Troy Technologies USA
MCSE STUDY GUIDE
Proxy Server 2.0 Exam 70-88
Troy Technologies USA, 11134 Hunter Oaks, San Antonio, TX 78233
We will gladly refund the full cost of this study guide. However, you are not going to need this guarantee if you follow the above instructions.
© Copyright 1998 Troy Technologies USA. All Rights Reserved.
Proxy Server Concepts
The primary function of Microsoft Proxy Server is to act as a gateway to and from the Internet. Clients connect to Proxy Server when they request resources located on the Internet; Proxy Server retrieves the resource and returns it to the client. The server can also allow selected external computers or protocols to reach the internal network. Because only one IP address is presented to the Internet, Proxy Server effectively hides the internal network.
A Proxy Server has one network card for the private internal network and a second adapter with which to connect to the Internet. The second adapter may be another network card or an ISDN adapter. The Proxy Server should be the only computer on the network attached to both the internal and external networks; any other machine connected to both is a path around the proxy.
Microsoft Proxy Server consists of three different services: Web Proxy, WinSock Proxy, and SOCKS Proxy.
Web Proxy Service
The Web Proxy service runs as a service on a Windows NT Server. It runs as an extension to IIS 3.0 or higher, so IIS must be installed on the NT server before the Web Proxy service can run. Clients contact the Web Proxy service, which contacts the remote Web servers on their behalf and relays the responses back. The client must be proxy-aware: the browser is configured with the address of the Web Proxy service.
The Web Proxy service supports Hypertext Transfer Protocol (HTTP), File Transfer Protocol (FTP), Gopher, and secure (SSL-tunnelled) requests for computers on the local LAN.
Caching
The Web Proxy service keeps local copies of HTTP and FTP objects on a local hard disk. This is called caching. Not all objects are cached: some change frequently, even on every access, so caching them wastes processing time, and objects that carry a security context (such as responses that required authentication) are not cached for security reasons. Proxy Server performs two types of caching: passive caching and active caching.
Passive Caching
With passive caching, when a client requests an object, Proxy Server retrieves it from the Internet, returns it to the client, and stores a copy in the cache. When that client, or any other client, requests the object again, Proxy Server serves it from the local cache rather than from the Web server on the Internet.
To ensure that the cached information is still current, several techniques are used. One technique is to set an expiration time on the object, known as its time to live (TTL). When a client requests a cached object, Proxy Server checks the TTL to determine whether the object is still valid. If the TTL has not expired, the cached object is returned to the client. If the TTL has expired, Proxy Server retrieves a fresh copy from the Internet and the TTL period begins again.
In order to manage disk space, Proxy Server deletes older cached objects to make room for new ones when the disk becomes too full.
Active Caching
Active caching supplements passive caching. Its intent is to maximize the probability that an object is already in the local cache when a client requests it from Proxy Server. To accomplish this, Proxy Server automatically retrieves objects from the Internet, choosing them by considering factors such as:
Frequency of request - Objects that are requested more frequently are kept in the cache. If the TTL on one of these objects expires, a fresh copy is requested.
Time-To-Live - Objects with a longer TTL are better candidates for caching than objects with shorter TTLs. In other words, if an object has a short TTL and is seldom requested, it is not advantageous to cache it because the TTL will have expired by the time the next request arrives.
Server Activity - Proxy Server seeks to cache more objects during periods of low activity than during periods of high activity.
WinSock Proxy Service
The WinSock Proxy service works with Windows-based client computers. It allows WinSock applications to run remotely, as if the client were directly connected to the Internet. It is a client/server process: the server side runs only on a Windows NT 4.0 Server running Proxy Server, and the client side is the WinSock Proxy client software installed on each workstation.
Local Address Table (LAT)
The function of the LAT is to define the IP addresses of the internal network. Network addresses not contained in the LAT are considered external. The LAT therefore has two security consequences: clients connect directly to any address listed in it, bypassing the proxy, and Proxy Server treats traffic from those addresses as internal.
LAT entries are pairs of IP addresses, and each pair defines an address range. A range can be an entire network ID or a single IP address (a pair whose two ends are the same). The LAT is built when you install Proxy Server and is generated from the Windows NT Server routing table. This method may not record all the addresses of the internal networks: you may have subnets that need to be added, and the routing table may also contribute external network addresses (for example, the subnet of the Internet-facing adapter) that need to be removed. It is important to remove external network addresses from the LAT.
When you install the Proxy client, the Setup program installs a file named msplat.txt in the \mspclnt folder. This file contains the LAT, and its contents are identical to the LAT on the server. To keep the file consistent, the server regularly updates the msplat.txt file on the client.
When a WinSock application needs to establish a connection using an IP address, msplat.txt is consulted to determine whether the requested IP address is internal or external. If the address is listed, it is considered to be on the internal network and the connection to the resource is made directly. If it is not listed, it is considered external and the connection is made through the Proxy Server.
If the LAT on the server does not contain all of the internal network addresses, you could modify msplat.txt at the client to include them, but those modifications are lost whenever the server sends its periodic LAT update to the client. To overcome this, create a custom LAT for the client with a text editor: add the additional address pairs that are on the internal network so that the client recognizes them as internal, and save the file in the \mspclnt folder under the name Locallat.txt. The WinSock client checks both files, if both are present, for local IP addresses. Note that Locallat.txt is a per-client file that the server neither overwrites nor audits, so any entry added there, legitimately or not, also makes that client bypass the proxy for the listed addresses.
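The following is an added example, not code from the study guide or from Microsoft: it models the WinSock Proxy client's "local or remote?" decision over a LAT written in the form the guide describes (one address pair per line, a single address being a pair whose two ends are equal), combines msplat.txt with Locallat.txt, and audits the LAT for the mistake the guide warns about, an entry that covers the proxy's own external adapter. The file layout, the sample ranges and the external adapter address are assumptions; real msplat.txt files may differ in whitespace.

```javascript
// Added example (not part of the study guide): the WinSock Proxy client's
// "is this address local?" decision, using the LAT format the guide describes:
// one address pair (range start, range end) per line, a single address being
// a pair whose two ends are equal. Real msplat.txt layout is an assumption.

// Convert dotted-quad text to an unsigned 32-bit integer so ranges compare
// numerically rather than as strings.
function ipToInt(ip) {
  const parts = ip.trim().split(".");
  if (parts.length !== 4) throw new Error("bad IPv4 address: " + ip);
  return parts.reduce((acc, p) => {
    const n = Number(p);
    if (!Number.isInteger(n) || n < 0 || n > 255) throw new Error("bad octet in " + ip);
    return acc * 256 + n;
  }, 0);
}

// Parse LAT text into [start, end] integer ranges. Blank lines are skipped;
// a range written backwards is normalised rather than silently ignored.
function parseLat(text) {
  const ranges = [];
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line) continue;
    const fields = line.split(/\s+/);
    if (fields.length !== 2) throw new Error("LAT line is not an address pair: " + line);
    let [start, end] = fields.map(ipToInt);
    if (start > end) [start, end] = [end, start];
    ranges.push([start, end]);
  }
  return ranges;
}

// The client checks msplat.txt and, if present, Locallat.txt; an address in
// either file is treated as internal and contacted directly.
function isLocalAddress(ip, ...latRanges) {
  const n = ipToInt(ip);
  return latRanges.some(ranges => ranges.some(([s, e]) => n >= s && n <= e));
}

// The routing decision the guide describes: direct for local addresses,
// through the WinSock Proxy service for everything else.
function routeFor(ip, msplat, locallat) {
  return isLocalAddress(ip, msplat, locallat) ? "direct" : "proxy";
}

// Audit helper: the guide says never to put external addresses in the LAT.
// Any range covering the proxy's own external adapter (an assumed address)
// would let clients bypass the proxy and would make the proxy trust that
// traffic as internal.
function latEntriesCovering(ranges, externalIp) {
  const n = ipToInt(externalIp);
  return ranges.filter(([s, e]) => n >= s && n <= e);
}

// Constructed sample files, not real ones. This msplat.txt was generated from
// the routing table and wrongly includes the external adapter's subnet;
// Locallat.txt adds an internal subnet the routing table did not know about.
const SAMPLE_MSPLAT = [
  "10.0.0.0\t10.255.255.255",
  "192.168.1.0\t192.168.1.255",
  "203.0.113.0\t203.0.113.255",   // external adapter's subnet: should not be here
  "127.0.0.1\t127.0.0.1"
].join("\n");
const SAMPLE_LOCALLAT = "172.16.5.0\t172.16.5.255\n";
const EXTERNAL_ADAPTER_IP = "203.0.113.17"; // assumed Internet-facing adapter address

const msplat = parseLat(SAMPLE_MSPLAT);
const locallat = parseLat(SAMPLE_LOCALLAT);

console.log("10.1.2.3     ->", routeFor("10.1.2.3", msplat, locallat));
console.log("172.16.5.9   ->", routeFor("172.16.5.9", msplat, locallat));
console.log("198.51.100.4 ->", routeFor("198.51.100.4", msplat, locallat));
console.log("LAT entries covering the external adapter:",
  latEntriesCovering(msplat, EXTERNAL_ADAPTER_IP).length);
```

The audit function is the check to run against the server-side LAT after installation, before clients download it: an entry that covers the external adapter means both that clients will talk to the Internet directly for that range and that the proxy will treat connections from it as internal.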
TCP/IP and IPX/SPX
There are several important points to know about using the TCP/IP or IPX/SPX protocols with the WinSock Proxy service. When you are using TCP/IP on your LAN and an application wants to communicate with a server, that server may be local or remote to the application. Based on the addresses in the LAT, the client can tell whether the requested server is local or remote. If the address is local, the client sends the request directly; if it is not local, the WinSock Proxy service is involved.
If your LAN runs the IPX/SPX protocol, the scenario changes. In this case the WinSock Proxy service also acts as a protocol gateway, converting IPX/SPX to TCP/IP and back again. Since you are not running TCP/IP, there is no LAT to download to the WinSock Proxy client at installation time, and since there are no TCP/IP hosts on the local network, every attempt to connect to a TCP/IP host is treated as a request for a remote host and processed according to those rules.
SOCKS Proxy Service
The SOCKS Proxy service is a cross-platform, circuit-level proxy mechanism that lets non-Windows clients such as UNIX and Macintosh systems (and any application that speaks SOCKS version 4) reach the Internet transparently through Proxy Server. SOCKS itself provides no encryption; access is controlled by source and destination rules (see the SOCKS Proxy Service permissions below) rather than by Windows NT user accounts. The service does not support applications that use UDP, nor does it support the IPX/SPX protocol.
Multiple Proxy Servers
You configure multiple Proxy Servers in your organization to meet two objectives: redundancy and load sharing. More than one Proxy Server gives you multiple gateways to the Internet, and planning how to share the load among those gateways is an important design issue. You can configure load sharing in several ways:
Load sharing using DNS
Load sharing using WINS
Load sharing using WinSock Proxy
Clients of the Web Proxy service can be configured to use a specific Proxy Server or all Proxy Servers. Clients of the WinSock Proxy service must be configured to use a specific Proxy Server.
Load Sharing Using DNS
DNS servers provide host name-to-IP address resolution. Before a Web browser can establish a session with a Web server (or a proxy), it must have that server's IP address. If you are using multiple Proxy Servers, you can configure DNS so that it distributes the workload by supplying a different IP address for each successive request for the same name.
Suppose information that is accessed heavily by users is available on three different Web servers. Clients access the information using a URL, but because the URL contains a host name and each of the three servers has a different host name, each client would have to specify a different URL. This is undesirable: you want all clients to specify a single URL, and the distribution needs to be transparent to the user.
The Microsoft DNS server supports a process known as round robin, which balances the workload of the servers, in this case the three Web servers. To use it, you create one host name with several host (A) records, each pointing to a different server's IP address. Note that a CNAME alias cannot do this: a CNAME maps a name to one other name, not to multiple IP addresses.
DNS answers the first client with the addresses in one order, then rotates the list so that the next client receives the next server first, and so on. In this manner each host receives an approximately equal share of client requests and the process is transparent to the user. Two caveats: round robin is unaware of server health, so a failed server keeps receiving its share of clients until its record is removed, and caching of DNS answers by clients or intermediate servers can skew the distribution.
Load Sharing Using WINS
If you are running Windows with the TCP/IP protocol, you should have at least one WINS server deployed. WINS is Microsoft's implementation of an RFC NetBIOS Name Server. WINS serves a similar but different function from DNS: DNS resolves fully qualified domain names (FQDNs) to IP addresses, whereas WINS resolves NetBIOS names to IP addresses, and Microsoft networking of this era relies on NetBIOS names.
You can use WINS in the same way as DNS to share the load of your Proxy Servers: create a static (multihomed) entry in the WINS database for the Proxy Server alias and map it to multiple IP addresses.
Load Sharing Using WinSock Proxy
You install the WinSock Proxy client from a Proxy Server, and the client then attaches to and uses the WinSock Proxy service of the server from which it was installed. To balance the workload of the WinSock Proxy services, install different groups of clients from different Proxy Servers. This distributes the load among the Proxy Servers in the organization, but the assignment is static: it provides load sharing, not failover, for those clients.
Distributed Caching
You can distribute caching among multiple Proxy Servers in the organization. This improves both active and passive caching, spreads the cached objects across servers, and provides fault tolerance if one Proxy Server fails or becomes unavailable. Distributed caching is implemented by one of two methods, or by combining both: chaining or arrays.
Chaining
Using one Proxy Server to route requests to another proxy server involves a process called upstream routing. By configuring upstream routing, a Web Proxy client request can be routed to an upstream Proxy Server, to a Proxy Server array, or directly to the Internet. The term "upstream", from a data-flow point of view, refers to being closer to the Internet. This technique is also known as chaining.
You can also specify a backup route to use if the upstream proxy server is unavailable. The backup route is fully functional and the transfer to it is automatic and transparent. From time to time, the primary-route Proxy Server is polled to see whether it is available again; when it is, the primary route is re-established automatically. Make sure the backup route is at least as restrictive as the primary one, since traffic that fails over to it is subject only to the backup route's controls.
Proxy Server Array
An array is a group of Proxy Servers bound together by an array name and administered as a single unit. Configuring an array provides load sharing, fault tolerance, and easier administration. Arrays are useful in branch offices, in networks too large to be served by a single Proxy Server, and for consolidating multiple Internet connections.
You create an array from the Internet Service Manager (ISM). An array is common to all Proxy services. Each Proxy Server maintains a list of which members of the array are available and which are not. Each member uses a hash to make routing decisions: the requested URL and each member's name are run through a hash function, and the member with the highest resulting score is the one that should hold the object. Because every member computes the same answer, no member needs to ask the others where an object is (see CARP below).
The configuration of a single array member can be propagated and synchronized to all members of the array. The following parameters are propagated when auto-synchronization is enabled:
Advanced caching options
Client configuration files
Domain filters
LAT
Logging information
Publishing information
Upstream routing options
Web Proxy user permissions
WinSock protocol definitions
Cache Array Routing Protocol (CARP)
Proxy Server 2.0 supports the Cache Array Routing Protocol (CARP), a successor to the Internet Cache Protocol (ICP). Under ICP, a proxy server that receives a request queries its peers to ask whether any of them holds a cached copy of the requested object before it goes to the Internet for the object; every request therefore costs a round of queries.
CARP expands on ICP in several ways. It uses a "queryless" hash-based algorithm: the URL is hashed together with the name of each array member, and the request is routed to the member with the best score. Because every member computes the same result for the same URL, there is single-hop resolution for the requested object, and the location of each cached object is known within the array without asking. CARP also scales better as Proxy Servers are added, unlike ICP, whose query traffic grows with the number of peers.
Because each URL resolves to exactly one member, CARP prevents multiple servers from caching the same object, so the array's combined cache holds more distinct objects than an ICP array of the same size.
Client Installation
When you install Proxy Server, the Setup Wizard creates the \msp\clients folder. Client software utilities are installed in their respective subfolders; for example, the Alpha folder contains the Alpha-specific files and the I386 folder contains the Intel-specific files. The Setup Wizard also shares \msp\clients as a share called mspclnt.
You have to install the WinSock client software on the client computers. The client setup program configures the computer as a client of the WinSock Proxy service on the server from which setup was run. As part of the installation, the Web browser is also configured as a client of the Web Proxy service.
You can start the client setup program in one of two ways. You can connect to the UNC path \\server_name\mspclnt and run the client setup program, or you can point a browser such as Internet Explorer at http://computer_name/msproxy and click "Install WinSock Proxy 2.0 client". If you are installing the client on a Web server, the setup program stops the Web service while the installation is in progress.
The Mspclnt.ini file contains configuration information about the client. It is a text file and can be edited with any text editor. By default, the client configuration file is downloaded to the client each time the client computer is restarted, and it is refreshed every six hours after the initial download. When a refresh occurs, the server share paths listed in the [Master Config] section of Mspclnt.ini are used, in order, to locate updated configuration files. At least one entry must be present; additional paths are tried only if the preceding ones are unavailable. Because clients apply whatever they download from these shares, the shares must not be writable by ordinary users: anyone who can modify the files there can change the LAT and proxy settings of every client that refreshes from them.
For Mspclnt.ini changes made on the server to be reflected on a client, you either have to update the WinSock Proxy client manually or wait for the automatic refresh. Keep in mind that if you change the client's Mspclnt.ini file and want the changes to remain, you must also make the same change on the server, or the next refresh will overwrite it.
Using Javascript
When a Web browser client starts, you can specify that a client configuration script be downloaded to the client computer. This configuration script is written in JavaScript and is located on the Proxy Server for that client. Remember, every client contacts a specific Proxy Server.
The script is downloaded to the browser on the client computer and executed against every URL the browser requests. The output of the script is an ordered list of Proxy Servers that the browser uses to retrieve the object specified by the URL. Because the client chooses the array member itself, this offloads some of the routing work from the Proxy Server array.
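The following is an added example, not the study guide's code and not Microsoft's own script: a browser configuration script of the kind described above, with a FindProxyForURL entry point that returns DIRECT for internal hosts and otherwise an ordered proxy list. Member selection uses a simplified CARP-style hash, which also illustrates the CARP section above: each (URL, member) pair is scored independently and the highest score wins, so every client and every member agree on the owner of a URL without querying, and removing a member reassigns only the URLs it owned. The real CARP draft uses fixed constants and a load-factor multiplier; those details, the member names and the internal domain suffix are assumptions here, and the PAC helper functions are minimal stand-ins for the ones a browser provides.

```javascript
// Added example (not part of the study guide, not Microsoft's script): a
// PAC-style configuration script with simplified CARP-style member selection.
// Member names, the internal domain and the hash details are assumptions.

// Array members as the browser would be told about them (assumed names).
const ARRAY_MEMBERS = ["proxy1.example.com:80", "proxy2.example.com:80", "proxy3.example.com:80"];
const INTERNAL_DOMAIN = ".corp.example.com"; // assumed internal DNS suffix

// 32-bit string hash (FNV-1a). Any stable, well-mixed hash works; what matters
// is that every client and every array member compute the same value.
function hash32(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h >>> 0;
}

// CARP idea: score each (URL, member) pair independently and pick the highest.
// Because a member's score does not depend on which other members exist,
// adding or removing one member reassigns only the URLs that member owned.
function scoreFor(url, member) {
  return hash32(url + "|" + member);
}

// Order members by descending score; the first is the "owner" of the URL,
// the rest are fallbacks the browser tries if the owner is unreachable.
function rankMembers(url, members) {
  return members
    .map(m => ({ m, s: scoreFor(url, m) }))
    .sort((a, b) => b.s - a.s || (a.m < b.m ? -1 : 1))
    .map(x => x.m);
}

// Minimal stand-ins for the PAC helper functions a browser normally provides.
function isPlainHostName(host) { return host.indexOf(".") === -1; }
function dnsDomainIs(host, domain) { return host.toLowerCase().endsWith(domain.toLowerCase()); }

// Same contract as a real PAC script: DIRECT for internal hosts, otherwise the
// CARP-ordered proxy list, with DIRECT as a last resort.
function FindProxyForURL(url, host) {
  if (isPlainHostName(host) || dnsDomainIs(host, INTERNAL_DOMAIN) || host === "localhost") {
    return "DIRECT";
  }
  return rankMembers(url, ARRAY_MEMBERS).map(m => "PROXY " + m).join("; ") + "; DIRECT";
}

// Which member owns a URL: the first entry of the ranking.
function ownerOf(url, members) { return rankMembers(url, members)[0]; }

console.log(FindProxyForURL("http://intranet/", "intranet"));
console.log(FindProxyForURL("http://www.example.org/index.html", "www.example.org"));
```

Two points follow from the design. The trailing DIRECT is a policy decision, not a requirement: with it, a client whose array is entirely unreachable goes to the Internet unproxied, so remove it where the proxy is the only permitted path. And because the script runs on every client, anyone who can alter it on the Proxy Server controls where every browser sends its traffic, which is another reason the client configuration files must be protected.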
Access Control
Outbound Access
You can allow your clients complete access to the Internet or you can control what they access. Microsoft Proxy Server provides several methods for controlling outbound access, and they can be combined to give as granular control as you require over what your clients can and cannot reach on the Internet. There are three primary methods for configuring outbound access: controlling access by Internet service, controlling access by IP parameters, and controlling access by TCP or UDP port.
Internet Service
One of the keys to security is to allow access to resources and services only to those who need them. In the context of Proxy Server, you limit each service to the users who need it. You set the access control permissions individually for the Web Proxy, WinSock Proxy, and SOCKS Proxy services, from inside the ISM, using the property sheet of the specific service.
Web Proxy Service - Use the Permissions tab to select "Enable Access Control". You can then specify who has access to each of the following protocols:
WWW - Access to the HTTP protocol.
FTP Read - Read access to FTP services.
Gopher - A menu-based document retrieval system that predates the Web and supplements FTP.
Secure - The SSL tunnelling service. A user granted this permission can make SSL (HTTPS) connections through the proxy; because the proxy only relays the encrypted stream, it cannot inspect or cache that traffic.
WinSock Proxy Service - Use the Permissions tab to select "Enable Access Control". You can grant "Unlimited Access" or specify who has access to each of the following protocols: AlphaWorld, AOL, Archie, Echo, Enliven, IMAP4, IRC, Microsoft NetShow, MSN, NNTP, POP3, RealAudio, SMTP, Telnet, and VDOLive. Other protocols can be added to the WinSock Proxy service as protocol definitions. Prefer granting specific protocols to specific groups over "Unlimited Access", which allows every defined protocol.
SOCKS Proxy Service - The same procedure is used to set permissions for the SOCKS service, but through a dialog box of source and destination rules rather than user accounts. The "Source" specifies the origin of the request, either by IP address and subnet mask, by Internet domain, or for all computers. The "Destination" side is where you allow (or deny) the destination of the permitted entry. Because SOCKS rules identify clients only by address, everyone on a permitted subnet receives whatever access that subnet is granted.
IP Parameters
Proxy Server allows you to control access by specific IP parameters: IP address, IP subnet, and Internet domain name. This is done by enabling filtering and then specifying the appropriate IP address, subnet, or domain.
When configuring this filtering there are two approaches. You can grant access to everyone and then restrict it by denying certain IP addresses, subnets, or domains, or you can deny access to everyone and then grant it by exception for specific IP addresses, subnets, or domains. Denying by default and granting by exception is the least-privilege choice: a destination nobody thought about is blocked rather than allowed.
Just as with configuring access by Internet service, you set these parameters on each individual Proxy Server.
Port
You can control access to the WinSock Proxy service by configuring which TCP and UDP ports a protocol may use. Proxy Server comes with a default set of protocol definitions; you can add your own definitions or modify the default ones to suit your requirements. Proxy Server uses application service ports for the WinSock Proxy and SOCKS Proxy services. WinSock-based applications work through a network connection, and ports are used in combination with IP addresses to form socket connections; a socket is an endpoint in the communication process.
The WinSock Proxy service can also redirect a listen() call. The implication is that Proxy Server can listen for Internet requests on behalf of your application and then redirect inbound connections from the Internet to that application. Treat inbound protocol definitions as deliberate exposures of internal software to the Internet and enable them only for applications that genuinely need to accept inbound connections. There is also a special setting called "Unlimited Access". You can enable access to inbound and outbound service ports selectively for users on your network; you do this through the ISM by selecting the WinSock property sheet and then the Protocols tab.
You can create new protocol definitions and modify existing ones. These definitions can be saved to a file and loaded later, and a file saved on one Proxy Server can be loaded on another. You may use any legal filename, including an extension; Proxy Server does not append an extension. The file is saved as plain text, so review a copy from another server before loading it, since a loaded definition can open inbound ports.
You can also create new protocol definitions in the WinSock Proxy service properties for the purpose of controlling access.
The following table summarizes the port parameters for the default protocols. You can modify the initial connection, specify TCP or UDP, and specify whether it is inbound or outbound. You can also set the parameters for subsequent connections, which do not have to be the same as the initial connection.
Protocol Name Initial Outbound Connection Type
Enable Access Control - This is the default during installation. Without access control enabled, you cannot set password authentication, and the configuration is considered unsecured.
Local Address Table - The LAT details which addresses Proxy Server considers internal network addresses. This point is critical: addresses in the LAT are trusted as internal, and clients contact them directly rather than through the proxy. Never put external addresses in the LAT.
Disable Server Service - Consider disabling the Windows NT Server service on the Proxy Server system. This service provides file and print sharing to network clients, which neither Proxy Server nor its clients need in order to function once the clients are installed. Note, however, that the \mspclnt share used to install clients and to refresh Mspclnt.ini depends on the Server service, so weigh that against disabling it. If you choose not to disable it, make sure that any shares you created have the proper permissions assigned (clients need only read access to mspclnt), and use the NTFS file system, which allows file-level permissions and greatly enhances security in this situation.
Drive Mappings - Do not use drive mappings to connect to remote resources if you are running Proxy Server and IIS on the same server and you are publishing content. The problem with mapped drives is that the drive letter designator can change, making the resource unavailable; if you use UNC syntax this cannot happen. In addition, drive mappings are limited in number by the letters of the alphabet.
Configuring the Client - Remove default gateway and DNS server references from the IP parameters of the client computers. This prevents clients from bypassing Proxy Server to reach the Internet (the WinSock Proxy client resolves external names through the proxy). Don't forget to remove these parameters from your DHCP scope options as well, or they will be handed back out at the next lease renewal.
Disable RPC ports - Ports 1024 through 1029 are used by TCP/IP services for remote procedure call (RPC) listening. You can disable RPC listening on the external network interface so that these ports are no longer visible to the Internet. You make these changes through the registry; verify the result with a port scan of the external adapter from outside rather than trusting the registry change alone.
The default installation configuration of Microsoft Proxy Server leaves the network fully secure from outside access by Internet users. Interestingly, if during installation you accept the defaults that enable access control, internal access to the Internet is also prevented: users inside cannot access the Internet and users outside cannot access the internal network.
Access control is enabled at installation, but no users or groups are specified yet; the administrator must grant them explicitly. This is true for both the Web Proxy and WinSock Proxy services.
Controlling by Packet Type
You can use Proxy Server to control access to the internal network with a technique known as packet filtering. With packet filtering enabled, Proxy Server accepts or denies packets on the external interface based on packet type (protocol, port, and direction). You can also block packets originating from specific Internet hosts.
Proxy Server supports both dynamic and static packet filtering. With dynamic packet filtering, the ports a session needs are opened automatically for the outgoing request and for the matching inbound replies, and closed again when the session ends. This minimizes the number of ports open at any time and the length of time any port stays open; dynamic packet filtering is automatic and requires no work on your part. Static packet filtering involves manually configuring filters that stay open regardless of sessions; you do this in ISM on the property sheet for the service. Keep the static list short, since every static inbound filter is a permanent opening in the external interface.
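The following is an added example, not the study guide's code and not a model of Proxy Server's actual filter engine: a toy stateful filter that shows the difference between the two kinds of filtering above. An outbound session records the exact return path it expects, inbound packets are admitted only if they match a live session or a static rule, and the dynamic entry disappears when the session closes. The packets, addresses and the one static rule are constructed sample data and assumptions.

```javascript
// Added example (not part of the study guide): a toy model of dynamic versus
// static packet filtering on the external interface. Addresses, ports and the
// sample traffic are constructed.

const EXTERNAL_IP = "203.0.113.17"; // assumed Internet-facing adapter address

// Static filters: rules an administrator configures by hand and that stay
// open regardless of sessions. Here the only inbound service deliberately
// exposed is HTTP to the proxy's own adapter.
const STATIC_INBOUND_ALLOW = [
  { proto: "tcp", dstPort: 80 }
];

// A filter holds a dynamic session table: entries are created when an
// outbound session opens and removed when it ends. Keyed on the full
// 5-tuple so a reply is accepted only from the host and port that was
// actually contacted.
function makeFilter() {
  const sessions = new Map();
  const key = (p) => [p.proto, p.src, p.srcPort, p.dst, p.dstPort].join("/");
  // The return path of an outbound packet is the same tuple with the
  // endpoints swapped.
  const returnPath = (p) => ({ proto: p.proto, src: p.dst, srcPort: p.dstPort, dst: p.src, dstPort: p.srcPort });

  return {
    // Outbound packet from the proxy to the Internet: allow it and open the
    // matching return path.
    outbound(p) {
      sessions.set(key(returnPath(p)), true);
      return "allow";
    },
    // Inbound packet from the Internet: allowed only if it matches a live
    // session opened from inside, or a static inbound rule.
    inbound(p) {
      if (sessions.has(key(p))) return "allow (dynamic)";
      if (p.dst === EXTERNAL_IP &&
          STATIC_INBOUND_ALLOW.some(r => r.proto === p.proto && r.dstPort === p.dstPort)) {
        return "allow (static)";
      }
      return "deny";
    },
    // Session teardown (FIN/RST or timeout): the return path closes again.
    close(p) {
      sessions.delete(key(returnPath(p)));
    },
    openCount() { return sessions.size; }
  };
}

// Constructed traffic: the proxy fetches a page on behalf of a client, the
// server replies, an unrelated host probes the same ephemeral port, and
// another host connects to the statically allowed HTTP port.
const fetchPkt  = { proto: "tcp", src: EXTERNAL_IP, srcPort: 1025, dst: "198.51.100.4", dstPort: 80 };
const replyPkt  = { proto: "tcp", src: "198.51.100.4", srcPort: 80, dst: EXTERNAL_IP, dstPort: 1025 };
const probePkt  = { proto: "tcp", src: "192.0.2.99", srcPort: 80, dst: EXTERNAL_IP, dstPort: 1025 };
const webHitPkt = { proto: "tcp", src: "192.0.2.99", srcPort: 40000, dst: EXTERNAL_IP, dstPort: 80 };

// Run the scenario and return [label, verdict] pairs.
function demo() {
  const f = makeFilter();
  const results = [];
  results.push(["probe before session", f.inbound(probePkt)]);   // deny
  f.outbound(fetchPkt);
  results.push(["reply during session", f.inbound(replyPkt)]);   // allow (dynamic)
  results.push(["probe during session", f.inbound(probePkt)]);   // deny: wrong source host
  f.close(fetchPkt);
  results.push(["reply after close", f.inbound(replyPkt)]);      // deny: port closed again
  results.push(["static HTTP rule", f.inbound(webHitPkt)]);      // allow (static)
  return results;
}

for (const [label, verdict] of demo()) console.log(label.padEnd(22), verdict);
```

The probe during the session is the point of the 5-tuple key: the client's ephemeral port is open only to the server the client contacted, not to the whole Internet. The static HTTP rule, by contrast, admits anyone at any time, which is why static filters deserve the scrutiny recommended above.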
Encryption
Proxy Server takes advantage of the authentication and security architecture of IIS. The Web Proxy service uses the same password authentication methods for client requests as those configured in the