Indirect Internet Interchange

Proxy Server adds a level of security to your Windows NT server when you connect your network to the Internet.

Wylie Wong

August 31, 1997

ITPro Today

Windows NT Proxy Server gives you an extra measure of security when you connect your network to the Internet

The direct route to the Internet might not be the safest. A proxy server can give you an extra measure of security as you provide access to TCP/IP networks such as the Internet. Microsoft's Proxy Server lets you connect to the Internet but keep workstation addresses anonymous. Without a workstation address, an intruder doesn't know where to attack. (Mark Joseph Edwards explains proxy servers in "Microsoft's Internet Access Server," September 1966, and "Configuring Microsoft's Internet Access Server," October 1996.)

To connect network workstations to the Internet through Microsoft's Proxy Server, you need a server running Windows NT Server and the latest version of Internet Information Server (IIS), and a communications link to your local Internet Service Provider (ISP). I used an Integrated Services Digital Network (ISDN) line and, for communication support, a U.S. Robotics internal Courier I-Modem. The I-Modem is an ISDN terminal adapter that looks and acts like a modem with respect to the server, so the procedures outlined here are identical for any modem.

Proxy Server provides two kinds of services: a Web proxy server and a Winsock proxy server. You can use one or both. Both services can use dynamic connections, and both can operate at the same time using the same connection.

The Web proxy server works with any client that supports a Web proxy server. For example, a Macintosh running Netscape Navigator can use the Web proxy server to access a Web server on the Internet. The Web proxy server works with a Web browser and assumes a TCP/IP connection between the workstation and the NT Server's IIS Web server. Most Web browsers, such as Microsoft's Internet Explorer (IE) and Netscape Navigator, support Web proxy servers. To configure the proxy server settings in IE, select the Connection tab from the View, Options menu. The Web proxy server supports only a few Internet protocols, such as Web access and FTP support. You can't use the Web proxy server for Internet applications such as videophones or to pick up email.

The Winsock proxy server uses a special version of the Winsock DLL on each workstation that uses the server. The ordinary Winsock DLL accesses the network directly and provides access to the Web server on the network. In contrast, the proxy Winsock DLL connects to the Winsock proxy server, which redirects any requests to the appropriate server. The proxy server can access local or remote servers. The workstation Winsock DLL can communicate with the proxy server using IPX, NetBIOS, or TCP/IP protocol, whereas the Web proxy server uses TCP/IP to access the requested server.

The Winsock proxy server works with any Winsock application to let the application use any higher level protocol, such as Post Office Protocol (POP) 3 email services and videoconferencing support. Of course, you need the appropriate application. The Winsock proxy server provides transparent access to any TCP/IP service, including email, but you must have matching Winsock support on the client. Currently, only Windows 3.x, Windows 95, and NT have Winsock support. I will describe how to install and configure both the Web proxy server and the Winsock proxy server, and the Winsock client.

Although I will discuss here only Microsoft's Proxy Server, it is not the only proxy server you can get. Other options are dedicated hardware units, such as Bay Networks Instant Internet, and software solutions, such as Virtual Motion's Internet LanBridge.

Installing the Hardware
The U.S. Robotics Courier I-Modem I used is an internal 16-bit ISA ISDN terminal adapter. I followed U.S. Robotics' instructions for installing the adapter and configured the adapter to appear as COM2. You use U.S. Robotics' DOS-based application to configure the ISDN and to set the ISDN Service Profile Identifier (SPID) numbers. You also need to set the type of ISDN switch your telephone company provides. Telephone company installers provide this information when they install the ISDN line.

The next step is to configure NT to use the modem. First, add the modem (in this case, the I-Modem). You need the configuration floppy supplied with the modem. Second, install the NT Remote Access Service (RAS). From Control Panel, Network, choose the Services tab, then Remote Access Service. In the Remote Access Setup dialog box, click Add. Select the modem from the RAS Capable Devices list on the Add RAS Device dialog, and configure it as Dial out only, as you see in Screen 1. The protocol you select depends on the kind of connection you need, TCP/IP in this case. Choose dynamic IP or fixed IP address according to the type of service your ISP provides.

Close down the network configuration and restart NT Server. You can now use the NT dial-up networking support to test the modem. In Programs, Accessories, Dial-Up Networking, create a new phone book entry. Your ISP supplies the telephone number for its new phone book entry and related information, including the name and password you need to make the connection. Select More, and be sure that the idle time settings in User preferences and Logon preferences are set to the same value; 300 seconds is a good starting point to avoid excessive connect time.

Click the Dial button to test the connection. When you connect, the dial-up status reads Connect and gives the connection speed. You can then terminate the connection, or you can use a Web browser on the server to access the Internet and verify that the connection works. If it does, the Proxy server can use it. If not, determine which settings you need to modify. For example, you can change an incorrect phone number and double check the SPID settings in an ISDN connection.

Installing the Proxy Server
Now you're ready to install Proxy Server. First, make sure you've installed all necessary NT Server patches, including NT Service Packs. Next, use the Setup program in NT Server's Inetsrv directory to install the Web server component of IIS.

Install the Proxy Server from its CD-ROM or download it from Microsoft's Web site (http://www.microsoft.com); then install it. The installation uses the standard SETUP.EXE program, which installs all the software in the directory you designate and makes the appropriate changes to the Registry. The installation program also installs IE; you need it because the online documentation is in HTML format. IE also gives you a way to check out the Web proxy server support because IE can use a Web proxy server.

The IIS installation adds the Internet Service Manager (ISM), and the Proxy Server installation adds two entries: the Web proxy server and the Winsock proxy server, as you see in Screen 2. The default configuration lets anyone access any server at any time. For now, this configuration is sufficient.

Start up ISM and adjust the Local Address Table (LAT). The LAT lets the proxy servers know which accesses are local and which go over the remote connection. The LAT also provides access to the local Web server and intranet servers on the network. Open the Web proxy server from the service list in ISM. Select LAT, then Construct Table, to fill in the IP address ranges for the current IP settings NT Server is using, as Screen 3 shows. The defaults are usually sufficient, but you can adjust the settings if, for example, the local network has additional IP address ranges for internal use.
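The local-versus-remote decision that the LAT drives can be sketched as follows. This is an added example, not Microsoft's code or part of the original article; the table layout, function names and sample ranges are assumptions, and the audit step, which lists ranges outside RFC 1918 private space for manual review, goes beyond what the article describes.

```python
import ipaddress

# Constructed LAT rows as (first, last) address pairs; the values are illustrative only.
SAMPLE_LAT = [
    ("10.0.0.0", "10.255.255.255"),
    ("192.168.1.0", "192.168.1.255"),
    ("198.51.100.0", "198.51.100.255"),  # documentation block standing in for a public range
]

# Private address space defined by RFC 1918.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_lat(rows):
    """Convert (first, last) string pairs to address ranges, rejecting reversed rows."""
    table = []
    for first, last in rows:
        lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
        if lo > hi:
            raise ValueError(f"reversed range: {first}-{last}")
        table.append((lo, hi))
    return table


def is_local(table, address):
    """True if the destination is inside a LAT range, i.e. treated as local
    rather than sent over the remote connection."""
    ip = ipaddress.IPv4Address(address)
    return any(lo <= ip <= hi for lo, hi in table)


def audit_lat(table):
    """Return the ranges that are not wholly inside RFC 1918 space, for manual review."""
    flagged = []
    for lo, hi in table:
        if not any(lo in net and hi in net for net in RFC1918):
            flagged.append(f"{lo}-{hi}")
    return flagged


if __name__ == "__main__":
    lat = parse_lat(SAMPLE_LAT)
    for dest in ("10.1.2.3", "192.168.2.1", "203.0.113.9"):
        print(dest, "local" if is_local(lat, dest) else "remote")
    print("review:", audit_lat(lat))
```

A range that the audit lists is not necessarily wrong, but any address in it is treated as local, so each one deserves a deliberate decision.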

On NT Server, don't install the Winsock proxy client, but set up the copy of IE to access the Web server on the NT Server. This step is necessary because the Winsock proxy replaces the TCP/IP support that the proxy server and IIS need. You will use IE to test the configuration.

Installing the Web Proxy Server
Configuring clients to use the Web proxy server is quick and easy if your Web browser supports proxy access. The latest versions of Navigator and IE do. You must set up the workstation for TCP/IP support on the same network as the proxy server. Web proxy server users don't need to log on to the NT Server or even have network accounts on the server.

You can use Netscape Navigator with the Web proxy server after you configure Navigator to use the server. Select Network Configuration from Netscape's Options menu. Click the Proxies tab, as you see in Screen 4. You must list the Proxy Server in each of the protocols that the browser supports. The most commonly used protocols are HTTP and FTP. Save these entries and exit the browser. Make the settings active by restarting the browser. Make these changes on each workstation.

You can refer to the proxy server by name if a Domain Name System (DNS) server is running on your network. Otherwise, use the IP address of the proxy server. A Web server's port number is usually 80, but because you can use other port numbers, check with the Web server manager to find out whether the number is something other than 80. Both the IP address and port number must be correct.

The Web proxy server support works with any workstation that has a TCP/IP connection and a Web browser that supports a proxy server. I connected an Apple Power Macintosh 6500/250 and a 4400/200 to the Internet through my Web server.

Installing Winsock Proxy
Winsock proxy server installation is slightly more involved, but it requires no change to the Web browser, and it will provide Internet access to any Winsock-compliant application. Unfortunately, Proxy Server supports only Windows machines.

The Proxy Server server installation places the Winsock client installation software on the server. You can also find the Winsock client software on the Proxy Server distribution CD-ROM. You must run the setup program on each workstation that uses the Winsock proxy server; however, you need to run the setup program only once, and you can disable the Winsock proxy support from the Control Panel after installation. Disabling Winsock proxy support is handy for laptop users who use Winsock proxy server support when they are attached to the network and use modem Point-to-Point Protocol (PPP) connections elsewhere.

The workstation must have at least one transport protocol that NT Server supports--IPX, NetBIOS, or TCP/IP. During client installation, enter the name of the server that is running the proxy server. You must reboot the client to activate the Winsock proxy support. Then you can use any Winsock-compliant application as usual. The proxy server handles demand-dialing connections as needed; you don't need to start the proxy function separately.

Checking Out the Software
At this point, you have installed the I-Modem, IIS, IE, and Proxy Server. Use the I-Modem dial-up connection to manually connect to the ISP. Use IE to access a known Web site on the Internet through the Web proxy support. If you can't connect this way, change IE to not use a proxy server and see whether IE can access the Internet through the dial-up connection.

After IE is working with the proxy server, you can try proxy clients on the network. Shut down the dial-up connection by clicking the dial-up monitor icon on the NT Server task bar.

You have finished the installation, except for autodial support. Some companies don't want autodial because they want to maintain a connection during working hours and shut down access at other times. The manual connect/disconnect just described is sufficient in these instances.

To activate automatic dial-up support, go to the entry for autodial support in the Proxy Server folder. This program accesses the NT Registry information pertaining to demand-dialing support for the proxy server. The program presents a dialog box with two tabs. The Dialing Hours tab lets you set the time during which dialing can occur (Screen 5 shows calling enabled during working hours; the default is no limit).

The Credentials tab you see in Screen 6 lets you select the RAS phone book entry to use for a remote connection. You can select only one entry; before you select an entry, create the entry by selecting Start, Programs, Accessories, Dial-Up Networking, New. The dialog box includes the name and password for the connection. Autodial uses these settings instead of those in the address book. You usually leave the Domain field in the dialog box blank. After you make changes to autodialing support, shut down the Winsock and Web proxy server services, and use ISM, the Services applet in Control Panel, or a command line.

Managing the Proxy Servers
ISM manages the Web proxy server and Winsock proxy server. ISM also handles the Web server, the FTP server, and the gopher server, which are components of IIS. You can start or stop any service independently, except the Web proxy server and the Web server, which are the same service, even though they show as separate services. ISM lists the Web proxy server and the Web server as separate services so you can configure each service. Proxy Server does not change the Web configuration support.

Opening the Web or Winsock proxy server provides access to its configuration dialog box, which has five tabs: Service, Protocols, Permissions, Logging, and Filters. Unlimited access and Web proxy server caching are defaults. You can access a LAT by clicking a button on the Services tab. The Table lets Proxy Server know which references are local and hence can go over the network, and which are remote. Remote users can initiate a connection if you have configured and enabled autodial.

You can enable logging, which is useful if you are tracking usage or trying to solve a communications problem. You can configure both proxy servers to limit (by NT user or group) who can use all or portions of the service. In addition, you can limit anonymous access.

Potential Issues
Web proxy caching can improve performance, but enabling it can cause problems. Using Proxy Server can involve security and performance issues. I'll address these issues here; the documentation covers some of them too, but not always directly.

Restricting use of Proxy Server may be important in some environments. You can restrict use by user and by type of connection and even by the sites that are accessible. The dialing support restricts initial connection time but does not force a disconnect if a connection still exists during a restricted period. Check the Proxy Server documentation for details if you have specific restriction requirements.
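Because the dialing-hours restriction applies only when a call is placed, a review of connection records is the way to see sessions that ran on into a restricted period. The check below is an added example, not part of the original article or of Proxy Server; the 08:00-18:00 window, the record layout and the function names are assumptions, and the session records are constructed.

```python
from datetime import datetime, time, timedelta

# Assumed policy for illustration: dialing allowed 08:00-18:00.
ALLOWED_START, ALLOWED_END = time(8, 0), time(18, 0)

# Constructed (connect, disconnect) records; not a real RAS or Proxy Server log format.
SESSIONS = [
    ("1997-09-01 09:15", "1997-09-01 09:40"),
    ("1997-09-01 17:50", "1997-09-01 19:20"),
    ("1997-09-01 23:05", "1997-09-01 23:10"),
]


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")


def in_hours(moment):
    """True if the moment falls inside the allowed dialing window."""
    return ALLOWED_START <= moment.time() < ALLOWED_END


def minutes_outside_hours(connect, disconnect):
    """Count the session minutes that fall outside the allowed window."""
    outside, t = 0, connect
    while t < disconnect:
        if not in_hours(t):
            outside += 1
        t += timedelta(minutes=1)
    return outside


def audit(sessions):
    """Flag sessions dialed out of hours or that overran into a restricted period."""
    findings = []
    for connect_s, disconnect_s in sessions:
        connect, disconnect = parse(connect_s), parse(disconnect_s)
        over = minutes_outside_hours(connect, disconnect)
        if not in_hours(connect):
            findings.append((connect_s, "dialed outside hours", over))
        elif over:
            findings.append((connect_s, "overran into restricted period", over))
    return findings


if __name__ == "__main__":
    for finding in audit(SESSIONS):
        print(finding)
```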

Proxy Server supports active caching, which maintains a copy of the Web pages that users access on the server. Also, Proxy Server can obtain pages through links on a cached page to speed up presentation performance because the server is receiving information before a user requests it. Unfortunately, these features can have unhappy consequences with demand-dialing support. Many Web pages now continually send information to provide animated or dynamic updates. The server maintains a connection to receive this information even if the user has moved on to another page because, in theory, the cached page will be accessed in the future. Turn off caching, and have users enable caching on their browser if you allow demand dialing.

Redialing and failure to automatically hang up are two other potential problems that can increase connection times and costs. Make sure the redial and idle settings are large enough (e.g., 10 seconds and 300 seconds, respectively) so calls are not made repeatedly. As Screen 7 shows, the redial and idle settings are on the Dialing tab in NT Server's Dial-Up Networking, User Preferences dialog box. You can have a higher telephone bill for many short calls than for one long call because phone companies often round up time in billing and impose a one- to three-minute minimum call time.

Finally we get to the question of cost. Business lines usually incur costs for every use. The amount per minute may be small, but continuous Internet access every day can become costly. At that point, a dedicated line may be most cost effective. You can use Proxy Server with a dedicated line, especially because it provides a basic firewall between the Internet and your network.

A Good Solution
Microsoft's Proxy Server is relatively easy to install and requires minimum maintenance. It can provide selective access to the Internet with transparent, demand dialing. Support for low-cost dynamic IP address ISP accounts makes it extremely attractive to small to medium-sized NT server networks.

About the Author

Wylie Wong

Wylie Wong is a journalist and freelance writer specializing in technology, business and sports. He previously worked at CNET, Computerworld and CRN and loves covering and learning about the advances and ever-changing dynamics of the technology industry. On the sports front, Wylie is co-author of Giants: Where Have You Gone, a where-are-they-now book on former San Francisco Giants. He previously launched and wrote a Giants blog for the San Jose Mercury News, and in recent years, has enjoyed writing about the intersection of technology and sports.
