Microsoft is about to launch another powerful tool into the BackOffice Suite. The product, a proxy server code named Catapult, makes connecting your intranet to the Internet much safer than ever before. The tentative release name for this little gem is the Microsoft Internet Access Server (IAS), and it is in beta 3 testing as I write this article. Slated for release sometime before the end of this year, this product will let you sleep a little better at night, knowing your network is now a safer environment.
What Is a Proxy?
First, the definition of proxy in a general sense is the "authority or power to act for another." In a network environment, a proxy server has the authority to act on behalf of other computers on the network. The IAS serves as proxy by providing access to the TCP/IP networks such as the Internet while keeping the workstation address anonymous. Workstation anonymity makes intruder attacks on your machine almost impossible. I say almost because a trojan horse or virus can still infiltrate your workstation through a file you download from the Internet, so to be completely safe at the workstation level, you need more than a proxy server. But when the workstation is anonymous, a potential intruder has no way of knowing what client address to attack.
How a Proxy Works
Proxies keep workstations anonymous by servicing TCP/IP protocol requests for the client. First, the client workstation makes a TCP/IP-based protocol request, such as entering a universal resource locator (URL) into a Web browser to pull up a Web page. The client sends the request to the proxy server and waits for the reply. Then, the proxy server receives the request and sends it to the destination address, substituting its server address for the client address. This substitution maintains the anonymity of the client address. Next, the destination processes the request and sends the results back to the proxy server. Finally, the proxy returns the results to the client.
Eliminate Alternative Routes
Simple enough, right? Actually, it is. The secret to establishing a proxy server is to make sure it is the only route to your workstations and servers. The proxy server needs at least one valid, routable IP address. If a real route to the rest of your network doesn't exist, traffic can't reach your machines.
You can eliminate alternative routes in two ways. The first is to choose an arbitrary Class C network pool to use internally. For instance, pick something such as 22.214.171.124 out of the air for one of your Class Cs. This choice gives you 126.96.36.199 through 188.8.131.52 as internal addresses. This Class C network pool is probably assigned to someone already, and the routes on the Internet point to that network, not yours, so you're safe using arbitrary addresses this way. (For more on IP addressing, see Mark Minasi, "How to Set Up IP," Windows NT Magazine, February 1996; "NT Workstations Using an IP Router," May 1996; and "Unlock Your Gateway to the Internet," June 1996.)
The second way is to use what I'll call test address pools. Several non-routable test address pools are available from InterNIC, the US organization that manages domains on the Internet. What you need to understand about these test addresses is that lots of people all over the Internet use them. None of the backbone Internet Service Providers (ISPs) include routes to these addresses, so they are useless for routable traffic but perfect for internal use behind a proxy server.
You're safe using Class C addresses out of the Class A network address pool of 10.0.0.0. This pool provides more than enough IP addresses for an average intranet. If you need fewer than 254 addresses, use a Class C network from this pool. For example, you can have a Class C network, ranging from 10.0.0.1 through 10.0.0.254, that uses a subnet mask of 255.255.255.0. If you need more than one Class C for internal addresses, simply subnet the 10.0.0.0 again (break the pool into more manageable pieces for routing in different directions), creating additional address pools. Subnetting can get rather complex, so seek administrative help if necessary.
IAS consists of the Remote Windows Socket (RWS) service and the proxy service. Either of these services or both provide secure access for your intranet.
The proxy service operates with TCP/IP only and is CERN-Proxy compatible, which broadens the scope of available client software. The proxy server supports Web, gopher, and ftp and has a caching feature that can store frequently requested documents for a given period. Caching reduces bandwidth utilization and speeds information delivery to the client. The proxy lets you configure what to cache, what not to, and the size of the cache. You can implement user-level security, controlling who can and cannot access any particular service. You can also implement IP address filtering, so you can determine overall access to the proxy by granting and denying access according to a workstation's address. The RWS service allows other types of TCP/IP protocols through the IAS and supports most popular Internet tools.
RWS works with an Internet Packet eXchange (IPX)/Sequenced Packet eXchange (SPX) protocol on your network. This combination can provide an additional level of security in the form of a protocol barrier. TCP/IP can't talk to IPX/SPX, so you get the picture. RWS is compatible with most existing Windows Sockets 1.1-compatible applications and lets you control inbound and outbound access by port number, protocol, and user or group. You can establish restrictions via filters that control access to Internet sites by domain name, IP address, and subnet mask.
The IAS integrates seamlessly into an existing Microsoft Internet suite. If you're already running Microsoft's Internet Information Server (IIS), IAS fits like a glove, letting you control the services through the Internet Service Manager, which comes with both IIS and IAS.
The initial setup process is simple and quick, so you won't need more than about 30 minutes to install the entire product. Before you begin installation, review the checklist in the sidebar, "Installation Checklist," on page 85. You'll need to have the necessary information ready after you download IAS from ftp.microsoft.com/msdownload/catapult.
The setup routine installs IAS, copies client software packages to the server and pre-configures them for easy installation, and establishes a network share for installing client software. Here are the eight steps in the installation process.
The proxy access settings are as follows.
That's the initial installation. Be aware that additional configuration is still necessary. These configuration settings can take from 30 minutes to several hours or even days, depending on the number of users needing access to the server.
You'll want to start the Internet Service Manager on the Start Button menu: Select the Programs folder, then the Catapult Server folder, then the Internet Service Manager. You'll find that the Setup program has created a shared directory, iasclnt, on the server.
You access this directory with the universal naming convention (UNC) name \\servername\iasclnt. Your workstations will connect to this share to access and install the appropriate client access software package.
When you look at some features of IAS and walk through the initial installation and preliminary configuration options and settings, you see that the complete IAS package is not very large or complex to configure. The installation process is intuitive and straightforward. I'll cover all the individual security options and settings in detail in my next article.