The most difficult element when preparing to install Microsoft Proxy Server is the actual connection to the Internet that will be used. LAN users have a wide range of options to use to connect to the Internet. The connection can be as simple as a normal dialup account to an ISP (Internet Service Provider), or it can be as complicated as a permanent connection with routers and CSU/DSU units. However, most people who have a permanent connection to the Internet will not need the services that Microsoft Proxy Server can provide because a permanent connection usually includes LAN-wide access to the Internet.
The hardware and software requirements of Microsoft Proxy Server are not much more demanding than the requirements of Windows NT 4.0. However, this chapter gives a basic outline of the requirements of all forms of connections, from modems to ISDN lines to permanent connections, such as a T1 line. This chapter will also cover the basics of installing and setting up RAS (Remote Access Services), which the majority of Microsoft Proxy Server users will be using to connect the NT machine running Microsoft Proxy Server to the Internet.
If your machine will run NT 4.0, it will run Microsoft Proxy Server. Keep in mind that the more services that run on an NT machine, the stronger that NT machine is going to have to be to keep up with network traffic. The nature of a Microsoft Proxy Server machine is to handle the traffic of multiple LAN workstations through a single connection to the Internet. The two most important items that should be focused on are RAM and connection speed to the Internet.
In order to get the basics out of the way, I've made a list of basic requirements which need to be met before NT 4.0 will install:
Microsoft Proxy Server requires nothing special in the way of hardware (outside of a connection method). Any connection method supported by NT can be used by Microsoft Proxy Server to route LAN Internet traffic to the outside.
By far, the best thing a network administrator can do to improve the performance on any NT server is to get more RAM for it. Though NT can get by on 12 or 16 megs of memory, adding an additional 16 megs or more will improve NT's performance greatly (70 to 100 percent sometimes). Depending on the number of services an NT machine is running, 32 megs of memory may not be enough. NT will be very happy with 64 megs of memory. With the price of memory now dropping like a stone, it's a great idea to get as much memory as you can afford. When buying memory chips, remember to buy the biggest density you can afford. Don't fill out SIMM slots with a lot of low density chips, or you will reduce your ability to upgrade at a later time. For example, if a motherboard has four SIMM slots each with an eight meg chip installed (for a total of 32 megs of memory), upgrading to 48 megs of memory means that you will have to buy two 16 meg chips and have no use for two of the eight meg chips. If on the other hand, the original 32 megs of memory was comprised of two 16 meg chips, no memory would be wasted when installing an additional 32 megs (two more 16 meg chips) into the two free SIMM slots. Make sure that a certain memory configuration will not waste chips if the system is later upgraded.
The number of internal connections Microsoft Proxy Server must support is also a factor in the amount of memory NT needs. The more connections Microsoft Proxy Server must maintain, the more memory is required. This is true for all forms of network connections. The TCP/IP protocol is a very memory-demanding protocol. Because Microsoft Proxy Server requires that the TCP/IP protocol be installed on the NT server it is running, 16 megs of memory will most likely be too little to provide adequate performance.
If the NT machine running Microsoft Proxy Server will be doing nothing but running Microsoft Proxy Server, a high-end 486, such as a DX4/100, will do fine. One factor in deciding CPU requirements is the speed of the Internet connection Microsoft Proxy Server is using. If the connection is a smaller one, such as a 28.8 Kbps modem or an ISDN link, a DX4/100 will be sufficient. If the connection is a high-speed permanent line, then a Pentium CPU should be used. If the CPU does not have to channel a large quantity of data between a few internal workstations and external Internet sites, a small CPU will work fine. If the CPU will have to channel large amounts of data between many internal workstations and external Internet sites, a small CPU will be overtaxed, no matter how much memory the system has.
Microsoft Proxy Server can cache most WWW objects (graphics, sound bites, and HTML documents, for example). This means that Microsoft Proxy Server can draw from a local hard drive to serve out Internet data that it has already handled. This improves performance to workstations and reduces the use of the outside link. The larger the cache, the more data Microsoft Proxy Server can maintain. If your LAN has many users accessing many different sites throughout the day, Microsoft Proxy Server may be expiring cache data far too soon for the cache to be of any use. By default, Microsoft Proxy Server should use a cache of at least 100 megs. This is a dynamic cache and can be expanded if too small. If an NT machine is going to be dedicated to only running Microsoft Proxy Server, it is a great idea to expand the Microsoft Proxy Server cache to be as large as possible. This will ensure that cache objects are not expired because of an influx of new objects. If many users will be using Microsoft Proxy Server to access a multitude of different web sites, objects in the cache could be flushed before they are ever called on again. This will nullify the use of the cache.
Hard drives, like memory, are dropping rapidly in price (Thank you, Western Digital, for starting that little price war...). IDE drives topping 3.1 gig can be bought for about $300 today. SCSI drives are slightly more expensive, but have greater flexibility, access speed and transfer rate. Installing a large drive with plenty of free space will allow Microsoft Proxy Server to have a large enough cache to prevent possible future problems.
Do not worry about installing a high-end video card. High-end video cards place higher demands on a system than low-end cards do. The great thing about NT servers is that very few tasks are (or should be) executed on them locally. This means that there is little need for video resolution above 640x480, or a color depth greater than 16 colors. If an NT machine is going to be used to create HTML documents or handle other graphically oriented tasks, the color depth should reach 256, or better yet, 65,000 colors. Because the de facto graphics standard on the Internet is JPG, 65,000 colors should be used to view these images. JPG is a graphics format which displays 16 million colors per image. Personally, I have never been able to see the difference between 65,000 and 16 million colors. Setting an NT machine to display 16 million colors can really place a lot of overhead on the system.
Microsoft Proxy Server can use any valid connection method that is supported by NT to talk to the Internet. Most people will be using a simple modem to start off with, and some people will be using an ISDN connection. No matter which of these connection methods will be used, RAS will be the software portion of the equation. If an NT machine already has a permanent connection to the Internet, it is most likely that the LAN the NT machine is connected to already has workstation-level access to the Internet. However, there are some situations where using Microsoft Proxy Server is preferable to letting workstations have valid Internet connections on their own.
I can't stress enough how important it is to use external connection devices over internal devices. Granted, external analog modems and ISDN modems are slightly more expensive than their internal counterparts, but the flexibility external devices have over internal devices far outweighs the cost factor. The following is a short list of benefits external devices have over internal devices:
The one drawback to having external devices rather than internal devices is that the ports the devices are connected to must be adequate to maintain the data passing through them.
Sadly, the device most computer manufacturers scrimp on is the serial port. Many serial ports installed in pre-made systems are substandard ports that are not suited for soundly passing large amounts of high speed data through them. The primary element of concern when dealing with serial ports is the generation of its UART chip. A UART, or Universal Asynchronous Receiver Transmitter chip, controls the flow of data passing through the port and ensures that what comes in from the outside (the device connected to the port) gets to the CPU in the same form it came in. Older UARTs are 8250 or 16450 generation, while newer UARTs are 16550AFN or 16650 chips. The 16550 UART had bugs in it in earlier incarnations and was updated a couple of times to worm those bugs out (ha ha ha... I kill myself sometimes.) The latest standard version of the debugged 16550 UART is the 16550AFN chip.
Advanced UART chips are very important because they handle the flow of serial data over very high speed connections. Port speeds of 115 Kbps are now standard for 28.8 or 33.6 Kbps modems. The importance of a high port speed cannot be stressed enough. Many people get confused about the difference between port speed and connect speed. Port speed is often referred to as DTE or Data Terminal Equipment speed (the speed at which the computer talks to the serial device or modem). The speed at which a modem connects to another modem is known as the DCE speed, or Data Carrier Equipment speed. Figure 3.1 shows the speed relationships:
The main reason for needing a higher port speed than connect speed is the use of hardware data compression. Nearly all modems used today use some form of data compression to increase the amount of data that can be passed through a modem connection. The same principle used with compressing data for storage in archive files, such as ZIP or LZH files, applies to passing data between modems. Because modems used in a Microsoft Proxy Server scenario or for dialup networking will be dealing with non-compressed data, a high port speed is essential. Take the following scenario, for example:
A Microsoft Proxy Server client is requesting a large HTML document of text from a web site. The connect speed being used is a 28.8 Kbps connection. The sending end performs hardware data compression on it and achieves a compression ratio of 3:1. This ratio is not out of the question, and sometimes even higher compression ratios can be achieved on certain types of data. So, in essence, 86.4 Kbps worth of data (28.8 x 3) is passing between the modems. When the data arrives at the receiving end of the connection, the receiving modem expands the data to its original size. Basically, the receiving end is getting data at a rate of 86.4 Kbps. The receiving end must be able to offload that data as quickly (or hopefully more quickly) as the modem can spit it out. This is the need for a high port speed. If the port speed is not sufficient to handle the stream of data being received, the sending end will have to wait for the receiving end to process it, and that means a drop in performance and efficiency.
The same principles apply in reverse. If the sending end is unable to feed the sending modem fast enough, the data stream will not be as full as it could be, and again the performance will not be as high as it could be.
Hardware data compression is not very useful at increasing the speed already-compressed data is transmitted. Images in JPG format are already very highly compressed, and archive files such as ZIP, ARJ, and LZH files are also tightly compressed. Hardware compression done by modems will achieve very little additional compression, if any. However, much of the data transmitted from web servers is not compressed.
Without advanced UART chips maintaining data integrity, data will be corrupted as it passes through the serial port. Because NT is a multitasking environment, the CPU is not constantly monitoring the serial ports and offloading the data as soon as it arrives. The data may have to wait a nanosecond or two before the CPU cycles around the serial port. FIFO chips refer to 16550 and 16650 UARTs. FIFO stands for First In/First Out. It's a reference to the manner in which UARTs ensure data integrity. The 16550 chip has an eight-byte buffer and the 16650 chip has a 32-byte buffer. These buffers are used to hold data until the CPU can cycle back around to the serial port to offload the data. Some non-standard UARTs may have expanded buffers, but the principles of data integrity are the same. UARTs prior to the 16550 did not have buffers.
As you can see, it is very important to have a port which is capable of supporting the amount of data a high speed modem may be sending. When ISDN modems enter the picture, port speeds of 345 Kbps and 460 Kbps are necessary to ensure reliable data transfers. Special serial port hardware can be purchased that supports these tremendously high speeds, but most of these ports are not based on 16xxx UART technology. Without a high enough port speed, the performance of a modem will not be what it could be, and workstation users will not be getting the fastest performance they could.
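The FIFO discussion above (a CPU that only gets back to the serial port every so often, and a buffer that must hold the bytes that arrive in between) can be turned into a small model. This is an added illustration, not code from the book: port speeds, the CPU service period and the 10-bits-per-byte wire framing are constructed assumptions, and the FIFO depths are the ones the text quotes for each UART generation. It shows how many bytes an overrun would cost a no-FIFO port versus an 8-byte and a 32-byte FIFO, and how long a CPU may stay away from the port at a given DTE speed before data is lost.

```python
"""Model of a UART receive FIFO drained by a CPU that only visits the port
periodically, as in the multitasking scenario described above.

Added illustration, not code from the book. Port speeds and service periods
are constructed sample values; the model assumes 10 bits per byte on the
wire (start + 8 data + stop) and that the CPU empties the whole FIFO each
time it services the port.
"""
from __future__ import annotations

from dataclasses import dataclass
from fractions import Fraction

WIRE_BITS_PER_BYTE = 10  # start bit + 8 data bits + stop bit (assumed framing)


def byte_time_us(port_bps: int) -> Fraction:
    """Exact time (microseconds) for one byte to arrive at the DTE speed."""
    return Fraction(WIRE_BITS_PER_BYTE * 1_000_000, port_bps)


def max_service_period_us(fifo_depth: int, port_bps: int) -> float:
    """Longest gap between CPU visits before a byte must be dropped."""
    return float(fifo_depth * byte_time_us(port_bps))


@dataclass
class UartReceiveSim:
    fifo_depth: int         # 1 models a pre-16550 single holding register
    port_bps: int           # DTE (port) speed the modem is pushing data at
    service_period_us: int  # how often the CPU cycles back to the port

    def run(self, n_bytes: int) -> tuple[int, int]:
        """Feed n_bytes back-to-back; return (delivered, lost_to_overrun)."""
        bt = byte_time_us(self.port_bps)
        fifo = 0
        delivered = lost = 0
        last_service = -1
        for i in range(n_bytes):
            arrival = i * bt  # exact Fraction, no floating-point drift
            # The CPU drains the FIFO at every multiple of the service period.
            tick = arrival // self.service_period_us
            if tick > last_service:
                fifo = 0
                last_service = tick
            if fifo < self.fifo_depth:
                fifo += 1
                delivered += 1
            else:
                lost += 1  # overrun: the FIFO/holding register was full
        return delivered, lost


def compare_uarts(port_bps: int, service_period_us: int,
                  n_bytes: int) -> dict[str, tuple[int, int]]:
    """Run the same burst through the three UART generations discussed."""
    depths = {
        "8250/16450 (no FIFO)": 1,
        "16550 (8-byte FIFO)": 8,
        "16650 (32-byte FIFO)": 32,
    }
    return {name: UartReceiveSim(d, port_bps, service_period_us).run(n_bytes)
            for name, d in depths.items()}


if __name__ == "__main__":
    # 100 ms of back-to-back data at a 115.2 Kbps port, CPU visiting every 1 ms.
    for name, (ok, dropped) in compare_uarts(115200, 1000, 1152).items():
        print(f"{name:22s} delivered={ok:5d} lost={dropped:5d}")
    gap = max_service_period_us(32, 460800)
    print(f"32-byte FIFO at 460800 bps tolerates a {gap:.0f} us CPU gap")
```

At 115.2 Kbps a byte lands every 86.8 microseconds, so a 1 ms CPU gap means eleven or twelve bytes per visit: the no-FIFO port keeps one of them, the 8-byte FIFO keeps eight, and only the 32-byte FIFO keeps them all.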
Internal devices obviously do not hook up to a serial port. Internal analog modems and ISDN modems have their own onboard UART chips that handle the data which passes between the modems and the CPU. Internal devices, like external devices, have separate speeds at which they talk to the CPU. The same terminology of port speed and connect speed applies to internal devices as it does to external devices.
If you are looking at Microsoft Proxy Server as a possible LAN Internet solution, you are most likely looking at it for its cost-cutting capability. Don't make the mistake of not optimizing your connection. An inefficient connection can make your online time increase. Depending on the ISP you or your company uses, online time may be an expensive part of the access equation.
Not too many people like my advice when it comes to what types of modems they should use. I don't toe the US Robotics line, nor have I ever been a Hayes lackey. I've had more experience with modems than most people, and I have come to a personal conclusion that the high-end modems are only high in price. I have tried all kinds of modems: cheap, mid-range, and expensive. I have always had the best luck with mid-range modems, such as Zoom, Cardinal and Supra. High-end modems such as USR and Practical Peripheral are just not what people make them out to be. I get a full 28.8 connection nearly every time I dial my ISP with my Supra or Zoom modems. USR and Practical Peripheral modems will hardly ever connect at a full 28.8 Kbps with anything other than another of their own kind. I know there are going to be some people out there screaming that I'm nuts, but that has been my personal experience.
Many external modems these days are stripped down and do not have a full range of status lights. Make sure that any modem you are considering purchasing has the following lights:
One element I have always admired in the Practical Peripheral modems has been a full four line LCD display indicating the modem status. This feature is only available on the ProClass Practical Peripheral modems, but is a very handy element to have.
Without a full range of status lights, it is difficult to figure out if a problem is due to a connection problem, or to a software configuration problem.
My opinion of ISDN has never been very good. I have never been a big believer in ISDN because in my area of the country it is prohibitively expensive and is metered (meaning you get charged by the minute for your online time). Also, few providers here in Indianapolis provide flexible and reliable ISDN service. However, I do realize that in other parts of the country ISDN is only slightly more expensive than regular phone service, and the metered rate is very reasonable. Also, ISDN hardware is becoming more affordable and easily obtained by the general public. Even Egghead Software now sells ISDN modems for around $300. So, who knows? I may be wrong about the future of ISDN.
ISDN is a digital interface. Digital is a faster and more reliable connection method. Standard modems communicate over analog links. Comparing analog to digital is like comparing vinyl albums to compact disks. The quality and capability of compact disks far exceeds that of old vinyl records. ISDN as a connection format is available in two forms. The first is known as Basic Rate Interface ISDN (BRI ISDN) and is the most common form of ISDN. The second form of ISDN is known as Primary Rate Interface (PRI ISDN) and is harder to find.
BRI ISDN is a digital connection consisting of three channels. The first is a 16 Kbps controller channel that the ISDN modems use to talk to each other (the D channel), and the other two are 64 Kbps channels which are used to carry data (the B channels). The B channels can be used together to reach a throughput of 128 Kbps, or they can be used separately as outbound or inbound data, or voice lines. ISDN is handled much like regular telephone connections in that an ISDN line is assigned a telephone number and can be dialed up just like a regular telephone. The B channels can be used independently for bi-directional communication. They can be used for standard voice communication as well. Many providers have various pricing schemes for utilizing ISDN channels together, or one at a time.
In my area (one of the most expensive areas, so I've been told), ISDN service costs about $90 to $120 a month in service fees alone. Per minute charges can run two or three cents, depending on the time of day.
PRI ISDN is equivalent in bandwidth to a full T1 line, but still has the flexibility of a periodic connection. PRI ISDN is broken up into 24 64 Kbps channels, 23 of which are used to carry data and the 24th is reserved for communication between the two ISDN units. Hardware for PRI ISDN connections is different than BRI ISDN and is much more expensive, usually costing from $1000 to $1200 for an ISDN unit. PRI ISDN also cannot be carried over standard copper lines as BRI ISDN can, making the installation costs much higher. If finding a provider for BRI ISDN is hard, finding a provider that offers PRI ISDN service is nearly impossible. Most people who use PRI ISDN are doing so for connections that transmit a high volume of data between set points rather than using PRI ISDN to link to the Internet.
If you are considering using PRI ISDN as your Internet connection, the better choice is committing to a T1 line. T1 access is a dedicated, 24-hours-a-day line of access which is not metered. Therefore, the amount of data passing over the line passes at one set cost.
Some providers can handle obtaining ISDN service for you and others can't. You may need to work through your phone company to get BRI ISDN service, if you want to go that route. If you are setting up an ISDN connection that is far away from a phone company junction, you may be required to pay extra for the connection because the phone company will need to put in a special high speed loop from your office or home to the nearest junction. In this way, ISDN is similar to a T1 line in that it needs a local loop to get to the nearest hookup point.
Getting dedicated access usually means that all the pieces are available for providing normal LAN-wide access to the Internet for all workstations on a network. This is usually the job of Microsoft Proxy Server through a smaller connection. However, there are ways of using Microsoft Proxy Server with a dedicated connection that provide greater control over how network users access the Internet.
Dedicated access usually involves working directly with a provider to get a dedicated digital line of some kind (such as a DDS, Fractional T1, or a Full T1). With this dedicated access usually comes a set of valid addresses to distribute to all workstations on the network so that each workstation can have a valid presence on the Internet and route correctly through the connection point. Figure 3.2 shows a diagram of a possible dedicated connection using a T1 line:
A CSU/DSU unit is a termination unit that converts the digital signal which passes along a T1 line into an Ethernet-compatible signal. A router is also capable of communicating via an Ethernet signal. Routers can cost between $1500 and $2500, and CSU/DSU units can cost between $1000 and $1500. Installation charges can also be fairly expensive for T1-level access, costing anywhere from $900 to $1500.
I've heard a wide range of monthly T1 charges, anywhere from $900 to $2000. Generally a T1 will cost at least $1200. That includes the charge for a local loop connection from your location to your provider's location and the bandwidth charge you will use from your provider's site to the Internet.
With the connection and hardware comes a subnet of addresses that can be used by all machines on a network for authentic Internet access through the connection point. A subnet consists of 254 addresses. Microsoft Proxy Server can be used in place of issuing valid addresses to all workstations. Microsoft Proxy Server can sit at the connection point and route traffic from locally assigned, non-valid Internet addresses out through the connection point. This offers a level of control over the traffic that passes through the connection point that a network administrator cannot get if all workstations on the network are valid Internet workstations.
The decision to get a dedicated access line is one that many companies are making these days. The use of the Internet is becoming more and more common for businesses and private individuals. This book does not focus on those scenarios which have a dedicated connection because it is assumed that the majority of readers of this book are looking for a solution to provide a cheaper alternative to LAN-wide Internet access.
There are two major software requirements that must be met before Microsoft Proxy Server will run correctly. The first is that the Internet Information Server must be running. The only component of this that must be installed is the Web server. The second software requirement is that a connection method must be used. This usually comes from RAS connecting to an ISP through an analog modem or ISDN modem. There are a couple of other minor points which will also be discussed in the following section.
With anything of this nature, any previous beta should be removed before installing a release version of the software. Beta software has a nasty tendency to sometimes use slightly different filenames for DLLs and configuration files. The release copy of software sometimes does not remove the references to these beta files. The end result is the release copy of the software sometimes still looks for beta file names. Removing these beta files before installing the release copy of the software will ensure that only the correct files are used.
To remove a beta version of Microsoft Proxy Server (known as Catapult), follow these steps:
Once any previous beta copies of Microsoft Proxy Server have been removed, you can install the release version of Microsoft Proxy Server.
The IIS web server is required for Microsoft Proxy Server to operate properly. Microsoft Proxy Server relies on the IIS web server to provide its listening capabilities for LAN requests for outside connections. Microsoft Proxy Server Web Proxy runs as a sub-service of the IIS web server and has no ability to operate on its own. Installation of the IIS web server can be done during the installation of NT 4.0, or it can be done at a later time.
To install the IIS server after NT 4.0 has been installed, you must have the NT 4.0 installation CD. The installation routine for the IIS server is found in the \i386\inetserv directory. Running INETSTP.EXE in this directory will begin the installation process. The only element necessary for Microsoft Proxy Server is the WWW server. Consult the NT online help for further information about installing IIS.
RAS can be installed during the installation of NT, or it can be installed later as a standard network service. It is sometimes difficult to install RAS during the original installation of NT if the modems that RAS will use are connected to non-standard serial ports. At no time during NT's original installation does the administrator have the ability to configure RAS to talk to non-standard serial ports. Non-standard serial ports must be configured after NT has been successfully installed. If all modems that RAS will use are on standard serial ports, RAS can be installed with NT without too much trouble. However, because RAS relies on so many other NT services, I tend to like to install it after NT is up and running.
To install RAS as an NT service, complete the following steps:
The primary purpose for RAS is to provide a dial in feature for outside users of a network. However, it can also operate as a dial out service for local users to connect to other networks. RAS can also be used to dial out and connect to the Internet. Under NT 4.0 the outbound capability of RAS is found in the Accessories folder as Dial Up Networking. This has been done to more closely parallel the look and feel of Windows 95.
By default, all RAS devices are set as inbound-only devices. To set a RAS device as an outbound and/or inbound device, highlight the device in the RAS list and select Configure. The following dialog box will allow you to set which direction a RAS device will operate.
Selecting the Network button will allow you to configure which network protocols will be bound to RAS for both inbound and outbound traffic. For Microsoft Proxy Server, RAS only needs to be enabled for outbound traffic, and only the TCP/IP protocol needs to be active on the RAS service. See Figure 3.5.
If any of the RAS devices are set for inbound connections, the dialog box you will see for setting up the Network options of RAS will be an expanded version of what you see in Figure 3.5. The inbound setup of RAS is not the focus of this section and will not be covered. Deselect all protocols except TCP/IP. Select OK.
Once the TCP/IP protocol has been set as the only protocol for outbound use, select OK at the Remote Access Setup dialog, and the installation of RAS will be finalized. The NT server will need to be restarted before a dial out connection can be made.
Once RAS is installed and the system rebooted, a new item will be available in the Accessories folder. This is the Dial Up Networking applet. With this application, a valid Internet connection to an ISP can be achieved as long as you have an account with the ISP. Start the Dial Up Networking applet.
The first time it is executed, the applet will prompt you to create a new entry to dial. A wizard will start that will prompt you for all the entry items needed to complete the dialing directory entry. If you choose, you can indicate that you are familiar with dial up networking settings and you would like to enter them manually. Figure 3.6 shows a dialing directory entry.
The important items for a dialing directory entry are as follows:
On the Server tab, next to the TCP/IP protocol check box, there is a TCP/IP Settings button. This allows you to manually enter some important numbers your provider may have given you. See Figure 3.7.
Most providers will assign an IP address to you dynamically. This means that you will be given a different IP address every time you log in to the provider. If you are lucky enough to have a static IP address, select the Specify an IP Address option and enter the IP address your provider should have already given you.
The next section, concerning DNS resolution, may need to be filled in. Depending on the version of UNIX OS that your provider is running, it may pass DNS location information out when logging on. If it does not, you will need to know the address of the DNS server that your provider uses to perform name resolution. If the provider's system passes DNS information out at login, leave the default of Server Assigned name resolution alone. WINS resolution is a NetBIOS name resolution service that is only applied under an NT network and is therefore not necessary for NT to UNIX connections.
The remaining two options can be left alone because if they are not options with your provider, they will not be correctly negotiated at connect, but will not interfere with the process of connecting.
Once the vital elements of an entry have been set, select OK and the entry will be saved and ready to dial. Figure 3.8 shows the primary Dial Up Networking interface which will be shown after the first dial up entry is created.
Select the Dial button to begin a dialout to the provider. If this is the first dial, NT will display a dialog similar to the one shown in Figure 3.9.
By default, NT pulls up the user name with which you are logged in to NT. This name is rarely the name your provider needs you to log in with. Enter your ISP login name and password. The domain field is only needed for connecting to another NT machine and should be cleared. NT will not correctly connect to a UNIX-based ISP if there is an entry in the domain field. Check the Save Password check box if you do not want to continually enter the password before dialing this ISP.
Click OK and Dial Up Networking should dial the ISP and connect. From this point on, the NT machine will have a valid connection to both the local LAN and the Internet. When Microsoft Proxy Server is running on the NT machine, it will be able to route local traffic out to the Internet.
Getting an account with an ISP is a fairly simple task. Most often it just takes a call and a credit card number. Some providers take 24 hours before an account is fully set up while others are able to get an account ready in one hour. Some questions to ask your provider are:
Once these questions are answered, you should have enough information to complete configuring your end to connect to the provider.
Many providers will disconnect a connection if it has been inactive for a certain amount of time. This is usually 10 or 15 minutes. In order to keep a connection alive when there may not be activity on the connection for a long time, you may find you need a simple program that goes out and passes a small amount of data through the connection at regular intervals just to keep it alive. Many of these types of programs exist and can be found on various Internet sites.
Note: One of the best sites for finding Windows 95 and Windows NT software is www.windows95.com.
A utility I use to keep connections to my ISP open is called Ponger32. This utility can be used to ping a site at regular intervals or request a time response (where your system basically asks the host "what time is it?"). This will keep a connection open and prevent an ISP from shutting it down. Look around your favorite file sites and you should be able to find Ponger32, or something similar to it.
Microsoft Proxy Server has the ability to automatically dial a provider if the Internet connection is not currently available when a proxy client requests a connection. This is known as Auto Dial. Configuring Auto Dial is done through an external application found in the Microsoft Proxy Server folder. This application can be used to configure which ISP is dialed and what times of the day the ISP can be dialed. By default, Auto Dial is not enabled and the administrator is responsible for making the connection from the Microsoft Proxy Server to the Internet. Appendix B, "Auto Dial," covers setting up Auto Dial and the issues involved with it.
Just as ISPs have timeout periods, NT also has its own timeout period. By default, if a RAS connection is not used within 20 minutes, NT will shut it down. If your ISP does not have a time out value, you can turn off NT's timeout value so you will not need a utility such as Ponger32 to keep the NT side of the connection alive. The NT timeout value can be disabled by editing a key in the registry.
To start the NT registry editor, open a Command Prompt and enter the command REGEDT32.EXE. Locate the following key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RemoteAccess\Parameters\Autodisconnect
The Autodisconnect value is a hexadecimal value and is set to 14 (14 in hexadecimal notation = 20 in standard decimal notation). Editing this value and setting it to 0 will disable the timeout value for RAS connections. Be careful when editing the registry. Making incorrect changes will sometimes render NT unbootable, and only a reinstallation of the system will take care of the problem.
Microsoft Proxy Server requires that the TCP/IP protocol be installed on the NT machine on which it is running. Obviously, to make a successful connection to a TCP/IP UNIX host, the TCP/IP protocol must be installed first. Connections to LAN workstations do not have to be through the TCP/IP protocol. Microsoft Proxy Server WinSock Proxy will function via the IPX/SPX protocol. The Web Proxy portion of Microsoft Proxy Server will only function correctly via the TCP/IP protocol. When IPX is the transport protocol between workstations and Microsoft Proxy Server, all Internet requests from workstations are handled as though they are external requests and WinSock Proxy server will manage them all.
In order for IPX/SPX to be successfully used as the primary workstation transport method, the WinSock Proxy client software (provided with Microsoft Proxy Server) must be installed on all workstations wanting access to the Internet. Applications that would normally use the Web Proxy server (such as Netscape, IE 3.0, CERN proxy compatible FTP clients) will have to use the WinSock Proxy server instead because the Web Proxy server can only communicate with clients via a direct TCP/IP link.
Other than those minor points, Microsoft Proxy Server is very flexible when it comes to operating via either the TCP/IP or IPX/SPX protocols.
Under rare conditions, it is possible for outside packets to slip into a LAN which is connected to the Internet. This opens up the possibility for outsiders to have access to resources within the network. At the very least, the following conditions would have to be met before LAN security would be compromised. Keep in mind this issue has nothing to do with Microsoft Proxy Server because Microsoft Proxy Server only directs internal traffic outward.
As you can see, it's not very likely that a breach of security will ever occur. However, Microsoft has never been accused of under-doing something.
The last item in the list can be the total stopping point for all inbound TCP/IP accesses to the LAN. When IP Forwarding is disabled, the NT machine connected to the Internet and the LAN will not pass IP packets between NICs. To disable IP Forwarding, complete the following steps:
There, your LAN is ultimately secure. The NT machine will need to be restarted before the change takes effect.
Don't think that by disabling IP Forwarding you are preventing Microsoft Proxy Server from doing its job. Microsoft Proxy Server does its own separate, secure routing of LAN traffic out to the Internet.
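A small audit script, added here as an example (not the book's code), that reads the two registry settings this chapter touches on, the RAS Autodisconnect value quoted earlier and the IP Forwarding state, and reports what each means for the proxy host. The Autodisconnect path is the one given in the text; IPEnableRouter under Tcpip\Parameters is the DWORD behind the TCP/IP "Enable IP Forwarding" checkbox and comes from my own knowledge, not from the chapter. The registry read only works on Windows; the interpretation functions are pure so they run anywhere.

```python
"""Report the RAS idle timeout and IP Forwarding state of an NT proxy host."""
import sys
from typing import List, Optional, Tuple

# HKLM subkeys; the first is quoted in the chapter, the second is assumed.
RAS_PARAMS = r"SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters"
TCPIP_PARAMS = r"SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"


def read_dword(subkey: str, name: str) -> Optional[int]:
    """Return a REG_DWORD under HKLM, or None if absent or not on Windows."""
    if not sys.platform.startswith("win"):
        return None
    import winreg  # only importable on Windows, hence the late import
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as key:
            value, kind = winreg.QueryValueEx(key, name)
    except OSError:
        return None
    return int(value) if kind == winreg.REG_DWORD else None


def describe_autodisconnect(minutes: Optional[int]) -> str:
    """Autodisconnect is stored in minutes (0x14 = 20); 0 turns it off."""
    if minutes is None:
        return "Autodisconnect not found; the chapter's default of 20 minutes applies"
    if minutes == 0:
        return "Autodisconnect disabled: idle RAS links stay up until dropped by the ISP"
    return f"idle RAS links are dropped after {minutes} minutes (0x{minutes:X})"


def forwarding_finding(ip_enable_router: Optional[int]) -> Tuple[bool, str]:
    """(is_risk, message). Forwarding on a dual-homed proxy host lets IP
    packets pass between the Internet NIC and the LAN NIC."""
    if ip_enable_router:
        return True, "IP Forwarding ENABLED: the host will route between NICs"
    return False, "IP Forwarding disabled: no IP routing between NICs"


def audit() -> List[str]:
    """Collect both findings; risks are prefixed so they stand out in a log."""
    lines = [describe_autodisconnect(read_dword(RAS_PARAMS, "Autodisconnect"))]
    risk, msg = forwarding_finding(read_dword(TCPIP_PARAMS, "IPEnableRouter"))
    lines.append(("RISK: " if risk else "OK: ") + msg)
    return lines


if __name__ == "__main__":
    print("\n".join(audit()))
```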
One of the most secure actions you can take to make certain that your system is never compromised is to use NTFS (NT File System) on all important disk drives. NTFS is an alternate file system to FAT and has many advanced security and performance enhancements that will make Microsoft Proxy Server run more smoothly and allow you as network administrator to control just who has access to what on the server, right down to the file level.
Access Control Lists can be created for individual directories that control which users have access to the files held within. Consult the online NT help for more details concerning how to implement ACLs.
When installing NT for the first time, you have the option of converting the NT boot partition to NTFS format. This is a non-destructive conversion from FAT and takes very little time to complete. A disk can also be converted to NTFS at a later time by using the CONVERT.EXE utility found in the \WINNT directory. The command is used in this manner:
CONVERT D: /FS:NTFS
Conversions will take place immediately unless the NT boot partition is being converted. If the boot partition is being converted, the system will need to be restarted in order for the conversion to take place.
Hopefully this chapter gives you an understanding of the hardware and software requirements needed by Microsoft Proxy Server to operate correctly and to the best of its ability. This chapter also covers connection issues that will give you a clearer understanding of how Microsoft Proxy Server talks to the Internet and the costs involved.