This article is the third in a series introducing the Microsoft Catapult proxy server. The previous two articles looked at installation and setup and advanced configuration issues for this proxy server, Internet Access Server (IAS). This month's final installment looks in depth at configuring some popular client software packages that you can use with IAS. You'll see that configuring any proxy-enabled client software for use with IAS is straightforward once you know and understand the fundamental parameter requirements.
As a proxy server, IAS can act on behalf of other computers on a network. IAS provides access to TCP/IP networks such as the Internet while keeping the workstation address anonymous. To see how IAS makes intruder attacks on your machine almost impossible, see "Microsoft's Internet Access Server," September 1996.
Remember, if you use the lmhosts file to establish a load-balanced proxy environment--as described in "Configuring Microsoft's Internet Access Server," October 1996--when you configure client software packages, you'll want to use the proxy group name you established in the lmhosts file. If you don't want a particular client software package to use the load balancing group, configure that client software to use your preferred proxy server name.
The Web browser is probably the most common type of client software people use on the Internet today. Let's configure two popular Web browsers, Internet Explorer (IE) and Netscape Navigator. We'll also explore RealAudio, an audio software tool, and VDOLive, a video software tool.
You sometimes need to bypass the proxy altogether to reach a certain Internet site. This need can occur if a site is behind a firewall. A proxy running on a host server outside a firewall cannot connect to a server inside the firewall. To work around this firewall restriction, you must bypass the proxy. (For information on firewalls and proxies, see Philip Carden and Charles Kelly, "Firewalls: Securing NT Networks from Internet Intruders.")
Also, if your network uses nonroutable IP addresses--as described in my September article--you can't bypass the proxy to reach sites on the Internet, because your network has no valid routes in and out of the Internet. However, you can still reach sites on your local network if your administrator has established the proper routes. When configuring your proxy server and clients, use routable IP addresses instead of nonroutable addresses to avoid headaches down the road. (For more on IP addressing, see Mark Minasi, "How to Set Up IP," February 1996; "IP Routing with NT," March; "NT Workstations Using an IP Router," May; and "DHCP and Assigning IP Addresses," August.)
Microsoft Internet Explorer 2.0
Configuring IE 2.0 for Windows NT is simple. To arrive at the Properties page, where you'll make your configuration entries, click Start, select Settings, select Control Panel, double-click the Internet icon, click the Advanced property sheet tab, select Use Proxy Server, and enter the proxy server's URL, for example, http://proxyserver:80.
You must enter the proxy server's URL correctly. The example shows the proper syntax to define the port that the proxy server listens to for incoming requests. At the end of the URL, you notice a colon followed by the number 80 (:80). When a client requests an Internet object, the proxy server receives and processes the request on TCP/IP port 80.
If you want to bypass the proxy server when connecting to certain Internet sites, enter those sites in the Bypass proxy on data-entry window. Let's say you want to provide direct access to all computers at microsoft.com and direct access to all FTP sites listening on TCP port 21. To accomplish this task with IE 2.0, enter microsoft.com,:21, as shown in Screen 1. A comma must separate each entry in the Bypass proxy on window. Be sure to prefix the port number with a colon.
Internet Explorer 3.0
Internet Explorer (IE) 3.0 configuration for NT is similar to that for IE 2.0, with some subtle but important differences. You arrive at the Properties configuration page for IE 3.0 in almost the same manner as with IE 2.0. To open the Proxy Settings properties page, click Start, select Settings, select Control Panel, double-click the Internet icon, select the Connection tab, choose Connect Through a Proxy Server, and click Settings.
Screen 2 shows the two group boxes in this dialog: Servers and Exceptions. In the Servers options group, you can make five entries, one for each of the following protocol types: HTTP, Secure, FTP, Gopher, and Socks. You can define a different proxy server for each of these types of Internet protocols. Just enter the appropriate proxy server information in the associated field.
If you prefer one proxy or group of proxies for all protocol types, check Use the same proxy server for all protocols. Checking this box grays out all the data entry fields except the ones associated with the Hypertext Transfer Protocol (HTTP). You then enter the proxy server or proxy group's URL and port number in the corresponding HTTP fields. (Note: Although you enter the information into the HTTP fields, the proxy server uses these same settings to process all other protocol requests.)
The second group box, Exceptions, has two setting options to configure, if you see the need on your network. The first field is Do not use proxy server for addresses beginning with. If you want certain protocols to bypass your proxy server so they have a direct connection, enter them in this field. For example, if you want all FTP connections to bypass the proxy server, enter ftp in the box. Be sure to use semicolons to separate all entries in this box.
The second field in the Exceptions group box is Do not use proxy server for local (intranet) addresses. Check this box to instruct the client software to directly connect to servers on your intranet, bypassing the proxy. This instruction improves the performance of client software packages because it removes the added overhead of communicating with IAS. You use IP addresses and subnet masks to determine whether the destination is local.
Netscape Navigator 2.01
Netscape's Navigator 2.01 is a popular Web browser. Let's configure it step-by-step to work with the proxy server. Open Netscape Navigator, and select the Options menu. On the Proxies property page, select Network Preferences, select Manual Proxy Configuration, and click View. In each proxy field (HTTP, Gopher, FTP, Security, WAIS, and Socks), type the name of the computer running the proxy server and its associated TCP/IP port number.
In the No Proxy for field, shown in Screen 3, enter hosts that you want to access directly, bypassing the proxy server. For example, if you want Navigator 2.01 to connect directly to Netscape's public Web server, enter www.netscape.com:80. And be sure to insert a colon before the port number.
Netscape Navigator 2.02 and 3.0
The Netscape Navigator 2.02 and 3.0 proxy configurations for NT are also straightforward. To configure Netscape Navigator 2.02 and 3.0 to use the proxy server for HTTP protocol requests, open Netscape Navigator, select Options, then Network Preferences. Select the Proxy tab and Manual Proxy Configuration, and click View. In each proxy field (FTP, Gopher, HTTP, Security, WAIS, SOCKS), type the host name or IP address of the computer running the proxy server, and enter the proxy server's associated port number.
In the No proxy for field, follow the same instructions as for Navigator 2.01 to access hosts directly. Enter www.netscape.com:80 to connect directly to Netscape's public Web server.
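The bypass entries and the local-address test described in the browser sections above can be modeled as a small routing decision. This is an added example, not code from Microsoft, Netscape, or the article; the function names are hypothetical, the matching rules (case-insensitive, DNS label boundary) are assumptions rather than documented browser behavior, and the client address is constructed.

```python
import ipaddress

def parse_bypass(spec):
    """Turn a bypass list into (host_suffix, port) rules; either part may be None."""
    rules = []
    for raw in spec.replace(";", ",").split(","):   # comma (IE 2.0) or semicolon (IE 3.0)
        entry = raw.strip().lower()
        if not entry:
            continue
        host, sep, port = entry.rpartition(":")
        if not sep:                                 # plain domain, e.g. microsoft.com
            rules.append((entry, None))
            continue
        if not port.isdigit() or not 0 < int(port) < 65536:
            raise ValueError(f"bad port in bypass entry {raw!r}")
        rules.append((host or None, int(port)))     # ":21" has no host part
    return rules

def host_matches(host, suffix):
    # Assumption: match on a DNS label boundary, so "microsoft.com" covers
    # "ftp.microsoft.com" but not "notmicrosoft.com" (a bare endswith() would).
    host = host.lower().rstrip(".")
    return host == suffix or host.endswith("." + suffix)

def is_local(dest_ip, client_ip, netmask):
    """Local means the destination falls inside the client's own subnet."""
    net = ipaddress.ip_network(f"{client_ip}/{netmask}", strict=False)
    return ipaddress.ip_address(dest_ip) in net

def route(host, port, rules, dest_ip=None, client=None):
    """Return 'direct' or 'proxy' for one outbound connection."""
    if dest_ip and client and is_local(dest_ip, *client):
        return "direct"
    for suffix, rule_port in rules:
        if suffix is not None and not host_matches(host, suffix):
            continue
        if rule_port is not None and rule_port != port:
            continue
        return "direct"
    return "proxy"

# Constructed sample: the article's example entries plus a made-up client address.
RULES = parse_bypass("microsoft.com,:21,www.netscape.com:80")
CLIENT = ("192.168.10.20", "255.255.255.0")

if __name__ == "__main__":
    for host, port in [("www.microsoft.com", 80), ("ftp.example.org", 21),
                       ("notmicrosoft.com", 80), ("www.netscape.com", 443)]:
        print(f"{host}:{port} -> {route(host, port, RULES)}")
```

The :21 rule sends every port-21 connection around the proxy whatever the host, so port-only entries deserve a second look when you review which traffic the proxy never sees.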
RealAudio is a popular software tool (available for Windows 95, Windows 3.1.x, NT, Mac OS 7.x, Linux, Solaris 2.4 and 2.5, SunOS 4.1.x, IRIX 5.3, and FreeBSD). It lets users listen to recorded and live audio across the Internet. RealAudio is widely used across the Internet as a means to deliver all sorts of creative audio content, ranging from live radio broadcasts to recorded speeches or mission statements from corporate executives.
IAS supports RealAudio through the Remote Windows Socket (RWS) service. To configure the RealAudio Player software, you must understand how data moves across the Internet.
RealAudio supports two basic types of transmissions: Transmission Control Protocol (TCP) and User Datagram Protocol (UDP). I won't go into all the details of these two protocols, but I will tell you that UDP is less reliable than TCP. UDP provides no error correction and no guarantee that UDP packets will arrive at their intended destination. When UDP packets do arrive at their destination, they do not necessarily arrive in the same order as you send them. But UDP requires less overhead than TCP and is therefore faster.
In addition to a proxy server, some networks incorporate a separate packet filtering firewall system that doesn't let UDP traffic enter your intranet. In these cases, you must either reconfigure your packet filtering firewall to allow UDP packets for RealAudio, or reconfigure RealAudio to use TCP. The choice is up to you and your network administrators. I won't delve into using RealAudio in this article, but I'll focus instead on configuring the software for use through the RWS using UDP. RWS handles all Winsock applications transparently, so you do not need to configure RealAudio to use the proxy server. Be sure the proxy server is disabled in the RealAudio preference settings.
To configure RealAudio Player to receive audio with the default UDP, start RealAudio Player, select the View menu, and then the Network Preferences tab shown in Screen 4. Click UDP, select the Proxy preferences tab shown in Screen 5, and deselect the Use Proxy field.
Use Specified UDP Port defines the port number the RWS service uses to receive RealAudio data from the Internet. Internet Service Manager in the RWS Permissions property sheet lets you specify the port setting on the RWS service.
IAS's RWS service supports the video protocol VDOLive (for Windows 3.1x, Windows 95, NT, and the PowerMAC). According to rumor, in future releases, Microsoft will integrate VDOLive technology into its new NetMeeting collaborative conferencing software (which is part of the Normandy suite--see Ronald Arden, "Safe Internet Shopping with Microsoft Merchant System," for information about another piece of this suite, and David Truncale, "CompuServe Brings NT Online," for information about CompuServe's plans to implement this suite).
A VDOLive server can send continuous video images over the Internet to VDOLive-compatible clients. To configure your VDOLive client software packages to use IAS, start VDOLive Player, click Setup, and select the Settings tab shown in Screen 6. Click Automatic selection of UDP port, and type the UDP port number RWS uses for VDOLive. The default RWS port is 7001.
Macintosh, UNIX, and Other Clients
You can configure other operating system client types for use with IAS as easily as for the examples you've seen so far. You can configure any software that uses a proxy server or is Winsock compatible for use with IAS with a few simple parameters, including the name of the computer running IAS and the port number IAS uses for the particular protocol.
Rest Easier with IAS
In closing this series on IAS, I will say that you can configure RWS service for just about any custom protocol and port number. This capability provides a lot of forward compatibility for IAS users, especially because developers introduce new Internet protocols every day.
A carefully planned and executed IAS installation will undoubtedly let most network administrators sleep a little bit better at night, knowing their network environment is now a safer place to work from. Just remember: Never assume your network is completely safe. To ensure the highest degree of safety, you must continually monitor your systems and re-evaluate your policies and procedures. No network is impenetrable.
To find the latest information on IAS, point your Web browser to www.microsoft.com/proxy/default.htm, or get it (under its code name, Catapult) from Microsoft's FTP site at ftp.microsoft.com in the /msdownload/catapult directory. The file index.txt in that directory explains each file in the directory.
Microsoft also maintains a newsgroup about this proxy server. You can find the newsgroup, microsoft.public.catapult.beta, on Microsoft's news server at msnews.microsoft.com.
Microsoft Internet Explorer 2.0 and 3.0
Netscape Navigator 2.01, 2.02, and 3.0
Progressive Networks * 206-674-2700
VDOnet * 415-846-7700