In several of my previous Microsoft Proxy Server articles, I examined topics relating to Proxy Server installation, Web publishing, security, and performance. This month, I cover a few of the administrative problems proxy server administrators face regularly. Proxy servers are often high-profile servers because they provide a valuable service to one of the most popular employee work functions—Web surfing. Whether employees are surfing for business or pleasure, they'll notice a down proxy server immediately.

When proxy servers go down, the calls seem to come all at once. "Is there a problem with the proxy server?" "I can't get to my Web site." "I keep getting this message saying the computer can't find the server." Admittedly, many browsers and proxy servers don't explain to users what went wrong with their request. However, you can categorize nearly every proxy server problem into one of four categories:

  • The browser or client is misconfigured.
  • The URL or Web site is down.
  • Connectivity or network problems exist.
  • An actual proxy server problem exists.

When I troubleshoot a proxy server call, I always try to set up my process of elimination according to these four bullets.

Local Client and Browser Configuration
A misconfigured browser is a common error that proxy server administrators face. In many environments, users can modify their browser settings without restriction, which often leads to users changing important proxy server settings.

To ensure appropriate proxy server configuration for every user's browser, you can use system policies to prevent users from altering settings. Windows NT 4.0 first introduced system policies, which mainly covered desktop and environment settings. Policies that affect Microsoft Internet Explorer (IE) first appeared in IE 3.0, but Microsoft later greatly enhanced these policies in the Internet Explorer Administration Kit (IEAK—for more information about IEAK and to download the kit, go to http://www.microsoft.com/windows/ieak/en/default.asp). Like NT, IEAK 5.0 also offers an option in which only administrators can change proxy server settings.

Proxy Server also has a feature that lets proxy server administrators administer client browser settings from a central point—often the very proxy server a particular user's browser accesses. This feature, called Automatic Configuration, forces a client browser to periodically update its settings from the proxy server. You can write this configuration script in JavaScript or JScript and modify the script as your proxy server configuration changes. (For more information about the Proxy Server Automatic Configuration script, see the Microsoft Internet Explorer 5.0 Resource Kit or IEAK 5.0.)

To use the Automatic Configuration script, open the Microsoft Management Console (MMC). Right-click Web Proxy Service, then select Properties. From the Shared Services Properties dialog box, select the Client Configuration option. From the Client Installation/Configuration dialog box, which Screen 1 shows, select the Configure Web browsers to use Automatic Configuration check box. The default URL should be visible. For the browsers you intend to configure automatically, click Properties in the Client Installation/Configuration dialog box to access the Advanced Client Configuration dialog box, which Screen 2 shows. From this dialog box, you can set additional properties on the client automatically and configure the client browser specifically for your network. If you select the Use Proxy for local servers check box, the proxy server will act on behalf of the client when it receives requests that have a simple host name (i.e., a host name without a dot in the server-name portion of the URL). An example of such a URL is http://server1/default.asp. The fully qualified URL would be http://server1.hotcert.com/default.asp.

Depending on your network's infrastructure, you might want to bypass the proxy server altogether when connecting to internal servers (e.g., intranet, extranet) that aren't readily available to your proxy server's external interface. You can mark a range of IP addresses and certain domain names as being internal, which lets your clients access them directly rather than having to go through the proxy server.

If you want to filter by an IP address or a range of addresses, select the Do not use proxy for the following IP Addresses check box, and enter the appropriate IP addresses. A subnet mask lets you enter a range of addresses. For example, if you want to ensure that the entire 10.x.x.x private network won't go through your proxy server, enter 10.0.0.0 with a subnet mask of 0.255.255.255. (This process is a bit different from how you usually think of a subnet mask. Rather than specifying which bits represent a host ID and network ID, you use the subnet mask to simply denote a range of addresses.)

Just as you can prevent a range of IP addresses from going through your proxy server, you can also specify that certain domains not go through the proxy server. Select the Do not use proxy for domains ending with check box. Enter each domain in the corresponding text box; use semicolons between domains. Note one thing about determining which domains to bypass (at least when working with IE): When you supply wildcards, you must be literal. Bypassing the domain *.*.hotcert.com isn't the same as and doesn't cover the domain *.hotcert.com.

Finally, you can specify a backup proxy server or tell your client browser to go directly to the Internet if the first proxy server fails. Select the Backup route check box, and click Modify to access the Configure Backup Route dialog box, which Screen 3 shows. The default option is to let your clients go directly to the Internet. You can change this default action and send the client to a backup proxy server instead.
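The following sketch is an added example, not the script Proxy Server generates and not code from the original article. It shows how the settings described above (plain host names, an internal IP range, bypassed domains, and a backup route) combine into one routing decision. The proxy names, port, and bypass entries are assumed sample values; the helper functions are local stand-ins for the ones a browser supplies; the 10.x.x.x range is written as a first and last address rather than in the dialog box's mask notation; and the backup route is a second proxy rather than the dialog box's default of a direct connection.

```javascript
// Added illustration, not the script Proxy Server generates. Proxy names,
// port and bypass entries are assumed sample values.
const PRIMARY = "PROXY proxy1.hotcert.com:80";
const BACKUP = "PROXY proxy2.hotcert.com:80";      // backup route: second proxy
const PROXY_LOCAL = false;                         // "Use Proxy for local servers"
const BYPASS_RANGE = ["10.0.0.0", "10.255.255.255"];
const BYPASS_DOMAINS = ["*.hotcert.com"];

// Stand-ins for helpers the browser supplies to a configuration script.
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}
function shExpMatch(str, pattern) {
  const re = pattern
    .replace(/[.+^${}()|[\]\\]/g, "\\$&")          // escape regex metacharacters
    .replace(/\*/g, ".*")
    .replace(/\?/g, ".");
  return new RegExp("^" + re + "$", "i").test(str);
}
function ipToInt(ip) {
  const parts = ip.split(".");
  if (parts.length !== 4 || !parts.every(p => /^\d{1,3}$/.test(p) && +p <= 255)) {
    return null;                                   // not a dotted-quad address
  }
  return parts.reduce((n, p) => n * 256 + Number(p), 0);
}
function inRange(host, first, last) {
  const n = ipToInt(host);
  return n !== null && n >= ipToInt(first) && n <= ipToInt(last);
}

function FindProxyForURL(url, host) {
  const viaProxy = PRIMARY + "; " + BACKUP;        // try primary, then backup
  if (isPlainHostName(host)) return PROXY_LOCAL ? viaProxy : "DIRECT";
  if (inRange(host, BYPASS_RANGE[0], BYPASS_RANGE[1])) return "DIRECT";
  if (BYPASS_DOMAINS.some(p => shExpMatch(host, p))) return "DIRECT";
  return viaProxy;
}

// Constructed sample hosts: print the route each one would take.
for (const h of ["server1", "10.1.2.3", "www.hotcert.com", "hotcert.com", "www.example.com"]) {
  console.log(h.padEnd(16), FindProxyForURL("http://" + h + "/", h));
}
```

Every DIRECT result is a request the proxy server neither filters nor logs, so review the bypass entries and the backup route with the same care as a packet filter rule.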

If you have more than one proxy server and Automatic Configuration isn't for you, let me suggest an alternative. When you have more than a few dozen client browsers, it's difficult to ask each of your clients to change to a new proxy server if the current proxy server fails. If you have control of your name resolution, whether through DNS or distribution of local HOSTS files, you can create an address record (commonly known as an A-record) with a generic name like proxy in your internal DNS or HOSTS tables. Use this name as the name of your proxy server in your client configurations. With this method, if one of your proxy servers fails, you can easily switch to a backup by modifying the proxy record in your DNS. Assigning a short Time to Live (TTL—e.g., 5 or 10 minutes) to the record lets the change propagate even faster. (For more information about setting and determining TTL, see "Proxy Server Caching," May 2000.) I've seen this short TTL work very successfully even in large shops with thousands of clients.

URL Down
When users enter an incorrect URL, each browser responds differently. For IE, the browser receives a DNS-error response from the proxy server, and IE returns a Cannot find server or DNS error message (i.e., the 11001.htm page) to the user. Proxy servers also return this message in a file that is in the C:\msp\errorhtmls directory. You can customize this file and the other .html files in this directory for your site. Notice that within each file some simple explanations for each error exist. You can edit these pages to suit your needs. You might consider adding text or images that direct users to try again, check the settings, or check the URL. I would advise, however, that you avoid tampering with the servername and viaheader values in each of these files. When these values appear to the user, the proxy server provides its name as well as the name of the downstream proxy server (if one exists) to aid in troubleshooting.

Local Connectivity and Network Problems
Network problems are common problems that every proxy server administrator faces. Even the proxy servers with the highest availability rates still have to account for Web servers on the Internet that are down. If the remote site is down or inaccessible, it's often up to the administrator to break the bad news to end users.

You can quickly eliminate the proxy server from this picture by asking a user to go to another Web site. Note that although the site appears, it might be coming from the cache. To ensure that the proxy server is loading a fresh copy from the Web server, ask the user to hold down Ctrl+Shift and click Refresh (if the client is using IE).

You might have to resort to simple TCP/IP troubleshooting from the proxy server. This troubleshooting might include pings and trace routes to see where the request is failing. (Note: If you're using packet filtering and blocking Internet Control Message Protocol—ICMP—messages, trace routes from the client to the Web server might not work correctly.) You might need to examine the Web Proxy log files on each server to determine where the result presented to the client browser originated. (For more information about dissecting the Web Proxy log files, see "Proxy Server Caching," May 2000.) Sometimes, the answer is as simple as checking the connectivity to the proxy server. A simple ping to the proxy server can help troubleshoot this problem.

Proxy Server Problems
If you've exhausted all other troubleshooting means for users, or if several users are reporting a common problem that isn't network related, the problem might be with your proxy server. One common problem during setup is the presence of multiple default gateways. This problem generates a 10060 error (Connection Timed Out) to any request sent to the Web Proxy service. Though this error is often associated with slow external links to the Internet, if it occurs right after setup, more than one default gateway is probably present. For more information about this error and a workaround for it, see the Microsoft article "10060 Connection Timed Out Error with Proxy Server on Slow Link" (http://support.microsoft.com/support/kb/articles/q191/1/43.asp).

Another common proxy server problem isn't really a problem at all. Proxy server administrators often see event ID 120 in the proxy server's event log. The event's description is The Proxy Service could not create a packet filter. This message is typical on busy proxy servers with packet filtering enabled. The purpose of the message is to alert the administrator that the packet filter dropped more than 20 packets.

In typical situations, a handful of these error messages isn't cause for alarm. However, if the messages are persistent, you might investigate the source of the packets. Look in the proxy server's log directory, which by default is in the \%systemroot%\system32\msplogs folder. This directory contains log files whose names begin with PF and end with the current date. Consult the appropriate log file for more information about what is generating the error. For more information, see the Microsoft article "Event ID 120 'The Proxy Service Could Not Create a Packet Filter'" (http://support.microsoft.com/support/kb/articles/q252/4/68.asp).

Next Month
This month, I outlined for you some of the problems proxy server administrators face regularly. Next month, I'll introduce you to some third-party tools that you can use with Proxy Server to enhance your administration and make your tasks easier.