded into the cache, and
administrators can schedule updates of
cached content.
Client IP Address
Forwarding
Sends clients IP address to remote
server if the Proxy is one of a chain of
internal proxies.
Enterprise
Management
Centralize Management.
 Support LDAP.
 Uses Directory Server to manage users and
password centrally.
Clustered Management.
Manual Configuration Files.
Custom log formats.
Fine Grained Filtering
Access controls for sites, documents,
and protocols.
Content filtering - built-in virus scanning.
Cross - platform generic protocol
support.
Administrative Control
Ensures that users access network
resources safely and productively.
Can specify distinct access controls based
on access type.
Allows administrators to create custom
HTML files to be returned to users when
access is denied.
Netscape Proxy Server
Implementation
Bottleneck locations for implementing
Proxy Server.
 Internet Gateway—Forward Proxy.
 Branch Office—Forward Proxy.

 Internet Gateway—Reverse Proxy.


Internet Gateway - Forward
Proxy
Provides gateway services at the application level
with a web proxy as well as at the circuit level
through SOCKS.
Enhances Internet access.
Web content caching reduces response times.
Facilitates bandwidth conservation.
Helps reduce overall communications expense.
Content filtering and access control allows easy
management of intranet material.
Proxy Server inside
firewall
PC

Interne Proxy LAN PC


t

PC
Firewall
Branch Office—Forward
Proxy
Multiple proxy server allows chaining
proxies together to create a hierarchical
caching system
Proxy chaining allows multiple
Netscape Proxy Servers to cache
content locally setting up a hierarchy of
servers for client access.
Proxy Server at Remote and
Internet

Interne Proxy Backbone


t

Proxy
Firewall
LAN PC
Internet Gateway—
Reverse Proxy
Proxy Server is placed outside firewall to
represent a content server to external clients.
Expose selected content without exposing
web servers that host it or other elements of
private network.
Multiple reverse proxy servers can be used to
balance the load on an over-taxed web
server.
Reverse Proxy Server
PC

Interne Reverse Web


Proxy LAN PC
t Server

Firewall PC
Architecture
Dual-Homed Reverse Proxy
Host Server Stand-in
Architecture Load Balancing
Screened Host

Screened
Subnetwork
Dual-Homed Host
Architecture
Has two network interfaces, one
connected to an internal LAN and the
other to the Internet.
Incorporates a firewall software
package.
Provides caching, fine-grain filtering and
virus scanning.
Proxy Server with a Dual-Homed
Host Firewall
LAN

Internet Client

Proxy Server Client


& Firewall
Screened Host
Consists of a router deployed in front of a
server that is hosted on a private network.
Router can be traditional hardware router or
firewall software application providing packet-
filtering capabilities and restricting inbound
access to internal network.
Appropriate for small to medium-sized
intranets that require a simple, yet effective
security solution.
Proxy Server implemented
behind a screening router
LAN

Client

Interne
t
Router Client
Proxy
Server
Proxy Server Implemented
Behind a Screening Firewall
LAN

Client
Interne
t

Client
Firewall Proxy
Software Server
Router
Screened Sub-network
Consists of multiple routers sandwiching a
non-secure network that is outside or part of
the firewall solution.
Commonly referred to as a DMZ
(demilitarized zone). Proxy is deployed in
DMZ and is allowed access to both internal
and external networks through routers.
Popular architecture choice for larger
organizations with heavily trafficked
gateways.
Proxy Server in Reverse Mode as
a Stand-in for a Web Server

Client

Interne
t

Proxy Firewall Enterprise


Server Server
Multiple Proxy Server in Reverse
Mode to Balance the Load on a
Web Server

Interne
t
Firewall
DNS Server Enterprise
Server
Reverse
Proxies
Possible enterprise
implementation
Bottlenecks Central Office LAN BRANCH LAN
OFFICE
Subnet
Client Client

Interne Client Client


t Router Router
Proxy
Server
Router Router Proxy
Server
Chained Proxy Servers Providing
Load Balancing and Fail-Over
Capabilities
Proxy 1 LAN
LAN

Client Client
Proxy 2
Interne
t
Client
Client
Proxies Proxy 3

Proxy A
Router Router
Configuration
Automatic Client Configuration.
Caching.
Templates.
Filtering.
Server Plug-in Functions.
Automatic Client
Configuration
Enables automatic proxy configuration in
Navigator clients on intranet.
Administered by a Proxy Automatic
Configuration (PAC) file.
PAC allows load balancing across multiple
proxy servers and alteration of proxy
architecture without modifying end user
settings.
Caching
Caches should be approximately 1 GB
per partition and spread across multiple
disk controllers.
Refer to Administrator’s Guide for in-
depth instructions on creating batch
update configurations.
Templates
An object created in Proxy Server’s object
configuration file, obj.conf.
Used to assign unique procedures to
specific URLs.
Can make the server behave differently
depending on the URL the client tries to
retrieve.
Allows customization of how Proxy Server
interacts with clients.
Server Plug-in Functions
Extends capabilities of proxy by using
Netscape Server Plug-in Application
Programming Interface, NSAPI.
Set of functions and header files use to create
functions in the server configuration files.
 AuthTrans, PathCheck, NameTrans,DNS, Connect,
Addlog.
Use to create functions that uses a custom
database for access control or create custom
log files with special entries.
Maintenance/Upgrade
Maintenance
 Tuning the Servers
 Monitoring the Servers

Upgrade
 Growth Issues
 Licenses

 Software Updates
Tuning Servers
Time-outs.
Up-To-Date Checks.
DNS Lookups:
 Enable DNS Caching.
 Log Only Client IP Addresses.
 Disable Reverse DNS.
 Avoid ACLs with Client Host Names.

HTTP Keep-Alive.
Monitoring Servers
Analyzing Logs.
Monitoring Performance:
 CacheUtilization.
 CPU Utilization.

 Memory Utilization.
Upgrade
Growth Issues
 Isproxy services strategic for business?
 Network bandwidth saturated?

 CPU utilization too high?

 Has a new field office been opened or a


department added
 Has access content type been changed?
Upgrade (cont)
Licenses
Proxy User Licenses Proxy Servers
Purchased Deployed
1000 1
2000 2
3000 3
4000 4
Upgrade (cont)
Software Updates
 Refer to the Netscape Software Download
Site.
 Netscape Proxy Server provides on-the-fly
virus scanning of all incoming data, using
the Trend Micro’s InterScan VirusWall
Purchase of Proxy Server give you 90 days
of free virus pattern updates.
END OF COURSE

You might also like