California State University, Los Angeles

Group Project
Proxy Server
CIS 454 LOCAL AREA NETWORK
PROFESSOR: DR. GANESAN
GROUP #1
ROBERT WANG, DI LY, LINDA WU
KAY AYARJOKE
Microsoft Proxy Server 2.0
Course Outline
• Overview of Microsoft Proxy Server.
• Examples of Capacity Planning.
• Web Proxy Server Configuration.
• Proxy Server Auto Dial.
Overview of Microsoft Proxy Server
• What is Proxy Server?
• Firewall Server.
• Web Cache Server.
• 3 Proxy Services – Web Proxy,
WinSock Proxy, and SOCKS Proxy.
• System Requirements.
What is a Proxy Server?
• A secure gateway between a protected network (LAN) and the Internet.
• Mediates traffic and processes all incoming and outgoing requests.
• An application server that acts as both a firewall server and a web cache server.
• Only one IP address is “visible” to the outside world.
Proxy Server Example
[Diagram: LAN clients and an IIS server on Windows NT sit behind the Proxy; FTP, Gopher and HTTP traffic leaves for the Internet from the Proxy. One IP address is visible to the outside; the LAN IP addresses are hidden.]
What is a Firewall?
• A system that enforces an access control policy between two networks.
• Some block traffic; others permit traffic.
• Protects against unauthenticated logins from the “outside.”
• Acts as a “phone tap” and tracing tool: connection attempts are logged.
• Cannot protect against attacks that do not pass through it, nor against viruses.
Types of Firewalls
• Network Level (Router).
– Decisions based on source and destination addresses and ports in IP packets.
– Routes traffic directly; fast and transparent.
• Application Level (Proxy Server).
– Permits no direct traffic between networks.
– Good for logging and access control.
– Provides detailed audit reports.
– Enforces more conservative security.
MS Proxy Server as Firewall Server
• Packet filtering – examines all TCP/IP connection attempts into and out of the network.
– Static and dynamic.
• Logs all connection attempts and alerts in real time on suspicious activity.
• Reverse proxy – places the web server behind Proxy Server to publish it to the Web.
– “Impersonates” a web server to the outside.
– Reverse hosting and server proxying.
Reverse Proxy Example
[Diagram: an Internet client requests www.company.com; the Proxy answers for that name and relays the request to the Web Server on the secure network, next to the Marketing department LAN. The internal Web Server is never addressed directly.]
MS Proxy Server as Web Cache Server
• Web caching – the process of storing Web content locally to reduce network traffic.
– Active and passive.
• Allows internal clients full Web access from behind the firewall without compromising security.
• Hierarchical caching.
• Distributed caching.
Cache Example
[Diagram: the 1st client's request goes out over the Proxy's connection to the Internet and the content is cached; the 2nd client's request for the same content is a cache hit served locally, about a 50% traffic saving.]
Hierarchical Caching Example
[Diagram: a New York Proxy connected to the Internet, with downstream Proxies in Boston and Los Angeles serving their local clients and forwarding misses upstream to New York.]
Source: http://www.microsoft.com/proxy/guide/WebCach.asp?A=2&B=2
Distributed Caching Example
[Diagram: an array of four proxies (Proxy 1–4) between the clients and the Internet, providing load balancing, fault tolerance and scalability.]
Source: http://www.microsoft.com/proxy/guide/WebCach.asp?A=2&B=2
WinSock, SOCKS, Web Proxy
• These proxy protocols allow application clients to communicate with application servers.
• Each performs three functions:
– Intercepts connection requests.
– Sets up a proxy circuit.
– Relays application data.
WinSock & SOCKS Proxy
• WinSock Proxy.
– For Windows applications.
– Creates a virtual connection between the internal application and the Internet application.
– Acts as a gateway for IPX/SPX clients on the internal network.
• SOCKS Proxy.
– Supports Unix, Mac and Windows client applications that follow the SOCKS protocol specification.
– Handles TCP/IP traffic through the proxy server.
– Cannot handle UDP-based protocols.
Web Proxy
• Web Proxy
– Supports any CERN-compatible web browser.
– Supports the HTTP, FTP, SSL and Gopher protocols.
– Provides the caching capability.
System Requirements
• Windows NT Server 4.0 with Service Pack 3 or later.
• IIS – Internet Information Server.
• Network interface card.
• CPU and disk space:
– Intel based: 486/33MHz or higher & 125MB.
– RISC based: RISC processor compatible with Windows NT 4.0 & 160MB.
• 16MB of RAM.
Examples of Capacity Planning
• Small Office Network.
• Medium-Size Office Network with a
Branch Office.
• Large Enterprise Network.
Example of Small Office Network
[Diagram: Proxy Server (a Windows NT RAS client) holding cached content, connected over a modem or ISDN line to the ISP and the Internet; on the LAN side a Web Server, a Mail Server and three clients.]
Source: http://www.microsoft.com/proxy/guide/NetScenarios.asp?A=2&B=5
Small Office Network
• Characteristics:
– A single LAN segment.
– Use of the IP network protocol.
– Demand-dial connectivity to an ISP.
– Fewer than 300 clients.
• The proxy-based computer is set up with:
– One NIC to the internal network.
– One modem to the external network (Internet).
• Uses Auto Dial for demand-dialing to the Internet.
• Caching is enabled and configured to limit demand-dialing to the Internet.
Small Office Network Cont . . .
• Stores a local copy of popular URLs on a dedicated disk drive.
• Uses a single network security policy:
– Password authentication.
– User permissions.
– Protocol definitions.
– Domain, cache and packet filtering.
Example of Branch Office Network
[Diagram: central office with a Proxy Server Array behind a router on a T1 line to the ISP and the Internet, plus a Web Server, a Mail Server and department-LAN clients; a remote branch office with its own Proxy Server (Windows NT RAS client) reaching the central office over a modem or ISDN line through a router, plus a Web Server and clients.]
Source: http://www.microsoft.com/proxy/guide/NetScenarios.asp?A=2&B=5
Branch Office Network
• Characteristics:
– A central office with several LAN segments.
– A branch office with a single LAN segment.
– Use of the IP network protocol.
– Demand-dial connectivity from the branch office to the central office.
– Dedicated-link connectivity from the central office to an ISP.
– Fewer than 2,000 clients.
• The Auto Dial feature provides demand-dialing from the remote office to the central office.
Branch Office Network Cont . . .
• Proxy-based computer set up at the branch:
– One NIC to the local (branch) network.
– One modem to the remote network at the central office.
• Caching is enabled to minimize demand-dialing to the central office and to reduce long-distance phone charges.
• Active caching should not be used at the remote branch.
Branch Office Network Cont . . .
• Global security policy:
– Administered at the central office.
– The central office can also set and override local policy.
• The remote branch proxy has no direct Internet access.
• All client requests are routed upstream to the proxy array at the central office.
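The hierarchical caching slides earlier and the branch-office rule just above (the branch proxy has no direct Internet access; every request goes upstream to the central array) describe one mechanism. The JavaScript simulation below is an added example, not Microsoft Proxy Server code: the proxy names, cache sizes, origin server and request pattern are all constructed. It shows where hits and misses land in a two-tier hierarchy, how a branch cache that is too small turns branch misses into central-office hits rather than Internet fetches, and how setting the cache size to zero flushes the cache.

```javascript
// Added example (JavaScript, not Microsoft Proxy Server code): a two-tier
// cache hierarchy. The branch proxy has no direct Internet access and hands
// every miss to its upstream (the central office array); only the upstream
// fetches from the origin. Byte counters show where the traffic saving lands.

class CachingProxy {
  constructor(name, { maxBytes, upstream = null, origin = null }) {
    this.name = name;
    this.maxBytes = maxBytes;   // disk cache size; 0 means "cache nothing"
    this.upstream = upstream;   // next hop for misses (null: fetch from origin)
    this.origin = origin;       // url -> body; only the top-level proxy has one
    this.cache = new Map();     // url -> body; Map keeps insertion order (LRU)
    this.stats = { hits: 0, misses: 0, bytesFromUpstream: 0 };
  }

  cachedBytes() {
    let total = 0;
    for (const body of this.cache.values()) total += body.length;
    return total;
  }

  // Resizing leaves cached content alone unless it no longer fits; a size of
  // zero flushes everything (the deck's "set cache size to zero" rule).
  setCacheSize(maxBytes) {
    this.maxBytes = maxBytes;
    this.evictToFit(0);
  }

  evictToFit(incomingBytes) {
    while (this.cache.size > 0 && this.cachedBytes() + incomingBytes > this.maxBytes) {
      const oldestUrl = this.cache.keys().next().value;
      this.cache.delete(oldestUrl);
    }
  }

  get(url) {
    if (this.cache.has(url)) {
      const body = this.cache.get(url);
      this.cache.delete(url);      // move to the most-recently-used position
      this.cache.set(url, body);
      this.stats.hits++;
      return body;
    }
    this.stats.misses++;
    const body = this.upstream ? this.upstream.get(url) : this.origin(url);
    this.stats.bytesFromUpstream += body.length;
    if (body.length <= this.maxBytes) {   // objects larger than the cache are passed through
      this.evictToFit(body.length);
      this.cache.set(url, body);
    }
    return body;
  }
}

// Constructed stand-in for the Internet: every object is roughly 900 bytes of page.
function origin(url) {
  return `<html>${url}${'x'.repeat(900)}</html>`;
}

// Branch-office topology from the deck: branch proxy -> central array -> Internet.
function buildHierarchy(branchCacheBytes = 5000) {
  const central = new CachingProxy('central', { maxBytes: 100000, origin });
  const branch = new CachingProxy('branch', { maxBytes: branchCacheBytes, upstream: central });
  return { central, branch };
}

// Replay a browsing pattern through the branch proxy and report per-tier statistics.
function simulate(requests, branchCacheBytes = 5000) {
  const { central, branch } = buildHierarchy(branchCacheBytes);
  for (const url of requests) branch.get(url);
  return { branch: branch.stats, central: central.stats };
}

// Constructed request pattern: two branch clients asking for the same pages.
const SAMPLE_REQUESTS = [
  'http://www.example.com/', 'http://www.example.com/',
  'http://www.example.com/news', 'http://www.example.com/',
];
```

With a 5000-byte branch cache the central array is asked twice and the Internet twice; shrink the branch cache to 1000 bytes and the fourth request becomes a branch miss that the central array serves from its own cache, so the long-distance link is used but the Internet link is not. That is the trade-off the deck's branch-office scenario describes.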
Example of Large Enterprise Network
[Diagram: corporate network with a Proxy Server Array behind a router on a T1 line to the ISP (which runs its own Proxy Server Array) and the Internet; Mail Server and Web Servers on the backbone LAN; department LANs with clients and Web Servers behind routers.]
Source: http://www.microsoft.com/proxy/guide/NetScenarios.asp?A=2&B=5
Large Enterprise Network
• Characteristics:
– A central corporate office with many LAN segments and a backbone LAN.
– Several branch offices, each with a single LAN segment.
– Use of both IP and IPX network protocols.
– Demand-dial connectivity from the branch offices to the central office.
– An ISP, and dedicated-link connectivity from the central office to the ISP.
– More than 2,000 clients.
Large Enterprise Network Cont . . .
• A proxy array is used for:
– Distributed caching.
– Load balancing.
– Fault tolerance.
• The proxy array handles all client Internet requests (local or branch).
• Active caching retrieves popular URLs.
Large Enterprise Network Cont . . .
• A single array member is used to administer all other proxies in the array.
• A proxy array is used on the backbone LAN.
• A proxy array is also used at the ISP to demonstrate scalability.
• Branch clients use Auto Dial for demand-dialing to the RAS server.
• Internet requests not serviced locally are forwarded to the corporate proxy array.
• Server administration is set and enforced at the central office.
Large Enterprise Network Cont . . .
• Departmental proxy connection:
– One NIC to the departmental LAN.
– One NIC to the backbone LAN.
• The proxy array at the backbone is dual-homed:
– Internal NIC.
– External NIC to the Internet.
• Proxy array at the ISP:
– Massive scalability, load balancing, and fault tolerance.
– Can cache a massive amount of information.
– Increases client performance.
– Preserves the ISP’s bandwidth out to the Internet backbone.
Web Proxy Server Configuration
• Uses Internet Service Manager.
• General proxy:
– Service page.
– Logging page.
• Service-specific proxy:
– Permissions page.
– Caching page.
– Routing page.
– Publishing page.
Service Page Notes
• Product release and ID.
• Current sessions – current user info.
• Shared service:
– Security – packet, domain filtering, alerting
and logging.
– Array, Auto Dial, and Plug & play.
• Configuration:
– Client configuration, LAT, server backup
and restore.
[Screenshot: Service Page] Source: http://www.calstatela.edu/ats/cbt/
[Screenshot: Current Sessions] Source: http://www.calstatela.edu/ats/cbt/
[Screenshot: Client Installation] Source: http://www.calstatela.edu/ats/cbt/
Logging Page Notes
• Sets logging options for the Web Proxy, WinSock Proxy, and SOCKS Proxy services.
• Provides an audit trail.
• Records client, server, connection, and object information.
• Can log to a text file or to an SQL/ODBC database.
– Logging to a database requires more resources.
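Detection logic a practitioner would run over the text log the Logging page produces, added here as an illustration; it is not Microsoft Proxy Server's own log format or alerting code. The eleven log lines are constructed in a simplified comma-separated layout (time, client IP, user, service, protocol, destination, port, result), not the product's real field layout. The two rules flag a burst of denied connections from one client and a client denied on many distinct destination ports, the kind of "suspicious activity" the firewall slide says the server alerts on.

```javascript
// Added example (JavaScript; not Microsoft Proxy Server's own log format or
// alerting code). The log below is constructed in a simplified comma-separated
// layout: time,client-ip,user,service,protocol,destination,port,result.
const SAMPLE_LOG = `
09:00:01,10.0.0.5,ALICE,WebProxy,HTTP,www.example.com,80,OK
09:00:03,10.0.0.5,ALICE,WebProxy,HTTP,www.example.com,80,CACHE_HIT
09:00:10,10.0.0.9,BOB,WinSockProxy,FTP,ftp.example.com,21,DENIED
09:00:12,10.0.0.9,BOB,WinSockProxy,FTP,ftp.example.com,21,DENIED
09:00:15,10.0.0.9,BOB,WinSockProxy,FTP,ftp.example.com,21,DENIED
09:00:40,10.0.0.7,-,SocksProxy,TCP,203.0.113.8,22,DENIED
09:00:41,10.0.0.7,-,SocksProxy,TCP,203.0.113.8,23,DENIED
09:00:42,10.0.0.7,-,SocksProxy,TCP,203.0.113.8,25,DENIED
09:00:43,10.0.0.7,-,SocksProxy,TCP,203.0.113.8,110,DENIED
09:00:44,10.0.0.7,-,SocksProxy,TCP,203.0.113.8,143,DENIED
09:05:00,10.0.0.5,ALICE,WinSockProxy,FTP,ftp.example.com,21,OK
`;

function toSeconds(hhmmss) {
  const [h, m, s] = hhmmss.split(':').map(Number);
  return h * 3600 + m * 60 + s;
}

// Parse the text log into records; malformed lines are counted, not silently dropped.
function parseLog(text) {
  const records = [];
  let malformed = 0;
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (!line) continue;
    const f = line.split(',');
    if (f.length !== 8 || !/^\d\d:\d\d:\d\d$/.test(f[0])) { malformed++; continue; }
    records.push({ secs: toSeconds(f[0]), client: f[1], user: f[2], service: f[3],
                   protocol: f[4], dest: f[5], port: Number(f[6]), result: f[7] });
  }
  return { records, malformed };
}

// Two alert rules over denied connection attempts, evaluated per client:
//   denied-burst: at least `burst` denials inside a sliding window of windowSec seconds
//   port-fan:     denials to at least `portFan` distinct destination ports (looks like a scan)
function detect(records, { burst = 3, windowSec = 60, portFan = 4 } = {}) {
  const alerts = [];
  const deniedByClient = new Map();
  for (const r of records) {
    if (r.result !== 'DENIED') continue;
    if (!deniedByClient.has(r.client)) deniedByClient.set(r.client, []);
    deniedByClient.get(r.client).push(r);
  }
  for (const [client, rs] of deniedByClient) {
    rs.sort((a, b) => a.secs - b.secs);
    let start = 0, fired = false;
    for (let i = 0; i < rs.length && !fired; i++) {
      while (rs[i].secs - rs[start].secs > windowSec) start++;   // slide the window forward
      if (i - start + 1 >= burst) {
        alerts.push({ rule: 'denied-burst', client, count: i - start + 1, at: rs[i].secs });
        fired = true;   // one alert per client per run is enough for an operator
      }
    }
    const ports = new Set(rs.map(r => r.port));
    if (ports.size >= portFan) {
      alerts.push({ rule: 'port-fan', client, ports: [...ports].sort((a, b) => a - b) });
    }
  }
  return alerts;
}

function analyze(text = SAMPLE_LOG, options) {
  return detect(parseLog(text).records, options);
}
```

On the sample, BOB's three denied FTP attempts within five seconds raise a denied-burst alert, and the unauthenticated client 10.0.0.7 raises both a burst and a port-fan alert (five ports on one host in five seconds). ALICE's single successful FTP session later on raises nothing. When the server logs to an SQL/ODBC database instead of a text file, the same two rules become GROUP BY queries over the client column.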
[Screenshot: Logging Page] Source: http://www.calstatela.edu/ats/cbt/
Permissions Page Notes
• Grants or denies access to services.
• Can give unlimited access to an individual user or group.
• Permissions are granted per protocol, via protocol definitions.
– For example:
• FTP.
• FTP Read.
[Screenshot: Permissions Page] Source: http://www.calstatela.edu/ats/cbt/
Caching Page Notes
• Sets the location and size of the disk cache.
• Enables or disables caching.
• Can specify how often to update the cache.
• Increasing the cache size does not affect the data already cached.
• Delete all cached content by setting the cache size to zero.
[Screenshot: Caching Page] Source: http://www.calstatela.edu/ats/cbt/
Routing Page Notes
• Controls how client requests for Internet objects are directed.
• Direct connection, or via an upstream proxy.
• Can enable a backup route.
• Can enable routing within the proxy array before routing upstream.
• Can also configure Web Proxy clients.
[Screenshot: Routing Page] Source: http://www.calstatela.edu/ats/cbt/
Publishing Page Notes
• Configures the handling of publishing (incoming) requests.
• Configures reverse proxying and reverse hosting.
• Incoming requests can be:
– Discarded.
– Sent to the local web server.
– Sent to another web server.
• The default web server host is set by the Default Mapping.
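The routing decision the Publishing page configures, as an added JavaScript example (not Microsoft Proxy Server code). The public name www.company.com is taken from the reverse-proxy diagram earlier; the internal server names, path prefixes and default-mapping URL are assumptions. routeIncoming applies the three outcomes listed above (discard, local web server, another web server) plus the Default Mapping, and rewriteLocation shows the other half of "impersonating" a web server: redirects issued by an internal server are rewritten back to the public name so internal hostnames never reach the client. The path check at the top of routeIncoming is a practitioner's addition, not something the slides state.

```javascript
// Added example (JavaScript; not Microsoft Proxy Server's publishing code).
// The public hostname comes from the deck's diagram; the internal server
// names, path prefixes and default mapping are constructed.
const PUBLISHING_RULES = {
  'www.company.com': [
    { prefix: '/marketing/', target: 'http://mkt-web.corp.internal/' },  // "another web server"
    { prefix: '/',           target: 'http://localhost/' },              // "local web server"
  ],
};

// Default Mapping: where requests that match no rule go. null means discard.
const DEFAULT_MAPPING = null;

// Decide what to do with one incoming request: discard it, or forward it to
// an internal URL. The longest matching path prefix wins.
function routeIncoming(req, rules = PUBLISHING_RULES, defaultMapping = DEFAULT_MAPPING) {
  const host = String(req.host || '').toLowerCase();
  const path = req.path || '/';
  // Practitioner check, not from the deck: refuse paths that could step
  // outside the published tree on the internal server.
  if (!path.startsWith('/') || path.split('/').includes('..')) {
    return { action: 'discard', reason: 'bad-path' };
  }
  const mappings = rules[host] || [];
  const match = mappings
    .filter(m => path.startsWith(m.prefix))
    .sort((a, b) => b.prefix.length - a.prefix.length)[0];
  if (match) {
    return { action: 'forward', url: match.target + path.slice(match.prefix.length) };
  }
  if (defaultMapping) {
    return { action: 'forward', url: defaultMapping + path.slice(1) };
  }
  return { action: 'discard', reason: 'no-mapping' };
}

// The reverse direction: a redirect (Location header) issued by an internal
// server must be rewritten to the public name, or the client learns the
// internal hostname. The longest matching internal target wins.
function rewriteLocation(location, rules = PUBLISHING_RULES) {
  let best = null;
  for (const [publicHost, mappings] of Object.entries(rules)) {
    for (const m of mappings) {
      if (location.startsWith(m.target) && (!best || m.target.length > best.m.target.length)) {
        best = { publicHost, m };
      }
    }
  }
  if (!best) return location;   // not one of our servers; pass through unchanged
  return `http://${best.publicHost}${best.m.prefix}${location.slice(best.m.target.length)}`;
}
```

A request for an unknown host name is discarded unless a Default Mapping is configured, which is the safe default: with no mapping the proxy reveals nothing about what sits behind it.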
[Screenshot: Publishing Page] Source: http://www.calstatela.edu/ats/cbt/
Proxy Server AutoDial
What is AutoDial?
• Proxy Server automatically dials out to an ISP for an Internet connection.
• Uses Windows NT Server Remote Access Service (RAS) and Dial-Up Networking to establish the connection to the ISP.
• Event-driven:
– Client requests can activate Auto Dial from the WinSock and SOCKS Proxy services.
– The Web Proxy service activates it when a requested object is not in the cache.
Auto Dial Benefits
• Can save the company Internet charges.
– Event-driven – activated only when an Internet connection is needed.
– Regulates usage – can be configured to connect to the Internet during office hours only.
• Can be used as a backup to an existing continuous Internet link.
– The only costs of configuring Auto Dial as a backup are the hardware and the online time while the continuous link is down.
Steps to Configuring Auto Dial
• Install Windows NT Server Remote Access Service (RAS) and Dial-Up Networking before implementing Proxy Server Auto Dial.
– For security reasons, install the RAS server on a computer separate from the Proxy Server computer.
• RAS and Dial-Up Networking can be installed before or after the installation of Windows NT Server 4.0.
Remote Access Service
• For Auto Dial, Remote Access Service can be configured as a:
– RAS client – dials out only.
– RAS server – can both dial out and receive calls, or only receive calls.
– A RAS server requires a high level of security on your intranet.
Dial-up Networking
• Used to connect a client to remote networks.
• A phonebook entry stores all the settings needed to connect to a particular remote network.
– Personal phonebook.
– Company phonebook (public use).
Phonebook Entry Includes
• Name of the phonebook entry.
• Connection method.
• Phone number.
• Serial line protocol offered by the server you are calling.
• Whether or not to include a login script.
• IP address.
• IP address of a DNS or WINS server on the remote network, or both.
Netscape Proxy Server 3.25
Course Outline
• General Overview.
• Implementation.
• Architecture.
• Configuration.
• Upgrade.
General Overview
Features
• Caching on command.
• Client IP address forwarding.
• Automatic content discovery
– Dynamic proxy routing.
• Enterprise Management.
• Fine Grained Filtering.
• Administrative Control.
Caching on Command
• Automatically updates and caches frequently accessed documents.
• Documents or entire sites can be preloaded into the cache, and administrators can schedule updates of cached content.
Client IP Address Forwarding
• Sends the client's IP address to the remote server when the proxy is one of a chain of internal proxies.
Enterprise Management
• Centralized management.
– Supports LDAP.
– Uses Directory Server to manage users and passwords centrally.
• Clustered management.
• Manual configuration files.
• Custom log formats.
Fine Grained Filtering
• Access controls for sites, documents, and protocols.
• Content filtering – built-in virus scanning.
• Cross-platform generic protocol support.
Administrative Control
• Ensures that users access network
resources safely and productively.
• Can specify distinct access controls
based on access type.
• Allows administrators to create custom
HTML files to be returned to users
when access is denied.
Netscape Proxy Server Implementation
• Bottleneck locations at which Proxy Server is implemented:
– Internet Gateway—Forward Proxy.
– Branch Office—Forward Proxy.
– Internet Gateway—Reverse Proxy.
Internet Gateway - Forward Proxy
• Provides gateway services at the application
level with a web proxy as well as at the circuit
level through SOCKS.
• Enhances Internet access.
• Web content caching reduces response times.
• Facilitates bandwidth conservation.
• Helps reduce overall communications
expense.
• Content filtering and access control allows
easy management of intranet material.
Proxy Server inside firewall
[Diagram: PCs on the LAN → Proxy → Firewall → Internet.]
Branch Office—Forward Proxy
• Multiple proxy servers can be chained together to create a hierarchical caching system.
• Proxy chaining allows multiple Netscape Proxy Servers to cache content locally, setting up a hierarchy of servers for client access.
Proxy Server at Remote & Internet
[Diagram: PC on the branch LAN → Proxy → Firewall → Backbone → Proxy → Internet.]
Internet Gateway—Reverse Proxy
• Proxy Server is placed outside the firewall to represent a content server to external clients.
• Exposes selected content without exposing the web servers that host it or other elements of the private network.
• Multiple reverse proxy servers can be used to balance the load on an over-taxed web server.
Reverse Proxy Server
[Diagram: Internet PCs → Reverse Proxy → Firewall → Web Server on the LAN, alongside internal PCs.]
Architecture
– Dual-Homed Host Architecture
– Screened Host
– Screened Subnetwork
– Reverse Proxy
– Server Stand-in
– Load Balancing
Dual-Homed Host Architecture
• Has two network interfaces, one
connected to an internal LAN and the
other to the Internet.
• Incorporates a firewall software
package.
• Provides caching, fine-grain filtering
and virus scanning.
Proxy Server with a Dual-Homed Host
[Diagram: LAN clients → Proxy Server & Firewall on one dual-homed host → Internet.]
Screened Host
• Consists of a router deployed in front of a
server that is hosted on a private network.
• Router can be traditional hardware router or
firewall software application providing
packet-filtering capabilities and restricting
inbound access to internal network.
• Appropriate for small to medium-sized
intranets that require a simple, yet effective
security solution.
Proxy Server implemented behind a screening router
[Diagram: Internet → Router → Proxy Server on the LAN, with clients.]
Proxy Server Implemented Behind a Screening Firewall
[Diagram: Internet → Router → Firewall Software → Proxy Server on the LAN, with clients.]
Screened Sub-network
• Consists of multiple routers sandwiching a
non-secure network that is outside or part of
the firewall solution.
• Commonly referred to as a DMZ
(demilitarized zone). Proxy is deployed in
DMZ and is allowed access to both internal
and external networks through routers.
• Popular architecture choice for larger
organizations with heavily trafficked
gateways.
Proxy Server in Reverse Mode as a Stand-in for a Web Server
[Diagram: Internet client → Proxy Server → Firewall → Enterprise Server.]
Multiple Proxy Servers in Reverse Mode to Balance the Load on a Web Server
[Diagram: Internet → Firewall → DNS Server distributing clients among several Reverse Proxies → Enterprise Server.]
Chained Proxy Servers Providing Load Balancing and Fail-Over Capabilities
[Diagram: LAN clients → Proxy 1, Proxy 2, Proxy 3 (a set of peer proxies) → upstream Proxy via routers → Internet.]
A Possible Enterprise Implementation
[Diagram: central office subnet with a Proxy Server behind a router to the Internet, and a branch office LAN with its own Proxy Server behind a router; the routers and proxies mark the bottlenecks.]
Configuration
• Automatic Client Configuration.
• Caching.
• Templates.
• Filtering.
• Server Plug-in Functions.
Automatic Client Configuration
• Enables automatic proxy configuration in
Navigator clients on intranet.
• Administered by a Proxy Automatic
Configuration (PAC) file.
• PAC allows load balancing across multiple
proxy servers and alteration of proxy
architecture without modifying end user
settings.
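A worked PAC file of the kind the slide describes, added here as an illustration; it is not Netscape's sample PAC and not part of the original deck. The proxy host names, the .corp.internal domain and the 10.0.0.0/8 range are assumptions. FindProxyForURL is the entry point the browser calls; the helper functions after the dashed line are normally supplied by the browser's PAC runtime and are included only so the file runs under Node for testing.

```javascript
// Added example (a PAC file in the form the slide describes; not Netscape's
// own sample). Proxy names, the intranet domain and the address range are
// constructed. FindProxyForURL is what the browser calls; the helpers below
// the dashed line are provided by the browser's PAC runtime and are stubbed
// here only so the file runs under Node for testing.
var PROXY_ARRAY = [
  "proxy1.corp.internal:8080",
  "proxy2.corp.internal:8080",
  "proxy3.corp.internal:8080"
];

// Stable hash so a given site always goes to the same array member first:
// each site is then cached in one place instead of once per proxy.
function hashHost(host) {
  var h = 0;
  for (var i = 0; i < host.length; i++) h = (h * 31 + host.charCodeAt(i)) % 1000003;
  return h;
}

function FindProxyForURL(url, host) {
  // Intranet names and the private range go direct: the proxy never sees them.
  if (isPlainHostName(host) ||
      dnsDomainIs(host, ".corp.internal") ||
      isInNet(host, "10.0.0.0", "255.0.0.0")) {
    return "DIRECT";
  }
  // Schemes the web proxy does not relay go direct as well.
  if (!shExpMatch(url, "http:*") && !shExpMatch(url, "https:*") &&
      !shExpMatch(url, "ftp:*") && !shExpMatch(url, "gopher:*")) {
    return "DIRECT";
  }
  // Spread load across the array; the remaining members are listed as
  // fail-over, so a dead proxy only costs the client one connection timeout.
  var first = hashHost(host) % PROXY_ARRAY.length;
  var choice = [];
  for (var i = 0; i < PROXY_ARRAY.length; i++) {
    choice.push("PROXY " + PROXY_ARRAY[(first + i) % PROXY_ARRAY.length]);
  }
  return choice.join("; ");
}

// ---- Node stand-ins for the browser-provided PAC helpers ----
function isPlainHostName(host) { return host.indexOf(".") === -1; }
function dnsDomainIs(host, domain) {
  return host.length >= domain.length && host.slice(-domain.length) === domain;
}
function shExpMatch(str, pattern) {
  var re = "^" + pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                        .replace(/\*/g, ".*").replace(/\?/g, ".") + "$";
  return new RegExp(re).test(str);
}
function isInNet(host, net, mask) {
  // A real PAC runtime resolves names here; this stand-in handles dotted quads only.
  if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) return false;
  var toInt = function (q) {
    return q.split(".").reduce(function (a, o) { return (a << 8) + Number(o); }, 0);
  };
  return (toInt(host) & toInt(mask)) === (toInt(net) & toInt(mask));
}
```

Two things to keep in mind when deploying a file like this: rearranging or adding array members changes only PROXY_ARRAY, which is the point the slide makes about altering the architecture without touching end-user settings; and in a real browser isInNet on a host name triggers a DNS lookup for every request, so the cheap string checks belong before it, as above.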
Caching
• Caches should be approximately 1 GB per partition and spread across multiple disk controllers.
• Refer to the Administrator’s Guide for in-depth instructions on creating batch update configurations.
Templates
• An object created in Proxy Server’s object
configuration file, obj.conf.
• Used to assign unique procedures to
specific URLs.
• Can make the server behave differently
depending on the URL the client tries to
retrieve.
• Allows customization of how Proxy Server
interacts with clients.
Server Plug-in Functions
• Extends the capabilities of the proxy through the Netscape Server Plug-in Application Programming Interface (NSAPI).
• A set of functions and header files used to create functions referenced in the server configuration files.
– AuthTrans, PathCheck, NameTrans, DNS, Connect, AddLog.
• Used to create functions that consult a custom database for access control, or that write custom log files with special entries.
Maintenance/Upgrade
• Maintenance
– Tuning the Servers
– Monitoring the Servers
• Upgrade
– Growth Issues
– Licenses
– Software Updates
Tuning Servers
• Time-outs.
• Up-To-Date Checks.
• DNS Lookups:
– Enable DNS caching.
– Log only client IP addresses.
– Disable reverse DNS.
– Avoid ACLs with client host names.
• HTTP Keep-Alive.
Monitoring Servers
• Analyzing Logs.
• Monitoring Performance:
– Cache Utilization.
– CPU Utilization.
– Memory Utilization.
Upgrade
• Growth Issues
– Are proxy services strategic for the business?
– Is network bandwidth saturated?
– Is CPU utilization too high?
– Has a new field office been opened or a department added?
– Has the type of content accessed changed?
Upgrade Cont . . .
• Licenses
Proxy User Licenses Purchased | Proxy Servers Deployed
1000 | 1
2000 | 2
3000 | 3
4000 | 4
Upgrade Cont . . .
• Software Updates
– Refer to the Netscape Software Download Site.
– Netscape Proxy Server provides on-the-fly virus scanning of all incoming data, using Trend Micro’s InterScan VirusWall. Purchase of Proxy Server gives you 90 days of free virus pattern updates.
References
• www.microsoft.com
• www.netscape.com
• www.clarknet.com
• www.whatis.com
• www.calstatela.edu/ats/cbt/ (CBT)
END OF COURSE