Windows NT Proxy Server gives you an extra measure of security when you connect your network to the Internet

The direct route to the Internet might not be the safest. A proxy server can give you an extra measure of security as you provide access to TCP/IP networks such as the Internet. Microsoft's Proxy Server lets you connect to the Internet but keep workstation addresses anonymous. Without a workstation address, an intruder doesn't know where to attack. (Mark Joseph Edwards explains proxy servers in "Microsoft's Internet Access Server," September 1996, and "Configuring Microsoft's Internet Access Server," October 1996.)

To connect network workstations to the Internet through Microsoft's Proxy Server, you need a server running Windows NT Server and the latest version of Internet Information Server (IIS), and a communications link to your local Internet Service Provider (ISP). I used an Integrated Services Digital Network (ISDN) line and for communication support, a U.S. Robotics internal Courier I-Modem. The I-Modem is an ISDN terminal adapter that looks and acts like a modem with respect to the server, so the procedures outlined here are identical for any modem.

Proxy Server provides two kinds of services: a Web proxy server and a Winsock proxy server. You can use one or both. Both services can use dynamic connections, and both can operate at the same time using the same connection.

The Web proxy server works with any client that supports a Web proxy server. For example, a Macintosh running Netscape Navigator can use the Web proxy server to access a Web server on the Internet. The Web proxy server works with a Web browser and assumes a TCP/IP connection between the workstation and the NT Server's IIS Web server. Most Web browsers, such as Microsoft's Internet Explorer (IE) and Netscape Navigator, support Web proxy servers. To configure the proxy server settings in IE, select the Connection tab from the View, Options menu. The Web proxy server supports only a few Internet protocols, such as HTTP (Web access) and FTP. You can't use the Web proxy server for Internet applications such as videophones or to pick up email.

The Winsock proxy server uses a special version of the Winsock DLL on each workstation that uses the server. The ordinary Winsock DLL accesses the network directly and provides access to the Web server on the network. In contrast, the proxy Winsock DLL connects to the Winsock proxy server, which redirects any requests to the appropriate server. The proxy server can access local or remote servers. The workstation Winsock DLL can communicate with the proxy server using IPX, NetBIOS, or TCP/IP protocol, whereas the Web proxy server uses TCP/IP to access the requested server.

The Winsock proxy server works with any Winsock application to let the application use any higher-level protocol, such as Post Office Protocol (POP) 3 email services and videoconferencing support. Of course, you need the appropriate application. The Winsock proxy server provides transparent access to any TCP/IP service, including email, but you must have matching Winsock support on the client. Currently, only Windows 3.x, Windows 95, and NT have Winsock support. I will describe how to install and configure both the Web proxy server and the Winsock proxy server, and the Winsock client.

Although I will discuss here only Microsoft's Proxy Server, it is not the only proxy server you can get. Other options are dedicated hardware units, such as Bay Networks Instant Internet, and software solutions, such as Virtual Motion's Internet LanBridge.

Installing the Hardware
The U.S. Robotics Courier I-Modem I used is an internal 16-bit ISA ISDN terminal adapter. I followed U.S. Robotics' instructions for installing the adapter and configured the adapter to appear as COM2. You use U.S. Robotics' DOS-based application to configure the ISDN and to set the ISDN Service Profile Identifier (SPID) numbers. You also need to set the type of ISDN switch your telephone company provides. Telephone company installers provide this information when they install the ISDN line.

The next step is to configure NT to use the modem. First, add the modem (in this case, the I-Modem). You need the configuration floppy supplied with the modem. Second, install the NT Remote Access Service (RAS). From Control Panel, Network, choose the Services tab, then Remote Access Service. In the Remote Access Setup dialog box, click Add. Select the modem from the RAS Capable Devices list on the Add RAS Device dialog, and configure it as Dial out only, as you see in Screen 1. The protocol you select depends on the kind of connection you need, TCP/IP in this case. Choose dynamic IP or fixed IP address according to the type of service your ISP provides.

Close down the network configuration and restart NT Server. You can now use the NT dial-up networking support to test the modem. In Programs, Accessories, Dial-Up Networking, create a new phone book entry. Your ISP supplies the telephone number for the new phone book entry and related information, including the name and password you need to make the connection. Select More, and be sure that the idle time settings in User preferences and Logon preferences are set to the same value; 300 seconds is a good starting point to avoid excessive connect time.

Click the Dial button to test the connection. When you connect, the dial-up status reads Connect and gives the connection speed. You can then terminate the connection, or you can use a Web browser on the server to access the Internet and verify that the connection works. If it does, the Proxy server can use it. If not, determine which settings you need to modify. For example, you can change an incorrect phone number and double check the SPID settings in an ISDN connection.

Installing the Proxy Server
Now you're ready to install Proxy Server. First, make sure you've installed all necessary NT Server patches, including NT Service Packs. Next, use the Setup program in NT Server's Inetsrv directory to install the Web server component of IIS.

Install Proxy Server from its CD-ROM, or download it from Microsoft's Web site (http://www.microsoft.com) and install it from there. The installation uses the standard SETUP.EXE program, which installs all the software in the directory you designate and makes the appropriate changes to the Registry. The installation program also installs IE; you need it because the online documentation is in HTML format. IE also gives you a way to check out the Web proxy server support because IE can use a Web proxy server.

The IIS installation adds the Internet Service Manager (ISM), and the Proxy Server installation adds two entries: the Web proxy server and the Winsock proxy server, as you see in Screen 2. The default configuration lets anyone access any server at any time. For now, this configuration is sufficient.

Start up ISM and adjust the Local Address Table (LAT). The LAT lets the proxy servers know which accesses are local and which go over the remote connection. The LAT also provides access to the local Web server and intranet servers on the network. Open the Web proxy server from the service list in ISM. Select LAT, then Construct Table, to fill in the IP address ranges for the current IP settings NT Server is using, as Screen 3 shows. The defaults are usually sufficient, but you can adjust the settings if, for example, the local network has additional IP address ranges for internal use.

On NT Server, don't install the Winsock proxy client, but set up the copy of IE to access the Web server on the NT Server. This step is necessary because the Winsock proxy replaces the TCP/IP support that the proxy server and IIS need. You will use IE to test the configuration.

Installing the Web Proxy Server
Configuring clients to use the Web proxy server is quick and easy if your Web browser supports proxy access. The latest versions of Navigator and IE do. You must set up the workstation for TCP/IP support on the same network as the proxy server. Web proxy server users don't need to log on to the NT Server or even have network accounts on the server.

You can use Netscape Navigator with the Web proxy server after you configure Navigator to use the server. Select Network Configuration from Netscape's Options menu. Click the Proxies tab, as you see in Screen 4. You must list the Proxy Server in each of the protocols that the browser supports. The most commonly used protocols are HTTP and FTP. Save these entries and exit the browser. Make the settings active by restarting the browser. Make these changes on each workstation.

You can refer to the proxy server by name if a Domain Name System (DNS) server is running on your network. Otherwise, use the IP address of the proxy server. A Web server's port number is usually 80, but because you can use other port numbers, check with the Web server manager to find out whether the number is something other than 80. Both the IP address and port number must be correct.

The Web proxy server support works with any workstation that has a TCP/IP connection and a Web browser that supports a proxy server. I connected an Apple Power Macintosh 6500/250 and a 4400/200 to the Internet through my Web server.

Installing Winsock Proxy
Winsock proxy server installation is slightly more involved, but it requires no change to the Web browser, and it will provide Internet access to any Winsock-compliant application. Unfortunately, Proxy Server supports only Windows machines.

The Proxy Server installation places the Winsock client installation software on the server. You can also find the Winsock client software on the Proxy Server distribution CD-ROM. You must run the setup program on each workstation that uses the Winsock proxy server; however, you need to run the setup program only once, and you can disable the Winsock proxy support from the Control Panel after installation. Disabling Winsock proxy support is handy for laptop users who use Winsock proxy server support when they are attached to the network and use modem Point-to-Point Protocol (PPP) connections elsewhere.

The workstation must have at least one transport protocol that NT Server supports--IPX, NetBIOS, or TCP/IP. During client installation, enter the name of the server that is running the proxy server. You must reboot the client to activate the Winsock proxy support. Then you can use any Winsock-compliant application as usual. The proxy server handles demand-dialing connections as needed; you don't need to start the proxy function separately.

Checking Out the Software
At this point, you have installed the I-Modem, IIS, IE, and Proxy Server. Use the I-Modem dial-up connection to manually connect to the ISP. Use IE to access a known Web site on the Internet through the Web proxy support. If you can't connect this way, change IE to not use a proxy server and see whether IE can access the Internet through the dial-up connection.

After IE is working with the proxy server, you can try proxy clients on the network. Shut down the dial-up connection by clicking the dial-up monitor icon on the NT Server task bar.

You have finished the installation, except for autodial support. Some companies don't want autodial because they want to maintain a connection during working hours and shut down access at other times. The manual connect/disconnect just described is sufficient in these instances.

To activate automatic dial-up support, go to the entry for autodial support in the Proxy Server folder. This program accesses the NT Registry information pertaining to demand-dialing support for the proxy server. The program presents a dialog box with two tabs. The Dialing Hours tab lets you set the time during which dialing can occur (Screen 5 shows calling enabled during working hours; the default is no limit).

The Credentials tab you see in Screen 6 lets you select the RAS phone book entry to use for a remote connection. You can select only one entry; before you select an entry, create the entry by selecting Start, Programs, Accessories, Dial-Up Networking, New. The dialog box includes the name and password for the connection. Autodial uses these settings instead of those in the address book. You usually leave the Domain field in the dialog box blank. After you make changes to autodialing support, shut down and restart the Winsock and Web proxy server services, using ISM, the Services applet in Control Panel, or a command line.

Managing the Proxy Servers
ISM manages the Web proxy server and Winsock proxy server. ISM also handles the Web server, the FTP server, and the gopher server, which are components of IIS. You can start or stop any service independently, except the Web proxy server and the Web server, which are the same service, even though they show as separate services. ISM lists the Web proxy server and the Web server as separate services so you can configure each service. Proxy Server does not change the Web configuration support.

Opening the Web or Winsock proxy server provides access to its configuration dialog box, which has five tabs: Service, Protocols, Permissions, Logging, and Filters. Unlimited access and Web proxy server caching are defaults. You can access the LAT by clicking a button on the Services tab. The table lets Proxy Server know which references are local and hence can go over the network, and which are remote. Remote users can initiate a connection if you have configured and enabled autodial.

You can enable logging, which is useful if you are tracking usage or trying to solve a communications problem. You can configure both proxy servers to limit (by NT user or group) who can use all or portions of the service. In addition, you can limit anonymous access.

Potential Issues
Web proxy caching can improve performance, but enabling it can cause problems. Using Proxy Server can involve security and performance issues. I'll address these issues here; the documentation covers some of them too, but not always directly.

Restricting use of Proxy Server may be important in some environments. You can restrict use by user, by type of connection, and even by the sites that are accessible. The dialing support restricts initial connection time but does not force a disconnect if a connection still exists during a restricted period. Check the Proxy Server documentation in detail if you have specific restriction requirements.
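The two decisions described above, whether a destination is local according to the LAT and whether the Dialing Hours policy permits a new call, can be modelled in a few lines. This is an added example written for this article, not Proxy Server's own code; the LAT ranges and dialing hours are constructed values, and the decision names are my own.

```python
# Added example (not Microsoft Proxy Server code): a model of how a proxy
# decides, per request, whether a destination is local (per the LAT) or
# remote, and whether demand dialing is allowed by the Dialing Hours policy.
from datetime import datetime, time
from ipaddress import IPv4Address

# Constructed LAT: inclusive "start-end" IP ranges, as ISM's Construct Table
# would fill in for an internal network (addresses are made up).
LAT = ["192.168.1.0-192.168.1.255", "10.0.0.0-10.255.255.255"]

# Constructed dialing-hours policy: dialing allowed 08:00-18:00 on weekdays.
DIAL_START, DIAL_END = time(8, 0), time(18, 0)
DIAL_DAYS = {0, 1, 2, 3, 4}  # Monday..Friday

def parse_lat(entries):
    """Turn 'a.b.c.d-e.f.g.h' strings into (start, end) IPv4Address pairs."""
    ranges = []
    for entry in entries:
        start, end = (IPv4Address(p.strip()) for p in entry.split("-"))
        if start > end:
            raise ValueError(f"reversed LAT range: {entry}")
        ranges.append((start, end))
    return ranges

def is_local(dest, ranges):
    """True if dest falls inside any LAT range (served over the LAN)."""
    addr = IPv4Address(dest)
    return any(start <= addr <= end for start, end in ranges)

def dialing_allowed(now):
    """True if a new call may be placed at this moment."""
    return now.weekday() in DIAL_DAYS and DIAL_START <= now.time() < DIAL_END

def route_request(dest, now, link_up, ranges):
    """Return the proxy's decision for one request.

    'direct'  - destination is in the LAT; never touches the ISP link
    'remote'  - outside the LAT and the ISP link is already up
    'dial'    - outside the LAT, link down, and within dialing hours
    'blocked' - outside the LAT, link down, outside dialing hours
    """
    if is_local(dest, ranges):
        return "direct"
    if link_up:
        # An existing connection is still used outside dialing hours; the
        # policy restricts only when a new call may be placed, as noted above.
        return "remote"
    return "dial" if dialing_allowed(now) else "blocked"
```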

Proxy Server supports active caching, which maintains a copy of the Web pages that users access on the server. Also, Proxy Server can obtain pages through links on a cached page to speed up presentation performance because the server is receiving information before a user requests it. Unfortunately, these features can have unhappy consequences with demand-dialing support. Many Web pages now continually send information to provide animated or dynamic updates. The server maintains a connection to receive this information even if the user has moved on to another page because, in theory, the cached page will be accessed in the future. Turn off caching, and have users enable caching on their browser if you allow demand dialing.

Redialing and failure to automatically hang up are two other potential problems that can increase connection times and costs. Make sure the redial and idle timeouts are large enough (e.g., 10 seconds and 300 seconds, respectively) so calls are not made repeatedly. As Screen 7 shows, the redial and idle settings are on the Dialing tab in NT Server's Dial-Up Networking, User Preferences dialog box. You can have a higher telephone bill for many short calls than for one long call because phone companies often round up time in billing and impose a one- to three-minute minimum call time.

Finally we get to the question of cost. Business lines usually incur costs for every use. The amount per minute may be small, but continuous Internet access every day can become costly. At that point, a dedicated line may be most cost effective. You can use Proxy Server with a dedicated line, especially because it provides a basic firewall between the Internet and your network.

A Good Solution
Microsoft's Proxy Server is relatively easy to install and requires minimum maintenance. It can provide selective access to the Internet with transparent demand dialing. Support for low-cost dynamic IP address ISP accounts makes it extremely attractive to small to medium-sized NT server networks.