Microsoft’s Internet Access Server

NT 4.0's new proxy server, IAS, makes connecting your intranet to the Internet much safer than ever before.

ITPro Today

August 31, 1996


Microsoft is about to launch another powerful tool into the BackOffice Suite. The product, a proxy server code-named Catapult, makes connecting your intranet to the Internet much safer than ever before. The tentative release name for this little gem is the Microsoft Internet Access Server (IAS), and it is in beta 3 testing as I write this article. Slated for release sometime before the end of this year, this product will let you sleep a little better at night, knowing your network is now a safer environment.

What Is a Proxy?
First, the definition of proxy in a general sense is the "authority or power to act for another." In a network environment, a proxy server has the authority to act on behalf of other computers on the network. The IAS serves as proxy by providing access to the TCP/IP networks such as the Internet while keeping the workstation address anonymous. Workstation anonymity makes intruder attacks on your machine almost impossible. I say almost because a Trojan horse or virus can still infiltrate your workstation through a file you download from the Internet, so to be completely safe at the workstation level, you need more than a proxy server. But when the workstation is anonymous, a potential intruder has no way of knowing what client address to attack.

How a Proxy Works
Proxies keep workstations anonymous by servicing TCP/IP protocol requests for the client. First, the client workstation makes a TCP/IP-based protocol request, such as entering a universal resource locator (URL) into a Web browser to pull up a Web page. The client sends the request to the proxy server and waits for the reply. Then, the proxy server receives the request and sends it to the destination address, substituting its server address for the client address. This substitution maintains the anonymity of the client address. Next, the destination processes the request and sends the results back to the proxy server. Finally, the proxy returns the results to the client.
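
The exchange described above, as an added example (not from the article and not IAS code): a one-shot relay on the loopback interface that records what each party sees. Every endpoint here shares 127.0.0.1, so the source port stands in for the workstation address; `relay_demo` and the other names are made up for this sketch.

```python
import socket
import threading

def listen():
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))          # OS-chosen loopback port
    s.listen(1)
    return s

def serve_once(listener, handler):
    """Handle exactly one connection in a background thread."""
    def run():
        conn, peer = listener.accept()
        with conn:
            handler(conn, peer)
    t = threading.Thread(target=run, daemon=True)
    t.start()
    return t

def relay_demo():
    """Run client -> proxy -> destination once; return what each party saw."""
    seen = {}
    dest, proxy = listen(), listen()

    def destination(conn, peer):
        seen["destination_saw"] = peer          # source of the request as received
        conn.recv(1024)
        conn.sendall(b"HTTP/1.0 200 OK\r\n\r\nhello")

    def proxy_service(conn, peer):
        seen["proxy_saw"] = peer                # the real client endpoint
        request = conn.recv(1024)
        # New outbound connection: its source is the proxy, not the client.
        with socket.create_connection(dest.getsockname()) as upstream:
            seen["proxy_outbound"] = upstream.getsockname()
            upstream.sendall(request)
            conn.sendall(upstream.recv(1024))   # hand the result back to the client

    workers = [serve_once(dest, destination), serve_once(proxy, proxy_service)]
    # Explicit bind keeps the client's port distinct from the proxy's outbound port.
    with socket.create_connection(proxy.getsockname(),
                                  source_address=("127.0.0.1", 0)) as client:
        seen["client"] = client.getsockname()
        client.sendall(b"GET / HTTP/1.0\r\n\r\n")
        seen["reply"] = client.recv(1024)
    for w in workers:
        w.join(timeout=5)
    dest.close(); proxy.close()
    return seen

if __name__ == "__main__":
    print(relay_demo())
```

The destination's view of the request source matches the proxy's outbound socket, never the client's own endpoint.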

Eliminate Alternative Routes
Simple enough, right? Actually, it is. The secret to establishing a proxy server is to make sure it is the only route to your workstations and servers. The proxy server needs at least one valid, routable IP address. If a real route to the rest of your network doesn't exist, traffic can't reach your machines.

You can eliminate alternative routes in two ways. The first is to choose an arbitrary Class C network pool to use internally. For instance, pick something such as 206.136.112.0 out of the air for one of your Class Cs. This choice gives you 206.136.112.1 through 206.136.112.254 as internal addresses. This Class C network pool is probably assigned to someone already, and the routes on the Internet point to that network, not yours, so you're safe using arbitrary addresses this way. (For more on IP addressing, see Mark Minasi, "How to Set Up IP," Windows NT Magazine, February 1996; "NT Workstations Using an IP Router," May 1996; and "Unlock Your Gateway to the Internet," June 1996.)

The second way is to use what I'll call test address pools. Several non-routable test address pools are available from InterNIC, the US organization that manages domains on the Internet. What you need to understand about these test addresses is that lots of people all over the Internet use them. None of the backbone Internet Service Providers (ISPs) include routes to these addresses, so they are useless for routable traffic but perfect for internal use behind a proxy server.

You're safe using Class C addresses out of the Class A network address pool of 10.0.0.0. This pool provides more than enough IP addresses for an average intranet. If you need fewer than 254 addresses, use a Class C network from this pool. For example, you can have a Class C network, ranging from 10.0.0.1 through 10.0.0.254, that uses a subnet mask of 255.255.255.0. If you need more than one Class C for internal addresses, simply subnet the 10.0.0.0 again (break the pool into more manageable pieces for routing in different directions), creating additional address pools. Subnetting can get rather complex, so seek administrative help if necessary.

IAS Features
IAS consists of the Remote Windows Socket (RWS) service and the proxy service. Either of these services or both provide secure access for your intranet.

The proxy service operates with TCP/IP only and is CERN-Proxy compatible, which broadens the scope of available client software. The proxy server supports Web, gopher, and ftp and has a caching feature that can store frequently requested documents for a given period. Caching reduces bandwidth utilization and speeds information delivery to the client. The proxy lets you configure what to cache, what not to, and the size of the cache. You can implement user-level security, controlling who can and cannot access any particular service. You can also implement IP address filtering, so you can determine overall access to the proxy by granting and denying access according to a workstation's address. The RWS service allows other types of TCP/IP protocols through the IAS and supports most popular Internet tools.

RWS works with an Internet Packet eXchange (IPX)/Sequenced Packet eXchange (SPX) protocol on your network. This combination can provide an additional level of security in the form of a protocol barrier. TCP/IP can't talk to IPX/SPX, so you get the picture. RWS is compatible with most existing Windows Sockets 1.1-compatible applications and lets you control inbound and outbound access by port number, protocol, and user or group. You can establish restrictions via filters that control access to Internet sites by domain name, IP address, and subnet mask.

The IAS integrates seamlessly into an existing Microsoft Internet suite. If you're already running Microsoft's Internet Information Server (IIS), IAS fits like a glove, letting you control the services through the Internet Service Manager, which comes with both IIS and IAS.

Step-by-Step Installation
The initial setup process is simple and quick, so you won't need more than about 30 minutes to install the entire product. Before you begin installation, review the checklist in the sidebar, "Installation Checklist," on page 85. You'll need to have the necessary information ready after you download IAS from ftp.microsoft.com/msdownload/catapult.

The setup routine installs IAS, copies client software packages to the server and pre-configures them for easy installation, and establishes a network share for installing client software. Here are the eight steps in the installation process.

  1. Setup searches for installed components.

  2. You then choose a directory for the software installation.

  3. You can choose components to install from the list in Screen 1. Here's a nice surprise: The documentation is in Hypertext Markup Language (HTML) format, which Microsoft has promised for all Help files as we move toward the browser-based desktop.
    The options include the various client software packages necessary to use the proxy server. Some available client packages are NT versions for Intel, PowerPC, MIPS, Alpha, Intel-based Windows 95 clients, and Windows 3.x clients, as you see in Screen 2.

  4. Setup stops any Microsoft Internet services, such as the IIS Web server, that are running.

  5. You choose the drive(s) you want for caching documents from the list in Screen 3. Setup recommends drives with at least 50MB of free space. You can certainly choose drives with less space, but you'll be limited in how much information you can cache.

  6. You define the IP address ranges on your internal networks as shown in Screen 4. The information you enter here creates a Local Address Table (LAT). The LAT is the iaslat.txt file, which, by default, is in the iasclients directory on the same drive on which you install the server. When a workstation runs the client setup program, the LAT downloads from the server to the client workstation.
    When an RWS-type client attempts to access an IP address, it uses the LAT to determine whether the address is local or remote. Local addresses are on your network, and remote addresses are outside your network on the Internet. You can connect to local addresses directly and to remote Internet addresses through IAS.

  7. Setup lets you preconfigure most aspects of the client software packages, which minimizes administrative efforts. Screen 5 shows the settings in two groups, one for RWS and one for the proxy. The RWS access settings are as follows.

    • A radio button group pre-configures the client software package to contact the RWS service by name or IP address. To rely on DNS names or machine names for client access, check that box and enter the server name. (For more information on DNS, see Spyros Sakellariadis, "Configuring and Administering DNS" and "Integrating and Administering DNS," Windows NT Magazine, August and September 1996.) To access the server by IP address, check that box and enter the server IP address.

    • A check box lets you disable Access Control. If you check this box, all internal clients can use RWS without restriction. When this box is not checked (the default setting), only clients that have permissions for specific protocols can use RWS. The Internet Service Manager lets you assign these permissions.

    The proxy access settings are as follows.

    • A check box tells the IAS setup to configure the client packages so that they automatically configure Web browsers for use with a given proxy access server. To automate some of the client package installation process, check this box.

    • A data entry box lets you predetermine the machine name of the proxy access server that the client packages on this computer will use. If you check set Client setup to configure browser proxy settings, enter the proxy server name in this data-entry box.

  8. Setup checks for necessary disk space and copies the required files. Once the file copy operation is complete, Setup restarts any Internet Services that it had stopped, and then exits.
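
Step 6's local-or-remote decision, as an added example rather than IAS code: it carves Class C-sized subnets from the 10.0.0.0 pool discussed earlier, writes them as LAT ranges, classifies destinations the way the article says an RWS-type client does, and flags LAT ranges that fall outside the internal pool. The one-range-per-line layout for the LAT file and all function names are assumptions; the article does not show the file's contents.

```python
import ipaddress
from itertools import islice

def carve(pool, prefix, count):
    """First `count` subnets of `pool` at the given prefix length."""
    return list(islice(ipaddress.ip_network(pool).subnets(new_prefix=prefix), count))

def build_lat(subnets):
    """Internal subnets -> sorted (first, last) ranges; overlaps are rejected."""
    nets = sorted(ipaddress.ip_network(str(s)) for s in subnets)
    for a, b in zip(nets, nets[1:]):
        if a.overlaps(b):
            raise ValueError(f"{a} overlaps {b}")
    return [(n[0], n[-1]) for n in nets]

def format_lat(lat):
    # Assumed file layout, not taken from the article: "first<TAB>last" per line.
    return "".join(f"{lo}\t{hi}\n" for lo, hi in lat)

def parse_lat(text):
    lat = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        lo, hi = (ipaddress.ip_address(f) for f in line.split())
        if lo > hi:
            raise ValueError(f"line {n}: range is reversed")
        lat.append((lo, hi))
    return lat

def route(dest, lat):
    """The decision an RWS-type client makes for one destination."""
    addr = ipaddress.ip_address(dest)
    return "direct" if any(lo <= addr <= hi for lo, hi in lat) else "via IAS"

def outside_pool(lat, pool):
    """LAT ranges not wholly inside the internal pool; clients would go direct for these."""
    net = ipaddress.ip_network(pool)
    return [(lo, hi) for lo, hi in lat if lo not in net or hi not in net]

if __name__ == "__main__":
    lat = parse_lat(format_lat(build_lat(carve("10.0.0.0/8", 24, 2))))
    for dest in ("10.0.1.77", "10.0.2.5", "192.0.2.10"):   # constructed samples
        print(dest, "->", route(dest, lat))
    stray = parse_lat("10.0.0.0\t10.0.0.255\n192.0.2.0\t192.0.2.255\n")
    print("outside pool:", outside_pool(stray, "10.0.0.0/8"))
```

A range reported by `outside_pool` is worth reviewing before the LAT is distributed, because clients connect directly to anything the table lists as local.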

Additional Configuration
That's the initial installation. Be aware that additional configuration is still necessary. These configuration settings can take from 30 minutes to several hours or even days, depending on the number of users needing access to the server.

You'll want to start the Internet Service Manager on the Start Button menu: Select the Programs folder, then the Catapult Server folder, then the Internet Service Manager. You'll find that the Setup program has created a shared directory, iasclnt, on the server.

You access this directory with the universal naming convention (UNC) name \\servername\iasclnt. Your workstations will connect to this share to access and install the appropriate client access software package.

Beyond Installation
When you look at some features of IAS and walk through the initial installation and preliminary configuration options and settings, you see that the complete IAS package is not very large or complex to configure. The installation process is intuitive and straightforward. I'll cover all the individual security options and settings in detail in my next article.
