2

Proxy Server, IIS and Windows NT

As most people know by now, Microsoft is making a great push toward the Internet. Most applications released by Microsoft now deal directly with the Internet in some way. Microsoft has tried to design Windows NT 4.0 to be the platform of choice for all types of Internet servers and applications. It took a little while for Microsoft to get up a full head of steam down the Internet road, but they're now going full tilt. Microsoft Proxy Server is part of a global package of Internet-oriented applications, each of which is designed to work as an extension of the NT operating system. Each element, including Microsoft Proxy Server, the IIS Web server, the IIS FTP server, and the IIS Gopher server, uses NT subsystems such as security and networking so that the pieces work together as one seamless application.

This integrated approach has been common in the UNIX environment for a while, but is just now becoming the standard for Windows NT. For a long time, Internet applications and servers in the Windows NT, Windows 95, or Windows 3.x environments have been a hodgepodge of stand-alone systems that relied on their own security and their own separate TCP/IP stacks. There are a couple of reasons for this. The first is that Microsoft was not headed in the direction of the Internet. In the world of the Internet, Microsoft is a newcomer. Granted, Microsoft can devote far more development resources to Internet applications and servers than any other software company, but the UNIX crowd has had a big head start. Because Microsoft's attention to Internet development has been slight until now, previous versions of Windows were not well suited for use as Internet platforms.

Because of this, third-party Internet software developers had to create their own security systems and protocol layers for use in Windows environments. Naturally, it was rare that any two server-side applications would work in tandem unless they were developed by the same company. The effort involved in creating a complete Internet site in the Windows environment was a pretty daunting task. Windows had a pretty bad reputation as an Internet platform, and justifiably so.

Windows NT 4.0

I attended World Wide Alive in Indianapolis in July of 1996. World Wide Alive was a live, one-day seminar by Microsoft which was transmitted to approximately 90 locations around the country and a few international sites. Not only was this seminar designed to showcase upcoming Microsoft products, such as Microsoft Proxy Server and Windows NT 4.0, but it also detailed Microsoft's dedicated direction toward the Internet in most of its future software plans. For example, the scheduled 1997/1998 (you know Microsoft's famous timetables) revision of Windows 95 is supposed to change Windows 95 into a completely HTML-based environment. This means that the Windows 95 desktop will be nothing more than an actual HTML document. The Control Panel will also be HTML-based in much the same way.

Those folks who are good at managing HTML web documents now will be right at home with Microsoft applications in the future. Imagine being able to use your desktop to simply link to a friend's desktop via a dialup link, such as the one many people have to an ISP today.

Windows NT 4.0 is the first step toward this type of environment. Obviously the Windows NT 4.0 desktop is not HTML-based, but many of its sub services have been redesigned to offer greater flexibility with the Internet and Internet related servers.

The NT Internet Interface

Access to the Internet can be gained in several different ways with NT. The two most common ways are:

NT treats each form of connection the same way, although at substantially different connection speeds. This book is written with the network administrator in mind. It's assumed that you have an adequate understanding of the networking terms and concepts that will be addressed in this book. Installation and use of Microsoft Proxy Server to give an entire LAN access to the Internet is a pretty straightforward process. However, no two LANs are ever set up identically, so it can sometimes get confusing when trying to describe certain scenarios in which Microsoft Proxy Server can be useful.

The most common network arrangement for most private individuals and companies who use NT is as an isolated LAN with periodic dialup connections to the Internet, for those people on the LAN who need Internet access (see Figure 2.1).

Figure 2.1. A typical network with independent periodic Internet Connections

This arrangement means that each computer on the LAN that needs Internet access must have its own modem and its own phone line. Each individual LAN user may also need a separate dial-in account with a provider. This is not always true, because some providers do allow multiple simultaneous dial-ins on the same account, but it can still be pretty expensive if a LAN has many users who need Internet access. There are ways to work around this, such as using a modem pool on a central server to eliminate the need for individual phone lines and modems at network workstations, but this type of solution can be pretty expensive too because most modem pooling software doesn't come cheap (see Figure 2.2).

Figure 2.2. Internet connections to workstations through a modem pool.

Modem pooling can also be flaky at times and place extra overhead on network workstations. It still does not eliminate the possible need for an individual ISP (Internet Service Provider) account for each LAN user needing Internet dial-out access. Modem pooling does reduce the number of individual dial-out lines and modems, though. However, modem pooling software for NT runs around $300 on average for a five-user license, and the cost goes up for each line added to the system. If you are thinking about Microsoft Proxy Server for your LAN, I assume one of the main reasons for this is to keep the cost of Internet access as low as possible. Of the Internet access scenarios discussed here, using Microsoft Proxy Server is the cheapest for a LAN that shares a single line, and because it caches what users fetch, it also offers the highest performance for multiple users.

NT Server Access to the Internet

As already mentioned, NT can access the Internet in several ways. The most convenient way is to have access to a dedicated line of some form. However, if a LAN has access to a dedicated line, it is most likely that all network workstations will already be set up to access the Internet themselves without the need of Microsoft Proxy Server. Figure 2.3 diagrams a typical network with LAN-wide Internet access.

Figure 2.3. A LAN with a permanent Internet connection.

Under this scenario, network workstations may have direct access to the Internet. Full LAN access to the Internet requires more than just the correct hardware. The second element necessary for full Internet access is a valid (that is, Internet-routable) address for each workstation on the network. If a LAN has a dedicated line, such as a T1 or higher, the provider giving such access will almost certainly have allocated a subnet of valid Internet addresses for the LAN. It is therefore unlikely that a LAN in this scenario will need the services of Microsoft Proxy Server. However, it is possible that for some reason workstations on this type of LAN are prevented from having valid Internet addresses. If, for example, the private LAN only runs the IPX or NetBEUI protocols, direct access to the Internet is not possible. Microsoft Proxy Server can still provide access to the Internet if TCP/IP is not used on the workstations but IPX is, because Microsoft Proxy Server can use IPX as the transport protocol between the workstations and the proxy when TCP/IP is not available. The use of IPX is discussed in greater detail in Chapter 6, "Configuring Proxy Server."

Microsoft Proxy Server will most likely be used when an NT server on a LAN has a periodic connection to the Internet. This usually comes in the form of either an ISDN connection or a modem connection to an ISP (see Figure 2.4)

Figure 2.4. A periodic connection to the Internet.

In this scenario, only the NT server itself will normally have access to the Internet via the dialup connection. Because the workstations on the private network do not have their own valid IP addresses, they cannot access the Internet through the dialup connection on the NT server. NT 4.0 does have the ability to route IP packets through RAS, whereas NT 3.51 did not, so RAS is no longer limited as a network interface. As long as IP forwarding is enabled on the NT server with the Internet access, and the ISP knows to send the LAN's addresses to you (RIP, the Routing Information Protocol, installed as a service on that server can advertise them), TCP/IP packets will be correctly routed if they originate from valid addresses, no matter which NIC they pass through. Bear in mind that turning on forwarding is the opposite of what you want on a machine running Microsoft Proxy Server; see "Internet Servers" later in this chapter. The real problem is getting a range of valid Internet addresses when the form of connection is only a periodic dialup. Most ISPs will not give out more than one address to a dialup customer. Some ISPs do have forms of dedicated dialup access that provide more than one address.

The largest ISP in Indianapolis offers dedicated dialup access for $100 a month. With this level of service, customers also get six valid IP addresses to use on their own LAN. This allows a private network to have access to the Internet for up to six individual workstations, under the right conditions. If there are no more than six workstations on the network, then the arrangement will work out quite well. If there are more than six workstations on a network that need access to the Internet, a DHCP server will need to be available on the LAN to hand out those six IP addresses only when needed, and its lease time should be short, because a workstation keeps the address it was given until its lease expires, not just while it is using the Internet.

Internet vs. Intranet

The world seems to revolve around catchwords and phrases. One of the latest to dominate the chatter about computers is the word intranet. Because the Internet has been such a large part of computers, a word had to be created to distinguish the outside world from the inside world. That word is intranet.

The difficult thing with setting up a private LAN with the TCP/IP protocol is that the LAN is normally set up with invalid IP addresses. On my home network, I picked out an IP subnet of 220.200.200.*. No real reason for this range, that's just the one I chose. Most network administrators do the same thing with their own networks. In actuality, another site on the Internet may already be validly using the 220.200.200.* subnet. If the LAN were ever connected, its packets would be routed out to that site's real owner while replies for the real owner could end up at the LAN, and nothing would work correctly for either party. This is why RFC 1918 sets aside three ranges that are never routed on the Internet and are meant for exactly this purpose: 10.0.0.0 through 10.255.255.255, 172.16.0.0 through 172.31.255.255, and 192.168.0.0 through 192.168.255.255. Consult Chapter 4, "Planning Your Installation and Configuration," for full details on properly selecting a subnet for a private LAN. My choice of 220.200.200 is not the best choice.
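The check below is an added example and is not code from the book or from Microsoft Proxy Server: given a candidate LAN subnet in network/prefix form, it reports whether the entire block sits inside one of the three RFC 1918 private ranges. The one thing it assumes is that you know the prefix length of the block you intend to use (a "220.200.200.*" network is 220.200.200.0/24).

```javascript
// Added example (not from the book): check whether a LAN subnet you are about
// to pick is one of the ranges RFC 1918 reserves for private networks
// (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16). Any other block belongs to
// somebody on the public Internet, and the day the LAN gets a real connection
// its traffic will collide with theirs.

const RFC1918 = [
  { net: '10.0.0.0', bits: 8 },
  { net: '172.16.0.0', bits: 12 },
  { net: '192.168.0.0', bits: 16 },
];

// Dotted quad -> unsigned 32-bit integer; rejects anything malformed.
function ipToInt(ip) {
  const parts = ip.split('.');
  if (parts.length !== 4) throw new Error(`bad address: ${ip}`);
  return parts.reduce((acc, p) => {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) throw new Error(`bad address: ${ip}`);
    return acc * 256 + Number(p);
  }, 0);
}

function intToIp(n) {
  return [24, 16, 8, 0].map((s) => (n >>> s) & 255).join('.');
}

// Netmask for a prefix length, as an unsigned 32-bit integer.
function prefixMask(bits) {
  return bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
}

// First and last address of a block. A network address with host bits set
// (192.168.1.5/24, say) is a typo, not a network, so it is rejected.
function parseCidr(cidr) {
  const [net, bitsText] = cidr.split('/');
  const bits = Number(bitsText);
  if (!/^\d{1,2}$/.test(bitsText) || bits > 32) throw new Error(`bad prefix length: ${cidr}`);
  const mask = prefixMask(bits);
  const first = (ipToInt(net) & mask) >>> 0;
  if (first !== ipToInt(net)) throw new Error(`host bits set in network address: ${cidr}`);
  const last = (first | (~mask >>> 0)) >>> 0;
  return { first, last };
}

// Private only if the WHOLE block sits inside one RFC 1918 range; a block
// such as 10.0.0.0/7 starts in private space but spills into public space.
function classifySubnet(cidr) {
  const { first, last } = parseCidr(cidr);
  for (const r of RFC1918) {
    const mask = prefixMask(r.bits);
    const rangeNet = ipToInt(r.net);
    const inRange = (a) => ((a & mask) >>> 0) === rangeNet;
    if (inRange(first) && inRange(last)) {
      return { private: true, range: `${r.net}/${r.bits}`, first: intToIp(first), last: intToIp(last) };
    }
  }
  return { private: false, range: null, first: intToIp(first), last: intToIp(last) };
}

// The book's home LAN choice versus a safe one.
console.log(classifySubnet('220.200.200.0/24'));  // private: false
console.log(classifySubnet('192.168.1.0/24'));    // private: true, range 192.168.0.0/16
```

Run it with any JavaScript engine (node subnet-check.js). The whole-block test matters more than it looks: an administrator who knows "10-dot is private" and carves out 10.0.0.0/7 to get more room has quietly claimed 11.0.0.0/8, which is public.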

When a LAN is not connected to the outside world, the IP addresses used on the LAN are meaningless. This can cause problems later if a permanent connection to the Internet is obtained and the LAN must move to the addresses the provider assigns. It means long hours of reconfiguring every workstation on the network for the new set of addresses.

One of the simplest elements that can be added to a network to greatly reduce reconfiguration time is a DHCP server. DHCP, the Dynamic Host Configuration Protocol, is a protocol for handing out TCP/IP configuration information to workstations on a network, and NT Server includes a DHCP server service. A DHCP server can hand out all the protocol information a TCP/IP workstation might need when starting up: IP address, subnet mask, default gateway, and the locations of the DNS and WINS servers.

For example, if a LAN has 100 workstations, each with preset IP addresses, and those 100 workstations have to be reconfigured because of a change of some sort, you're looking at a couple of days' work just plugging in new numbers. A DHCP server can turn a two-day project into a two-minute project. There is, of course, a drawback to workstations with dynamic addresses: a workstation's address can change from one lease to the next, so anything that refers to the workstation by address rather than by name breaks. However, with such NT services as WINS, this drawback can be greatly reduced or completely nullified.

It's important to have a clear understanding of the possible future needs of a LAN when setting it up. It's also important to understand some of the vital NT services, such as WINS and DHCP, if you're planning on adding Internet-type services to an intranet. WINS is similar in action to DNS, except that its main purpose is to resolve NetBIOS names as opposed to Internet names. When used in conjunction with DHCP, the dynamic addresses that the DHCP server passes out to new machines on a network are automatically registered with WINS. Therefore, an up-to-date database mapping NetBIOS machine names to local IP addresses is available for network use. This ensures continued proper network operation when IP addresses for a LAN change (among other possible changes).

Internet Servers

Many companies are beginning to use Web servers to manage internal company information. The point-and-click nature of the Web makes it very simple for employees who are computer novices to perform their jobs. Also, a Web interface is the perfect environment for disseminating information. Opening a Web server, or any Internet server (such as FTP or Telnet), to the outside world when the network where the server resides does not have valid Internet addresses is a tricky task.

The purpose of Microsoft Proxy Server is not to grant outside Internet users access to the resources of a private LAN. Therefore, unless Internet servers are on the NT machine with the Internet connection, they will not be reachable from the outside. Even though general access to a LAN from the outside is not normally possible through Microsoft Proxy Server, an experienced attacker could gain access in rare situations. For that reason Microsoft recommends disabling IP forwarding on the Microsoft Proxy Server machine, so that the NT machine itself does not propagate outside packets into the private LAN. On NT 4.0 this is the Enable IP Forwarding check box on the Routing tab of the TCP/IP protocol properties (Control Panel, Network, Protocols); it should be cleared.

Keep in mind that Microsoft Proxy Server does not require any form of IP forwarding on the server on which it is running in order to function normally. Microsoft Proxy Server handles its own delivery of IP packets to and from the outside connection. Disabling IP routing is covered in greater detail in Chapter 6, "Configuring Proxy Server."
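Because a proxy machine that quietly has forwarding turned back on (for example by someone installing RIP on it later) defeats the recommendation above, it is worth being able to audit the setting without trusting the dialog. The script below is an added example and not code from the book or from Microsoft: it parses the text that NT 4.0's regedit.exe writes when you export the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters (the Enable IP Forwarding check box stores its state there as the REG_DWORD value IPEnableRouter) and reports whether forwarding is on. The sample registry exports are constructed for the example; the machine name proxy1 is invented.

```javascript
// Added example (not from the book): audit an exported registry fragment for
// the NT 4.0 IP forwarding switch. The value is
// HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\IPEnableRouter
// (REG_DWORD; 1 = the machine forwards packets between its interfaces, which
// is what the Routing tab's "Enable IP Forwarding" box controls).
// Export the key with regedit.exe (Registry menu, Export Registry File) and
// feed the text to auditIpForwarding().

const TCPIP_PARAMS = 'HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters';

// Minimal parser for the [key] / "name"=dword:xxxxxxxx / "name"="text" lines
// of a REGEDIT4-format export. Returns Map: key path -> Map: name -> {type, data}.
function parseReg(text) {
  const keys = new Map();
  let current = null;
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === '' || line.startsWith('REGEDIT4') || line.startsWith('Windows Registry Editor')) continue;
    const keyMatch = line.match(/^\[(.+)\]$/);
    if (keyMatch) {
      current = new Map();
      keys.set(keyMatch[1], current);
      continue;
    }
    if (!current) continue;
    const valMatch = line.match(/^"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$/);
    if (!valMatch) continue; // other value types are not needed for this audit
    const [, name, dword, str] = valMatch;
    current.set(name, dword !== undefined
      ? { type: 'dword', data: parseInt(dword, 16) }
      : { type: 'string', data: str });
  }
  return keys;
}

// Returns { present, forwarding, finding }. An absent value is reported as
// "off" because NT's documented default for IPEnableRouter is 0, but the
// finding says so explicitly rather than silently passing.
function auditIpForwarding(regText) {
  const params = parseReg(regText).get(TCPIP_PARAMS);
  const v = params && params.get('IPEnableRouter');
  if (!v || v.type !== 'dword') {
    return { present: false, forwarding: false, finding: 'IPEnableRouter not set; forwarding defaults to off' };
  }
  if (v.data !== 0) {
    return { present: true, forwarding: true,
      finding: 'IPEnableRouter=' + v.data + ': server forwards outside packets into the LAN; clear Enable IP Forwarding on the TCP/IP Routing tab' };
  }
  return { present: true, forwarding: false, finding: 'IPEnableRouter=0: forwarding disabled' };
}

// Constructed sample exports (not taken from a real machine).
const SAMPLE_FORWARDING_ON = [
  'REGEDIT4', '',
  '[' + TCPIP_PARAMS + ']',
  '"Hostname"="proxy1"',
  '"IPEnableRouter"=dword:00000001', '',
].join('\r\n');

const SAMPLE_FORWARDING_OFF = SAMPLE_FORWARDING_ON.replace('dword:00000001', 'dword:00000000');

const SAMPLE_NO_VALUE = [
  'REGEDIT4', '',
  '[' + TCPIP_PARAMS + ']',
  '"Hostname"="proxy1"', '',
].join('\r\n');

console.log(auditIpForwarding(SAMPLE_FORWARDING_ON).finding);
console.log(auditIpForwarding(SAMPLE_FORWARDING_OFF).finding);
```

Checking the exported text rather than clicking through the dialog means the audit can be repeated on every proxy machine from one place and kept with the other configuration records for the LAN.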

Most arrangements of Microsoft Proxy Server will be such that it will be running on the same machine as Internet server applications. This poses no problem as long as the Web server in use is the Microsoft IIS web server. The Microsoft IIS web server is the only application that is required by Microsoft Proxy Server. This is because Microsoft Proxy Server "piggy-backs" on the listening services of the IIS web server on port 80 in order to pick up on LAN requests that are destined for the outside world. Any other Internet server applications can be run on an NT machine that also runs Microsoft Proxy Server. Microsoft Proxy Server's Web Proxy and WinSock Proxy services are implemented so that port conflicts are not an issue on the server.

Other proxy servers, such as WinGate, operate by listening on the same ports that other server applications listen on. This causes a conflict, because no two applications can respond to traffic on the same TCP/IP port. In cases where proxy servers such as WinGate are used on machines with other Internet applications, those Internet applications must be moved to listening ports on which the proxy server itself is not listening.

Microsoft Proxy Server avoids such conflicts in two ways. With standard proxy requests (WWW, FTP, and Gopher), the IIS Web server first fields all traffic on port 80 and passes it through a special ISAPI filter DLL that determines whether the request is for a local resource or is destined for the outside. If the traffic is not to be picked up by the WWW server itself, Microsoft Proxy Server takes over the request and passes it outside. TCP/IP traffic that is not covered by the Microsoft Proxy Server Web Proxy service (any traffic on a port other than 80) is handled by the Microsoft Proxy Server WinSock Proxy service.

The WinSock Proxy server works in tandem with the WinSock Proxy client on the workstations. The WinSock Proxy client software fields any local TCP/IP requests, redirecting the traffic to the port that the WinSock Proxy server is listening on. This means that the WinSock Proxy server can handle nearly any type of TCP/IP client, such as SMTP, NNTP, and Telnet, without a conflict with other Internet server software that may be running alongside Microsoft Proxy Server.

I have personally run non-Microsoft FTP servers, SMTP servers, and POP3 servers on the same system that runs Microsoft Proxy Server without encountering a problem. Chapter 1, "Proxy Server Overview," covers in greater detail how the Web Proxy server and the WinSock Proxy server operate.

NT Security

If you are only familiar with Windows 95 or Windows 3.x, you'll be unfamiliar with how NT deals with user security. NT's level of security far exceeds that of Windows 95 and Windows 3.x. In fact, one of NT's strongest points is its level of network security. As with all IIS applications, Microsoft Proxy Server directly uses NT's network security systems for its own security needs. The difference is in which direction it faces: Microsoft's other Internet server applications use NT's security system to deal with outside users wanting access to a LAN, whereas Microsoft Proxy Server uses NT's security system to deal with internal LAN users needing access to the outside.

Microsoft Proxy Server fully utilizes all network security features of an NT-based network. When a LAN user attempts to access the Internet via Microsoft Proxy Server, whether by Web Proxy or WinSock Proxy (both types of servers can have their security configured independently), Microsoft Proxy Server authenticates their access against the NT user database.

When a user starts a Windows 95 or Windows for Workgroups (WFWG) workstation and logs in, that user can do so in one of two ways. A standard Windows login simply requires the user to indicate a name and a password. This information is not immediately validated by a domain controller (primary or backup), but is stored by Windows. This form of login to a workstation is a basic login. Note that Windows 95 and WFWG have no local security database of their own, so this login protects nothing on the workstation itself; a user can cancel it and still use the machine. It matters only when the user then attempts to access a secured network resource, such as a server disk or a service such as Microsoft Proxy Server. At that point the Windows workstation presents the stored login information to an available domain controller for validation. If the user is not in the NT database of users, or if the user is present but does not have sufficient access to use the requested resource, the server will deny access to the resource.

Windows workstations can also have the login name and password validated immediately by a domain controller, if the workstation is configured for such a login.

Microsoft Proxy Server has a wide range of security options. As already mentioned, the Web Proxy server and the WinSock Proxy server can be configured independently. Each type of connection can also have independent security limitations placed on it. For example, Microsoft Proxy Server can permit only a certain network group to access WWW servers while allowing another network group to only have access to FTP servers. Microsoft Proxy Server can even go so far as to permit or deny access to Internet servers for individual LAN users.

Microsoft has devoted a great deal of development to the high-end security features of Microsoft Proxy Server. For my own needs and (in my opinion) for the needs of most private individuals and small to medium companies, the security features of Microsoft Proxy Server far exceed what is needed. Large companies will almost certainly have valid Internet connections for the workstations of their employees. However, Microsoft Proxy Server does offer a great deal of control over access to the outside Internet from a central authority, and that control is lost when workstations have their own valid Internet access. For some companies, Microsoft Proxy Server is a better solution for Internet access than actually extending a valid Internet presence to individual workstations.

As well as controlling who can have access to the Internet through Microsoft Proxy Server, Microsoft Proxy Server can also control which sites on the Internet are accessible to LAN users. Yeah, it's a big brother approach, but if your employees spend all afternoon downloading dirty pictures from WWW.PLAYBOY.COM or WWW.PENTHOUSE.COM through an Internet connection you are paying for, you begin to want a little control over what your employees are accessing.

Microsoft Proxy Server also has outstanding logging features that help to track down misused Internet access. When workstations have their own valid Internet presence, users have much less restricted access to the outside, and the logging features of NT are not nearly as thorough at tracking that kind of activity. In the long run, it may be better for some companies to use Microsoft Proxy Server over full workstation Internet access. Chapter 8, "Configuring Proxy Server Security and Authentication," covers how to configure the security features of Microsoft Proxy Server.

NT Gateways

Access to the outside Internet is possible through more than just one point. In a completely valid arrangement, a LAN might have several gateway points through which to access the outside Internet. Workstations can be configured with a list of available network gateway points, which will each be tried in turn should the workstation need outside access. Figure 2.5 shows a possible network arrangement with multiple gateway points.

Figure 2.5. A possible network with multiple gateway points.

If a single gateway point is not sufficient to handle the amount of Internet traffic a LAN has, multiple gateway points can be used. However, most networks would simply increase the capacity of a single connection. Multiple gateways can also be used as a form of fault tolerance in case one connection fails.

The same approach can be used with multiple Microsoft Proxy Server gateways. Keep in mind that Microsoft Proxy Server gateways can be used just like normal gateways. Because most Microsoft Proxy Server gateways will be using smaller connections, such as analog modems or ISDN modems, scenarios involving multiple Microsoft Proxy Servers will be more common than multiple-gateway arrangements on LANs that have a valid Internet connection.

An arrangement of which workstations access which Microsoft Proxy Server is a configuration element set up on each workstation. After installing Internet Explorer 3.0 or higher, a new control icon is placed in the Control Panel of Windows 95 machines. This icon is the access point to configuring all vital Internet settings for a Windows 95 workstation, including proxy settings. Figure 2.6 shows the Internet control applet of the Control Panel. The Connection tab is selected. This is the tab for controlling whether Windows 95 will use a proxy for its Internet connections.

Figure 2.6. The Internet applet of Control Panel.

The Settings button of this area allows for the specification of proxy server locations. Figure 2.7 shows the Settings dialog.

Figure 2.7. The Settings area of the Internet control applet.

As you can see, Microsoft Proxy Server operates identically for WWW, FTP, and Gopher clients, passing all requests for such servers through port 80. The flexibility exists to configure each type of service differently should a different type of proxy server be used. Because the Microsoft Proxy Server Web Proxy listens for all three kinds of request on port 80, configuration is a simple task. The address 220.200.200.1 is the address of the NT server on my network that runs Microsoft Proxy Server. Chapter 11, "Proxy Server and Client Applications," deals with correctly setting up client applications, both standard Microsoft clients, such as Internet Explorer 3.0, and non-Microsoft clients such as Netscape and Eudora.

The WinSock Proxy portion of the client side is a little trickier than the Web Proxy side. With the Web Proxy, configuration consists of only a few settings in Control Panel. The WinSock Proxy client side requires installation of special client software, and enabling or disabling WinSock Proxy redirection is controlled via an INI file. Correctly configuring the WinSock Proxy client is also covered in Chapter 11.

In order to spread out the Internet access load on LANs with many Internet users, multiple Microsoft Proxy Server gateways should be used. The organization of such an arrangement depends on the network administrator's needs. Each Microsoft Proxy Server on a network can be dedicated to carrying only a certain type of connection (FTP, for example). Another distribution method assigns different groups of LAN users to different Microsoft Proxy Servers. Keep in mind that FTP access is more demanding of a connection than WWW access. Not only does FTP access involve lengthy file transfers, but the data that is transmitted is not stored in the Microsoft Proxy Server cache as it is with WWW information. Cached information can greatly improve the performance of Internet access through Microsoft Proxy Server.
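The Connection tab settings shown in Figures 2.6 and 2.7 point a workstation at one fixed proxy per service. Browsers that support Netscape-style automatic proxy configuration can instead load a small script (a .pac file) that decides per request which gateway to use and which to fall back to, which is the general form of the "list of gateways tried in turn" and "dedicated FTP proxy" arrangements just described. The script below is an added example, not part of the book or of Microsoft Proxy Server, and it assumes a browser with .pac support. It uses the book's proxy at 220.200.200.1, adds a hypothetical second proxy at 220.200.200.2 dedicated to FTP, and treats the hypothetical corp.example domain as internal.

```javascript
// Added example (not from the book): proxy auto-configuration (PAC) script for
// a LAN with two Microsoft Proxy Server gateways. 220.200.200.1 is the book's
// general-purpose proxy; 220.200.200.2 is a hypothetical second proxy dedicated
// to FTP. Both Web Proxy services listen on port 80 of their IIS server.
// Requests for hosts on the LAN go DIRECT. There is deliberately no DIRECT
// fallback for outside hosts: the workstations have no valid Internet
// addresses, so a direct attempt would only hang until it timed out.

var LAN_NET = '220.200.200.0';
var LAN_MASK = '255.255.255.0';
var WEB_PROXIES = 'PROXY 220.200.200.1:80; PROXY 220.200.200.2:80'; // tried in turn
var FTP_PROXIES = 'PROXY 220.200.200.2:80; PROXY 220.200.200.1:80'; // FTP box first

function FindProxyForURL(url, host) {
  // Unqualified names, LAN addresses and the internal domain are intranet
  // servers; the proxy must not be asked to fetch those from "outside".
  if (isPlainHostName(host) ||
      isInNet(host, LAN_NET, LAN_MASK) ||
      shExpMatch(host, '*.corp.example')) {
    return 'DIRECT';
  }
  // Split the load by service: long FTP transfers go to the FTP-dedicated
  // gateway first; HTTP and Gopher go to the general one first.
  if (url.substring(0, 4).toLowerCase() === 'ftp:') {
    return FTP_PROXIES;
  }
  return WEB_PROXIES;
}

// ---------------------------------------------------------------------------
// The browser supplies the three helper functions used above. Minimal versions
// are defined here so the script can be exercised outside a browser (for
// example with node); in the .pac file you deploy, delete everything below
// this line so the browser's own implementations are used.
// ---------------------------------------------------------------------------

function isPlainHostName(host) {
  return host.indexOf('.') === -1;
}

// Shell-style wildcard match: * matches any run, ? matches one character.
function shExpMatch(str, pattern) {
  var re = '^' + pattern
    .replace(/[.+^${}()|[\]\\]/g, '\\$&')
    .replace(/\*/g, '.*')
    .replace(/\?/g, '.') + '$';
  return new RegExp(re).test(str);
}

// Dotted-quad only. The browser's isInNet resolves host names first; this
// stand-in simply reports "not in net" for anything that is not an address.
function isInNet(host, net, mask) {
  if (!/^\d+\.\d+\.\d+\.\d+$/.test(host)) return false;
  function toInt(q) {
    return q.split('.').reduce(function (a, p) { return a * 256 + Number(p); }, 0);
  }
  return ((toInt(host) & toInt(mask)) >>> 0) === ((toInt(net) & toInt(mask)) >>> 0);
}
```

A browser tries the proxies in the returned list left to right and moves to the next one when a connection fails, so the second entry in each list is the fault-tolerance case from Figure 2.5. Keeping the LAN rules at the top is also a security point: a mistake there sends requests for internal servers out through the proxy, where they show up in its log and may be cached.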

Common Control Interface

When Microsoft Proxy Server is installed, it attaches itself to the same control interface used by other IIS servers. This control interface is accessed through one of two points. The Internet Service Manager can be started from either the Microsoft Internet Server folder or the Microsoft Proxy Server folder. Figure 2.8 shows the service manager:

Figure 2.8. The Internet Service Manager.

All Microsoft Internet servers will attach themselves to this common control interface. As you can see, both the Web Proxy server and the WinSock Proxy server show up as independent servers.

From this common interface, Microsoft Internet servers can be configured, stopped, started, or paused. As with most NT control interfaces, the Internet Service Manager can be used to view and control the status of Internet servers running on other NT machines. Details of how to use the Internet Service Manager can be found in Chapter 6.

Microsoft BackOffice

A lot of talk has been heard recently about Microsoft BackOffice, but I've found that not very many people understand what it means. Simply put, BackOffice is a reference to what Microsoft considers to be essential elements of an operating system that do not normally come with the OS itself.

Over the years, Windows operating systems have been packed with more and more features that people had at one time considered to be add-on type elements. For example, in the days of Windows 3.0, inter-office mail was not considered something that should be part of the operating system. Today, Exchange is shipped with both Windows 95 and Windows NT 4.0 as part of each operating system. Mail applications went from the back office to the front office.

Because Microsoft is beginning to focus heavily on Internet-oriented applications, software like Microsoft Proxy Server, IIS and SQL Server are all now considered to be part of the Microsoft back office family of products. As time goes by, these products are being woven more tightly into the OS. In a short while, elements that we now consider to be separate of the OS will be totally integrated. The following is a list of application packages that are considered to make up the Microsoft BackOffice family of servers:

SQL Server is the database engine of choice by Microsoft. Many of the sites on the Internet that are powered by Windows NT utilize SQL servers for search engines, forms processing, and other functions. SQL Server is definitely a separate package that can cost a pretty penny. Microsoft is pushing hard to get SQL Server more widely accepted than it is currently.

The MS Mail Server is the old standby office mail server that has shipped with Windows NT, Windows 95, and Windows 3.x for many years now. The Exchange Server is an improved form of the Mail Server that can handle such things as file transfers and Internet mail gatewaying for networks.

IIS is of course made up of all the Microsoft Internet server applications, such as the WWW server, FTP server, Gopher server, Microsoft Proxy Server, and all of the others that may come along in the future.

The SNA server is a server package created by Microsoft to facilitate NT's ability to interface with IBM mainframes. The Systems Management Server is a server package created to help facilitate remote control of NT servers. One of the biggest advantages of NT is that it is designed to be able to be controlled remotely. In the growing world of the Internet, being able to control a server remotely is a vital element.

How Much Does Microsoft Proxy Server Cost?

Microsoft Proxy Server costs roughly $995 and can be purchased from most software vendors. Separate licenses for Microsoft Proxy Server must be purchased for each Microsoft Proxy server installed on a network. However, there is no need for connection licenses for Microsoft Proxy Server as is needed with NT Server itself.

Summary

Hopefully this chapter gives you an idea of how Microsoft Proxy Server fits in as a member of the Microsoft concept of a fully integrated OS that is designed as an Internet platform. As NT grows in strength and popularity, its Internet abilities will gain the respect that the UNIX operating system has basked in for years now. Getting a grip on NT at this stage of the Internet game (yes, it's still pretty early) can give you an advantage in the network administrator's employment market of the future.