Microsoft is about to launch another powerful tool into the BackOffice Suite. The product, a proxy server code named Catapult, makes connecting your intranet to the Internet much safer than ever before. The tentative release name for this little gem is the Microsoft Internet Access Server (IAS), and it is in beta 3 testing as I write this article. Slated for release sometime before the end of this year, this product will let you sleep a little better at night, knowing your network is now a safer environment.
What Is a Proxy?
First, the definition of proxy in a general sense is the "authority or power to act for another." In a network environment, a proxy server has the authority to act on behalf of other computers on the network. The IAS serves as proxy by providing access to the TCP/IP networks such as the Internet while keeping the workstation address anonymous. Workstation anonymity makes intruder attacks on your machine almost impossible. I say almost because a trojan horse or virus can still infiltrate your workstation through a file you download from the Internet, so to be completely safe at the workstation level, you need more than a proxy server. But when the workstation is anonymous, a potential intruder has no way of knowing what client address to attack.
How a Proxy Works
Proxies keep workstations anonymous by servicing TCP/IP protocol requests for the client. First, the client workstation makes a TCP/IP-based protocol request, such as entering a universal resource locator (URL) into a Web browser to pull up a Web page. The client sends the request to the proxy server and waits for the reply. Then, the proxy server receives the request and sends it to the destination address, substituting its server address for the client address. This substitution maintains the anonymity of the client address. Next, the destination processes the request and sends the results back to the proxy server. Finally, the proxy returns the results to the client.
Eliminate Alternative Routes
Simple enough, right? Actually, it is. The secret to establishing a proxy server is to make sure it is the only route to your workstations and servers. The proxy server needs at least one valid, routable IP address. If a real route to the rest of your network doesn't exist, traffic can't reach your machines.
You can eliminate alternative routes in two ways. The first is to choose an arbitrary Class C network pool to use internally. For instance, pick something such as 220.127.116.11 out of the air for one of your Class Cs. This choice gives you 18.104.22.168 through 22.214.171.124 as internal addresses. This Class C network pool is probably assigned to someone already, and the routes on the Internet point to that network, not yours, so you're safe using arbitrary addresses this way. (For more on IP addressing, see Mark Minasi, "How to Set Up IP," Windows NT Magazine, February 1996; "NT Workstations Using an IP Router," May 1996; and "Unlock Your Gateway to the Internet," June 1996.)
The second way is to use what I'll call test address pools. Several non-routable test address pools are available from InterNIC, the US organization that manages domains on the Internet. What you need to understand about these test addresses is that lots of people all over the Internet use them. None of the backbone Internet Service Providers (ISPs) include routes to these addresses, so they are useless for routable traffic but perfect for internal use behind a proxy server.
You're safe using Class C addresses out of the Class A network address pool of 10.0.0.0. This pool provides more than enough IP addresses for an average intranet. If you need fewer than 254 addresses, use a Class C network from this pool. For example, you can have a Class C network, ranging from 10.0.0.1 through 10.0.0.254, that uses a subnet mask of 255.255.255.0. If you need more than one Class C for internal addresses, simply subnet the 10.0.0.0 again (break the pool into more manageable pieces for routing in different directions), creating additional address pools. Subnetting can get rather complex, so seek administrative help if necessary.
IAS consists of the Remote Windows Socket (RWS) service and the proxy service. Either of these services or both provide secure access for your intranet.
The proxy service operates with TCP/IP only and is CERN-Proxy compatible, which broadens the scope of available client software. The proxy server supports Web, gopher, and ftp and has a caching feature that can store frequently requested documents for a given period. Caching reduces bandwidth utilization and speeds information delivery to the client. The proxy lets you configure what to cache, what not to, and the size of the cache. You can implement user-level security, controlling who can and cannot access any particular service. You can also implement IP address filtering, so you can determine overall access to the proxy by granting and denying access according to a workstation's address. The RWS service allows other types of TCP/IP protocols through the IAS and supports most popular Internet tools.
RWS works with an Internet Packet eXchange (IPX)/Sequenced Packet eXchange (SPX) protocol on your network. This combination can provide an additional level of security in the form of a protocol barrier. TCP/IP can't talk to IPX/SPX, so you get the picture. RWS is compatible with most existing Windows Sockets 1.1-compatible applications and lets you control inbound and outbound access by port number, protocol, and user or group. You can establish restrictions via filters that control access to Internet sites by domain name, IP address, and subnet mask.
The IAS integrates seamlessly into an existing Microsoft Internet suite. If you're already running Microsoft's Internet Information Server (IIS), IAS fits like a glove, letting you control the services through the Internet Service Manager, which comes with both IIS and IAS.
The initial setup process is simple and quick, so you won't need more than about 30 minutes to install the entire product. Before you begin installation, review the checklist in the sidebar, "Installation Checklist," on page 85. You'll need to have the necessary information ready after you download IAS from ftp.microsoft.com/msdownload/catapult.
The setup routine installs IAS, copies client software packages to the server and pre-configures them for easy installation, and establishes a network share for installing client software. Here are the eight steps in the installation process.
- Setup searches for installed components.
- You then choose a directory for the software installation.
- You can choose components to install from the list in Screen 1. Here's a nice surprise: The documentation is in Hypertext Markup Language (HTML) format, which Microsoft has promised for all Help files as we move toward the browser-based desktop.
The options include the various client software packages necessary to use the proxy server. Some available client packages are NT versions for Intel, PowerPC, MIPS, Alpha, Intel-based Windows 95 clients, and Windows 3.x clients, as you see in Screen 2.
- Setup stops any Microsoft Internet services, such as the IIS Web server, that are running.
- You choose the drive(s) you want for caching documents from the list in Screen 3. Setup recommends drives with at least 50MB of free space. You can certainly choose drives with less space, but you'll be limited in how much information you can cache.
- You define the IP address ranges on your internal networks as shown in Screen 4. The information you enter here creates a Local Address Table (LAT). The LAT is the iaslat.txt file, which, by default, is in the \ias\clients directory on the same drive on which you install the server. When a workstation runs the client setup program, the LAT downloads from the server to the client workstation.
When an RWS-type client attempts to access an IP address, it uses the LAT to determine whether the address is local or remote. Local addresses are on your network, and remote addresses are outside your network on the Internet. You can connect to local addresses directly and to remote Internet addresses through IAS.
- Setup lets you preconfigure most aspects of the client software packages, which minimizes administrative efforts. Screen 5 shows the settings in two groups, one for RWS and one for the proxy. The RWS access settings are as follows.
- A radio button group pre-configures the client software package to contact the RWS service by name or IP address. To rely on DNS names or machines names for client access, check that box and enter the server name. (For more information on DNS, see Spyros Sakellariadis, "Configuring and Administering DNS" and "Integrating and Administering DNS," Windows NT Magazine, August and September 1996.) To access the server by IP address, check that box and enter the server IP address.
- A check box lets you disable Access Control. If you check this box, all internal clients can use RWS without restriction. When this box is not checked (the default setting), only clients that have permissions for specific protocols can use RWS. The Internet Service Manager lets you assign these permissions.
The proxy access settings are as follows.
- A check box tells the IAS setup to configure the client packages so that they automatically configure Web browsers for use with a given proxy access server. To automate some of the client package installation process, check this box.
- A data entry box lets you predetermine the machine name of the proxy access server that the client packages on this computer will use. If you check set Client setup to configure browser proxy settings, enter the proxy server name in this data-entry box.
- Setup checks for necessary disk space and copies the required files. Once the file copy operation is complete, Setup restarts any Internet Services that it had stopped, and then exits.
That's the initial installation. Be aware that additional configuration is still necessary. These configuration settings can take from 30 minutes to several hours or even days, depending on the number of users needing access to the server.
You'll want to start the Internet Service Manager on the Start Button menu: Select the Programs folder, then the Catapult Server folder, then the Internet Service Manager. You'll find that the Setup program has created a shared directory, iasclnt, on the server.
You access this directory with the universal naming convention (UNC) name \\servername\iasclnt. Your workstations will connect to this share to access and install the appropriate client access software package.
When you look at some features of IAS and walk through the initial installation and preliminary configuration options and settings, you see that the complete IAS package is not very large or complex to configure. The installation process is intuitive and straightforward. I'll cover all the individual security options and settings in detail in my next article.