Proxy Server 2.0 Release Notes

ID: Q174922


The information in this article applies to:


**********************************************************************
           Microsoft(R) Proxy Server 2.0 Release Notes
                         September 1997
**********************************************************************
          (c)1997 Microsoft Corporation. All rights reserved.

Please review this entire document before you install Microsoft Proxy
Server version 2.0. It contains important information about installing 
and using Proxy Server, and it supplements the on-line documentation 
that is installed with the product.

======================================================================
CONTENTS
======================================================================

* Software Requirements
* Internet Information Server Fix
* Internet Explorer 3.02, Script Routing & NTLM
* Internet Explorer 3.x, NTLM, & SSL
* Display Not Synchronized When Viewing Documentation On-Line 
* Installing Internet Information Server 4.0 With Proxy Server  
* Proxy Server With Single Network Adapter Configuration
* Client Configuration Dialog Box
* Starting and Stopping the Socks Proxy Service
* NetBIOS Packet Filtering Issues
* WinSock Proxy Domain Filters
* Enabling Passive FTP For Web Proxy
* Server Proxy Issues For Using Exchange With DNS
* Packet Filtering Slows Performance if server uses Identd 
* Additional Notes On Configuring Packet Filters
* Administering Arrays
* Registry Entries for Arrays
* Registry Entry for Disabling Socks Proxy
* Remote Use Of System Services With WinSock Proxy
* Setting Autodisconnect for Auto Dial
* Web Browsers That Support SOCKS v4.3 Do Not Proxy DNS Lookups
* Using Routing and Remote Access Service (RRAS)
* Logging to an Access Database
* Acknowledgments


======================================================================
SOFTWARE REQUIREMENTS
======================================================================

The following components must already be installed on the server 
computer before you install Proxy Server 2.0:

* Microsoft Windows NT(R) Server version 4.0 or later
* Microsoft Internet Information Server version 3.0 or later
* Service Pack 3 or later for Microsoft Windows NT Server 4.0

======================================================================
INTERNET INFORMATION SERVER FIX
======================================================================

There is a bug in Microsoft Internet Information Server Version 3.0
that can cause the Web service to abnormally terminate.
You should download and install the software fix on any computer 
that runs IIS and/or Microsoft Proxy Server.
You can use your browser to connect to:

ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/nt40/hotfixes-postSP3/iis-fix/

For more information on this IIS issue, read the Q143484.txt 
file. For information on how to download and install the fix, read
the readme.txt file.

======================================================================
INTERNET EXPLORER 3.02, SCRIPT ROUTING AND NTLM
======================================================================

When using Proxy's routing script with Internet Explorer version 3.02,
NTLM authentication does not work properly. This is fixed in IE 
version 4.0.

======================================================================
INTERNET EXPLORER 3.X, NTCR, & SSL
======================================================================

When using some versions of Internet Explorer version 3.x with Micro-
soft Proxy Server, NTCR authentication does not work properly when 
accessing secure web sites (https://...). Please check IE information 
on the Microsoft Corporation Web page, or Microsoft Knowledge Base, 
etc. for an update on this issue.

======================================================================
DISPLAY NOT SYNCHRONIZED WHEN VIEWING DOCUMENTATION ON-LINE 
======================================================================

Occasionally when viewing the on-line documentation, you may detect 
problems with the display topics being unsynchronized with a selected 
topic in the contents view.  This problem has been reported during 
some installations, particularly where "Index" mode is used to view 
the table of contents. If you detect this problem, reselecting the 
topic appears to resolve the problem and refresh the display 
correctly.

To reselect a topic and refresh the display:

1.  Click a topic in the table of contents, then click "Display".
2.  In "Topics Found", double-click the topic.

Note: As an option, you may redisplay a topic in "Topics Found" by 
clicking it once and then clicking "Display." 

======================================================================
INSTALLING INTERNET INFORMATION SERVER 4.0 WITH PROXY SERVER
======================================================================

Note: The information provided in this section is current for
installing and using the Beta 3 release of Microsoft Internet 
Information Server (IIS) 4.0 with Microsoft Proxy Server. For possible 
changes between Beta 3 and the final release of IIS 4.0, review final 
release notes for IIS 4.0. 

>>> Upgrading to IIS 4.0 with Microsoft Proxy Server 1.0

Before installing IIS 4.0, you must upgrade from MSP 1.0 to MSP 2.0. 
You can upgrade and install MSP 2.0 using an in-place upgrade 
directly over your previous installation of MSP 1.0.  There is no 
need to uninstall MSP 1.0 prior to upgrading. In addition, MSP
maintains prior server configuration settings, such as Access Control
Lists (ACLs) and other settings, after the upgrade to MSP 2.0 is 
completed.
	
>>> Upgrading to IIS 4.0 with Microsoft Proxy Server 2.0

Once you upgrade to use IIS 4.0 on a server computer running MSP 2.0 
and IIS 3.0, you will need to run MSP 2.0 setup again.  This rein-
stallation is needed because IIS 4.0 installs Microsoft Proxy 
Server as a global ISAPI filter for all Web servers. Repeating MSP 
2.0 setup configures Microsoft Proxy Server correctly, as a
non-global filter of the IIS default Web service for the local server 
computer (or "localhost"). 

There is no need to uninstall MSP 2.0 prior to upgrading to IIS 4.0.
Also, MSP 2.0 maintains prior settings, such as Access Control Lists 
(ACLs) and other configuration settings when in-place reinstallation 
of MSP 2.0 is completed.  

>>> Verifying Authentication Settings After IIS 4.0 is Installed

After you have upgraded to IIS 4.0, you should verify that "Password 
Authentication" settings are maintained and correctly configured as 
you have chosen to use them in IIS 3.0.

For IIS 3.0, "Password Authentication" properties are set using the 
Internet Service Manager (ISM). To view or modify these settings 
using ISM, do the following:

1.  Double-click the computer name next to the "WWW service."

2.  Under "Password Authentication", note which methods are selected
    for use in authenticating users.  The methods that can be
    optionally set include either "Allow Anonymous",
    "Basic (Clear Text)", or "Windows NT Challenge/Response".
	
3.  Click "OK" or "Cancel" to close this dialog. 

For IIS 4.0, "Password Authentication" properties are set through use 
of Microsoft Management Console (MMC). To view or modify these settings 
using MMC, do the following:

1.  From the Start menu, select "Programs"-->"Microsoft Proxy Server"
    -->"Microsoft Management Console"
	
2.  In MMC, double-click the IIS root folder in the scope pane on the 
    left to open and expand its contents.

3.  Double-click "Default Web Site" to open and expand its contents.

4.  Double-click "SCRIPTS" to open and expand its contents.

5.  Click "Proxy".

6.  Right-click and select "Properties".

7.  Click the "Directory Security" tab.

8.  In "Password Authentication", click "Edit".

9.  Verify password authentication settings are set correctly as
    previously configured for IIS 3.0 in the previous procedure
    using ISM.
	
Note: If you have Windows NT 4.0 Option Pack installed, you may also
      open the IIS management console as described in step 1 using
      the following alternate shortcut:

      From the Start menu, select "Programs"-->"Windows NT 4.0 Option
      Pack"-->"Microsoft Internet Information Server"-->"Internet
      Service Manager"
	  
======================================================================
PROXY SERVER WITH SINGLE NETWORK ADAPTER CONFIGURATION
======================================================================

You can run Microsoft Proxy Server on a computer with only a single 
internal network adapter, such as for a chained downstream configura-
tion or a caching-only configuration. Since such a computer has a 
single IP address, the following considerations apply:

*  Packet filtering cannot be enabled.
*  It is advised that you either disable the WinSock Proxy service, or 
   disable access control for the WinSock Proxy service if the Proxy 
   Server computer is connected to the Internet.

======================================================================
CLIENT CONFIGURATION DIALOG BOX
======================================================================

There is a check box in the "Client Configuration" dialog box that is
missing from the product's online documentation.
This check box can be used to determine whether or not Web 
browsers use the Configuration URL to automatically download a client 
configuration script. The check box is "Configure Web browsers to use 
Automatic Configuration", and is located under "Automatically 
configure Web browser during client setup." By default, this feature 
is disabled.

In addition, the client configuration file, Mspclnt.ini, has an
entry "Set Browsers to use Auto Config" in the [Common] 
section to support this feature.

======================================================================
STARTING AND STOPPING THE SOCKS PROXY SERVICE 
======================================================================

In the on-line documentation, under "Administration"-->"Setting Server
Parameters"-->"Configuring Auto Dial"-->"Restarting Services",
the following command-line syntax is invalid:

  NET STOP | START SPSVC for the Socks Proxy service

Proxy Server's Web Proxy and Socks Proxy run within the WWW service of
IIS. To stop or start these proxy services, use:

  NET STOP | START W3SVC

======================================================================
NETBIOS PACKET FILTERING ISSUES 
======================================================================

By default, packet filtering is not enabled when Microsoft Proxy 
Server is installed.  Where packet filtering is enabled, this section
details recommended configuration options for secure and reliable 
operation of the proxy server depending on your need to allow or 
restrict NetBIOS traffic on the server's external network interface.  

With packet filtering enabled on Microsoft Proxy Server, several pre-
defined filters for NetBIOS are provided for your use. Depending on 
your need to support NetBIOS traffic on the server's external network 
interface, you may choose among the following ways to configure WINS 
client and NetBIOS packet filtering options for Microsoft Proxy 
Server:

*  If NetBIOS traffic is not used or supported on the external net-
   work, the WINS client should be disabled in bindings for the 
   server's external network adapter card.  In addition, the prede-
   fined NetBIOS filters should NOT be activated.
   
*  If NetBIOS traffic is used and supported on the external network,
   the WINS client can remain enabled by default in bindings or be 
   disabled as needed. 
   
In addition, where NetBIOS must be supported on the external 
network, activate the predefined NetBIOS filters for the following 
reasons:

*  Where the WINS client is enabled for the server's external network
   interface, activate the predefined "NetBIOS (WINS client only)" 
   filter to provide secure filtering of NetBIOS traffic by Microsoft 
   Proxy Server between the internal and external networks. 
   
*  Where the WINS client is disabled for the server's external net-
   work interface, NetBIOS traffic is securely blocked from 
   entering the internal network.  This policy is in effect regard-
   less of whether NetBIOS predefined filters are activated. However, 
   if the NetBIOS predefined filters are not activated, the packet 
   filter driver will detect any NetBIOS broadcast packets on the 
   external network that are received on the server's external 
   adapter card as a possible attack on the proxy server. 
   Consequently, it will log each of these packets and possibly
   generate an alert. This results in system overhead, and reduction
   in the usefulness of the logging & alerting features. To avoid this 
   situation, you can activate the "NetBIOS (All)" predefined
   packet filter to stop logging of these NetBIOS packets when 
   NetBIOS traffic is expected on the external network. 

======================================================================
WINSOCK PROXY DOMAIN FILTERS
======================================================================

In the on-line documentation, under "Administration"-->"Setting 
Security Parameters"-->"Domain Filters", the following note is 
incorrect:

  "To control WinSock Proxy access to Internet sites, create a filter 
   for both the domain and the IP address of the site. When a WinSock 
   application attempts to access an Internet site, it first converts 
   the domain name to the IP address, and then tries to access the 
   site by using the IP address. When the default filtering policy is 
   set to "Denied", the filters (which allow access) must be created 
   for both the domain name and IP address in order for access to that 
   site to succeed."

To control WinSock Proxy access to Internet sites, you only need to 
create a filter for the domain name. It is no longer necessary to 
create an additional domain filter for the IP address of an Internet 
site. 

======================================================================
ENABLING PASSIVE FTP FOR WEB PROXY 
======================================================================

FTP service can use two possible types of communication between the 
FTP server and its clients: passive FTP mode and non-passive FTP. Some 
FTP servers do not support both types.

* How "non-passive"(or traditional) FTP works

In "non-passive" FTP, the client connects to the server making a 
control channel. For each data operation, the client tells the server 
how to connect back to it, specifying the parameters for the data 
connection (data port, transfer mode, representation type, and  
structure). The server then uses these parameters to make the data 
channel.

This type of FTP communication is the same as the model for FTP 
specified in the Internet standard draft for FTP (RFC 959) and has 
been traditionally used on all TCP/IP networks in the past.  

"Non-passive" FTP is required for all FTP service implementations and
is by default the mode of FTP communication used by the Web Proxy 
service in Microsoft Proxy Server versions 1.0 and 2.0. 

* How Passive FTP differs from "Non-passive" FTP

Passive FTP differs from "non-passive" FTP in that the client is
responsible for making all connections with the server, including the
initial connecting request and subsequent data channel connections.
In this way, passive FTP provides some additional security to the
client against malicious attack by an FTP server.

Because passive FTP is used on some recently implemented FTP servers 
on the Internet, Microsoft Proxy Server 2.0 provides support through 
the Windows NT Registry to enable the Web Proxy service to use 
passive FTP mode if it is needed. You may also need to support passive 
FTP for the following reasons:

*  You are using a firewall that cannot allow an inbound connection 
   from the FTP server.

*  You are using third-party FTP applications. Some applications are
   simpler to configure where passive FTP is used.
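
The following is an added example, not part of the original release
notes. It decodes the two RFC 959 control-channel messages that decide
which side opens the data channel (the client's PORT command and the
server's 227 reply to PASV) and reports which sessions need the FTP
server to connect back to the client. The session lines and addresses
are constructed sample data.

```python
import re

# Matches the (h1,h2,h3,h4,p1,p2) group in a "227 Entering Passive Mode" reply.
_PASV_ARG = re.compile(r"\((\s*\d+\s*(?:,\s*\d+\s*){5})\)")


def parse_hostport(arg):
    """Decode the RFC 959 'h1,h2,h3,h4,p1,p2' form into (ip, port)."""
    fields = [f.strip() for f in arg.split(",")]
    if len(fields) != 6 or not all(f.isdigit() for f in fields):
        raise ValueError("expected six decimal fields: %r" % arg)
    nums = [int(f) for f in fields]
    if any(n > 255 for n in nums):
        raise ValueError("field out of range 0-255: %r" % arg)
    # The port is sent as two bytes, high byte first.
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def data_connection(control_line):
    """Describe the data channel a control-channel line sets up, or None."""
    line = control_line.strip()
    if line.upper().startswith("PORT "):
        # Non-passive: the client listens and the server connects back.
        return {"mode": "non-passive", "initiator": "server",
                "endpoint": parse_hostport(line[5:])}
    if line.startswith("227"):
        # Passive: the server listens and the client connects out.
        match = _PASV_ARG.search(line)
        if match is None:
            raise ValueError("227 reply without host-port: %r" % line)
        return {"mode": "passive", "initiator": "client",
                "endpoint": parse_hostport(match.group(1))}
    return None


def inbound_data_endpoints(control_lines):
    """Client-side endpoints that the FTP server will connect back to.

    A non-empty result means the transfer fails behind a firewall that
    cannot allow an inbound connection from the FTP server.
    """
    endpoints = []
    for line in control_lines:
        info = data_connection(line)
        if info and info["initiator"] == "server":
            endpoints.append(info["endpoint"])
    return endpoints


# Constructed sample control-channel traffic (not captured from a real host).
SESSION_NON_PASSIVE = [
    "USER anonymous",
    "PORT 10,0,0,5,19,137",
    "RETR readme.txt",
]
SESSION_PASSIVE = [
    "USER anonymous",
    "PASV",
    "227 Entering Passive Mode (192,0,2,10,78,52)",
    "RETR readme.txt",
]

if __name__ == "__main__":
    for name, session in (("non-passive", SESSION_NON_PASSIVE),
                          ("passive", SESSION_PASSIVE)):
        print(name, "inbound endpoints:", inbound_data_endpoints(session))
```
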

To enable Web Proxy support for passive FTP mode, the following reg-
istry key can be modified. The entry name, data type, and supported 
values are as follows:

*  NonPassiveFTPTransfer is type REG_DWORD. The default value for this 
   entry is 1, which uses Sendport (or "non-passive") FTP as the 
   default transfer mode for FTP proxy. 
   
If the entry is changed to 0, the Web Proxy service will support FTP 
proxy with servers that use passive FTP mode. Otherwise, the value 
should be left to its default value of 1.

This entry is installed by Microsoft Proxy Server to the following 
Windows NT Registry key path:

HKEY_LOCAL_MACHINE\SYSTEM
  \CurrentControlSet
    \Services
      \W3proxy
        \Parameters

You should exercise caution when making any changes to the Windows NT 
Registry.

Note: Passive FTP support is not an issue for the WinSock Proxy 
service which supports both passive and "non-passive" modes of FTP. 

======================================================================
SERVER PROXY ISSUES FOR USING EXCHANGE AND DNS 
======================================================================

Server proxy allows you to place a server, such as Microsoft Exchange 
Server using the Internet Mail Connector (IMC) on your private network 
behind Microsoft Proxy Server.  With this configuration, an Exchange
Server can provide Internet mail service by using the WinSock Proxy 
client and relying on features of Proxy Server 2.0 for
protection. In addition, the Exchange Server computer will not
require an additional registered Internet IP address.

* How Server Proxy Works

The WinSock Proxy Client allows you to bind services or applications
to the external network interface of the server computer running 
Microsoft Proxy Server.  Once a service or application is bound on 
the external network interface, it is then available to hosts on
the Internet. The proxy server will then "listen" for connections on
behalf of the service or application.

For example, if you bind an internal SMTP/POP mail server to the 
proxy server, mail clients or SMTP servers on the Internet would be 
able to contact this mail server by connecting to the proxy server's 
Internet IP address. To remote computers on the Internet, these 
services will appear to be running on the proxy server computer.

* Setting Up Server Proxy for Exchange Server

>>> To set up server proxy for Exchange Server 5.0:

1.  Install and configure Microsoft Proxy Server.

2.  Install and test the WinSock Proxy (WSP) Client on the Exchange 
    Server computer by running a WinSock client application.

    Once the WSP Client is working, additional settings are required 
    for server proxy on the Exchange Server.  In most cases, you 
    should create specific and local Wspcfg.ini files (instead of 
    making changes in Mspclnt.ini) for the Exchange Server since 
    these settings will not need to be globally applied to all WSP 
    Client users on your network.
    
3.  Place the Wspcfg.ini file in the directory where the application
    *.Exe file is installed.  
    
    Note: Since Exchange Server has more than one .exe file for
    Internet mail and each EXE needs to be bound to the proxy, more
    than one Wspcfg.ini file will be needed.
    
4.  Create a Wspcfg.ini file for use with the Exchange SMTP service.  
    Add the information below to Wspcfg.ini and place this file in the 
    directory where Msexcimc.exe is located.  
    
    [MSEXCIMC]
    ServerBindTcpPorts=25
    Persistent=1
    KillOldSession=1
    
    Note: The SMTP port (25) on the Exchange Server will then be bound
    to the proxy server's port 25.
    
5.  Create a second Wspcfg.ini file for the Exchange store (Store.exe).
    Add the information below to this Wspcfg.ini and place the file in 
    the directory where Store.exe is located.  

    [STORE]
    ServerBindTcpPorts=110,119,143
    Persistent=1
    KillOldSession=1
    
    Note: Additional ports, such as ports 119 and 143 shown above, can
    be listed since Store.exe provides Network News Transfer Protocol 
    (NNTP) on port 119, POP mail on port 110, etc.
    
6.  If dynamic packet filtering is enabled (recommended), the proxy 
    server will dynamically open all necessary ports when they are 
    requested.  No special configuration is needed.
    
7.  Stop and start the Exchange services or reboot the Exchange Server
    for the new settings to take effect.
    
8.  You should now be able to contact the Exchange server by connect-
    ing to the proxy server's Internet IP address using SMTP, NNTP, or
    POP.
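
The following is an added example, not part of the original release
notes. Every port listed in ServerBindTcpPorts becomes reachable from
the Internet on the proxy server's external address, so this sketch
reads a set of Wspcfg.ini files and reports any published port that is
not on an approved list, or that two files both try to bind. The file
labels and the approved list are assumptions; the file contents are the
two samples from the steps above.

```python
import configparser


def published_ports(wspcfg_text):
    """Return {section: [tcp ports]} from one Wspcfg.ini file's text."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(wspcfg_text)
    result = {}
    for section in parser.sections():
        raw = parser.get(section, "ServerBindTcpPorts", fallback="")
        ports = []
        for token in raw.split(","):
            token = token.strip()
            if not token:
                continue
            port = int(token)  # only the comma-separated form shown above
            if not 1 <= port <= 65535:
                raise ValueError("invalid TCP port %d in [%s]" % (port, section))
            ports.append(port)
        if ports:
            result[section] = ports
    return result


def audit_published_ports(files, approved):
    """files maps a label to Wspcfg.ini text; approved is a set of ports."""
    findings = []
    owner = {}
    for label in sorted(files):
        for section, ports in published_ports(files[label]).items():
            for port in ports:
                where = "%s [%s]" % (label, section)
                if port not in approved:
                    findings.append(
                        "%s publishes unapproved TCP port %d" % (where, port))
                if port in owner:
                    findings.append(
                        "TCP port %d bound by both %s and %s"
                        % (port, owner[port], where))
                else:
                    owner[port] = where
    return findings


# The two files from steps 4 and 5; the labels are hypothetical.
SAMPLE_FILES = {
    "imc/Wspcfg.ini": (
        "[MSEXCIMC]\n"
        "ServerBindTcpPorts=25\n"
        "Persistent=1\n"
        "KillOldSession=1\n"
    ),
    "store/Wspcfg.ini": (
        "[STORE]\n"
        "ServerBindTcpPorts=110,119,143\n"
        "Persistent=1\n"
        "KillOldSession=1\n"
    ),
}

if __name__ == "__main__":
    # Assumed policy: only SMTP, POP and port 143 may face the Internet.
    for finding in audit_published_ports(SAMPLE_FILES, {25, 110, 143}):
        print(finding)
```
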
    
* Configuring DNS for Server Proxy with Exchange Server   	

1.  Verify that any MX and A resource records used by remote mail 
    servers on the Internet refer to the IP address for the proxy 
    server's external network adapter and not the internal IP 
    address of the Exchange Server or SMTP server itself.
	
    For example, if your registered Internet domain name is 
    "mydomain.com", and your internal Exchange server uses a DNS host 
    name of "exchange1", you would need to use an MX, or mail ex-
    changer, record to provide other Internet hosts the name of your 
    internal Exchange server.   In this case, an MX record added in 
    the "mydomain.com" zone could provide this information as follows:
	
       mydomain.com IN MX 10 exchange1.mydomain.com
	
    You would then need to create an A, or address, record for 
    "exchange1.mydomain.com" that uses an external IP address of the 
    proxy server.  If the external IP address of your proxy server 
    were 127.34.56.89, you would add the following A record to the 
    "mydomain.com" zone:
	
       exchange1.mydomain.com       IN A 127.34.56.89
	
    In addition, you can add or create a PTR, or pointer, record to 
    the "mydomain.com" zone to provide reverse lookup.  A valid PTR 
    record to do this would be:
	
       89.56.34.127.in-addr.arpa   IN PTR exchange1.mydomain.com  
    
2.  The Exchange/SMTP server computer must be configured to resolve 
    external (Internet) names by directly accessing an 'external' DNS
    server.

    Specify a DNS server on the DNS server search listing of your 
    Exchange/SMTP server computer that can resolve Internet DNS 
    addresses.  
	
    This DNS server can be a server located on your network, located 
    on your Proxy Server gateway computer, or located externally on 
    the Internet. The IP address of this DNS server must be listed 
    on the same machine running Exchange Server that is used to route 
    mail from your network to the Internet. 
	
    You may assign the DNS server's IP address to the Exchange Server
    using either static or dynamic assignment.  For static assignment,
    set the IP address by adding it to "DNS Service Search Order" in 
    TCP/IP Protocol Properties. For dynamic assignment, configure your 
    DHCP server to provide this address by way of the standard DHCP 
    assigned option code 6 (DNS Server List) to your Exchange Server
    machine. (Note: if your Exchange Server uses DHCP to obtain its 
    IP address, you should reserve this address with the DHCP server 
    for permanent assignment to the Exchange Server computer.)
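
The following is an added example, not part of the original release
notes. It checks the records from step 1: each MX target for the mail
domain must have an A record equal to the proxy server's external
address, must not publish an internal address, and any PTR record for
the external address must point back at an MX target. The zone text
reuses the sample records above; the internal range 10.0.0.0/8 and the
second, misconfigured zone are constructed for illustration.

```python
import ipaddress


def parse_zone(text):
    """Parse 'name IN TYPE rdata' lines into (name, type, data) tuples."""
    records = []
    for raw in text.splitlines():
        fields = raw.split(";", 1)[0].split()   # drop comments
        if len(fields) < 4 or fields[1].upper() != "IN":
            continue
        name = fields[0].rstrip(".").lower()
        rtype = fields[2].upper()
        if rtype == "MX" and len(fields) >= 5:
            # fields[3] is the preference, fields[4] the mail exchanger.
            records.append((name, "MX", fields[4].rstrip(".").lower()))
        elif rtype in ("A", "PTR"):
            records.append((name, rtype, fields[3].rstrip(".").lower()))
    return records


def check_mail_records(zone_text, domain, proxy_external_ip, internal_nets):
    """Return a list of findings; an empty list means the records agree."""
    proxy_ip = ipaddress.ip_address(proxy_external_ip)
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    records = parse_zone(zone_text)
    findings = []

    a_records = {}
    for name, rtype, data in records:
        if rtype == "A":
            a_records.setdefault(name, []).append(ipaddress.ip_address(data))

    targets = [d for n, t, d in records if t == "MX" and n == domain.lower()]
    if not targets:
        findings.append("no MX record for %s" % domain)
    for target in targets:
        addrs = a_records.get(target, [])
        if not addrs:
            findings.append("MX target %s has no A record" % target)
        for addr in addrs:
            if any(addr in net for net in nets):
                findings.append(
                    "%s A %s publishes an internal address" % (target, addr))
            elif addr != proxy_ip:
                findings.append(
                    "%s A %s is not the proxy external address %s"
                    % (target, addr, proxy_ip))

    reverse_name = proxy_ip.reverse_pointer      # e.g. 89.56.34.127.in-addr.arpa
    for name, rtype, data in records:
        if rtype == "PTR" and name == reverse_name and data not in targets:
            findings.append("PTR %s -> %s is not an MX target" % (name, data))
    return findings


# Records as given in step 1 above.
GOOD_ZONE = """
mydomain.com IN MX 10 exchange1.mydomain.com
exchange1.mydomain.com       IN A 127.34.56.89
89.56.34.127.in-addr.arpa   IN PTR exchange1.mydomain.com
"""

# Constructed mistake: the A record carries the Exchange server's own
# internal address (10.1.2.3 is a made-up value).
BAD_ZONE = """
mydomain.com IN MX 10 exchange1.mydomain.com
exchange1.mydomain.com       IN A 10.1.2.3
"""

if __name__ == "__main__":
    for label, zone in (("good", GOOD_ZONE), ("bad", BAD_ZONE)):
        print(label, check_mail_records(
            zone, "mydomain.com", "127.34.56.89", ["10.0.0.0/8"]))
```
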

======================================================================
PACKET FILTERING SLOWS PERFORMANCE IF SERVER USES IDENTD 
======================================================================

If packet filtering is enabled, outbound access to servers (SMTP,
FTP, IRC, etc.) can suffer slow performance if the remote server on 
the external network is running the Identification protocol (Identd)
service.  

To correct performance problems in this situation, activate the pre-
defined "Identd" packet filter on Microsoft Proxy Server. 

======================================================================
ADDITIONAL NOTES ON CONFIGURING PACKET FILTERS
======================================================================

The "Local Host" selection box in Packet Filter properties is used to 
select the local host computer that will exchange packets with a 
remote host computer. When configuring the "Local Host" selection box 
in the Packet Filter properties dialog box, please note the following:

*  To allow any IP address assigned to an external interface of the 
   Proxy Server computer to exchange packets, click "Specific Proxy 
   IP" and enter 0.0.0.0 for the IP address. 

*  Also, if the "Internal computer" field in the same dialog is 
   selected, the IP address entered in this field should be excluded 
   from the proxy server's Local Address Table (LAT). 
   
   For more information on how to change the LAT, see "Administration"
   -->"Setting Server Parameters"-->"Changing the LAT" in the on-line 
   documentation.

======================================================================
ADMINISTERING ARRAYS
======================================================================

You should only administer one member of an array at a time. This 
ensures that array synchronization performs correctly and is simpler
from an administrative standpoint.

======================================================================
REGISTRY ENTRIES FOR ARRAYS
======================================================================

There are two registry keys for Proxy Server that you can create that 
are not documented. These keys can be used to change the default ping 
timeout value and the number of communication attempts used in an 
array. The entry names, data types, and default values are as follows:

*  MaxPingTries is type REG_DWORD. The default value when this entry 
   is absent is 3.

*  PingTimeout is type REG_DWORD. The default value when this entry is
   absent is 500 (milliseconds).

You can create these entries using the Registry Editor. The entries 
must be installed to the following Windows NT Registry key path:

HKEY_LOCAL_MACHINE\SYSTEM
  \CurrentControlSet
    \Services
      \Mspadmin
        \Parameters

You should exercise caution when making any changes to the Windows NT 
Registry.

======================================================================
REGISTRY ENTRY FOR DISABLING SOCKS PROXY
======================================================================

The following registry key can be modified for Microsoft Proxy Server 
to disable the Socks Proxy service if Socks service is not used on 
your network.  

The entry name, data type, and supported values are as follows:

*  SocksServiceEnabled is type REG_DWORD. The default value for this 
   entry is 1, which is enabled. A value of 0 indicates the service 
   is disabled.
   
If the entry is changed to 0, the Socks Proxy service is fully dis-
abled on the server computer.  Microsoft Proxy Server will not start 
the Socks Proxy service automatically at system boot. Also, the 
service cannot be started manually using Microsoft Proxy Server ad-
ministrative tools (such as Internet Service Manager or Remotmsp.exe)
until the value is reset to a value of 1. 

This entry is installed by Microsoft Proxy Server to the following 
Windows NT Registry key path:

HKEY_LOCAL_MACHINE\SYSTEM
  \CurrentControlSet
    \Services
      \W3proxy
        \Parameters
          \Socks

You should exercise caution when making any changes to the Windows NT 
Registry.

======================================================================
REMOTE USE OF SYSTEM SERVICES WITH WINSOCK PROXY
======================================================================

In general, most Windows NT system services are disabled from remote 
use by WinSock Proxy when Microsoft Proxy Server is installed. If you 
are attempting to proxy a system service application, you may have 
problems establishing a remote WinSock Proxy connection if the 
service was started prior to the NtLmSsp service during system boot.

If you are attempting to use a Windows NT system service to access the 
Internet or another external network, be sure that the NtLmSsp service 
is started first.  You may either adjust the order in which the 
service starts automatically during system boot to start after the 
NtLmSsp service has started, or manually start the service after the 
boot process is complete and the NtLmSsp service has already started.

Another solution is to use the SC.EXE utility included in the Windows
NT Resource Kit to make the service that you want 'remoted' be
dependent on the NtLmSsp service:

To create a service dependency, use the following command:
SC \\MyMachineName CONFIG MyServiceName DEPEND= ntlmssp
(don't omit the space after the =)

To query a service dependency:
SC \\MyMachineName QC MyServiceName

======================================================================
SETTING AUTODISCONNECT FOR AUTO DIAL
======================================================================

When using either Remote Access Service (RAS) or Routing and Remote 
Access Service (RRAS) for automated dial-up with Auto Dial, the 
following procedure should be used for applying dial-up connection 
settings that determine when a connection automatically disconnects 
after remaining idle.

To set autodisconnect properly for a RAS or RRAS phonebook entry:

1.  Locate the phonebook file (typically, this file is located in
    %SystemRoot%\System32\Ras\Rasphone.pbk) and open it using a 
    text editor, such as Notepad.
    
2.  Find the section specific to the dialing entry used for Auto
    Dial connection by Microsoft Proxy Server.  (Note: each section in 
    the phonebook file has a separate heading in the form of 
    [Phonebook Entry].)
    
3.  Find the value for "IdleDisconnectSeconds".  In most cases, the 
    value is typically set to 0.  Increase the value to a number of 
    seconds of your choosing that will be used to timeout and 
    automatically disconnect if the line remains idle.  
    
4.  Check to see if an option for "OverridePref" is included in the 
    dialing entry section.  If this option exists, set the value to 4.
    (Note:  if this value does not exist, do not add it.)
    
5.  Save the file, Rasphone.pbk, and close your text editor 
    application.
    
Note: There is no need to reboot after applying the previous changes.  
RAS or RRAS will use your revised settings the next time dialing 
occurs.
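
The following is an added example, not part of the original release
notes. It applies steps 2 through 4 to the text of a phonebook file:
within the named entry only, it sets IdleDisconnectSeconds, sets
OverridePref to 4 when that option is already present, and never adds
OverridePref when it is absent. The entry names and the sample
phonebook text are constructed.

```python
def set_idle_disconnect(pbk_text, entry, seconds):
    """Return phonebook text with the idle timeout applied to one entry."""
    if seconds <= 0:
        raise ValueError("seconds must be greater than 0")
    out = []
    section = None
    found_entry = False
    found_idle = False
    for line in pbk_text.splitlines(keepends=True):
        body = line.rstrip("\r\n")
        eol = line[len(body):]              # keep the original line ending
        stripped = body.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            section = stripped[1:-1]
            if section == entry:
                found_entry = True
        elif section == entry and "=" in body:
            key = body.split("=", 1)[0].strip()
            if key.lower() == "idledisconnectseconds":
                body = "%s=%d" % (key, seconds)
                found_idle = True
            elif key.lower() == "overridepref":
                # Step 4: change the value only when the option exists.
                body = "%s=4" % key
        out.append(body + eol)
    if not found_entry:
        raise KeyError("phonebook entry not found: %s" % entry)
    if not found_idle:
        raise KeyError("IdleDisconnectSeconds not present in [%s]" % entry)
    return "".join(out)


# Constructed sample; a real Rasphone.pbk entry carries many more options.
SAMPLE_PBK = (
    "[ISP Dial-Up]\r\n"
    "IdleDisconnectSeconds=0\r\n"
    "OverridePref=15\r\n"
    "\r\n"
    "[Branch Office]\r\n"
    "IdleDisconnectSeconds=0\r\n"
)

if __name__ == "__main__":
    print(set_idle_disconnect(SAMPLE_PBK, "ISP Dial-Up", 600))
```
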

In general, it is recommended that you disable WINS client bindings 
for the dial-up adapter when using Auto Dial with Microsoft Proxy
Server.  If you require the use of NetBIOS on the dial-up adapter and 
decide not to disable bindings on the dial-up adapter for WINS client, 
you will also need to stop the computer's Browser service.  

To stop the Browser service, use the following two commands:

NET STOP BROWSER
NET CONFIG SRV /HIDDEN

Also, you will need to disable the Computer Browser to prevent the 
service from restarting when the computer is rebooted.  

To disable the Computer Browser service:

1.  Open Control Panel, select Services.
2.  Click "Services."
3.  Select "Computer Browser" from the list of services.
4.  Click "Startup."
5.  In "Startup Type", click "Disabled", then click "OK."
6.  Click "Close."	 
	 
======================================================================
WEB BROWSERS THAT SUPPORT SOCKS V4.3 DO NOT PROXY DNS LOOKUPS
======================================================================

In the on-line documentation, under "Administration"-->"Administering 
Clients"-->"Configuring Web Proxy Client Applications", the following 
note text is incorrect:

"Note: The Socks Proxy service supports the SOCKS 4.3a standard, which 
specifies name resolution. Web browsers do not use this feature. They 
require instead that name resolution of Internet addresses is avail-
able on the client computer. If you are running a Web browser as a 
Socks client on a non-Windows client platform, you need to provide a 
DNS proxy server to your clients for name resolution. The DNS proxy 
server resolves names by forwarding client requests to a server on 
the Internet." 

It should be corrected to read: 

"The Socks Proxy service supports the SOCKS 4.3a standard, which 
specifies name resolution. Many Web browsers, including Microsoft 
Internet Explorer 3.02 and 4.0 and Netscape Navigator 3.0, do not use 
this feature. Instead, these browser applications, when configured
to use a Socks server, require that DNS name resolution of Internet 
addresses be available on the client computer."

"If you are running one of these Web browser applications as a Socks 
client on a non-Windows client platform, you need to provide a DNS 
server for these clients to use for their resolution of external 
DNS names. In this situation, there are two possible methods for 
implementing DNS service for these clients:"

"1)  Install a DNS server, such as Microsoft DNS Server, on the proxy 
     server computer. You can then configure TCP/IP or DNS properties
     on your Socks client machines to point at the internal IP address
     of the proxy server as one of their listed DNS servers. This 
     is the recommended configuration for providing DNS service to 
     Socks clients on your internal network."
    
"2)  As an alternative, you may point Socks clients towards a DNS 
     server on your internal network that has been enabled to provide 
     forwarding to the Internet for DNS name resolution.  This 
     configuration is not recommended as it requires that Microsoft 
     Proxy Client software first be installed on your internal DNS 
     server, and may require additional reconfiguration of your 
     internal DNS server to use forwarding to an external DNS server 
     on the Internet."
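
The difference described in the corrected note, shown at the byte level as an added example (not part of the release notes and not Microsoft's code). It assumes the name-resolution feature follows the publicly documented SOCKS4a request layout; the function names, user ID, host name and addresses are constructed for illustration.

```python
import ipaddress
import struct

VERSION, CMD_CONNECT = 4, 1

def build_socks4_connect(dst_ip, port, userid=b""):
    # Plain SOCKS4: the client resolved the name itself; only an IPv4 address is sent.
    header = struct.pack("!BBH", VERSION, CMD_CONNECT, port)
    return header + ipaddress.IPv4Address(dst_ip).packed + userid + b"\x00"

def build_socks4a_connect(hostname, port, userid=b""):
    # SOCKS4a: DSTIP is the marker 0.0.0.x (x != 0) and the host name follows USERID.
    header = struct.pack("!BBH", VERSION, CMD_CONNECT, port)
    return (header + b"\x00\x00\x00\x01" + userid + b"\x00"
            + hostname.encode("ascii") + b"\x00")

def classify_request(data):
    """Proxy-side view: who performed DNS resolution for this CONNECT request?"""
    if len(data) < 9:
        raise ValueError("request shorter than fixed header plus USERID terminator")
    version, command, port = struct.unpack("!BBH", data[:4])
    if version != VERSION or command != CMD_CONNECT:
        raise ValueError("not a SOCKS4 CONNECT request")
    dst = data[4:8]
    user_end = data.index(b"\x00", 8)  # raises ValueError if USERID is unterminated
    if dst[:3] == b"\x00\x00\x00" and dst[3] != 0:
        host_end = data.index(b"\x00", user_end + 1)
        host = data[user_end + 1:host_end].decode("ascii")
        if not host:
            raise ValueError("SOCKS4a marker without a host name")
        return {"target": host, "port": port, "resolved_by": "proxy"}
    return {"target": str(ipaddress.IPv4Address(dst)), "port": port,
            "resolved_by": "client"}

if __name__ == "__main__":
    # Constructed requests: a browser of the kind the note describes,
    # then a client that does use the name-resolution feature.
    for req in (build_socks4_connect("192.0.2.10", 80, b"user1"),
                build_socks4a_connect("www.example.com", 80, b"user1")):
        print(req.hex(), classify_request(req))
```

Requests classified as "client" come from machines that need a working DNS server of their own, which is the case the two methods above address.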

======================================================================
USING ROUTING AND REMOTE ACCESS SERVICE (RRAS)
======================================================================

Routing and Remote Access Service (RRAS) can be used along with 
Microsoft Proxy Server to provide a secure enterprise internetworking 
solution. 


>>> Required RRAS hotfix

In order to run RRAS and Proxy Server v2.0 on the same computer, you
must install a required RRAS hotfix. This hotfix resolves issues 
associated with reliable, secure integration between RRAS and Proxy.


To download the corrected file connect to:

http://www.microsoft.com/proxy/fix/rras_0.htm


>>> Recommended configurations

This section addresses several common configurations and outlines 
recommended configurations for interworking both RRAS and MSP 2.0 on 
your network.

* Departmental server running RRAS and MSP 2.0

A departmental server on an internal network (typically with only one
network interface) should have packet filtering turned off.

* Edge server connecting to the Internet running RRAS and MSP 2.0

This configuration involves the MSP 2.0 server computer using two 
network adapters (one for the internal interface, one for the external
interface).  For the internal interface, a network adapter card is 
needed.  For the external interface, either a network adapter card or 
a modem can be used.

An edge server in this configuration should have MSP packet filtering 
turned on with MSP 2.0 predefined packet filters activated with no
additional custom packet filters configured. 

* Edge server with "Extranet" or barrier LAN segment

An edge server in this configuration requires a third network adapter
to be installed on the MSP 2.0 server computer to interface to the 
Extranet LAN segment (sometimes referred to as a DMZ network). The 
Local Address Table (LAT) on the server must not include IP addresses 
used on the Extranet LAN. 
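
One way to check the LAT rule above before deployment, as an added example that is not part of the release notes. The "start end" range layout, the function names and all addresses are assumptions constructed for illustration, not the product's file format.

```python
import ipaddress

def parse_lat(text):
    """Parse LAT entries written as 'start end' IPv4 pairs, one per line
    (a layout assumed for this example)."""
    ranges = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split()
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected 'start end'")
        start, end = (ipaddress.IPv4Address(p) for p in parts)
        if start > end:
            raise ValueError(f"line {lineno}: range start is after range end")
        ranges.append((start, end))
    return ranges

def lat_conflicts(lat_ranges, extranet_cidr):
    """Return the parts of the Extranet subnet that LAT entries cover,
    as (first, last) address strings. An empty list means the rule holds."""
    net = ipaddress.IPv4Network(extranet_cidr)
    lo, hi = net.network_address, net.broadcast_address
    conflicts = []
    for start, end in lat_ranges:
        if start <= hi and end >= lo:  # the two closed ranges intersect
            conflicts.append((str(max(start, lo)), str(min(end, hi))))
    return conflicts

# Constructed LAT contents: two private ranges used on the internal network.
SAMPLE_LAT = """\
10.0.0.0 10.255.255.255
192.168.0.0 192.168.255.255
"""

if __name__ == "__main__":
    lat = parse_lat(SAMPLE_LAT)
    # Extranet on registered addresses, as the text describes: no conflict.
    print(lat_conflicts(lat, "198.51.100.0/24"))
    # Extranet numbered out of a range the LAT already covers: conflict.
    print(lat_conflicts(lat, "192.168.50.0/24"))
```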

Typically, routing is enabled between the external network and the 
Extranet LAN, and computers on the Extranet network with registered 
IP addresses can communicate directly with Internet computers. RRAS 
can be used to configure routing for each interface.

All communication between the Extranet LAN and the internal network 
should be done using Microsoft Proxy Server services (Web Proxy, 
WinSock Proxy, Socks Proxy). Where this configuration is applied, 
WinSock servers can also be remoted by means of configuration in the 
Wspcfg.ini file using application-specific settings.  

For more information on configuring these settings, see 
"Administration"-->"Administering Clients"-->"Configuring WinSock 
Proxy Client Applications" in the on-line documentation.

Note:  As an alternative, you can use RRAS instead for communication 
between the internal LAN and the Extranet LAN segments.  This can be
done by way of "Enabling IP Forwarding", eliminating the need to use 
MSP 2.0 services for proxy communication.  However, this configuration
is not preferred. 

======================================================================
LOGGING TO AN ACCESS DATABASE
======================================================================

In the on-line documentation, under "Administration"-->"Configuring
Logs"-->"Logging to a Database", there is an error in the description 
of creating an Access Table. Here are the updated instructions:


Creating an Access Database Table
--------------------------------------------------------
You can use the database template files, Msp.sql and Pf.sql, to create 
a database table in Microsoft SQL Server or Microsoft Access.
In order to create a database table in Microsoft Access using a 
database template file, implement the following procedure:

1.  Rename the database template file with a TXT file extension and 
    open the file in a text editor, such as Microsoft Notepad. The 
    database template files are located in:
	  %systemroot%\help\proxy\misc.
	  
2.  Start Access and open the database you previously created for 
    Proxy Server logging.
	
3.  On the "Queries" tab, click "New" to create a new query.

4.  In the "New Query" dialog box, click "Design View", and then 
    click "OK."

5.  Click "Close" on the "Show Table" dialog.

6.  Click "SQL View" on the View menu, and then delete any text 
    present in "Query."
	
7.  Copy and paste the entire contents of the file previously opened 
    in Notepad in "Query", click "Save" and then click "OK."
	
8.  Double-click the query you just saved. Click "Yes" in any pop-up 
    message boxes.

Rename the Access table to use it with a particular Proxy Server 
service. 

======================================================================
ACKNOWLEDGMENTS
======================================================================

Information in this document is subject to change without notice. 
Companies, names, and data used in examples herein are fictitious 
unless otherwise noted. No part of this document may be reproduced or
transmitted in any form or by any means, electronic or mechanical, for
any purpose, without the express written permission of Microsoft. 
Permission to print one copy for personal use is hereby granted if 
your only means of access is electronic.

Microsoft may have patents or pending patent applications, trademarks,
copyrights, or other intellectual property rights covering subject 
matter in this document. The furnishing of this document does not give
you any license to these patents, trademarks, copyrights, or other 
intellectual property rights except as expressly provided in any
written license agreement from Microsoft.

(c)1997 Microsoft Corporation. All rights reserved.

Microsoft, MS, Windows, and Windows NT are either registered 
trademarks or trademarks of Microsoft Corporation in the United States
and/or other countries.

Other product and company names mentioned herein may be the trademarks
of their respective owners. 

Version           : 2.00
Platform          : winnt 

Last Reviewed: August 9, 1999