What's New in Microsoft Proxy Server 2.0

Version 2.0

High Performance Web Caching and Firewall Security
in One Affordable, Integrated Product
Reviewer Guide
Version 2.0
Overview
Microsoft Proxy Server 2.0 is the first product to combine
extensible firewall security and high-performance content
caching in one integrated package.
Microsoft Proxy Server 2.0 is more than just an economical and
secure way to provide managed Internet access to every
desktop within an organization. The new product also provides
important performance and security features that make it a
cornerstone within next-generation Intranets and even within the
public Internet infrastructure.
Microsoft Proxy Server, with version 2.0, offers unbeaten
scalability and proxy performance with its new distributed
caching – array-based and hierarchical. Plus the product is now
a firewall, providing packet layer, circuit layer, and application
layer security, along with extensive logging and real-time alerting
features.
Using this Guide
This guide highlights important features included in Microsoft’s
Proxy Server 2.0 for Windows NT Server 4.0.
This guide is as concise as possible to help ensure your review
cycle proceeds smoothly. The document highlights product
features and describes how these features can benefit large and
small enterprises as well as Internet service providers.
The feature walk-through also provides some useful tips to help
you install and set-up a testbed network for your evaluation. For
additional configuration and usage information, please refer to
the Microsoft Proxy Server 2.0 online documentation and
ReadMe document, both of which accompany the product.
The information contained in this document represents the current view of Microsoft Corporation on the issues discussed
as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted
to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented
after the publication date. This document is for informational purposes only.
MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.
Microsoft, ActiveX, BackOffice, the BackOffice logo, MS-DOS, NetShow, Windows, and Windows NT are registered
trademarks of Microsoft Corporation in the United States and/or other countries.
Java is a trademark of Sun Microsystems, Inc.
Other product and company names herein may be the trademarks of their respective owners.
Originally Published June 1997 – Updated September 1997
© Copyright 1997 Microsoft Corporation
CONTENTS
Overview – Network Security, Performance, and Affordability ........ 1
    The Need for Network Security, Performance and Affordability ........ 1
    Firewalls Provide Security ........ 1
    Content Caching Provides Network Performance and Cost Savings ........ 2
    Defining the Term “Proxy” ........ 2
    Connecting to the Net via Proxy - a Secure Gateway ........ 3
    Beginning to Address the Need – Microsoft Proxy Server 1.0 ........ 4
What’s New in Microsoft Proxy Server 2.0 ........ 5
    Overview – Microsoft Proxy Server 2.0 ........ 5
    Extensible Security ........ 5
    Unbeaten Performance, Scalability, and Cost-Savings ........ 6
    Easy, Comprehensive Management ........ 6
Features At A Glance ........ 7
Testbed Configuration for Proxy Server 2.0 ........ 10
Dynamic Packet Filtering Security ........ 14
Application Layer and Circuit Layer Security ........ 18
    Microsoft Proxy Server – Multi-Layered Security ........ 18
    Application Layer Security with Web Proxy ........ 18
    Circuit Layer Security with WinSock Proxy ........ 19
    Circuit Layer Security with SOCKS Proxy ........ 21
Real Time Security Alerts and Logging ........ 23
Reverse Proxy, Virtual Hosting and Server Proxying ........ 25
    Enhanced Web Publishing Support ........ 25
    Server Proxying ........ 26
Distributed Content Caching ........ 31
    Cache Arrays – A New Approach to Scalability & Fault Tolerance ........ 31
    Array Administration ........ 32
    Hierarchical Caching ........ 36
    Cache Array Routing Protocol – A Better Way to Scale ........ 38
Active, Intelligent Caching ........ 39
Performance ........ 41
    Real-World Proxy Server Usage ........ 41
    Real World Proxy Server Performance Improvements ........ 41
Windows NT Server Integration for Great Manageability ........ 43
    Windows NT Server 4.0 Integration ........ 43
User Access Control ........ 45
Site Filtering Control ........ 48
    Enabling Managed Internet Access ........ 48
    Value-Added Site Filtering Services ........ 49
Automatic Client Configuration ........ 50
IPX-to-IP Gateway ........ 54
Auto-Dial Internet Connection ........ 55
    Cost-Savings and Added User Access Control ........ 55
    Makes Use of Windows Dial-Up Networking ........ 55
    New Enhancements – Back-Up Routes and Easier Use ........ 56
Extensibility and Complementary Products ........ 58
    Third Party “Plug-In” Products – The Virtual Bundle ........ 58
    Other Firewalls – Complementary or Competitive? ........ 59
Detailed Feature Matrix ........ 60
For More Information ........ 61
Appendix A What is the Local Address Table (LAT)? ........ 62
    How is the LAT Defined? ........ 62
Appendix B Windows NT Server – Overview of a Secure Operating System ........ 64
    Windows NT Features ........ 64
    Single Log-on and Remote Sessions ........ 65
    Password Management ........ 66
    Access Control Lists (ACLs) ........ 66
    Central Admin & Roles ........ 67
    Security Audit Trail ........ 67
    Routing and Remote Access Service (RRAS) & Point-to-Point Tunneling Protocol (PPTP) ........ 67
    Basic Protocol Security ........ 68
    C2 and its Companions ........ 68
    And the story continues… ........ 69
    Enabling Technologies ........ 70
    CryptoAPI & S-Channel ........ 70
    P-Store, Microsoft Wallet & PFX ........ 71
    Smart Cards ........ 72
    SSPI & Secure RPC & DCOM ........ 72
    Applications ........ 73
Summary ........ 74
OVERVIEW – NETWORK SECURITY, PERFORMANCE, AND AFFORDABILITY
The Need for Network Security, Performance and Affordability
Commercial and residential Internet access growth is exploding. Every day, more
and more companies connect their internal networks to the Internet for a variety of
reasons – productivity, customer service, collaboration, and more. Some of the
biggest issues these organizations – small and large alike – face as they extend
their networks to the Internet are security, manageability, and cost. Firewalls and
content cache servers help organizations address these issues effectively.
Firewalls Provide Security
Most people are familiar with the term “Internet firewall.” It is commonly used and
reasonably well accepted as a reference to hardware and software used to restrict
entry to an organization’s network from the Internet. Firewalls typically provide
multi-layered security – at the packet and application layers – although many
routers that provide only packet filtering are often called firewalls. Firewalls also
usually provide alerting mechanisms to let network managers know if their networks
are under attack by intruders. Some firewall products also support virtual private
networks (VPNs) between locations. VPNs provide a low-cost, secure connection
path between, for example, a branch office and a corporate headquarters location,
across public network facilities.
The firewall market is experiencing significant growth, fueled by the growth in
Internet access and the importance of security. The market has evolved from an era
just a few years ago in which customers had to design or have built for them their
own firewalls from the ground up. These custom-made firewall solutions were very
expensive to create and often difficult to manage. In the early ‘90s a number of
commercially available firewall products started to appear making the process of
securing internal networks a bit easier. Today firewall solutions are much less
expensive than just a couple of years ago, but the typical $5,000 to $20,000 price
tag often prevents all but large organizations from benefiting from firewalls. Many
industry analysts expect firewall prices and usability to reach broad market status
by the year 2000.
Content Caching Provides Network Performance and Cost Savings
The content cache server category is a relatively new category and less well
understood in general than firewalls. Like the firewall market, growth in the content
caching category mirrors the growth in Internet access. While firewalls provide
security, content cache servers and application proxy servers typically provide
better network performance and cost savings. Content caching servers are often
used alongside firewall solutions, but firewalls, to-date, have not included content
caching.
Caching reduces network traffic and, therefore, network costs, because it moves
data closer to the users who are accessing the data. As a result, the data does not
have as far to travel across the public Internet or across an enterprise network to
reach the person who needs it. This reduces network traffic and congestion. In
addition, many proxy servers enable network managers to control which Internet
services their users are able to access. This is referred to as user access control
and site filtering.
Content caching is already important to many large enterprises and Internet Service
Providers (ISPs) and it is making its way into smaller organizations. Looking ahead,
content caching is expected to take on a critical role for organizations of all sizes.
The increasing use of Internet technologies within organizations for Intranets and
the emergence of “push” technologies, which proactively move content across the
Internet or Intranets for more personalized service, is expected to further increase
the need for proxy server products.
Defining the Term “Proxy”
The term proxy means “to do something on behalf of someone else.” In networking
terms, a proxy server computer can act on the behalf of several client PCs
requesting content from the Internet or even elsewhere on an Intranet. In this case,
the proxy server is the secure gateway to the Internet for several client PCs.
[Figure: a secure network (LAN) on one side, the Internet on the other, with Microsoft Proxy Server between them. Caption: A proxy server interacts with the Internet on behalf of the client PCs.]
The proxy server is more or less transparent to the other parties in this
communications path – the user and the Internet resource. The user interacting with
the Internet at his desktop PC should not be able to tell that a proxy server is
interceding, that is unless the user attempts to access a service or go to a site the
proxy server is disallowing. The web server being accessed across the Internet
interprets the requests from the proxy server as requests from a browser or FTP
client.
The proxy server in this scenario is dual-homed, meaning the server computer has
two network cards. One card connects the computer to the enterprise network. The
other card connects the computer to the outside world, in this case, to the Internet.
Connecting to the Net via Proxy - a Secure Gateway
Organizations wanting to extend Internet access to user desktops would be well
advised to use a proxy server. A secure gateway from the organization’s Intranet
out to the Internet has several important advantages over other possible methods.
There are two primary alternatives to using a proxy server that some organizations
use to provide Internet access to their users: (1) run phone lines directly to those
users who want Internet access; or (2) set up a few PCs and place them in
locations where they can be shared resources among several people. Both of these
alternatives have serious drawbacks when compared to using a proxy server.
Disadvantages of using dedicated lines to each user for Internet access:
- Extra hardware (e.g., modem) expense at each desktop
- Recurring phone line charge for each user
- No sharing of the phone line or Internet account resource
- No network manager control over user’s Internet experience
- Major security breach if modem-equipped PC is connected to LAN
- Poor performance for the user (due to modem connectivity)
Disadvantages of sharing Internet-ready PCs among several users:
- Inconvenience for user
- Frequent lack of availability (other people using the computer)
- Everyone using the Internet on those PCs gets the same service – no ability to customize the Internet services to make them appropriate to the individual
- Tracking and logging usage by user is difficult to impossible
A proxy server, by contrast, offers several advantages:
- Sharing of the Internet connection resource among many users
- Single, secure gateway to manage and monitor
- Ability to offer Internet access appropriate to the individual or group
- Ability to track usage by user
- Much better performance – especially if proxy server includes caching
- Very affordable
Beginning to Address the Need – Microsoft Proxy Server 1.0
In November 1996, Microsoft introduced Microsoft Proxy Server version 1.0. The
product provides an easy, secure way to bring Internet access to every desktop
within an organization. With content caching, Microsoft Proxy Server accelerates
the Internet experience and reduces the cost of network communications. The
product also provides user access control and site blocking for management
oversight of Internet use. Version 1.0 has been well received, particularly among
small to mid-size organizations, moving rapidly alongside Netscape Proxy Server as
the leading product in the category based on unit volume and market presence.
Unlike other proxy or content cache servers, Microsoft Proxy Server 1.0 provides
great security with its application layer and circuit layer proxies. The product is
secure enough that it can be placed at the boundary of an organization’s network
(i.e., where the internal network meets the outside world) without additional firewall
support required. Microsoft Proxy Server is complementary to other firewalls,
however.
Although Microsoft Proxy Server 1.0 provides application layer security and is
resistant to most of the attacks firewalls resist, the product does not provide all the
features commonly associated with a firewall. Namely, the version 1.0 product does
not include packet filtering nor does it perform alerting or detailed logging of live
network attacks. In addition, large enterprise customers and ISPs often find they
need to have a group of proxy servers working together to provide better scalability
and performance across their networks.
Microsoft is now moving forward with the next version of Microsoft Proxy Server –
version 2.0. The new product, now available, addresses the need for firewall
security and for scalable content caching for any size enterprise customer or ISP.
WHAT’S NEW IN MICROSOFT PROXY SERVER 2.0
Key New Features:
Firewall Security
- Dynamic Packet Filtering
- Reverse Proxy
- Reverse Hosting
- Server Proxying
- Real time alerts & logging
- VPN support
Performance / Cost-Savings
- Array-Based Content Caching
- Hierarchical Caching
- Cache Array Routing Protocol Support
- FTP Caching
- 40% Better Performance
- HTTP 1.1 Support
- SOCKS support
Management
- HTML-Based Admin (available via Web download shortly after Proxy 2.0 general release)
- Command-Line & Scripting
- Array Administration
- Config Backup & Restore
Overview – Microsoft Proxy Server 2.0
Microsoft Proxy Server 2.0 is an extensible firewall and content cache server,
providing Internet security while improving network response time and efficiency by
50%, on average, for businesses of all sizes. The product is re-defining the firewall
and content caching categories. It is the first firewall product to include high-performance
content caching. Similarly, it is the first content cache server to provide firewall support.
Microsoft Proxy Server 2.0 delivers a compelling combination of security and
performance and the product is within reach of organizations of virtually any size.
This should help broaden and accelerate distribution channel presence and
expertise of these networking solutions so more customers can take advantage of
Internet technologies. Microsoft Proxy Server is a member of the Microsoft
BackOffice family of server applications.
[Figure: positioning chart with Performance (Caching) on one axis and Security on the other; Web cache products and firewall products are shown, with Microsoft Proxy Server V1.0 and V2.0 plotted between them.]
Extensible Security
Microsoft Proxy Server acts as a gateway with firewall-class security between a
Local Area Network (LAN) and the Internet. Several new features have been added
to Microsoft Proxy Server 2.0 to enable its use as a firewall. The product supports
dynamic packet filtering, in addition to application layer security and circuit
layer security. The product also provides the alerting and logging features
demanded by firewall users. Plus, when Microsoft Proxy Server is used with the
Routing and Remote Access Service Update for Windows NT Server, customers
can enjoy the cost-savings and security of Virtual Private Networks (VPNs).
Microsoft Proxy Server can play an important role in enforcing an organization’s
overall security policy. Customers can choose from a variety of virus scanning,
JavaScript and ActiveX filters, site blocking enhancement products and other
security products built on the Microsoft Proxy Server platform that are available
today from third party companies. Third party developers can use Microsoft Proxy
Server 2.0 as a platform for value-added development due to the product’s
extensibility. In addition, because the best security policy is one that includes
multiple mechanisms to provide backup and depth, Microsoft Proxy Server 2.0 can
be used in a very complementary way with other security products, including high-end
firewall solutions, to meet the specialized security needs for a wide spectrum of
customers.
Unbeaten Performance, Scalability, and Cost-Savings
With version 2.0, Microsoft Proxy Server introduces array-based and hierarchical
(or chain-based) caching to deliver unbeaten linear scalability. This enables large
enterprises and ISPs to make use of the product in their most demanding locations.
Content caching is becoming distributed – moving to branch offices and to the
departmental level within enterprises and in various ISP Points of Presence.
Microsoft Proxy Server, with support of a new industry standard called Cache Array
Routing Protocol, provides unbeaten distributed content caching performance and
deployment flexibility.
Microsoft Proxy Server’s caching can reduce network bandwidth by 50% on
average, improving response time for clients, reducing network congestion, and
improving control over network resources without burdening end users or network
administrators. It filters and stores popular Web content locally for corporations or
Internet Service Providers. Microsoft Proxy Server proactively caches frequently
accessed documents to ensure the freshness and availability of data, automatically
pre-loading and updating popular web pages based on heuristics of usage.
Customers moving from Microsoft Proxy Server 1.0 to version 2.0 will enjoy real-world performance improvements of about 40%.
Easy, Comprehensive Management
Since Microsoft Proxy Server is integrated with Windows NT Server,
administrators can use a single set of tools (including the performance monitor, user
manager, event log, and access logging) to manage their intranets and Internet
access. This provides a lower total cost of ownership. Version 2.0 introduces more
ways to manage Microsoft Proxy Server – HTML-based administration and
command line support with scripting complement the graphical user interface-based support. Easy-to-configure array administration is added. There are more
tools to automate the deployment, configuration, and back-up of Microsoft Proxy
Server than before. Plus network managers can enjoy the additional flexibility
provided by SOCKS v4.3 support, HTTP 1.1, and FTP caching to enable expanded
use of Internet and Intranet services to their users.
FEATURES AT A GLANCE
Microsoft Proxy Server 2.0 - Features At A Glance
Feature
Description
EXTENSIBLE FIREWALL SECURITY
Packet Layer Security with Dynamic Packet Filtering
New! Microsoft Proxy Server 2.0 supports inbound and outbound packet filtering. Unlike other packet
filtering firewalls, Proxy Server intelligently & dynamically determines which packets to allow to pass through
to the secured network’s circuit & application layer proxy services. Rather than force a network manager to
manually pre-define and permanently open a set of ports for different applications, this feature opens ports
automatically only as needed, then closes the ports when the communication ends. This approach minimizes
the number of exposed ports in either direction and provides a unique measure of hassle-free security.
Circuit Layer Security
Protect your Intranet via the Winsock proxy and the new SOCKS proxy. These services provide application-transparent circuit gateways. Microsoft Proxy Server 2.0 provides multi-platform access to Telnet, RealAudio,
NetShow, IRC, and several other Internet services. Unlike other circuit layer proxies, Microsoft Proxy Server
2.0 circuit layer security works with dynamic packet filtering for enhanced security and ease of use.
Application Layer Security
Microsoft Proxy Server 2.0 understands and interprets commands within the application protocols (such as
HTTP, FTP, and Gopher) from client PCs. Proxy Server acts on behalf of the client PC to interact with the
Internet resource. The network topology and IP or IPX addresses are not revealed to the outside network.
Real-time Security Alerts
New! Now you can be notified immediately if your network is under attack so you can take action. Microsoft
Proxy Server 2.0 supports several alerting thresholds and variables for great flexibility.
Reverse Proxy
New! Now you can place your web server behind Proxy Server to publish to the World Wide Web without
compromising the security of the web server or its data. Proxy Server "impersonates" a Web server to the
outside world, while your Web server maintains access to internal network services.
Reverse Hosting
New! This extension of reverse proxy allows several web servers sitting behind Microsoft Proxy Server
to publish to the Internet, providing great flexibility and security in Web publishing. These additional web
servers can publish independently or appear as directories in a single large virtual web server.
Server Proxying
New! Microsoft Proxy Server 2.0 has the ability to listen for inbound packets destined to a server
computer that is connected behind the Proxy Server computer. Proxy Server then forwards the incoming
requests. For example, incoming mail can be directed to your Microsoft Exchange Server computer.
Extensive Logging Support
Microsoft Proxy Server 2.0 logs via log files or to ODBC databases so network managers have a complete
profile of inbound and outbound traffic moving through the Proxy Server computer. Logging has been
expanded in Microsoft Proxy Server 2.0 to include alert information and other new firewall-related activity.
Virtual Private Networking with Routing & Remote Access Service Update
You can use Microsoft Proxy Server 2.0 on the same server with Routing and Remote Access Service for
Windows NT Server to connect branch offices to a corporate network via the Internet. Using the Internet as a
Virtual Private Network provides big cost savings compared to traditional Wide Area Network (WAN) options.
This provides all-in-one access and control for use with Internet and connectivity to a multi-site Intranet.
Secure Sockets Layer Tunneling
Microsoft Proxy Server permits SSL tunneling, which provides an encrypted path between the client and
remote server. This feature is useful for secure Internet transactions and other applications.
Full authentication / logging
The built-in WinSock Proxy performs full access control, encrypted authentication, and logs all transactions.
Complementary Third Party Applications – the Virtual Bundle
A variety of third party products “plug in” to Microsoft Proxy Server 2.0 for value-added or specialized security.
For example, you can use filters to prevent viruses, Java scripts or ActiveX controls from being downloaded
into your secured network. Third party applications work with Proxy Server via the Internet Server Application
Programming Interface (ISAPI). This extensibility gives customers great choice and flexibility.
PERFORMANCE AND COST-SAVINGS
Array-Based Content Caching
New! Proxy Server now allows you to set up distributed caching among multiple Proxy Server computers.
Arrays allow a group of Proxy Server computers to be treated and administered as a single, logical entity.
Arrays provide load balancing, fault tolerance, scalability, and ease of administration.
Hierarchical Content Caching
New! Proxy Server now enables caching across a hierarchical connection of individual Proxy Server
computers or arrays, enabling distributed deployment to branch offices and departments. Requests from
clients are sent upstream through the hierarchy until the requested object is found.
Cache Array Routing Protocol
New! This is a new approach for performing scalable array-based and hierarchical-based caching that has
been submitted to the IETF. The new protocol, developed by Microsoft, provides substantial advantages over
alternative approaches in performance to enable linear scalability with cache arrays or hierarchies. Microsoft
Proxy Server 2.0 is the first product to make use of this protocol.
Active Intelligent Caching
Microsoft Proxy Server 2.0 automatically determines which web sites are most used and how frequently their
content is refreshed. Proxy Server uses this information to proactively pre-load that web content into its
cache during periods of low network use. This provides a consistent, accelerated Internet experience for all
users accessing these web sites, without requiring network manager intervention.
FTP and HTTP Cache Support
New! Now you can cache not only HTTP 1.0 objects - you can also cache HTTP 1.1 and FTP objects. There
is greater control over the Time-to-Live (TTL) setting, as well, with Microsoft Proxy Server version 2.0.
Hypertext Transfer Protocol (HTTP) version 1.1
New! Implementation of HTTP 1.1 allows Proxy Server to use persistent client-to-proxy server connections,
persistent proxy server-to-Internet server connections, read-range, and virtual hosts. Full support of HTTP 1.1
helps Microsoft Proxy Server deliver significant performance gains. (NOTE: Full HTTP 1.1 support requires
use of the Internet Information Server 4.0 HTTP engine which is not supported in the initial beta)
Improved Cache and Proxy Performance
New! Microsoft Proxy Server 2.0 offers unbeaten performance to meet real-world requirements of fulfilling
requests not only from the cache but also from across a live Internet connection – all while performing the full
range of security and managed access. Microsoft Proxy Server 2.0 is up to 40% faster than Proxy Server 1.0.
EASY, COMPREHENSIVE MANAGEMENT SUPPORT
Windows NT Server Integration
Microsoft Proxy Server capitalizes on features that make Windows NT Server a secure, scalable network
operating system. This includes the best integration with the Windows NT Server directory service for easier
manageability and reduced total cost of ownership. Microsoft Proxy Server supports a single user logon for
network services and applications so user accounts do not have to be re-created for Proxy Server.
User Access Control
Network managers can use Microsoft Proxy Server to set detailed user & group permission lists by Internet
protocol in the Web Proxy, WinSock Proxy, and SOCKS Proxy components.
Site Filtering
Network managers can specify a list of Internet addresses (IP addresses, IP address ranges, or URLs) to be
exclusively permitted or denied for access by users behind the Proxy Server.
GUI-Based Administration
Microsoft Proxy Server’s Internet Service Manager provides an easy to understand way to administer a local
or remote proxy server computer, proxy array, or proxy hierarchy.
HTML-Based Administration
New! You can administer Microsoft Proxy Server locally or remotely via a web browser for added
management flexibility and ease-of-use. You can even create customized HTML error pages. (NOTE: HTML-based admin is available as a Web download.)
Command Line Administration
New! This tool lets you manage Microsoft Proxy Server through MS-DOS prompts if that is your preference.
You can configure and manage one or more local or remote servers with this tool.
Array Administration
New! Multiple proxy servers can be administered simultaneously via transparent Array based administration.
This allows change to be propagated to other proxy servers with a single mouse click.
Configuration Backup & Restore
New! You can now back up your server configuration to a file or roll back to a previous configuration.
Client Auto-Configuration
New! You can automatically configure Web Proxy clients by using predefined JavaScripts or by creating your
own scripts for great ease-of-use and fast enterprise-wide deployment. You can also use the Internet Explorer
Administration Kit or Microsoft Systems Management Server to automate the proxy client installation.
SNMP Support
A network manager can monitor and examine the current status of any Microsoft Proxy Server on the network
using an SNMP console such as HP OpenView for added flexibility and reduced cost of ownership.
FLEXIBLE NETWORKING AND APPLICATIONS SUPPORT
IPX-to-IP Gateway
Unlike other proxy servers, Microsoft Proxy Server 2.0 does not require that network managers “rip and
replace” existing legacy IPX network with IP networks. This built-in IPX-to-IP gateway can be much less
expensive than other solutions. Windows 95 and Windows NT Workstation 4.0 clients are supported.
Auto-Dial Connection
This unique feature dynamically connects your network to your ISP, as needed, providing even more cost
savings and user access control. This also includes a backup route to the Net if the primary path is busy.
SOCKS Support
New! You can now configure Microsoft Proxy Server as a SOCKS server or as a SOCKS client to an
upstream SOCKS server for easy access to rich Internet services for Macintosh, Unix or other client PCs.
Unbeaten LAN & WAN Connectivity Options
Microsoft Proxy Server 2.0 can be used with over 2,000 LAN and WAN cards that have earned the Windows
NT Compatible logo. This provides unbeaten customer choice and flexibility.
Great Protocol Support
A great variety of protocols are built in to Proxy Server, and more protocols can be added. The Web Proxy
supports: HTTP, HTTP-S, FTP, and Gopher. The WinSock Proxy includes: AlphaWorld, AOL, Archie, Echo,
Enliven, IMAP4, IRC, Microsoft NetShow, MSN, NNTP, POP3, RealAudio, SMTP, Telnet, and VDOLive.
Other protocols can be added with the WinSock Proxy service and with the SOCKS Proxy service.
TESTBED CONFIGURATION FOR PROXY SERVER 2.0
To experience first-hand the majority of new features in Microsoft Proxy Server 2.0,
you’ll need a minimum of four PCs. It is possible to build a testbed with 2 machines
(just a client and a Proxy Server connected to the Internet), but you will only be able
to review the easy configuration and setup of Proxy Server, not the performance-enhancing features, so we'll review the full configuration here.
For the full test, two PCs will be set up with the Proxy Server software running on
Windows NT Server 4.0. For purposes of this demonstration, it is assumed your
testbed has no direct connection to the Internet or other external Web servers.
Therefore, you will use the third machine to act in this capacity, running Windows
NT Server 4.0. This PC will run the Domain Name Service (DNS) and also serve as
an external ‘public’ client. The last system will be an internal client, running
Microsoft Windows 95.
When deployed in smaller sites, you would most likely configure the dial-up service
of Microsoft Proxy Server 2.0 to make an automatic connection to your ISP. This
guide does not cover dial-up access, but if you want to test this capability, you will
find the information you need in the RAS section of the on-line help.
Please refer to the diagram below as we detail how to configure the test systems.
The idea here is to create an internal private network, and an external network
mimicking the Internet.
Proxy Server Testbed Configuration Diagram.
Platform Setups
Follow these steps to configure each computer. (For a complete list of minimum
hardware requirements and detailed setup information please see the System
Requirements section at the back of this document or in the user documentation.)
Server #1 - Primary computer used to examine the features of Microsoft Proxy Server 2.0.
1. Install two network interface cards (NICs).
2. Connect one NIC to the internal hub and one NIC to the external hub.
3. Normally, a proxy server is set up as a stand-alone server for maximum security. For this evaluation, set up this machine as a Primary Domain Controller (PDC). Give it a Windows NT domain name INTERNAL and a server name PROXY1.
4. Be sure to install Internet Information Server, and create at least one Windows NT File System (NTFS) partition. (For caching.)
5. From the Microsoft TCP/IP Properties dialog, set the IP address of the internal NIC to 10.0.0.1, and the external NIC to 12.0.0.1. (Subnet masks for both should be 255.0.0.0.)
6. Define the Default Gateway: for the external NIC as 12.0.0.5. Do not set a gateway address for the internal NIC.
7. Choose the DNS tab and set the Domain: name to private.com.
8. Click the Add button and define the DNS Server address as 12.0.0.5. Ignore the warning message and do not designate any WINS servers.
9. Verify that only the internal network’s addresses are entered in the LAT. Do this by starting Internet Service Manager, double-clicking the WinSock Proxy Service icon, then clicking the Local Address Table button.
Checking the Local Address Table.
10. If you have entries besides the one shown below, highlight them and click the Remove button. (For a detailed explanation of LAT, see Appendix A.)
Correcting the LAT information.
Server #2 - Used as an Array partner, and also to demonstrate the routing features of Microsoft Proxy Server 2.0.
1. Install one NIC and connect it to the internal hub.
2. Set up as a Stand-alone server but add the machine to the Windows NT domain INTERNAL, and name it PROXY2. Be sure to install Internet Information Server, and create at least one NTFS partition. (For caching.)
3. Set the IP address to 10.0.0.2, with a subnet mask of 255.0.0.0. Do not designate any Default Gateway, DNS, or WINS server addresses.
Internal Client - Used to show how Web Proxy and WinSock Proxy operate transparently from the user’s perspective.
1. Install one NIC and connect it to the internal hub.
2. Designate this client’s workgroup as INTERNAL.
3. From the TCP/IP Properties dialog, set the IP address to 10.0.0.5, with a subnet mask of 255.0.0.0. Do not designate any WINS servers.
4. Install Microsoft Internet Explorer 3.02.
5. Install the WinSock Proxy client component. The simplest way to do this is to open the shared folder mspclnt on PROXY1. Then run SETUP.EXE and follow the on-screen prompts. Restart Windows 95 after installation completes.
Running the WinSock Proxy Client setup.
External Web Server/DNS/Client - Plays the part of the outside world for testing.
1. Install one NIC and connect it to the external hub.
2. This machine can be either a PDC or a Stand-alone server. Name it PUB1, and be sure to install the IIS and DNS services.
3. Set the IP address to 12.0.0.5, with a subnet mask of 255.0.0.0.
4. Choose the DNS tab and set the Domain: name to world.com.
5. Click the Add button and define the DNS Server address as 12.0.0.5. Do not designate any WINS servers.
6. After re-booting, you’ll need to create two zones in the DNS Manager. The first zone should be called world.com. Add one host entry, for PUB1 itself. Set up a second zone called private.com. Add the host PROXY1 to this zone. (Consult the on-line help for assistance in setting up DNS zones.) When finished, your DNS zone configurations should look like those below.
DNS Zone settings for private.com.
DNS Zone settings for world.com.
DYNAMIC PACKET FILTERING SECURITY
Key Benefits:
• Easy to administer
• Reduces chance of attack
• Automated, intelligent operation
• Works with circuit layer and application layer security
Audience Relevance: ISP, Large Sites, Small Sites
As more end users clamor for connectivity to the Web and external network
resources, administrators face a tough challenge trying to deliver the goods, without
compromising corporate security. Smaller companies venturing out into the realm of
on-line connections face an even greater problem, because they frequently lack the
staff or knowledge to implement a secure computing environment.
Dynamic Packet Filtering is a new feature for Microsoft Proxy Server v2.0 and is
critical to its ability to provide easy-to-use firewall security. In short, Dynamic Packet
Filtering allows Microsoft Proxy Server to:
• Drop all packets on an “external” interface by default.
• Dynamically determine whether or not to accept a packet from the Internet while minimizing:
  • Number of exposed ports in either direction.
  • Duration that a port is open to the Internet.
The actual process for enabling Dynamic Packet Filtering is deceptively easy. From
the WinSock Proxy Service Properties page, click the Security button.
Selecting the Shared Services Security option.
Next, select the Packet Filters tab. By placing a checkmark in the two Enable…
boxes, you’ve now secured your internal network. That’s all it takes.
Dynamic Packet Filters, enabled using two checkboxes.
Use Add button to create custom filters.
Even though it takes only a few seconds to enable, the Dynamic Packet Filter
feature is a very powerful feature of Microsoft Proxy Server 2.0. To give you a better
understanding of how Dynamic Filtering works, this brief explanation and diagram
should help clarify the process.
Architecturally, dynamic packet filtering consists of two components:
1. Packet Filter Driver — implemented deep within the Windows NT Networking architecture, which talks directly to the external network interface, and
2. Packet Filter Manager — provides the higher level interface for Proxy Server services to interact with the driver.
Here’s a quick illustrative example of how the combination of the Proxy Services,
the Packet Filter Manager, and the Packet Filter Driver combine to create secure,
dynamic packet filters.
Dynamic packet filtering with Microsoft Proxy Server 2.0 (diagram: WinSock applications, the SOCKS Proxy, WinSock Proxy and Web Proxy services, the user interface, file sharing and RPC, the Packet Filter Manager, the WinSock API, the TCP/IP stack, the Packet Filter Driver, and the internal and external NICs).
1. A client with the WinSock Proxy client component launches a telnet application and attempts to connect to an Internet Server.
2. The WinSock Proxy client component intercepts the Internet telnet request and “remotes” that connection request to the WinSock Proxy Server.
3. The WinSock Proxy Server interrogates the client to ensure that he/she has proper Windows NT User Directory Service permissions to access the telnet protocol on the Internet.
4. If permissions are correct, the Server instructs the WinSock API to create a local “socket” with a local port address of 6008 (for example).
5. The WinSock Proxy Server then notifies the Packet Filter Manager that outbound connections from local port 6008 to a remote telnet service have been “approved” by the proxy service.
6. The Packet Filter Manager instructs the Driver to open port 6008 for outbound telnet connections and tells the WinSock Proxy Server to begin a telnet session on behalf of the original client.
The result of these operations is a logical “filter” which only allows packets from the
approved communications but blocks other disapproved packets:
Packet filter diagram: TCP port 21 (FTP), TCP port 23 (Telnet), and the client Telnet session through local port 6008 to the Internet host.
Open a port only for as long as it needs to be open – then close it for security
As soon as the WinSock Proxy detects that the client has closed his/her telnet
session, it instructs the Packet Filter Manager to close that client’s port (6008)
blocking any further packets from the remote system.
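The six-step sequence above and the port close-down that follows it, modelled as an added example (this is not product code; the class names, the user names and the sample Internet addresses are constructed for illustration). The driver defaults to dropping everything on the external interface; only a proxy service that has checked the user's protocol permission can ask the manager to open a port, and only for that one connection.

```python
from dataclasses import dataclass

TELNET_PORT = 23


@dataclass(frozen=True)
class Packet:
    """One packet seen on the external NIC (constructed sample data)."""
    direction: str      # "out" = toward the Internet, "in" = from the Internet
    local_port: int     # port on the proxy's external interface
    remote_host: str
    remote_port: int
    protocol: str = "tcp"


class PacketFilterDriver:
    """Stands in for the Packet Filter Driver: nothing passes the external
    interface unless a dynamic filter entry for that exact connection exists."""

    def __init__(self):
        self._open = set()  # entries: (local_port, remote_host, remote_port, protocol)

    def open_port(self, local_port, remote_host, remote_port, protocol="tcp"):
        self._open.add((local_port, remote_host, remote_port, protocol))

    def close_port(self, local_port):
        self._open = {e for e in self._open if e[0] != local_port}

    def accept(self, pkt):
        # The same entry covers both directions of an approved connection;
        # a different remote host or port, or an unknown local port, is dropped.
        key = (pkt.local_port, pkt.remote_host, pkt.remote_port, pkt.protocol)
        return key in self._open


class PacketFilterManager:
    """Higher-level interface the proxy services talk to (steps 5 and 6)."""

    def __init__(self, driver):
        self.driver = driver

    def approve(self, local_port, remote_host, remote_port, protocol="tcp"):
        self.driver.open_port(local_port, remote_host, remote_port, protocol)

    def revoke(self, local_port):
        self.driver.close_port(local_port)


class WinSockProxyService:
    """Checks the user's protocol permission (step 3), then allocates a local
    port and asks the manager to open it (steps 4 and 5)."""

    def __init__(self, manager, permissions, first_port=6008):
        self.manager = manager
        self.permissions = permissions  # {user: set of permitted protocol names}
        self._next_port = first_port
        self.sessions = {}  # local_port -> (user, remote_host, remote_port)

    def connect(self, user, remote_host, remote_port, protocol_name):
        if protocol_name not in self.permissions.get(user, set()):
            return None  # permission denied: no filter entry is ever created
        port = self._next_port
        self._next_port += 1
        self.manager.approve(port, remote_host, remote_port)
        self.sessions[port] = (user, remote_host, remote_port)
        return port

    def disconnect(self, local_port):
        # Session closed: the port is closed again, blocking further packets.
        self.sessions.pop(local_port)
        self.manager.revoke(local_port)


def walkthrough():
    """Replays the Telnet scenario from the text and returns what the driver
    decided at each point."""
    driver = PacketFilterDriver()
    svc = WinSockProxyService(PacketFilterManager(driver), {"alice": {"Telnet"}})
    host = "203.0.113.10"  # constructed sample Internet host (documentation range)
    before = driver.accept(Packet("out", 6008, host, TELNET_PORT))
    port = svc.connect("alice", host, TELNET_PORT, "Telnet")
    during = (driver.accept(Packet("out", port, host, TELNET_PORT)),
              driver.accept(Packet("in", port, host, TELNET_PORT)))
    other_host = driver.accept(Packet("in", port, "198.51.100.7", TELNET_PORT))
    other_port = driver.accept(Packet("out", port, host, 21))  # FTP, not approved
    denied = svc.connect("bob", host, TELNET_PORT, "Telnet")  # bob has no rights
    svc.disconnect(port)
    after = driver.accept(Packet("in", port, host, TELNET_PORT))
    return {"port": port, "before": before, "during": during, "other_host": other_host,
            "other_port": other_port, "denied": denied, "after": after}


if __name__ == "__main__":
    for name, value in walkthrough().items():
        print(f"{name}: {value}")
```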
If your installation requires opening a special port between the proxy and an outside
host, you have a high degree of control over the custom packet filter setup. To
install a filter, click the Add button located on the bottom of the Packet Filters tab
shown earlier.
Defining a custom Packet Filter.
As you can see, either fixed or dynamic ports can be configured here, and you can
define this filter to be active for a single host or all external hosts. In addition, you
can designate the type of protocol, and the direction of the flow.
APPLICATION LAYER AND CIRCUIT LAYER SECURITY
Key Benefits:
• Hides internal network addresses
• Managed individual gateway between networks
• Works with dynamic packet filtering
Audience Relevance: ISP, Large Sites, Small Sites
Microsoft Proxy Server 2.0 security is multi-layered. In addition to packet layer
filtering, Microsoft Proxy Server also supports application layer security via the
product’s Web Proxy service and circuit layer security via the product’s WinSock
Proxy service and SOCKS Proxy service. These various proxies are frequently
only available in separate products. Microsoft Proxy Server 2.0 includes all of them
in one integrated package.
As the table indicates, Microsoft Proxy Server 2.0 really provides three basic types
of proxy services – a Web Proxy, a WinSock Proxy, and a SOCKS Proxy – all in
one integrated package. Significantly, all of these proxies work with the dynamic
packet filtering for a multi-layered approach to security.
There are some important differences between what an application layer (Web
proxy) can do and what a circuit layer (WinSock and SOCKS proxies) can do, as
this section of the Reviewer Guide articulates. The table below summarizes some
of these differences.
Microsoft Proxy Server – Multi-Layered Security
Item                            Web Proxy                   WinSock Proxy   SOCKS Proxy
Security Layer (type of proxy)  Application Layer           Circuit Layer   Circuit Layer
Protocols supported             HTTP, FTP, Gopher, HTTP-S   Many            Many
Client support                  Any CERN-based browser      Windows         Many
Special Client software needed  No                          Yes-included    Yes-included
Cache-able content              Yes                         No              No
Dynamic packet filter support   Yes                         Yes             Yes
Application Layer Security with Web Proxy
An application layer proxy server understands and interprets client PC commands
within the applications protocols. For example, Microsoft Proxy Server’s Web Proxy
is an application layer proxy for HTTP, Secure HTTP, FTP, and Gopher.
Microsoft Proxy Server’s application layer proxy provides security because it hides
the internal network IP or IPX addresses from the outside world. To attack a
network resource, a person must first find a way to communicate with that resource.
Without access to the resource’s address, it is much harder to attack it.
The application layer proxy permits more kinds of support for additional capabilities
within each protocol than circuit layer proxies permit. For example, an application
layer proxy can support additional virus scanning while a circuit layer proxy cannot.
Another advantage of an application layer proxy is that it is client-neutral. No special
software should be required on the client PC - other than a CERN-compatible web
browser like Microsoft Internet Explorer or Netscape Navigator - to enable the client
to communicate to the Internet via the proxy server computer. As a result, an
application layer proxy can support several types of client operating systems.
If you wish to see an example of an Application Layer Filter, double-click the Web
Proxy icon from the Internet Service Manager screen.
Application Layer Filters with the Web Proxy service.
Now pick the Permissions tab and check the Enable access control box. Next
choose an entry from the Protocol: drop-down box. For your final step, click the
Add button to grant users or groups from your Windows NT domain the right to use
that service.
Microsoft Proxy Server can be configured to allow anonymous requests by users or
to require that users be authenticated (validated) by the server. Once users are
authenticated, you can determine which protocols (Web, FTP, or Gopher) are
accessible for each user.
You can grant users access to selected protocols and you can restrict access to
remote Web sites by domain name, IP address, and subnet mask, as addressed
later in this guide. Microsoft Proxy Server provides a secure, encrypted logon for
those browsers that support Windows NT Challenge/Response authentication. The
product also provides basic authentication for other browsers and allows data
encryption by means of Secure Sockets Layer (SSL) tunneling.
Circuit Layer Security with WinSock Proxy
One disadvantage of any application layer proxy is the limited number of protocols it
can support. Circuit layer proxying is another approach for connecting a client to a
server across the Internet or Intranet. A circuit layer proxy supports a much wider
variety of protocols, such as streaming audio and video protocols, messaging
protocols, and Internet Relay Chat (IRC).
WinSock Proxy is a service that makes a Windows Sockets-compatible client
application, such as the NetShow client, RealAudio, or IRC, perform as if it were
directly connected to the Internet. The WinSock Proxy service provides Windows
NT Challenge/Response authentication - a secure, encrypted logon process regardless of whether the client application supports it.
You can use Windows NT Challenge/Response authentication between clients and
the WinSock Proxy service to avoid sending passwords across the internal network.
Once the client is authenticated, the WinSock Proxy service uses the logon user
name to verify that the user has permission to use the Internet resource requested.
Authentication for an application is done only once, when the application first links
to Windows Sockets. This reduces network traffic generated for authentication.
Microsoft Proxy Server’s Winsock Proxy service is compatible with virtually any
existing Windows Sockets version 1.1-compatible application and can be used with
Windows-based client PCs. Access is controlled by port number, protocol, and user
or group. Each port can be enabled or disabled for communications by a specific list
of users or user groups. The list of users allowed to initiate outbound connections
on a port can be a different list than the list of users allowed to listen for inbound
connections on the same port. Access for TCP protocols is controlled separately
from User Datagram Protocol (UDP) protocols. In this manner, the WinSock Proxy
service could prevent users from accessing their personal on-line accounts, such as
MSN, for example. WinSock Proxy supports user access control and site filtering.
To see an example of Circuit Layer Filters, choose the Protocols tab from the
WinSock Proxy Service Properties page.
Predefined Circuit Layer protocols plus you can add more protocols.
The extensive list of pre-defined filters means that in most installations there will be
little need to create your own.
Should you find yourself requiring a custom filter, all you need to do is click the Add
button. This takes you to the Protocol Definition page. Here you’d enter the specific
port and protocol used, and the direction of the traffic flow.
In case you need to create a customized Circuit Layer filter.
The Add button is used for subsequent connection information.
Microsoft Proxy Server 2.0 can even handle conditions where a protocol uses one
port for initial negotiation and a different port or range of ports for subsequent
communications.
Defining ports for subsequent communications.
By clicking the Add button, you’ll bring up the Port Range Definition dialog. Here
you can specify the Port or Range of Ports for subsequent communications over
this protocol. (One well-known example of this type of port hopping after negotiation
is the RealAudio streaming protocol.)
Circuit Layer Security with SOCKS Proxy
Microsoft Proxy Server extends its support for circuit layer security in version 2.0
with new support for SOCKS 4.3. While the WinSock Proxy service supports
Windows-based client PCs, the SOCKS Proxy supports Macintosh or Unix-based
client PCs, so this service enhances the multi-platform nature of Proxy Server.
Microsoft Proxy Server now supports SOCKS.
Microsoft Proxy Server can act as a SOCKS client to an upstream SOCKS server or
Proxy Server can be a SOCKS server to a client computer running SOCKS
software on it. Microsoft Proxy Server 2.0 supports SOCKS version 4. SOCKS uses
TCP and can be used for Telnet, FTP, Gopher, and the World Wide Web. The
SOCKS Proxy service does not support RealAudio, streaming video, or NetShow.
REAL TIME SECURITY ALERTS AND LOGGING
Key Benefits:
• Keeps you informed of status
• Detailed audit trail
• Useful for network, security planning
• Peace of mind
Audience Relevance: ISP, Large Sites, Small Sites
It almost goes without saying, but staying informed is a must when trying to provide
a secure computing environment for any enterprise. With Microsoft Proxy Server
2.0 it’s easy to monitor critical functions in real-time. In addition, logging of packet or
protocol violations to the Windows NT Event Log is easily accomplished.
From the Security menu, choose the Alerting tab. Next pick the Event you wish to
define an alert for from the drop down box. Each event has a predefined threshold,
but you may change this to any value you’d like.
If you’d like to be alerted via E-mail, select the Send SMTP mail checkbox, then
click on the Configure Mail button.
Setting Alerts and E-mail notification options.
Now fill in the information for your mail server, and the person to whom you want
the mail sent. Now whenever an event’s triggered by Microsoft Proxy Server 2.0,
you’ll know about it right away. Many email systems support paging integration so
this feature can trigger paging, as well as email, alerting with those systems.
E-mail notification setup parameters.
Now lets look at the Microsoft Proxy Server 2.0 logging feature.
Choose the Logging tab from the Security menu. Once you check the Enable box,
you have a high degree of control over the various ways Proxy Server 2.0 keeps
tabs on activity. If your location will see large amounts of traffic—such as an ISP
would encounter—a daily log is probably the best bet for you. These high-traffic
sites could also log data directly to an SQL or ODBC-compliant database for further
analysis. To keep from missing a possible unauthorized access attempt, you can
also check the Stop all services if disk full option. (Note: This option applies to
the three proxy services; WinSock Proxy, Web Proxy, SOCKS Proxy.)
Setting logging options for optimal monitoring.
You’ll also find a logging configuration option for the regular services (WWW,
Gopher, FTP). Each service’s settings are independent of the others.
REVERSE PROXY, VIRTUAL HOSTING AND SERVER PROXYING
Key Benefits:
• Improves web server capacity planning
• Keeps data secure while allowing access across the Net
• Allows web servers to access other internal servers and data for publishing
Audience Relevance: ISP, Large Sites, Small Sites
Enhanced Web Publishing Support
Microsoft Proxy Server 2.0 allows you to publish to the Internet without
compromising the security of your internal network. Proxy Server uses reverse
proxying and reverse hosting to send requests downstream to a Web server or
group of web servers located behind the Proxy Server computer.
Reverse Proxy and Reverse Hosting offload Web publishing duties from the Web servers and let you securely connect your Web servers to the rest of your Intranet. (Diagram: the Internet reaches Microsoft Proxy Server 2.0 as “www.company.com”; behind it, on the secure network “internal.company.com”, sit two Web Servers, one of them published as “www.company.com/mktg” under the virtual path /mktg.)
Reverse proxying causes the Proxy Server computer to "impersonate" a Web
server to the outside world. The Proxy Server computer fulfills client requests for
web content from its cache and forwards requests to the real web server only when
the requests cannot be served from its cache. Meanwhile, your Web server(s) sits
in its secure environment and maintains access to other internal network services.
Virtual, or reverse, hosting is an extension of the concept of reverse proxying.
Virtual hosting allows any server sitting behind Proxy Server to publish to the
Internet, giving superb flexibility in Web publishing. In this case, the Proxy Server
simulates virtual roots on a web server and then re-directs requests for a particular
domain and root combination to a single web server. Reverse proxy works at the
application layer and supports HTTP only.
This approach to web publishing requires that only one “hole” be punched through
the Microsoft Proxy Server’s firewall for HTTP requests thereby enhancing security.
Server Proxying
Microsoft Proxy Server 2.0 also has the ability to “listen” for incoming packets
destined for computers connected to the secured network behind the Proxy Server
computer. Proxy Server then forwards packets, as appropriate, to those other
server computers. For example, Microsoft Exchange Server can now sit securely
behind a computer running Microsoft Proxy Server.
Server Proxying lets you run Internet applications behind a secure network connection. (Diagram: the Internet, Microsoft Proxy Server 2.0, and the secure network behind it containing an MS Exchange Server, an ODBC (SQL, DBMS) Server, RPC, and other internal app servers.)
As noted, reverse proxy is an application layer service that supports HTTP only. By
contrast, server proxying is a circuit layer service so it supports a wide variety of
protocols.
By following the procedures outlined over the next few pages, you can experience
how Microsoft Proxy Server 2.0 performs Reverse Proxying and Reverse Hosting.
Let’s try Reverse Proxy first. From Internet Service Manager, select Web Proxy,
right-click and choose Service Properties. (Double-clicking the icon will also take
you there.)
Opening the Web Proxy Service Properties.
Next click the Publishing tab, then put a checkmark in the Enable Web publishing
box. Now move down to the three radio buttons and pick the sent to another web
server option. In the box to the right, type in PROXY2. The reason you don’t need
to enter a fully qualified domain name (FQDN) is because the internal network was
set up without a DNS—it will resolve hosts using their NetBIOS names instead. The
Port: number should be set to 80, which is the default used by the HTTP protocol.
Entering the Reverse Proxy information.
When you’re all done with this page, click OK. Before we can test this fully, you will
need to open this same Properties page on the PROXY2 server. This time, select
the sent to the local web server option, and click OK once more.
Now go to the external machine (PUB1) and fire up Microsoft Internet Explorer. In
the Address: box enter the URL http://proxy1.private.com. If everything works as
planned you should see the familiar Microsoft Internet Information Server screen.
Since both proxy servers are running the same software, it would be very hard to
tell which one was actually servicing your request. Therefore, we suggest you
modify the DEFAULT.HTM file (located in the directory drivepath\InetPub\wwwroot)
to denote the server on which it resides. As our screen shot depicts, we just added
some text above the regular Microsoft logo. You can use any ASCII editor to do
this, such as WordPad or Notepad.
Web page being served from PROXY2 via Reverse Proxy on PROXY1.
With that capability now understood, we’ll get a little more sophisticated and try
Reverse Hosting.
Return to the Web Proxy Publishing page on PROXY1. This time, click on the
discarded radio button up top, then move to the bottom of the screen and click the
Add button. What you will be doing now is telling Microsoft Proxy Server 2.0 which
web requests should be redirected to a different downstream web server.
Preparing to designate a Reverse Hosting target.
In this box you’ll enter data instructing Microsoft Proxy Server 2.0 to forward
requests to another web server. But this time, the URL path will be a virtual path off
of PROXY1. These virtual paths effectively hide the true identity of the source
machine. By doing so, they allow workers within the secured network to publish web
pages to the Internet without fearing attacks.
In the Path: box enter http://proxy1.private.com/p2, and in the URL box enter
http://proxy2. Again, because we have no internal DNS, the name entered for
PROXY2 is the NetBIOS name only. Click OK, then OK once more.
Entering paths for Reverse Hosting.
Back once more at the PUB1 server, enter the URL http://proxy1.private.com/p2
into the Address: box. While the resulting page will look like it did in the previous
example, you’ve now made it appear as if the source is located on the PROXY1
host.
Redirected request resolved to virtual path on PROXY2 server using Reverse Hosting.
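The Publishing tab choices used in the two walkthroughs above (Reverse Proxy to PROXY2 on port 80, then Reverse Hosting with the /p2 virtual path discarded-by-default), modelled as an added example; this is not product code, and the class, the request URLs other than those the guide uses, and the exact return format are constructed for illustration. It shows why only one “hole” is needed: a request that matches no mapping is discarded rather than forwarded, and the internal NetBIOS name never appears in the external URL.

```python
from urllib.parse import urlsplit


class WebPublishing:
    """Models the Web Proxy Publishing tab: a default action for requests that
    match no entry (the three radio buttons) plus the reverse-hosting table."""

    def __init__(self, default_action, default_server=None, default_port=80):
        if default_action not in ("discard", "local", "forward"):
            raise ValueError("default_action must be discard, local or forward")
        self.default_action = default_action
        self.default_server = default_server  # NetBIOS name, e.g. PROXY2
        self.default_port = default_port
        self.mappings = []  # ((external host, external path prefix), internal URL)

    def add_mapping(self, external_url, internal_url):
        """Path: box -> URL box. The longest external prefix is tried first."""
        ext = urlsplit(external_url)
        key = (ext.netloc.lower(), ext.path.rstrip("/"))
        self.mappings.append((key, internal_url.rstrip("/")))
        self.mappings.sort(key=lambda m: len(m[0][1]), reverse=True)

    def route(self, request_url):
        """Returns ("forward", internal_url), ("local", path) or ("discard", None)."""
        req = urlsplit(request_url)
        if req.scheme != "http":  # reverse proxy is an HTTP-only service
            return ("discard", None)
        host, path = req.netloc.lower(), req.path or "/"
        for (m_host, m_prefix), internal in self.mappings:
            # Match the virtual root itself or anything beneath it, never "/p2x"
            if host == m_host and (path == m_prefix or path.startswith(m_prefix + "/")):
                rest = path[len(m_prefix):] or "/"
                return ("forward", internal + rest)
        if self.default_action == "forward":
            return ("forward", f"http://{self.default_server}:{self.default_port}{path}")
        if self.default_action == "local":
            return ("local", path)
        return ("discard", None)


def reverse_proxy_example():
    """PROXY1 configured as in the Reverse Proxy walkthrough: everything is
    sent to another web server, PROXY2, on port 80."""
    cfg = WebPublishing("forward", "PROXY2", 80)
    return cfg.route("http://proxy1.private.com/default.htm")


def reverse_hosting_example():
    """PROXY1 configured as in the Reverse Hosting walkthrough: unmatched
    requests are discarded, and /p2 is a virtual root served by PROXY2."""
    cfg = WebPublishing("discard")
    cfg.add_mapping("http://proxy1.private.com/p2", "http://proxy2")
    requests = [
        "http://proxy1.private.com/p2",                 # the virtual root itself
        "http://proxy1.private.com/p2/mktg/index.htm",  # something beneath it
        "http://proxy1.private.com/p2x",                # not under /p2
        "http://proxy1.private.com/scripts",            # no mapping at all
        "ftp://proxy1.private.com/p2",                  # not HTTP
    ]
    return [cfg.route(u) for u in requests]


if __name__ == "__main__":
    print(reverse_proxy_example())
    for decision in reverse_hosting_example():
        print(decision)
```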
DISTRIBUTED CONTENT CACHING
Key Benefits:
• Linear Scalability
• Great performance
• Fault tolerance
• Load-balancing
• Easy to administer
Audience Relevance: ISP, Large Sites, Small Sites
One of the most exciting and powerful sets of new features in Microsoft Proxy
Server 2.0 is its support for distributed caching. This new set of capabilities makes
Microsoft Proxy Server the ideal way to meet the rigorous demands of large
enterprise and even ISPs.
Distributed caching is significant because it enables caching to take place closer to
users. In addition, distributed caching allows caching activity to be balanced across
several proxy server computers for enhanced scalability and fault tolerance. For
example, within an enterprise, caching can move beyond a single, central location
at the edge of an organization’s network and toward the branch office and
workgroup levels. Within an ISP, caching can move toward a regional ISP point of
presence as opposed to one central ISP point of presence.
Distributed caching becomes even more important as organizations and ISPs
deploy support for Internet “push” technologies. “Push” technologies provide a more
personalized Internet or Intranet experience, but these technologies tend to drive up
network traffic demand. Microsoft Proxy Server is the ideal way to mitigate this
traffic increase.
Microsoft Proxy Server now allows you to set up distributed caching among multiple
Proxy Server computers. It enhances active and passive caching by distributing the
load of cached objects. This provides scalability and fault tolerance. Distributed
caching is implemented using arrays, chaining, or a combination of both methods.
Cache Arrays – A New Approach to Scalability & Fault Tolerance
Now an array, or group, of Microsoft Proxy Server computers can be treated and
administered as a single, logical entity. An array provides load balancing, fault
tolerance, scalability, and ease of administration.
A cache array is a group of Proxy Server computers behaving like a single, logical entity. (Diagram: a proxy array of three Microsoft Proxy Server 2.0 computers between the Internet and the secure network, serving a client PC.)
A cache array performs load balancing. Proxy Server computers can off-load cache
hits to other Proxy Server computers in the array. An array will tend to provide a
higher cache “hit rate” than an individual proxy server due in part to the larger size
of the virtual cache. The term cache hit rate refers to the percentage of Web
requests that can be served from the cache as opposed to requiring network traffic.
Cache arrays can be useful in the following environments:
• Corporations and ISPs that are too big to operate with a single Proxy Server computer and need additional robustness.
• Corporations and ISPs that require mission-critical back-up capabilities for content caching.
Going far beyond conventional hierarchical designs, this new feature permits truly
scalable proxy setups without the drawbacks associated with other approaches. For
Internet Service Providers or large-scale enterprise installations, there is no better
way to achieve effectively linear performance scaling. At the same time, the array
provides fault tolerance, while reducing administrative overhead.
Array Administration
Microsoft Proxy Server 2.0 makes it easy to build and manage an array or a group
of them. To build an array, go to the Internet Service Manager and double-click the
Web Proxy icon. Then click the Array button.
Array creation starts at the Shared Services page.
Now click the Join Array button. Since there isn’t any existing Array, you get to
make a new one.
Step one in building an Array.
Now you need to specify which other computer is to be a partner for the new Array.
The system must be running Microsoft Proxy Server 2.0, which in our case means
the PROXY2 machine. Go ahead and enter that name in the Join Array dialog box.
Designating the name of the new Array partner.
Since there was no pre-existing Array, you also get to name the Array here. In this
case, we just called it Array 1. Most likely in a production environment you’d give it
a name reflective of its purpose or location. Now just click the OK button.
Naming the newly formed Array.
You’ll be left at the Array status screen. Here you can see which machines are
members of the Array. To the right of each entry is the port used, the size of the
disk cache allotted, and the operating status. At this point the Array is defined, but
the two servers haven’t actually synchronized with one another. You must click the
OK button here, then the Apply button back on the Shared Service page.
Array status screen showing both systems operational.
You will hear a flurry of disk activity as the two machines get in sync. At this point
the Array is fully functional. But to take advantage of it, you’d need a third proxy
sitting downstream of the Array to pass requests to it. Since our testbed doesn’t
include that third Proxy Server computer, we’ll move on to look at two other features
of the Array: security and backup routing.
As this screen indicates, Microsoft Proxy Server enables secure communication
between the members of an array.
Secure communication within an array.
Under the Routing tab, you can enable backup routing within the array. This
provides fault-tolerance.
Back-up routing support within arrays keeps the array going when there’s a failure.
Hierarchical Caching
Now you can arrange Proxy Server computers in a hierarchy for branch office or
departmental use. Requests from clients are sent upstream through the hierarchy
until the requested object is found. For example, a client request in a branch office
would go to the branch office Proxy Server, then on to the regional or corporate
headquarters before sending the request to the public Internet.
[Figure: Client PCs in two Branch Offices each send requests to their branch office
Microsoft Proxy Server 2.0, which forwards them to the Microsoft Proxy Server 2.0 at
Corporate HQ, which in turn connects to the Internet.]
Hierarchical (or chain-based) caching.
Individual computers and arrays can be arranged in a Proxy Server hierarchy.
Chaining with arrays provides an added measure of fault tolerance. By the way, a
Secure Sockets Layer (SSL) hierarchy is also now supported.
[Figure: Client PCs in two Branch Offices send requests through their branch office
Microsoft Proxy Server 2.0 computers to a Cache Array at HQ made up of several
Microsoft Proxy Server 2.0 computers, which connects to the Internet.]
Hierarchical caching working with a cache array.
Hierarchical caching can be useful in the following environments:
• Corporate branch offices with Internet connectivity at headquarters.
• Consolidated ISP connections: multiple, geographically distributed servers
routed into a central server which has Internet connectivity.
To experience hierarchical caching, from the Web Proxy Service screen, choose
the Routing tab. This is where you define the path user requests take when
accessing the Internet. This is also the place to enable backup route options. If the
Proxy Server you’re managing is at the top of the hierarchy, you should select Use
direct connection for Upstream Routing. On the other hand, if you have other
arrays or proxy servers installed in your network, you can ‘chain’ them together via
the Use Web Proxy or array: option. Go ahead and pick that option, then click on
the Modify button.
Routing options allow chaining and alternate paths for fault tolerance.
At the top of this screen, enter the name of the proxy. For an array, you should
enable the Auto-poll option, which saves the trouble of manual configuration
management. As you type the proxy server name, the Array URL: box gets filled in
automatically. The bottom of this screen is used for authentication credentials
between proxies.
Setting the address and credentials for upstream proxy routing.
Cache Array Routing Protocol – A Better Way to Scale
Microsoft has developed an innovative way for Proxy Server computers in an array
or hierarchy to communicate with one another to enable efficient, scalable caching.
The new approach, called Content Array Routing Protocol (CARP), has been
documented and is making its way through the Internet Engineering Task Force as
an industry standard.
Similar to clustering, Microsoft’s Proxy Server Array architecture is based on a
loosely coupled design, but with a twist. The proxy array, using CARP, provides
scalability and other benefits while using standard HTTP protocols. This is in
marked contrast to other vendors’ solutions that employ the legacy and relatively
inefficient Internet Cache Protocol (ICP).
The main purpose of distributed caching is to provide scalability. On this measure,
CARP has a number of fundamental advantages over ICP. ICP requires several
queries to resolve an individual request for a web object or service. The number of
these queries, along with the duplication of cache content and the near-multiplicative
growth in network traffic caused by ICP-based content caches, ironically delivers
negative scalability: performance is degraded with each new ICP-based content
cache that is added.
[Chart: requests per second fulfilled by cache servers (y-axis) against the total
number of cache servers (x-axis), plotted for CARP and for ICP.]
CARP has scalability advantages over ICP.
CARP, by contrast, supports a queryless approach to routing requests among
cache arrays and chains and delivers linear scalability. The illustration in the figure
above highlights this comparison of the two protocols. The scalability profile is
based on published materials related to both protocols.
For more details and a comparison of why Microsoft’s Proxy Array running CARP
outshines existing ICP-based products, see the associated white paper available on
the Microsoft Proxy Server Web site at: http://www.microsoft.com/proxy.
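The queryless routing described above, as an added example that is not Microsoft’s CARP implementation and does not use the hash functions of the CARP draft: every client or array member scores each member against the requested URL with the same deterministic hash and sends the request to the highest-scoring member, so no sibling ever has to be queried. The example also shows why growing the array moves only about 1/(n+1) of the cached objects, all of them onto the new member. Member names, URLs and the two hash functions are constructed assumptions.

```javascript
// Added example: simplified hash-based routing in the spirit of CARP's
// highest-score member selection. Not Microsoft's code; the hash functions
// (FNV-1a plus a MurmurHash3-style finalizer) are illustrative choices.

// 32-bit FNV-1a over a string.
function fnv1a(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193);
  }
  return h >>> 0;
}

// Avalanche finalizer so that similar member names still get unrelated scores.
function fmix32(h) {
  h ^= h >>> 16;
  h = Math.imul(h, 0x85ebca6b);
  h ^= h >>> 13;
  h = Math.imul(h, 0xc2b2ae35);
  h ^= h >>> 16;
  return h >>> 0;
}

// Score of one (url, member) pair; identical on every client and every member.
function score(url, member) {
  return fmix32(fnv1a(url.toLowerCase()) ^ fnv1a(member.toUpperCase()));
}

// Queryless member selection: the highest score owns the object.
function carpSelect(url, members) {
  let best = null;
  let bestScore = -1;
  for (const m of members) {
    const s = score(url, m);
    if (s > bestScore) {
      bestScore = s;
      best = m;
    }
  }
  return best;
}

// Messages needed to find out who should serve a request: the hash needs
// none, a query-based sibling lookup must ask every other member.
function locateMessages(memberCount) {
  return { carp: 0, icp: memberCount - 1 };
}

// How many objects each member owns for a set of URLs.
function distribution(urls, members) {
  const counts = Object.fromEntries(members.map((m) => [m, 0]));
  for (const u of urls) counts[carpSelect(u, members)] += 1;
  return counts;
}

// Fraction of objects whose owner changes between two array memberships.
function fractionRemapped(urls, before, after) {
  let moved = 0;
  for (const u of urls) {
    if (carpSelect(u, before) !== carpSelect(u, after)) moved += 1;
  }
  return moved / urls.length;
}

// Constructed sample URLs for the measurements above.
function sampleUrls(count) {
  const urls = [];
  for (let i = 0; i < count; i++) urls.push(`http://www.example.com/page${i}.html`);
  return urls;
}
```

With the array `["PROXY1", "PROXY2"]` and two thousand sample URLs, `distribution` splits the objects roughly evenly, `locateMessages(n).icp` grows with every member added while `locateMessages(n).carp` stays at zero, and `fractionRemapped` reports that adding `PROXY3` re-homes about a third of the objects, every one of them onto the new member, which is the property that lets an array grow without a flood of cache misses.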
ACTIVE, INTELLIGENT CACHING
Key Benefits:
• Consistent Internet user experience
• Time-shift network traffic
• Great performance with most popular web sites
• Automatic – easy to administer
Microsoft Proxy Server provides a unique way of making sure the Internet or
Intranet sites that are most used by a group of people are readily available to those
users for quick access. That is because Microsoft Proxy Server can proactively
pre-cache content.
Content cache servers typically provide regular or passive caching. That is, the
content cache server reacts to a specific user request for content. As the request is
being fulfilled and the information passed through to the user, the content cache
server will determine if the content is cache-able. If it is cache-able content and if
there’s room in the cache, the server will store it in the cache. Microsoft Proxy
Server can perform passive caching.
Audience Relevance: ISP, Large Sites, Small Sites
Microsoft Proxy Server 2.0 goes beyond passive caching to automatically determine
the most popular Web sites visited by the users the proxy server computer
supports. Proxy Server determines how frequently content at those sites is
refreshed, then automatically goes out and pre-caches new content when the old
content in the cache has been determined to have expired. A simple checkbox
enables this very powerful feature.
Once enabled, the feature works automatically, which is why it is called
Active Intelligent Caching. No network manager intervention is needed, although
Microsoft Proxy Server provides monitoring tools to help you track certain
parameters related to Active, Intelligent Caching.
Some competitive proxy content cache servers require the network manager to
specify in a list the web sites to be pre-cached. Microsoft Proxy Server provides
network managers with the option of specifying the sites to be pre-cached, but in
practical terms, most organizations will take advantage of the automatic nature of
active caching – a unique feature in Microsoft’s Proxy Server. Network managers
have enough to do already without requiring they specify a list of sites for caching
purposes. This is especially true considering that traffic patterns and favored Web
sites can change so frequently. The popular sites this month are probably not the
same sites that were the most popular three months ago.
Active caching helps provide a more consistent, accelerated Internet and Intranet
user experience. And it makes very efficient use of network resources. Microsoft
Proxy Server keeps up with CPU utilization and uses this information to determine
when to perform the pre-caching. To avoid interfering with other network traffic
during periods of high usage, Microsoft Proxy Server will proactively pre-cache
content at periods of low network (CPU) usage.
While most of the intelligent caching activities take place behind the scenes, there
are several administrative pages we can look at. Double-click the Web Proxy icon,
then choose the Caching tab. The top half of the page is for controlling regular
caching, while the bottom is used to manage the active caching. As you can see,
the three radio buttons in each section let you do some basic performance tuning.
Now click the Advanced button.
Regular and Active caching settings page.
This page lets you define limits for the size of individual cached objects and enable
or disable HTTP and FTP caching. You also can adjust the Time to Live (TTL),
which affects the cache refresh interval. You can also define specific URLs to
always cache or exclude from caching using the Cache Filters button.
Setting specific cache policy parameters.
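The passive and active caching behaviour described in this section, together with the object-size limit, TTL and cache filters from the Advanced page, as an added toy model (not Microsoft’s code): objects are stored on the way through when policy allows, hit counts record which objects are popular, and a refresh step re-fetches expired objects most-popular-first only when the simulated CPU load is below a threshold. Sizes, TTLs, the threshold, the simulated clock and the sample URLs are constructed assumptions.

```javascript
// Added example: a toy passive + active cache. Not Microsoft's code; the
// policy values and the origin server are stand-ins for illustration.

class ProxyCache {
  constructor({ maxObjectBytes, ttlSeconds, alwaysCache = [], neverCache = [], cpuBusyThreshold = 0.6 }) {
    this.maxObjectBytes = maxObjectBytes;   // "limit size of cached objects"
    this.ttlSeconds = ttlSeconds;           // TTL: how long an object is fresh
    this.alwaysCache = alwaysCache;         // URL prefixes always cached (cache filter)
    this.neverCache = neverCache;           // URL prefixes never cached (cache filter)
    this.cpuBusyThreshold = cpuBusyThreshold;
    this.entries = new Map();               // url -> { body, storedAt, hits }
    this.originFetches = 0;                 // network requests made to the Web
  }

  // Cache policy: filters win over the size limit.
  isCacheable(url, body) {
    if (this.neverCache.some((p) => url.startsWith(p))) return false;
    if (this.alwaysCache.some((p) => url.startsWith(p))) return true;
    return body.length <= this.maxObjectBytes;
  }

  isFresh(entry, now) {
    return now - entry.storedAt < this.ttlSeconds;
  }

  // Passive caching: serve a fresh hit, otherwise fetch from the origin and
  // store the response if policy allows. origin(url) stands in for the Web.
  get(url, now, origin) {
    const hit = this.entries.get(url);
    if (hit && this.isFresh(hit, now)) {
      hit.hits += 1;
      return { body: hit.body, source: "cache" };
    }
    const body = origin(url);
    this.originFetches += 1;
    if (this.isCacheable(url, body)) {
      this.entries.set(url, { body, storedAt: now, hits: (hit ? hit.hits : 0) + 1 });
    }
    return { body, source: "web" };
  }

  // Active caching: when the server is not busy, re-fetch expired objects,
  // most popular first, so the next user request is served from the cache.
  activeRefresh(now, cpuLoad, origin, maxObjects = 1) {
    if (cpuLoad >= this.cpuBusyThreshold) return [];
    const stale = [...this.entries]
      .filter(([, e]) => !this.isFresh(e, now))
      .sort((a, b) => b[1].hits - a[1].hits)
      .slice(0, maxObjects);
    for (const [url, e] of stale) {
      e.body = origin(url);
      e.storedAt = now;
      this.originFetches += 1;
    }
    return stale.map(([url]) => url);
  }
}

// Constructed scenario: one popular site, one rarely visited site, one object
// over the size limit and one excluded CGI path.
function runScenario() {
  const origin = (url) => `<html>${url}</html>`.padEnd(url.includes("big") ? 5000 : 100, ".");
  const cache = new ProxyCache({
    maxObjectBytes: 1024,
    ttlSeconds: 600,
    neverCache: ["http://intranet.example/cgi-bin/"],
  });
  const popular = "http://www.example.com/";
  const rare = "http://other.example/";
  const big = "http://big.example/file";
  const cgi = "http://intranet.example/cgi-bin/app";
  let t = 0;
  for (let i = 0; i < 10; i++) cache.get(popular, t++, origin);
  cache.get(rare, t++, origin);
  cache.get(big, t++, origin);
  cache.get(cgi, t++, origin);
  t = 1000;                                             // everything cached has expired
  const busy = cache.activeRefresh(t, 0.9, origin);     // busy: nothing is refreshed
  const idle = cache.activeRefresh(t, 0.1, origin);     // idle: the popular object first
  const after = cache.get(popular, t + 1, origin);      // now served from cache again
  return { busy, idle, after: after.source, cached: cache.entries.size, fetches: cache.originFetches };
}
```

`runScenario` ends with two objects in the cache (the oversized file and the excluded CGI response are never stored), five origin fetches in total, and the popular site refreshed during the idle window so that the user request that follows is a cache hit rather than a trip to the Web.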
PERFORMANCE
Key Benefits:
• Optimized for real-world use
• Bandwidth savings = cost savings
• Accelerated Internet/Intranet user experience
• Maximize use of available network facilities
Real-World Proxy Server Usage
There are several ways to measure the performance of a proxy server. You can
measure how fast the proxy server fulfills requests from its cache. You can also
measure how fast the proxy server fulfills requests across a network connection.
The most meaningful way to measure the file throughput is with a mix of
cache-fulfilled content and network-fulfilled content. Real world experience with proxy
servers has shown that proxy servers continually must fulfill both types of requests.
[Chart: mix of proxy traffic. 45% From Web: Cache-able Content; 25% From Cache;
20% From Cache + Sends Msg to see if Modified; 10% From Web: Not Cache-able
Content.]
Audience Relevance: ISP, Large Sites, Small Sites
Real world experience with proxy servers reflects a mix of traffic. About half of all
requests can be fulfilled from the cache. The other half generate network traffic.
In fact, data used to create this figure comes from Microsoft’s ongoing use of
Microsoft Proxy Server in its own production environment, serving over 20,000
employees each business day around the world.
As the chart illustrates, 45% of the Web requests handled by the Proxy Server
computers are fulfilled by the cache. This would translate directly into network
traffic reduction of that same order. Twenty-five percent of the requests are fulfilled
solely from the cache and with the cache being aware of the content’s expiration
date. The remaining 20% that is served from the cache involves a brief request that
the Proxy Server computer sends to the original Web site to determine if the Web
content has been modified since it was last cached. Many organizations report
cache “hit rates” in excess of 50% to 60% so the 45% figure used here tends to be
a conservative figure.
Real World Proxy Server Performance Improvements
Microsoft Proxy Server 2.0 performance is optimized for real-world traffic patterns,
such as these parameters. This type of traffic profile was used in the benchmark
comparison highlighted in the figure on the next page.
Microsoft Proxy Server 1.0 offered very good performance. Version 2.0 offers
substantial improvements, according to preliminary testing. On average, customers
will experience a 40% to 45% improvement in performance in terms of files per
second throughput moving from version 1.0 to version 2.0. As the figure illustrates, a
typical single processor server computer will see about a 40% improvement; a dual
processor computer will perform about 44% faster with version 2.0.
[Chart: files per second fulfilled by MS Proxy v 1.0 and MS Proxy v 2.0. Single
Processor Computer: 40% improvement. Dual Processor Computer: 44% improvement.]
You will find 35% to 40% performance improvements in Microsoft Proxy Server 2.0
compared to version 1.0.
Proxy Mix Distribution – Used in Benchmark Comparison
45% - Content request fulfilled across the network then cached
25% - Content fulfilled from cache
10% - Requests fulfilled across network – content not cacheable (CGI content)
20% - If modified since
Performance improvements from version 1.0 to version 2.0 are due to several
factors. The cache architecture itself has been improved, particularly to make more
efficient use of the Windows NT File System. Internet Information Server 3.0 offers
some performance enhancements – as noted Microsoft Proxy Server runs with
Internet Information Server. There were several improvements in Winsock 2.0
performance in Service Pack 3 for Windows NT Server 4.0. Finally, Proxy Server’s
internal threading code has been improved and is more efficient.
WINDOWS NT SERVER INTEGRATION FOR GREAT MANAGEABILITY
Key Benefits:
• Easy to use
• Reduced total cost of ownership
• Centralized management
• Choice of tools – GUI, HTML, & command line
Microsoft Proxy Server was designed to provide great management support to
make owning and operating the product easy and affordable. This design goal
applies to a single Proxy Server used in an elementary school, a chain of servers
across several branch offices, or a proxy array in an ISP’s point of presence.
Windows NT Server 4.0 Integration
You will find no other Web cache server or firewall more tightly integrated with the
Windows NT Server operating system than Microsoft Proxy Server 2.0. This
integration shows up in several ways:
• Windows NT Directory Service
• Windows NT User Manager
• Windows NT Performance Monitor
• Windows NT Event Log
• Internet Service Manager
• Routing and Remote Access Service Update
• Windows NT security
Audience Relevance: ISP, Large Sites, Small Sites
Microsoft Proxy Server’s integration with the Windows NT Directory Service enables
a single user logon experience for all network services and applications, including
for Internet or Intranet access via Proxy Server. This saves time deploying the new
capabilities to users. This also enables network managers to exploit the user
account information to allow or deny access to a wide range of Internet or Intranet
services via Microsoft Proxy Server 2.0.
Integration with the operating system pays off in other ways, too. For example, the
Windows NT Server Performance Monitor supports several Microsoft Proxy Server
real time measurements. The Windows NT Event Log is also used to help you track
and troubleshoot Microsoft Proxy Server. These tools provide essential information
to enable a network manager to stay on top of his or her Proxy Server network.
Microsoft Proxy Server is tightly integrated with Microsoft Internet Information
Server. For example, Proxy Server’s extensibility is related to Internet Information
Server’s ISAPI support. In addition, Internet Information Server and Proxy Server
share a common management screen – the Internet Service Manager.
The Internet Service Manager is accessed from the Microsoft Proxy Server menu.
All aspects of Microsoft Proxy Server 2.0 can be controlled here.
[Callout: Use these icons to display or hide services.]
Primary Internet Service Manager interface.
Now, right click on the WinSock Proxy icon and choose Service Properties. This
brings up the WinSock Proxy Service Properties page.
The buttons shown in the bottom left section are Shared services, used by all of
Proxy Server 2.0. On the bottom right are the common Configuration options.
Proxy 2.0 Shared Services and Configuration screen.
On the Service page, you may have noticed the Server Backup and Server
Restore buttons. Being able to save proxy settings allows administrators to adjust
operational parameters, safe in the knowledge they will be able to roll back to an
earlier configuration if necessary. This feature also allows rapid deployment of
similarly configured proxies using a standardized setup. This screen shot shows the
Restore Configuration options.
Partial restore option makes duplicating proxy setups easy.
Microsoft Proxy Server also supports a command line user interface, which is very
useful for creating a configuration script and sending it to several proxy servers for
rapid configuration. In addition, you can use a Web browser to manage a Proxy
Server 2.0 computer across a network. The browser-based admin support is
available via a free Web download shortly after Proxy Server 2.0’s release.
USER ACCESS CONTROL
Key Benefits:
• Appropriate service for each person or group
• Maximize proper use of network resource
• Great granularity of control
• Easy to administer
Audience Relevance: ISP, Large Sites, Small Sites
The Internet can be a tremendous productivity resource… or it can be a real waste
of time.
In fact, one big reason many organizations delay offering Internet access to their
users’ desktop PCs is management concern that employees will spend too much
time during the workday or school day surfing the Net.
Microsoft Proxy Server 2.0 is an ideal way to address this situation. With Microsoft
Proxy Server, a network manager can exert as much or as little control over Internet
and Intranet resources as he/she feels appropriate. This access control can be
applied not only to the enterprise as a whole, but also down to user groups,
departments, and even to each individual user. For example, a network manager
may want to allow FTP, Gopher, and browser-based World Wide Web access for all
employees but permit only certain members of management to use the Internet for
conferencing or selected other multimedia services.
The user access controls work with each of the Web Proxy, Winsock Proxy, and
SOCKS Proxy services included with the product. Because Microsoft Proxy Server
2.0 is tightly integrated with the Windows NT Server directory, the user names and
domain information serves as the basis for user access control permissions.
Network managers do not have to maintain a separate database or directory of
Internet users. This makes managing user access simple.
To see an example of how Microsoft Proxy Server 2.0 provides tight integration with
the underlying Windows NT Server 4.0’s directory, return to the main Internet
Service Manager screen and double-click the Web Proxy icon. Next choose the
Permissions tab and place a checkmark in the Enable access control box. From
the drop-down box select a Protocol: to administer.
Setting access permissions using Windows NT authentication.
Next, click the Add button, to display a list of Domain users and groups. Pick the
Authenticated Users group and click Add, then OK. Notice this is the very same
dialog you would see if you were accessing the Windows NT Server User Manager.
Adding Domain group to the authorized user list.
If you’d like to check the active sessions on Proxy Server 2.0, click the Current
Sessions button at the top of the Service page.
Checking active users with the Current Sessions option.
You’re shown a list of the three Proxy services, each with a radio button. Clicking
next to any one service shows the connected users.
Monitoring active sessions in real time.
You have just seen how easy it is to take advantage of the high level of integration
with Windows NT Server 4.0, which Microsoft Proxy Server 2.0 supports. Set up
and configuration screens look familiar so you do not have to learn a whole new or
separate program. You just saw how checking active sessions is just a mouse click
away, as well.
SITE FILTERING CONTROL
Key Benefits:
• Keep users focused
• Maximize proper use of network resource
• Great granularity of control
• Easy to administer
Audience Relevance: ISP, Large Sites, Small Sites
Enabling Managed Internet Access
Microsoft Proxy Server 2.0 lets you control not only which Internet or Intranet
services are extended to each user or group. You can also selectively allow or deny
access to specific Web sites, computers, or groups of computers – all based on
user account name, user groups, or on an enterprise-wide basis. This site filtering
applies to web sites on the Internet or on an organization’s Intranet.
This is another way Microsoft Proxy Server can help network managers make
Internet access available to an enterprise and not have to worry whether users will
spend time using the Internet in ways that go outside the bounds of the
organization’s policy. This cuts down on unproductive use of the Internet and can
reduce the cost of providing Internet access to user desktops.
Using site filtering is easy. Network managers have the ability to indicate a specific
IP address, a range of IP addresses for a group of computers, or a domain name.
Defaults can be set to deny access unless by exception or to grant access to all
unless by exception.
To set up a site filter, choose the Security button from the Shared Services page.
Now click the Domain Filters tab, and put a checkmark in the Enable filtering box.
Unless you have very untrustworthy workers, normally you’d want to set the default
access to Granted, then enter the excluded sites in the exceptions box. Let’s see
how that’s done. Click the Add button.
Using Site Filters to block access of undesirable Web sites.
The Deny Access To menu gives you several choices. You can block one address,
a group of IP addresses, or—as depicted below—an entire domain. If you pick
Single Computer, the button with three dots to the right of the IP address box
takes you to the DNS Lookup box. This is handy if you know a site’s name, but not
its IP address.
Blocking unwanted sites by domain name.
DNS lookup for single address sites.
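The filter model described above (a default of Granted or Denied plus exceptions given as a single computer, a range of addresses or a domain name), as an added example evaluator that is not Microsoft’s code. The addresses, domains and the policy object are constructed sample values; the exception type names are assumptions chosen to mirror the Deny Access To choices.

```javascript
// Added example: evaluate a site-filter policy against a request target.
// Not Microsoft's code; policy shape and sample values are constructed.

// Parse a dotted IPv4 address into an integer so ranges can be compared.
function ipToInt(ip) {
  const parts = ip.split(".");
  if (parts.length !== 4) throw new Error(`bad IPv4 address: ${ip}`);
  return parts.reduce((acc, p) => {
    const n = Number(p);
    if (!Number.isInteger(n) || n < 0 || n > 255) throw new Error(`bad IPv4 address: ${ip}`);
    return acc * 256 + n;
  }, 0);
}

// Exception types mirror the Deny Access To choices: single computer,
// group of computers (address range) and domain.
function matches(exception, { ip, host }) {
  switch (exception.type) {
    case "single":
      return ip !== undefined && ipToInt(ip) === ipToInt(exception.ip);
    case "range": {
      if (ip === undefined) return false;
      const n = ipToInt(ip);
      return n >= ipToInt(exception.from) && n <= ipToInt(exception.to);
    }
    case "domain": {
      if (!host) return false;
      const h = host.toLowerCase();
      const d = exception.domain.toLowerCase().replace(/^\*?\./, "");
      // Match the domain itself or any subdomain, but only on a label
      // boundary, so "games.example" does not also catch "notgames.example".
      return h === d || h.endsWith("." + d);
    }
    default:
      throw new Error(`unknown exception type: ${exception.type}`);
  }
}

// defaultAccess "granted": exceptions are denied.
// defaultAccess "denied":  exceptions are the only sites granted.
function siteFilter(policy) {
  return (target) => {
    const hit = policy.exceptions.some((e) => matches(e, target));
    const allowed = policy.defaultAccess === "granted" ? !hit : hit;
    return allowed ? "granted" : "denied";
  };
}

// Constructed policy: grant by default; deny one host, one address block
// and one domain (documentation addresses, not real sites).
const samplePolicy = {
  defaultAccess: "granted",
  exceptions: [
    { type: "single", ip: "203.0.113.7" },
    { type: "range", from: "198.51.100.0", to: "198.51.100.255" },
    { type: "domain", domain: "games.example" },
  ],
};
```

One check worth keeping in mind when reviewing such a policy: a domain exception only matches requests made by name, so a user who reaches the same server by its IP address is judged against the address exceptions alone. The DNS Lookup button described above is the way to add the address as well when both forms of access should be covered.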
Value-Added Site Filtering Services
With new Web sites going live every day, it can be an ongoing challenge for a
network manager to know the addresses of each and every site on the Internet
containing material the network manager would want filtered for his or her users.
This has spawned the development of value-added services that complement the
core site filtering features provided by Microsoft Proxy Server.
Third party companies taking advantage of Microsoft Proxy Server’s extensibility
offer subscription services that essentially “plug in” to Proxy Server site filtering.
With these services, for example, a network manager does not need to know the
web address for each and every pornographic Web site in order to deny user
access to those sites. Instead, the network manager can use a simple checkbox
and select the categories of Web content to be filtered. The third party companies
offering the filtering service keep continuously updated lists of those sites by
category as a value-added service.
AUTOMATIC CLIENT CONFIGURATION
Key Benefits:
• Easy to administer even on large scale
• Applies to server and client operation
• Reduces total cost of ownership
Audience Relevance: ISP, Large Sites, Small Sites
As noted earlier, an application layer proxy can enable a wide variety of client PCs
to use the various Internet services without requiring anything more than a
CERN-compatible browser installed. By contrast, a circuit layer proxy requires some
sort of code to reside on the client PC to enable communications with the Internet
protocol and service being used.
This is true for Microsoft Proxy Server 2.0, as well. The Web Proxy portion of the
product does not require any special client-side software. The WinSock Proxy and
SOCKS Proxy services do, however.
Microsoft Proxy Server 2.0 makes the process of installing the client-side software
for the circuit layer proxy service simple. Plus, Microsoft Proxy Server takes
client-side configuration one step farther to enhance performance and further simplify
network administration.
Microsoft Proxy Server’s automated client configuration can contribute to an
incremental caching performance improvement when using CARP. The automated
client configuration process can include the placing of CARP support on the client
PCs to enable the PCs to communicate more efficiently with the Proxy Server
distributed cache(s).
To see this automated configuration process first hand, double-click the WinSock
Proxy Service icon in Internet Service Manager and choose the Client
Configuration button.
Starting the automated client configuration process.
There are actually three distinct sections on the Client Installation/Configuration
screen which appears next (see next page). The top area determines how WinSock
Proxy clients will locate the proxy server itself. Normally this would be the machine
name, but in special cases you may need to specify the IP address instead.
The middle section specifies if the client web browser should be automatically
configured, and designates the appropriate script to do so. This is a powerful
feature of Proxy Server 2.0 and one that can save hours over manually configuring
each client by hand.
But it’s the bottom-most section that will hold the most appeal for administrators.
Competing products force managers to write browser configuration scripts by hand,
a tedious and error-prone process. But with Microsoft Proxy Server 2.0, you just
choose the Proxy generates script option and a JavaScript file is generated
automatically.
By eliminating the hassle and errors of incorrect setup files, you’re assured of a
smooth client installation and configuration. And as you will see a bit later, setup
changes you might make later on can be ‘pulled’ down by the clients themselves.
Starting the automated client configuration process.
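The generated JavaScript file described above is a browser proxy auto-configuration script. As an added example, here is a hand-written script of that kind; it is not the file Proxy Server 2.0 generates, and the helper functions that a browser normally supplies are defined inline so the file also runs under Node for testing. The proxy names, port, Intranet domain and bypass patterns are constructed; the hash-based member selection a CARP-aware script would add is left out, so the proxy list here is simply the browser’s fallback order.

```javascript
// Added example: a browser auto-configuration script with inline stand-ins
// for the standard PAC helpers. Not the script Proxy Server 2.0 generates.

// Minimal versions of the helpers browsers provide to PAC scripts.
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}
function dnsDomainIs(host, domain) {
  const h = host.toLowerCase();
  const d = domain.toLowerCase().replace(/^\./, "");
  // Label-boundary match: ".corp.example" must not match "notcorp.example".
  return h === d || h.endsWith("." + d);
}
function shExpMatch(str, pattern) {
  const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*").replace(/\?/g, ".");
  return new RegExp("^" + escaped + "$", "i").test(str);
}

// Values the administrator would set on the server (constructed).
const PROXY_PORT = 80;
const PROXY_ARRAY = ["PROXY1", "PROXY2"];       // array members, tried in order
const BACKUP_ROUTE = "PROXY-BACKUP";           // backup route if the array is down
const INTRANET_DOMAIN = ".corp.example";       // Intranet hosts go direct
const DIRECT_HOSTS = ["*.localhost", "127.0.0.1"];
// Appending DIRECT would let the browser bypass the proxy whenever every
// proxy is unreachable; leave it off where access must always be policy-checked.
const ALLOW_DIRECT_FALLBACK = false;

// The browser calls this for every request; url is part of the interface
// even though only the host is needed for these rules.
function FindProxyForURL(url, host) {
  if (isPlainHostName(host) || dnsDomainIs(host, INTRANET_DOMAIN)) return "DIRECT";
  if (DIRECT_HOSTS.some((p) => shExpMatch(host, p))) return "DIRECT";
  const routes = PROXY_ARRAY.map((m) => `PROXY ${m}:${PROXY_PORT}`);
  routes.push(`PROXY ${BACKUP_ROUTE}:${PROXY_PORT}`);
  if (ALLOW_DIRECT_FALLBACK) routes.push("DIRECT");
  return routes.join("; ");
}
```

The browser tries the returned entries left to right, so the array members come first and the backup route last; the script returns `DIRECT` only for plain host names, the Intranet domain and the listed bypass patterns.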
You actually took advantage of this automation during the testbed setup, without
even realizing it. When you installed the WinSock Proxy client software on your
Windows 95 PC, the configuration information was also sent to your machine. Let’s
take a closer look at that machine now.
On the Windows 95 client, start Internet Explorer and choose Options from the
View menu. Next, click the Connections tab. See how the browser is already setup
to use the PROXY1 proxy server.
Internet Explorer Connection option showing proxy settings.
To see how Internet Explorer can further exploit these automation abilities, click the
Advanced tab, then click on the Automatic Configuration button. You’ll see the
URL: path is also completed for you already. If a change was made to the
configuration back on the proxy server, you could update the client immediately by
clicking the Refresh button. In addition, Internet Explorer automatically checks this
configuration file for updates each time it’s started.
Internet Explorer’s Automatic Configuration dialog.
Before leaving this section, we’ll turn our attention to the WinSock Proxy Applet.
Open the Windows 95 Control Panel and double-click the WSP Client icon.
Starting the WinSock Proxy Client Applet.
There are two noteworthy elements here. The first one is the Update Now button,
which is used to download any changes the administrator may have made
concerning the proxy server’s setup. The second is the ability to enable or disable
the WinSock Proxy Client itself. Since an ever-increasing number of workers are
mobile—using laptops as their primary computer—this is an important feature.
When away from the office they can uncheck the Enable box and switch back to
Windows 95’s built-in WinSock client for their communication needs.
Mobile users can toggle the WinSock Proxy Client.
IPX-TO-IP GATEWAY
Key Benefits:
• Cost savings for Netware customers
• Easier, faster enterprise-wide deployment
• Additional security
Audience Relevance: ISP, Large Sites, Small Sites
Several enterprise customers – especially smaller organizations – continue to use
legacy NetWare networks that run the Internet Protocol Exchange (IPX) protocol.
The IPX protocol does not support Internet communications. Organizations in this
situation that want to provide Internet access to their users must either install
TCP/IP on each of the client PCs to be used with the Internet or install an IPX-to-IP
gateway where their internal network connects to a server interacting with the
Internet. Either of these options can be expensive and/or time-consuming.
Microsoft Proxy Server provides an easy and affordable way for IPX client PCs to
be able to use the Internet or Intranets elsewhere in an organization. Unlike other
proxy servers that require the separate purchase of a third-party IPX-to-IP gateway,
Microsoft Proxy Server has a built-in IPX-to-IP gateway. The gateway supports PCs
running Windows 95, Windows NT Workstation 4.0, or Windows NT Server 4.0
operating systems running IPX. Because the IPX protocol cannot be routed over the
Internet, the IPX support on the LAN actually provides an additional measure of
security for these customers.
Talking about the IPX-IP gateway takes far longer than enabling it does. On your
Windows 95 client, open up Control Panel and locate the icon labeled WSP Client.
Selecting the WinSock Proxy Client Applet.
Now just place a checkmark in the Force IPX/SPX protocol box. That’s all you
need to do. Just re-boot and you are now using the IPX-to-IP gateway.
Configuring the WinSock Proxy client to use IPX/SPX.
AUTO-DIAL INTERNET CONNECTION
Key Benefits:
• Cost savings
• Maximize efficient use of network resource
Cost-Savings and Added User Access Control
Many smaller enterprises or branch office locations may not be able to justify a
persistent or “nailed up” connection with their ISP. These organizations may want to
be able to access the Internet but they want to do so only on an as-needed basis.
Taking this one step further, as an added measure of user access control,
organizations of any size may want to restrict the hours for which Internet access is
made available to users. For example, an organization may want Internet access
available to employees at their desktop PCs during business hours but then disable
Internet access after business hours.
Audience Relevance: ISP, Large Sites, Small Sites
Microsoft Proxy Server, with its Auto-Dial feature, offers these customers an easy
and affordable way to dial-in and connect to the Internet or to an Intranet site on an
as-needed basis. This is a unique feature that is built-in to Microsoft Proxy Server,
unlike other proxy server products that require the separate purchase of modem
pool software, for example, to achieve a similar capability. This can save an
organization hundreds and even thousands of dollars. Even for a network with 50
users, the cost of the modem pool software often exceeds the price of Microsoft
Proxy Server alone!
With Auto Dial enabled, a network manager can specify which hours Internet
access will be enabled or disabled. The feature is activated via an intuitive
24-hour-a-day by 7-day-a-week grid.
Makes Use of Windows Dial-Up Networking
Because Microsoft Proxy Server behaves as a Windows Dial-Up Networking client
when the server computer connects with the ISP or when it dials back to the
corporate Intranet, Proxy Server is able to take advantage of other Dial-Up
Networking features for added flexibility and cost savings.
For example, Dial-Up Networking supports a feature known as PPP Multilink. This
feature enables Microsoft Proxy Server to combine the bandwidth of two or more
analog or digital phone lines for effectively a higher bandwidth connection. This
feature supports the IETF RFC 1717 so it can enable connection with other
vendors’ dial-up servers used in ISP points of presence, for example.
With Windows Dial-Up Networking, Microsoft Proxy Server will maintain a
connection to an ISP only while there is traffic moving across that connection. Not
long after the traffic across the dial-up connection stops, Proxy Server and Dial-Up
Networking will terminate the connection so the ISP “meter” does not run
unnecessarily. This also helps reduce bottlenecks with ISP points of presence. As
soon as there is a client PC request that cannot be fulfilled from the Proxy Server
cache, Microsoft Proxy Server will immediately initiate the dial-up connection to the
ISP, authenticate with the ISP, and then satisfy the user request across the Internet
or Intranet connection. This feature can reduce the cost of Internet access for an
organization, especially if the access is provided over a long distance phone line
connection.
New Enhancements – Back-Up Routes and Easier Use
The Auto-Dial feature was first offered in Microsoft Proxy Server 1.0. The feature
has been enhanced in version 2.0. Getting to Auto-Dial is now easier. It is better
integrated into the overall Internet Service Manager screens. You no longer need to
go back to the Start menu to find the Auto-Dial feature.
In addition, the feature has been expanded in version 2.0 to support automatic
back-up routes to connect to the Internet. During periods of peak activity, ISP points
of presence can frequently become unavailable. We are all familiar with the
unwelcome sound of a busy signal after dialing an ISP. In these situations,
Microsoft Proxy Server allows the network manager to specify a back-up dial-up
connection path.
To view the Auto-Dial settings, double-click on one of the three Proxy service icons
to get to the Shared Services screen. Now choose the Auto Dial button. As you can
see, Auto-Dial can be selectively enabled for either primary or backup Web Proxy
routing, or for normal WinSock and SOCKS Proxy services.
Selecting the Dialing Services and operating hours for Auto-Dial.
If you click the Credentials tab, you’ll be able to enter the authentication
information needed when dialing into an ISP.
Before using this page, you’ll need to set up a phonebook entry using the Dial-Up
Networking configuration menus.
Setting Auto Dial credentials.
EXTENSIBILITY AND
COMPLEMENTARY PRODUCTS
Key Benefits:
• Customer choice – to meet specialized security needs
• No “rip and replace” needed
• More comprehensive approach to security and network planning
• Third party opportunity
Audience Relevance:
• ISP
• Large Sites
• Small Sites
Microsoft Proxy Server 2.0 provides a comprehensive set of security, performance,
and cost-savings features that should make the product a compelling choice for a
wide range of customers – small enterprises, large enterprises, and ISPs. Of
course, security and network optimization can involve a number of elements. So
while Microsoft Proxy Server offers a great deal, there is still considerable room for
value-added development and complementary products.
Third Party “Plug-In” Products – The Virtual Bundle
As noted earlier, Microsoft Proxy Server 2.0 is both a product and a platform. The
ISAPI support enables third party products to provide value added offerings that are
tightly integrated with Microsoft Proxy Server, Internet Information Server, and the
Windows NT Server operating system.
For example, several companies already offer value-added products for use with
Microsoft Proxy Server 1.0. These companies are referenced on the Microsoft Proxy
Server Web site today.
• Trend Micro. Trend Micro Inc. is a developer of server-based virus protection, with
products designed for file servers, Internet and Intranet gateways, and E-mail servers.
Its InterScan WebProtect preserves bandwidth and adds virus and security protection: it
scans HTTP files for viruses, blocks Java applets, ActiveX controls, and incoming
software, and supports Microsoft Authenticode.
• Spyglass. SurfWatch from Spyglass is client- and server-based content filtering software
that can easily be installed and used with any WWW browser. SurfWatch products are used
by parents who want to block their children's access to objectionable material on the Internet,
Internet service providers who want to offer filtering to their customers, and employers who
want to prevent employees from accessing undesirable information.
• CyberPatrol. Cyber Patrol Proxy, the Internet filtering software, allows you to filter using a
variety of lists, including the CyberNOT list of inappropriate sites and a CyberYES list of fun
and educational material for kids (ideal for elementary schools). Companies can be sure that
employees are using the Internet productively during business hours, and still allow them
access to leisure material in non-working hours such as lunchtime or after work.
• Webster Network Strategies. The Webster Control List from URL filtering developer
Webster Network Strategies ensures that overall enterprise productivity is enhanced by the
Internet, not reduced by non-business-related "surfing"; forestalls legal exposure from
unwanted World Wide Web and Internet content; and offers schools, libraries, and other
institutions a safe way to allow children to explore the Internet.
• PageBlazer. PageBlazer™ allows Web developers to create truly dynamic and
personalized Web content for each visitor. It automatically maintains user-specific information
and dynamically creates personalized content based on user state and data derived from
external resources. It uses an object-based model for building pages, with PageBasic™ as
a scripting language. PageBlazer also includes a full IDE, with class browsers, debuggers, and
other development tools.
• Crystal Reports. Crystal Reports is the client/server report writer that lets you create
presentation-quality reports and integrate them into database applications. It allows you to
report off your Web server log files, and its HTML publishing capabilities instantly turn reports
into presentation-quality, information-rich documents for the Internet and Intranet.
Today, customers can find out about these products that add value to Microsoft
Proxy Server by going to the product’s Web site. With Microsoft Proxy Server 2.0,
that process will be even easier. A simple click on the Plug-Ins button in the
Shared Services screen gives you immediate access to a Virtual Bundle of plug-in
products from third party software developers. This is effectively a special link to
the Microsoft Proxy Server partnering Web site, where product information,
evaluation software, and other material are readily available and up-to-date.
Other Firewalls – Complementary or Competitive?
The best security policy is one with several independent mechanisms to prevent
access, so that an intruder who gets through one door may still be stopped at
another.
Microsoft Proxy Server provides great security, performance, and cost-savings that
will meet the firewall needs of most customers. Still, there are several high-end
firewall solutions that provide very specialized reporting, logging, and alerting
features which larger enterprise customers will continue to use. In addition, many
enterprise customers continue to use firewall solutions they may have developed or
may have had developed especially for them.
Microsoft Proxy Server 2.0 is a great complement to these other firewall solutions
as it not only reinforces the network’s security, but also provides important
performance improvements and cost savings with its Web caching support.
Customers considering a firewall solution for the first time will discover that
Microsoft Proxy Server 2.0 is a compelling choice. Microsoft Proxy Server 2.0 is as
secure as other firewall products available today and is more affordable than most
firewall solutions, making the product accessible to a wide range of customers who
might not otherwise be able to deploy a firewall. And, as noted in the detailed
feature matrix that follows, Microsoft Proxy Server includes many features not
found in most firewall solutions.
DETAILED FEATURE MATRIX
Products compared: Microsoft Proxy Server 2.0, Netscape Proxy Server 2.5, Novell
BorderManager, and a Typical Firewall.
Feature rows compared (with per-product values, in that column order, where given
as text):
Performance
• Passive Web Caching
• Active Web Caching
• Hierarchical (Chain-Based) Caching
• Caching Array
• Load balancing & Fail-over
• Distributed Caching Protocol – CARP; Proprietary; ICP; Not available
• Cache Load-Balancing
• Reverse Proxy (single Web host)
• Reverse Hosting (many Web hosts)
• Server Proxying
• FTP Caching
• HTTP 1.1 Support
Security
• Dynamic Packet Filtering
• Application Layer Proxy – SOCKS v4 & WinSock; SOCKS v4; Proprietary; Some
• SSL Tunneling
• Authentication – Basic/Encrypt/WinNT; Basic/Text database; Basic/NDS; Some
• Circuit Layer Proxy
• Proxy-to-proxy authentication
• Real Time Alerting
• Packet Logging
• Domain Filtering
• Resists IP Spoofing
• Resists SATAN & ISS
• VPN
Management
• Single User Logon
• Content Filtering (Site Blocking)
• User Level Control
• GUI-Based Admin
• HTML-Based Admin
• Scriptable Command Line Admin
• Logging – Text / ODBC; Text; Text; Some
• Client auto-config scripting – Automatic; Manual; Manual; Some
• Virus Scanning Filtering
• Configuration Back-Up & Restore
• SNMP Support
Networking Flexibility
• IPX-to-IP Gateway
• Auto Dial Connection (to ISP)
FOR MORE INFORMATION
• Microsoft Proxy Server Web site. Look here for the latest information about
versions 1.0 and 2.0. You’ll find product information, case studies, white
papers, reseller referrals, evaluation software and more, all here:
http://www.microsoft.com/proxy
• Network Communications with Windows. Look here for the latest
information about the communications support provided by the Windows
platform. You can also find a variety of available products and solutions built on
this platform. Look here:
http://www.microsoft.com/ntserver/info/ntcomm.htm
• Support. Developers and customers can get the technical support they need.
There are several options. Please look here for more details:
http://www.microsoft.com/support
• Microsoft Security Information. Microsoft takes network security seriously.
Please see this Web site for the latest in security technology, information,
policy, and programs:
http://www.microsoft.com/security
• Microsoft General Information. Here’s the link to a vast array of information
about Microsoft products, technologies, programs, and more:
http://www.microsoft.com
APPENDIX A
WHAT IS THE LOCAL ADDRESS
TABLE (LAT)?
This section describes the LAT, tells you what the LAT does, and shows you how
the LAT is defined.
During Microsoft Proxy Server installation, the Setup program helps you create a list
of the IP addresses that constitute your private network. The information you
provide is used to create a table, called the Local Address Table (LAT), that defines
your private network. IP addresses that are external to your private network are
specifically excluded from this table.
The Setup program installs the LAT on the server. The file containing the LAT is
named Msplat.txt and on the server its default location is C:\Msp\Clients (if you
install Microsoft Proxy Server in a different location on the server, the Msplat.txt file
is relocated accordingly). The Microsoft Proxy Server Setup program also installs a
client Setup program into this directory.
The Microsoft Proxy Server Setup program configures the \Clients subdirectory on
the server to be a network share named Mspclnt. Clients can connect to this share
by connecting to \\Servername\Mspclnt and then running the client Setup program.
The client Setup program configures the client computer as a client of the WinSock
Proxy service, and also attempts to configure the client computer’s Internet browser
as a client of the Web Proxy service. (The exact client configuration that client
Setup implements depends on configuration choices you make during Microsoft
Proxy Server Setup.)
During client Setup, the LAT file (Msplat.txt) is copied to the client. In order to keep
client LAT files current, the Msplat.txt file is regularly updated from the server. Each
time a Windows Sockets application on that client attempts to establish a
connection to an IP address, the LAT is used to determine whether the IP address
is on the private network, or is external. If the address is internal, the connection is
made directly. If the address is external, the connection is made remotely, through
the WinSock Proxy service on Microsoft Proxy Server.
How is the LAT Defined?
The LAT is defined during Microsoft Proxy Server installation, when you complete
the Local Address Table Configuration dialog box. The LAT consists of a series of
IP address pairs. Each address pair defines either a range of IP addresses (from
the first, lower address to the second, higher address), or a single IP address (if
both addresses of the pair are identical).
Note: Each IP address pair identifies either a range of addresses, or a single IP
address. The second entry is not a subnet mask.
To add addresses to the LAT, you can:
• Click the Construct Table button in the Local Address Table Configuration
dialog box. This generates the list of IP address pairs from internal routing
tables used by Windows NT Server.
• Use the edit controls in the Local Address Table Configuration dialog box to
manually enter pairs of IP addresses.
• Use a combination of both techniques (generate a list of IP address pairs, then
use the edit controls to manually add and remove addresses).
When you click the Construct Table button in the Local Address Table Configuration
dialog box during Microsoft Proxy Server installation, the list of IP address pairs is
generated from the internal routing tables used by Windows NT Server. In some
cases the generated addresses might not completely define your private network:
they could omit a subnet of your private network, or include addresses external to
it. It is important that you review the generated list of IP addresses. Use the edit
controls to add any needed IP address pairs until all addresses of your internal
network are defined, and remove any IP address pairs that define external
(Internet) addresses.
Note: If you find that a subnet of your private network is omitted when the list of IP
pairs is generated, you need to add the IP address pairs as described above, but
you also need to review and correct the server or network configuration to ensure
that the missing subnet becomes accessible for TCP/IP connections.
APPENDIX B
WINDOWS NT SERVER –
OVERVIEW OF A SECURE
OPERATING SYSTEM
The basis of Microsoft Proxy Server’s security environment lies in Windows NT
Server’s security features and enabling technologies. Microsoft Proxy Server and
other BackOffice applications leverage both. This appendix highlights some of the
attributes that make Windows NT Server a secure network operating system
suitable for use with a firewall application such as Microsoft Proxy Server 2.0. The
security features and techniques described in this appendix apply to Windows NT
Server 4.0 unless otherwise explicitly stated.
Applications
Windows NT Features
• Domains & Accounts
• Single-logon
• Password Management
• ACLs
• Security Log
• Admin Roles
• Rights
• Basic Protocol Security
• C2 Assurance
Enabling Technologies
• CryptoAPI
• S-Channel
• P-Store, Wallet & PFX
• Smart Cards
• SSPI, Secure DCOM/RPC
• Certificate Server
• Authenticode
• Java Security
Security Principles
Windows NT Features
Domains and Accounts
The most fundamental security control in a widespread network is which users have
access to which computers, whether for local logon (where you’re working at a
computer) or for remote access to shared network resources. The Windows NT
domain structure fundamentally and primarily governs this policy.
Administrators assign each Windows NT computer, whether a server or desktop
PC, to a single Windows NT domain. (This is usually permanent but it can change.)
Each domain has a Windows NT Domain Controller that serves as a repository for
security information, most notably a set of domain-wide user accounts and group
definitions. A user’s account holds their logon name, password, capabilities, and
other information like their real name. Each account in a domain can locally log onto
and remotely access each computer in the domain, although there are other
controls that can restrict access on an account-by-account basis.
If their administrators agree, one domain can trust a second domain, and if so
accounts from the second domain can access computers in the first, just like the
first’s own accounts. In setting up the trust, the first administrator is in effect saying,
“your users may access the computers in my domain” (although there are many
strong controls on that usage). User names across a multi-domain network need
only be unique within a domain and are implicitly prefixed by their domain name,
like “SALES\JJones,” where SALES is the domain and JJones the user. Trust is
one-way. In our current example, accounts from the first domain cannot access the
second’s computers. However, two domains can trust one another. A domain can
trust and be trusted by more than one other domain.
There are many popular practices for structuring domain trust relationships, or
“domain models,” and some are based on criteria other than security. For example,
the network browser groups computers and their shared resources by their domain.
However, the fundamental security of domains is both simple and essential: who
can access which computers.
There are two features that further allow administrators to control who can access
which computers. User Rights are special capabilities that administrators assign to
accounts that can use a given computer. Most Rights are used internally by
Windows NT and its default assignments seldom change. However, two Rights are
particularly noteworthy: the rights to log on locally and to log on remotely. These
allow each computer to tightly limit each kind of logon. Further, each account has
an optional list of workstations to which its user can locally log on.
Single Log-on and Remote Sessions
When you locally log onto a Windows NT computer, your logon session runs under
the name you present along with your password at logon. When you attempt to
access a remote computer, for example, connecting to one of its shared directories
or printers, or even to perform remote administration, the remote computer
transparently authenticates you and establishes a remote session for your activities
there.
If the domain structure allows, the remote account is the same as your local one.
Otherwise, you can sometimes specify a name and password of an account that is
allowed on the remote computer. But under no circumstances can you establish a
remote session without being authenticated – that is, demonstrating you know the
name and password of an account that’s allowed on the remote computer. And
without a remote session your programs can obtain no significant services.
Once you've been logged on to the remote computer, remote server applications
can assume the identity of your user account through a simple process called
“impersonation.” When they do so, they are running under your permissions and
capabilities and their actions are appropriately constrained by controls in the remote
environment, for example ACLs on the remote file systems. This is our first and
perhaps best example of how the Windows NT environment implements single-logon
and propagates it to server applications. A server in this scenario need know
nothing about authentication or accounts. It simply impersonates its client user
(whose name it may not even choose to discover) and the Windows NT
environment restricts the program’s actions accordingly.
BackOffice and other Microsoft applications universally leverage this fundamental
security model, and Microsoft strongly encourages all BackOffice logo applications
to do so also.
Prior to Windows NT 5.0, a server could not forward your identity and capabilities
on to another remote server. Windows NT 5.0 will include an authentication
technique called Kerberos that gives servers this ability. Kerberos was developed at
MIT and is a respected Internet standard.
Password Management
Under single-logon you log on only once, so that logon should be quite strong.
Windows NT uses a technique called the “Trusted Path” typically found only in
highly secure operating systems. The Trusted Path prevents the common
“spoofing” scheme where a malicious program already running on a computer
presents what appears to be a legitimate logon window in order to capture a user’s
password. Under the Trusted Path, Windows NT users are trained to always call up
the logon window by pressing the CTRL, ALT, and DEL keys simultaneously.
When they do, Windows NT reliably displays its Security Window into which they
can safely enter their password. (You also use the Trusted Path to change your
password and log off which prevents similar spoofs.) Windows NT includes a variety
of password controls, including the ability to lock an account when its password
appears to be under attack.
There are two important enabling technologies that can strengthen Windows NT’s
logon and password management: PASSFILT and GINA. PASSFILT lets an
administrator install a trusted program that’s called every time a user changes their
password. The program receives the new password and can assure that it meets
certain strength criteria, like its length or random nature of its characters. Microsoft
includes an optional PASSFILT module in Windows NT that enforces an example
password policy. This addresses the time-honored but still troublesome problem of
users who choose insecure passwords. GINA is a replaceable program that is an
integral part of the Windows NT local logon system. Although not for the novice,
vendors can supply alternative GINA modules that strengthen the logon process.
The prime example is to support the smart card authentication we discuss later, or
biometric authentication devices like fingerprint or retinal scanners.
Access Control Lists (ACLs)
All objects in the Windows NT environment can have an Access Control List (ACL),
a list of users or groups and what kind of access each is allowed to the object. The
most visible and important ACLs are those that protect all elements in Windows
NT’s native file system format (NTFS) and the Windows NT Registry¹. These house
all software that enforces Windows NT security, and ACLs are therefore key in
protecting the system’s integrity. (Windows NT sometimes uses encryption for
additional protection, for example, for its user accounts and other key security data.)
Users have full control of ACLs on the files, directories, and other objects they
create, and use simple window interfaces to manage them. They can also specify
the ACL to be given by default to all newly created objects in the directories they
manage.
ACLs protect other objects, like file shares and printers, and as we see later most
BackOffice applications extend the ACL model to data they manage. It’s often
necessary for an application to have a customized ACL format for objects that it
manages. In both cases the purpose and intent is the same.
¹ The Windows NT Registry is an extensively used hierarchical storage for system and application control
information.
Central Admin & Roles
Windows NT uses a simple administrative hierarchy. Full administrators, members
of the local Administrators group on each computer, have complete power over that
computer. Windows NT Server includes several operator roles each of limited
power, for example Account Operators that manage user accounts and Server
Operators that look after day-to-day server operations. Windows NT administration
is based simply upon membership in certain groups so you can flexibly devise
network-wide administrative roles.
For example, you can include domain administrators from the local domain and
even remote domains among the administrators who control your LAN workstations. Or
you could create a group for accounts that only administer user workstations, but
not the more critical network servers.
Security Audit Trail
Windows NT and its applications can record an extensive set of system events in its
security log. Administrators define an audit policy that designates which of a set of
six categories the system records (logons and logoffs, user and group
management, and so forth). They can also attach auditing information (which looks
much like an ACL) to any Windows NT object, typically NTFS files and directories,
and Registry keys. When the object category is selected, this information
determines when the system audits access to the object based on the user or group
of the accessor and the success and/or failure of the operation. You can even
stipulate that the system shut down if the audit trail exceeds its allowed storage
(although this is wisely left as an option).
Microsoft provides extensive software libraries that allow trustable programs to
insert their own custom audit records into the audit trail. The libraries also give audit
tools easy, high-level access to the security log, and we can look forward to
powerful, third-party audit trail analysis tools.
Routing and Remote Access Service (RRAS) & Point-to-Point Tunneling Protocol (PPTP)
The Routing and Remote Access Service (RRAS) lets remote users or remote
routers dial into a Windows NT RAS server and use the resources of its network
as if directly, locally connected. In its simplest mode, users logging onto
Windows NT remotely simply check a small box on their logon window that
automatically establishes the RAS connection and authenticates the session.
RRAS uses Windows NT’s standard single-logon technique, and users can log
on under their normal office account. Overall, working from the road is identical
to working from one’s office – and it's secure.
Administrators designate which accounts can use RRAS. They can also set up
RRAS to automatically “call back” a specific number for each account which
assures that a user’s remote access comes only from a specific phone number.
RRAS uses Windows NT’s standard Challenge/Response logon which prevents
passwords from passing over the communication link. RRAS clients and
servers can require that all communication be encrypted, currently by the 40- or
128-bit RC4 cipher. You can also limit remote access to the resources of the
RAS server itself (as opposed to its networks).
Microsoft’s Virtual Private Networking technology uses the industry-supported
Point-to-Point Tunneling Protocol (PPTP) to extend the use of RRAS to the
Internet. Instead of dialing directly into the RRAS server using a telephone line,
the remote RRAS client dials a local Internet service provider and establishes an
Internet link to their PPTP RAS server. This virtual private network scenario
allows a remote user to securely access a central network over the unsecure
Internet.
Basic Protocol Security
Not all networks are prone to attack, and Windows NT does not impose
performance penalties by applying cryptographic techniques to all network traffic.
Instead, its philosophy is to support specific applications that need to
cryptographically protect data in transit across a network. However, it does use
some common sense and basic cryptographic techniques in its standard, underlying
protocols.
Local logon requests are encrypted when they pass between the workstation and its
domain controller. This helps assure that passwords are not exposed and that
interlopers cannot interfere with the primary authentication process. The remote (or
“secondary”) authentication we just discussed uses the NTLM Challenge/Response
protocol to assure that passwords never appear on the network unencrypted.
Windows NT uses Microsoft’s SMB protocol for file and printer sharing, and many
other remote services. A new version of SMB² applies integrity protection to this
protocol with an algorithm similar to the one we presented earlier. While it does not
encrypt (hide) one’s data, it prevents a broad range of attacks that seek to modify
data in transit or impersonate the client’s identity.
C2 and its Companions
Windows NT 3.51 is one of the few commercial operating systems that have
successfully completed the C2 evaluation process by the U.S. government, as well
as the FC2/E3 evaluation under its companion European criteria, ITSEC. Why
should you care? C2 assures that the base operating system has certain important
security features, but more important, it’s an opinion from an independent, trained,
experienced, unbiased team of government security analysts, a team that has the
full cooperation of the Microsoft developers and access to source code, internal
design documents, and the core software architects.
² This enhanced SMB protocol was introduced in Windows NT 4.0 Service Pack 3. Its author has proposed
it as a standard for the Common Internet File System (CIFS) that would allow file sharing across diverse
platforms.
The team works through meetings with these designers to gauge Microsoft’s
expertise, commitment, and thoroughness toward security. This team concentrates
on fundamental security architecture guided by the Trusted Computer Systems
Evaluation Criteria, the “Orange Book.” The team summarizes their study in a Final
Evaluation Report, which is as good an illustration of Windows NT security
architecture as you’ll find.
C2 evaluation is therefore not a detailed search for security bugs, but rather an
opinion that the overall security architecture is sound. One cannot “run the system
in C2 mode” – there’s no such thing. One could turn off the features that were
excluded from the evaluation, but even this misses the point of the evaluation
process. C2 is a measure of Microsoft’s commitment and support to produce a
system whose fundamental architecture is subjected to independent analysis. The
resultant C2 and its companion ratings lend an important degree of confidence that
this system is properly architected for security. For more information, see:
http://www.microsoft.com/ntserver/info/securitysummary.htm
And the story continues…
Upcoming additions to Windows NT, particularly those that will be introduced in
Windows NT 5.0, bring many new security features:
• Expanded Domain Trust Relationships: To ease domain administration in
larger sites, Windows NT 5.0 allows administrators to group domains so
that each domain implicitly trusts every other domain in the group. This
means that accounts in a domain can be used in all other domains in the
same group. Windows NT 5.0 continues to support simple one-way trust to
more finely control trust relationships.
• Kerberos & Public Key Authentication: Windows NT 5.0 uses the
industry-standard Kerberos V5 authentication technology as its default
authentication scheme. Invisible to regular users, Kerberos offers a variety
of expanded authentication capabilities. For example, it lets servers pass
client user identities for use by other servers in a multi-tier client/server
arrangement, and allows for mutual client-server authentication. It also lets
Windows NT users securely access remote, non-Windows NT services that
use this popular technology. Windows NT 5.0 can also authenticate users
using public keys and certificate technology, including SSL. This facilitates
authentication from non-Windows NT sources and eliminates some of the
disadvantages of traditional passwords.
• Active Directory: The Active Directory is logically a single, network-based
storage hierarchy based on X.500 standards (and, of course, protected
by ACLs, which have some interesting new properties of their own). When
upgrading from Windows NT 4.0 to Windows NT 5.0, many security
parameters migrate to the Active Directory from their current location in
the Windows NT Registry, including all user accounts. This significantly
enhances central security administration. Administrators can also delegate
detailed operations to lesser administrative users who need to perform
specific functions; for example, letting a help desk attendant assign a new
password to a user without otherwise changing the user’s capabilities.
Because these capabilities are based on the ACLs that protect the Active
Directory elements, sites can devise custom administrative hierarchies that
fit their own particular needs.
• Encrypted File System: Windows NT 5.0 lets users automatically encrypt
information stored in its native NTFS file system format in much the same
way they can automatically compress files today. It has provisions for data
recovery that allow trusted administrators to recover data if users forget
their own encryption keys or leave the company. This is a welcome and
essential feature for people who use laptops or removable hard drives.
We’ll also see public key technology and certificate management more tightly bound
into Windows NT, wider use of SSL, and some small but nice refinements to its
audit log. You can learn more about all these features in Microsoft Windows NT
Distributed Security Services: Secure Networking using Windows NT Server
Distributed Services Technology Preview
(http://www.microsoft.com/ntserver/info/aasecurwp.htm).
Enabling Technologies
An “enabling technology” is a set of software libraries that encapsulate certain
algorithms or procedures that the operating system makes available to other
applications and system services. These enabling technologies can be leveraged
by other parts of the operating system itself, as well as from applications developed
either by Microsoft or independent third party developers.
While enabling technologies do not by themselves make your system more secure,
they are key in assuring a strong, consistent, ongoing stream of security applications for the Windows NT environment.
In many ways, enabling technologies are the most exciting part of this security story
because they portend a rich, ongoing stream of trusted applications that are more
economical, more secure, and easier to administer because they leverage
Windows NT’s common, enabling software. We will cover these technologies at a
high level in this appendix. For more information, access our security web site at
www.microsoft.com/security.
CryptoAPI & S-Channel
Cryptography is the essential component of networking security. Unfortunately, it’s
a difficult technology to learn and implement. Microsoft created the CryptoAPI to
address this problem. The CryptoAPI is a set of software libraries with high-level
cryptographic interfaces (API’s) that manage the many details of key management,
formatting, and cipher algorithms, presenting applications with a single interface
that serves different underlying ciphers. CryptoAPI uses Cryptographic Service
Providers (CSP), plug-in cipher modules that cryptographers create and market. In
short, CryptoAPI joins application developers, who know little of cryptography but
need to use it, with cryptographers who develop the base technology.
Each CSP implements a specific set of cryptographic algorithms. Microsoft provides
a base CSP that includes a full complement of cryptographic ciphers and hash
functions licensed from RSA Data Security, Inc. Under CryptoAPI, you can replace
one CSP with another of the same type without affecting any of the applications that
use that type. For example, Microsoft provides an Enhanced version of the RSA
base CSP that supports stronger encryption where legally permitted. This also lets you
upgrade your security to hardware devices, like smart cards, by simply replacing the
CSP.
Microsoft delivers a basic set of CSP’s with Windows NT (note that you may need
special third-party licenses if you develop and sell products using these
algorithms). All BackOffice
applications are moving quickly to fully utilize CryptoAPI. The recently released
CryptoAPI 2.0 includes a complete set of certificate management API’s that
implement the latest X.509 certificate formats.
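As an added illustration (not code from this guide), the following PowerShell runs the same RSA signing routine under two CryptoAPI CSPs of the same provider type; only the provider name changes, the calling code does not. It uses the .NET RSACryptoServiceProvider class, which is a managed wrapper over CryptoAPI on current Windows systems; the key container name and sample message are constructed values.

```powershell
# Added example: selecting a CryptoAPI CSP by name through the .NET wrapper.
# PROV_RSA_FULL (type 1) is implemented by both the Base and the Enhanced
# provider, so the application code below is identical for both.
function Invoke-CspSignDemo {
    param(
        [Parameter(Mandatory)] [string] $ProviderName,
        [string] $Message = 'constructed sample message'
    )
    $PROV_RSA_FULL = 1
    $csp = New-Object System.Security.Cryptography.CspParameters($PROV_RSA_FULL, $ProviderName)
    $csp.KeyContainerName = 'ReviewerGuideDemoContainer'   # constructed container name

    # 1024-bit key for speed; the key is discarded when the object is disposed.
    $rsa = New-Object System.Security.Cryptography.RSACryptoServiceProvider(1024, $csp)
    $rsa.PersistKeyInCsp = $false
    try {
        $data = [System.Text.Encoding]::UTF8.GetBytes($Message)

        # SHA-1 is used because both type-1 providers support it; SHA-256
        # signing requires the "Microsoft Enhanced RSA and AES Cryptographic
        # Provider" (type 24), which shows how CSP capabilities differ.
        $signature = $rsa.SignData($data, 'SHA1')
        $valid = $rsa.VerifyData($data, 'SHA1', $signature)

        # A tampered copy of the data must be rejected by the same CSP.
        $tampered = [byte[]]$data.Clone()
        $tampered[0] = $tampered[0] -bxor 1
        $tamperedAccepted = $rsa.VerifyData($tampered, 'SHA1', $signature)

        [pscustomobject]@{
            RequestedProvider = $ProviderName
            ActualProvider    = $rsa.CspKeyContainerInfo.ProviderName
            ProviderType      = $rsa.CspKeyContainerInfo.ProviderType
            SignatureBytes    = $signature.Length
            ValidSignature    = $valid
            TamperedAccepted  = $tamperedAccepted
        }
    }
    finally {
        $rsa.Dispose()
    }
}

# Same routine, two different CSPs: the swap is a configuration change only.
'Microsoft Base Cryptographic Provider v1.0',
'Microsoft Enhanced Cryptographic Provider v1.0' |
    ForEach-Object { Invoke-CspSignDemo -ProviderName $_ } |
    Format-Table -AutoSize
```

Expect ValidSignature to be True and TamperedAccepted to be False for both providers, with ActualProvider echoing the name that was requested.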
Secure Channel
Secure Channel (S-Channel) is a security service provider module that implements
the popular public key security protocols between Web clients and servers: SSL,
PCT, and the upcoming standard that merges them, TLS. S-Channel is layered on
top of CryptoAPI for key and certificate management services. ISV’s and
developers can use this S-Channel to add these strong cryptographic protocols to
any client – server application.
P-Store, Microsoft Wallet & PFX
Traditionally, on a single-logon system like Windows NT, a user had only to
remember their logon password. However, increased security in heterogeneous
environments adds a lot more that they have to lug around, including their private
keys and certificates, trusted CA certificates, credit card and bank account
numbers, other personal identification information (like a driver’s license number),
and data that helps their applications use this information automatically and
transparently. There needs to be a single place to store and protect this information
that applications can share. On Windows NT, the Protected Store (P-Store) is the
technology that enables all this.
P-Store is a set of software libraries that allow applications to store and retrieve
security and other information from a personal storage location, hiding the
implementation and details of the storage itself. For example, storage could be the
user’s Windows NT profile, a preferences file, a diskette, or a smart card. The
Microsoft Wallet is a generic name for a window application that serves as the user
interface to the P-Store. Microsoft Site Server already uses the Wallet with Internet
Explorer and Outlook Express (Internet Explorer’s mail client) to follow soon. The
Personal Information Exchange (PFX) protocol securely transfers the contents of a
P-Store from one location to another. For example, a user may need to copy it from
their office to their home computer.
Smart Cards
Smart cards are a key component of future public key cryptography in Windows NT
5.0. A smart card is about the size of a credit card and can hold a processor and
local memory – a simple computer. It usually plugs into a slot on the computer or its
keyboard. Smart cards can be tamper-resistant, so that any attempt to dismantle the
card erases its memory. Many companies are developing smart cards for Windows
NT, and Microsoft participates in the industry-wide and ISO committees that are
standardizing them.
With prices falling and the full support of the Windows NT infrastructure, smart
cards will quickly become a popular and critical security component of Windows NT
enterprise networks. (See http://www.Microsoft.com/SmartCard for details.)
SSPI & Secure RPC & DCOM
As intranets become more secure, client applications (like Web browsers and e-mail programs) and servers (like Web servers and e-mail hosts) become more
complicated because different situations require different types of authentication
and cryptography. While an application writer could learn each scheme and code it
directly into their program, there’s a much better way. Microsoft’s Security Support
Provider Interface (SSPI) makes common network authentication and cryptographic
data protection schemes available to both client and server writers via simplified
software libraries. Programs that use SSPI do not need to encode the details of
specific authentication or crypto schemes. Instead, the SSPI libraries do all the
complicated work.
A Security Support Provider (SSP) is a library that manages a particular scheme.
Applications interact with all SSP’s through a common SSP Interface (hence, the
overall moniker SSPI) which further hides the details of the specific scheme. SSP’s
rely heavily on other enabling technologies like CryptoAPI and S-Channel wherever
possible. SSPI currently includes four SSP’s:

Kerberos: A cryptographic, industry standard mutual authentication
protocol that we introduced earlier.

NTLM: The traditional password-based authentication protocol for
Windows networks. Although this time-honored standard will continue to
be supported, Kerberos will gradually replace its use for newer, Windows
NT environments.

SSL: (Including PCT and TLS.) A cryptographic protocol for mutual
authentication and data protection popular today only in the Web
community, but nonetheless a strong, general-purpose security protocol.

DPA: A password-based authentication protocol used by many commercial
online services, like Microsoft’s MSN. Its advantage is that users can use
the same credentials (name and password) to log onto more than one online
service.
Distributed and client/server applications use SSPI in several ways, from calling its
SSP’s directly to selecting security options when using DCOM, RPC, and other
popular Internet API’s. DCOM (Distributed COM) and RPC (Remote Procedure
Call) are enabling technologies that make it easier for people to create distributed
applications – applications with cooperating components that run on different
computers, perhaps even different operating systems (like Windows NT, UNIX, or
the Macintosh). For example, Windows NT remote administration uses RPC
extensively. DCOM and RPC manage and hide the nitty-gritty details of how the
different parts communicate. Both DCOM and RPC have simple options that
automatically use SSPI authentication and message encryption. These options are
sometimes called “Secure DCOM” or “Secure RPC.” These are among the easiest
ways to use SSPI.
Applications
[Figure: the layered security model, with Security Principles at the base, Enabling
Technologies and Windows NT Features above, and Applications at the top: Outlook,
Internet Explorer, Exchange, SNA Server, SQL Server, Proxy Server, Internet Info
Server, BackOffice™ and others]
There is a great deal of information about each of these products on the Microsoft
web site, and most products have their own security white papers.
While enabling technologies bespeak the promise, applications must demonstrate
the reality. The BackOffice applications themselves have a diverse heritage, and
new releases tightly integrate into the Windows NT security environment,
replacing older and less consistent security features.
SUMMARY
While this was not intended to be an exhaustive study of Microsoft security, we
hope you gained a basic understanding of the security provided by the Windows NT
environment. For more information, please visit our security web-site at:
www.microsoft.com/security.