Configuring Microsoft’s Internet Access Server

Last month's article, "Microsoft's Internet Access Server," looked at the installation and basic setup process for Microsoft's new Internet Access Server (IAS), a proxy server that makes connecting your intranet to the Internet a much safer thing to do. IAS, which is in beta 3 testing, is slated for release by the end of the year. This article looks at some details of configuring IAS once you install it.

The Proxy Server
In a network environment, a proxy server has the authority to act for other computers on the network. The IAS is a proxy, providing each workstation with access to TCP/IP networks such as the Internet, while keeping the workstation address anonymous. Such anonymity makes intruder attacks on your machine almost impossible.

You manage IAS through the Internet Service Manager (ISM). To start ISM, click Start, select Programs, Catapult Server, and then Internet Service Manager. If you have other Internet services on your Windows NT machine, you'll see them in the ISM display. Screen 1 shows the ISM with all the services installed and running.

All the configuration settings are on the administrative interface for each service. To display a service's administrative interface, double-click the service name in the ISM or right-click the service name and select Service Properties.

The Proxy Service
The Proxy service controls access to FTP, WWW, and Gopher sites on the Internet. The administrative interface for the Proxy service has five tabs: Service, Permissions, Caching, Logging, and Filters.

The Service tab is for informational purposes only and contains nothing to configure but a comment field, which lets you describe this service so users can view the description in ISM. Click Current Sessions to display a list of the users connected to the Proxy service at any given moment.

The Permissions tab, as shown in Screen 2, lets you grant or deny various users and groups access rights to the proxy for Internet access. You can separately manage three types of access here: FTP, Web, and Gopher. To allow access to a service, select it in the Rights pulldown, and click Add to display the Add Users and Groups dialog. Once you add the users and groups that get access, click OK. To disallow access rights to a user or group, select the user or group and click Remove.

Tip: The User Manager for Domains lets you create a group that includes the user accounts of all users who need access to FTP, Web, or Gopher. Once you create this group, you need to apply permissions for each service only once for the group, rather than once for each member. This approach can be a real time saver.

The Caching tab, shown in Screen 3, presents the cache property settings. The Proxy service cache lets you configure the service to store Internet objects on your local hard drive for a given period. This option can greatly reduce response times and bandwidth utilization. When a client machine requests an Internet object that is in the cache, the Proxy server delivers the cached copy instead of getting the object from the Internet site.

The cache expires at intervals the administrator sets. The proxy server will retrieve a fresh copy of the Web object when a client requests it again or before a client requests the object, depending on how the cache is configured.

The cache has two modes of operation: passive and active. In the passive mode, IAS copies each object someone requests from the Internet to the hard disk of the computer running the IAS server. In active mode, IAS updates objects in the cache periodically, whether a user requests them or not.

The proxy cache has five areas to configure:

1. The Enable Caching check box enables and disables the cache.
2. The Cache Expiration Policy lets you adjust the freshness of objects in the cache. Freshness is a measure of how long to store and use a local copy of a cached object before IAS updates it from the Web site. A slider bar lets you adjust this setting. Move the slider bar toward Always Request Updates to keep objects fresher and increase the traffic the IAS server generates. Move the slider bar toward Fewest Internet Requests to lengthen the time you store objects before IAS refreshes and to decrease the traffic the IAS server generates.
3. The Active Caching Policy ensures the freshness of Internet objects you store on the hard disk, by letting the cache manager generate a request for an Internet object without a client's prompting. Move the slider bar toward Most Client Cache Hits to update the cache more frequently, or toward Fewest Internet Requests to reduce the frequency of update requests to Internet sites.
4. The Cache Size lets you add and remove drives from caching and set the amount of disk space for caching Internet objects. The limit to the cache size is the amount of disk space available. Theoretically, cache size has no upward limitations.
5. The Advanced Cache Options let you specify which objects to cache and the maximum object size to cache, and enable server protection and cache filtering. Cache filtering lets you specify filename, directory name, and domain name to restrict which objects to always cache or never cache. To display Advanced Cache Options, click Advanced.

The Logging tab presents the available log settings. You can turn logging on or off, select regular logging or verbose logging, and select data logging to a text file or a database. Each log record contains the username, client type, client protocol, time and date stamp, and size of the requested object.

The Filters tab, in Screen 4, presents the filtering properties that let you control access to Internet sites through the server. The filtering mechanism grants or denies access based on the IP address or domain name of particular Internet sites. For example, to block access to a Web site to keep employees from misusing company time, you select Denied, click Add, select Domain, and then enter the Web address in the Domain data entry window. That's all there is to it.

Remote Windows Socket
Now let's look at the Remote Windows Socket (RWS) service. As I mentioned last month, RWS is a mechanism that makes a Windows Sockets-compatible application running on a private network perform as if it were directly connected to the Internet, when actually, a gateway computer connects the two networks. IAS can be the gateway.

You access the administrative interface for RWS the same way as for the proxy server. Open ISM, and double-click the RWS service. The RWS administrative interface consists of four tabs: Service, Permissions, Logging, and Filters.

The Service tab has only one field, Comment, which lets you describe this service. ISM lets you view the comment.

The Permissions tab is the most extensive area of the RWS administrative interface. You can add, change, and remove protocols and control access to each protocol. This page has five elements: Service, Right, Add, Remove, and Protocols.

Service lists the Internet protocols available to users of the RWS service that is using this server. To add a protocol to this list, choose Protocols and complete the dialog. To grant a user protocol access, select that protocol from the Service box, click Add, and complete the dialog. The Right box lists the users and groups that can use the protocol on this server. Add lets you assign a user or group the right to use a protocol. You must first select the protocol from Services, choose Add, and then complete the Add Users and Groups dialog. Remove deletes a user or group's right to use a protocol on this server. Protocols displays the dialog that lets you add a protocol, modify an existing protocol configuration, or remove a protocol.

The Logging tab, shown in Screen 5, is the same as the Logging tab for the proxy server. You can turn logging on or off, select regular or verbose logging, and select data logging to a text file or a database.

The Filters tab lets you grant and deny access to Internet sites that users can access through RWS. Access filtering can prohibit access to specified sites or allow access to only the sites specified. The filtering applies to all users who access the Internet through RWS on this server.

Working Together
You can configure the Proxy service and the RWS service to work together. Doing so lets you use Internal Package eXchange (IPX) and Sequenced Packet eXchange (SPX) on the internal network. This capability eases integration for Novell shops because they don't have to migrate to TCP/IP. Having the proxy and RWS work together also allows streaming and datagram Internet protocols and the Windows NT Challenge/Response authentication between the client and IAS server.

To configure the proxy to work with RWS, follow these steps:

1. Configure the client's Internet browser to use the Catapult Server Proxy service.
2. Configure the client computer to use any RWS server on the internal network.
3. If the private network is running TCP/IP, use the IAS setup to configure the Local Address Table (LAT) to remove the Proxy server's internal IP address from the LAT. This configuration forces the use of RWS between the client and IAS server. You must modify the LAT on all IAS servers on the private network. If your internal network runs on IPX/SPX, you can skip this step because you won't have TCP/IP routing tables to manage.

Proxy Gateways in DNS
Configuring multiple proxy server gateways is becoming more common in large network environments. As the number of users who need Internet access from your LAN grows, load balancing multiple proxy servers will become increasingly important to you.

Balance your network traffic with IAS by creating a group name in your lmhosts file. To this group, you assign all client computer applications. The group will contain a list of all the machine names and IP addresses for each proxy server on your network. The lmhosts file includes sample entries that demonstrate how to correctly create entries in this file.

Use the lmhosts file to create a group to configure client software to implement load balancing by following these steps:

1. Open the lmhosts file with a text editor such as Notepad. A sample lmhosts file named lmhosts.sam is in the \systemroot\system32\drivers\etc directory. If you have not configured a lmhosts file for your network, open the lmhosts.sam file and save it (in the same directory that contains lmhosts.sam) to a new file called lmhosts.
2. Create a new group name for the proxy servers that will participate in the load balancing. Be sure the group name does not conflict with other group names or NT domain names. Enter the group name to make new proxy server entries, one per line, in the lmhosts file. The proxy denotes groups by the #dom tag at the end of each proxy server entry. Be sure that each proxy server's entry includes the IP address, the NetBIOS machine name, and the #dom tag with the group name. In the example below, the group name is proxygate.

   206.4.11.69 proxy1  
    #DOM:proxygate #PRE
   206.4.11.70 proxy2  
    #DOM:proxygate #PRE
   206.4.11.71 proxy3  
    #DOM:proxygate #PRE
   

   As the example shows, you can include the #pre tag. It tells NT to preload these entries when the operating system boots. The #pre tag is not required, but it can help improve the overall proxy server performance because name lookups resolve faster if the proxy doesn't have to read the lmhosts file from disk. Screen 6 shows a sample lmhosts file.
3. Save the file, and exit the editor.
4. Configure your client software to use the proxy name.

When you use a group in the lmhosts file, client computers requesting an Internet object through the group name tell Domain Name System (DNS) to cycle through the gateways listed in the group, one at a time. (See Spyros Sakellariadis, "Configuring and Administering DNS," August 1996, for more on DNS components.) The first request uses the first name in the list, the second request uses the second name, and so on. This cycle establishes load balancing, which can ease the burden of any particular proxy server. The lmhosts file is in the systemroot\ system32 \drivers\etc subdirectory.

Gateways in WINS
If your network relies on Windows Internet Name Service (WINS) instead of DNS for name resolution, WINS lets you configure a multi-homed environment to facilitate Internet object requests. (Spyros Sakellariadis covers DNS and WINS in "Integrating and Administering DNS," September 1996, and Ed Tittel and Mary Madden explain multi-homing in "Multi-Homing on the Web," September 1996.) WINS is similar to the DNS environment: You create one entry that contains the list of IP addresses for all the proxy server gateways. (For more on IP addressing, see Mark Minasi "How to Set Up IP," February 1996; "IP Routing with NT," March; "NT Workstations Using an IP Router," May; "Unlock Your Gateway to the Internet," June; "DHCP and Assigning IP Addresses," August; and "Gateways Revisited," on page 47.)

WINS provides three levels of name resolution for this configuration. First, the WINS server attempts to match a client's request with the client's IP address. Next, WINS will seek a proxy server on the same subnetwork as the client. Then WINS seeks a proxy server on the same network as the client. If WINS cannot match a client to a gateway, it will randomly pick a gateway from the WINS list of gateways to facilitate the Internet object request.

RWS with Multiple Gateways
By default, clients on an internal network use the RWS gateway that you configure them for. You achieve load balancing by installing RWS on the clients from each gateway you want the client to use. For example, if you expect a particular group of users to produce heavier-than-normal traffic to the RWS service--as with video conferencing--distribute the users across your gateways to lighten the load on any particular server.

Securing Your Network
Overall, IAS provides a great way to begin securing your network. With RWS, you'll find the future expandability adequate as new Internet protocols become available. Now that NT 4.0 is available, you can expect the release of IAS soon.

As I end this article, I leave you with one final and very important thought to ponder--no panacea for network security exists, so act diligently. For more on network security, see John Enck, "Confronting Your Network Security Nightmares," page 81, and Keith Pleas, "Securing Windows NT," on page 74.

Internet Access Server beta 3

Microsoft * 206-882-8080 Web: www.microsoft.com/infoserv/catapult Price: Free