Contents
Module 7: Microsoft Proxy Server 2.0 as a Solution for Internet Connectivity
Overview                                              1
Introducing Proxy Server                              2
Designing a Functional Proxy Server Solution          7
Securing a Proxy Server Solution                     15
Enhancing a Proxy Server Design for Availability     26
Optimizing a Proxy Server Design for Performance     31
Lab A: Designing a Proxy Server Solution             41
Review                                               54
Information in this document is subject to change without notice. The names of companies,
products, people, characters, and/or data mentioned herein are fictitious and are in no way intended
to represent any real individual, company, product, or event, unless otherwise noted. Complying
with all applicable copyright laws is the responsibility of the user. No part of this document may
be reproduced or transmitted in any form or by any means, electronic or mechanical, for any
purpose, without the express written permission of Microsoft Corporation. If, however, your only
means of access is electronic, permission to print one copy is hereby granted.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.
© 2000 Microsoft Corporation. All rights reserved.
Microsoft, Active Directory, ActiveX, BackOffice, FrontPage, JScript, MS-DOS, NetMeeting,
PowerPoint, Visual Basic, Visual C++, Visual Studio, Win32, Windows, Windows Media,
Windows NT, are either registered trademarks or trademarks of Microsoft Corporation in the
U.S.A. and/or other countries/regions.
Project Lead: Don Thompson (Volt Technical)
Instructional Designers: Patrice Lewis (S&T OnSite), Renu Bhatt NIIT (USA) Inc.
Instructional Design Consultants: Paul Howard, Susan Greenberg
Program Managers: Jack Creasey, Doug Steen (Independent Contractor)
Technical Contributors: Thomas Lee, Bernie Kilshaw, Joe Davies
Graphic Artist: Kirsten Larson (S&T OnSite)
Editing Manager: Lynette Skinner
Editor: Kristen Heller (Wasser)
Copy Editor: Kaarin Dolliver (S&T Consulting)
Online Program Manager: Debbi Conger
Online Publications Manager: Arlo Emerson (Aditi)
Online Support: Eric Brandt (S&T Consulting)
Multimedia Development: Kelly Renner (Entex)
Test Leads: Sid Benevente, Keith Cotton
Test Developer: Greg Stemp (S&T OnSite)
Production Support: Lori Walker (S&T Consulting)
Manufacturing Manager: Rick Terek (S&T OnSite)
Manufacturing Support: Laura King (S&T OnSite)
Lead Product Manager, Development Services: Bo Galford
Lead Product Manager: Ken Rosen
Group Product Manager: Robert Stewart
Other product and company names mentioned herein may be the trademarks of their respective
owners.
Module 7: Microsoft Proxy Server 2.0 as a Solution for Internet Connectivity
Instructor Notes
Presentation: 60 Minutes
Lab: 45 Minutes
This module provides students with the information and experiences needed to
evaluate and design Internet connectivity solutions by using Microsoft Proxy
Server 2.0 (Proxy Server) in a Microsoft® Windows® 2000 network
infrastructure. Proxy Server is a separately purchased family of services that
runs on Windows 2000. Proxy Server connects private networks to the Internet
while protecting private network resources.
At the end of this module, students will be able to:
Evaluate Proxy Server as a solution for Internet connectivity.
Evaluate and create a functional Proxy Server Internet connectivity solution.
Select appropriate strategies to secure a Proxy Server solution.
Select appropriate strategies to enhance Proxy Server availability.
Select appropriate strategies to improve Proxy Server performance.
On completion of the lab, students will be able to evaluate and design Proxy
Server solutions to support the Internet connectivity requirements of an
organization.
Course Materials and Preparation
This section provides you with the materials and preparation needed to teach
this module.
Required Materials
To teach this module, you need the following materials:
Microsoft PowerPoint® file 1562B_07.ppt
Preparation Tasks
To prepare for this module, you should:
Review the contents of this module.
Review RFC 1918.
Be familiar with a variety of Internet connectivity design requirements that
can be met by using Proxy Server.
Review any relevant information in the Windows 2000 Help files,
Windows 2000 Resource Kit, or documents provided on the Instructor CD.
Review the discussion material and be prepared to lead class discussions on
the topics.
Complete the lab and be prepared to elaborate beyond the solutions found
there.
Read the review questions and be prepared to elaborate beyond the answers
provided in the text.
Module Strategy
Use the following strategy to present this module:
Introducing Proxy Server
Proxy Server provides Internet access to users on a private network while
protecting the network’s resources.
In this section:
• Explain that Proxy Server is not included with Microsoft Windows 2000
but runs on a Microsoft Windows 2000–based server. Throughout the
module, Proxy Server with initial capitalization is used to indicate the
Microsoft Proxy Server 2.0 product. When proxy server appears without
initial capitalization, it indicates a computer that is providing proxy
services.
• Emphasize that the design requirements for a Proxy Server solution
include the security requirements, network configuration, number of
Internet-exposed resources, and number of locations.
• Emphasize that Proxy Server works in routed or non-routed
environments, provides restriction to the Internet on a user-by-user basis,
and restricts access to private networks on a resource-by-resource basis.
• Point out that Proxy Server integrates with other networking services to
take advantage of their features.
Designing a Functional Proxy Server Solution
The solution provided by Proxy Server is based on the requirements for
Internet Protocol (IP) addresses and Internet connectivity.
In this section:
• Explain that the required public and private IP addresses are obtained
from an Internet service provider (ISP) or Internet registry, and then
assigned to the appropriate interfaces and devices.
• Describe how to determine the appropriate interface and select the
appropriate connection.
• Explain that the private network address ranges are specified and the
appropriate software is selected to connect the private network
computers to the Proxy Server.
• Make sure students understand the illustration, scenario description, and
directions for the Discussion. Direct them to read through the scenario
and answer the questions. Be prepared to clarify if necessary. Lead a
class discussion on the students’ responses.
Securing a Proxy Server Solution
Isolating the private network from the Internet and restricting traffic
between the private network and the Internet enhance the security of a
Proxy Server solution.
In this section:
• Explain that access to Internet resources can be restricted on a
user-by-user basis, with users defined in the Active Directory™ directory
service, or as local user accounts on member servers.
• Emphasize that screened subnets are used to prevent traffic from passing
through the proxy server. The required number of screened subnets is
based on the organization’s security requirements.
• Emphasize that to ensure a secure network, traffic must not pass between
the private network and the Internet. Explain the use of Proxy Server
packet filters to prevent traffic between the private network and the
Internet.
• Describe the use of Proxy Server domain filters to restrict private
network traffic to Internet resources.
• Point out that to restrict inbound traffic, access to Hypertext Transfer
Protocol (HTTP) or File Transfer Protocol (FTP) servers that are located
in the private network can be enabled with Proxy Server Web
Publishing.
Enhancing a Proxy Server Design for Availability
The availability of the Proxy Server solution can be enhanced for both
outbound and inbound client requests.
In this section:
• Emphasize that using a proxy array provides failover for outbound client
requests.
• Emphasize that multiple Proxy Servers can be combined with either
round robin DNS entries, or Network Load Balancing.
Optimizing a Proxy Server Design for Performance
Selecting a cache method, organizing the servers hierarchically, and
distributing IP traffic across multiple Proxy Servers can optimize the
performance of the Proxy Server solution.
In this section:
• Emphasize that the Proxy Server cache stores copies of requests for
Internet-based objects on a local drive on the Proxy Server.
• Emphasize that organizing Proxy Servers in a hierarchy and using
caching reduces the use of the wide area network (WAN) connection
and the Internet connection.
• Emphasize that distributing IP traffic across multiple Proxy Servers and
using round robin DNS entries, proxy arrays, or Network Load
Balancing, optimizes the performance of the Proxy Server solution.
• Make sure students understand the illustration, scenario description, and
directions for the Discussion. Direct them to read through the scenario
and answer the questions. Be prepared to clarify if necessary. Lead a
class discussion on the students’ responses.
Lab Strategy
Use the following strategy to present this lab.
Lab A: Designing a Proxy Server Solution
In the lab, students will design a Proxy Server solution based on specific
requirements outlined in the given scenario.
Students will review the scenario and the design requirements and read any
supporting materials. They will use this information, and the knowledge gained
from the module, to develop a detailed design by using Proxy Server as a
solution.
To conduct the lab:
Read through the lab carefully, paying close attention to the instructions and
to the details of the scenario.
Divide the class into four teams and assign each team one section (either the
Regional Reservations Center or one of the types of airports) of the lab
exercise.
Present the lab, and make sure students understand the instructions and the
purpose of the lab.
Direct students to use the Design Worksheet to record their solutions.
Remind students to consider any functionality, security, availability, and
performance criteria provided in the scenario, and how they will incorporate
strategies to meet these criteria in their design.
Allow some time to discuss the solutions after the lab is completed. A
solution is provided in your materials to assist you in reviewing the lab
results. Encourage students to critique each other’s solutions and to discuss
any ideas for improving their designs.
Overview
Slide Objective: To provide an overview of the module topics and objectives.
Lead-in: In this module, you will evaluate and create Internet connectivity
solutions by using Microsoft Proxy Server 2.0.
Point out that, throughout the module, Proxy Server with initial
capitalization is used to indicate the Microsoft Proxy Server 2.0 product.
When proxy server appears without initial capitalization, it indicates a
computer that is providing proxy services.
Slide topics:
Introducing Proxy Server
Designing a Functional Proxy Server Solution
Securing a Proxy Server Solution
Enhancing a Proxy Server Design for Availability
Optimizing a Proxy Server Design for Performance
Organizations connect to the Internet to provide Internet access to users on the
private network, and to allow users on the Internet access to private network
resources. The Internet connectivity solution must prevent unauthorized users
from accessing private network resources.
Microsoft Proxy Server 2.0 (Proxy Server) provides solutions to Internet
connectivity requirements for Microsoft® Windows® 2000 networks. Proxy
Server is a group of services that is not included with Windows 2000 but runs
on Windows 2000.
At the end of this module, you will be able to:
Evaluate Proxy Server as a solution for Internet connectivity.
Evaluate and design a functional Proxy Server solution for baseline Internet
connectivity.
Select appropriate strategies to secure a Proxy Server solution.
Select appropriate strategies to enhance Proxy Server availability.
Select appropriate strategies to improve Internet connectivity performance.
Note: Throughout the module, Proxy Server with initial capitalization is used
to indicate the Microsoft Proxy Server 2.0 product. When proxy server appears
without initial capitalization, it indicates a computer that is providing proxy
services.
Introducing Proxy Server
Slide Objective: To identify Proxy Server as a solution for Internet
connectivity in a Windows 2000 network infrastructure.
Lead-in: Proxy Server connects private networks to the Internet, while also
preventing unauthorized access to private network resources.
Slide topics:
Design Decisions for a Proxy Server Solution
Features of Proxy Server
Integration Benefits
Proxy Server connects private networks to the Internet, while also protecting
private network resources from unauthorized users. Proxy Server supports the
essential requirements for any Internet connectivity design, and provides
additional features to enhance the security, availability, and performance of the
Internet connectivity solution.
To design an Internet connectivity solution based on Proxy Server, you must:
Identify the design decisions that influence a Proxy Server solution.
Identify how the features provided by Proxy Server support the design
requirements for Internet connectivity.
Identify the benefits provided by integrating Proxy Server with other
services in Windows 2000.
Design Decisions for a Proxy Server Solution
Slide Objective: To introduce the factors that influence the development of a
Proxy Server solution.
Lead-in: By using Proxy Server, you can design an Internet connectivity
solution based on the security requirements of the private network, and the
Internet connectivity requirements of the organization.
Slide diagram: a Proxy Server between the Internet and the private network,
annotated with the questions:
Secure Internet and Private Network Access Required?
Routed or Non-routed Network?
Number of Resources Shared with Internet?
Number of Locations?
Refer to the questions on the diagram to identify the information required for
making design decisions for a Proxy Server solution.
By using Proxy Server, your design decisions for an Internet connectivity
solution must be based on the security requirements, the network configuration,
the number of Internet-exposed resources, and the number of geographically
distributed locations of the organization. Proxy Server is an appropriate solution
for Internet connectivity if:
Internet and private network access is restricted on a user-by-user basis or
on a resource-by-resource basis.
The private network is in a routed or nonrouted environment.
A number of private network resources need to be shared with Internet-based
users.
The private network encompasses multiple geographic locations.
Features of Proxy Server
Slide Objective: To introduce the features of Proxy Server.
Lead-in: To incorporate Proxy Server into your solution, you need to identify
how the features of Proxy Server support an organization’s Internet
connectivity requirements.
Slide diagram: a Proxy Server between the Internet and the private network,
with Screened Subnet A and Screened Subnet B, annotated with the features:
Isolate the Private Network
Restrict Internet and Private Network Traffic
Cache FTP and HTTP Requests
Integrate Into Existing Networks
To incorporate Proxy Server into your network design, you need to identify
how the features of Proxy Server support the Internet connectivity
requirements.
Isolating the Private Network
Proxy Server enhances the security of an organization by isolating the private
network from the Internet, and acting as an intermediary in the exchange of
traffic between the Internet and the private network. With the private network
isolated, you can reduce the number of required public addresses by selecting a
private addressing scheme.
Restricting Internet and Private Network Traffic
Proxy Server allows you to restrict the traffic between the Internet and private
network so that you can limit the access of private network users to
Internet-based resources, and limit Internet user access to private
network-based resources.
You can use Proxy Server to restrict the traffic between the Internet and the
private network by:
Granting Internet access to authorized users.
Establishing filters that forward or discard Internet Protocol (IP) packets
based on the IP address and protocol numbers.
Intercepting inbound Uniform Resource Locator (URL) requests and
determining whether the requests must be forwarded to a private network
resource.
Using screened subnets to provide the required level of network security.
Caching FTP and HTTP Requests
Proxy Server intercepts File Transfer Protocol (FTP) and Hypertext Transfer
Protocol (HTTP) Internet requests for Web objects and saves the retrieved Web
objects in a local cache. When private network users request Internet-based
resources, Proxy Server checks the local cache to see if the request is stored
there. If the request is found in the local cache, the Web object is retrieved from
the local cache and no Internet request is necessary.
Integrating into Existing Networks
If integrated into existing networks, Proxy Server:
Supports both Windows Sockets (WinSock) and non-WinSock clients on a
variety of client operating systems.
Supports integration with the Active Directory™ directory service accounts
in Windows 2000 to provide single logon access for users on Windows-based
computers.
Supports IP and Internetwork Packet Exchange/Sequenced Packet Exchange
(IPX/SPX) protocols on private networks so that IP and IPX/SPX-based
clients can access the Internet through Proxy Server.
Integration Benefits
Slide Objective: To describe the benefits of integrating Proxy Server with
other networking services.
Lead-in: Proxy Server integrates with other networking services such as IPSec
and Active Directory.
Slide diagram: Proxy Server linked to IPSec (Authentication and IPSec
Tunnels), Routing and Remote Access (Demand-Dial Connections, IP Filters, and
VPN Tunnels), and Active Directory (User Account Authentication).
Point out that because Proxy Server is running on Windows 2000, it can
integrate with the networking services mentioned on this page.
Proxy Server integrates with other networking services to take advantage of
their features. The integration of these features requires you to include
additional technologies (such as virtual private network (VPN) tunnels that are
used for authentication and data encryption) in the design.
The following table describes the benefits of integrating Proxy Server with
other networking services.
Proxy Server integrates with         To
Internet Protocol Security (IPSec)   Provide Proxy Server authentication and the
                                     encryption of data transmitted between
                                     locations over public networks.
Routing and Remote Access            Provide support for nonpersistent
                                     connections by using specified demand-dial
                                     connections.
                                     Reduce undesired traffic by using specified
                                     IP Filters.
Active Directory                     Provide Kerberos version 5 protocol
                                     certificates and user accounts so that
                                     authentication occurs when specified.
Designing a Functional Proxy Server Solution
Slide Objective: To provide an overview of the decisions involved in creating a
functional Internet connectivity Proxy Server solution.
Lead-in: To design an Internet connectivity solution by using Proxy Server, you
must establish the essential requirements for Internet connectivity.
Slide topics:
Placing Proxy Server Within a Network
Integrating Proxy Server into the Existing Network
Determining Proxy Server Client Requirements
Discussion: Designing a Proxy Server Solution
There are a few essential decisions that you need to make for an Internet
connectivity solution, so that you can derive the specifications for the Proxy
Server design. After these essential decisions are established, you can optimize
the Internet connectivity solution by adding security, availability, and
performance enhancements to your design.
The essential decisions for your Proxy Server design include:
Where to place Proxy Server within a network so that network traffic is
localized without compromising security.
Which IP address, persistence, data rate, and security router interface
characteristics affect the integration of the router into the existing network.
How the private network clients will access the proxy server, and the
software that the clients will use to access the proxy server.
Placing Proxy Server Within a Network
Slide Objective: To introduce the decisions involved in the placement of Proxy
Server within a network.
Lead-in: You need to place Proxy Server between the network segments so that
network traffic is localized and security is maintained.
Slide diagram: network placement of Proxy Server (labels: Internet, Central
Office, Branch Office, Proxy Server, Screened Subnet, Web Server, Demand-Dial).
Slide topics:
Proxy Server Within the Private Network
Proxy Server at the Edge of the Private Network
Delivery Tip: Use the diagram to show the placement of Proxy Server in the
network.
You must place Proxy Server between the network segments so that network
traffic is localized and security is maintained. To improve performance, you can
place Proxy Server so that Web objects are cached for an entire organization, a
location within an organization, or a network segment within an organization.
Proxy Server Within the Private Network
Place Proxy Server within the private network so that:
Web objects are cached for network segments within an organization to
reduce private network traffic.
Screened subnets are created within the private network, thereby protecting
confidential data.
Network packets can be exchanged between dissimilar network segments,
such as between an Ethernet network segment and an asynchronous transfer
mode (ATM) network segment.
Proxy Server at the Edge of the Private Network
Place Proxy Server at the edge of the private network so that:
Users on the private networks can access the Internet.
Web objects are cached for the entire organization.
The private network is isolated from the public network, thereby protecting
confidential data.
Network packets can be exchanged between the private network segments
and public network segments, such as between an Ethernet private network
segment and an Integrated Services Digital Network (ISDN) public network
segment.
Integrating Proxy Server into the Existing Network
Slide Objective: To describe how to select the proxy server interface
characteristics that affect the integration of the proxy server into the
network.
Lead-in: You must select the proxy server interface characteristics so that
you can integrate Proxy Server into the existing network.
Slide diagram: network placement of Proxy Server (labels: Internet, Central
Office, Branch Office, Proxy Server, Screened Subnet, Web Server, Demand-Dial).
Slide topics:
Interface Address and Subnet Mask
Interface Data Rate and the Persistence
Depending on the size of the network, your network design can include a
number of proxy servers. Each proxy server in the network design must have at
least one interface, although most proxy servers have more than one. For each
proxy server interface, you must describe the interface characteristics so that the
proxy server can be integrated into the existing network.
Note: Specify one interface in the proxy server if the design requires only
Proxy Server caching or if Proxy Server provides IPX to Transmission Control
Protocol/Internet Protocol (TCP/IP) translation.
Selecting the Interface Address and Subnet Mask
When selecting the proxy server interface address and subnet mask, remember
that:
Each proxy server interface requires an IP address and subnet mask.
The IP address assigned to the proxy server interface must be within the
range of addresses that are assigned to the network segment that is directly
connected to the interface.
The subnet mask assigned to the proxy server interface must match the
subnet mask that is assigned to the network segment that is directly
connected to the interface.
Selecting the Interface Data Rate and the Persistence
Each proxy server interface connects to a private or public network segment.
These network segments can be persistent or non-persistent. In addition, the
data rates for these network segments can vary considerably. You need to
specify the data rate and persistence for proxy server interfaces so that the
proxy server can connect to private and public network segments.
Interfaces that connect to private network segments
Private network segments are based on local area network (LAN) technologies
that are persistent interface connections. The data rate of the private network
segment is determined by the LAN technology, such as 100 megabits per
second (Mbps) data transfer rate for 100 Mbps Ethernet.
Interfaces that connect to public network segments
Public network segments are based on LAN and demand-dial technologies that
can be persistent or non-persistent. Public network segments that appear to
Proxy Server as LAN interfaces are persistent, and the data rate is determined
by the LAN technology.
Public network segments that appear as demand-dial interfaces are
nonpersistent, and the data rate is determined by the underlying technology. An
example of this would be a 56-Kbps dial-up modem connection that supports a
maximum data rate of 56 Kbps.
Even if the public network segments are based on LAN technologies, you can
still include demand-dial interfaces in your solution, such as a VPN
connection over a digital subscriber line (DSL) connection. Include a
demand-dial interface in your design if:
An exchange of credentials is required to perform authentication, such as
VPN tunnel authentication.
Charges, such as ISDN connection charges, are accumulated if the public
network segment is active.
To connect to another location across the Internet, one solution is to specify a
VPN tunnel over a DSL network segment. In this case, you will need to include
the following interfaces in your design:
A LAN interface that supports the persistent DSL network segment.
A demand-dial interface to perform the authentication required by the VPN
tunnel.
Determining Proxy Server Client Requirements
Slide Objective: To identify the Proxy Server client requirements to be
included in the Proxy Server design.
Lead-in: You must determine the Proxy Server client requirements so that you
can specify the private network address ranges and select the appropriate
software for connecting to Proxy Server.
Slide diagram: a private network connected to the Internet through Proxy
Server, showing all traffic using the Proxy Server client, HTTP/FTP traffic
using IE 5.0, and a UNIX SOCKS client.
Slide topics:
Specify Private Network IP Address Ranges
Select Software for Connecting to Proxy Server
You determine the Proxy Server client requirements so that you can specify the
private network address ranges and select the appropriate software for
connecting to Proxy Server.
Specifying Private Network IP Address Ranges
You must identify the IP address ranges within the private network so that you
can specify these address ranges in the Proxy Server design. Proxy Server
clients can then determine if the destination IP address in an IP packet must be
sent directly to the private network destination, or forwarded to the proxy
server.
The IP address ranges that you specify are stored in the local address table
(LAT) file on the proxy server. When requests are sent to the proxy server, the
proxy server uses the LAT to determine if the request is within the private
network or on the Internet.
For computers on the private network that do not have Proxy Server client
software, you need to specify the IP address of the proxy server’s private
network interface as the default gateway. Because the proxy server is the
default gateway for the computer, all requests that are not on the computer’s
local subnet are forwarded to the proxy server. The proxy server forwards the
request to the Internet.
When the computers on the private network have Proxy Server client software
installed, they have a local copy of the LAT file. The Proxy Server clients use
their local copy of the LAT file to determine if requests are within the private
network, or on the Internet. Private network requests are sent directly to the
destination within the private network. Internet requests are sent to the proxy
server.
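As an added example (not from the course materials), the following Python
script shows the LAT decision described above: it parses LAT-style address
ranges, decides for each destination whether a client sends directly or to the
proxy server, and flags any range that lies outside the RFC 1918 private
address space. The LAT layout (one "first last" pair per line, with comments
and a section header ignored) and the sample ranges are assumptions for
illustration, not necessarily the product's actual LAT file format.

```python
"""LAT-style client decision: direct to a private destination, or via proxy.

Added example; the LAT layout and sample ranges below are assumptions.
"""
import ipaddress
from typing import List, Tuple

# RFC 1918 private address space; a private network that uses a private
# addressing scheme is expected to keep its LAT ranges inside these blocks.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample LAT contents for this example (not taken from the page).
# Assumed layout: one "first_address last_address" range per line; "#"
# comments and "[section]" header lines are ignored.
SAMPLE_LAT = """\
[ranges]
# Montreal central office
10.1.0.0 10.1.255.255
# Branch offices (Toronto, Winnipeg, Calgary, Vancouver)
10.2.0.0 10.5.255.255
# A public range added by mistake; check_lat() flags it
198.51.100.0 198.51.100.255
"""

Range = Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]


def parse_lat(text: str) -> List[Range]:
    """Parse LAT text into (first, last) IPv4 address pairs."""
    ranges: List[Range] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("["):
            continue
        parts = line.split()
        if len(parts) != 2:
            raise ValueError(f"LAT line {lineno}: expected 'first last', got {raw!r}")
        first, last = (ipaddress.IPv4Address(p) for p in parts)
        if last < first:
            raise ValueError(f"LAT line {lineno}: last address precedes first")
        ranges.append((first, last))
    return ranges


def is_private_destination(dest: str, ranges: List[Range]) -> bool:
    """True when dest falls inside any LAT range."""
    addr = ipaddress.IPv4Address(dest)
    return any(first <= addr <= last for first, last in ranges)


def route_for(dest: str, ranges: List[Range]) -> str:
    """Client decision: 'direct' for a private destination, otherwise 'proxy'."""
    return "direct" if is_private_destination(dest, ranges) else "proxy"


def check_lat(ranges: List[Range]) -> List[str]:
    """Warn about LAT ranges outside RFC 1918 space.

    Clients send LAT destinations directly rather than to the proxy server, so
    a public range in the LAT is a design error worth catching in review.
    """
    warnings = []
    for first, last in ranges:
        if not any(first in net and last in net for net in RFC1918):
            warnings.append(f"{first}-{last} is outside RFC 1918 private space")
    return warnings


if __name__ == "__main__":
    lat = parse_lat(SAMPLE_LAT)
    for dest in ("10.2.7.9", "10.6.0.1", "203.0.113.10"):
        print(f"{dest:>14} -> {route_for(dest, lat)}")
    for warning in check_lat(lat):
        print("WARNING:", warning)
```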
Selecting Software for Connection to Proxy Server
You can specify that the private network interface of the proxy server is the
default gateway entry for computers on the private network. If you specify the
proxy server as the default gateway, the private network traffic increases
because all traffic destined for other subnets in the private network is forwarded
first to the proxy server and then on to the final destination.
To prevent the unnecessary private network traffic, specify that the private
network computers be configured with software to forward traffic to the proxy
server if the final destination is the Internet.
The following table lists the software options for private network computers
and the reason to include the options in your design.
Select                        If you need to support
Microsoft Internet Explorer   HTTP and FTP traffic only.
5.0                           Any operating system that includes Internet
                              Explorer 5.0.
                              Packet filters and domain filters for filtering
                              traffic.
Proxy Server client           All IP protocol traffic.
                              Any operating system that supports the WinSock
                              standard.
                              Packet filters and domain filters for filtering
                              traffic.
                              IPX/SPX-based private networks.
SOCKS                         All IP protocols supported by the SOCKS
                              applications.
                              UNIX, Macintosh, or operating systems that run
                              SOCKS-compatible applications.
                              SOCKS rules, Protocol rules, and IP packet
                              filters for filtering traffic.
No client software            All IP protocols.
                              Any operating system with the default gateway
                              configured to send Internet traffic to the
                              proxy server.
                              Protocol rules, and IP packet filters for
                              filtering traffic.
Discussion: Designing a Proxy Server Solution
Slide Objective: To evaluate the decisions involved in designing Proxy Server
solutions.
Lead-in: To design a Proxy Server solution, you must decide where to place
Proxy Server and how to integrate Proxy Server. You must also determine the
Proxy Server client requirements.
Slide diagram: map of the firm’s locations: Montreal, Toronto, Winnipeg,
Calgary, and Vancouver.
Delivery Tip: Read the scenario to the students and review the questions as a
group. Give the students time to consider their answers and then lead a
discussion based on their responses.
As you create Internet connectivity solutions, you need to translate information
relating to the solution into design requirements. This discussion involves
designing basic Internet connectivity solutions. During the discussion, note any
ideas presented by other students in the class that are relevant to the routing
solution.
The following scenario describes the current network configuration of a legal
firm that specializes in patent and copyright law. Read the scenario and answer
the questions. Be prepared to discuss your answers with the class.
Scenario
A legal firm specializes in patent and copyright law. At each geographic
location, legal assistants within the firm conduct research for the firm’s partners
on potential patent and copyright infringements. The majority of the research is
conducted by searching the Internet for these potential infringements.
The central office for the firm is in Montreal, where the firm has a T1
connection to the Internet. With the exception of the Vancouver branch office,
all other branch offices are connected directly to the Montreal office by using a
56-Kbps connection. The Vancouver branch office is connected through
Calgary to the Montreal central office.
Questions
1. The legal firm currently has an existing firewall at the Montreal location and
dedicated rack-mount routers at the branch offices. The firm would consider
replacing any of the existing equipment. What solutions could you provide
to the firm by using Proxy Server?
You could make the following recommendations:
• Place a proxy server at each geographic location at the edge of the
private network.
• Specify that all Windows clients run Internet Explorer 5.0, if it is not
already installed.
• Specify that Internet Explorer 5.0 automatically detect the proxy
server settings.
• Specify that all operating systems that support the SOCKS standard
use the local proxy server.
• Specify that all other operating systems change the default gateway to
the local proxy server.
2. The legal firm has just acquired a competing firm in Edmonton. The firm in
Edmonton currently has an IPX/SPX-based network. The senior partner in
the firm insists the legal assistants in the new Edmonton branch be
productive as soon as possible. What would be the best method of providing
Internet access to the new Edmonton branch?
You could make the following recommendations:
• At the Edmonton branch, place a proxy server at the edge of the
private network.
• Specify that all desktop and laptop computers load the proxy server
client software.
• Over a period of time, convert the Edmonton network from an
IPX/SPX-based network to a TCP/IP-based network.
Securing a Proxy Server Solution
Slide Objective
To provide an overview of the strategies needed to secure the Proxy Server solution.
Lead-in
You can specify that Proxy Server isolates and secures communication between the private network and the Internet.
[Slide topics]
• Restricting Access to Internet Resources
• Determining the Number of Screened Subnets
• Restricting Traffic with Packet Filters
• Restricting Outbound Traffic with Domain Filters
• Restricting Inbound Traffic with Web Publishing
The security of a Proxy Server design is measured by the ability of the design to
prevent unauthorized access to data transmissions and private network
resources. Proxy Server enhances the security by isolating the private network
from the Internet and restricting traffic between the private network and the
Internet.
To secure a Proxy Server solution, consider:
• Restricting access to the Internet.
• Providing access to private network resources by using screened subnets.
• Restricting IP traffic by using IP packet filters.
• Restricting IP traffic by using domain filters.
• Enabling access to private network resources by using Web Publishing.
Restricting Access to Internet Resources
Slide Objective
To describe the method that can be used to restrict access to Internet resources.
Lead-in
You can restrict access to Internet resources on a user-by-user basis.
[Slide graphic: two diagrams. Networks Based on Active Directory: Private Network, Proxy Server, Internet, with Active Directory. Networks Not Based on Active Directory: Private Network, Proxy Server, Internet, with Local Accounts]
You can restrict access to Internet resources on a user-by-user basis, with users
defined in Active Directory, or as local user accounts on member servers.
Networks Based on Active Directory
If your network design includes Active Directory, you can grant access to users
and groups in Active Directory. Proxy Server is integrated with Active
Directory to provide single logon access to the Internet.
The following table lists the users and groups to which you can grant access,
and why you would choose to grant access to that user or group.
Grant permission to:
• Everyone, to enable access to Proxy Server for all users, including unauthorized users, when the Windows 2000 Guest account is enabled.
• Active Directory groups, to enable access to Proxy Server for members of a group.
• Active Directory users, to enable access to Proxy Server for specific users granted permission on an individual basis.
Although not typically a best practice, you would enable the Guest account if
your Proxy Server design is integrated in a highly heterogeneous network. If
you enable the Guest account, you allow anonymous access to the users whose
accounts do not exist in Active Directory.
Note: You can provide single logon access for users in heterogeneous networks
by using products such as Services for UNIX, Client Services for NetWare, or
Services for Macintosh.
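The Everyone and Guest account behaviour described above, as an added example that is not part of the course: a JavaScript model of the access decision, written to make visible the path by which an account that does not exist in the directory ends up with proxy access. The directory contents, group names and account names are constructed sample data, and the decision order is an assumption for illustration, not a description of Proxy Server internals.

```javascript
// Added example (not from the course): model of granting Proxy Server access
// to Everyone, groups or users, with and without the Guest account enabled.
// Sample directory and grants are constructed for this example.

// Constructed directory: account name -> groups the account belongs to.
const sampleDirectory = new Map([
  ["alice", ["Domain Users", "Legal Assistants"]],
  ["bob",   ["Domain Users"]],
]);

// Decide whether an account may use Proxy Server.
//   account      : name presented by the client
//   directory    : Map of known accounts to their groups
//   grants       : principals granted access ("Everyone", group names, user names)
//   guestEnabled : whether the Windows 2000 Guest account is enabled
// Returns { allowed, reason } so an audit (or a test) can see which rule fired.
function evaluateProxyAccess(account, directory, grants, guestEnabled) {
  if (directory.has(account)) {
    if (grants.includes(account)) {
      return { allowed: true, reason: "user grant" };
    }
    const group = directory.get(account).find((g) => grants.includes(g));
    if (group) {
      return { allowed: true, reason: "member of " + group };
    }
    if (grants.includes("Everyone")) {
      return { allowed: true, reason: "Everyone (authenticated account)" };
    }
    return { allowed: false, reason: "no matching grant" };
  }
  // Unknown account: with Guest disabled there is nothing to map it to, so the
  // request is refused. With Guest enabled the request is mapped to Guest,
  // which Everyone covers, so the table's "unauthorized users" clause applies.
  if (guestEnabled && grants.includes("Everyone")) {
    return { allowed: true, reason: "anonymous access via Guest" };
  }
  return { allowed: false, reason: "unknown account" };
}

// Design check: does this combination of grants and Guest setting admit
// accounts that are not in the directory at all?
function allowsAnonymousAccess(grants, guestEnabled) {
  return guestEnabled && grants.includes("Everyone");
}
```

Running the check over a proposed design before deployment is the practical use: a design that grants Everyone is harmless on its own, and the Guest setting is what turns it into anonymous Internet access.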
Networks Not Based on Active Directory
If your network design is predominantly composed of other operating systems,
such as UNIX or NetWare, or you are not including Active Directory in the
design, you can specify that Proxy Server be installed on a stand-alone
Windows 2000–based computer. The stand-alone Windows 2000–based
computer has local users and groups that you can use to grant Proxy Server
access.
If the network consists of other operating systems, such as UNIX or NetWare,
you can specify that the:
• Other operating systems replicate the user accounts to the Windows 2000–based computer running Proxy Server. For example, in a network that is based on Novell Directory Services (NDS), you would specify that NDS users and groups must be replicated to the proxy server by using Novell software.
• Guest account on the proxy server is enabled and granted Proxy Server access, thereby allowing anonymous access to the proxy server. All users on the private network are granted access, and you are unable to restrict Proxy Server access on a user-by-user or group basis.
Determining the Number of Screened Subnets
Slide Objective
To determine the number of screened subnets required in the Internet connectivity design.
Lead-in
The number of screened subnets required in an Internet connectivity design is based on the security requirements of an organization.
[Slide graphic: Multiple Interfaces or Multiple Servers; Hierarchical Screened Subnet Designs. Labels: Internet, Proxy Server, Screened Subnet A, Screened Subnet B, Screened Subnet C]
You can determine the number of screened subnets in a Proxy Server solution
based on the security requirements of an organization. You can establish a
screened subnet whenever you want to prevent traffic from passing through the
proxy server. You can prevent traffic from passing through the proxy server by
using IP packet filters, Web proxy security, SOCKS proxy security, or
WinSock proxy security.
Based on the users or applications that need access to the resources on the
screened subnet, specify a screened subnet for each security requirement. For
example, you would define three screened subnets to isolate resources that need
to be accessed by all Internet-based users, users in a partner organization, and
users within the private network.
Multiple Interfaces or Multiple Servers
You can define multiple screened subnets by using multiple private network
interfaces in a Proxy Server, using multiple proxy servers with a single
interface, or using a combination of both. The following table lists the methods
for establishing multiple screened subnets, along with the reasons to select each
method.
Select multiple interfaces to establish a screened subnet if the:
• System resources of the proxy server are not saturated.
• Organization requires a centralized administration model.
Select multiple servers to establish a screened subnet if the:
• Performance for the screened subnet needs to be maximized.
• Organization requires a decentralized administration model.
Hierarchical Screened Subnet Designs
In designs that require more than one screened subnet created by multiple proxy
servers, you place the proxy servers in a hierarchy. Specify hierarchical
screened subnet designs to:
• Delegate the administration of the screened subnets.
• Specify broad security requirements at the top of the hierarchy, such as the security requirements for an entire organization.
• Specify stronger security requirements lower in the hierarchy, such as the security requirements for a department or application.