A firewall and Web cache server in one package

As the Internet's popularity soars, companies are searching for ways to manage and control employees' access to the Internet and external Internet users' access to resources on the corporate network. One tool that companies might consider is Microsoft's Proxy Server 2.0, a BackOffice software package that serves as a firewall and Web cache server. Proxy Server 2.0 acts as a gateway between your internal LAN and the external Internet network, helping you protect your network from unauthorized access by external Internet users, control employees' access to the Internet, and improve Internet access and network response time.

Microsoft significantly improved Proxy Server between versions 1.0 and 2.0. The most important difference is that Proxy Server 1.0 controls only outbound network traffic (i.e., traffic from your LAN to the Internet), whereas Proxy Server 2.0 controls outbound and inbound traffic (i.e., traffic from the Internet to your LAN). Proxy Server 1.0 also lacks several features--packet filtering, alerting, inbound connectivity, and support for Virtual Private Networks (VPNs)--that basic firewall packages typically include. Proxy Server 2.0 now includes those features and more.

However, Proxy Server 2.0 is not necessarily meant to replace your existing firewall. Although Proxy Server 2.0 can serve as the sole firewall solution for many companies, it doesn't include all the features that high-end firewall packages provide. So if you already have a firewall product, your best option is to use Proxy Server 2.0 to complement, not replace, your existing firewall. If you do not have a firewall, whether you use Proxy Server 2.0 exclusively depends on the level of security and performance that your business demands.

Looking at Proxy Server 2.0's features can help you decide whether it will meet your company's security needs as well as performance needs. The following focuses on two major areas of interest in Proxy Server 2.0: security and performance.

Security
Microsoft added many new security features to Proxy Server 2.0. The new and the original features work together to offer important security capabilities, such as server proxying, reverse proxying, reverse hosting, alerting and logging, dynamic packet filtering, multilayer security, and VPN support.

Server proxying. Proxy Server 2.0 monitors and forwards incoming packets to the appropriate server. For example, you can configure Proxy Server 2.0 to use Simple Mail Transfer Protocol (SMTP) to direct incoming mail packets to your mail server. However, setting up server proxying can require a lot of work. For example, to use Exchange in server proxying, you must configure static packet filters and set up authentication.

Reverse proxying. Proxy Server 2.0 impersonates the Web server when dealing with inbound traffic. In other words, Proxy Server 2.0 responds to Internet requests and forwards them to Internet Information Server (IIS) or another Web server. Internet users are unaware that Proxy Server 2.0, not IIS, is passing and monitoring their requests.

Reverse hosting. Reverse hosting takes reverse proxying one step further by letting the Web servers behind Proxy Server 2.0 publish to the Web. Proxy Server 2.0 listens and responds to requests on the Web servers' behalf. Thus, reverse hosting lets you publish to the Web without compromising security.

Alerting and logging. You can configure Proxy Server 2.0 to immediately alert you to suspicious activities (such as protocol violations) and certain attacks (such as SYN attacks) on your network. For example, in a normal connection setup between a client and a server, the client sends a SYN message. The server responds with a SYN-ACK message and then waits for a return ACK message from the client. If the SYN comes from an incorrect source IP address (for example, a forged address that will never answer), the server sends a SYN-ACK and then waits for an ACK that never arrives. As the source sends more such SYNs, the half-open connections they leave behind can tie up the server's TCP ports, and legitimate users will not be able to use the services. This SYN attack can seriously affect Internet Service Providers (ISPs) and other companies that rely heavily on Internet access. You can configure Proxy Server 2.0 to alert you after the server rejects a specific number of packets, and you can set several alerting thresholds. When your system reaches a threshold, Proxy Server 2.0 can notify you by email (via Simple Network Management Protocol--SNMP) or pager (if your email product supports paging).
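To make the threshold idea concrete, here is an added example (it is not part of Proxy Server 2.0 and does not show how the product counts rejected packets) that runs a simple half-open-connection counter over a constructed trace of handshake events, the kind of record a packet filter can produce. The addresses, thresholds and timeout are constructed values chosen for illustration.

```javascript
// Added example, not part of Proxy Server 2.0: a threshold-based SYN-attack
// detector run over a constructed trace of TCP handshake events. A SYN that is
// never followed by the client's ACK stays "half-open"; once the number of
// half-open connections on a port reaches a threshold, one alert record per
// level and port is produced.

// Constructed sample trace (not real traffic). t is seconds; step is the
// handshake step seen by the server: SYN from the client, ACK completing it.
const TRACE = [
  // A legitimate client completes its handshake.
  { t: 0.0, src: '198.51.100.7',  sport: 40001, dport: 80, step: 'SYN' },
  { t: 0.1, src: '198.51.100.7',  sport: 40001, dport: 80, step: 'ACK' },
  // A burst of SYNs from addresses that never answer the SYN-ACK.
  { t: 1.0, src: '203.0.113.9',   sport: 1024,  dport: 80, step: 'SYN' },
  { t: 1.1, src: '203.0.113.10',  sport: 1025,  dport: 80, step: 'SYN' },
  { t: 1.2, src: '203.0.113.11',  sport: 1026,  dport: 80, step: 'SYN' },
  { t: 1.3, src: '203.0.113.12',  sport: 1027,  dport: 80, step: 'SYN' },
  { t: 1.4, src: '203.0.113.13',  sport: 1028,  dport: 80, step: 'SYN' },
  { t: 1.5, src: '203.0.113.14',  sport: 1029,  dport: 80, step: 'SYN' },
  // Another legitimate client, later.
  { t: 2.0, src: '198.51.100.8',  sport: 40002, dport: 80, step: 'SYN' },
  { t: 2.2, src: '198.51.100.8',  sport: 40002, dport: 80, step: 'ACK' },
];

// Constructed thresholds; a real deployment tunes them per server.
const DEFAULT_THRESHOLDS = [['warning', 3], ['critical', 5]];

function detectSynFlood(trace, { timeout = 3, thresholds = DEFAULT_THRESHOLDS } = {}) {
  const halfOpen = new Map();   // 'src:sport:dport' -> time the SYN arrived
  const fired = new Set();      // 'level:dport' alerts already raised
  const alerts = [];
  for (const ev of trace) {
    // Forget entries the server itself would have given up on by now.
    for (const [key, t0] of halfOpen) if (ev.t - t0 > timeout) halfOpen.delete(key);
    const key = `${ev.src}:${ev.sport}:${ev.dport}`;
    if (ev.step === 'SYN') halfOpen.set(key, ev.t);       // new half-open connection
    else if (ev.step === 'ACK') halfOpen.delete(key);     // handshake completed
    // Count half-open connections on this destination port and compare.
    let count = 0;
    for (const k of halfOpen.keys()) if (k.endsWith(`:${ev.dport}`)) count++;
    for (const [level, limit] of thresholds) {
      const tag = `${level}:${ev.dport}`;
      if (count >= limit && !fired.has(tag)) {
        fired.add(tag);
        alerts.push({ t: ev.t, dport: ev.dport, level, halfOpen: count });
      }
    }
  }
  return alerts;
}

// Text of the notification an alert would be sent as (email or pager).
function formatAlert(a) {
  return `[${a.level.toUpperCase()}] t=${a.t}s: ${a.halfOpen} half-open connections on port ${a.dport}`;
}

for (const a of detectSynFlood(TRACE)) console.log(formatAlert(a));
```

Note that the legitimate handshakes never raise an alert because their ACKs remove the entries again; only SYNs that are never completed accumulate. The timeout mirrors the server eventually discarding a half-open connection, which is why a slow trickle of bad SYNs does not trip the threshold while a burst does.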

After Proxy Server 2.0 alerts you to attacks and suspicious activities, it records alert information (and other inbound and outbound traffic data) in the System Log. Proxy Server 2.0 can log data to a text file, an Open Database Connectivity (ODBC) database, or a SQL server database. You need to think twice about logging to a SQL server database, however. Although you can take advantage of SQL Server's advanced querying and reporting features, logging events to a SQL server database is much slower than logging events to a text file. Furthermore, you need an ODBC-compliant database (such as Microsoft Access) to read the log files.

Dynamic packet filtering. Proxy Server 2.0 filters all inbound and outbound packets. You have control over inbound and outbound traffic without manually predefining certain ports for specific applications, which means less administrative work for you. Proxy Server 2.0 achieves filtering by opening the port when the communication starts and then closing it as soon as the communication ends. Because Proxy Server 2.0 opens the port only when necessary, you have a more secure network.
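The following added example (not Proxy Server 2.0 code; the internal prefix, timeouts and packet sequence are constructed) models the behaviour just described in a toy stateful filter: a port opens only when an internal host starts a connection, stays open for that connection's return traffic, and closes again once the connection ends.

```javascript
// Added example, not Proxy Server 2.0 code: a toy stateful packet filter that
// models dynamic filtering. An outbound SYN from the internal network opens a
// "pinhole" for that connection's return traffic; the pinhole closes shortly
// after both sides have sent FIN (or at once on RST), or after an idle timeout;
// an inbound packet that matches no open pinhole is dropped.

const INTERNAL_PREFIX = '10.0.0.';   // constructed; stands in for the Local Address Table

function flowKey(p)    { return `${p.src}:${p.sport}->${p.dst}:${p.dport}`; }
function reverseKey(p) { return `${p.dst}:${p.dport}->${p.src}:${p.sport}`; }

class DynamicPacketFilter {
  constructor({ idleTimeout = 60, closeGrace = 2 } = {}) {
    this.idleTimeout = idleTimeout;  // seconds without traffic before a flow is forgotten
    this.closeGrace = closeGrace;    // seconds a closing flow still accepts its final ACK
    this.flows = new Map();          // flowKey -> { last, fins, closeAt }
  }

  expire(now) {
    for (const [key, f] of this.flows) {
      const dead = f.closeAt !== null ? now - f.closeAt > this.closeGrace
                                      : now - f.last > this.idleTimeout;
      if (dead) this.flows.delete(key);
    }
  }

  // Decide one packet: returns 'ACCEPT' or 'DROP' and updates the flow table.
  handle(p) {
    this.expire(p.t);
    const outbound = p.src.startsWith(INTERNAL_PREFIX);
    const key = outbound ? flowKey(p) : reverseKey(p);
    if (outbound && p.flags === 'SYN') {
      // The inside initiates: open the port for this flow only, and only now.
      this.flows.set(key, { last: p.t, fins: 0, closeAt: null });
      return 'ACCEPT';
    }
    const f = this.flows.get(key);
    if (!f) return 'DROP';             // nothing inside asked for this traffic
    f.last = p.t;
    if (p.flags === 'RST') this.flows.delete(key);                 // abort: close at once
    else if (p.flags === 'FIN' && ++f.fins === 2) f.closeAt = p.t; // both sides done
    return 'ACCEPT';
  }
}

// Constructed packet sequence: one web session from inside, two unsolicited
// inbound packets, and a late packet after the session has closed.
const PACKETS = [
  { t: 0.0,  src: '10.0.0.5',    sport: 40000, dst: '203.0.113.1', dport: 80,    flags: 'SYN' },
  { t: 0.1,  src: '203.0.113.1', sport: 80,    dst: '10.0.0.5',    dport: 40000, flags: 'SYN-ACK' },
  { t: 0.2,  src: '10.0.0.5',    sport: 40000, dst: '203.0.113.1', dport: 80,    flags: 'ACK' },
  { t: 0.3,  src: '203.0.113.1', sport: 80,    dst: '10.0.0.5',    dport: 40001, flags: 'PSH' },  // wrong client port
  { t: 0.4,  src: '203.0.113.5', sport: 5555,  dst: '10.0.0.5',    dport: 139,   flags: 'SYN' },  // unsolicited inbound
  { t: 1.0,  src: '10.0.0.5',    sport: 40000, dst: '203.0.113.1', dport: 80,    flags: 'FIN' },
  { t: 1.1,  src: '203.0.113.1', sport: 80,    dst: '10.0.0.5',    dport: 40000, flags: 'ACK' },
  { t: 1.2,  src: '203.0.113.1', sport: 80,    dst: '10.0.0.5',    dport: 40000, flags: 'FIN' },
  { t: 1.3,  src: '10.0.0.5',    sport: 40000, dst: '203.0.113.1', dport: 80,    flags: 'ACK' },
  { t: 10.0, src: '203.0.113.1', sport: 80,    dst: '10.0.0.5',    dport: 40000, flags: 'PSH' },  // port closed again
];

function runFilter(packets) {
  const fw = new DynamicPacketFilter();
  return packets.map(p => fw.handle(p));
}

console.log(runFilter(PACKETS).join(' '));
```

The verdicts for the sequence are ACCEPT for the session's own packets, DROP for the two packets no internal host asked for, and DROP again for the packet that arrives after the session has closed, which is the "open only when necessary" property the text describes. A real filter also checks which interface a packet arrived on rather than trusting the source address alone; that is left out here for brevity.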

Multilayer security. In addition to securing the packet layer with dynamic packet filtering, Proxy Server 2.0 offers security at the application and circuit layers. The Web Proxy service secures the application layer, and the WinSock Proxy service and SOCKS Proxy service secure the circuit layer.

With these three services, you can deny or permit access to the Internet and intranet at any organizational level, including the user level. You can deny or permit requests for a domain of computers, one IP address, or a combination of an IP address and a subnet mask.

You set detailed permission lists by Internet protocol. The Web Proxy service supports HTTP, Secure HTTP (S-HTTP), FTP, and Gopher. The SOCKS Proxy service supports SOCKS 4.3a. The SOCKS Proxy service also supports TCP applications, such as HTTP, Telnet, FTP, or Gopher, but it does not support UDP applications, such as RealAudio, VDOLive, or Microsoft NetShow. The WinSock Proxy service supports Windows Sockets (Winsock) 1.1-based protocols, such as TCP/IP, America Online (AOL), Internet Relay Chat (IRC), and Post Office Protocol (POP) 3. Because of the support for both Winsock 1.1 and SOCKS 4.3a, you can use Proxy Server 2.0 on Windows-based clients and non-Windows-based clients (such as Macintosh and UNIX).

VPN support. If you install Proxy Server 2.0 and Routing and Remote Access Service (RRAS) on the same machine at a remote site, you can use the Internet as a backbone to send encrypted communication to the corporate network. This method uses Point-to-Point Tunneling Protocol (PPTP) to create a secure VPN. Using a VPN is more cost-effective than other options because a VPN needs only a local call to the local ISP, whereas most other options use a T1 line.

Performance
Microsoft greatly improved Proxy Server 2.0's performance between versions 1.0 and 2.0. Microsoft's tests showed a 40 percent performance increase in files-per-second throughput on a single-processor system and a 44 percent performance increase on a dual-processor system. (Because Proxy Server 2.0 isn't very CPU intensive, adding a second processor typically isn't beneficial.) Microsoft achieved these performance increases by improving the product's cache architecture and protocol support.

Improved Cache Architecture
Microsoft significantly improved the cache architecture in Proxy Server 2.0. (To use this new cache architecture, you need an NTFS partition.) With such capabilities as distributed caching, Cache Array Routing Protocol (CARP), hierarchical caching, and array caching, some companies might purchase Proxy Server 2.0 just for its Web cache server.

Distributed caching. ISPs and other large organizations that serve large numbers of cached objects will find this capability beneficial. Distributed caching spreads the cache across several proxy servers, providing fault tolerance. It also moves cached content closer to the users, enhancing overall performance.

To implement distributed caching, you must use CARP. You must also set up your proxy servers for hierarchical (i.e., chained) caching, array caching, or a combination thereof. (Combining hierarchical and array caching provides additional fault tolerance.)

CARP. Microsoft developed CARP to overcome the limitations in the Internet Cache Protocol (ICP), which Proxy Server 1.0 uses. In large networks containing many ICP-based proxy servers, the querying between servers can cause additional network traffic. In addition, if an array contains many proxy servers, you might end up with duplicated cached objects on servers. CARP doesn't use queries for distributed caching. Instead, it uses hash-based routing, which improves response time to users' queries and significantly reduces extraneous network traffic. If you configure multiple proxy servers as an array, CARP lets you treat all the servers as one large logical cache, avoiding duplication of cached contents.

Hierarchical caching. You can chain proxy servers together in a hierarchy. In this hierarchy, Proxy Server 2.0 forwards a request for an object, such as a URL, upstream until the request reaches a proxy server that has the URL cached. For example, you can chain your proxy servers so that a request first goes through the proxy server at a branch office, then through the proxy server at corporate headquarters, and eventually to the Internet if none of the in-house proxy servers has the URL cached. The server that has the URL cached responds directly to the request. This setup distributes the server load and provides fault tolerance.

Array caching. An array is a group of proxy servers that you manage as one logical unit. When a user sends a URL request to an array, Proxy Server 2.0 automatically routes the request to the proxy server with the highest score. Proxy Server 2.0 determines the proxy servers' scores by regularly checking their status and notes the available servers on an array membership list. When Proxy Server 2.0 receives a URL request, it computes a hash value for each available proxy server and a hash value for the requested URL. For each available machine, Proxy Server 2.0 adds the server hash value and the URL hash value to obtain a score. Proxy Server 2.0 then sends the URL request to the proxy server with the highest score. If that server cannot fulfill the URL request, Proxy Server 2.0 routes the request to the server with the next highest score, and so on until a server can fulfill the request. The proxy server that fulfills the request, not the server that received it, responds to the request.

Improved Protocol Support
In addition to improving the cache architecture, Microsoft improved Proxy Server 2.0's support for protocols. Proxy Server 1.0 lets you cache only HTTP 1.0 objects. Proxy Server 2.0 lets you cache HTTP 1.0, HTTP 1.1, and FTP objects.

Full support for HTTP 1.1 requires IIS 4.0 or Netscape Communicator. HTTP 1.1 offers several performance-enhancing features, such as persistent connections, pipelining, and HTTP PUT and DELETE.

Persistent connections. When a client requests an object from a Web server, the client establishes a connection with that server. A Web page might contain a dozen different objects, in which case, the client needs to establish a dozen different connections to display that page in the browser. Setting up and closing these connections can affect network performance and strain the client's and the server's resources. With persistent connections, the connection remains intact for a specified time. That way, the client doesn't need to reestablish the connection for every request. Proxy Server 2.0 supports persistent connections between the client and the proxy server and between the proxy server and the server on the Internet.

Pipelining. In a typical network, clients send a request to the Web server and then wait for the server to respond. With the use of pipelining, clients can send several requests to the Web server without waiting for a response. Thus, pipelining enhances performance because the server can process more requests from clients in a given time.
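Persistent connections and pipelining change what a client, or a proxy relaying for it, must do to tell one response from the next. The added example below (not proxy code; the request paths and the response stream are constructed) writes several requests back to back and then splits the replies that come back on the same connection by their own framing, since the end of the connection no longer marks the end of a message.

```javascript
// Added example, not proxy code: handling pipelined requests on a persistent
// HTTP 1.1 connection. Requests go out back to back; responses come back in
// the same order on the same connection, so each response must be delimited by
// Content-Length or a chunked body rather than by the connection closing.

function buildPipelinedRequests(host, paths) {
  // Several requests written without waiting for any response.
  return paths.map(p => `GET ${p} HTTP/1.1\r\nHost: ${host}\r\n\r\n`).join('');
}

// Reads a chunked body starting at off; returns the body and the offset after the terminator.
function readChunked(buf, off) {
  const parts = [];
  for (;;) {
    const lineEnd = buf.indexOf('\r\n', off);
    if (lineEnd === -1) throw new Error('incomplete chunk size line');
    const size = parseInt(buf.toString('latin1', off, lineEnd), 16);
    off = lineEnd + 2;
    if (size === 0) {
      const trailerEnd = buf.indexOf('\r\n\r\n', off - 2);   // optional trailers end with a blank line
      if (trailerEnd === -1) throw new Error('incomplete chunked trailer');
      return { body: Buffer.concat(parts), next: trailerEnd + 4 };
    }
    if (off + size + 2 > buf.length) throw new Error('incomplete chunk');
    parts.push(buf.subarray(off, off + size));
    off += size + 2;   // skip the chunk data and its trailing CRLF
  }
}

// Splits a byte stream of back-to-back responses into individual messages.
function parseResponses(buf) {
  const messages = [];
  let off = 0;
  while (off < buf.length) {
    const headEnd = buf.indexOf('\r\n\r\n', off);
    if (headEnd === -1) throw new Error('incomplete headers');
    const [statusLine, ...lines] = buf.toString('latin1', off, headEnd).split('\r\n');
    const headers = {};
    for (const line of lines) {
      const i = line.indexOf(':');
      headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
    }
    const bodyStart = headEnd + 4;
    let body, next;
    if ((headers['transfer-encoding'] || '').toLowerCase() === 'chunked') {
      ({ body, next } = readChunked(buf, bodyStart));
    } else if ('content-length' in headers) {
      const n = parseInt(headers['content-length'], 10);
      if (!Number.isInteger(n) || n < 0 || bodyStart + n > buf.length) throw new Error('bad or incomplete Content-Length body');
      body = buf.subarray(bodyStart, bodyStart + n);
      next = bodyStart + n;
    } else {
      // Without framing the only delimiter is end of connection, which a
      // persistent connection never provides between responses.
      throw new Error('response has no Content-Length or chunked framing');
    }
    messages.push({ status: parseInt(statusLine.split(' ')[1], 10), headers, body: body.toString('latin1') });
    off = next;
    if ((headers['connection'] || '').toLowerCase() === 'close') break;   // server ends the connection
  }
  return messages;
}

// Constructed stream: three responses to three pipelined requests; the last one closes the connection.
const RESPONSE_STREAM = Buffer.from(
  'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 12\r\n\r\n<p>index</p>' +
  'HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\n\r\n5\r\nhello\r\n6\r\n world\r\n0\r\n\r\n' +
  'HTTP/1.1 404 Not Found\r\nContent-Length: 0\r\nConnection: close\r\n\r\n', 'latin1');

const PIPELINED_PATHS = ['/index.html', '/greeting', '/missing'];
parseResponses(RESPONSE_STREAM).forEach((m, i) => console.log(PIPELINED_PATHS[i], m.status, JSON.stringify(m.body)));
```

The parser refuses a response that carries neither framing header, because on a persistent connection such a response cannot be separated from the one that follows it; that strictness is what keeps the pairing of pipelined requests and responses correct.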

HTTP PUT and DELETE. With HTTP PUT, you can use the standard HTTP protocol to post files on a Web site. With HTTP DELETE, you can use the standard HTTP protocol to delete files on a Web site.

Tips for Installing and Configuring Proxy Server 2.0
Now that you are familiar with many of Proxy Server 2.0's security and performance capabilities, here are some tips that can help you with its installation and configuration. These tips fall in a wide range of areas, including server installation and configuration, client installation and configuration, permissions, Web publishing, and alerting and logging.

Server installation and configuration tips. Because Proxy Server 2.0 is an Internet Server API (ISAPI) filter, you must install Proxy Server 2.0 on the same machine as IIS. When you install Proxy Server 2.0, the setup program asks you to provide a list of internal IP addresses that constitute your private network. Proxy Server 2.0 creates the Local Address Table (LAT) with this information. Each proxy client gets a copy of the LAT, which the server updates every 6 hours.

You must confirm that the LAT contains only internal network addresses and no external (Internet) addresses or default gateway IP addresses, because Proxy Server 2.0 relies on the LAT to isolate your internal network from the external network. You can confirm that the internal and external networks are separate by pinging an external machine from a client on the internal network and by pinging an internal machine from an external machine on the Internet. In both cases, the ping should be unsuccessful.
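As a complement to the ping test, the added check below (not a Proxy Server 2.0 tool) reads a LAT, modelled as the start-end address pairs the setup dialog asks for, and reports any range that covers the external NIC address or the default gateway. The table and the two external addresses are constructed for the example; the warning for ranges outside the private address blocks is the example's own heuristic, since internal networks can legitimately use other addresses.

```javascript
// Added example, not a Proxy Server 2.0 tool: a check that a Local Address
// Table contains only internal addresses. A range that covers the external
// NIC or the default gateway is an error, because it would make the proxy
// treat outside hosts as internal; a range outside the private (RFC 1918)
// blocks gets a warning for the administrator to confirm.

function ipToInt(ip) {
  const o = ip.split('.').map(Number);
  if (o.length !== 4 || o.some(n => !Number.isInteger(n) || n < 0 || n > 255)) throw new Error('bad IP ' + ip);
  return ((o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]) >>> 0;
}

// RFC 1918 private blocks as [start, end] integers.
const PRIVATE_BLOCKS = [['10.0.0.0', '10.255.255.255'], ['172.16.0.0', '172.31.255.255'],
                        ['192.168.0.0', '192.168.255.255']].map(([a, b]) => [ipToInt(a), ipToInt(b)]);

// lat: array of [start, end] strings; external: { label: ip } of addresses that must not be inside.
function checkLat(lat, external) {
  const findings = [];
  for (const [start, end] of lat) {
    const s = ipToInt(start), e = ipToInt(end);
    const range = `${start}-${end}`;
    if (s > e) { findings.push({ range, level: 'error', problem: 'start address is after end address' }); continue; }
    for (const [label, ip] of Object.entries(external)) {
      const n = ipToInt(ip);
      if (n >= s && n <= e) findings.push({ range, level: 'error', problem: `covers the ${label} (${ip})` });
    }
    if (!PRIVATE_BLOCKS.some(([ps, pe]) => s >= ps && e <= pe))
      findings.push({ range, level: 'warning', problem: 'not within a private (RFC 1918) block; confirm it is internal' });
  }
  return findings;
}

// Constructed LAT: two correct entries and one that wrongly includes the external subnet.
const LAT = [['10.0.0.0', '10.255.255.255'], ['192.168.1.0', '192.168.1.255'], ['203.0.113.0', '203.0.113.255']];
const EXTERNAL = { 'external NIC': '203.0.113.17', 'default gateway': '203.0.113.1' };

for (const f of checkLat(LAT, EXTERNAL)) console.log(`${f.level}: ${f.range} ${f.problem}`);
```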

Another potential pitfall when setting up Proxy Server 2.0 is incorrectly configuring IP forwarding. If you inadvertently enable IP routing between Proxy Server 2.0's two NICs, you risk giving the outside world access to your internal network. Proxy Server 2.0's setup program gives you no warning if you mistakenly enable IP forwarding.

Another warning about IP forwarding concerns Remote Access Service (RAS). If you install RAS, Proxy Server 2.0 automatically enables IP forwarding, even if you previously disabled it. However, you need to use RAS's packet filtering instead of Proxy Server 2.0's packet filtering. Thus, you must disable packet filtering in Proxy Server 2.0. (I tested Proxy Server 2.0 using RAS, which comes with NT 4.0, and not with the upgrade, RRAS.)

Client installation and configuration tips. Because Proxy Server 2.0 supports a wide range of protocols, it works with many different types of clients, including Web Proxy clients, WinSock Proxy clients, SOCKS Proxy clients, FTP clients, and HTTP clients. Although the configuration process is similar for the various types of clients, you need to know about a few quirks.

You don't need any special software to set up Web Proxy clients. With Proxy Server 2.0's Client Auto-Configuration program, you can use predefined JavaScript scripts or custom scripts to automatically install and configure Web Proxy clients. You can also use the Internet Explorer Administration Kit (IEAK) or Systems Management Server (SMS) to automate the installation and configuration of Web Proxy clients.

Unlike the Web Proxy service, the WinSock Proxy and SOCKS Proxy services require special client software. The WinSock Proxy service consists of two components: a WinSock Proxy service running on NT Server 4.0 and a WinSock Proxy client .dll file (Winsock.dll for 16-bit and Wsock32.dll for 32-bit Windows-based applications) running on the client. The SOCKS Proxy service is part of WinSock Proxy service, so if you install the WinSock Proxy support on the client, you will also have support for SOCKS Proxy. You cannot use NET STOP or NET START commands at the command prompt to stop or start the SOCKS Proxy service. Proxy Server 2.0 includes a special tool, remotmsp.exe (in the \MSP folder), to start and stop this service.

You can use Proxy Server 2.0's Client Configuration option to configure how clients connect to WinSock Proxy Server, as Screen 1 shows. If you are using array caching, you can specify the Domain Name System (DNS) name in the Computer name text box to resolve the IP addresses of all array members. This configuration is particularly useful for load balancing.

You can also use Proxy Server 2.0's Client Configuration option to automatically configure clients' browsers. That way, the clients must go through Proxy Server 2.0 to connect to the Internet instead of directly connecting to it. If you select the Configure Web browsers to use Automatic Configuration check box in Screen 1, Proxy Server 2.0 will automatically use the default URL. If you want to specify a custom URL, you click Configure. Under Browser automatic configuration script, the Properties option lets Proxy Server 2.0 generate an automatic configuration script for browsers. The clients can use the script to locate the cache objects in a proxy server array.
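To show what such a browser script does, here is an added example of an automatic-configuration (PAC) script, covering both the array scoring described under "Array caching" above and the client-side script discussed here. It is not the script Proxy Server 2.0 generates: the array members, internal ranges and host table are constructed, and the ranking follows this article's description (one score per member per URL, highest first, the rest as fallbacks) rather than the exact hash functions of the CARP specification. Because adding the same URL hash to every member hash would rank the members identically for every URL, the example hashes member and URL together; that is the example's simplification. The dnsResolveLocal function stands in for the PAC dnsResolve() call so the script also runs outside a browser, for example under Node.

```javascript
// Added example: a browser automatic-configuration (PAC) script in the spirit
// of the one Proxy Server 2.0 generates for an array; not the product's script.
// Hosts on the internal network are reached DIRECT; everything else goes to the
// array member with the highest score for the URL, with the remaining members
// listed in descending order as fallbacks (the browser tries them in turn).

var ARRAY_MEMBERS = ['proxy1.corp.example:80', 'proxy2.corp.example:80', 'proxy3.corp.example:80'];  // constructed
var INTERNAL_RANGES = [['10.0.0.0', '255.0.0.0'], ['192.168.0.0', '255.255.0.0']];   // network, mask (constructed)
var HOST_TABLE = { 'intranet.corp.example': '10.1.2.3', 'www.example.com': '203.0.113.10' };  // constructed

function ipToInt(ip) {
  var p = ip.split('.');
  return ((p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3]) >>> 0;
}

// Stand-in for the PAC dnsResolve() function: a constructed lookup table.
function dnsResolveLocal(host) {
  if (/^\d+\.\d+\.\d+\.\d+$/.test(host)) return host;
  return HOST_TABLE[host] || null;
}

function isInternal(ip) {
  var n = ipToInt(ip);
  for (var i = 0; i < INTERNAL_RANGES.length; i++) {
    var net = ipToInt(INTERNAL_RANGES[i][0]), mask = ipToInt(INTERNAL_RANGES[i][1]);
    if (((n & mask) >>> 0) === ((net & mask) >>> 0)) return true;
  }
  return false;
}

// 32-bit string hash (djb2), chosen because it needs nothing beyond basic operators.
function hash32(s) {
  var h = 5381;
  for (var i = 0; i < s.length; i++) h = ((h << 5) + h + s.charCodeAt(i)) >>> 0;
  return h;
}

// One deterministic score per member per URL (example's simplification of CARP).
function memberScore(member, url) { return hash32(member + '|' + url); }

// Members ordered by score, highest first.
function rankMembers(url) {
  return ARRAY_MEMBERS.slice().sort(function (a, b) { return memberScore(b, url) - memberScore(a, url); });
}

function FindProxyForURL(url, host) {
  if (host.indexOf('.') === -1) return 'DIRECT';   // plain host name: local
  var ip = dnsResolveLocal(host);
  if (ip !== null && isInternal(ip)) return 'DIRECT';
  var ordered = rankMembers(url);
  var out = [];
  for (var i = 0; i < ordered.length; i++) out.push('PROXY ' + ordered[i]);
  return out.join('; ');
}

console.log(FindProxyForURL('http://www.example.com/index.html', 'www.example.com'));
console.log(FindProxyForURL('http://intranet.corp.example/', 'intranet.corp.example'));
```

Every client running the same script computes the same ranking for a given URL, which is what lets the array behave as one logical cache: the same URL is always asked of the same member first, and the fallbacks give the "next highest score" behaviour when that member is unavailable.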

With FTP clients, the server typically establishes the data connection with the client. However, several third-party FTP clients (such as WS_FTP) require that the client establish the connection. You can force an FTP client to establish the connection by enabling passive (PASV) transfers. (PASV transfers are also what you use with router-based firewalls that allow connections in one direction only.) As Screen 2, page 150 shows, you enable PASV transfers in WS_FTP by selecting the Passive transfers check box in the Session Profile's Advanced Profile Parameters dialog box.

You can also use FTP through your Web browser. You might need to enable Web Proxy support for PASV FTP in certain situations by modifying the following Registry entry on the server: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3proxy\Parameters\NonPassiveFTPTransfer. By default, the entry has a REG_DWORD value of 1 (nonpassive). You need to change this value to 0 to make PASV FTP the default transfer mode.

If you have HTTP clients and if you enable packet filtering, you might encounter timeout errors and have problems publishing to the Internet. These problems occur because Proxy Server 2.0 blocks all inbound and outbound nonproxy requests. To work around this problem, you need to enable access control in Web Proxy service properties and create custom packet filters for the HTTP and S-HTTP clients. For more information about this workaround, check out Microsoft Support Online article Q176921, "Enable Internet Publishing on Proxy Server 2.0 Fails" (http://support.microsoft.com/support/kb/articles/q176/9/21.asp).

If you have WinSock Proxy clients and if you enable packet filtering, your clients might experience problems with applications such as IRC, FTP, or Telnet. The packet filtering might be blocking Identd (Identification protocol), which some Internet servers use to identify other Internet hosts. To solve these problems, you can add the Identd predefined filter.

Permissions tips. By default, Proxy Server 2.0 does not select the Enable access control check box under the Permissions tab. If you select this option, you must manually configure the protocols that users and groups can use to access the Internet or intranet. If you select this check box but do not manually configure the protocols, you will deny users access to resources connected with any protocol.

The Permissions tab in the WinSock Proxy Service Properties dialog box also contains an Enable access control check box, as Screen 3 shows. By default, Proxy Server 2.0 enables this option. I strongly recommend that you do not disable access control. If you do, all WinSock Proxy clients can access the Internet, which is equivalent to giving the clients anonymous access.

At the top of the Protocol list in Screen 3 is Unlimited Access. I recommend that you do not select this option, because it overrides WinSock domain packet filtering. In other words, if you give users or groups unlimited access, they can access all the protocols and all the ports (including any ports that you haven't defined in the protocol configuration) on the server.
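The added example below (not Proxy Server 2.0 code) models the permission rules from this section and from the earlier discussion of multilayer security, so you can see how a configuration will behave before you apply it: whether access control is enabled, which users or groups hold each protocol, the Unlimited Access grant that bypasses the protocol and port definitions, and destination filters by domain, single IP address, or address plus subnet mask. The users, groups, protocols and filters are constructed, and checking the destination filter before everything else is the example's ordering, not a statement about the product's internals.

```javascript
// Added example, not Proxy Server 2.0 code: a small model of proxy permission
// rules. checkAccess() returns whether a request is allowed and why.

const GROUPS = { alice: ['Staff'], bob: ['Staff', 'Admins'], carol: [] };   // constructed

// Protocol definitions with the port each uses and who may use it.
const PROTOCOLS = {
  HTTP:   { port: 80, grants: ['Staff'] },
  FTP:    { port: 21, grants: ['Admins'] },
  Telnet: { port: 23, grants: [] },          // defined but nobody granted: denied to all
};
const UNLIMITED_ACCESS = ['Admins'];         // who holds the Unlimited Access grant

// Destination filters: a domain (and its subdomains), one host, or a network with mask.
const DENY = [
  { domain: 'badsite.example' },
  { ip: '203.0.113.50' },
  { ip: '198.51.100.0', mask: '255.255.255.0' },
];

function ipToInt(ip) {
  const o = ip.split('.').map(Number);
  return ((o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]) >>> 0;
}
function inSubnet(ip, net, mask) {
  const m = ipToInt(mask);
  return ((ipToInt(ip) & m) >>> 0) === ((ipToInt(net) & m) >>> 0);
}

function destinationDenied(dest) {   // dest = { host, ip }
  return DENY.some(r =>
    (r.domain !== undefined && (dest.host === r.domain || dest.host.endsWith('.' + r.domain))) ||
    (r.ip !== undefined && r.mask === undefined && dest.ip === r.ip) ||
    (r.ip !== undefined && r.mask !== undefined && inSubnet(dest.ip, r.ip, r.mask)));
}

function holdsGrant(user, grants) {
  const groups = GROUPS[user] || [];
  return grants.includes(user) || groups.some(g => grants.includes(g));
}

// Returns { allow, reason } for one request.
function checkAccess({ user, protocol, port, dest, accessControl = true }) {
  if (destinationDenied(dest)) return { allow: false, reason: 'destination is on the deny list' };
  if (!accessControl) return { allow: true, reason: 'access control disabled: everyone gets through (anonymous access)' };
  if (holdsGrant(user, UNLIMITED_ACCESS)) return { allow: true, reason: 'Unlimited Access: any protocol, any port' };
  const def = PROTOCOLS[protocol];
  if (!def) return { allow: false, reason: `protocol ${protocol} is not defined` };
  if (port !== undefined && port !== def.port) return { allow: false, reason: `port ${port} is not part of the ${protocol} definition` };
  if (!holdsGrant(user, def.grants)) return { allow: false, reason: `${user} is not granted ${protocol}` };
  return { allow: true, reason: `${user} is granted ${protocol}` };
}

// Constructed requests covering each rule.
const WEB = { host: 'www.example.com', ip: '203.0.113.10' };
const CASES = [
  { user: 'alice', protocol: 'HTTP', port: 80, dest: WEB },                        // allowed
  { user: 'alice', protocol: 'FTP', port: 21, dest: WEB },                         // not granted
  { user: 'alice', protocol: 'Telnet', port: 23, dest: WEB },                      // nobody granted
  { user: 'alice', protocol: 'HTTP', port: 8080, dest: WEB },                      // port not in definition
  { user: 'bob', protocol: 'IRC', port: 6667, dest: WEB },                         // undefined protocol, but Unlimited Access
  { user: 'alice', protocol: 'HTTP', port: 80, dest: { host: 'www.badsite.example', ip: '203.0.113.11' } },
  { user: 'alice', protocol: 'HTTP', port: 80, dest: { host: 'host.example.net', ip: '198.51.100.77' } },
  { user: 'carol', protocol: 'HTTP', port: 80, dest: WEB, accessControl: false },  // anonymous
];
for (const c of CASES) {
  const r = checkAccess(c);
  console.log(`${c.user} ${c.protocol}:${c.port} -> ${r.allow ? 'ALLOW' : 'DENY'} (${r.reason})`);
}
```

Two of the cases illustrate the warnings in this section: with access control disabled, carol gets through although she holds no grant at all, and bob's Unlimited Access lets him reach a protocol and port that were never defined.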

Web publishing tips. When you install IIS, IIS automatically starts three services: WWW, FTP, and Gopher. If you plan to publish to the Web, you need to disable the FTP and Gopher services on IIS for maximum security. Clients can continue to use FTP through the browser, but they will not be able to use FTP software. You don't need to disable the WWW service because Proxy Server 2.0, by default, prevents publishing to the Internet through the WWW service.

Before you enable Web publishing, you need to make sure your network is properly set up. I recommend that you install IIS on a second machine for Web publishing. Therefore, don't use the machine on which you installed Proxy Server 2.0 and IIS for Web publishing. (You don't need to install Proxy Server 2.0 on the second machine.) I also recommend that you install these two machines on a domain (e.g., WebPub) separate from your internal domains and create a one-way trust relationship in which the WebPub domain trusts all other corporate domains, as Figure 1 shows. You can restrict access to your LAN with this configuration, securing access to the Web servers for both intranet and Internet users. Plus, if you need to add proxy servers in the future, you can simply add them to the WebPub domain.

Alerting and logging tips. By default, Proxy Server 2.0 logs events in the System Log but doesn't send alert emails to administrators. You must manually configure the mail notification option. You can enable alerting only when you enable packet filtering. You can enable packet filtering only when you have a second network interface (such as a NIC) available. If you are using RAS in your proxy server, you can also use a dial-up adapter as the second network interface.

By default, Proxy Server 2.0 uses the Regular logging option, which means it logs events to a file or database on a daily basis. I recommend you change the frequency to Verbose, which means Proxy Server 2.0 records all available information in real time. That way, you can view logs to confirm that you don't have any security loopholes. For example, suppose you just finished configuring Proxy Server 2.0 to stop users from accessing a certain site. If you have chosen Verbose, you can immediately check the log to see whether users are still accessing that site. If they are, you know that you need to correct your configuration parameters.

By default, Proxy Server 2.0 enables the Stop all services if disk full logging option. When the disk is full, the Web Proxy, WinSock Proxy, and SOCKS Proxy services stop as a security precaution. So if you don't want to miss any unauthorized accesses to your network, leave this option enabled. If you selected the Verbose logging option, be sure to check your free disk space frequently because the log fills up quickly.

An Extensible Solution
Proxy Server 2.0's many security and performance capabilities make it an important addition to Microsoft's BackOffice suite and possibly to your network. After you become familiar with Proxy Server 2.0's capabilities, you will discover new applications in various environments and appreciate its usefulness as a firewall solution and as a Web cache server. Because Proxy Server 2.0 is an extensible solution, you can even develop custom products or use third-party products to further enhance its usefulness.