Microsoft’s Internet Access Server

Microsoft is about to launch another powerful tool into the BackOffice Suite.The product, a proxy server code named Catapult, makes connecting your intranetto the Internet much safer than ever before. The tentative release name for thislittle gem is the Microsoft Internet Access Server (IAS), and it is in beta 3testing as I write this article. Slated for release sometime before the end ofthis year, this product will let you sleep a little better at night, knowingyour network is now a safer environment.

What Is a Proxy?
First, the definition of proxy in ageneral sense is the "authority or power to act for another." In anetwork environment, a proxy server has the authority to act on behalf of othercomputers on the network. The IAS serves as proxy by providing access to theTCP/IP networks such as the Internet while keeping the workstation addressanonymous. Workstation anonymity makes intruder attacks on your machine almostimpossible. I say almost because a trojan horse or virus can stillinfiltrate your workstation through a file you download from the Internet, so tobe completely safe at the workstation level, you need more than a proxy server.But when the workstation is anonymous, a potential intruder has no way ofknowing what client address to attack.

How a Proxy Works
Proxies keep workstations anonymous byservicing TCP/IP protocol requests for the client. First, the client workstationmakes a TCP/IP-based protocol request, such as entering a universal resourcelocator (URL) into a Web browser to pull up a Web page. The client sends therequest to the proxy server and waits for the reply. Then, the proxy serverreceives the request and sends it to the destination address, substituting itsserver address for the client address. This substitution maintains the anonymityof the client address. Next, the destination processes the request and sends theresults back to the proxy server. Finally, the proxy returns the results to theclient.

Eliminate Alternative Routes
Simple enough, right? Actually, itis. The secret to establishing a proxy server is to make sure it is the onlyroute to your workstations and servers. The proxy server needs at least onevalid, routable IP address. If a real route to the rest of your network doesn'texist, traffic can't reach your machines.

You can eliminate alternative routes in two ways. The first is to choose anarbitrary Class C network pool to use internally. For instance, pick somethingsuch as 206.136.112.0 out of the air for one of your Class Cs. This choice givesyou 206.136.112.1 through 206.136.112.254 as internal addresses. This Class Cnetwork pool is probably assigned to someone already, and the routes on theInternet point to that network, not yours, so you're safe using arbitraryaddresses this way. (For more on IP addressing, see Mark Minasi, "How toSet Up IP," Windows NT Magazine, February 1996; "NTWorkstations Using an IP Router," May 1996; and "Unlock Your Gatewayto the Internet," June 1996.)

The second way is to use what I'll call test address pools. Severalnon-routable test address pools are available from InterNIC, the US organizationthat manages domains on the Internet. What you need to understand about thesetest addresses is that lots of people all over the Internet use them. None ofthe backbone Internet Service Providers (ISPs) include routes to theseaddresses, so they are useless for routable traffic but perfect for internal usebehind a proxy server.

You're safe using Class C addresses out of the Class A network address poolof 10.0.0.0. This pool provides more than enough IP addresses for an averageintranet. If you need fewer than 254 addresses, use a Class C network from thispool. For example, you can have a Class C network, ranging from 10.0.0.1 through10.0.0.254, that uses a subnet mask of 255.255.255.0. If you need more than oneClass C for internal addresses, simply subnet the 10.0.0.0 again (break the poolinto more manageable pieces for routing in different directions), creatingadditional address pools. Subnetting can get rather complex, so seekadministrative help if necessary.

IAS Features
IAS consists of the Remote Windows Socket (RWS)service and the proxy service. Either of these services or both provide secureaccess for your intranet.

The proxy service operates with TCP/IP only and is CERN-Proxy compatible,which broadens the scope of available client software. The proxy server supportsWeb, gopher, and ftp and has a caching feature that can store frequentlyrequested documents for a given period. Caching reduces bandwidth utilizationand speeds information delivery to the client. The proxy lets you configure whatto cache, what not to, and the size of the cache. You can implement user-levelsecurity, controlling who can and cannot access any particular service. You canalso implement IP address filtering, so you can determine overall access to theproxy by granting and denying access according to a workstation's address. TheRWS service allows other types of TCP/IP protocols through the IAS and supportsmost popular Internet tools.

RWS works with an Internet Packet eXchange (IPX)/Sequenced Packet eXchange(SPX) protocol on your network. This combination can provide an additional levelof security in the form of a protocol barrier. TCP/IP can't talk to IPX/SPX, soyou get the picture. RWS is compatible with most existing Windows Sockets1.1-compatible applications and lets you control inbound and outbound access byport number, protocol, and user or group. You can establish restrictions viafilters that control access to Internet sites by domain name, IP address, andsubnet mask.

The IAS integrates seamlessly into an existing Microsoft Internet suite. Ifyou're already running Microsoft's Internet Information Server (IIS), IAS fitslike a glove, letting you control the services through the Internet ServiceManager, which comes with both IIS and IAS.

Step-by-Step Installation
The initial setup process is simpleand quick, so you won't need more than about 30 minutes to install the entireproduct. Before you begin installation, review the checklist in the sidebar, "InstallationChecklist," on page 85. You'll need to have the necessary information readyafter you download IAS from ftp.microsoft.com/msdownload/catapult.

The setup routine installs IAS, copies client software packages to theserver and pre-configures them for easy installation, and establishes a networkshare for installing client software. Here are the eight steps in theinstallation process.

Additional Configuration
That's the initial installation. Beaware that additional configuration is still necessary. These configurationsettings can take from 30 minutes to several hours or even days, depending onthe number of users needing access to the server.

You'll want to start the Internet Service Manager on the Start Button menu:Select the Programs folder, then the Catapult Server folder, then the InternetService Manager. You'll find that the Setup program has created a shareddirectory, iasclnt, on the server.

You access this directory with the universal naming convention (UNC) name\servernameiasclnt. Your workstations will connect to this share to access andinstall the appropriate client access software package.

Beyond Installation
When you look at some features of IAS andwalk through the initial installation and preliminary configuration options andsettings, you see that the complete IAS package is not very large or complex toconfigure. The installation process is intuitive and straightforward. I'll coverall the individual security options and settings in detail in my next article.