Reap the security and performance benefits

Proxy servers provide security and performance benefits for your network. Netscape Proxy Server 3.5 turns your Windows NT server into a proxy server.

In this article, I first explain how to install Netscape Proxy Server. Then, I discuss how to configure proxy arrays and how you can use Netscape Proxy Server to provide reverse proxy services (and thus permit controlled external access to an internal Web site) and improve performance in a large organization that has multiple interconnected proxy servers.

Installation
You can install Netscape Proxy Server on an NT Server 4.0 or NT Workstation 4.0 system. The fast and simple installation process installs Netscape Administration Server, which you use to manage the proxy server and other Netscape servers on the system (e.g., the Enterprise Server computer, the Directory Server computer).

Netscape Proxy Server requires Netscape Navigator 4.0, which the installation CD-ROM includes. You use Navigator to access the Netscape Administration Server, which presents Netscape Proxy Server's Web interface. You can then restrict management access and use secure connections between Navigator and the proxy server. After you install Netscape Proxy Server's services, you must use Navigator to change Netscape Proxy Server's initial configuration.

If you install Netscape Proxy Server on a standalone server, the software requires minimal configuration. Typical configuration (e.g., for small sites where the server acts as a firewall between local Web browsers and the Internet) consists of dial-up access support and local cache support. You can usually set up a Netscape Proxy Server site in less than an hour. More complex configurations take more time, depending on the number of servers, the types of connections, and additional customization (e.g., mapping one URL to another).

Proxy Arrays
A proxy array is a group of proxy servers that share information. Proxy arrays let Web browsers access information through several routes depending on the information's location and how you connect the proxy servers.

A proxy server can obtain information directly from a Web site or indirectly through other proxy servers (standalone proxy servers or servers in an array). Figure 1 shows proxy servers accessing proxy arrays and other proxy servers. This configuration is appropriate if your connection speeds vary. For example, a corporate site might have a proxy array connected to a proxy server at a branch office via a low-speed ISDN connection. The branch office proxy server provides branch office users with cached access to the corporate site and the Internet via the corporate site.

A Netscape Proxy Server computer can obtain the information that a Web browser requests from a Web site and forward it directly to the Web browser. Alternatively, one or more Netscape Proxy Server computers can cache the information before forwarding it to the Web browser. The computer then uses the cache for subsequent requests for the information. Netscape Proxy Server supports the Internet Control Protocol. ICP lets adjacent proxy servers exchange information about cached data.

You configure proxy arrays after you install Netscape Proxy Server. You can set up links between proxy servers at any time, but for security reasons, you need to configure each array member at the member's computer. You must designate one of the members as the master proxy server; the master server is typically the first one you configure. The result of your configuration might be an array with local Web browsers accessing any of the proxy servers in the array. Netscape Proxy Server uses the Cache Array Routing Protocol (CARP) to link the proxy array.

You can configure arrays by using a text editor to modify configuration text files or through the Web interface that Screen 1 shows. The first method requires stopping and restarting the proxy server so that changes take effect. Configuration changes that you make via the Web interface can take effect immediately, or you can choose to have them take effect when the service restarts.

The Member List in Screen 1 shows part of the sibling list in a proxy array. You must add new members to the list at the member's site; the list doesn't include the server you're managing. You configure each member connection from the Member Configuration screen, taking security and bandwidth into account. Netscape Proxy Server supports SOCKS 5.0 for secure connections between servers. A secure configuration is useful when proxy servers at remote sites connect via the Internet or other unsecured communication links.

To set up proxy siblings or ICP neighbors, you must know the proxy server's name or IP address and port number. The array continues to operate even if one of the servers fails or you take a server offline.
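
As an added illustration (not Netscape's code), the sketch below shows the kind of hash-based routing CARP performs: every member scores a URL the same way, the highest score owns it, and taking a member offline moves only that member's URLs. The FNV-1a hash, the member names and the function names are assumptions; CARP specifies its own hash function.

```javascript
// Added example: hash-based member selection in the spirit of CARP.
// fnv1a is a stand-in hash (assumption), not the hash CARP defines.
function fnv1a(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h >>> 0;
}

// Score every live member against the URL; the highest score owns the URL.
// Ties are broken by name so the result never depends on list order.
function pickMember(url, members) {
  if (members.length === 0) throw new Error('proxy array has no live members');
  let best = null;
  let bestScore = -1;
  for (const m of members) {
    const score = fnv1a(m + '|' + url);
    if (score > bestScore || (score === bestScore && m < best)) {
      best = m;
      bestScore = score;
    }
  }
  return best;
}

// Compare routing before and after one member leaves the array.
// moved: URLs whose owner changed; wronglyMoved: URLs that changed owner
// although their original owner is still in the array.
function remapReport(urls, members, failed) {
  const survivors = members.filter((m) => m !== failed);
  let moved = 0;
  let wronglyMoved = 0;
  for (const u of urls) {
    const before = pickMember(u, members);
    const after = pickMember(u, survivors);
    if (before !== after) {
      moved++;
      if (before !== failed) wronglyMoved++;
    }
  }
  return { moved, wronglyMoved };
}
```

Because each browser or downstream proxy computes the same owner for a URL, cached copies are not duplicated across the array, and the cache contents of the surviving members stay valid when one member fails.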

Adding a proxy server to the proxy array list simply establishes the connection information. Screen 2 shows the ICP configuration options you need to supply so that Netscape Proxy Server can cache information instead of forwarding requests and responses. Some sites aren't suitable for caching (e.g., sites with interactive forms or other dynamic content). After you configure a proxy array, the proxy servers automatically forward requests to one another and cache the results.

Netscape Proxy Server uses ICP to support as many as 64 servers—either parent servers or siblings—in a proxy array. ICP generates a hit or miss response for requests. Thus, if one server processes a request but sends a miss response, another server can complete the request later. In this case, the first server discards the information it cached about the request, and the second server caches the information. You can examine Netscape Proxy Server's log files to see the amount of traffic going through the server and how information is flowing.

Netscape Proxy Server can route requests for information that the proxy array doesn't contain through one or more parent proxy servers before trying to access a Web site directly. The software keeps a list of parent proxy servers.

Reverse Proxy
Besides outbound cache support, Netscape Proxy Server has inbound cache support, called reverse proxy. Proxy arrays handle outbound requests from local Web browsers to remote Web sites, and reverse proxy services handle inbound requests from remote Web browsers to local Web sites.

For security reasons, you can use one Netscape Proxy Server system as a reverse proxy server for a Web server. The Web server usually resides behind a firewall that the proxy server connects through. Remote Web browsers access the Web server through the proxy server. The proxy server can use caching to reduce the remote load on the Web server. Also, caching can increase performance if the Web browsers have a high-speed Ethernet link to the proxy server and the proxy server has a low-speed ISDN or modem link to the Web server.

You can set up reverse proxy support with one or multiple proxy servers. With multiple proxy servers, you'll want to incorporate a round-robin DNS server, as Figure 2 shows, to provide load balancing. (For more about this topic, see Douglas Toombs, "Load Sharing for Your NT Web Server," April 1998.)

You configure reverse proxy support independently of the regular proxy support. You must add reverse proxy URL mappings, as Screen 3, page 108, shows. Regular mappings redirect local Web browser requests to different remote sites (e.g., an ISP might host the corporate Web site on the Internet and replicate the site locally). Regular mapping lets users access the corporate site's URL, but the proxy server redirects requests to the local site, improving response time and reducing the load on Internet connections.

URL mapping for outgoing requests can use simple prefix substitution or regular expression substitution, which is more complex. Reverse proxy URL mapping commonly uses prefix substitution, because this method is faster.

Reverse proxy entries work the same way regular proxy entries work, but reverse proxy servers handle requests in the opposite direction. Remote Web browsers have a URL that references the proxy server. A matching reverse proxy entry includes a corresponding local URL. The reverse proxy server uses this URL to fill the Web browser's request. If you enable caching, the proxy server checks the cache; otherwise, the server forwards the browser's request to the local Web server. Caching might include siblings in a proxy array.
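
The prefix substitution described above can be sketched as follows. This is an added example, not Netscape Proxy Server's configuration syntax or code; the mapping table, hostnames and function names are hypothetical. It shows the two checks that keep external access controlled: the request path is normalized before matching, and a URL with no matching entry is refused rather than forwarded.

```javascript
// Added example: reverse proxy prefix substitution with an explicit mapping table.
// All hostnames and mappings below are constructed for illustration.
const REVERSE_MAPPINGS = [
  { from: 'http://proxy.example.test/',      to: 'http://web1.internal.test/' },
  { from: 'http://proxy.example.test/docs/', to: 'http://docs.internal.test/public/' },
];

// Collapse "." and ".." segments so a request cannot climb out of its prefix.
// Returns null if ".." would climb above the root.
function normalizePath(path) {
  const out = [];
  for (const seg of path.split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') {
      if (out.length === 0) return null;
      out.pop();
    } else {
      out.push(seg);
    }
  }
  return '/' + out.join('/') + (path.endsWith('/') && out.length ? '/' : '');
}

// Map an external URL to its internal URL, or return null to refuse it.
function mapReverse(requestUrl, mappings) {
  const m = /^(http:\/\/[^\/?#]+)(\/[^?#]*)?(\?[^#]*)?$/i.exec(requestUrl);
  if (!m) return null;                               // not an absolute http URL
  const rawPath = m[2] || '/';
  if (/%2e|%2f|%5c|\\/i.test(rawPath)) return null;  // encoded dots or slashes: refuse
  const path = normalizePath(rawPath);
  if (path === null) return null;
  const url = m[1].toLowerCase() + path;
  let best = null;                                   // longest matching prefix wins
  for (const e of mappings) {
    if (url.startsWith(e.from) && (!best || e.from.length > best.from.length)) best = e;
  }
  if (!best) return null;                            // unmapped: nothing to forward
  return best.to + url.slice(best.from.length) + (m[3] || '');
}
```

Ending every `from` prefix with a slash matters: it stops a hostname that merely begins with the proxy's name from matching an entry.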

You can use SOCKS 5.0 for additional Netscape Proxy Server support. You enable SOCKS support after you configure the reverse proxy server. SOCKS provides a secure link between the proxy server and a Web browser and between the proxy server and a Web server that the reverse proxy support accesses. Netscape Proxy Server supports routed SOCKS connections in which a request passes through multiple SOCKS servers.

Configuring multiple reverse proxy server arrays requires more work than configuring the round-robin DNS server that is necessary to distribute incoming requests across the server array. You need to set up the proxy servers to handle reverse proxy support. You can set them up with interdependent ICP caching, but you must configure the DNS server to flag dynamic content that uses Common Gateway Interface (CGI) or other server-side scripting and direct the content to one proxy server. This method lets a proxy server handle interactive forms without confusing the other proxy servers. However, the method might create a bottleneck on the proxy server if the Web site depends heavily on server-side scripting.

Multiple Proxy Servers
Netscape Proxy Server supports multiple proxy servers on one server. This complex configuration lets multiple proxy servers act as front ends to one Web server. A load-balancing DNS server is necessary to distribute requests among the proxy servers, and ICP keeps caches up-to-date. Users can access the most current information available, and the Web master needs to update only one Web site rather than multiple duplicate sites.

You can set up multiple proxy servers on one NT server as long as each server has its own IP address or uses a separate port (if the servers have the same IP address). The default port for a proxy server is 8080 in hexadecimal notation.

Multiple proxy servers make sense if you split regular and reverse proxy services among instances of the proxy server on one NT server. In addition, multiple services make sense if you plan to split the services onto several servers. Multiple proxy servers make management easier, because each type of service is isolated. Separate proxy servers improve security if you restrict external access to one or more servers via a firewall or router.

Netscape Proxy Server supports an automatic configuration service for Netscape clients. The software can automatically generate a file that is actually an HTML page. (You can also use a text or HTML editor to create the Web page.) Then, the service lets the JavaScript Web page configure Navigator clients to use a designated proxy server for a particular URL.

You will find this feature useful in large organizations in which a Web browser can access multiple proxy servers and in which the proxy servers are partitioned by the sites they service. The automatic configuration service can be more efficient than having the proxy server handle redirection, but letting the proxy server handle all the caching and redirection details is often easier.
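
An automatic configuration script for proxies partitioned by the sites they service might look like the following. This is an added example, not a file generated by Netscape Proxy Server; the hostnames, ports and partition table are hypothetical, and `FindProxyForURL(url, host)` is the function the browser calls for each request.

```javascript
// Added example of a proxy auto-config script. The partition table and all
// hostnames are constructed for illustration.
var PARTITIONS = [
  { suffix: 'corp.example.test',    proxy: 'DIRECT' },
  { suffix: 'partner.example.test', proxy: 'PROXY proxy-b.example.test:8080' }
];

// Everything else goes to proxy-a, with proxy-b as the fallback if proxy-a
// does not answer.
var DEFAULT_PROXY = 'PROXY proxy-a.example.test:8080; PROXY proxy-b.example.test:8080';

// True only for the domain itself or a real subdomain of it. Matching on the
// label boundary keeps a look-alike such as "notcorp.example.test" from being
// treated as part of "corp.example.test".
function hostInDomain(host, suffix) {
  var h = host.toLowerCase().replace(/\.$/, '');
  var tail = '.' + suffix;
  return h === suffix || (h.length > tail.length && h.slice(-tail.length) === tail);
}

function FindProxyForURL(url, host) {
  // Unqualified names are machines on the local network: connect directly.
  if (host.indexOf('.') === -1) return 'DIRECT';
  for (var i = 0; i < PARTITIONS.length; i++) {
    if (hostInDomain(host, PARTITIONS[i].suffix)) return PARTITIONS[i].proxy;
  }
  return DEFAULT_PROXY;
}
```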

Ideal Use
Proxy servers and proxy arrays use caching to improve performance and reduce network traffic. Netscape Proxy Server works well for standalone proxy servers, but the software is most beneficial when you use it as part of a large proxy array. Although proxy arrays require planning, they require almost no maintenance after the initial configuration.

Netscape Proxy Server 3.5
Contact: Netscape * 650-254-1900
Web: http://www.netscape.com
Price: $525 for 100 users
System Requirements: Windows NT Server 4.0 or NT Workstation 4.0