Exploring Internet Access Server Software
This article is the third in a series introducing the Microsoft Catapult proxy server.
October 31, 1996
Configuring client software for your proxy server
This article is the third in a series introducing the Microsoft Catapult proxy server. The previous two articles looked at installation and setup and advanced configuration issues for this proxy server, Internet Access Server (IAS). This month's final installment looks in depth at configuring some popular client software packages that you can use with IAS. You'll see that configuring any proxy-enabled client software for use with IAS is straightforward once you know and understand the fundamental parameter requirements.
As a proxy server, IAS can act on behalf of other computers on a network. IAS provides access to TCP/IP networks such as the Internet while keeping the workstation address anonymous. To see how IAS makes intruder attacks on your machine almost impossible, see "Microsoft's Internet Access Server," September 1996.
Remember, if you use the lmhosts file to establish a load-balanced proxy environment--as described in "Configuring Microsoft's Internet Access Server," October 1996--when you configure client software packages, you'll want to use the proxy group name you established in the lmhosts file. If you don't want a particular client software package to use the load balancing group, configure that client software to use your preferred proxy server name.
The Web browser is probably the most common type of client software people use on the Internet today. Let's configure two popular Web browsers, Internet Explorer (IE) and Netscape Navigator. We'll also explore RealAudio, an audio software tool, and VDOLive, a video software tool.
You sometimes need to bypass the proxy altogether to reach a certain Internet site. This need can occur if a site is behind a firewall. A proxy running on a host server outside a firewall cannot connect to a server inside the firewall. To work around this firewall restriction, you must bypass the proxy. (For information on firewalls and proxies, see Philip Carden and Charles Kelly, "Firewalls: Securing NT Networks from Internet Intruders.")
Also, if your network uses nonroutable IP addresses--as described in my September article--you can't bypass the proxy to reach sites on the Internet, because your network has no valid routes in and out of the Internet. However, you can still reach sites on your local network if your administrator has established the proper routes. When configuring your proxy server and clients, use routable IP addresses instead of nonroutable addresses to avoid headaches down the road. (For more on IP addressing, see Mark Minasi, "How to Set Up IP," February 1996; "IP Routing with NT," March; "NT Workstations Using an IP Router," May; and "DHCP and Assigning IP Addresses," August.)
Microsoft Internet Explorer 2.0
Configuring IE 2.0 for Windows NT is simple. To arrive at the Properties page, where you'll make your configuration entries, click Start, select Settings, select Control Panel, double-click the Internet icon, click the Advanced property sheet tab, select Use Proxy Server, and enter the proxy server's URL, for example, http://proxyserver:80.
You must enter the proxy server's URL correctly. The example shows the proper syntax to define the port that the proxy server listens to for incoming requests. At the end of the URL, you notice a colon followed by the number 80 (:80). When a client requests an Internet object, the proxy server receives and processes the request on TCP/IP port 80.
If you want to bypass the proxy server when connecting to certain Internet sites, enter those sites in the Bypass proxy on data-entry window. Let's say you want to provide direct access to all computers at microsoft.com and direct access to all FTP sites listening on TCP port 21. To accomplish this task with IE 2.0, enter microsoft.com,:21, as shown in Screen 1. A comma must separate each entry in the Bypass proxy on window. Be sure to prefix the port number with a colon.
Internet Explorer 3.0
Internet Explorer (IE) 3.0 configuration for NT is similar to that for IE 2.0, with some subtle but important differences. You arrive at the Properties configuration page for IE 3.0 in almost the same manner as with IE 2.0. To open the properties page, Proxy Settings, click Start, select Settings, select Control Panel, double-click the Internet icon, select the Connection tab, choose Connect Through a Proxy Server, and click Settings.
Screen 2 shows the two group boxes in this dialog: Servers and Exceptions. In the Servers options group, you can make five entries, one for each of the following protocol types: HTTP, Secure, FTP, Gopher, and Socks. You can define a different proxy server for each of these types of Internet protocols. Just enter the appropriate proxy server information in the associated field.
If you prefer one proxy or group of proxies for all protocol types, check Use the same proxy server for all protocols. Checking this box grays out all the data entry fields except the ones associated with the Hypertext Transfer Protocol (HTTP). You then enter the proxy server or proxy group's URL and port number in the corresponding HTTP fields. (Note: Although you enter the information into the HTTP fields, the proxy server uses these same settings to process all other protocol requests.)
The second group box, Exceptions, has two setting options to configure, if you see the need on your network. The first field is Do not use proxy server for addresses beginning with. If you want certain protocols to bypass your proxy server so they have a direct connection, enter them in this field. For example, if you want all FTP connections to bypass the proxy server, enter ftp in the box. Be sure to use semicolons to separate all entries in this box.
The second field in the Exceptions group box is Do not use proxy server for local (intranet) addresses. Check this box to instruct the client software to directly connect to servers on your intranet, bypassing the proxy. This instruction improves the performance of client software packages because it removes the added overhead of communicating with IAS. You use IP addresses and subnet masks to determine whether the destination is local.
Netscape Navigator 2.01
Netscape's Navigator 2.01 is a popular Web browser. Let's configure it step-by-step to work with the proxy server. Open Netscape Navigator, and select the Options menu. On the Proxies property page, select Network Preferences, select Manual Proxy Configuration, and click View. In each proxy field (HTTP, Gopher, FTP, Security, WAIS, and Socks), type the name of the computer running the proxy server and its associated TCP/IP port number.
In the No Proxy for field, shown in Screen 3, enter hosts that you want to access directly, bypassing the proxy server. For example, if you want Navigator 2.01 to connect directly to Netscape's public Web server, enter www.netscape.com:80. And be sure to insert a colon before the port number.
Netscape Navigator 2.02 and 3.0
The Netscape Navigator 2.02 and 3.0 proxy configurations for NT are also straightforward. To configure Netscape Navigator 2.02 and 3.0 to use the proxy server for HTTP protocol requests, open Netscape Navigator, select Options, then Network Preferences. Select the Proxy tab and Manual Proxy Configuration, and click View. In each proxy field (FTP, Gopher, HTTP, Security, WAIS, SOCKS), type the host name or IP address of the computer running the proxy server, and enter the proxy server's associated port number.
In the No proxy for field, follow the same instructions as for Navigator 2.01 to access hosts directly. Enter www.netscape.com:80 to connect directly to Netscape's public Web server.
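A small checker, added here as an illustration and not taken from the original article or from either browser's code, that applies the bypass syntax described above for IE 2.0 (microsoft.com,:21) and for Navigator's No Proxy for field (www.netscape.com:80) to a few constructed destinations and reports which ones would skip the proxy. The function names and the matching rules (domain match on a label boundary, exact port match) are assumptions modelled on the article's description.

```python
def parse_bypass(text, sep=","):
    """Split a bypass list into (host_suffix, port) rules; either part may be None."""
    rules = []
    for raw in text.split(sep):
        entry = raw.strip().lower()
        if not entry:
            continue  # tolerate blanks and trailing separators
        host, colon, port = entry.rpartition(":")
        if colon:
            # ":21" is a port-only rule, "host:80" pins both host and port
            if not port.isdigit() or not 0 < int(port) < 65536:
                raise ValueError(f"bad port in bypass entry {raw!r}")
            rules.append((host or None, int(port)))
        else:
            rules.append((entry, None))  # host-only rule, any port
    return rules


def goes_direct(host, port, rules):
    """True if (host, port) matches any rule and therefore skips the proxy."""
    host = host.lower().rstrip(".")
    for suffix, rule_port in rules:
        # Assumed semantics: match the domain itself or a subdomain of it,
        # so "notmicrosoft.com" does not match a "microsoft.com" rule.
        host_ok = suffix is None or host == suffix or host.endswith("." + suffix)
        port_ok = rule_port is None or port == rule_port
        if host_ok and port_ok:
            return True
    return False


def audit(bypass_text, destinations, sep=","):
    """Map each destination to DIRECT or PROXY under the given bypass list."""
    rules = parse_bypass(bypass_text, sep)
    return {f"{h}:{p}": "DIRECT" if goes_direct(h, p, rules) else "PROXY"
            for h, p in destinations}


# Constructed sample destinations, not taken from the article.
SAMPLE = [("www.microsoft.com", 80), ("ftp.example.org", 21),
          ("www.example.org", 80), ("notmicrosoft.com", 80)]

if __name__ == "__main__":
    for dest, route in audit("microsoft.com,:21", SAMPLE).items():
        print(f"{dest:24} {route}")
```

Under these assumptions the port-only rule :21 sends every FTP destination direct, whatever its host name, so traffic matching it no longer goes through the proxy.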
RealAudio
RealAudio is a popular software tool (available for Windows 95, Windows 3.1.x, NT, Mac OS 7.x, Linux, Solaris 2.4 and 2.5, SunOS 4.1.x, IRIX 5.3, and FreeBSD). It lets users listen to recorded and live audio across the Internet. RealAudio is widely used across the Internet as a means to deliver all sorts of creative audio content, ranging from live radio broadcasts to recorded speeches or mission statements from corporate executives.
IAS supports RealAudio through the Remote Windows Socket (RWS) service. To configure the RealAudio Player software, you must understand how data moves across the Internet.
RealAudio supports two basic types of transmissions: Transmission Control Protocol (TCP) and User Datagram Protocol (UDP). I won't go into all the details of these two protocols, but I will tell you that UDP is less reliable than TCP. UDP provides no error correction and no guarantee that UDP packets will arrive at their intended destination. When UDP packets do arrive at their destination, they do not necessarily arrive in the same order as you send them. But, UDP requires less overhead than TCP and is therefore faster.
In addition to a proxy server, some networks incorporate a separate packet filtering firewall system that doesn't let UDP traffic enter your intranet. In these cases, you must either reconfigure your packet filtering firewall to allow UDP packets for RealAudio, or reconfigure RealAudio to use TCP. The choice is up to you and your network administrators. I won't delve into using RealAudio in this article, but I'll focus instead on configuring the software for use through the RWS using the UDP. RWS handles all Winsock applications transparently, so you do not need to configure RealAudio to use the proxy server. Be sure the proxy server is disabled in the RealAudio preference settings.
To configure RealAudio Player to receive audio with the default UDP, start RealAudio Player, select the View menu, and then the Network Preferences tab shown in Screen 4. Click UDP, select the Proxy preferences tab shown in Screen 5, and deselect the Use Proxy field.
Use Specified UDP Port defines the port number the RWS service uses to receive RealAudio data from the Internet. Internet Service Manager in the RWS Permissions property sheet lets you specify the port setting on the RWS service.
VDOLive
IAS's RWS service supports the video protocol VDOLive (for Windows 3.1x, Windows 95, NT, and the PowerMAC). According to rumor, in future releases, Microsoft will integrate VDOLive technology into its new NetMeeting collaborative conferencing software (which is part of the Normandy suite--see Ronald Arden, "Safe Internet Shopping with Microsoft Merchant System," for information about another piece of this suite, and David Truncale, "CompuServe Brings NT Online," for information about CompuServe's plans to implement this suite).
A VDOLive server can send continuous video images over the Internet to VDOLive-compatible clients. To configure your VDOLive client software packages to use IAS, start VDOLive Player, click Setup, and select the Settings tab shown in Screen 6. Click Automatic selection of UDP port, and type the UDP port number RWS uses for VDOLive. The default RWS port is 7001.
Macintosh, UNIX, and Other Clients
You can configure other operating system client types for use with IAS as easily as for the examples you've seen so far. You can configure any software that uses a proxy server or is Winsock compatible for use with IAS with a few simple parameters, including the name of the computer running IAS and the port number IAS uses for the particular protocol.
Rest Easier with IAS
In closing this series on IAS, I will say that you can configure RWS service for just about any custom protocol and port number. This capability provides a lot of forward compatibility for IAS users, especially because developers introduce new Internet protocols every day.
A carefully planned and executed IAS installation will undoubtedly let most network administrators sleep a little bit better at night, knowing their network environment is now a safer place to work from. Just remember: Never assume your network is completely safe. To ensure the highest degree of safety, you must continually monitor your systems and re-evaluate your policies and procedures. No network is impenetrable.
To find the latest information on IAS, point your Web browser to www.microsoft.com/proxy/default.htm, or get it (under its code name, Catapult) from Microsoft's FTP site at ftp.microsoft.com in the /msdownload/catapult directory. The file index.txt in that directory explains each file in the directory.
Microsoft also maintains a newsgroup about this proxy server. You can find the newsgroup, microsoft.public.catapult.beta, on Microsoft's news server at msnews.microsoft.com.
Microsoft Internet Explorer 2.0 and 3.0
Microsoft * 206-882-8080 * Web: www.microsoft.com
Netscape Navigator 2.01, 2.02, and 3.0
Netscape * 415-937-2555 * Web: home.netscape.com
RealAudio
Progressive Networks * 206-674-2700 * Web: www.realaudio.com
VDOLive
VDOnet * 415-846-7700 * Web: www.vdo.net