Document: MCSE STUDY GUIDE: Proxy Server 2.0 Exam 70-88 (pdf)


Troy Technologies USA
MCSE
STUDY GUIDE
Proxy Server 2.0
Exam 70-88
Congratulations!!
You have purchased one of the Troy Technologies USA MCSE Study
Guides.
This study guide consists of a selection of questions and answers very, very
similar to the ones you will find on the official MCSE exam. All you need to
do is study and memorize the following questions and answers, and you
will be ready to take the exam. Remember, we guarantee it!
Average study time is 10 to 12 hours. Then you are ready.
GOOD LUCK!
Guarantee
Should you use this study guide and still fail the appropriate MCSE exam,
then send your original of the official score notice, along with your mailing
address to:
Troy Technologies USA
11134 Hunter Oaks
San Antonio, TX 78233
We will gladly refund the full cost of this study guide. However, you are not
going to need this guarantee if you follow the above instructions.
© Copyright 1998 Troy Technologies USA. All Rights Reserved.
Further Suggested Reading for Microsoft Certified System Engineer

• Exam Cram, MCSE Windows 2000 Network: Exam 70-216 (Exam Cram) by Hank Carbeck, et al. Paperback (September 28, 2000)
• MCSE Windows 2000 Accelerated Study Guide (Exam 70-240) (Book/CD-ROM package) by Tom Shinder (Editor), et al. Hardcover (October 6, 2000)
• MCSE 2000 JumpStart: Computer and Network Basics by Lisa Donald, et al. Paperback (April 2000)
• MCSE: Windows 2000 Network Infrastructure Administration Exam Notes by John William Jenkins, et al. Paperback (September 19, 2000)
• Public Key Infrastructure Essentials: A Wiley Tech Brief - Tom Austin, et al; Paperback
• Planning for PKI: Best Practices Guide for Deploying Public Key Infrastructure - Russ Housley, Tim Polk; Hardcover
• Digital Certificates: Applied Internet Security - Jalal Feghhi, et al; Paperback
• Ipsec: The New Security Standard for the Internet, Intranets, and Virtual Private Networks - Naganand Doraswamy, Dan Harkins; Hardcover
• A Technical Guide to Ipsec Virtual Private Networks - Jim S. Tiller, James S. Tiller; Hardcover
• Big Book of IPsec RFCs: Internet Security Architecture - Pete Loshin (Compiler); Paperback
• MCSE Windows 2000 Core 4 for Dummies: Exam 70-210, Exam 70-215, Exam 70-216, Exam 70-217
Proxy Server Concepts
The primary function of Microsoft Proxy Server is to act as a gateway to and from the Internet. Clients
connect to Proxy Server when they make a request for resources located on the Internet. Proxy Server gets
the resource and returns it to the client. The Server can also allow selected computers or protocols to
access the internal network. Since you are only presenting one IP address to the Internet, Proxy Server
effectively hides your internal network.
A Proxy Server has one network card for the private internal network and it has another network adapter
with which to connect to the Internet. This adapter may be another network card or it may be an ISDN
adapter. The Proxy Server is the only computer in the network attached to both internal and external
networks.
Microsoft Proxy Server consists of 3 different services: Web Proxy, WinSock Proxy, and SOCKS Proxy.
Web Proxy Service
The Web Proxy service runs as a service on a Windows NT Server. It runs as an extension to IIS 3.0 or
higher. You must have IIS installed on your NT server in order for the Web Proxy service to run. Clients
contact the Web Proxy service and it contacts other Web servers on behalf of the client and then relays the
information back.
The Web Proxy service supports Hypertext Transfer Protocol (HTTP) and File Transfer Protocol (FTP) for
computers on the local LAN.
Caching
The Web Proxy service maintains a local copy of HTTP and FTP objects on a local hard disk. This is
called caching. Not all objects are cached. Some objects change frequently, even each time they are
accessed, so caching them is a waste of processing time. Some objects have a security context and are not
cached for security reasons. The Proxy Server performs two types of caching: Passive caching and Active
caching.
Passive Caching
Passive caching is the method used most. It is also known as on-demand caching because it is available on
demand when the client makes the request.
In a network that does not have a Proxy Server, the client contacts the Web server on the Internet. The
Web server responds to the request and sends the requested objects directly back to the client. Proxy
Server sits in the middle of this process. The Proxy client contacts Proxy Server with the request. Proxy
Server goes to the Internet with the request and retrieves the requested object. It caches that object. If you,
or any other client, requests the object again, Proxy Server gets the object from the local cache rather than
from the Web server on the Internet.
In order to ensure that the cached information is still current, several techniques are used. One technique
is to set an expiration time on the object. This expiration time is known as the time to live (TTL). When a
client requests an object that is cached, Proxy Server checks the TTL to determine if the requested object
is still valid. If the TTL has not expired, then the object is returned to the client. If the TTL has expired,
then Proxy Server goes out to the Internet and retrieves the object and the TTL process begins again.
In order to manage disk space, Proxy Server deletes older cached objects to make room for new ones when
the disk becomes too full.
Active Caching
Active caching supplements passive caching. The intent of active caching is to maximize the probability
that an object will be in local cache when the client requests the object from Proxy Server. To accomplish
this, Proxy Server will automatically retrieve objects from the Internet. It chooses objects by considering
such factors as:
Frequency of request - Objects that are more frequently requested are kept in the cache. If the TTL on one
of these objects expires, a new object is requested.
Time-To-Live - Objects having a greater TTL are better to cache than objects with shorter TTLs. In other
words, if an object has a short TTL and is seldom requested, it is not advantageous to cache it because the
TTL will have expired by the time the next request arrives.
Server Activity - Proxy Server seeks to cache more objects during times of low activity than it does during
periods of high activity.
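The passive and active caching behaviour described above, as an added example that is not code from the study guide or from Microsoft Proxy Server. It models a cache whose objects carry a TTL, evicts the oldest object when the store is full, and ranks expired objects for active refresh by request frequency, TTL and current server load. The clock is injected so the run is deterministic; the 0.8 load threshold, the object limit and the sample URLs are assumptions of this example.

```javascript
// Added example, not code from the study guide or from Microsoft Proxy Server:
// a simplified model of the Web Proxy cache. Objects carry a TTL (passive
// caching), the oldest object is evicted when the store is full, and
// refreshCandidates() ranks expired objects for active caching by request
// frequency, TTL and current server load. The 0.8 load threshold is an assumption.

class ProxyCache {
  constructor(maxObjects, now) {
    this.maxObjects = maxObjects; // stands in for "the disk becomes too full"
    this.now = now;               // function returning the current time in seconds
    this.store = new Map();       // url -> { body, ttl, fetchedAt, hits }; Map keeps insertion order
  }

  // Passive (on-demand) caching: serve from cache while the TTL is valid,
  // otherwise fetch from the origin (the callback) and restart the TTL.
  get(url, fetchFromOrigin, ttlSeconds) {
    const entry = this.store.get(url);
    if (entry && this.now() - entry.fetchedAt < entry.ttl) {
      entry.hits += 1;
      return { body: entry.body, source: "cache" };
    }
    const body = fetchFromOrigin(url);
    this.put(url, body, ttlSeconds, entry ? entry.hits + 1 : 1);
    return { body, source: "origin" };
  }

  put(url, body, ttl, hits) {
    this.store.delete(url); // re-insert so that Map order equals fetch order
    if (this.store.size >= this.maxObjects) {
      const oldest = this.store.keys().next().value;
      this.store.delete(oldest); // "deletes older cached objects to make room"
    }
    this.store.set(url, { body, ttl, fetchedAt: this.now(), hits });
  }

  // Active caching: which expired objects to pre-fetch, best candidate first.
  // Frequently requested objects with long TTLs score highest; nothing is
  // refreshed while the server is busy.
  refreshCandidates(serverLoad) {
    if (serverLoad > 0.8) return [];
    const t = this.now();
    return [...this.store.entries()]
      .filter(([, e]) => t - e.fetchedAt >= e.ttl)
      .map(([url, e]) => ({ url, score: e.hits * e.ttl }))
      .sort((a, b) => b.score - a.score)
      .map((c) => c.url);
  }
}

// Constructed demonstration with a fake clock and a fake origin server.
function demo() {
  let clock = 0;
  let originFetches = 0;
  const cache = new ProxyCache(2, () => clock);
  const origin = (url) => { originFetches += 1; return "body of " + url; };
  const A = "http://a.example/", B = "http://b.example/", C = "http://c.example/";

  cache.get(A, origin, 60);                 // miss: fetched from origin
  const second = cache.get(A, origin, 60);  // hit: TTL still valid
  clock = 61;
  const third = cache.get(A, origin, 60);   // TTL expired: fetched again
  cache.get(B, origin, 10);
  cache.get(B, origin, 10);
  cache.get(B, origin, 10);                 // B now has 3 hits
  cache.get(C, origin, 5);                  // store full: oldest object (A) evicted
  clock = 75;                               // B and C have both expired

  return {
    originFetches,                          // 4
    secondSource: second.source,            // "cache"
    thirdSource: third.source,              // "origin"
    cached: [...cache.store.keys()],        // [B, C]
    lowLoad: cache.refreshCandidates(0.2),  // [B, C]: B scores 3*10, C scores 1*5
    highLoad: cache.refreshCandidates(0.9), // []
  };
}
```

The eviction here is first-fetched-first-out, which is enough to show the mechanism; a real cache would weigh hit counts when choosing what to drop, as the active-caching ranking already does when choosing what to refresh.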
WinSock Proxy Service
The WinSock Proxy service works with Windows-based client computers. The WinSock Proxy service
allows WinSock applications to run remotely. This service is a client/server process that runs only on
Windows NT 4.0 Server running Proxy Server. It allows client applications to run as if they are directly
connected to the Internet.
Local Address Table (LAT)
The function of the LAT is to define the IP addresses on the internal network. Network addresses not
contained in the LAT are considered external addresses.
The LAT entries are pairs of IP addresses. Each pair defines an address range. This address range can be
an entire network ID or a single IP address. The LAT is built when you install Proxy Server. The LAT is
generated from the Windows NT Server routing table. This method may not record all the addresses of the
internal networks. You may have subnets that need to be added. There may also be external network
addresses that need to be removed. It is important to remove external network addresses from the LAT.
When you install the Proxy client, the Setup program installs a file named msplat.txt. This file is installed
in the \mspclnt folder. The file contains the LAT. The contents of this file are identical to the LAT on the
server. To keep this file consistent, the server regularly updates the msplat.txt file on the client.
When a WinSock application needs to establish a connection using an IP address, the msplat.txt file is
consulted to determine if the requested IP address is internal or external. If the address is listed in the
msplat.txt file, then it is considered to be on the internal network and the connection with the resource is
made directly. If the address is not listed, then it is considered to be on an external network and the
connection is made through the Proxy Server.
If the LAT at the server does not contain all of the internal network addresses, you can modify the
msplat.txt at the client to include the other internal network addresses. However, these address
modifications are lost when the server periodically sends the LAT update to the client. To overcome this,
you can create a custom LAT for the client using a text editor. You add the additional address pairs that
are on the internal network so that the client recognizes them as part of the internal network. You then
save the file in the \mspclnt folder. The file must be named Locallat.txt. The WinSock client checks both
files, if they are present, for local IP addresses.
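The client-side local/remote decision described in this section, as an added example that is not the study guide's or Microsoft's code. It assumes each LAT line holds a start and an end address separated by whitespace, consults both Msplat.txt and Locallat.txt as the text describes, and adds an audit that flags ranges outside RFC 1918 private space, because an external range left in the LAT makes the client connect directly instead of through the proxy. The sample file contents and addresses are constructed; the assumption that the internal network uses private addressing is labelled in the code.

```javascript
// Added example, not code from the study guide or from Microsoft Proxy Server.
// LAT format assumption: one "start end" address pair per line; ';' or '#'
// starts a comment. Sample files below are constructed for this example.

function ipToInt(ip) {
  const parts = ip.trim().split(".").map(Number);
  if (parts.length !== 4 || parts.some((o) => !Number.isInteger(o) || o < 0 || o > 255)) {
    throw new Error("bad IPv4 address: " + ip);
  }
  return ((parts[0] * 256 + parts[1]) * 256 + parts[2]) * 256 + parts[3];
}

// Parse LAT text into [start, end] integer pairs; comments and blank lines are skipped.
function parseLat(text) {
  const ranges = [];
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.replace(/[;#].*$/, "").trim();
    if (!line) continue;
    const [start, end] = line.split(/\s+/);
    const lo = ipToInt(start);
    const hi = ipToInt(end === undefined ? start : end);
    if (lo > hi) throw new Error("inverted range: " + line);
    ranges.push([lo, hi]);
  }
  return ranges;
}

// The WinSock client treats an address as internal if ANY consulted LAT lists it;
// internal addresses are connected to directly, everything else goes via the proxy.
function isLocalAddress(ip, ...lats) {
  const n = ipToInt(ip);
  return lats.some((ranges) => ranges.some(([lo, hi]) => n >= lo && n <= hi));
}

const RFC1918 = parseLat(
  "10.0.0.0 10.255.255.255\n172.16.0.0 172.31.255.255\n192.168.0.0 192.168.255.255"
);

// Audit helper: LAT ranges not wholly inside private address space. Assumes the
// internal network uses RFC 1918 addressing; sites that own public space must
// adjust the expected ranges accordingly.
function suspiciousRanges(ranges) {
  return ranges.filter(([lo, hi]) => !RFC1918.some(([plo, phi]) => lo >= plo && hi <= phi));
}

// Constructed sample files.
const MSPLAT_TXT = `
10.0.0.0     10.255.255.255
192.168.1.0  192.168.1.255
198.51.100.0 198.51.100.255 ; external range copied in from the routing table by mistake
`;
const LOCALLAT_TXT = "172.16.5.0 172.16.5.255"; // subnet the server-generated LAT missed

function demo() {
  const msplat = parseLat(MSPLAT_TXT);
  const locallat = parseLat(LOCALLAT_TXT);
  return {
    corp: isLocalAddress("10.3.4.5", msplat, locallat),        // true: listed in Msplat.txt
    subnet: isLocalAddress("172.16.5.9", msplat, locallat),    // true: listed only in Locallat.txt
    web: isLocalAddress("203.0.113.7", msplat, locallat),      // false: reached through the proxy
    leaked: isLocalAddress("198.51.100.20", msplat, locallat), // true: bypasses the proxy
    flagged: suspiciousRanges(msplat).length,                  // 1: the 198.51.100.0 range
  };
}
```

The `leaked` result is the failure mode the text warns about: because the client, not the server, makes the local/remote decision from its copy of the LAT, an external range in the LAT silently routes that traffic around the proxy and any access control it enforces. Running `suspiciousRanges()` over the server's LAT after installation, and again after any manual edit, catches that before it reaches clients.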
TCP/IP and IPX/SPX
There are several important points you need to know about using TCP/IP or IPX/SPX protocols and the
WinSock Proxy service. When you are using TCP/IP on your LAN and an application wants to
communicate with a server, that server may be local or remote to the application. Based on the addresses
contained in the LAT, the application can tell if the requested server is local or remote. If the address is
local, the client forwards the request directly. If the address is not local, then the WinSock Proxy service
is involved.
If your LAN is running the IPX/SPX protocol, the scenario changes. In this case, the WinSock Proxy
service is also acting as a protocol gateway. It converts the IPX/SPX protocol to the TCP/IP protocol and
back again. Since you are not running TCP/IP, there is no LAT to be downloaded to the WinSock
Proxy client at installation time. Since there are no TCP/IP hosts on the local network, all attempts to
connect to a TCP/IP host are considered requests for a remote host and are processed according to those
rules.
SOCKS Proxy Service
The SOCKS Proxy service is a cross-platform mechanism used to establish secure communications
between the server and non-Windows based clients like UNIX and Macintosh. This service allows for
transparent access to the Internet using Proxy Server. This service does not support applications that use
UDP, nor does it support the IPX/SPX protocol.
Implementation
Microsoft lists three environments to consider when implementing Proxy Server. The environments are:
Small, Medium, and Large networks.
Network    Clients served per Proxy Server
Small      1 - 200
Medium     201 - 2000
Large      2001 and higher
Multiple Proxy Servers
You configure multiple Proxy Servers in your organization to support two objectives: Redundancy and
Load sharing. Having more than one Proxy Server allows you to have multiple gateways to the Internet.
Designing a plan to share the load among the gateway computers is an important issue. You can configure
this load sharing in several ways. They are:
Load sharing using DNS
Load sharing using WINS
Load sharing using multiple Proxy Servers
For clients using the Web Proxy service, you can configure the clients to use a specific Proxy Server or
you can configure them to use all Proxy Servers. For clients using the WinSock Proxy service, you must
configure them to use a specific Proxy Server.
Load Sharing Using DNS
DNS servers are responsible for providing host name-to-IP address resolution. Before the Web browser
can establish the session with the Web server, it must have its IP address. If you are using multiple Proxy
Servers, you can configure the DNS in such a way that it distributes the workload of the servers by
supplying a different IP address for each successive request.
Suppose information that is heavily accessed by users is spread across three different Web servers.
Clients access that information using a URL, but since the URL contains the host name and each of the
three servers has a different host name, each client would need to specify a different URL. This is
undesirable because you want all clients to specify a single URL, and the process needs to be transparent
to the user.
The Microsoft DNS server supports a process known as round robin. This process balances the workload
of the servers, in this case, the three Web servers. To do this, you must create an alias that points to
multiple IP addresses. This alias record is a CNAME record entry in your DNS server file.
DNS gives the client the IP address of the first host in the list. The DNS then moves that host to the
bottom of the list. When the next request arrives, DNS gives the IP addresses of the second server, now at
the top of the list, and moves that server name to the bottom of the list, and so on. In this manner, each
host receives an equal share of client requests and the process is transparent to the user.
Load Sharing Using WINS
If you are using Windows and the TCP/IP protocol, then you should have at least one WINS server
deployed. WINS is Microsoft’s implementation of an RFC NetBIOS Name server. WINS serves a function
similar to, but distinct from, that of DNS. DNS resolves FQDNs (Fully Qualified Domain Names) to IP addresses.
WINS resolves NetBIOS names to IP addresses. All Microsoft operating systems rely on NetBIOS for
their networking.
You can use WINS in the same manner as you use DNS to share the load of your Proxy Servers. You
create a static entry in your WINS server table for the Proxy Server alias and map it to multiple IP
addresses.
Load Sharing Using WinSock Proxy
You install the WinSock Proxy client from a Proxy Server. The client then attaches to and uses the
WinSock Proxy service of the Proxy Server from which the client was installed. To balance the workload
of the WinSock Proxy services, install each client from a different Proxy Server. This distributes the
load among the Proxy Servers in the organization.
Distributed Caching
You can configure caching to be distributed among multiple Proxy Servers in the organization. This
improves both the active and passive caching. You distribute the cached objects and provide for fault
tolerance if one Proxy Server fails or becomes unavailable. Distributed caching is implemented by one of
two methods, or by combining and using both methods: Chaining or Arrays.
Chaining
Using Proxy Server to route to another proxy server is a technique that involves a process called upstream
routing. By configuring upstream routing, a Web Proxy client request can be routed to an upstream Proxy
Server, to a Proxy Server array, or directly to the Internet. The term "upstream," from a data flow
point-of-view, refers to being closer to the Internet. This technique is also known as chaining.
You can also specify a backup route to use in the event that the upstream proxy server is unavailable. The
backup route is fully functional and provides for automatic transfer transparently. From time to time, the
primary route Proxy Server is queried to see if it is available. When the primary Proxy Server is available,
the primary route is re-established automatically.
Proxy Server Array
An array is a group of Proxy Servers bound together by an array name. Proxy Servers in an array are
administered as a single unit. Configuring an array provides for load sharing, fault tolerance, and easier
administration. Arrays can be useful in branch offices, in networks that are too large to be serviced by a
single Proxy Server, and for consolidating multiple Internet connections.
You must create an array; you do this from the Internet Service Manager (ISM). An array is common to
all Proxy services. Each Proxy Server maintains a list of which members of the array are available and
which members are not available. Each individual member in the array uses a hash to make routing
decisions. A hash is a mathematical function whose result is used to make those routing decisions.
The configuration for a single array member may be propagated and synchronized to all members of the
array. The following parameters are propagated when auto-synchronization is enabled:
Advanced caching options
Client configuration files
Domain filters
LAT
Logging information
Publishing information
Upstream routing options
Web Proxy user permissions
WinSock protocol definitions
Cache Array Routing Protocol (CARP)
Proxy Server 2.0 supports Cache Array Routing Protocol (CARP). This is an enhancement of the Internet
Cache Protocol (ICP). The purpose of this protocol is to allow a proxy server to query other proxy servers
to see if those servers have cached copies of requested objects before the proxy server goes to the Internet
for the object.
CARP expands on the ICP protocol in several ways. CARP uses a "queryless" hash-based algorithm. The
hash-based routing results in the URL being resolved to the same Proxy Server. This means there is a
single hop resolution for the requested object. CARP becomes faster the more Proxy Servers are added.
This is because the location of each cached object is known within the array, unlike ICP, which must
query for each requested object.
CARP prevents multiple servers from caching the same object. This makes the CARP array much more
efficient than an ICP array.
Client Installation
When you install Proxy Server, the Setup Wizard creates the \msp\clients folder. Client software utilities
are installed in their respective folders. For example, the Alpha folder contains Alpha-specific files and
the I386 folder contains the Intel-specific files. The Setup Wizard also shares the \msp\clients as a share
called mspclnt.
You have to install the WinSock client software on the client computers. The client setup program
configures the computer to be a client of the WinSock Proxy service on the server where the setup was
initiated. Also, as part of the installation, the Web browser is configured as a client of the Web Proxy
service.
You can start the client setup program using one of two techniques. You can connect to the UNC
\\server_name\mspclnt and run the client setup program. Or, you can use a browser, such as Internet
Explorer, point it to http://computer_name/msproxy, and click the Install WinSock Proxy 2.0 client. If you
are installing the client on a Web server, the setup program stops the Web service while the installation is
in progress.
The Mspclnt.ini file contains configuration information about the client. This is a text file and can be
edited with any text editor. By default, the client configuration file is downloaded to the client each time a
client computer is restarted and is updated every six hours after an initial refresh. When a refresh occurs,
the order of server share paths, listed in the [Master Config] section of Mspclnt.ini, is used to determine
the location of updated configuration files. At least one entry must be present. Entries are tried in the
order listed. Additional path listings are tried only in the event that preceding paths are not available.
For Mspclnt.ini changes made on the server to be reflected on a client, you either have to manually update
the WinSock Proxy client or wait for the client to be automatically updated. Keep in mind that if you
change the client’s Mspclnt.ini file and want the changes to remain, you should also modify the file on the
server as well.
Using JavaScript
When a Web browser client is started, you can specify that a client configuration script be downloaded to
the client computer. This configuration script is written in JavaScript and is located on the Proxy Server
computer for that client computer. Remember, every client contacts a specific Proxy Server.
The script is downloaded to the browser on the client computer and is executed against every URL that the
browser requests. The output of the script is an ordered list of Proxy Servers that is used by the browser to
retrieve the object specified by the URL. This can reduce some of the routing work performed by the
Proxy Server array.
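The two ideas above, a client configuration script that yields an ordered list of Proxy Servers for each URL and the queryless hash-based routing of CARP, as one added example. This is not the script generated by Proxy Server 2.0 and not Microsoft's code: FindProxyForURL() is the standard PAC entry point a browser calls for every URL; the internal domain, the array member names and the port are assumptions; and the ranking is a rendezvous hash over FNV-1a, a simplification that shows the property (every client resolves the same URL to the same member first, without asking the array) rather than the hash function CARP itself specifies.

```javascript
// Added example, not the script generated by Proxy Server 2.0. The array
// members, the internal DNS suffix and the port are assumptions of this example.

const ARRAY_MEMBERS = ["proxy1.corp.example", "proxy2.corp.example", "proxy3.corp.example"];
const INTERNAL_DOMAIN = ".corp.example"; // assumption: the site's internal DNS suffix
const PROXY_PORT = 80;

// 32-bit FNV-1a hash of a string.
function fnv1a(s) {
  let h = 0x811c9dc5;
  for (let i = 0; i < s.length; i++) {
    h ^= s.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h;
}

// Score every (member, url) pair and sort the members best first. When a
// member joins, it takes only the URLs it now scores highest on; every other
// URL keeps its current first choice, so existing caches stay useful.
function rankMembers(url, members) {
  return members
    .map((m) => ({ m, score: fnv1a(m + "|" + url) }))
    .sort((a, b) => b.score - a.score || a.m.localeCompare(b.m))
    .map((x) => x.m);
}

// The entry point a browser calls for every URL it requests.
function FindProxyForURL(url, host) {
  const plainHost = host.indexOf(".") === -1; // same test the PAC helper isPlainHostName() makes
  if (plainHost || host === "localhost" || host.endsWith(INTERNAL_DOMAIN)) {
    return "DIRECT"; // internal resource: connect without the proxy
  }
  return rankMembers(url, ARRAY_MEMBERS)
    .map((m) => "PROXY " + m + ":" + PROXY_PORT)
    .join("; "); // the browser tries each member in turn if the previous one fails
}

// Share of sample URLs whose first-choice member is unchanged when the array
// grows from `before` to `after` (about 3/4 when a fourth member joins three).
function stabilityRatio(sampleCount, before, after) {
  let kept = 0;
  for (let i = 0; i < sampleCount; i++) {
    const url = "http://www.example/catalog/item" + i + ".html";
    if (rankMembers(url, before)[0] === rankMembers(url, after)[0]) kept += 1;
  }
  return kept / sampleCount;
}
```

The returned string deliberately ends with the last array member rather than with "DIRECT": appending "; DIRECT" would let the browser bypass the array, and whatever access control it enforces, whenever every member is unreachable. `stabilityRatio()` shows why a hash-based array "becomes faster the more Proxy Servers are added": growing the array relocates only the share of URLs that the new member wins, instead of invalidating every cache.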
Access Control
Outbound Access
You can allow your clients complete access to the Internet or you can control what they access. Microsoft
Proxy Server provides several methods for controlling outbound access. These methods allow you to
configure control as granular as you require in order to determine what your clients can and cannot access
on the Internet. There are three primary methods for configuring outbound access: Controlling access by
Internet service, Controlling access by IP parameters, and Controlling access by TCP port.
Internet Service
One of the keys to security is to allow access to resources and services only by those who need them. In the
context of Proxy Server, you limit specific services to only those users who need to use the service. You
can set the access control permissions individually for the Web Proxy, WinSock Proxy, and the SOCKS
Proxy services. You set the permissions from inside the ISM using the property sheet of the specific
service.
Web Proxy Service - Use the Permissions Tab to “Enable Access Control”. You can then specify who can
have access to the following protocols:
WWW - This is for access to the HTTP protocol.
FTP Read - This is for access to FTP services.
Gopher - Gopher is a menu-based system used to supplement FTP.
Secure - This is the SSL service. If you have been granted access, then you can use SSL security.
WinSock Proxy Service - Use the Permissions Tab to “Enable Access Control”. You can specify
“Unlimited Access” or you can specify who can have access to the following protocols: AlphaWorld,
AOL, Archie, Echo, Enliven, IMAP4, IRC, Microsoft NetShow, MSN, NNTP, POP3, RealAudio, SMTP,
Telnet, and VDOLive. Other protocols can be added with the WinSock Proxy service.
SOCKS Proxy Service - You use the same procedure to set the permissions for using the SOCKS service.
You get a dialog box you use to configure this service. The “source” specifies the origin of the request.
You do this either by IP address and subnet, for a particular Internet Domain or for all computers. The
“Destination” side is where you allow (or deny) the destination of the permitted entry.
IP Parameters
Proxy Server allows you to control access by specific IP parameters such as: IP address, IP subnet, and
Internet domain name. This is done by enabling filtering and then specifying the appropriate IP address,
subnet, or domain.
When configuring this security, there are two methods you can use. You can grant access to everyone and
then restrict access by denying certain IP addresses, subnets, or domains. Or, you can deny access to
everyone and then grant access by exception by specifying the IP address, subnet, or domain.
Just as with configuring access by Internet service, you can set these parameters for each individual Proxy
Server.
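The two filtering postures above (grant everyone and deny by exception, or deny everyone and grant by exception), as an added example that is not Proxy Server's own code. A filter is a mode plus a list of exceptions given as an IP address, an address/mask subnet, or an Internet domain, evaluated against the destination of a request; the data formats, filter contents and sample destinations are constructed for this example.

```javascript
// Added example, not code from Proxy Server. Exception entries are { ip },
// { ip, mask } or { domain }; the sample filters and destinations are constructed.

function ipToInt(ip) {
  return ip.split(".").reduce((acc, octet) => acc * 256 + Number(octet), 0);
}

// Does one exception entry describe this destination?
function matchesException(exc, dest) {
  if (exc.domain !== undefined) {
    const d = dest.domain.toLowerCase();
    return d === exc.domain || d.endsWith("." + exc.domain); // sub-domains are covered too
  }
  const mask = exc.mask === undefined ? 0xffffffff : ipToInt(exc.mask);
  return ((ipToInt(dest.ip) & mask) >>> 0) === ((ipToInt(exc.ip) & mask) >>> 0);
}

function isAllowed(filter, dest) {
  const listed = filter.exceptions.some((exc) => matchesException(exc, dest));
  // grant mode: the listed destinations are the ones denied
  // deny mode:  the listed destinations are the only ones granted
  return filter.mode === "grant" ? !listed : listed;
}

// Posture 1: grant access to everyone, then deny by exception.
const GRANT_FILTER = {
  mode: "grant",
  exceptions: [
    { domain: "badsite.example" },
    { ip: "198.51.100.0", mask: "255.255.255.0" },
    { ip: "203.0.113.250" },
  ],
};

// Posture 2: deny access to everyone, then grant by exception.
const DENY_FILTER = {
  mode: "deny",
  exceptions: [{ domain: "partner.example" }, { ip: "192.0.2.0", mask: "255.255.255.0" }],
};

// Evaluate one destination under both postures. A destination nobody has yet
// classified is allowed by the first posture and blocked by the second, which is
// why deny-by-default is the safer choice when the exception list is incomplete.
function compare(dest) {
  return { grantMode: isAllowed(GRANT_FILTER, dest), denyMode: isAllowed(DENY_FILTER, dest) };
}
```

Because the same `isAllowed()` check can be run against each Proxy Server's filter, it also serves to compare the filters of several servers: a destination that one server blocks and another allows is a configuration drift worth resolving.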
Port
You can configure which port is used by the TCP and UDP protocols and thus control the access to the
WinSock Proxy service. Proxy Server comes with a default set of protocol definitions. You can add your
own protocol definitions or modify the definitions of the default protocols to suit your requirements.
Proxy Server uses application service ports for the WinSock Proxy and SOCKS Proxy services. WinSock-
based applications work through a network connection. Ports are used in combination with IP addressing
to form socket connections. A socket is an endpoint in the communication process. The WinSock Proxy
service can also redirect a listen() call. The implication of this is that Proxy Server can listen to Internet
requests on behalf of your application. It then redirects the request from the Internet to your application.
There is also a special setting called “Unlimited Access”. You can also enable access to inbound and
outbound service ports selectively for users on your network. You do this through the ISM by selecting the
WinSock property sheet and then selecting the Protocols tab.
You can create definitions and modify existing protocol definitions. You can save these definitions and
load them at a later date. You can save this file from one Proxy Server and load it at another Proxy Server.
