Proxy Server 2.0 Release Notes
ID: Q174922
**********************************************************************
Microsoft(R) Proxy Server 2.0 Release Notes
September 1997
**********************************************************************
(c)1997 Microsoft Corporation. All rights reserved.
Please review this entire document before you install Microsoft Proxy
Server version 2.0. It contains important information about installing
and using Proxy Server, and it supplements the on-line documentation
that is installed with the product.
======================================================================
CONTENTS
======================================================================
* Software Requirements
* Internet Information Server Fix
* Internet Explorer 3.02, Script Routing & NTLM
* Internet Explorer 3.x, NTLM, & SSL
* Display Not Synchronized When Viewing Documentation On-Line
* Installing Internet Information Server 4.0 With Proxy Server
* Proxy Server With Single Network Adapter Configuration
* Client Configuration Dialog Box
* Starting and Stopping the Socks Proxy Service
* NetBIOS Packet Filtering Issues
* WinSock Proxy Domain Filters
* Enabling Passive FTP For Web Proxy
* Server Proxy Issues For Using Exchange With DNS
* Packet Filtering Slows Performance if server uses Identd
* Additional Notes On Configuring Packet Filters
* Administering Arrays
* Registry Entries for Arrays
* Registry Entry for Disabling Socks Proxy
* Remote Use Of System Services With WinSock Proxy
* Setting Autodisconnect for Auto Dial
* Web Browsers That Support SOCKS v4.3 Do Not Proxy DNS Lookups
* Using Routing and Remote Access Service (RRAS)
* Logging to an Access Database
* Acknowledgments
======================================================================
SOFTWARE REQUIREMENTS
======================================================================
The following components must already be installed on the server
computer before you install Proxy Server 2.0:
* Microsoft Windows NT(R) Server version 4.0 or later
* Microsoft Internet Information Server version 3.0 or later
* Service Pack 3 or later for Microsoft Windows NT Server 4.0
======================================================================
INTERNET INFORMATION SERVER FIX
======================================================================
There is a bug in Microsoft Internet Information Server Version 3.0
that can cause the Web service to abnormally terminate.
You should download and install the software fix on any computer
that runs IIS and/or Microsoft Proxy Server.
You can use your browser to connect to:
ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/nt40/
hotfixes-postSP3/iis-fix/
For more information on this IIS issue, read the Q143484.txt
file. For information on how to download and install the fix, read
the readme.txt file.
======================================================================
INTERNET EXPLORER 3.02, SCRIPT ROUTING AND NTLM
======================================================================
When using Proxy's routing script with Internet Explorer version 3.02,
NTLM authentication does not work properly. This is fixed in IE
version 4.0.
======================================================================
INTERNET EXPLORER 3.X, NTCR, & SSL
======================================================================
When using some versions of Internet Explorer version 3.x with Micro-
soft Proxy Server, NTCR authentication does not work properly when
accessing secure web sites (https://...). Please check IE information
on the Microsoft Corporation Web page, or Microsoft Knowledge Base,
etc. for an update on this issue.
======================================================================
DISPLAY NOT SYNCHRONIZED WHEN VIEWING DOCUMENTATION ON-LINE
======================================================================
Occasionally when viewing the on-line documentation, you may detect
problems with the display topics being unsynchronized with a selected
topic in the contents view. This problem has been reported during
some installations, particularly where "Index" mode is used to view
the table of contents. If you detect this problem, reselecting the
topic appears to resolve the problem and refresh the display
correctly.
To reselect a topic and refresh the display:
1. Click a topic in the table of contents, then click "Display".
2. In "Topics Found", double-click the topic.
Note: As an option, you may redisplay a topic in "Topics Found" by
clicking it once and then clicking "Display."
======================================================================
INSTALLING INTERNET INFORMATION SERVER 4.0 WITH PROXY SERVER
======================================================================
Note: The information provided in this section is current for
installing and using the Beta 3 release of Microsoft Internet
Information Server (IIS) 4.0 with Microsoft Proxy Server. For possible
changes between Beta 3 and the final release of IIS 4.0, review final
release notes for IIS 4.0.
>>> Upgrading to IIS 4.0 with Microsoft Proxy Server 1.0
Before installing IIS 4.0, you must upgrade from MSP 1.0 to MSP 2.0.
You can upgrade and install MSP 2.0 using an in-place upgrade
directly over your previous installation of MSP 1.0. There is no
need to uninstall MSP 1.0 prior to upgrading. In addition, MSP
maintains prior server configuration settings, such as Access Control
Lists (ACLs) and other settings, after the upgrade to MSP 2.0 is
completed.
>>> Upgrading to IIS 4.0 with Microsoft Proxy Server 2.0
Once you upgrade to use IIS 4.0 on a server computer running MSP 2.0
and IIS 3.0, you will need to run MSP 2.0 setup again. This rein-
stallation is needed because IIS 4.0 installs Microsoft Proxy
Server as a global ISAPI filter for all Web servers. Repeating MSP
2.0 setup configures Microsoft Proxy Server correctly, as a
non-global filter of the IIS default Web service for the local server
computer (or "localhost").
There is no need to uninstall MSP 2.0 prior to upgrading to IIS 4.0.
Also, MSP 2.0 maintains prior settings, such as Access Control Lists
(ACLs) and other configuration settings when in-place reinstallation
of MSP 2.0 is completed.
>>> Verifying Authentication Settings After IIS 4.0 is Installed
After you have upgraded to IIS 4.0, you should verify that "Password
Authentication" settings are maintained and correctly configured as
you have chosen to use them in IIS 3.0.
For IIS 3.0, "Password Authentication" properties are set using the
Internet Service Manager (ISM). To view or modify these settings
using ISM, do the following:
1. Double-click the computer name next to the "WWW service."
2. Under "Password Authentication", note which methods are selected
for use in authenticating users. The methods that can be option-
ally set include either "Allow Anonymous", "Basic (Clear Text)",
or "Windows NT Challenge/Response".
3. Click "OK" or "Cancel" to close this dialog.
For IIS 4.0, "Password Authentication" properties are set through use
of Microsoft Management Console (MMC). To view or modify these settings
using MMC, do the following:
1. From the Start menu, select "Programs"-->"Microsoft Proxy Server"
-->"Microsoft Management Console"
2. In MMC, double-click the IIS root folder in the scope pane on the
left to open and expand its contents.
3. Double-click "Default Web Site" to open and expand its contents.
4. Double-click "SCRIPTS" to open and expand its contents.
5. Click "Proxy".
6. Right-click and select "Properties".
7. Click the "Directory Security" tab.
8. In "Password Authentication", click "Edit".
9. Verify password authentication settings are set correctly as
previously configured for IIS 3.0 in the previous procedure
using ISM.
Note: If you have Windows NT 4.0 Option Pack installed, you may also
open the IIS management console as described in step 1 using the
following alternate shortcut:
From the Start menu, select "Programs"-->"Windows NT 4.0 Option
Pack"-->"Microsoft Internet Information Server"-->"Internet
Service Manager"
======================================================================
PROXY SERVER WITH SINGLE NETWORK ADAPTER CONFIGURATION
======================================================================
You can run Microsoft Proxy Server on a computer with only a single
internal network adapter, such as for a chained downstream configura-
tion or a caching-only configuration. Since such a computer has a
single IP address, the following considerations apply:
* Packet filtering cannot be enabled.
* It is advised that you either disable the WinSock Proxy service, or
disable access control for the WinSock Proxy service if the Proxy
Server computer is connected to the Internet.
======================================================================
CLIENT CONFIGURATION DIALOG BOX
======================================================================
There is a check box in the "Client Configuration" dialog box that is
missing from the product's online documentation.
This check box can be used to determine whether or not Web
browsers use the Configuration URL to automatically download a client
configuration script. The check box is "Configure Web browsers to use
Automatic Configuration", and is located under "Automatically
configure Web browser during client setup." By default, this feature
is disabled.
In addition, the client configuration file, Mspclnt.ini, has an
entry "Set Browsers to use Auto Config" in the [Common]
section to support this feature.
======================================================================
STARTING AND STOPPING THE SOCKS PROXY SERVICE
======================================================================
In the on-line documentation, under "Administration"-->"Setting Server
Parameters"-->"Configuring Auto Dial" -> "Restarting Services",
the following command-line syntax is invalid:
NET STOP | START SPSVC for the Socks Proxy service
Proxy Server's Web Proxy and Socks Proxy run within the WWW service of
IIS. To stop or start these proxy services, use:
NET STOP | START W3SVC
======================================================================
NETBIOS PACKET FILTERING ISSUES
======================================================================
By default, packet filtering is not enabled when Microsoft Proxy
Server is installed. Where packet filtering is enabled, this section
details recommended configuration options for secure and reliable
operation of the proxy server depending on your need to allow or
restrict NetBIOS traffic on the server's external network interface.
With packet filtering enabled on Microsoft Proxy Server, several pre-
defined filters for NetBIOS are provided for your use. Depending on
your need to support NetBIOS traffic on the server's external network
interface, you may choose among the following ways to configure WINS
client and NetBIOS packet filtering options for Microsoft Proxy
Server:
* If NetBIOS traffic is not used or supported on the external net-
work, the WINS client should be disabled in bindings for the
server's external network adapter card. In addition, the prede-
fined NetBIOS filters should NOT be activated.
* If NetBIOS traffic is used and supported on the external network,
the WINS client can remain enabled by default in bindings or be
disabled as needed.
In addition, where NetBIOS must be supported on the external
network, activate the predefined NetBIOS filters for the following
reasons:
* Where the WINS client is enabled for the server's external network
interface, activate the predefined "NetBIOS (WINS client only)"
filter to provide secure filtering of NetBIOS traffic by Microsoft
Proxy Server between the internal and external networks.
* Where the WINS client is disabled for the server's external net-
work interface, NetBIOS traffic is securely blocked from
entering the internal network. This policy is in effect regard-
less of whether NetBIOS predefined filters are activated. However,
if the NetBIOS predefined filters are not activated, the packet
filter driver will detect any NetBIOS broadcast packets on the
external network that are received on the server's external
adapter card as a possible attack on the proxy server.
Consequently, it will log each of these packets and possibly
generate an alert. This results in system overhead, and reduction
in the usefulness of the logging & alerting features. To avoid this
situation, you can activate the "NetBIOS (All)" predefined
packet filter to stop logging of these NetBIOS packets when
NetBIOS traffic is expected on the external network.
======================================================================
WINSOCK PROXY DOMAIN FILTERS
======================================================================
In the on-line documentation, under "Administration"-->"Setting
Security Parameters"-->"Domain Filters", the following note is
incorrect:
"To control WinSock Proxy access to Internet sites, create a filter
for both the domain and the IP address of the site. When a WinSock
application attempts to access an Internet site, it first converts
the domain name to the IP address, and then tries to access the
site by using the IP address. When the default filtering policy is
set to "Denied", the filters (which allow access) must be created
for both the domain name and IP address in order for access to that
site to succeed."
To control WinSock Proxy access to Internet sites, you only need to
create a filter for the domain name. It is no longer necessary to
create an additional domain filter for the IP address of an Internet
site.
======================================================================
ENABLING PASSIVE FTP FOR WEB PROXY
======================================================================
FTP service can use two possible types of communication between the
FTP server and its clients: passive FTP mode and non-passive FTP. Some
FTP servers do not support both types.
* How "non-passive" (or traditional) FTP works
In "non-passive" FTP, the client connects to the server making a
control channel. For each data operation, the client tells the server
how to connect back to it, specifying the parameters for the data
connection (data port, transfer mode, representation type, and
structure). The server then uses these parameters to make the data
channel.
This type of FTP communication is the same as the model for FTP
specified in the Internet standard draft for FTP (RFC 959) and has
been traditionally used on all TCP/IP networks in the past.
"Non-passive" FTP is required for all FTP service implementations and
is by default the mode of FTP communication used by the Web Proxy
service in Microsoft Proxy Server versions 1.0 and 2.0.
* How Passive FTP differs from "Non-passive" FTP
Passive FTP differs from "non-passive" FTP in that the client is
responsible for making all connections with the server, including the
initial connecting request and subsequent data channel connections.
In this way, passive FTP provides some additional security to the
client against malicious attack by an FTP server.
Because passive FTP is used on some recently implemented FTP servers
on the Internet, Microsoft Proxy Server 2.0 provides support through
the Windows NT Registry to enable the Web Proxy service to use
passive FTP mode if it is needed. You may also need to support passive
FTP for the following reasons:
* You are using a firewall that cannot allow an inbound connection
from the FTP server.
* You are using third-party FTP applications. Some applications are
simpler to configure where passive FTP is used.
To enable Web Proxy support for passive FTP mode, the following reg-
istry key can be modified. The entry name, data type, and supported
values are as follows:
* NonPassiveFTPTransfer is type REG_DWORD. The default value for this
entry is 1, which uses Sendport (or "non-passive") FTP as the
default transfer mode for FTP proxy.
If the entry is changed to 0, the Web Proxy service will support FTP
proxy with servers that use passive FTP mode. Otherwise, the value
should be left to its default value of 1.
This entry is installed by Microsoft Proxy Server to the following
Windows NT Registry key path:
HKEY_LOCAL_MACHINE\SYSTEM
\CurrentControlSet
\Services
\W3proxy
\Parameters
You should exercise caution when making any changes to the Windows NT
Registry.
Note: Passive FTP support is not an issue for the WinSock Proxy
service which supports both passive and "non-passive" modes of FTP.
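The difference between the two modes shows up on the FTP control channel (RFC 959): a PORT command advertises a listener on the client side, while a 227 reply to PASV advertises one on the server side. The following is an added example, not part of the original release notes; the function names and sample lines are constructed, and for Web Proxy the "client" is the proxy server itself.

```python
import re
from typing import NamedTuple, Tuple


class DataChannel(NamedTuple):
    mode: str        # "non-passive" or "passive"
    listener: str    # side that opens a listening port
    initiator: str   # side that dials the data connection
    host: str        # address the listener advertised
    port: int        # p1 * 256 + p2


# h1,h2,h3,h4,p1,p2 with no extra digits glued to either end.
SEXTET = re.compile(
    r"(?<!\d)(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})(?!\d)"
)


def decode_endpoint(text: str) -> Tuple[str, int]:
    """Decode the h1,h2,h3,h4,p1,p2 form shared by PORT and the 227 reply."""
    match = SEXTET.search(text)
    if match is None:
        raise ValueError("no h1,h2,h3,h4,p1,p2 field in %r" % text)
    nums = [int(g) for g in match.groups()]
    if max(nums) > 255:
        raise ValueError("field above 255 in %r" % text)
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def data_channel(control_line: str) -> DataChannel:
    """Classify one control-channel line that sets up a data connection."""
    line = control_line.strip()
    if line.upper().startswith("PORT "):
        # Non-passive: the client listens, the server connects back to it.
        host, port = decode_endpoint(line[5:])
        return DataChannel("non-passive", "client", "server", host, port)
    if line.startswith("227"):
        # Passive: the server listens, the client makes the connection.
        host, port = decode_endpoint(line[3:])
        return DataChannel("passive", "server", "client", host, port)
    raise ValueError("not a PORT command or 227 reply: %r" % line)


def needs_inbound_to_client(channel: DataChannel) -> bool:
    """True when the FTP server must connect back toward the client side,
    which a firewall that refuses inbound connections will block."""
    return channel.initiator == "server"


# Constructed control-channel lines (addresses are documentation ranges).
NON_PASSIVE = "PORT 192,0,2,10,4,1"
PASSIVE = "227 Entering Passive Mode (203,0,113,5,19,137)"

if __name__ == "__main__":
    for sample in (NON_PASSIVE, PASSIVE):
        ch = data_channel(sample)
        print("%-12s %s listens on %s:%d, %s connects, inbound needed: %s" % (
            ch.mode, ch.listener, ch.host, ch.port, ch.initiator,
            needs_inbound_to_client(ch)))
```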
======================================================================
SERVER PROXY ISSUES FOR USING EXCHANGE AND DNS
======================================================================
Server proxy allows you to place a server, such as Microsoft Exchange
Server using the Internet Mail Connector (IMC) on your private network
behind Microsoft Proxy Server. With this configuration, an Exchange
Server can provide Internet mail service by using the WinSock Proxy
client and relying on features of Proxy Server 2.0 for
protection. In addition, the Exchange Server computer will not
require an additional registered Internet IP address.
* How Server Proxy Works
The WinSock Proxy Client allows you to bind services or applications
to the external network interface of the server computer running
Microsoft Proxy Server. Once a service or application is bound on
the external network interface, it is then available to hosts on
the Internet. The proxy server will then "listen" for connections on
behalf of the service or application.
For example, if you bind an internal SMTP/POP mail server to the
proxy server, mail clients or SMTP servers on the Internet would be
able to contact this mail server by connecting to the proxy server's
Internet IP address. To remote computers on the Internet, these
services will appear to be running on the proxy server computer.
* Setting Up Server Proxy for Exchange Server
>>> To set up server proxy for Exchange Server 5.0:
1. Install and configure Microsoft Proxy Server.
2. Install and test the WinSock Proxy (WSP) Client on the Exchange
Server computer by running a WinSock client application.
Once the WSP Client is working, additional settings are required
for server proxy on the Exchange Server. In most cases, you
should create specific and local Wspcfg.ini files (instead of
making changes in Mspclnt.ini) for the Exchange Server since
these settings will not need to be globally applied to all WSP
Client users on your network.
3. Place the Wspcfg.ini file in the directory where the application
*.Exe file is installed.
Note: Since Exchange Server has more than one .exe file for Inter-
net mail and each EXE needs to be bound to the proxy, more than
one Wspcfg.ini file will be needed.
4. Create a Wspcfg.ini file for use with the Exchange SMTP service.
Add the information below to Wspcfg.ini and place this file in the
directory where Msexcimc.exe is located.
[MSEXCIMC]
ServerBindTcpPorts=25
Persistent=1
KillOldSession=1
Note: The SMTP port (25) on the Exchange Server will then be bound
to the proxy server's port 25.
5. Create a second Wspcfg.ini file for the Exchange store (Store.exe).
Add the information below to this Wspcfg.ini and place the file in
the directory where Store.exe is located.
[STORE]
ServerBindTcpPorts=110,119,143
Persistent=1
KillOldSession=1
Note: Additional ports, such as ports 119 and 143 shown above, can
be listed since Store.exe provides Network News Transfer Protocol
(NNTP) on port 119, POP mail on port 110, etc.
6. If dynamic packet filtering is enabled (recommended), the proxy
server will dynamically open all necessary ports when they are
requested. No special configuration is needed.
7. Stop and start the Exchange services or reboot the Exchange Server
for the new settings to take effect.
8. You should now be able to contact the Exchange server by connect-
ing to the proxy server's Internet IP address using SMTP, NNTP, or
POP.
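Each ServerBindTcpPorts entry publishes an internal service on the proxy server's Internet address, so the Wspcfg.ini files are worth reviewing against what you intend to expose. The following audit is an added example, not part of the original release notes or of Proxy Server; the approved-port set, the function names and the "drifted" sample are assumptions, and it assumes Wspcfg.ini parses as an ordinary INI file.

```python
import configparser
from typing import Dict, List, Tuple

# Assumption: site policy allows exactly the ports bound in steps 4 and 5.
APPROVED_PORTS = {25, 110, 119, 143}

# The two files from steps 4 and 5 above.
SMTP_INI = """[MSEXCIMC]
ServerBindTcpPorts=25
Persistent=1
KillOldSession=1
"""
STORE_INI = """[STORE]
ServerBindTcpPorts=110,119,143
Persistent=1
KillOldSession=1
"""
# Constructed sample: an extra port crept in and KillOldSession was dropped.
DRIFTED_INI = """[STORE]
ServerBindTcpPorts=110,119,143,8080
Persistent=1
"""


def split_ports(raw: str) -> Tuple[List[int], List[str]]:
    """Split a comma-separated port list into valid ports and bad tokens."""
    ports, bad = [], []
    for token in (t.strip() for t in raw.split(",")):
        if token.isascii() and token.isdigit() and 0 < int(token) < 65536:
            ports.append(int(token))
        elif token:
            bad.append(token)
    return ports, bad


def load(text: str) -> configparser.ConfigParser:
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return parser


def published_ports(text: str) -> Dict[str, List[int]]:
    """Map each section (application) to the TCP ports it binds on the proxy."""
    parser = load(text)
    result = {}
    for section in parser.sections():
        raw = parser.get(section, "ServerBindTcpPorts", fallback="")
        result[section] = split_ports(raw)[0]
    return result


def audit_wspcfg(label: str, text: str, approved=APPROVED_PORTS) -> List[str]:
    """Return findings for one Wspcfg.ini; an empty list means it matches."""
    findings = []
    parser = load(text)
    for section in parser.sections():
        raw = parser.get(section, "ServerBindTcpPorts", fallback="")
        ports, bad = split_ports(raw)
        where = "%s [%s]" % (label, section)
        for token in bad:
            findings.append("%s: unparseable port %r" % (where, token))
        for port in ports:
            if port not in approved:
                findings.append("%s: port %d is published but not approved"
                                % (where, port))
        if not ports:
            continue  # nothing published, so the session keys do not matter
        for key in ("Persistent", "KillOldSession"):
            if parser.get(section, key, fallback=None) != "1":
                findings.append("%s: %s is not set to 1" % (where, key))
    return findings


if __name__ == "__main__":
    for label, text in (("imc", SMTP_INI), ("store", STORE_INI),
                        ("drifted", DRIFTED_INI)):
        print(label, published_ports(text), audit_wspcfg(label, text) or "ok")
```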
* Configuring DNS for Server Proxy with Exchange Server
1. Verify that any MX and A resource records used by remote mail
servers on the Internet refer to the IP address for the proxy
server's external network adapter and not the internal IP
address of the Exchange Server or SMTP server itself.
For example, if your registered Internet domain name is
"mydomain.com", and your internal Exchange server uses a DNS host
name of "exchange1", you would need to use an MX, or mail ex-
changer, record to provide other Internet hosts the name of your
internal Exchange server. In this case, an MX record added in
the "mydomain.com" zone could provide this information as follows:
mydomain.com IN MX 10 exchange1.mydomain.com
You would then need to create an A, or address, record for
"exchange1.mydomain.com" that uses an external IP address of the
proxy server. If the external IP address of your proxy server
were 127.34.56.89, you would add the following A record to the
"mydomain.com" zone:
exchange1.mydomain.com IN A 127.34.56.89
In addition, you can add or create a PTR, or pointer, record to
the "mydomain.com" zone to provide reverse lookup. A valid PTR
record to do this would be:
89.56.34.127.in-addr.arpa IN PTR exchange1.mydomain.com
2. The Exchange/SMTP server computer must be configured to resolve
external (Internet) names by directly accessing an 'external' DNS
server.
Specify a DNS server on the DNS server search listing of your
Exchange/SMTP server computer that can resolve Internet DNS
addresses.
This DNS server can be a server located on your network, located
on your Proxy Server gateway computer, or located externally on
the Internet. The IP address of this DNS server must be listed
on the same machine running Exchange Server that is used to route
mail from your network to the Internet.
You may assign the DNS server's IP address to the Exchange Server
using either static or dynamic assignment. For static assignment,
set the IP address by adding it to "DNS Service Search Order" in
TCP/IP Protocol Properties. For dynamic assignment, configure your
DHCP server to provide this address by way of the standard DHCP
assigned option code 6 (DNS Server List) to your Exchange Server
machine. (Note: if your Exchange Server uses DHCP to obtain its
IP address, you should reserve this address with the DHCP server
for permanent assignment to the Exchange Server computer.)
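The MX, A and PTR records in step 1 can be checked mechanically: the MX target must have an A record, that address must be the proxy server's external address rather than anything in the LAT, and a PTR record, if present, must point back to the same name. The following is an added example, not part of the original release notes; the function names, the LAT range and the "bad" zones are constructed, and the parser only handles the one-line record form shown above.

```python
import ipaddress
from collections import defaultdict
from typing import List, Sequence, Tuple

Record = Tuple[str, str, List[str]]

# Records exactly as given in step 1 above.
PAGE_ZONE = """
mydomain.com IN MX 10 exchange1.mydomain.com
exchange1.mydomain.com IN A 127.34.56.89
89.56.34.127.in-addr.arpa IN PTR exchange1.mydomain.com
"""
# Constructed mistakes: A record leaks the internal address / PTR disagrees.
INTERNAL_A_ZONE = """
mydomain.com IN MX 10 exchange1.mydomain.com
exchange1.mydomain.com IN A 10.1.1.20
"""
BAD_PTR_ZONE = """
mydomain.com IN MX 10 exchange1.mydomain.com
exchange1.mydomain.com IN A 127.34.56.89
89.56.34.127.in-addr.arpa IN PTR proxy.mydomain.com
"""
LAT = ["10.0.0.0/8"]  # assumption: the internal ranges listed in the LAT


def parse_records(zone_text: str) -> List[Record]:
    """Parse 'name IN TYPE rdata...' lines; anything else is skipped."""
    records = []
    for line in zone_text.splitlines():
        fields = line.split(";")[0].split()  # drop trailing comments
        if len(fields) < 4 or fields[1].upper() != "IN":
            continue
        name = fields[0].rstrip(".").lower()
        rdata = [f.rstrip(".").lower() for f in fields[3:]]
        records.append((name, fields[2].upper(), rdata))
    return records


def check_mail_records(zone_text: str, proxy_external_ip: str,
                       lat_networks: Sequence[str]) -> List[str]:
    """Return a list of problems; an empty list means the records agree."""
    proxy = ipaddress.ip_address(proxy_external_ip)
    lat = [ipaddress.ip_network(n) for n in lat_networks]
    a_records = defaultdict(list)
    ptr_records = {}
    mx_targets = []
    for name, rtype, rdata in parse_records(zone_text):
        if rtype == "A":
            a_records[name].append(ipaddress.ip_address(rdata[0]))
        elif rtype == "PTR":
            ptr_records[name] = rdata[0]
        elif rtype == "MX" and len(rdata) == 2:
            mx_targets.append(rdata[1])  # rdata is [preference, exchanger]

    problems = []
    if not mx_targets:
        problems.append("zone has no MX record")
    for target in mx_targets:
        if target not in a_records:
            problems.append("%s: MX target has no A record" % target)
        for addr in a_records.get(target, []):
            if any(addr in net for net in lat):
                problems.append("%s: A record %s is an internal (LAT) address"
                                % (target, addr))
            elif addr != proxy:
                problems.append("%s: A record %s is not the proxy external "
                                "address %s" % (target, addr, proxy))
            # The PTR record is optional; only a disagreeing one is reported.
            pointer = ptr_records.get(addr.reverse_pointer)
            if pointer is not None and pointer != target:
                problems.append("%s: PTR for %s names %s"
                                % (target, addr, pointer))
    return problems


if __name__ == "__main__":
    for zone in (PAGE_ZONE, INTERNAL_A_ZONE, BAD_PTR_ZONE):
        print(check_mail_records(zone, "127.34.56.89", LAT) or "ok")
```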
======================================================================
PACKET FILTERING SLOWS PERFORMANCE IF SERVER USES IDENTD
======================================================================
If packet filtering is enabled, outbound access to servers (SMTP,
FTP, IRC, etc.) can suffer slow performance if the remote server on
the external network is running the Identification protocol (Identd)
service.
To correct performance problems in this situation, activate the pre-
defined "Identd" packet filter on Microsoft Proxy Server.
======================================================================
ADDITIONAL NOTES ON CONFIGURING PACKET FILTERS
======================================================================
The "Local Host" selection box in Packet Filter properties is used to
select the local host computer that will exchange packets with a
remote host computer. When configuring the "Local Host" selection box
in the Packet Filter properties dialog box, please note the following:
* To allow any IP address assigned to an external interface of the
Proxy Server computer to exchange packets, click "Specific Proxy
IP" and enter 0.0.0.0 for the IP address.
* Also, if the "Internal computer" field in the same dialog is
selected, the IP address entered in this field should be excluded
from the proxy server's Local Address Table (LAT).
For more information on how to change the LAT, see "Administration"
-->"Setting Server Parameters"-->"Changing the LAT" in the on-line
documentation.
======================================================================
ADMINISTERING ARRAYS
======================================================================
You should only administer one member of an array at a time. This
ensures that array synchronization performs correctly and is simpler
from an administrative standpoint.
======================================================================
REGISTRY ENTRIES FOR ARRAYS
======================================================================
There are two registry keys for Proxy Server that you can create that
are not documented. These keys can be used to change the default ping
timeout value and the number of communication attempts used in an
array. The entry names, data types, and default values are as follows:
* MaxPingTries is type REG_DWORD. The default value when this entry
is absent is 3.
* PingTimeout is type REG_DWORD. The default value when this entry is
absent is 500 (milliseconds).
You can create these entries using the Registry Editor. The entries
must be installed to the following Windows NT Registry key path:
HKEY_LOCAL_MACHINE\SYSTEM
\CurrentControlSet
\Services
\Mspadmin
\Parameters
You should exercise caution when making any changes to the Windows NT
Registry.
======================================================================
REGISTRY ENTRY FOR DISABLING SOCKS PROXY
======================================================================
The following registry key can be modified for Microsoft Proxy Server
to disable the Socks Proxy service if Socks service is not used on
your network.
The entry name, data type, and supported values are as follows:
* SocksServiceEnabled is type REG_DWORD. The default value for this
entry is 1, which is enabled. A value of 0 indicates the service
is disabled.
If the entry is changed to 0, the Socks Proxy service is fully dis-
abled on the server computer. Microsoft Proxy Server will not start
the Socks Proxy service automatically at system boot. Also, the
service cannot be started manually using Microsoft Proxy Server ad-
ministrative tools (such as Internet Service Manager or Remotmsp.exe)
until the value is reset to a value of 1.
This entry is installed by Microsoft Proxy Server to the following
Windows NT Registry key path:
HKEY_LOCAL_MACHINE\SYSTEM
\CurrentControlSet
\Services
\W3proxy
\Parameters
\Socks
You should exercise caution when making any changes to the Windows NT
Registry.
======================================================================
REMOTE USE OF SYSTEM SERVICES WITH WINSOCK PROXY
======================================================================
In general, most Windows NT system services are disabled from remote
use by WinSock Proxy when Microsoft Proxy Server is installed. If you
are attempting to proxy a system service application, you may have
problems establishing a remote WinSock Proxy connection if the
service was started prior to the NtLmSsp service during system boot.
If you are attempting to use a Windows NT system service to access the
Internet or another external network, be sure that the NtLmSsp service
is started first. You may either adjust the order in which the
service starts automatically during system boot to start after the
NtLmSsp service has started, or manually start the service after the
boot process is complete and the NtLmSsp service has already started.
Another solution is to use the SC.EXE utility included in the Windows
NT Resource Kit to make the service that you want 'remoted' be
dependent on the NtLmSsp service:
To create a service dependency, use the following command:
SC \\MyMachineName CONFIG MyServiceName DEPEND= ntlmssp
(don't omit the space after the =)
To query a service dependency:
SC \\MyMachineName QC MyServiceName
======================================================================
SETTING AUTODISCONNECT FOR AUTO DIAL
======================================================================
When using either Remote Access Service (RAS) or Routing and Remote
Access Service (RRAS) for automated dial-up with Auto Dial, the
following procedure should be used for applying dial-up connection
settings that determine when a connection automatically disconnects
after remaining idle.
To set autodisconnect properly for a RAS or RRAS phonebook entry:
1. Locate the phonebook file (typically, this file is located in
%SystemRoot%\System32\Ras\Rasphone.pbk) and open it using a
text editor, such as Notepad.
2. Find the section specific to the dialing entry used for Auto
Dial connection by Microsoft Proxy Server. (Note: each section in
the phonebook file has a separate heading in the form of
[Phonebook Entry].)
3. Find the value for "IdleDisconnectSeconds". In most cases, the
value is set to 0. Increase the value to a number of seconds of
your choosing that will be used to time out and automatically
disconnect if the line remains idle.
4. Check to see if an option for "OverridePref" is included in the
dialing entry section. If this option exists, set the value to 4.
(Note: if this value does not exist, do not add it.)
5. Save the file, Rasphone.pbk, and close your text editor
application.
Note: There is no need to reboot after applying the previous changes.
RAS or RRAS will use your revised settings the next time dialing
occurs.
In general, it is recommended that you disable WINS client bindings
for the dial-up adapter when using Auto Dial with Microsoft Proxy
Server. If you require the use of NetBIOS on the dial-up adapter and
decide not to disable bindings on the dial-up adapter for WINS client,
you will also need to stop the computer's Browser service.
To stop the Browser service, use the following two commands:
NET STOP BROWSER
NET CONFIG SRV /HIDDEN
Also, you will need to disable the Computer Browser to prevent the
service from restarting when the computer is rebooted.
To disable the Computer Browser service:
1. Open Control Panel, select Services.
2. Click "Services."
3. Select "Computer Browser" from the list of services.
4. Click "Startup."
5. In "Startup Type", click "Disabled", then click "OK."
6. Click "Close."
======================================================================
WEB BROWSERS THAT SUPPORT SOCKS V4.3 DO NOT PROXY DNS LOOKUPS
======================================================================
In the on-line documentation, under "Administration"-->"Administering
Clients"-->"Configuring Web Proxy Client Applications", the following
note text is incorrect:
"Note: The Socks Proxy service supports the SOCKS 4.3a standard, which
specifies name resolution. Web browsers do not use this feature. They
require instead that name resolution of Internet addresses is avail-
able on the client computer. If you are running a Web browser as a
Socks client on a non-Windows client platform, you need to provide a
DNS proxy server to your clients for name resolution. The DNS proxy
server resolves names by forwarding client requests to a server on
the Internet."
It should be corrected to read:
"The Socks Proxy service supports the SOCKS 4.3a standard, which
specifies name resolution. Many Web browsers, including Microsoft
Internet Explorer 3.02 and 4.0 and Netscape Navigator 3.0 do not use
this feature. Instead, these browser applications, when configured
to use a Socks server, require that DNS
name resolution of Internet addresses be available on the client
computer."
"If you are running one of these Web browser applications as a Socks
client on a non-Windows client platform, you need to provide a DNS
server for these clients to use for their resolution of external
DNS names. In this situation, there are two possible methods for
implementing DNS service for these clients:"
"1) Install a DNS server, such as Microsoft DNS Server, on the proxy
server computer. You can then configure TCP/IP or DNS properties
on your Socks client machines to point at the internal IP address
of the proxy server as one of their listed DNS servers. This
is the recommended configuration for providing DNS service to
Socks clients on your internal network."
"2) As an alternative, you may point Socks clients towards a DNS
server on your internal network that has been enabled to provide
forwarding to the Internet for DNS name resolution. This
configuration is not recommended as it requires that Microsoft Proxy
Client software first be installed on your internal DNS server,
and may require additional reconfiguration of your internal DNS
server to use forwarding to an external DNS server on the
Internet."
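Added example (not part of the original release notes or of Microsoft
Proxy Server): the sketch below builds and parses both request forms
using the publicly documented SOCKS4 and SOCKS4a CONNECT layouts, which
are assumed here to be what the note calls SOCKS 4.3a, and reports
whether the client or the proxy resolves the name. The host name,
address and function names are constructed for illustration.

```python
import ipaddress
import struct

def build_connect(host, port, resolved_ip=None, userid=b""):
    """Build a CONNECT request: SOCKS4 if resolved_ip is given, else SOCKS4a."""
    if resolved_ip is not None:
        # SOCKS4: the client already did the DNS lookup itself.
        dst, tail = ipaddress.IPv4Address(resolved_ip).packed, b""
    else:
        # SOCKS4a: DSTIP is 0.0.0.x (x != 0); the name follows the user id.
        dst, tail = b"\x00\x00\x00\x01", host.encode("ascii") + b"\x00"
    return struct.pack("!BBH", 4, 1, port) + dst + userid + b"\x00" + tail

def parse_request(data):
    """Parse a request the way a Socks server would; say who resolves the name."""
    if len(data) < 9:
        raise ValueError("truncated request")
    version, command, port = struct.unpack("!BBH", data[:4])
    if version != 4:
        raise ValueError("not a SOCKS version 4 request")
    dst = data[4:8]
    user_end = data.find(b"\x00", 8)
    if user_end == -1:
        raise ValueError("user id is not NUL-terminated")
    if dst[:3] == b"\x00\x00\x00" and dst[3] != 0:
        host_end = data.find(b"\x00", user_end + 1)
        if host_end <= user_end + 1:  # missing (-1) or empty host name
            raise ValueError("SOCKS4a request carries no host name")
        target, resolver = data[user_end + 1:host_end].decode("ascii"), "proxy"
    else:
        target, resolver = str(ipaddress.IPv4Address(dst)), "client"
    return {"command": command, "port": port, "target": target, "resolver": resolver}

# Constructed sample: the same destination requested both ways.
SOCKS4_REQ = build_connect("www.example.com", 80, resolved_ip="192.0.2.10")
SOCKS4A_REQ = build_connect("www.example.com", 80)

if __name__ == "__main__":
    for name, req in (("SOCKS4", SOCKS4_REQ), ("SOCKS4a", SOCKS4A_REQ)):
        print(name, req.hex(), parse_request(req))
```

A client that sends the first form has to obtain 192.0.2.10 from a DNS
server before it contacts the Socks server, which is why such clients
need one of the two DNS arrangements listed above.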
======================================================================
USING ROUTING AND REMOTE ACCESS SERVICE (RRAS)
======================================================================
Routing and Remote Access Service (RRAS) can be used along with
Microsoft Proxy Server to provide a secure enterprise internetworking
solution.
>>> Required RRAS hotfix
In order to run RRAS and Proxy Server v2.0 on the same computer, you
must install a required RRAS hotfix. This hotfix resolves issues
associated with reliable, secure integration between RRAS and Proxy.
To download the corrected file, connect to:
http://www.microsoft.com/proxy/fix/rras_0.htm
>>> Recommended configurations
This section addresses several common configurations and
outlines recommended configurations for interworking both RRAS and MSP
2.0 on your network.
* Departmental server running RRAS and MSP 2.0
A departmental server on an internal network (typically with only one
network interface) should have packet filtering turned off.
* Edge server connecting to the Internet running RRAS and MSP 2.0
This configuration involves the MSP 2.0 server computer using two
network connections (one for the internal interface, one for the
external interface). For the internal interface, a network adapter
card is needed. For the external interface, either a network adapter
card or a modem can be used.
An edge server in this configuration should have MSP packet filtering
turned on with MSP 2.0 predefined packet filters activated with no
additional custom packet filters configured.
* Edge server with "Extranet" or barrier LAN segment
An edge server in this configuration requires a third network adapter
to be installed on the MSP 2.0 server computer to interface to the
Extranet LAN segment (sometimes referred to as a DMZ network).
The Local Address Table (LAT) on the server must not include IP
addresses used on the Extranet LAN.
Typically, routing is enabled between the external network and the
Extranet LAN, and computers on the Extranet network with registered
IP addresses can communicate directly with Internet computers. RRAS
can be used to configure routing for each interface.
All communication between the Extranet LAN and the internal network
should be done using Microsoft Proxy Server services (Web Proxy,
WinSock Proxy, Socks Proxy). Where this configuration is applied,
WinSock servers can also be remoted by means of configuration in the
Wspcfg.ini file using application-specific settings.
For more information on configuring these settings, see
"Administration"-->"Administering Clients"-->"Configuring WinSock
Proxy Client Applications" in the on-line documentation.
Note: As an alternative, you can use RRAS instead for communication
between the internal LAN and the Extranet LAN segments. This can be
done by way of "Enabling IP Forwarding", eliminating the need to use
MSP 2.0 services for proxy communication. However, this configuration
is not preferred.
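Added example (not from the release notes or the product): a check for
the Local Address Table rule stated above, assuming the LAT entries are
available as start/end address pairs and each Extranet LAN as a CIDR
prefix. All ranges shown are constructed, and the function name is
hypothetical.

```python
import ipaddress

def lat_extranet_overlaps(lat_ranges, extranet_cidrs):
    """Return (lat_start, lat_end, overlap_first, overlap_last) for every LAT
    range that covers addresses of an Extranet LAN subnet."""
    findings = []
    for start, end in lat_ranges:
        first = int(ipaddress.IPv4Address(start))
        last = int(ipaddress.IPv4Address(end))
        if first > last:
            raise ValueError(f"LAT range {start}-{end} is reversed")
        for cidr in extranet_cidrs:
            net = ipaddress.ip_network(cidr)
            lo = max(first, int(net.network_address))
            hi = min(last, int(net.broadcast_address))
            if lo <= hi:  # the ranges share at least one address
                findings.append((start, end,
                                 str(ipaddress.IPv4Address(lo)),
                                 str(ipaddress.IPv4Address(hi))))
    return findings

# Constructed sample: an internal range plus a range that wrongly reaches
# into the Extranet LAN (198.51.100.0/24 is a documentation prefix).
SAMPLE_LAT = [("10.0.0.0", "10.255.255.255"),
              ("198.51.100.64", "198.51.101.255")]
SAMPLE_EXTRANET = ["198.51.100.0/24"]

if __name__ == "__main__":
    for finding in lat_extranet_overlaps(SAMPLE_LAT, SAMPLE_EXTRANET):
        print("LAT range %s-%s includes Extranet addresses %s-%s" % finding)
```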
======================================================================
LOGGING TO AN ACCESS DATABASE
======================================================================
In the on-line documentation, under "Administration"-->"Configuring
Logs"-->"Logging to a Database", there is an error in the description
of creating an Access Table. Here are the updated instructions:
Creating an Access Database Table
--------------------------------------------------------
You can use the database template files, Msp.sql and Pf.sql, to create
a database table in Microsoft SQL Server or Microsoft Access.
In order to create a database table in Microsoft Access using a
database template file, implement the following procedure:
1. Rename the database template file with a TXT file extension and
open the file in a text editor, such as Microsoft Notepad. The
database template files are located in:
%systemroot%\help\proxy\misc.
2. Start Access and open the database you previously created for
Proxy Server logging.
3. On the "Queries" tab, click "New" to create a new query.
4. In the "New Query" dialog box, click "Design View", and then
click "OK."
5. Click "Close" in the "Show Table" dialog box.
6. Click "SQL View" on the View menu, and then delete any text
present in "Query."
7. Copy and paste the entire contents of the file previously opened
in Notepad into "Query", click "Save", and then click "OK."
8. Double-click the query you just saved. Click "Yes" in any pop-up
message boxes.
Rename the Access table to use it with a particular Proxy Server
service.
======================================================================
ACKNOWLEDGMENTS
======================================================================
Information in this document is subject to change without notice.
Companies, names, and data used in examples herein are fictitious
unless otherwise noted. No part of this document may be reproduced or
transmitted in any form or by any means, electronic or mechanical, for
any purpose, without the express written permission of Microsoft.
Permission to print one copy for personal use is hereby granted if
your only means of access is electronic.
Microsoft may have patents or pending patent applications, trademarks,
copyrights, or other intellectual property rights covering subject
matter in this document. The furnishing of this document does not give
you any license to these patents, trademarks, copyrights, or other
intellectual property rights except as expressly provided in any
written license agreement from Microsoft.
(c)1997 Microsoft Corporation. All rights reserved.
Microsoft, MS, Windows, and Windows NT are either registered
trademarks or trademarks of Microsoft Corporation in the United States
and/or other countries.
Other product and company names mentioned herein may be the trademarks
of their respective owners.
Additional query words: readme.txt
Keywords : kbreadme
Version : 2.00
Platform : winnt
Issue type :
Last Reviewed: August 9, 1999