Contents
Overview 1
Designing a Functional Proxy Server Solution 7
Securing a Proxy Server Solution 15
Enhancing a Proxy Server Design for Availability
Complying with all applicable copyright laws is the responsibility of the user. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Microsoft Corporation. If, however, your only means of access is electronic, permission to print one copy is hereby granted.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
© 2000 Microsoft Corporation. All rights reserved.
Microsoft, Active Directory, ActiveX, BackOffice, FrontPage, JScript, MS-DOS, NetMeeting, PowerPoint, Visual Basic, Visual C++, Visual Studio, Win32, Windows, Windows Media, and Windows NT are either registered trademarks or trademarks of Microsoft Corporation in the U.S.A. and/or other countries/regions.
Project Lead: Don Thompson (Volt Technical)
Instructional Designers: Patrice Lewis (S&T OnSite), Renu Bhatt NIIT (USA) Inc
Instructional Design Consultants: Paul Howard, Susan Greenberg
Program Managers: Jack Creasey, Doug Steen (Independent Contractor)
Technical Contributors: Thomas Lee, Bernie Kilshaw, Joe Davies
Graphic Artist: Kirsten Larson (S&T OnSite)
Editing Manager: Lynette Skinner
Editor: Kristen Heller (Wasser)
Copy Editor: Kaarin Dolliver (S&T Consulting)
Online Program Manager: Debbi Conger
Online Publications Manager: Arlo Emerson (Aditi)
Online Support: Eric Brandt (S&T Consulting)
Multimedia Development: Kelly Renner (Entex)
Test Leads: Sid Benevente, Keith Cotton
Test Developer: Greg Stemp (S&T OnSite)
Production Support: Lori Walker (S&T Consulting)
Manufacturing Manager: Rick Terek (S&T OnSite)
Manufacturing Support: Laura King (S&T OnSite)
Lead Product Manager, Development Services: Bo Galford
Lead Product Manager: Ken Rosen
Group Product Manager: Robert Stewart
Other product and company names mentioned herein may be the trademarks of their respective owners.
Instructor Notes
This module provides students with the information and experiences needed to evaluate and design Internet connectivity solutions by using Microsoft Proxy Server 2.0 (Proxy Server) in a Microsoft® Windows® 2000 network infrastructure. Proxy Server is a separately purchased family of services that runs on Windows 2000. Proxy Server connects private networks to the Internet while protecting private network resources.
At the end of this module, students will be able to:
Evaluate Proxy Server as a solution for Internet connectivity.
Evaluate and create a functional Proxy Server Internet connectivity solution.
Select appropriate strategies to secure a Proxy Server solution.
Select appropriate strategies to enhance Proxy Server availability.
Select appropriate strategies to improve Proxy Server performance.
On completion of the lab, students will be able to evaluate and design Proxy Server solutions to support the Internet connectivity requirements of an organization.
Course Materials and Preparation
This section provides you with the materials and preparation needed to teach this module.
Required Materials
To teach this module, you need the following materials:
Microsoft PowerPoint® file 1562B_07.ppt
Preparation Tasks
To prepare for this module, you should:
Review the contents of this module.
Module Strategy
Use the following strategy to present this module:
Introducing Proxy Server
Proxy Server provides Internet access to users on a private network while protecting the network's resources.
In this section:
• Explain that Proxy Server is not included with Microsoft Windows 2000 but runs on a Microsoft Windows 2000–based server. Throughout the module, Proxy Server with initial capitalization is used to indicate the Microsoft Proxy Server 2.0 product. When proxy server appears without initial capitalization, it indicates a computer that is providing proxy services.
• Emphasize that the design requirements for a Proxy Server solution include the security requirements, network configuration, number of Internet-exposed resources, and number of locations.
• Emphasize that Proxy Server works in routed or non-routed environments, restricts access to the Internet on a user-by-user basis, and restricts access to private network resources on a resource-by-resource basis.
• Point out that Proxy Server integrates with other networking services to take advantage of their features.
Designing a Functional Proxy Server Solution
The solution provided by Proxy Server is based on the requirements for Internet Protocol (IP) addresses and Internet connectivity.
In this section:
• Explain that the required public IP addresses are obtained from an Internet service provider (ISP) or Internet registry, that the private address ranges are chosen by the organization, and that both are then assigned to the appropriate interfaces and devices.
• Describe how to determine the appropriate interface and select the appropriate connection.
• Explain that the private network address ranges are specified and the appropriate software is selected to connect the private network computers to the Proxy Server.
• Make sure students understand the illustration, scenario description, and directions for the Discussion. Direct them to read through the scenario and answer the questions. Be prepared to clarify if necessary. Lead a class discussion on the students' responses.
Securing a Proxy Server Solution
Isolating the private network from the Internet and restricting traffic between the private network and the Internet enhance the security of a Proxy Server solution.
• Explain that access to Internet resources can be restricted on a user-by-user basis, with users defined in the Active Directory™ directory service or as local user accounts on member servers.
• Emphasize that screened subnets are used to keep traffic from passing through the proxy server into the private network. The required number of screened subnets is based on the organization's security requirements.
• Emphasize that to ensure a secure network, no traffic may pass between the private network and the Internet except through the proxy server. Explain the use of Proxy Server packet filters to discard traffic that would otherwise pass between the private network and the Internet.
• Describe the use of Proxy Server domain filters to restrict private network traffic to Internet resources.
• Point out that inbound traffic is restricted by enabling access only to those Hypertext Transfer Protocol (HTTP) or File Transfer Protocol (FTP) servers in the private network that are published with Proxy Server Web Publishing.
Enhancing a Proxy Server Design for Availability
The availability of the Proxy Server solution can be enhanced for both outbound and inbound client requests.
• Emphasize that distributing IP traffic across multiple Proxy Servers by using round robin DNS entries, proxy arrays, or Network Load Balancing improves both the availability and the performance of the Proxy Server solution.
• Make sure students understand the illustration, scenario description, and directions for the Discussion. Direct them to read through the scenario and answer the questions. Be prepared to clarify if necessary. Lead a class discussion on the students' responses.
Lab Strategy
Use the following strategy to present this lab.
Lab A: Designing a Proxy Server Solution
In the lab, students will design a Proxy Server solution based on specific requirements outlined in the given scenario.
Students will review the scenario and the design requirements and read any supporting materials. They will use this information, and the knowledge gained from the module, to develop a detailed design by using Proxy Server as a solution.
To conduct the lab:
Read through the lab carefully, paying close attention to the instructions and to the details of the scenario.
Divide the class into four teams and assign each team one section (either the Regional Reservations Center or one of the types of airports) of the lab exercise.
Present the lab, and make sure students understand the instructions and the purpose of the lab.
Direct students to use the Design Worksheet to record their solutions.
Remind students to consider any functionality, security, availability, and performance criteria provided in the scenario, and how they will incorporate strategies to meet these criteria in their design.
Allow some time to discuss the solutions after the lab is completed. A solution is provided in your materials to assist you in reviewing the lab results. Encourage students to critique each other's solutions and to discuss any ideas for improving their designs.
Overview
Introducing Proxy Server
Designing a Functional Proxy Server Solution
Securing a Proxy Server Solution
Enhancing a Proxy Server Design for Availability
Organizations connect to the Internet to provide Internet access to users on the private network, and to allow users on the Internet access to private network resources. The Internet connectivity solution must prevent unauthorized users from accessing private network resources.
Microsoft Proxy Server 2.0 (Proxy Server) provides solutions to Internet connectivity requirements for Microsoft® Windows® 2000 networks. Proxy Server is a group of services that is not included with Windows 2000 but runs on Windows 2000.
At the end of this module, you will be able to:
Evaluate Proxy Server as a solution for Internet connectivity.
Evaluate and design a functional Proxy Server solution for baseline Internet connectivity.
Select appropriate strategies to secure a Proxy Server solution.
Select appropriate strategies to enhance Proxy Server availability.
Select appropriate strategies to improve Internet connectivity performance.
Throughout the module, Proxy Server with initial capitalization is used to indicate the Microsoft Proxy Server 2.0 product. When proxy server appears without initial capitalization, it indicates a computer that is providing proxy services.
Note: In this module, you will evaluate and create Internet connectivity solutions by using Microsoft Proxy Server 2.0. Point out that, throughout the module, Proxy Server with initial capitalization is used to indicate the Microsoft Proxy Server 2.0 product, and that proxy server without initial capitalization indicates a computer that is providing proxy services.
Introducing Proxy Server
Design Decisions for a Proxy Server Solution
Features of Proxy Server
Integration Benefits
Proxy Server connects private networks to the Internet, while also protecting private network resources from unauthorized users. Proxy Server supports the essential requirements for any Internet connectivity design, and provides additional features to enhance the security, availability, and performance of the Internet connectivity solution.
To design an Internet connectivity solution based on Proxy Server, you must:
Identify the design decisions that influence a Proxy Server solution.
Identify how the features provided by Proxy Server support the design requirements for Internet connectivity.
Identify the benefits provided by integrating Proxy Server with other services in Windows 2000.
Slide Objective: To identify Proxy Server as a solution for Internet connectivity in a Windows 2000 network infrastructure.
Lead-in: Proxy Server connects private networks to the Internet, while also preventing unauthorized access to private network resources.
Design Decisions for a Proxy Server Solution
(Slide diagram: Internet, Proxy Server, Private Network; question on the diagram: Secure Internet and Private Network Access Required?)
By using Proxy Server, your design decisions for an Internet connectivity solution must be based on the security requirements, the network configuration, the number of Internet-exposed resources, and the number of geographically distributed locations of the organization. Proxy Server is an appropriate solution for Internet connectivity if:
Internet and private network access is restricted on a user-by-user basis or on a resource-by-resource basis.
The private network is in a routed or nonrouted environment.
A number of private network resources need to be shared with Internet-based users.
The private network encompasses multiple geographic locations.
Slide Objective: To introduce the factors that influence the development of a Proxy Server solution.
Lead-in: By using Proxy Server, you can design an Internet connectivity solution based on the security requirements of the private network, and the Internet connectivity requirements of the organization.
Refer to the questions on the diagram to identify the information required for making design decisions for a Proxy Server solution.
Features of Proxy Server
Isolate the Private Network
Restrict Internet and Private Network Traffic
Integrate Into Existing Networks
(Slide diagram: Internet, Screened Subnet A, Proxy Server, Private Network, Screened Subnet B)
To incorporate Proxy Server into your network design, you need to identify how the features of Proxy Server support the Internet connectivity requirements.
Isolating the Private Network
Proxy Server enhances the security of an organization by isolating the private network from the Internet, and acting as an intermediary in the exchange of traffic between the Internet and the private network. With the private network isolated, you can reduce the number of required public addresses by selecting a private addressing scheme.
Restricting Internet and Private Network Traffic
Proxy Server allows you to restrict the traffic between the Internet and the private network so that you can limit the access of private network users to Internet-based resources, and limit the access of Internet users to private network resources.
You can use Proxy Server to restrict the traffic between the Internet and the private network by:
Granting Internet access only to authorized users.
Establishing packet filters that forward or discard Internet Protocol (IP) packets based on the IP address and protocol number.
Intercepting inbound Uniform Resource Locator (URL) requests and determining whether each request is to be forwarded to a private network resource or discarded.
Using screened subnets to provide the required level of network security.
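The packet filters listed above (forward or discard by address and protocol number) and the outbound domain filters that the Securing a Proxy Server Solution section lists later are modelled together in the following Python example. It is an added illustration written for this page, not code from the Microsoft course or from the Proxy Server product: the rule fields, the first-match-wins and default-discard evaluation order, the sample rule set, the sample packets and the sample domain filter are all constructed assumptions.

```python
"""Model of Proxy Server-style IP packet filters and domain filters.

Added example, not from the course or the product. The rule layout,
the evaluation order (first match wins, otherwise discard) and the
sample data are assumptions made for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# IANA protocol numbers: packet filters match on these, not on application names.
PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17


@dataclass(frozen=True)
class PacketFilter:
    action: str              # "forward" or "discard"
    direction: str           # "inbound" or "outbound", relative to the external interface
    protocol: Optional[int]  # IANA protocol number; None matches any protocol
    remote: str              # remote host or network (CIDR); "0.0.0.0/0" matches any
    port: Optional[int]      # local port for inbound, remote port for outbound; None = any


def evaluate_packet(filters, direction, protocol, remote_ip, port=None):
    """Return the action for one packet: the first matching filter wins,
    and a packet that matches no filter is discarded (default deny)."""
    addr = ip_address(remote_ip)
    for f in filters:
        if f.direction != direction:
            continue
        if f.protocol is not None and f.protocol != protocol:
            continue
        if addr not in ip_network(f.remote, strict=False):
            continue
        if f.port is not None and f.port != port:
            continue
        return f.action
    return "discard"


@dataclass(frozen=True)
class DomainFilter:
    grant_by_default: bool    # True: grant all except listed; False: deny all except listed
    entries: Tuple[str, ...]  # domain names (suffix match) or addresses/networks in CIDR form


def _entry_matches(entry, host):
    host = host.lower().rstrip(".")
    try:  # an address entry only matches a client that connected by IP literal
        return ip_address(host) in ip_network(entry, strict=False)
    except ValueError:
        pass  # one side is a name, so fall through to name matching
    entry = entry.lower().lstrip("*.")
    return host == entry or host.endswith("." + entry)


def domain_allowed(dfilter, host):
    """True if an outbound request to `host` (a name or an IP literal) is permitted."""
    listed = any(_entry_matches(e, host) for e in dfilter.entries)
    return (not listed) if dfilter.grant_by_default else listed


# Constructed sample rule set: outbound TCP and outbound DNS are allowed; the
# only inbound traffic accepted is TCP to port 80 (a published web server).
FILTERS = (
    PacketFilter("forward", "outbound", PROTO_TCP, "0.0.0.0/0", None),
    PacketFilter("forward", "outbound", PROTO_UDP, "0.0.0.0/0", 53),
    PacketFilter("forward", "inbound", PROTO_TCP, "0.0.0.0/0", 80),
)

# Constructed sample packets (direction, protocol, remote address, port); not captured traffic.
SAMPLE_PACKETS = (
    ("inbound", PROTO_TCP, "198.51.100.23", 80),     # request to the published web server
    ("inbound", PROTO_TCP, "198.51.100.23", 139),    # NetBIOS session probe from the Internet
    ("inbound", PROTO_ICMP, "198.51.100.23", None),  # ping sweep
    ("outbound", PROTO_UDP, "203.0.113.9", 53),      # the proxy resolving a name
)

# Constructed domain filter: grant everything except one domain and one network.
DOMAIN_FILTER = DomainFilter(True, ("*.example.net", "192.0.2.0/24"))


def decide_all(filters=FILTERS, packets=SAMPLE_PACKETS):
    """Evaluate every sample packet; returns the list of actions in order."""
    return [evaluate_packet(filters, *p) for p in packets]


if __name__ == "__main__":
    for pkt, action in zip(SAMPLE_PACKETS, decide_all()):
        print(f"{action:8} {pkt}")
    for h in ("www.example.com", "mail.example.net", "192.0.2.7"):
        print(f"{'grant' if domain_allowed(DOMAIN_FILTER, h) else 'deny':8} {h}")
```

Two points the code makes that the list does not: rule order matters, because a permissive "forward any" rule placed first shadows every rule after it; and a client that requests a site by IP literal is not caught by a name-only domain filter entry, which is why the sample filter lists the address range as well as the domain name.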
Slide Objective: To introduce the features of Proxy Server.
Lead-in: To incorporate Proxy Server into your solution, you need to identify how the features of Proxy Server support an organization's Internet connectivity requirements.
Caching FTP and HTTP Requests
Proxy Server intercepts File Transfer Protocol (FTP) and Hypertext Transfer Protocol (HTTP) Internet requests for Web objects and saves the retrieved Web objects in a local cache. When private network users request Internet-based resources, Proxy Server checks the local cache to see whether the requested object is stored there. If the object is found in the local cache, it is returned from the cache and no Internet request is necessary.
Integrating into Existing Networks
If integrated into existing networks, Proxy Server:
Supports both Windows Sockets (WinSock) and non-WinSock clients on a variety of client operating systems.
Supports integration with the Active Directory™ directory service accounts in Windows 2000 to provide single logon access for users on Windows-based computers.
Supports IP and Internetwork Packet Exchange/Sequenced Packet Exchange (IPX/SPX) protocols on private networks so that IP and IPX/SPX-based clients can access the Internet through Proxy Server.
Integration Benefits
(Slide diagram: Proxy Server integrating with Active Directory for user account authentication, with IPSec for authentication and IPSec tunnels, and with Routing and Remote Access for demand-dial connections, IP filters, and VPN tunnels)
Proxy Server integrates with other networking services to take advantage of their features. The integration of these features requires you to include additional technologies (such as virtual private network (VPN) tunnels that are used for authentication and data encryption) in the design.
The following table describes the benefits of integrating Proxy Server with other networking services.
Proxy Server integrates with: Internet Protocol Security (IPSec)
To: Authenticate the proxy servers at each location and encrypt the data transmitted between locations over public networks.
Proxy Server integrates with: Routing and Remote Access
To: Provide support for nonpersistent connections by using specified demand-dial connections. Reduce undesired traffic by using specified IP filters.
Proxy Server integrates with: Active Directory
To: Provide Kerberos version 5 protocol authentication and user accounts so that authentication occurs when specified.
Slide Objective: To describe the benefits of integrating Proxy Server with other networking services.
Lead-in: Proxy Server integrates with other networking services such as IPSec and Active Directory.
Point out that because Proxy Server is running on
Designing a Functional Proxy Server Solution
Placing Proxy Server Within a Network
Integrating Proxy Server into the Existing Network
Discussion: Designing a Proxy Server Solution
There are a few essential decisions that you need to make for an Internet connectivity solution, so that you can derive the specifications for the Proxy Server design. After these essential decisions are established, you can optimize the Internet connectivity solution by adding security, availability, and performance enhancements to your design.
The essential decisions for your Proxy Server design include:
Where to place Proxy Server within a network so that network traffic is localized without compromising security.
Which IP address, persistence, data rate, and security characteristics of each proxy server interface affect the integration of the proxy server into the existing network.
How the private network clients will access the proxy server, and the software that the clients will use to access the proxy server.
Slide Objective: To provide an overview of the decisions involved in creating a functional Internet connectivity Proxy Server solution.
Lead-in: To design an Internet connectivity solution by using Proxy Server, you must establish the essential requirements for Internet connectivity.
Placing Proxy Server Within a Network
Proxy Server Within the Private Network
Proxy Server at the Edge of the Private Network
(Slide diagram: Internet, Web Server, three Proxy Servers, a Demand-Dial link, two Screened Subnets, a Central Office, and two Branch Offices)
You must place Proxy Server between network segments so that network traffic is localized and security is maintained. To improve performance, you can place Proxy Server so that Web objects are cached for an entire organization, a location within an organization, or a network segment within an organization.
Proxy Server Within the Private Network
Place Proxy Server within the private network so that:
Web objects are cached for network segments within an organization to reduce private network traffic.
Screened subnets are created within the private network, thereby protecting confidential data.
Network packets can be exchanged between dissimilar network segments, such as between an Ethernet network segment and an asynchronous transfer mode (ATM) network segment.
Proxy Server at the Edge of the Private Network
Place Proxy Server at the edge of the private network so that:
Users on the private network can access the Internet.
Web objects are cached for the entire organization.
The private network is isolated from the public network, thereby protecting confidential data.
Network packets can be exchanged between private network segments and public network segments, such as between an Ethernet private network segment and an Integrated Services Digital Network (ISDN) public network segment.
Slide Objective: To introduce the decisions involved in the placement of Proxy Server within a network.
Lead-in: You need to place Proxy Server between network segments so that network traffic is localized and security is maintained.
Delivery Tip: Use the diagram to show the placement of Proxy Server in the network.
Integrating Proxy Server into the Existing Network
Interface Data Rate and the Persistence
(Slide diagram: Internet, Web Server, three Proxy Servers, a Demand-Dial link, two Screened Subnets, a Central Office, and two Branch Offices)
Depending on the size of the network, your network design can include a number of proxy servers. Each proxy server in the network design must have at least one interface, although most proxy servers have more than one. For each proxy server interface, you must describe the interface characteristics so that the proxy server can be integrated into the existing network.
Note: Specify one interface in the proxy server if the design requires only Proxy Server caching or if Proxy Server provides IPX to Transmission Control Protocol/Internet Protocol (TCP/IP) translation. A proxy server with a single interface does not isolate the private network from the Internet; use two or more interfaces whenever isolation is a requirement.
Selecting the Interface Address and Subnet Mask
When selecting the proxy server interface address and subnet mask, remember that:
Each proxy server interface requires an IP address and subnet mask.
The IP address assigned to the proxy server interface must be within the range of addresses assigned to the network segment that is directly connected to the interface.
The subnet mask assigned to the proxy server interface must match the subnet mask assigned to the network segment that is directly connected to the interface.
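The two address rules above can be checked mechanically before the servers are built. The following Python example is added here and is not from the course: it takes a planned set of interfaces (constructed sample values, not a real deployment), verifies that each address lies inside its segment with an identical mask, and also flags two further mistakes the rules imply but do not state: an interface given the segment's network or broadcast address, and two interfaces of one server attached to overlapping segments.

```python
"""Consistency check for planned proxy server interface addresses.

Added example, not part of the course. Interface names, addresses and
segments are constructed sample values used only to exercise the checks.
"""
from ipaddress import IPv4Interface, IPv4Network

# Planned design: interface name -> (address/mask as it would be configured,
# the network segment the interface is directly connected to).
PLANNED = {
    "private":    ("10.1.0.1/16",     "10.1.0.0/16"),
    "screened":   ("172.16.5.1/24",   "172.16.5.0/24"),
    "external":   ("203.0.113.10/29", "203.0.113.8/29"),
    "branch-wan": ("10.2.0.1/24",     "10.2.0.0/16"),    # mask narrower than the segment
    "dmz-typo":   ("172.16.7.1/24",   "172.16.6.0/24"),  # address typed into the wrong subnet
}


def check_interface(address_with_mask, segment):
    """Return the list of problems for one interface (an empty list means consistent)."""
    iface = IPv4Interface(address_with_mask)
    seg = IPv4Network(segment)
    problems = []
    if iface.ip not in seg:
        problems.append(f"{iface.ip} is not within segment {seg}")
    if iface.network.netmask != seg.netmask:
        problems.append(f"mask {iface.network.netmask} does not match segment mask {seg.netmask}")
    if iface.ip in (seg.network_address, seg.broadcast_address):
        problems.append(f"{iface.ip} is the network or broadcast address of {seg}")
    return problems


def check_design(planned=PLANNED):
    """Check every interface, then flag segments that overlap across interfaces:
    two interfaces of one proxy server must not attach to overlapping segments,
    or the server cannot tell which side a destination address is on."""
    report = {name: check_interface(addr, seg) for name, (addr, seg) in planned.items()}
    names = list(planned)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if IPv4Network(planned[a][1]).overlaps(IPv4Network(planned[b][1])):
                report[a].append(f"segment {planned[a][1]} overlaps segment of interface {b}")
    return report


if __name__ == "__main__":
    for name, problems in check_design().items():
        print(f"{name}: {'ok' if not problems else '; '.join(problems)}")
```

Run it against the design worksheet before the lab solution is finalized; every interface with a non-empty problem list violates one of the rules listed above.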
Slide Objective: To describe how to select the proxy server interface characteristics that affect the integration of the proxy server into the network.
Lead-in: You must select the proxy server interface characteristics so that you can integrate Proxy Server into the existing network.
Selecting the Interface Data Rate and the Persistence
Each proxy server interface connects to a private or public network segment. These network segments can be persistent or non-persistent. In addition, the data rates for these network segments can vary considerably. You need to specify the data rate and persistence for proxy server interfaces so that the proxy server can connect to private and public network segments.
Interfaces that connect to private network segments
Private network segments are based on local area network (LAN) technologies, which are persistent interface connections. The data rate of the private network segment is determined by the LAN technology, such as the 100 megabits per second (Mbps) data transfer rate of 100 Mbps Ethernet.
Interfaces that connect to public network segments
Public network segments are based on LAN and demand-dial technologies, which can be persistent or non-persistent. Public network segments that appear to Proxy Server as LAN interfaces are persistent, and the data rate is determined by the LAN technology.
Public network segments that appear as demand-dial interfaces are nonpersistent, and the data rate is determined by the underlying technology; a 56-Kbps dial-up modem connection, for example, supports a maximum data rate of 56 Kbps.
Even when the public network segment is based on a LAN technology, you may still need to include a demand-dial interface in your solution, such as for a VPN connection over a digital subscriber line (DSL) connection. Include a demand-dial interface in your design if:
An exchange of credentials is required to perform authentication, such as VPN tunnel authentication.
Charges, such as ISDN connection charges, accumulate while the public network segment is active.
To connect to another location across the Internet, one solution is to specify a VPN tunnel over a DSL network segment. In this case, you will need to include the following interfaces in your design:
A LAN interface that supports the persistent DSL network segment.
A demand-dial interface to perform the authentication required by the VPN tunnel.
Determining Proxy Server Client Requirements
Select Software for Connecting to Proxy Server
(Slide diagram: Internet, Proxy Server, Private Network; client types shown: SOCKS Client, HTTP/FTP Traffic Using IE 5.0, All Traffic Using Proxy Server Client, UNIX)
You determine the Proxy Server client requirements so that you can specify the private network address ranges and select the appropriate software for connecting to Proxy Server.
Specifying Private Network IP Address Ranges
You must identify the IP address ranges within the private network so that you can specify these address ranges in the Proxy Server design. Proxy Server clients can then determine whether the destination IP address in an IP packet must be sent directly to the private network destination, or forwarded to the proxy server.
The IP address ranges that you specify are stored in the local address table (LAT) file on the proxy server. When requests are sent to the proxy server, the proxy server uses the LAT to determine whether the request is for a destination within the private network or on the Internet.
For computers on the private network that do not have Proxy Server client software, you need to specify the IP address of the proxy server's private network interface as the default gateway. Because the proxy server is the default gateway for the computer, all requests that are not on the computer's local subnet are forwarded to the proxy server. The proxy server forwards the request to the Internet.
When the computers on the private network have Proxy Server client software installed, they have a local copy of the LAT file. The Proxy Server clients use their local copy of the LAT file to determine whether requests are for destinations within the private network or on the Internet. Private network requests are sent directly to the destination within the private network. Internet requests are sent to the proxy server. Because the LAT drives this decision, it must list only private address ranges: a public range listed in the LAT causes clients to bypass the proxy, and its filters, for that destination, and a private range omitted from the LAT causes internal hosts to be treated as Internet destinations.
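The client-side decision described above, written out as an added Python example that is not part of the course or of the Proxy Server client software. The LAT text is a constructed sample, and writing each range as a start address and an end address on one line is an assumption about the file layout rather than a reproduction of the product's LAT file. Besides the direct-or-proxy lookup, the example rejects malformed ranges and reports any LAT entry that lies outside private address space, since such an entry would let clients bypass the proxy.

```python
"""Client-side LAT lookup: send a request directly or through the proxy.

Added example, not from the course and not the Proxy Server client code.
The LAT text below is a constructed sample; one "<start> <end>" range per
line is an assumption about the file layout, not the product's own format.
"""
from ipaddress import IPv4Address, summarize_address_range

SAMPLE_LAT = """\
# constructed LAT for the example organization: private ranges only
10.0.0.0 10.255.255.255
172.16.0.0 172.16.15.255
192.168.100.0 192.168.100.255
"""


def parse_lat(text):
    """Parse start/end pairs into IPv4Network objects, rejecting malformed lines
    rather than silently skipping them (a skipped range would send that
    traffic to the proxy instead of directly to the internal host)."""
    networks = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            start, end = line.split()
            lo, hi = IPv4Address(start), IPv4Address(end)
        except ValueError as exc:
            raise ValueError(f"LAT line {lineno}: expected '<start> <end>', got {line!r}") from exc
        if hi < lo:
            raise ValueError(f"LAT line {lineno}: end {hi} precedes start {lo}")
        networks.extend(summarize_address_range(lo, hi))
    return networks


def route_for(destination, lat):
    """'direct' when the destination lies in a LAT range, otherwise 'proxy'."""
    dst = IPv4Address(destination)
    return "direct" if any(dst in net for net in lat) else "proxy"


def public_ranges(lat):
    """LAT entries outside private address space. Clients send traffic to these
    destinations directly, bypassing the proxy and its filters, so a design
    review should flag every such entry."""
    return [net for net in lat if not net.is_private]


def route_all(destinations, lat_text=SAMPLE_LAT):
    """Decide the route for each destination using the given LAT text."""
    lat = parse_lat(lat_text)
    return {d: route_for(d, lat) for d in destinations}


if __name__ == "__main__":
    for dst, via in route_all(("10.3.4.5", "172.16.20.1", "198.51.100.1")).items():
        print(f"{dst:16} -> {via}")
    print("public ranges in LAT:", public_ranges(parse_lat(SAMPLE_LAT)))
```

Note that 172.16.20.1 goes to the proxy even though it is RFC 1918 space: only the ranges actually written into the LAT count as private, which is exactly why the LAT must be complete.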
You must determine the Proxy Server client requirements so that you can specify the private network address ranges and select the appropriate software for connecting to Proxy Server.
Selecting Software for Connection to Proxy Server
You can specify that the private network interface of the proxy server is the default gateway entry for computers on the private network. If you specify the proxy server as the default gateway, private network traffic increases, because all traffic destined for other subnets in the private network is forwarded first to the proxy server and then on to the final destination.
To prevent this unnecessary private network traffic, specify that the private network computers be configured with software that forwards traffic to the proxy server only if the final destination is the Internet.
The following table lists the software options for private network computers and the reasons to include each option in your design.
Select: Microsoft Internet Explorer 5.0
If you need to support: HTTP and FTP traffic only; any operating system that includes Internet Explorer 5.0; packet filters and domain filters for filtering traffic.
Select: Proxy Server client
If you need to support: all IP protocol traffic; any operating system that supports the WinSock standard; packet filters and domain filters for filtering traffic; IPX/SPX-based private networks.
Select: SOCKS
If you need to support: all IP protocols supported by the SOCKS applications; UNIX, Macintosh, or operating systems that run SOCKS-compatible applications; SOCKS rules, protocol rules, and IP packet filters for filtering traffic.
Select: No client software
If you need to support: all IP protocols; any operating system with the default gateway configured to send Internet traffic to the proxy server; protocol rules and IP packet filters for filtering traffic.
Discussion: Designing a Proxy Server Solution
The following scenario describes the current network configuration of a legal firm that specializes in patent and copyright law. Read the scenario and answer the questions. Be prepared to discuss your answers with the class.
Slide Objective: To evaluate the decisions involved in designing Proxy Server solutions.
Lead-in: To design a Proxy Server solution, you must decide where to place Proxy Server and how to integrate Proxy Server. You must also determine the Proxy Server client requirements.
Delivery Tip: Read the scenario to the students and review the questions as a group. Give the students time to consider their answers and then lead a discussion based on their responses.
Questions
1. The legal firm currently has an existing firewall at the Montreal location and dedicated rack-mount routers at the branch offices. The firm would consider replacing any of the existing equipment. What solutions could you provide to the firm by using Proxy Server?
You could make the following recommendations:
• Place a proxy server at each geographic location at the edge of the private network.
• Specify that all operating systems that support the SOCKS standard use the local proxy server.
• Specify that all other operating systems change the default gateway to the local proxy server.
2. The legal firm has just acquired a competing firm in Edmonton. The firm in Edmonton currently has an IPX/SPX-based network. The senior partner in the firm insists that the legal assistants in the new Edmonton branch be productive as soon as possible. What would be the best method of providing Internet access to the new Edmonton branch?
You could make the following recommendations:
• At the Edmonton branch, place a proxy server at the edge of the private network.
• Specify that all desktop and laptop computers load the Proxy Server client software.
• Over a period of time, convert the Edmonton network from an IPX/SPX-based network to a TCP/IP-based network.
Securing a Proxy Server Solution
Restricting Access to Internet Resources
Restricting Traffic with Packet Filters
Restricting Outbound Traffic with Domain Filters
Restricting Inbound Traffic with Web Publishing
The security of a Proxy Server design is measured by the ability of the design to prevent unauthorized access to data transmissions and private network resources. Proxy Server enhances security by isolating the private network from the Internet and restricting traffic between the private network and the Internet.
To secure a Proxy Server solution, consider:
Restricting access to the Internet.
Providing access to private network resources by using screened subnets.
Restricting IP traffic by using IP packet filters.
Restricting IP traffic by using domain filters.
Enabling access to private network resources by using Web Publishing.
Slide Objective: To provide an overview of the strategies needed to secure the Proxy Server solution.
Lead-in: You can specify that Proxy Server isolates and secures communication between the private network and the Internet.
Trang 22Restricting Access to Internet Resources
Private Network ProxyServer
Internet Active
Directory
Private Network
Proxy Server
Internet Local
Accounts
Active Directory
You can restrict access to Internet resources on a user-by-user basis, with users defined in Active Directory, or as local user accounts on member servers
Networks Based on Active Directory
If your network design includes Active Directory, you can grant access to users and groups in Active Directory Proxy Server is integrated with Active
Directory to provide single logon access to the Internet
The following table lists the users and groups to which you can grant access, and why you would choose to grant access to that user or group
Grant Permission to To enable access to Proxy Server for
Everyone All users, including unauthorized users, when the
Windows 2000 Guest account is enabled
Active Directory Groups Members of a group
Active Directory Users Specific users granted permission on an individual basis
Although not typically a best practice, you would enable the Guest account if your Proxy Server design is integrated in a highly heterogeneous network If you enable the Guest account, you allow anonymous access to the users whose accounts do not exist in Active Directory
You can provide single logon access for users in heterogeneous networks
by using products such as Services for UNIX, Client Services for NetWare, or Services for Macintosh
Slide Objective: To describe the method that can be used to restrict
Networks Not Based on Active Directory
If your network design is predominantly composed of other operating systems, such as UNIX or NetWare, or you are not including Active Directory in the design, you can specify that Proxy Server be installed on a stand-alone Windows 2000–based computer. The stand-alone Windows 2000–based computer has local users and groups that you can use to grant Proxy Server access.
If the network consists of other operating systems, such as UNIX or NetWare, you can specify that the:
Other operating systems replicate the user accounts to the Windows 2000–based computer running Proxy Server. For example, in a network that is based on Novell Directory Services (NDS), you would specify that NDS users and groups must be replicated to the proxy server by using Novell software.
Guest account on the proxy server is enabled and granted Proxy Server access, thereby allowing anonymous access to the proxy server. All users on the private network are then granted access, and you are unable to restrict Proxy Server access on a user-by-user or group basis.
Determining the Number of Screened Subnets
(Slide diagram, Multiple Interfaces or Multiple Servers: one proxy server with separate interfaces to Screened Subnets A, B, and C, compared with multiple proxy servers, each with a single interface, connecting the Internet to Screened Subnets A, B, and C)
You can determine the number of screened subnets in a Proxy Server solution based on the security requirements of an organization. You can establish a screened subnet whenever you want to prevent traffic from passing through the proxy server. You can prevent traffic from passing through the proxy server by using IP packet filters, Web proxy security, SOCKS proxy security, or WinSock proxy security.
Based on the users or applications that need access to the resources on the screened subnet, specify a screened subnet for each security requirement. For example, you would define three screened subnets to isolate resources that need to be accessed by all Internet-based users, by users in a partner organization, and by users within the private network.
Multiple Interfaces or Multiple Servers
You can define multiple screened subnets by using multiple private network interfaces in one proxy server, by using multiple proxy servers with a single interface each, or by using a combination of both. The following table lists the methods for establishing multiple screened subnets, along with the reasons to select each method.
Select this method     To establish a screened subnet if the
Multiple interfaces    System resources of the proxy server are not saturated
                       Organization requires a centralized administration model
Multiple servers       Performance for the screened subnet needs to be maximized
                       Organization requires a decentralized administration model
Slide Objective: To determine the number of screened subnets required in the Internet connectivity design.
Lead-in: The number of screened subnets required in an Internet connectivity design is based on the security requirements of an organization.
Hierarchical Screened Subnet Designs
In designs that require more than one screened subnet created by multiple proxy servers, you place the proxy servers in a hierarchy. Specify hierarchical screened subnet designs to:
Delegate the administration of the screened subnets
Specify broad security requirements at the top of the hierarchy, such as the security requirements for an entire organization
Specify stronger security requirements lower in the hierarchy, such as the security requirements for a department or application
Restricting Traffic with Packet Filters
(Slide diagram, Packet Filter Restrictions and Packet Filter Criteria: proxy servers at the central office, a partner network, and in front of a Web server, with outgoing traffic from the private network and incoming traffic from the Internet passing through packet filters)
To ensure a secure network, you must restrict traffic between the private network and the Internet. You can restrict traffic by specifying Proxy Server packet filters. Proxy Server packet filters affect the SOCKS proxy, Web proxy, and WinSock proxy. You can create a combination of Proxy Server packet filters to address any security requirement.
Packet Filter Restrictions
Proxy Server packet filters are layer two filters that affect the IP traffic received by Proxy Server. These filters specify which IP packets are forwarded or rejected by Proxy Server. Proxy Server packet filters restrict:
Traffic for all Proxy Server services
Both inbound and outbound traffic
Internet access to private network resources, such as servers
Private network user access to Internet-based resources, such as partner networks or Web sites
Slide Objective: To describe the use of Proxy Server packet filters to restrict Internet traffic.
Lead-in: You can restrict access to the Internet or to private network resources by using Proxy Server packet filters.
Review the list of packet filter criteria to ensure that students understand the criteria that can be used to restrict traffic between the private network and the Internet.
Packet Filter Criteria
You can create Proxy Server packet filters by specifying the source or destination IP address range and the protocol number of the packets to be filtered. To address any security requirement, you can create a combination of filters by specifying multiple filters for each interface.
You can base your packet filter design on a single criterion or on any combination of the following:
Direction: The direction of the traffic that the filter must affect. You can specify traffic inbound to the private network, outbound to the Internet, or moving in both directions.
Protocol ID: The IP protocol ID for the filter. You can specify the TCP protocol ID, the Internet Control Message Protocol (ICMP) protocol ID, or any protocol ID.
Local port: The TCP or UDP port number for the source if the packet originates from the private network, or for the destination if the packet originates outside the private network. You can specify any port number, a specific port number, or a range of unknown port numbers.
Remote port: The TCP or UDP port number for the source if the packet originates outside the private network, or for the destination if the packet originates inside the private network. You can specify any port number, a specific port number, or a range of unknown port numbers.
Local host IP address: The IP address of the computer on the private network that exchanges IP packets with the remote computer on the Internet. Typically, this is the IP address of the proxy server. You can specify the default proxy server IP address, a specific IP address assigned to a proxy server interface, or the IP address of a computer on the private network.
Remote host IP address: The IP address of the remote computer on the Internet that exchanges IP packets with the computer on the private network. You can specify any IP address from the Internet, or the IP address of a specific computer on the Internet.
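The six criteria above combine into filters that either forward or reject a packet. The following Python model is an added example, not part of the course or of Proxy Server itself: it evaluates a constructed filter list against constructed packets so that each criterion's wildcard ("any port", "any protocol", "default proxy address", "any remote address") can be seen in action. First-match ordering, a forward/reject action on each filter, rejecting a packet that matches no filter, and the RFC 5737 documentation addresses are assumptions of this model, not behaviour stated on this page.

```python
"""Reference model of the Proxy Server packet filter criteria (added example).

Each filter records the six criteria from the course (direction, protocol ID,
local port, remote port, local host IP address, remote host IP address) plus an
action.  First-match ordering and rejecting unmatched packets are assumptions
of this model.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# IP protocol numbers carried in the IP header (IANA assigned values).
PROTO_ICMP = 1
PROTO_TCP = 6
PROTO_UDP = 17

# Constructed addresses from the RFC 5737 documentation ranges.
PROXY_DEFAULT_IP = "203.0.113.10"   # default (external) address of the proxy
INTERNAL_WEB_IP = "203.0.113.20"    # a second interface address on the proxy

PortSpec = Optional[Tuple[int, int]]  # None = any port; (lo, hi) = inclusive range


@dataclass(frozen=True)
class Packet:
    direction: str                  # "inbound" (from the Internet) or "outbound"
    protocol: int                   # IP protocol ID
    local_ip: str                   # address on the private-network side
    local_port: Optional[int]       # None for protocols without ports (ICMP)
    remote_ip: str                  # address on the Internet side
    remote_port: Optional[int]


@dataclass(frozen=True)
class PacketFilter:
    action: str                      # "forward" or "reject"
    direction: str = "both"          # "inbound", "outbound" or "both"
    protocol: Optional[int] = None   # None = any protocol ID
    local_port: PortSpec = None      # None = any local port
    remote_port: PortSpec = None     # None = any remote port
    local_ip: Optional[str] = None   # None = the default proxy server address
    remote_ip: Optional[str] = None  # None = any Internet address


def port_matches(spec: PortSpec, port: Optional[int]) -> bool:
    """An any-port spec matches everything, including port-less protocols."""
    if spec is None:
        return True
    if port is None:
        return False
    lo, hi = spec
    return lo <= port <= hi


def filter_matches(flt: PacketFilter, pkt: Packet, default_local_ip: str) -> bool:
    """True only when every one of the six criteria accepts the packet."""
    if flt.direction != "both" and flt.direction != pkt.direction:
        return False
    if flt.protocol is not None and flt.protocol != pkt.protocol:
        return False
    if not port_matches(flt.local_port, pkt.local_port):
        return False
    if not port_matches(flt.remote_port, pkt.remote_port):
        return False
    wanted_local = default_local_ip if flt.local_ip is None else flt.local_ip
    if wanted_local != pkt.local_ip:
        return False
    if flt.remote_ip is not None and flt.remote_ip != pkt.remote_ip:
        return False
    return True


def decide(filters: List[PacketFilter], pkt: Packet,
           default_local_ip: str = PROXY_DEFAULT_IP) -> str:
    """First matching filter wins; an unmatched packet is rejected (assumption)."""
    for flt in filters:
        if filter_matches(flt, pkt, default_local_ip):
            return flt.action
    return "reject"


# Constructed filter set: outbound HTTP from the proxy's dynamic ports is
# forwarded, ICMP is forwarded in both directions, and inbound HTTP to the
# second interface is forwarded only from one partner address.
FILTERS = [
    PacketFilter("forward", direction="outbound", protocol=PROTO_TCP,
                 local_port=(1025, 5000), remote_port=(80, 80)),
    PacketFilter("forward", protocol=PROTO_ICMP),
    PacketFilter("forward", direction="inbound", protocol=PROTO_TCP,
                 local_ip=INTERNAL_WEB_IP, local_port=(80, 80),
                 remote_ip="198.51.100.5"),
]

# Constructed packets, not captured traffic.
SAMPLE_PACKETS = [
    Packet("outbound", PROTO_TCP, PROXY_DEFAULT_IP, 1500, "198.51.100.7", 80),
    Packet("outbound", PROTO_TCP, PROXY_DEFAULT_IP, 1500, "198.51.100.7", 25),
    Packet("inbound", PROTO_ICMP, PROXY_DEFAULT_IP, None, "198.51.100.7", None),
    Packet("inbound", PROTO_TCP, INTERNAL_WEB_IP, 80, "198.51.100.5", 40000),
    Packet("inbound", PROTO_TCP, INTERNAL_WEB_IP, 80, "198.51.100.9", 40000),
]


def evaluate_samples() -> List[str]:
    """Verdict for each constructed packet, in order."""
    return [decide(FILTERS, p) for p in SAMPLE_PACKETS]


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_PACKETS, evaluate_samples()):
        print(f"{pkt.direction:8} proto={pkt.protocol:2} "
              f"{pkt.local_ip}:{pkt.local_port} <-> "
              f"{pkt.remote_ip}:{pkt.remote_port} -> {verdict}")
```

The second sample packet (outbound SMTP) and the last one (inbound HTTP from an address other than the partner's) are rejected because no filter accepts them, which is the effect the course describes: a filter set restricts both Internet access to private resources and private-network access to Internet resources at the same time.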
Restricting Outbound Traffic with Domain Filters
(Slide diagram, Domain Filter Criteria: outbound traffic from the private network at the central office passing through the proxy server to the Internet, a partner network, and a Web server)
You can restrict private network traffic to Internet resources by specifying Proxy Server domain filters. Proxy Server domain filters affect the SOCKS proxy, Web proxy, and WinSock proxy. You can add multiple domain filters to create a combination that meets the security requirements of any organization.
Granting or Denying Access with Exceptions
You can specify the default behavior of Proxy Server domain filters to grant access to all Internet sites, or to deny access to all Internet sites. You can then build a list of Internet sites that are the exceptions to the default behavior.
As a result, you can specify Proxy Server domain filters to:
Reject packets specified in the criteria of the filter and forward all others
Forward packets specified in the criteria of the filter and reject all others
Slide Objective: To describe how Proxy Server domain filters prevent unauthorized Internet access.
Lead-in: You can restrict traffic to Internet resources by using Proxy Server domain filters.
Domain Filter Criteria
Define Proxy Server domain filter criteria to restrict traffic based on the security requirements of the organization. For example, if an organization wants to restrict access to a specific Web site by name, define a Proxy Server domain filter that is based upon the domain name of the Web site.
The following table lists the criteria upon which you can base your Proxy Server domain filter, and when you would specify that criteria in your design
Filter on            If you want to restrict access for
Single computer      A specific computer on the Internet, by using the IP address of the computer
Group of computers   A range of IP addresses on the Internet, by using an IP address and subnet mask to specify the range
Domain               A specific domain name, independent of the IP address, by specifying the fully qualified domain name (FQDN) for the domain
Note: Your Proxy Server domain filter can only be based on one of the criteria listed in the table above.
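The default-with-exceptions behavior and the three filter criteria (single computer, group of computers, domain) fit together as follows. This Python model is an added example and is not code from the course or from Proxy Server: each entry is forced to use exactly one criterion, as the note above requires, and the filter as a whole grants or denies every site by default and inverts that decision for the exception list. That an FQDN entry also covers hosts beneath that domain, the use of the RFC 5737 documentation addresses, and the placeholder site name blocked.example are assumptions of the model.

```python
"""Model of Proxy Server domain filter criteria and default behavior (added example).

Each entry uses exactly one criterion: a single computer (IP address), a group
of computers (IP address and subnet mask), or a domain (FQDN).  The filter as
a whole grants or denies all Internet sites by default and treats its entries
as exceptions.  That an FQDN entry also covers hosts beneath that domain is an
assumption of this model, not something the course states.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass(frozen=True)
class DomainFilterEntry:
    single_ip: Optional[str] = None   # Single computer: one IP address
    network: Optional[str] = None     # Group of computers: "address/subnet mask"
    domain: Optional[str] = None      # Domain: fully qualified domain name

    def __post_init__(self) -> None:
        # The course notes that a filter is based on only one criterion.
        chosen = [c for c in (self.single_ip, self.network, self.domain) if c is not None]
        if len(chosen) != 1:
            raise ValueError("a domain filter entry must use exactly one criterion")

    def matches(self, host: str, resolved_ip: Optional[str]) -> bool:
        """Does this entry cover the requested host (or its resolved address)?"""
        if self.domain is not None:
            h = host.lower().rstrip(".")
            d = self.domain.lower().rstrip(".")
            return h == d or h.endswith("." + d)
        if resolved_ip is None:
            return False                  # address-based criteria need an address
        addr = ipaddress.ip_address(resolved_ip)
        if self.single_ip is not None:
            return addr == ipaddress.ip_address(self.single_ip)
        # ipaddress accepts "198.51.100.0/255.255.255.0" as well as prefix lengths.
        return addr in ipaddress.ip_network(self.network, strict=False)


@dataclass
class DomainFilter:
    grant_by_default: bool                  # True: grant all sites except the entries
    exceptions: List[DomainFilterEntry] = field(default_factory=list)

    def allows(self, host: str, resolved_ip: Optional[str] = None) -> bool:
        """The default decision, inverted when the request hits an exception entry."""
        is_exception = any(e.matches(host, resolved_ip) for e in self.exceptions)
        return self.grant_by_default != is_exception


# Constructed policy: deny all Internet sites except a partner's domain, a
# partner address range, and one specific Web server.
PARTNER_ONLY = DomainFilter(
    grant_by_default=False,
    exceptions=[
        DomainFilterEntry(domain="nwtraders.msft"),
        DomainFilterEntry(network="198.51.100.0/255.255.255.0"),
        DomainFilterEntry(single_ip="203.0.113.7"),
    ],
)

# Constructed policy: grant all Internet sites except one site, named by FQDN.
BLOCK_ONE_SITE = DomainFilter(
    grant_by_default=True,
    exceptions=[DomainFilterEntry(domain="blocked.example")],   # placeholder name
)

if __name__ == "__main__":
    for host, ip in [("www.nwtraders.msft", "192.0.2.44"),
                     ("www.blocked.example", "198.51.100.8"),
                     ("ftp.other.test", "203.0.113.8")]:
        print(f"{host:22} partner-only={PARTNER_ONLY.allows(host, ip)!s:5} "
              f"block-one-site={BLOCK_ONE_SITE.allows(host, ip)}")
```

A request for www.blocked.example that resolves to 198.51.100.8 is allowed by PARTNER_ONLY (the address range matches) and denied by BLOCK_ONE_SITE (the domain matches), which illustrates why the course lists the domain criterion as independent of the IP address.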
Restricting Inbound Traffic with Web Publishing
(Slide diagram, Use the Default, All Requests Are Discarded: a remote user on the Internet reaching a Web server on the private network only through the Web Publishing feature of Proxy Server)
To restrict inbound traffic, you can enable access to HTTP or FTP servers that are located in the private network by using the Web Publishing feature of Proxy Server. If you include Web Publishing in your solution, Proxy Server examines inbound Internet-based requests and either:
Forwards the requests to HTTP or FTP servers within the private network
Discards the request
Use the Default—All Requests Are Discarded
You can specify how Web Publishing reacts when an inbound request is received that does not match any of the Web Publishing criteria. You can specify that Web Publishing either:
Ignore all requests and send no response
Forward all requests to the default Web site on the proxy server
Forward all requests to a specific Web site
Note: The default behavior for Web Publishing is to discard any Internet-based requests to Web servers located within the private network.
Slide Objective: To describe how Proxy Server Web Publishing prevents unauthorized access to Web servers on the private network.
Lead-in: You can enable access to HTTP or FTP servers that are located in the private network by using Proxy Server Web Publishing.
Defining Web Publishing Mappings
You can define Proxy Server Web Publishing mappings that override the default behavior of Web Publishing. For each Web Publishing mapping, you can specify the:
Inbound URL that Proxy Server uses to identify requests that are exceptions to the default behavior of Web Publishing
URL within the private network to which the request is to be forwarded. For example, you could create a Web Publishing mapping that forwards all requests for http://www.nwtraders.msft to http://sales.nwtraders.msft.
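The following Python model shows how the default behavior (discard, forward to the proxy's default Web site, or forward to a specific Web site) and the mappings work together on an inbound request. It is an added example, not code from the course or from Proxy Server. It uses the course's own www.nwtraders.msft to sales.nwtraders.msft mapping; the second mapping for a /support path, the helpdesk and proxy site names, and longest-prefix matching on the inbound URL path are assumptions of the model.

```python
"""Model of Proxy Server Web Publishing routing (added example).

Inbound requests are compared with the Web Publishing mappings; a request that
matches none of them gets the configured default behavior, which the course
lists as discarding the request, forwarding it to the proxy's default Web
site, or forwarding it to a specific Web site.  Prefix matching on the inbound
URL path, with the longest prefix winning, is an assumption of this model.
"""
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

DISCARD = "discard"                  # the default, as the course states
DEFAULT_WEB_SITE = "default_web_site"
SPECIFIC_WEB_SITE = "specific_web_site"


@dataclass(frozen=True)
class PublishingMapping:
    inbound_url: str     # what the Internet client asked for (scheme, host, path prefix)
    internal_url: str    # where the request is forwarded inside the private network


@dataclass
class WebPublishing:
    mappings: List[PublishingMapping]
    default_behavior: str = DISCARD
    default_web_site: str = "http://proxy.nwtraders.msft"   # hypothetical proxy site
    specific_web_site: Optional[str] = None

    @staticmethod
    def _rewrite(base: str, request_path: str, query: str) -> str:
        """Append the remaining path (and query) to the internal base URL."""
        target = base.rstrip("/") + request_path
        return target + ("?" + query if query else "")

    def route(self, request_url: str) -> Optional[str]:
        """Return the internal URL to forward to, or None when the request is discarded."""
        req = urlsplit(request_url)
        host = req.netloc.lower()
        # Longest inbound path prefix wins, so a deeper mapping overrides a site-wide one.
        ordered = sorted(self.mappings,
                         key=lambda m: len(urlsplit(m.inbound_url).path.rstrip("/")),
                         reverse=True)
        for m in ordered:
            inb = urlsplit(m.inbound_url)
            prefix = inb.path.rstrip("/")
            if (req.scheme == inb.scheme and host == inb.netloc.lower()
                    and (req.path == prefix or req.path.startswith(prefix + "/"))):
                # Replace the matched prefix with the internal URL and keep the rest.
                remainder = req.path[len(prefix):]
                return self._rewrite(m.internal_url, remainder, req.query)
        if self.default_behavior == DEFAULT_WEB_SITE:
            return self._rewrite(self.default_web_site, req.path, req.query)
        if self.default_behavior == SPECIFIC_WEB_SITE and self.specific_web_site:
            return self._rewrite(self.specific_web_site, req.path, req.query)
        return None   # DISCARD: the request is ignored and no response is sent


# Constructed configuration: the course's example mapping plus a hypothetical
# deeper mapping for a support area hosted on another internal server.
PUBLISHING = WebPublishing(mappings=[
    PublishingMapping("http://www.nwtraders.msft", "http://sales.nwtraders.msft"),
    PublishingMapping("http://www.nwtraders.msft/support",
                      "http://helpdesk.nwtraders.msft/web"),
])

if __name__ == "__main__":
    for url in ["http://www.nwtraders.msft/catalog/index.htm",
                "http://www.nwtraders.msft/support/faq.htm",
                "http://intranet.nwtraders.msft/secret.htm"]:
        print(url, "->", PUBLISHING.route(url))
```

With the default left at DISCARD, the request for intranet.nwtraders.msft produces no forwarding target at all, so an internal server is reachable from the Internet only if a mapping names it; changing the default to forward unmatched requests to a Web site should therefore be a deliberate design decision.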