MCSE STUDY GUIDE: Proxy Server 2.0 Exam 70-88
Troy Technologies USA
MCSE
STUDY GUIDE
Proxy Server 2.0
Exam 70-88
Congratulations!!
You have purchased one of the Troy Technologies USA MCSE Study
Guides.
This study guide consists of a selection of questions and answers very, very
similar to the ones you will find on the official MCSE exam. All you need to
do is study and memorize the following questions and answers, and you
will be ready to take the exam. Remember, we guarantee it!
Average study time is 10 to 12 hours. Then you are ready.
GOOD LUCK!
Guarantee
Should you use this study guide and still fail the appropriate MCSE exam,
then send your original of the official score notice, along with your mailing
address to:
Troy Technologies USA
11134 Hunter Oaks
San Antonio, TX 78233
We will gladly refund the full cost of this study guide. However, you are not
going to need this guarantee if you follow the above instructions.
© Copyright 1998 Troy Technologies USA. All Rights Reserved.
Further Suggested Reading for Microsoft Certified System Engineer
• Exam Cram, MCSE Windows 2000 Network: Exam 70-216 (Exam Cram) by
Hank Carbeck, et al. Paperback (September 28, 2000)
• MCSE Windows 2000 Accelerated Study Guide (Exam 70-240) (Book/CD-ROM
package) by Tom Shinder (Editor), et al. Hardcover (October 6, 2000)
• MCSE 2000 JumpStart: Computer and Network Basics by Lisa Donald, et al.
Paperback (April 2000)
• MCSE: Windows 2000 Network Infrastructure Administration Exam Notes by
John William Jenkins, et al. Paperback (September 19, 2000)
• Public Key Infrastructure Essentials: A Wiley Tech Brief - Tom Austin, et al;
Paperback
• Planning for PKI: Best Practices Guide for Deploying Public Key Infrastructure -
Russ Housley, Tim Polk; Hardcover
• Digital Certificates: Applied Internet Security - Jalal Feghhi, et al; Paperback
• Ipsec: The New Security Standard for the Internet, Intranets, and Virtual Private
Networks - Naganand Doraswamy, Dan Harkins; Hardcover
• A Technical Guide to Ipsec Virtual Private Networks - Jim S. Tiller, James S.
Tiller; Hardcover
• Big Book of IPsec RFCs: Internet Security Architecture - Pete Loshin (Compiler);
Paperback
• MCSE Windows 2000 Core 4 for Dummies: Exam 70-210, Exam 70-215, Exam
70-216, Exam 70-217
Proxy Server Concepts
The primary function of Microsoft Proxy Server is to act as a gateway to and from the Internet. Clients
connect to Proxy Server when they make a request for resources located on the Internet. Proxy Server gets
the resource and returns it to the client. The Server can also allow selected computers or protocols to
access the internal network. Since you are only presenting one IP address to the Internet, Proxy Server
effectively hides your internal network.
A Proxy Server has one network card for the private internal network and it has another network adapter
with which to connect to the Internet. This adapter may be another network card or it may be an ISDN
adapter. The Proxy Server is the only computer in the network attached to both internal and external
networks.
Microsoft Proxy Server consists of 3 different services: Web Proxy, WinSock Proxy, and SOCKS Proxy.
Web Proxy Service
The Web Proxy service runs as a service on a Windows NT Server. It runs as an extension to IIS 3.0 or
higher. You must have IIS installed on your NT server in order for the Web Proxy service to run. Clients
contact the Web Proxy service and it contacts other Web servers on behalf of the client and then relays the
information back.
The Web Proxy service supports Hypertext Transfer Protocol (HTTP) and File Transfer Protocol (FTP) for
computers on the local LAN.
Caching
The Web Proxy service maintains a local copy of HTTP and FTP objects on a local hard disk. This is
called caching. Not all objects are cached. Some objects change frequently, even each time they are
accessed, so caching them is a waste of processing time. Some objects have a security context and are not
cached for security reasons. The Proxy Server performs two types of caching: Passive caching and Active
caching.
Passive Caching
Passive caching is the method used most. It is also known as on-demand caching because it is available on
demand when the client makes the request.
In a network that does not have a Proxy Server, the client contacts the Web server on the Internet. The
Web server responds to the request and sends the requested objects directly back to the client. Proxy
Server sits in the middle of this process. The Proxy client contacts Proxy Server with the request. Proxy
Server goes to the Internet with the request and retrieves the requested object. It caches that object. If you,
or any other client, requests the object again, Proxy Server gets the object from the local cache rather than
from the Web server on the Internet.
In order to ensure that the cached information is still current, several techniques are used. One technique
is to set an expiration time on the object. This expiration time is known as the time to live (TTL). When a
client requests an object that is cached, Proxy Server checks the TTL to determine if the requested object
is still valid. If the TTL has not expired, then the object is returned to the client. If the TTL has expired,
then Proxy Server goes out to the Internet and retrieves the object and the TTL process begins again.
In order to manage disk space, Proxy Server deletes older cached objects to make room for new ones when
the disk becomes too full.
Active Caching
Active caching supplements passive caching. The intent of active caching is to maximize the probability
that an object will be in local cache when the client requests the object from Proxy Server. To accomplish
this, Proxy Server will automatically retrieve objects from the Internet. It chooses objects by considering
such factors as:
Frequency of request - Objects that are more frequently requested are kept in the cache. If the TTL on one
of these objects expires, a new object is requested.
Time-To-Live - Objects having a greater TTL are better to cache than objects with shorter TTLs. In other
words, if an object has a short TTL and is seldom requested, it is not advantageous to cache it because the
TTL will have expired by the time the next request arrives.
Server Activity - Proxy Server seeks to cache more objects during times of low activity than it does during
periods of high activity.
WinSock Proxy Service
The WinSock Proxy service works with Windows-based client computers. The WinSock Proxy service
allows WinSock applications to run remotely. This service is a client/server process that runs only on
Windows NT 4.0 Server running Proxy Server. It allows client applications to run as if they are directly
connected to the Internet.
Local Address Table (LAT)
The function of the LAT is to define the IP addresses on the internal network. Network addresses not
contained in the LAT are considered external addresses.
The LAT entries are pairs of IP addresses. Each pair defines an address range. This address range can be
an entire network ID or a single IP address. The LAT is built when you install Proxy Server. The LAT is
generated from the Windows NT Server routing table. This method may not record all the addresses of the
internal networks. You may have subnets that need to be added. There may also be external network
addresses that need to be removed. It is important to remove external network addresses from the LAT.
When you install the Proxy client, the Setup program installs a file named msplat.txt. This file is installed
in the \mspclnt folder. The file contains the LAT. The contents of this file are identical to the LAT on the
server. To keep this file consistent, the server regularly updates the msplat.txt file on the client.
When a WinSock application needs to establish a connection using an IP address, the msplat.txt file is
consulted to determine if the requested IP address is internal or external. If the address is listed in the
msplat.txt file, then it is considered to be on the internal network and the connection with the resource is
made directly. If the address is not listed, then it is considered to be on an external network and the
connection is made through the Proxy Server.
If the LAT at the server does not contain all of the internal network addresses, you can modify the
msplat.txt at the client to include the other internal network addresses. However, these address
modifications are lost when the server periodically sends the LAT update to the client. To overcome this,
you can create a custom LAT for the client using a text editor. You add the additional address pairs that
are on the internal network so that the client recognizes them as part of the internal network. You then
save the file in the \mspclnt folder. The file must be named Locallat.txt. The WinSock client checks both
files, if they are present, for local IP addresses.
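The following is an added example, not code from the study guide or from Microsoft Proxy Server, that models the client-side LAT check described above and the later guideline that external addresses must never appear in the LAT. It assumes msplat.txt and Locallat.txt hold one range per line as a pair of IP addresses separated by whitespace (with ";" comment lines), which is an assumption made for this example; the file contents and host addresses are constructed.

```python
import ipaddress
from typing import List, Tuple

Range = Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]

# Address spaces an administrator expects inside a LAT: RFC 1918 private
# ranges plus loopback and link-local. Anything outside these is treated as
# an external address that should not be listed.
INTERNAL_SPACES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

# Constructed sample of a server-pushed msplat.txt (not a real file). The
# last pair is a public range picked up from the routing table that should
# have been removed before deployment.
MSPLAT_TXT = """\
; msplat.txt - constructed sample
10.0.0.0 10.255.255.255
172.16.0.0 172.16.255.255
192.168.1.10 192.168.1.10
11.22.33.0 11.22.33.255
"""

# Constructed sample Locallat.txt adding a subnet the server LAT missed.
LOCALLAT_TXT = """\
192.168.50.0 192.168.50.255
"""


def parse_lat(text: str) -> List[Range]:
    """Parse LAT text into (start, end) address pairs; skip blanks/comments."""
    ranges: List[Range] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split()
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected 'start end', got {raw!r}")
        start, end = (ipaddress.IPv4Address(p) for p in parts)
        if end < start:
            raise ValueError(f"line {lineno}: range end precedes start")
        ranges.append((start, end))
    return ranges


def is_internal(addr: str, *lats: List[Range]) -> bool:
    """Mimic the WinSock client's decision: an address is internal if any of
    the LAT files given (msplat.txt and, if present, Locallat.txt) contains a
    range covering it; otherwise it is external and goes via Proxy Server."""
    ip = ipaddress.IPv4Address(addr)
    return any(start <= ip <= end for lat in lats for start, end in lat)


def external_ranges(lat: List[Range]) -> List[str]:
    """Return LAT entries (as 'start-end' strings) that include addresses
    outside INTERNAL_SPACES. Such entries matter because anything listed in
    the LAT is trusted as internal and reached directly, bypassing the proxy."""
    flagged: List[str] = []
    for start, end in lat:
        # Split the pair into CIDR blocks and check that every block sits
        # inside one of the expected internal spaces.
        blocks = ipaddress.summarize_address_range(start, end)
        if not all(any(b.subnet_of(space) for space in INTERNAL_SPACES)
                   for b in blocks):
            flagged.append(f"{start}-{end}")
    return flagged


def audit(msplat: str, locallat: str = "") -> dict:
    """Parse both files and collect what an administrator wants to know."""
    server_lat = parse_lat(msplat)
    local_lat = parse_lat(locallat) if locallat else []
    return {"server_lat": server_lat, "local_lat": local_lat,
            "external_in_lat": external_ranges(server_lat)}


if __name__ == "__main__":
    report = audit(MSPLAT_TXT, LOCALLAT_TXT)
    for host in ("10.1.2.3", "192.168.50.7", "192.168.1.11", "198.51.100.5"):
        route = ("direct (listed in a LAT file)"
                 if is_internal(host, report["server_lat"], report["local_lat"])
                 else "via Proxy Server (not in any LAT file)")
        print(f"{host:>14}: {route}")
    for entry in report["external_in_lat"]:
        print(f"WARNING: external range {entry} is listed in msplat.txt")
```

Running the script shows 192.168.50.7 only becomes "internal" because of Locallat.txt, and flags the public range that the routing-table-generated LAT carried over.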
TCP/IP and IPX/SPX
There are several important points you need to know about using TCP/IP or IPX/SPX protocols and the
WinSock Proxy service. When you are using TCP/IP on your LAN and an application wants to
communicate with a server, that server may be local or remote to the application. Based on the addresses
contained in the LAT, the application can tell if the requested server is local or remote. If the address is
local, the client forwards the request directly. If the address is not local, then the WinSock Proxy service
is involved.
If your LAN is running the IPX/SPX protocol, the scenario changes. In this case, the WinSock Proxy
service is also acting as a protocol gateway. It converts the IPX/SPX protocol to the TCP/IP protocol and
back again. Since you are not running TCP/IP, there is no LAT table to be downloaded to the WinSock
Proxy client at installation time. Since there are no TCP/IP hosts on the local network, all attempts to
connect to a TCP/IP host are considered requests for a remote host and are processed according to those
rules.
SOCKS Proxy Service
The SOCKS Proxy service is a cross-platform mechanism used to establish secure communications
between the server and non-Windows based clients like UNIX and Macintosh. This service allows for
transparent access to the Internet using Proxy Server. This service does not support applications that use
UDP, nor does it support the IPX/SPX protocol.
Implementation
Microsoft lists three environments to consider when implementing Proxy Server. The environments are:
Small, Medium, and Large networks.
Network size    Clients served per Proxy Server
Small           1 - 200
Medium          201 - 2000
Large           2001 and higher
Multiple Proxy Servers
You configure multiple Proxy Servers in your organization to support two objectives: Redundancy and
Load sharing. Having more than one Proxy Server allows you to have multiple gateways to the Internet.
Designing a plan to share the load among the gateway computers is an important issue. You can configure
this load sharing in several ways. They are:
Load sharing using DNS
Load sharing using WINS
Load sharing using multiple Proxy Servers
For clients using the Web Proxy service, you can configure the clients to use a specific Proxy Server or
you can configure them to use all Proxy Servers. For clients using the WinSock Proxy service, you must
configure them to use a specific Proxy Server.
Load Sharing Using DNS
DNS servers are responsible for providing host name-to-IP address resolution. Before the Web browser
can establish the session with the Web server, it must have its IP address. If you are using multiple Proxy
Servers, you can configure the DNS in such a way that it distributes the workload of the servers by
supplying a different IP address for each successive request.
Consider information that is accessed heavily by users and that is spread across three different Web
servers. Clients access that information using a URL, but since the URL contains the host name and each
of the three servers has a different host name, each client would need to specify a different URL. This is
undesirable because you want all clients to specify a single URL. The process needs to be transparent to
the user.
The Microsoft DNS server supports a process known as round robin. This process balances the workload
of the servers, in this case, the three Web servers. To do this, you must create an alias that points to
multiple IP addresses. This alias record is a CNAME record entry in your DNS server file.
DNS gives the client the IP address of the first host in the list. The DNS then moves that host to the
bottom of the list. When the next request arrives, DNS gives the IP addresses of the second server, now at
the top of the list, and moves that server name to the bottom of the list, and so on. In this manner, each
host receives an equal share of client requests and the process is transparent to the user.
Load Sharing Using WINS
If you are using Windows and the TCP/IP protocol, then you should have at least one WINS server
deployed. WINS is Microsoft’s implementation of an RFC NetBIOS Name server. WINS serves a similar,
but different function than DNS. DNS resolves FQDNs (Fully Qualified Domain Names) to IP addresses.
WINS resolves NetBIOS names to IP addresses. All Microsoft operating systems rely on NetBIOS for
their networking.
You can use WINS in the same manner as you use DNS to share the load of your Proxy Servers. You
create a static entry in your WINS server table for the Proxy Server alias and map it to multiple IP
addresses.
Load Sharing Using WinSock Proxy
You install the WinSock Proxy client from a Proxy Server. The client then attaches to and uses the
WinSock Proxy service of the Proxy Server from which the client was installed. To balance the workload
of the WinSock Proxy services, install each client from a different Proxy Server. This distributes the
load among the Proxy Servers in the organization.
Distributed Caching
You can configure caching to be distributed among multiple Proxy Servers in the organization. This
improves both the active and passive caching. You distribute the cached objects and provide for fault
tolerance if one Proxy Server fails or becomes unavailable. Distributed caching is implemented by one of
two methods, or by combining and using both methods: Chaining or Arrays.
Chaining
Using Proxy Server to route to another proxy server is a technique that involves a process called upstream
routing. By configuring upstream routing, a Web Proxy client request can be routed to an upstream Proxy
Server, to a Proxy Server array, or directly to the Internet. The term "upstream," from a data flow point
of view, refers to being closer to the Internet. This technique is also known as chaining.
You can also specify a backup route to use in the event that the upstream proxy server is unavailable. The
backup route is fully functional and provides for automatic transfer transparently. From time to time, the
primary route Proxy Server is queried to see if it is available. When the primary Proxy Server is available,
the primary route is re-established automatically.
Proxy Server Array
An array is a group of Proxy Servers bound together by an array name. Proxy Servers in an array are
administered as a single unit. Configuring an array provides for load sharing, fault tolerance, and easier
administration. Arrays can be useful in branch offices, in networks that are too large to be serviced by a
single Proxy Server, and for consolidating multiple Internet connections.
You must create an array. You do this from the Internet Service Manager (ISM). An array is common to
all Proxy services. Each Proxy Server maintains a list of which members of the array are available and
which members are not available. Each individual member in the array uses a hash to make routing
decisions. A hash is a mathematical algorithm used for routing decisions.
The configuration for a single array member may be propagated and synchronized to all members of the
array. The following parameters are propagated when auto-synchronization is enabled:
Advanced caching options
Client configuration files
Domain filters
LAT
Logging information
Publishing information
Upstream routing options
Web Proxy user permissions
WinSock protocol definitions
Cache Array Routing Protocol (CARP)
Proxy Server 2.0 supports Cache Array Routing Protocol (CARP). This is an enhancement of the Internet
Cache Protocol (ICP). The purpose of this protocol is to allow a proxy server to query other proxy servers
to see if those servers have cached copies of requested objects before the proxy server goes to the Internet
for the object.
CARP expands on the ICP protocol in several ways. CARP uses a "queryless" hash-based algorithm. The
hash-based routing results in the URL being resolved to the same Proxy Server. This means there is a
single hop resolution for the requested object. CARP becomes faster the more Proxy Servers are added.
This is because the location of each cached object is known within the array, unlike ICP, which must
query for each requested object.
CARP prevents multiple servers from caching the same object. This makes the CARP array much more
efficient than an ICP array.
Client Installation
When you install Proxy Server, the Setup Wizard creates the \msp\clients folder. Client software utilities
are installed in their respective folders. For example, the Alpha folder contains Alpha-specific files and
the I386 folder contains the Intel-specific files. The Setup Wizard also shares the \msp\clients as a share
called mspclnt.
You have to install the WinSock client software on the client computers. The client setup program
configures the computer to be a client of the WinSock Proxy service on the server where the setup was
initiated. Also, as part of the installation, the Web browser is configured as a client of the Web Proxy
service.
You can start the client setup program using one of two techniques. You can connect to the UNC
\\server_name\mspclnt and run the client setup program. Or, you can use a browser, such as Internet
Explorer, point it to http://computer_name/msproxy, and click the Install WinSock Proxy 2.0 client. If you
are installing the client on a Web server, the setup program stops the Web service while the installation is
in progress.
The Mspclnt.ini file contains configuration information about the client. This is a text file and can be
edited with any text editor. By default, the client configuration file is downloaded to the client each time a
client computer is restarted and is updated every six hours after an initial refresh. When a refresh occurs,
the order of server share paths, listed in the [Master Config] section of Mspclnt.ini, is used to determine
the location of updated configuration files. At least one entry must be present. Entries are tried in the
order listed. Additional path listings are tried only in the event that preceding paths are not available.
For Mspclnt.ini changes made on the server to be reflected on a client, you either have to manually update
the WinSock Proxy client or wait for the client to be automatically updated. Keep in mind that if you
change the client’s Mspclnt.ini file and want the changes to remain, you should also modify the file on the
server as well.
Using Javascript
When a Web browser client is started, you can specify that a client configuration script be downloaded to
the client computer. This configuration script is written in JavaScript and is located on the Proxy Server
computer for that client computer. Remember, every client contacts a specific Proxy Server.
The script is downloaded to the browser on the client computer and is executed against every URL that the
browser requests. The output of the script is an ordered list of Proxy Servers that is used by the browser to
retrieve the object specified by the URL. This can reduce some of the routing work performed by the
Proxy Server array.
Access Control
Outbound Access
You can allow your clients complete access to the Internet or you can control what they access. Microsoft
Proxy Server provides several methods for controlling outbound access. These methods allow you to
configure as granular control as you require in order to determine what your clients can and cannot access
on the Internet. There are three primary methods for configuring outbound access: Controlling access by
Internet service, Controlling access by IP parameters, and Controlling access by TCP port.
Internet Service
One of the keys of security is to allow access to resources and services only by those who need them. In the
context of Proxy Server, you limit specific services to only those users who need to use the service. You
can set the access control permissions individually for the Web Proxy, WinSock Proxy, and the SOCKS
Proxy services. You set the permissions from inside the ISM using the property sheet of the specific
service.
Web Proxy Service - Use the Permissions tab to “Enable Access Control”. You can then specify who can
have access to the following protocols:
WWW - Access to the HTTP protocol.
FTP Read - Access to FTP services.
Gopher - Gopher is a menu-based system used to supplement FTP.
Secure - The SSL service. If you are granted access, you can use SSL security.
WinSock Proxy Service - Use the Permissions Tab to “Enable Access Control”. You can specify
“Unlimited Access” or you can specify who can have access to the following protocols: AlphaWorld,
AOL, Archie, Echo, Enliven, IMAP4, IRC, Microsoft NetShow, MSN, NNTP, POP3, RealAudio, SMTP,
Telnet, and VDOLive. Other protocols can be added with the WinSock Proxy service.
SOCKS Proxy Service - You use the same procedure to set the permissions for using the SOCKS service.
You get a dialog box you use to configure this service. The “source” specifies the origin of the request.
You do this either by IP address and subnet, for a particular Internet domain, or for all computers. The
“Destination” side is where you allow (or deny) the destination of the permitted entry.
IP Parameters
Proxy Server allows you to control access by specific IP parameters such as: IP address, IP subnet, and
Internet domain name. This is done by enabling filtering and then specifying the appropriate IP address,
subnet, or domain.
When configuring this security, there are two methods you can use. You can grant access to everyone and
then restrict access by denying certain IP addresses, subnets, or domains. Or, you can deny access to
everyone and then grant access by exception by specifying the IP address, subnet, or domain.
Just as with configuring access by Internet service, you can set these parameters for each individual Proxy
Server.
Port
You can configure which port is used by the TCP and UDP protocols and thus control the access to the
WinSock Proxy service. Proxy Server comes with a default set of protocol definitions. You can add your
own protocol definitions or modify the definitions of the default protocols to suit your requirements.
Proxy Server uses application service ports for the WinSock Proxy and SOCKS Proxy services. WinSock-
based applications work through a network connection. Ports are used in combination with IP addressing
to form socket connections. A socket is an endpoint in the communication process. The WinSock Proxy
service can also redirect a listen() call. The implication of this is that Proxy Server can listen to Internet
requests on behalf of your application. It then redirects the request from the Internet to your application.
There is also a special setting called “Unlimited Access”. You can also enable access to inbound and
outbound service ports selectively for users on your network. You do this through the ISM by selecting the
WinSock property sheet and then selecting the Protocols tab.
You can create definitions and modify existing protocol definitions. You can save these definitions and
load them at a later date. You can save this file from one Proxy Server and load it at another Proxy Server.
You may use any legal filename, including an extension. Proxy Server does not append the filename with
an extension. It is saved as a text file.
You can also create new protocol definitions in WinSock Proxy service properties for the purpose of
controlling access.
The following table summarizes the port parameters for the default protocols. You can modify the initial
connection, specify TCP or UDP, and specify whether it is inbound or outbound. You can also set the
parameters for subsequent connections, which do not have to be the same as the initial connection.
Protocol Name     Initial Outbound Connection   Type
AlphaWorld        5670                          TCP
AOL               5190                          TCP
Archie            1525                          UDP
DNS               53                            UDP
Echo (TCP)        7                             TCP
Echo (UDP)        7                             UDP
Enliven           537                           TCP
Finger            79                            TCP
FTP               21                            TCP
Gopher            70                            TCP
HTTP              80                            TCP
HTTP-S            443                           TCP
ICQ               4000                          UDP
IMAP4             143                           TCP
IRC               6667                          TCP
LDAP              389                           TCP
NetShow           1755                          TCP
MSN               569                           TCP
Net2Phone         6801                          UDP
NNTP              119                           TCP
POP3              110                           TCP
RealAudio         7070                          TCP
RealAudio         7075                          TCP
SMTP              25                            TCP
Telnet            23                            TCP
Time (TCP)        37                            TCP
VDOLive           7000                          TCP
Vxtreme           12468                         TCP
WhoIs             43                            TCP
Inbound Access
There are some good site design and implementation guidelines that you can use to lessen the security
risks when using Microsoft Proxy Server. Consider some of the following:
Disable IP forwarding - Setting this parameter disables the forwarding of IP packets.
Enable Access Control - This is the default during installation. Without access control enabled, you will
not be able to set password authentication. This is considered unsecured.
Local Address Table - The LAT details what addresses Proxy Server considers internal network addresses.
This point is critical. Internal addresses have access to the internal network. Never put external
addresses in the LAT.
Disable Server Service - Consider disabling the Windows NT Server service on the Proxy Server system.
This service provides file and print services to network clients. These services are not necessary for the
Proxy Server or its clients to function adequately. If you choose not to disable the service, then make sure
that any shares that you created have the proper permissions assigned to them. You should also use the
NTFS file system because it greatly enhances security for this situation.
Drive Mappings - Do not use drive mappings to connect to remote resources if you are running Proxy
Server and IIS on the same server and you are publishing content. The issue with mapped drives is that the
drive letter designator could change and the resource will not be available. If you use the UNC syntax,
this cannot happen. In addition, you are limited to the number of drive mappings you can have, based on
the characters in the alphabet.
Configuring the Client - Remove gateway references and DNS references from the IP parameters on the
client computers. This prevents clients from bypassing Proxy Server to access the Internet. Don’t forget to
remove these parameters from your DHCP scope properties as well.
Disable RPC ports - Ports 1024 through 1029 are used by TCP/IP services for remote procedure call
(RPC) listening. You can disable all ports used for RPC listening on the external network interface. Then
these ports are no longer visible to the Internet. You make these changes through the registry.
The default installation configuration of Microsoft Proxy Server has the network fully secure from outside
access by Internet users. Interestingly enough, if, during installation, you accept the defaults that enable
access control, internal access to the Internet is also prevented. In other words, users inside cannot access
the Internet and users outside cannot access the internal network.
Access control is enabled at installation, but no users or groups are specified yet. The administrator must
explicitly do this. This is true for both the Web Proxy and WinSock Proxy services.
Controlling by Packet Type
You can use Proxy Server to control access to the internal network using a technique known as packet
filtering. With packet filtering enabled, Proxy Server accepts or denies packets based on packet type. You
can also block packets originating from specific Internet hosts.
Proxy Server supports both dynamic and static packet filtering. With dynamic packet filtering, designated
ports are automatically opened for outgoing and inbound traffic. The ports are automatically closed after
the session has been terminated. This minimizes the number of ports that are open at any time and
minimizes the length of time a particular port is open. Dynamic packet filtering is automatic and requires
no work on your part. Static packet filtering involves manually configuring the filter. You do this using
ISM and the property sheet for the service.
Encryption
Proxy Server takes advantage of authentication and the security architecture of IIS. The Web Proxy
service uses the same password authentication methods for client requests as those configured in the
WWW service of IIS. These authentication methods include: Anonymous logon, Basic authentication, and
Windows NT challenge/response authentication.
Using challenge/response authentication with any Web browser other than Internet Explorer (IE) 4.0
might result in rejection of client configuration scripts (JScripts) or incorrect display of HTTP pages that
use the Secure Sockets Layer (SSL). You should use basic authentication if you are using a Web browser
other than IE 4.0. Basic authentication is sent clear text. If you use basic authentication along with SSL,
then the user’s name and password are encrypted. SSL supports data encryption and authentication. Data
sent to and from a client using SSL is encrypted both ways.
Proxy Server Dial-Up
Proxy Server has a feature called AutoDial. This feature allows you to configure Proxy Server to
automatically dial to your ISP, or dial back to your central location. Proxy Server uses RAS to establish
the dial-up connection. AutoDial is event driven and makes the connection only when needed. Proxy
Server autodials:
When Web Proxy cannot find a requested object in cache
For all client requests of WinSock
For all client requests of SOCKS
To support Proxy Server AutoDial, you must do the following:
Install RAS.
Make a phonebook entry.
Configure the RAS service.
Configure the AutoDial credentials.
Set the AutoDial dialing hours.
Stop and start the Proxy Server services.
Installing Remote Access Service (RAS)
In order to use Proxy Server AutoDial, you must install RAS and configure the services. You must also set
up at least one phonebook entry. RAS can be installed during the Windows NT Server installation. RAS
can also be installed at any time after the installation. After you have RAS installed, you need to do the
following:
Stop the Remote Access AutoDial Manager service.
Disable the AutoDial Manager service.
Stop and Start the Remote Access Connection Manager service.
Make sure that the Connection Manager is set to automatic startup mode.
You use Dial-Up Networking (DUN) to connect as a client through RAS. A phonebook entry is used to
store the parameters necessary to connect to a remote network.
Tools
You can also administer Proxy Server using the command line. This is useful if you need to configure
many Proxy Server computers identically using the same script. Two command-line utilities are installed
during Proxy Server setup.
RemotMsp - This utility helps you configure and administer a remote Proxy Server computer.
WspProto - This utility adds, edits, and deletes the WinSock Proxy service protocol definitions.
Web Administration Tool (WAT) - allows you to administer Proxy Server from your Web browser. WAT
provides the same functions as ISM. To use WAT, you need a Web browser that supports JavaScript. You
should be running at least Microsoft Internet Explorer (IE) 3.02, Netscape Navigator 3.0, or Netscape
Communicator 4.04. In addition, your browser should be configured to enable cookies. You must install
the WAT on a computer running Proxy Server.
Web Publishing
Publishing refers to placing objects (documents, images, etc.) on a Web server so they can be reached by
anyone with access to the Web server. Of course, the concept of publishing applies to Intranet users as
well as Internet users.
Even if you publish only to employees on your internal network, there may be reasons not to let everyone
connect to every server. One such reason is that a server may be located in an unsecured area of the
building where potentially anyone could gain access to it. So the techniques for securing your Web content
against external users can apply to internal users as well.
Proxy Server implements both reverse proxy and reverse hosting as a means of helping you publish to the
Internet while not compromising network security.
Reverse Proxy
Reverse proxy is Proxy Server's ability to process incoming requests to an internal HTTP server and to
respond on its behalf. This is the reverse of the normal process where the proxy takes a request from the
internal network and passes the request to the Internet. With reverse proxy, Proxy Server takes the request
from the Internet and responds to it in place of the internal Web server.
Reverse Hosting
Reverse hosting takes publishing to the next logical step. In reverse hosting, Proxy Server maintains a list
of servers on the internal network that have permission to publish to the Internet. This enables Proxy
Server to listen and respond on behalf of multiple servers that are located behind it. To the Internet client,
this process is transparent. There is no evidence that the request passes through Proxy Server before being
forwarded to the applicable Web server. Proxy Server merely redirects the incoming URL to the
appropriate server.
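The route table a reverse-hosting proxy keeps, as an added example written for this guide rather than code from Proxy Server: the proxy answers on one published name, maps each incoming URL to one of the internal servers that are explicitly allowed to publish, and refuses everything else, so an Internet client never reaches or learns an internal address directly. The published name, the internal host names and the path prefixes are assumptions for the example.

```python
"""Reverse-hosting route table (added example, not Proxy Server code)."""
import posixpath
from urllib.parse import urlsplit, urlunsplit


class ReverseHost:
    def __init__(self, published_host, routes):
        # routes: external path prefix -> (internal server, internal path prefix).
        # Longest prefix wins, so "/" can act as the default route.
        self.published_host = published_host.lower()
        self.routes = sorted(routes.items(), key=lambda item: len(item[0]), reverse=True)

    def route(self, url):
        """Return the internal URL to forward to, or None to refuse the request."""
        parts = urlsplit(url)
        # Only the published name is served; requests for any other host are refused.
        if parts.scheme != "http" or (parts.hostname or "").lower() != self.published_host:
            return None
        # Collapse "." and ".." before matching so a prefix cannot be escaped with "..".
        path = posixpath.normpath("/" + parts.path.lstrip("/"))
        if parts.path.endswith("/") and path != "/":
            path += "/"
        for prefix, (server, internal_prefix) in self.routes:
            base = prefix.rstrip("/")
            if path == prefix or path == base or path.startswith(base + "/"):
                rest = path[len(base):]
                new_path = internal_prefix.rstrip("/") + rest
                return urlunsplit(("http", server, new_path or "/", parts.query, ""))
        return None


# Assumed configuration: two internal servers permitted to publish.
ROUTES = {
    "/": ("www1.corp.example", "/"),            # default: the public web server
    "/docs/": ("docs.corp.example", "/pub/"),   # documentation server, published under /docs/
}


def demo():
    rh = ReverseHost("www.example.com", ROUTES)
    return {
        "root": rh.route("http://www.example.com/index.html"),
        "docs": rh.route("http://www.example.com/docs/guide.html?v=2"),
        # ".." is normalised away, so the request lands on the default route
        "traversal": rh.route("http://www.example.com/docs/../admin/"),
        # an internal name that is not published is never forwarded
        "other_host": rh.route("http://intranet.corp.example/secret.html"),
    }


if __name__ == "__main__":
    for name, target in demo().items():
        print(f"{name:>10}: {target}")
```

The normalisation step is the part worth copying: matching prefixes on the raw path would let `/docs/../` select one server's route and then walk into another directory on it.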
Packet Filtering
Packet filtering occurs when Proxy Server intercepts packets arriving on the external interface and
evaluates them before they are passed to higher levels in the protocol layers or to an application. Proxy
Server lets you apply predefined static filters and can also open and close filters dynamically.
Dynamic filtering is sometimes referred to as stateful filtering. With dynamic filtering, Proxy Server
opens the external port a proxied session needs only while that session is active and closes it again when
the session ends, so only the ports currently in use by internal network services are ever reachable. With
dynamic filtering enabled, Proxy Server is acting as a firewall. A firewall is a hardware/software product
that acts as a barrier. Its purpose is to prevent entry into a network by unauthorized users, processes, or
data.
The security features of Proxy Server allow you to control the flow of traffic to and from the network, in
addition to authenticating client requests. With packet filtering, you can:
· Intercept packets destined to specific services on your Proxy Server computer. You can then either
allow those packets through or block them.
· Send an alert when dropped packets or suspicious events occur. You can either forward a record of
alerts to a log file or send alerts through e-mail.
You can configure packet filters to reject any type of packet and thereby prevent it from being processed
by Proxy Server. This provides a high level of security for your network. Packet filtering can also block
packets originating from specific Internet hosts.
Packet filtering only applies to the external network adapter. The internal network adapter is not affected.
Alerts
Events that can compromise your system should be monitored. If such an event occurs, the server can be
configured so that an alert is generated. Events for which you can generate alerts include:
Rejected packets - Watches the external network interface for dropped IP packets.
Protocol violations - Watches for packets that do not follow the allowed protocol structure.
Disk full - Watches for failures caused by a full disk.
If any of these events occurs, Proxy Server writes the event to the Windows NT event log. Use Event
Viewer to read it. An alert can also be sent as an e-mail message to a designated recipient. Packet filtering
must be enabled before alerting is operational.
Packet filter alerts may be stored in the dedicated log file used by Proxy Server. They may also be stored in
an Open Database Connectivity (ODBC) database such as SQL Server.
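The two sections above (Packet Filtering and Alerts) describe a stateful filter on the external adapter and an alert for every rejected packet. The following is an added example written for this guide, not Proxy Server code: it models a port that is opened only for the lifetime of a session the proxy started for a client, static filters for a permanently published service, a block list of Internet hosts, and an alert hook that a log writer or mailer can be plugged into. Addresses, ports and the sample packets are constructed.

```python
"""Dynamic (stateful) packet filter with rejected-packet alerts (added example)."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    iface: str      # adapter the packet is seen on: "external" or "internal"
    direction: str  # "out" (proxy -> Internet) or "in" (Internet -> proxy)
    proto: str      # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class DynamicPacketFilter:
    def __init__(self, static_allow=(), blocked_hosts=(), alert_sink=None):
        self.static_allow = set(static_allow)    # {(proto, local port)} always open
        self.blocked_hosts = set(blocked_hosts)  # Internet hosts whose packets are dropped
        self.sessions = set()                    # (proto, local ip, local port, remote ip, remote port)
        self.alert_sink = alert_sink or (lambda msg: None)  # e.g. event log or mail sender
        self.rejected = Counter()                # rejected packets per remote host

    def session_open(self, pkt):
        """A proxy service starts a session for a client: open its port for this session only."""
        self.sessions.add((pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))

    def session_close(self, pkt):
        """Session ended: the port is closed again on the external adapter."""
        self.sessions.discard((pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))

    def decide(self, pkt):
        """Return "pass" or "drop" for one packet."""
        if pkt.iface != "external":
            return "pass"                        # the internal adapter is never filtered
        if pkt.direction == "out":
            key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
            if key in self.sessions or (pkt.proto, pkt.src_port) in self.static_allow:
                return "pass"
            return self._reject(pkt, pkt.dst_ip, "no open session")
        if pkt.src_ip in self.blocked_hosts:
            return self._reject(pkt, pkt.src_ip, "blocked host")
        if (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port) in self.sessions:
            return "pass"                        # reply to a session the proxy opened
        if (pkt.proto, pkt.dst_port) in self.static_allow:
            return "pass"                        # permanently published service
        return self._reject(pkt, pkt.src_ip, "no matching session or static filter")

    def _reject(self, pkt, remote, reason):
        self.rejected[remote] += 1
        self.alert_sink(f"rejected packet: {pkt.proto} {pkt.src_ip}:{pkt.src_port} -> "
                        f"{pkt.dst_ip}:{pkt.dst_port} ({reason})")
        return "drop"


def demo():
    alerts = []
    pf = DynamicPacketFilter(static_allow={("tcp", 80)},      # reverse proxy listener
                             blocked_hosts={"192.0.2.77"},     # a blocked Internet host
                             alert_sink=alerts.append)
    ext = "203.0.113.10"   # proxy's external address (constructed)
    web = "198.51.100.5"   # an Internet web server (constructed)

    # 1. Web Proxy fetches a page for a client: port 1025 is opened for this session only.
    req = Packet("external", "out", "tcp", ext, 1025, web, 80)
    pf.session_open(req)
    reply = Packet("external", "in", "tcp", web, 80, ext, 1025)
    results = [pf.decide(req), pf.decide(reply)]
    # 2. Session ends; the same reply is now unsolicited and is rejected.
    pf.session_close(req)
    results.append(pf.decide(reply))
    # 3. Unsolicited NetBIOS session request from the Internet: rejected.
    results.append(pf.decide(Packet("external", "in", "tcp", web, 1234, ext, 139)))
    # 4. Inbound HTTP to the published reverse-proxy listener: static filter allows it.
    results.append(pf.decide(Packet("external", "in", "tcp", "198.51.100.9", 40000, ext, 80)))
    # 5. Same request from a blocked host: dropped even though port 80 is open.
    results.append(pf.decide(Packet("external", "in", "tcp", "192.0.2.77", 40001, ext, 80)))
    # 6. Traffic on the internal adapter is not filtered at all.
    results.append(pf.decide(Packet("internal", "in", "tcp", "10.0.0.5", 2000, "10.0.0.1", 80)))
    return results, alerts, dict(pf.rejected)


if __name__ == "__main__":
    decisions, alerts, per_host = demo()
    print(decisions)
    print("\n".join(alerts))
```

Step 2 is the property that makes the filter "dynamic": the moment the session closes, a packet that was legitimate a second earlier is rejected and raises an alert, which is also why a noisy peer shows up quickly in the per-host rejection counts.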
Monitoring Performance
Proxy Server provides counters that you can use to monitor its performance and monitor how users are
connecting. You can use Performance Monitor to view Proxy Server activity.
Windows NT Server uses Performance Monitor for tracking computer performance and processes. When
you use Performance Monitor, you actually monitor the behavior of its components. These components are
known as objects. Examples of objects are the processor, memory, cache, hard disk, services, and other
components. Each object has a set of counters that are unique to it.
When Proxy Server is installed, several counter objects are installed into Performance Monitor. These
objects contain all the performance counters that are used to monitor Proxy Server.
Performance Monitor
Performance Monitor can help determine where bottlenecks exist. A bottleneck is any place there is a
system shortage or a resource shortage. All computer systems will have resource shortages. Alleviating
one resource shortage may cause another area to show up as the bottleneck. You may then try to add more
resources to shore up that area.
You should monitor four categories of objects when monitoring the system and attempting to identify
bottlenecks: CPU, Memory, Disk, and Network.
When you install Proxy Server, an icon for Monitor Microsoft Proxy Server Performance is added.
Clicking on this icon starts Performance Monitor with Msp.pmc. This file is a preconfigured Performance
Monitor workspace. It already has the objects and counters installed so you do not need to configure
Performance Monitor each time you want to monitor the same set of conditions. These counters are listed
below:
% Processor Time - These counters monitor the processor time used by the Proxy Server service processes.
They help you identify problem areas and show how much of the processor each service uses. A sustained
rise means the processor is becoming the bottleneck; at 100% the system is at maximum capacity.
Active Sessions - How many people are using the server at one time.
Cache Hit Ratio (%) - The percentage of requests the cache is serving, which tells you how effective
caching is. The goal should be to increase this number.
Requests/Second - The rate of incoming requests made to the Web Proxy service.
Total Users - A cumulative count of all users that have ever used the server.
Current Users - The number of users currently using the server. This helps to determine when it is
convenient to stop the server.
Maximum Users - A cumulative counter of the maximum number of users simultaneously connected to the
server.
Transaction Log Files
Your log files let you know how your equipment is doing and how the organization uses the Internet. Log
files are located in the subfolder specified in the Logging tab. The log files are ASCII text files.
Logging to a text file is the default. However, if you prefer to save logs in a database, you can configure
the Web Proxy and WinSock Proxy services to log information to a database instead. Proxy Server
supports ODBC for logging service information to databases. Logging to any ODBC database is possible.
It does not need to be a Microsoft database.
Database logging increases the amount of time and resources needed by Proxy Server. You may want to
consider logging to a text file and then importing the text file into the database as a means of enhancing
performance. Writing log data to a database does, however, make querying and reporting on the data easier.
Log records are stored in one table. Each transaction generates one record in the table. The database can
exist on the Proxy Server computer or on any other computer on your network. You must supply the following
information to log to a database:
ODBC Data Source Name (DSN) - The ODBC Data Source Name (DSN) for the database to which Proxy Server
logs data. You configure this through the ODBC applet in Control Panel.
Table - The name of the table in the database to which Proxy Server logs information.
User name and password - The database account Proxy Server uses to write records. Give this account only
the right to insert into the logging table; a log writer that can read or change other tables is an
unnecessary exposure.
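A small parser that turns these transaction records into the list of most frequently accessed sites, restricted to the services a given client platform uses (Web Proxy plus WinSock Proxy for Windows clients, Web Proxy plus SOCKS for others). This is an added example written for this guide, not code from Proxy Server. Proxy Server writes one comma-separated record per transaction and the field names below follow its vocabulary, but the subset and order in FIELDS, the service name strings and the sample records are assumptions made for the example; set FIELDS to the column order of your own log files before running it on real data.

```python
"""Tally destination hosts from Proxy Server text logs (added example)."""
import csv
from collections import Counter
from io import StringIO

# Assumed column order of the sample records below (not the full Proxy Server field list).
FIELDS = ["ClientIP", "ClientUserName", "LogDate", "LogTime", "Service",
          "DestHost", "DestHostPort", "Protocol", "Operation", "URI", "ResultCode"]

# Constructed sample: three services, two internal clients.
SAMPLE_LOG = """\
10.0.0.5, CORP\\alice, 3/4/1998, 09:12:01, W3Proxy, www.example.com, 80, http, GET, http://www.example.com/, 200
10.0.0.5, CORP\\alice, 3/4/1998, 09:12:03, W3Proxy, www.example.com, 80, http, GET, http://www.example.com/a.gif, 200
10.0.0.7, anonymous, 3/4/1998, 09:13:10, SocksProxy, irc.example.net, 6667, tcp, Connect, -, 200
10.0.0.5, CORP\\alice, 3/4/1998, 09:14:22, WSProxy, ftp.example.org, 21, tcp, Connect, -, 200
10.0.0.7, anonymous, 3/4/1998, 09:15:00, W3Proxy, www.example.com, 80, http, GET, http://www.example.com/b.html, 404
10.0.0.7, anonymous, 3/4/1998, 09:16:45, SocksProxy, irc.example.net, 6667, tcp, Connect, -, 200
"""

# Assumed service names as they would appear in the Service field.
WINDOWS_SERVICES = {"W3Proxy", "WSProxy"}       # Windows clients: Web Proxy + WinSock Proxy
NON_WINDOWS_SERVICES = {"W3Proxy", "SocksProxy"}  # UNIX/Macintosh clients: Web Proxy + SOCKS


def parse_log(text, fields=FIELDS):
    """Yield one dict per record; rows with the wrong number of fields are skipped."""
    reader = csv.reader(StringIO(text), skipinitialspace=True)
    for row in reader:
        if len(row) != len(fields):
            continue            # truncated or foreign line: do not guess at its columns
        yield dict(zip(fields, row))


def top_hosts(text, services=None, n=5):
    """Most requested destination hosts, optionally restricted to a set of services."""
    counts = Counter()
    for rec in parse_log(text):
        if services and rec["Service"] not in services:
            continue
        host = rec["DestHost"].lower()
        if host and host != "-":
            counts[host] += 1
    return counts.most_common(n)


if __name__ == "__main__":
    print("all clients:        ", top_hosts(SAMPLE_LOG))
    print("Windows clients:    ", top_hosts(SAMPLE_LOG, WINDOWS_SERVICES))
    print("non-Windows clients:", top_hosts(SAMPLE_LOG, NON_WINDOWS_SERVICES))
```

The same function runs unchanged over a database export, since ODBC logging writes the same fields into one table, one record per transaction.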
Questions
Exam 70-88
1: Can you use wildcards like "*" in domain filtering?
A: No
2: The users in your internetwork complain that they have very slow, or no cache response. What might
you do to improve response time?
A: You should require them to use the WEB PROXY in order to take advantage of the content caching.
3: If you have a client using a browser that cannot be automatically configured, how many (maximum)
hops will a client have to a proxy array of 6 computers?
A: two
4: Users complain that the only way to reach a site on the Internet is by entering its IP address. What
could be wrong?
A: There is no DNS server configured in the TCP/IP properties.
5: You have 3 locations, SiteA, SiteB and SiteC, connected to each other by T1 lines. SiteA has a T1
connection and a Proxy Array to the Internet; SiteB has a single proxy server and a T1 connection to the
Internet. You want to implement a Proxy Server at SiteC. How are you going to configure it?
A: Primary route to SiteA, backup route to SiteB.
6: You have two Proxies, Proxy1 and Proxy2. Proxy1 is configured to have an upstream route to Proxy2.
How can you configure it to work if Proxy 2 fails?
A: In Web Service Properties, select Routing Tab, Enable Backup Route, select use Direct Connection.
7: Suppose you have a LAN running an old version of Proxy Server and you'd like to implement Proxy
version 2.0. However, you want the same configuration. What should you do? (Choose 2)
A: Use the Server Backup, on the Service tab.
Use the Server Restore , on the Service tab.
8: You have a LAT, IP addresses for an external NIC, an internal NIC, and a gateway. Which source IP
address will packets carry when they are redirected to the Internet?
A: The IP address of the external NIC.
9: You have a network which consists of a proxy, a router, and your LAN. Your router is between your
proxy and your LAN. The router is configured to allow only HTTP(port 80) to pass. If you use the web
browser, which protocols can you use? (Choose 3)
A: HTTP, HTTPS and FTP.
10: Which admin utility would you use for remote administration of the proxy server?
A: REMOTMSP
11: Which application would you use to administer the Proxy Server if you are logged on locally to the
server itself?
A: ISM
12: You have installed Netscape Navigator or IE 3.02 on a UNIX machine. How can you enable Netscape
to use the Web Proxy Service?
A: In Netscape, go to Options, Network Preferences, Proxies tab, Manual Configuration, and fill in the
HTTP proxy line (and the FTP, Gopher and Security lines if those protocols should also go through the
proxy) with the DNS name of the Proxy Server and its Web Proxy port (80 by default). The SOCKS Host
line is for the separate SOCKS Proxy service, not the Web Proxy service.
13: How would you make a list of the most frequently accessed sites by Windows clients?
A: Enable logging on Web Proxy Service and WinSock Proxy Service
14: How would you make a list of the most frequently accessed sites by non-windows clients?
A: Enable logging on Web Proxy Service and SOCKS proxy Service.
15: Your LAN has 2 subnetworks. The first is in the main office, configured as an array with a T1 line to
the ISP. The second is a single stand-alone proxy at the branch, which uses its own T1 to the ISP. You
need to implement a new proxy. How will you achieve the best performance?
A: Make the primary connection to the main office and the backup connection to the branch.
16: What can you implement to prevent users from accessing certain Web sites?
A: Domain Filtering.
18: You have UNIX, Win95, WinNT clients in your network. You want to prevent UNIX clients from
accessing IRC. What's the best way to do it?
A: In SOCKS Service Properties, deny access to TCP port 6667.
19: When monitoring your Proxy Server, what utility would you use to determine where the SMTP traffic
is coming from?
A: Network Monitor.
20: Suppose you have multiple proxy servers in your LAN, what must you do in order to collect
information about all servers in one location?
A: Configure the proxy to log to SQL server, and share it among all servers.
21: You have IE 3.02 installed on your Clients. It is configured with an automatic client configuration
script. How would you disable it?
A: Under the View, Options, Advanced tab on IE.
22: Suppose you have CARP servers in your LAN. On your clients you configure Internet Explorer to use
Automatic Configuration. How many hops will there be to find the URL for Web browser requests?
A: One.
22: Your users frequently access a certain Web Page. What should you do to optimize the response time
when internal users request this page?
A: Create Cache Filter for this site and set the filter status to always cache.
23: What object counters would you check in Performance Monitor to determine whether you need to add
more proxy servers to your array?
A: Maximum Users
Total Users
24: What should you do in order to retrieve the most recent version of a URL requested from the Internet?
A: Disable cache.
25: The administrator of your network attempted to view the hard disk counters in Performance Monitor,
but he cannot see any counters although the disk is being accessed constantly. What should you do to solve
the problem? (Choose 2)
A: Run the DISKPERF -Y command to enable the disk counters.
Restart the Proxy Server computer (the counters are not active until the next boot).
26: You have a problem in your LAN because users can not access remote URLs but they can access local
ones. What is the best way to solve it?
A: Specify DNS Server address on the Proxy Server.
27: How can you prevent external users from viewing NetBIOS names, in a case where a WINS server is
installed on your LAN?
A: Enable packet filtering.
Unbind all NetBIOS services from the external NIC of the proxy.
Disable unnecessary services such as RAS.
28: How much cache will be needed on your Proxy Server for 500 users?
A: 350 MB. The rule is 100 MB plus 0.5 MB per user: 100 + (500 x 0.5) = 100 + 250 = 350 MB.
29: If you enable Automatic Configuration on the Clients browsers, what kind of files will be
downloaded?
A: Javascript.
30: What's the minimum Amount of RAM required for 2000 clients?
A: 64 MB
31: What object would you use to see if the content of the cache is optimally configured?
A: Cache Hit Ratio
32: How would you update cache objects during less busy hours?
A: Enable active caching.
33: Which proxy services are used by UNIX-based and Macintosh machines?
A: Web Proxy service
SOCKS Proxy service
34: In your network you have Exchange servers on several computers in the internal network, with the
Internet Mail Service (IMS) installed among the Exchange services. How should you configure the proxy
server to enable internal users to send and receive e-mail from the Internet? (Choose 2)
A: On each Exchange server, add the external IP address of the proxy server.
On each DNS server, add an Internet MX resource record that names the proxy server as the mail
server.
35: When you look at the Performance Monitor, you have 0 in the disk queue, 1 in network queue and
40% CPU load. What action would you take?
A: Increase the disk cache
36: A user modifies their local proxy client configuration file. The change works until the next morning,
when the file is back to its original configuration. Why?
A: It is overwritten at specified intervals with the server's copy.
37: You have 3 different proxies in your LAN. There is only one DNS name (proxy.troytec.com) pointing
to the 3 IPs of the Proxy servers. How are you going to distribute the clients evenly among the proxies?