Configuring Microsoft’s Internet Access Server
Last month's article introduced Windows NT 4.0's new proxy server, IAS. This month, learn how to set up IAS to make your Web connections safer than before.
September 30, 1996
Last month's article, "Microsoft's Internet Access Server," looked at the installation and basic setup process for Microsoft's new Internet Access Server (IAS), a proxy server that makes connecting your intranet to the Internet a much safer thing to do. IAS, which is in beta 3 testing, is slated for release by the end of the year. This article looks at some details of configuring IAS once you install it.
The Proxy Server
In a network environment, a proxy server has the authority to act for other computers on the network. The IAS is a proxy, providing each workstation with access to TCP/IP networks such as the Internet, while keeping the workstation address anonymous. Such anonymity makes intruder attacks on your machine almost impossible.
You manage IAS through the Internet Service Manager (ISM). To start ISM, click Start, select Programs, Catapult Server, and then Internet Service Manager. If you have other Internet services on your Windows NT machine, you'll see them in the ISM display. Screen 1 shows the ISM with all the services installed and running.
All the configuration settings are on the administrative interface for each service. To display a service's administrative interface, double-click the service name in the ISM or right-click the service name and select Service Properties.
The Proxy Service
The Proxy service controls access to FTP, WWW, and Gopher sites on the Internet. The administrative interface for the Proxy service has five tabs: Service, Permissions, Caching, Logging, and Filters.
The Service tab is for informational purposes only and contains nothing to configure but a comment field, which lets you describe this service so users can view the description in ISM. Click Current Sessions to display a list of the users connected to the Proxy service at any given moment.
The Permissions tab, as shown in Screen 2, lets you grant or deny various users and groups access rights to the proxy for Internet access. You can separately manage three types of access here: FTP, Web, and Gopher. To allow access to a service, select it in the Rights pulldown, and click Add to display the Add Users and Groups dialog. Once you add the users and groups that get access, click OK. To disallow access rights to a user or group, select the user or group and click Remove.
Tip: The User Manager for Domains lets you create a group that includes the user accounts of all users who need access to FTP, Web, or Gopher. Once you create this group, you need to apply permissions for each service only once for the group, rather than once for each member. This approach can be a real time saver.
The Caching tab, shown in Screen 3, presents the cache property settings. The Proxy service cache lets you configure the service to store Internet objects on your local hard drive for a given period. This option can greatly reduce response times and bandwidth utilization. When a client machine requests an Internet object that is in the cache, the Proxy server delivers the cached copy instead of getting the object from the Internet site.
The cache expires at intervals the administrator sets. The proxy server will retrieve a fresh copy of the Web object when a client requests it again or before a client requests the object, depending on how the cache is configured.
The cache has two modes of operation: passive and active. In the passive mode, IAS copies each object someone requests from the Internet to the hard disk of the computer running the IAS server. In active mode, IAS updates objects in the cache periodically, whether a user requests them or not.
The proxy cache has five areas to configure:
The Enable Caching check box enables and disables the cache.
The Cache Expiration Policy lets you adjust the freshness of objects in the cache. Freshness is a measure of how long to store and use a local copy of a cached object before IAS updates it from the Web site. A slider bar lets you adjust this setting. Move the slider bar toward Always Request Updates to keep objects fresher and increase the traffic the IAS server generates. Move the slider bar toward Fewest Internet Requests to lengthen the time you store objects before IAS refreshes and to decrease the traffic the IAS server generates.
The Active Caching Policy ensures the freshness of Internet objects you store on the hard disk, by letting the cache manager generate a request for an Internet object without a client's prompting. Move the slider bar toward Most Client Cache Hits to update the cache more frequently, or toward Fewest Internet Requests to reduce the frequency of update requests to Internet sites.
The Cache Size lets you add and remove drives from caching and set the amount of disk space for caching Internet objects. The limit to the cache size is the amount of disk space available. Theoretically, cache size has no upward limitations.
The Advanced Cache Options let you specify which objects to cache and the maximum object size to cache, and enable server protection and cache filtering. Cache filtering lets you specify filename, directory name, and domain name to restrict which objects to always cache or never cache. To display Advanced Cache Options, click Advanced.
The Logging tab presents the available log settings. You can turn logging on or off, select regular logging or verbose logging, and select data logging to a text file or a database. Each log record contains the username, client type, client protocol, time and date stamp, and size of the requested object.
The Filters tab, in Screen 4, presents the filtering properties that let you control access to Internet sites through the server. The filtering mechanism grants or denies access based on the IP address or domain name of particular Internet sites. For example, to block access to a Web site to keep employees from misusing company time, you select Denied, click Add, select Domain, and then enter the Web address in the Domain data entry window. That's all there is to it.
Remote Windows Socket
Now let's look at the Remote Windows Socket (RWS) service. As I mentioned last month, RWS is a mechanism that makes a Windows Sockets-compatible application running on a private network perform as if it were directly connected to the Internet, when actually, a gateway computer connects the two networks. IAS can be the gateway.
You access the administrative interface for RWS the same way as for the proxy server. Open ISM, and double-click the RWS service. The RWS administrative interface consists of four tabs: Service, Permissions, Logging, and Filters.
The Service tab has only one field, Comment, which lets you describe this service. ISM lets you view the comment.
The Permissions tab is the most extensive area of the RWS administrative interface. You can add, change, and remove protocols and control access to each protocol. This page has five elements: Service, Right, Add, Remove, and Protocols.
Service lists the Internet protocols available to users of the RWS service that is using this server. To add a protocol to this list, choose Protocols and complete the dialog. To grant a user protocol access, select that protocol from the Service box, click Add, and complete the dialog. The Right box lists the users and groups that can use the protocol on this server. Add lets you assign a user or group the right to use a protocol. You must first select the protocol from Services, choose Add, and then complete the Add Users and Groups dialog. Remove deletes a user or group's right to use a protocol on this server. Protocols displays the dialog that lets you add a protocol, modify an existing protocol configuration, or remove a protocol.
The Logging tab, shown in Screen 5, is the same as the Logging tab for the proxy server. You can turn logging on or off, select regular or verbose logging, and select data logging to a text file or a database.
The Filters tab lets you grant and deny access to Internet sites that users can access through RWS. Access filtering can prohibit access to specified sites or allow access to only the sites specified. The filtering applies to all users who access the Internet through RWS on this server.
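To make the two filtering behaviours concrete (the Denied domain entry on the Proxy service's Filters tab, and the prohibit-listed-sites or allow-only-listed-sites choice on the RWS Filters tab), here is an added Python model of a site filter; it is not IAS code, and the SiteFilter class, its "denied"/"granted" mode names, and the sample sites are assumptions for illustration.

```python
import ipaddress
from urllib.parse import urlsplit


def _host_of(url_or_host):
    """Lowercase hostname of a URL or bare host; scheme, port and path are dropped."""
    parts = urlsplit(url_or_host if "://" in url_or_host else "//" + url_or_host)
    return (parts.hostname or "").rstrip(".").lower()


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


class SiteFilter:
    """Hypothetical model of the Filters tab: one list of domain names and IP
    addresses, applied either as a Denied list (listed sites blocked, everything
    else allowed) or as a Granted list (only the listed sites allowed)."""

    def __init__(self, mode, entries):
        if mode not in ("denied", "granted"):
            raise ValueError("mode must be 'denied' or 'granted'")
        self.mode = mode
        self.ips = {e for e in entries if _is_ip(e)}
        self.domains = {e.lower().lstrip(".") for e in entries if not _is_ip(e)}

    def matches(self, host):
        """A domain entry matches the domain itself and every host beneath it;
        an IP entry matches only a request made to that literal address."""
        if _is_ip(host):
            return host in self.ips
        return any(host == d or host.endswith("." + d) for d in self.domains)

    def allows(self, url):
        hit = self.matches(_host_of(url))
        return (not hit) if self.mode == "denied" else hit
```

Note that a Denied entry for a domain name does not cover a client that requests the same site by its raw IP address; list the address too if that matters.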
Working Together
You can configure the Proxy service and the RWS service to work together. Doing so lets you use Internal Package eXchange (IPX) and Sequenced Packet eXchange (SPX) on the internal network. This capability eases integration for Novell shops because they don't have to migrate to TCP/IP. Having the proxy and RWS work together also allows streaming and datagram Internet protocols and the Windows NT Challenge/Response authentication between the client and IAS server.
To configure the proxy to work with RWS, follow these steps:
Configure the client's Internet browser to use the Catapult Server Proxy service.
Configure the client computer to use any RWS server on the internal network.
If the private network is running TCP/IP, use the IAS setup to configure the Local Address Table (LAT) to remove the Proxy server's internal IP address from the LAT. This configuration forces the use of RWS between the client and IAS server. You must modify the LAT on all IAS servers on the private network. If your internal network runs on IPX/SPX, you can skip this step because you won't have TCP/IP routing tables to manage.
Proxy Gateways in DNS
Configuring multiple proxy server gateways is becoming more common in large network environments. As the number of users who need Internet access from your LAN grows, load balancing multiple proxy servers will become increasingly important to you.
Balance your network traffic with IAS by creating a group name in your lmhosts file. To this group, you assign all client computer applications. The group will contain a list of all the machine names and IP addresses for each proxy server on your network. The lmhosts file includes sample entries that demonstrate how to correctly create entries in this file.
Use the lmhosts file to create a group to configure client software to implement load balancing by following these steps:
Open the lmhosts file with a text editor such as Notepad. A sample lmhosts file named lmhosts.sam is in the systemroot\system32\drivers\etc directory. If you have not configured a lmhosts file for your network, open the lmhosts.sam file and save it (in the same directory that contains lmhosts.sam) to a new file called lmhosts.
Create a new group name for the proxy servers that will participate in the load balancing. Be sure the group name does not conflict with other group names or NT domain names. Enter the group name to make new proxy server entries, one per line, in the lmhosts file. The proxy denotes groups by the #dom tag at the end of each proxy server entry. Be sure that each proxy server's entry includes the IP address, the NetBIOS machine name, and the #dom tag with the group name. In the example below, the group name is proxygate.
206.4.11.69 proxy1 #DOM:proxygate #PRE
206.4.11.70 proxy2 #DOM:proxygate #PRE
206.4.11.71 proxy3 #DOM:proxygate #PRE
As the example shows, you can include the #pre tag. It tells NT to preload these entries when the operating system boots. The #pre tag is not required, but it can help improve the overall proxy server performance because name lookups resolve faster if the proxy doesn't have to read the lmhosts file from disk. Screen 6 shows a sample lmhosts file.
Save the file, and exit the editor.
Configure your client software to use the proxy name.
When you use a group in the lmhosts file, client computers requesting an Internet object through the group name tell Domain Name System (DNS) to cycle through the gateways listed in the group, one at a time. (See Spyros Sakellariadis, "Configuring and Administering DNS," August 1996, for more on DNS components.) The first request uses the first name in the list, the second request uses the second name, and so on. This cycle establishes load balancing, which can ease the burden of any particular proxy server. The lmhosts file is in the systemroot\system32\drivers\etc subdirectory.
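As an added illustration of the lmhosts procedure above (not code from the article or from IAS), the following Python reads the proxygate entries, checks that each address is well formed and carries the #DOM and #PRE tags, and walks the gateway list in the round-robin order the text describes; the sample file text, the toy parser, and the function names are assumptions.

```python
import itertools
import ipaddress
import re

# Constructed sample lmhosts text: the article's three proxygate entries, one of them
# deliberately missing #PRE, one entry with a malformed address, and one plain host.
SAMPLE_LMHOSTS = """\
# proxy gateway group for load balancing
206.4.11.69 proxy1 #DOM:proxygate #PRE
206.4.11.70 proxy2 #DOM:proxygate #PRE
206.4.11.71 proxy3 #DOM:proxygate
999.1.1.1 badproxy #DOM:proxygate #PRE
192.168.5.10 fileserv #PRE
"""

ENTRY_RE = re.compile(r"^(\S+)\s+(\S+)(.*)$")  # address, NetBIOS name, trailing tags

def parse_lmhosts(text):
    """Return (ip, name, group, preloaded) for each well-formed host line.
    Blank lines and lines starting with '#' are skipped as comments (toy parser:
    #INCLUDE and the other lmhosts keywords are not handled)."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        ip, name, tags = m.group(1), m.group(2).lower(), m.group(3).upper()
        try:
            ipaddress.IPv4Address(ip)  # drop malformed addresses instead of loading them
        except ipaddress.AddressValueError:
            continue
        dom = re.search(r"#DOM:(\S+)", tags)
        entries.append((ip, name, dom.group(1).lower() if dom else None, "#PRE" in tags))
    return entries

def gateway_group(entries, group):
    """Proxy names tagged #DOM:<group>, in file order."""
    return [name for _, name, g, _ in entries if g == group.lower()]

def assign_requests(gateways, count):
    """Round-robin as the article describes: request n goes to gateway n mod len."""
    return list(itertools.islice(itertools.cycle(gateways), count))

def not_preloaded(entries, group):
    """Gateways in the group lacking #PRE, so each lookup re-reads lmhosts from disk."""
    return [name for _, name, g, pre in entries if g == group.lower() and not pre]
```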
Gateways in WINS
If your network relies on Windows Internet Name Service (WINS) instead of DNS for name resolution, WINS lets you configure a multi-homed environment to facilitate Internet object requests. (Spyros Sakellariadis covers DNS and WINS in "Integrating and Administering DNS," September 1996, and Ed Tittel and Mary Madden explain multi-homing in "Multi-Homing on the Web," September 1996.) WINS is similar to the DNS environment: You create one entry that contains the list of IP addresses for all the proxy server gateways. (For more on IP addressing, see Mark Minasi "How to Set Up IP," February 1996; "IP Routing with NT," March; "NT Workstations Using an IP Router," May; "Unlock Your Gateway to the Internet," June; "DHCP and Assigning IP Addresses," August; and "Gateways Revisited," on page 47.)
WINS provides three levels of name resolution for this configuration. First, the WINS server attempts to match a client's request with the client's IP address. Next, WINS will seek a proxy server on the same subnetwork as the client. Then WINS seeks a proxy server on the same network as the client. If WINS cannot match a client to a gateway, it will randomly pick a gateway from the WINS list of gateways to facilitate the Internet object request.
RWS with Multiple Gateways
By default, clients on an internal network use the RWS gateway that you configure them for. You achieve load balancing by installing RWS on the clients from each gateway you want the client to use. For example, if you expect a particular group of users to produce heavier-than-normal traffic to the RWS service--as with video conferencing--distribute the users across your gateways to lighten the load on any particular server.
Securing Your Network
Overall, IAS provides a great way to begin securing your network. With RWS, you'll find the future expandability adequate as new Internet protocols become available. Now that NT 4.0 is available, you can expect the release of IAS soon.
As I end this article, I leave you with one final and very important thought to ponder--no panacea for network security exists, so act diligently. For more on network security, see John Enck, "Confronting Your Network Security Nightmares," page 81, and Keith Pleas, "Securing Windows NT," on page 74.
Internet Access Server beta 3
Microsoft * 206-882-8080
Web: www.microsoft.com/infoserv/catapult
Price: Free