Chapter 9 - Coexistence with Microsoft Proxy Server

By Kostya Ryvkin, Dave Houde, Tim Hoffman

Chapter 9 from MCSE: Implementing and Supporting Microsoft Proxy Server 4.0, published by Prentice Hall


This chapter tells you about Proxy Server connectivity issues. We will see how to integrate a Proxy Server computer with a Remote Access Server (RAS) using the Point-to-Point Tunneling Protocol (PPTP), and we will discuss different scenarios in which PPTP-enabled computers coexist with Proxy Server. If your network uses Exchange for messaging and you are not sure whether it will still work after you install Proxy Server, this chapter will give you the answer, and will point out several scenarios for accomplishing this. We will also look at how Proxy Server works with SQL Server, FTP servers, and Telnet servers. You will learn what a "demilitarized zone" is (in the Information Technology context) and will be able to plan sophisticated network configurations with Proxy Server in a mixed environment.

Proxy Server and the Point-to-Point Tunneling Protocol

How Does PPTP Work?

Why Can't WSP Clients Use PPTP?
Running PPTP on the Server

Proxy Server and Exchange Server

Installing Exchange Server on the Internal Network

Putting Exchange Server on the Proxy Server Computer

Microsoft SQL Server and Proxy Server

FTP Server Behind Proxy Server

Non-Windows Servers Behind the Proxy Server

Other Internet Services Behind Proxy Server

At the end of this chapter you will be able to:

Explain how PPTP works with Proxy Server

Plan Proxy and Exchange integration

Explain how SQL Server can publish data though Proxy Server

Implement Proxy Server connectivity with a wide variety of applications

Proxy Server and the Point-to-Point Tunneling Protocol

Today, many companies utilize the Internet not only for the purpose of gaining access to the information it contains, but also to provide network connections to employees who are out of the office or on the road. It has always been the case that utilizing the public Internet is a much cheaper form of connecting remote locations than using dedicated direct links or long distance phone lines. However, there have always been concerns about transferring confidential or secret information through the public Internet. The solution to this problem is to create a Virtual Private Network based on encrypted tunnels provided by PPTP.

The idea behind PPTP is based on the encapsulation and encryption of IP packets into a secured tunnel. A tunnel is nothing more than the idea of sending streams of encapsulated packets in secured envelopes that cannot be easily decrypted. Even if somebody captures such an envelope during its travel through the Internet, its contents will not make sense.

A reasonable question in this case is, "How can I combine Microsoft Proxy Server features with the advantages of PPTP?" To answer this question, let's first look at PPTP operation and architecture.

How Does PPTP Work?

Point-to-Point Tunneling Protocol is a network protocol that provides a secure way to transfer data from a remote client to a private server or network by creating a Virtual Private Network (VPN) across TCP/IP-based data networks.

The networking technology of PPTP was created as an extension of the Point-to-Point Protocol (PPP) referred to in RFC 1171. PPTP is a network protocol that encapsulates PPP packets into IP datagrams for transmission over the Internet or other public TCP/IP-based networks. PPTP can also be used in private LAN-to-LAN networking. The PPTP encapsulation technique is based on the Internet standard GRE (Generic Routing Encapsulation), which allows tunneling of protocols over the Internet. (For more information about this you may review RFC 1701 and RFC 1702. You can find RFCs at http://www.cis.ohio-state.edu/rfc/ or http://www.rfc-editor.org. )

A typical PPTP scenario assumes the remote client already has an Internet connection from its local Internet Service Provider (ISP). Clients may use computers running Windows NT Server or Workstation version 4.0, dial-up networking, and the remote access protocol PPP to connect to an ISP. Being connected to the Internet, the client makes a second dial-up networking call over the Internet connection. Data sent, using this second connection, is in the form of IP datagrams that contain PPP packets. This second call actually creates a virtual private networking (VPN) connection to a PPTP server on the private enterprise LAN - this is referred to as a tunnel.

Let's see how the PPTP client creates a packet to send to the PPTP server. For the purpose of our discussion, let's assume that the PPTP client is connected to the Internet using a LAN adapter (the situation changes slightly if the PPTP client uses a communication device such as modem).

The process of encapsulating the data in the PPTP datagrams is illustrated in Figure 9.1.

Figure 9.1: PPTP concepts.

As you can see, when the application on the PPTP client computer sends a packet to the PPTP server, the data is first encapsulated in the IP datagram using the private IP address - the one that was assigned when the PPTP connection was established. Then the IP packet gets encapsulated into the PPP packet and is encrypted through the PPTP and GRE modules. The encrypted data is then inserted into the IP datagram once more. In this case the real, globally routable IP address is used. The packet is, then, transmitted over the Internet. On the receiving end, the PPTP server reverses the procedure. It receives the packet from the routing network and sends it across the private network to the destination computer. The PPTP server does this by processing the PPTP packet to obtain the private network computer name or address information in the encapsulated PPP packet.

The key point of this is that packets travel through the Internet in the PPTP tunnel - even if a third party computer in the Internet captures the packet, it will not be able to use the data inside it.
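The nesting described above, worked through in code. This is an added example, not code from the book or from Microsoft: it builds the layering outermost-in (outer IP with public addresses, GRE, PPP, inner IP with the private tunnel addresses, application data) and contrasts what an observer on the Internet sees with what the PPTP server recovers after decapsulation. Two simplifications are assumptions of the example rather than PPTP specifics: a 4-byte GRE header in the RFC 1701 style without the optional fields PPTP adds, and no MPPE encryption of the PPP payload, so that the nesting can be inspected in clear. The addresses and payload are constructed.

```python
"""Model of the PPTP packet nesting: outer IPv4 (public) -> GRE -> PPP -> inner IPv4 (private) -> data."""
import ipaddress
import struct

IPPROTO_GRE = 47        # protocol number of GRE in the outer IPv4 header
IPPROTO_TCP = 6
GRE_PROTO_PPP = 0x880B  # GRE protocol type carrying PPP (PPTP data channel)
PPP_PROTO_IP = 0x0021   # PPP protocol number for IPv4
IPV4_FMT = "!BBHHHBBH4s4s"  # 20-byte IPv4 header, no options


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header (checksum field zeroed)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal IPv4 header (no options) with a valid checksum."""
    hdr = struct.pack(IPV4_FMT, 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def parse_ipv4(pkt: bytes) -> dict:
    """Split an IPv4 datagram into addresses, protocol and payload."""
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack(IPV4_FMT, pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"src": str(ipaddress.IPv4Address(src)),
            "dst": str(ipaddress.IPv4Address(dst)),
            "proto": proto, "payload": pkt[ihl:total_len]}


def build_pptp_packet(public_src, public_dst, private_src, private_dst, app_data: bytes) -> bytes:
    """Client side: data -> inner IP (private addresses) -> PPP -> GRE -> outer IP (public addresses)."""
    inner = ipv4_header(private_src, private_dst, IPPROTO_TCP, len(app_data)) + app_data
    ppp = struct.pack("!H", PPP_PROTO_IP) + inner
    gre = struct.pack("!HH", 0x0000, GRE_PROTO_PPP) + ppp   # flags/version = 0, protocol = PPP (simplified header)
    return ipv4_header(public_src, public_dst, IPPROTO_GRE, len(gre)) + gre


def observer_view(pkt: bytes) -> dict:
    """What a third party on the Internet sees without decapsulating: only the outer header."""
    outer = parse_ipv4(pkt)
    return {"src": outer["src"], "dst": outer["dst"], "proto": outer["proto"]}


def pptp_server_decapsulate(pkt: bytes) -> dict:
    """Server side: strip outer IP, GRE and PPP, then read the inner (private) IP datagram."""
    outer = parse_ipv4(pkt)
    if outer["proto"] != IPPROTO_GRE:
        raise ValueError("not a GRE datagram")
    _flags, gre_proto = struct.unpack("!HH", outer["payload"][:4])
    if gre_proto != GRE_PROTO_PPP:
        raise ValueError("GRE payload is not PPP")
    ppp = outer["payload"][4:]
    (ppp_proto,) = struct.unpack("!H", ppp[:2])
    if ppp_proto != PPP_PROTO_IP:
        raise ValueError("PPP payload is not IP")
    return parse_ipv4(ppp[2:])


if __name__ == "__main__":
    # Constructed sample: documentation addresses outside, RFC 1918 addresses inside the tunnel.
    pkt = build_pptp_packet("198.51.100.7", "203.0.113.1", "10.0.0.5", "10.0.0.20", b"hello")
    print("observer sees:", observer_view(pkt))
    print("PPTP server recovers:", pptp_server_decapsulate(pkt))
```

Only the outer header, with the globally routable addresses and protocol 47 (GRE), is visible to the routing network; the private addresses and the application data are recovered only after the PPTP server has peeled the GRE and PPP layers off, which is the step where real PPTP also removes the encryption.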

Now that we have a basic idea of how PPTP works, let's ask ourselves a question: "How does this technology work when we add Proxy Server to the picture?" Let's look at what combinations of Proxy Server and PPTP are possible.

Why Can't WSP Clients Use PPTP?

Although you can install PPTP client software on a WinSock client computer, there is no way to make the WSP client redirect PPTP packets through the Microsoft Proxy Server services. The main reason for this is found in the WinSock Proxy Client architecture. When a WinSock Proxy client receives a call from an application, it knows the call needs to be forwarded to a specific IP address and to a specific port. However, the WinSock Proxy client software tricks the application by intercepting packets at the TCP layer and sending them to the Proxy Server's WinSock Proxy service. Looking at PPTP encapsulation once more, we see the data has to cross the TCP layer twice. Since the WinSock Proxy Client software intercepts the packet on the first pass, the data passes the TCP layer only once.

There is a workaround for this issue. If you want a PPTP client or PPTP server to reside in your internal network, you should enable IP forwarding on the Proxy Server computer to let packets reach your internal PPTP client or server. Of course this will also create a significant security problem, since now your internal network is visible from the Internet. You can increase security by enabling packet filters. Microsoft Proxy Server contains the predefined packet filters "PPTP call" and "PPTP receive." They should be added to the configuration in order to permit outbound and inbound PPTP connections, respectively.

Since your PPTP enabled computer is on the internal network, you should create a static filter that allows packets to travel to your PPTP enabled computer (see Figure 9.2).

Here, a packet filter for the internal PPTP server is created. The PPTP server is located in the internal network and has an IP address of 195.209.225.15. Note that this IP address should be routable from the Internet. In other words, you cannot use an IP address from the private address space (internal network) here.

Figure 9.2: Creating a PPTP filter for an internal host.

There is a limitation in MS Proxy filtering, however. If you try to set up a custom filter for any computer on your internal network, you will get the message shown in Figure 9.3.

This happens when you create a packet filter for an internal IP address (one that is in the LAT). To solve this problem, you will have to exclude the IP address of that computer from LAT.

When you put a PPTP client or server on the internal network, you must keep in mind that, if IP routing on this computer is enabled, packets from the external network can reach other computers in your internal network. This of course makes the foregoing solution less desirable.
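The two conditions stated above (the filter's Local host must not be in the LAT, or the "Invalid local host" message appears, and it must be routable from the Internet) as a check you can run against a LAT before creating the filter. This is an added example and not Proxy Server code: the LAT is modelled as a list of (first, last) address ranges, the way the Local Address Table dialog presents it, and the LAT contents below are constructed around the internal PPTP server address used in the text, 195.209.225.15.

```python
"""Validate a static packet filter's Local host address against the Proxy Server LAT."""
import ipaddress

LAT_ERROR = "An invalid local host address was specified for the packet filter"


def lat_contains(lat_ranges, address: str) -> bool:
    """True if `address` falls inside any (first, last) range of the LAT."""
    addr = ipaddress.IPv4Address(address)
    return any(ipaddress.IPv4Address(lo) <= addr <= ipaddress.IPv4Address(hi)
               for lo, hi in lat_ranges)


def check_filter_local_host(lat_ranges, address: str):
    """Return (ok, reason) for using `address` as a packet filter's Local host."""
    if lat_contains(lat_ranges, address):
        return False, LAT_ERROR + " (address is in the LAT)"
    if ipaddress.IPv4Address(address).is_private:
        return False, "address is in private space, so it is not routable from the Internet"
    return True, "ok"


def exclude_from_lat(lat_ranges, address: str):
    """Return a new LAT with `address` removed, splitting the range that contained it."""
    addr = ipaddress.IPv4Address(address)
    result = []
    for lo, hi in lat_ranges:
        lo_a, hi_a = ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi)
        if not (lo_a <= addr <= hi_a):
            result.append((lo, hi))
            continue
        if lo_a < addr:
            result.append((lo, str(addr - 1)))
        if addr < hi_a:
            result.append((str(addr + 1), hi))
    return result


# Constructed LAT: a private block plus the routable block that holds the internal PPTP server.
LAT = [("10.0.0.0", "10.255.255.255"), ("195.209.225.0", "195.209.225.255")]

if __name__ == "__main__":
    print(check_filter_local_host(LAT, "195.209.225.15"))    # rejected: still in the LAT
    fixed = exclude_from_lat(LAT, "195.209.225.15")
    print(fixed)
    print(check_filter_local_host(fixed, "195.209.225.15"))  # ok
    print(check_filter_local_host(fixed, "10.0.0.5"))        # rejected: in the LAT and private
```

Excluding the host from the LAT is what makes the filter acceptable; note that excluding a private address from the LAT does not help, because the second condition (routable from the Internet) still fails.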

Figure 9.3: Invalid local host message.

Running PPTP on the Server

It is more desirable to run the PPTP server on the Proxy Server computer. To do this, you should install Routing and Remote Access Service (RRAS) on the Proxy Server computer. If, however, you install the software in the incorrect order, some services may not start or may fail to function properly. Let's review the recommended installation sequence.

To install RRAS server and Proxy Server on one computer, do the following:

1. Install Windows NT Server 4.0.
2. Install all necessary Windows NT Services, Protocols, Network Adapters, and Software.
3. Apply Windows NT 4.0 Service Pack 4.
4. Install Routing and Remote Access Service.
5. Install Internet Explorer 4.01 SP1.
6. Install Windows NT 4.0 Option Pack.
7. Install Proxy Server 2.0.
8. Reapply Windows NT 4.0 Service Pack 4.
9. Apply Windows NT Service Pack 4.0 hotfixes. Check the Microsoft Web site for any updated PPTP/RRAS fixes.

After all the software is installed, you should check that IP forwarding is disabled in the TCP/IP properties dialog box. If IP forwarding is enabled, your internal network is accessible from the Internet, which could be a serious security problem.

Additionally, you should enable packet filtering and create static packet filters for "PPTP Call" if your computer acts as a PPTP client; and "PPTP Receive" if your computer is a PPTP Server (see Figure 9.4).

There are a couple of other alternative solutions to integrate Microsoft Proxy Server 2.0 and RRAS. These solutions utilize RRAS packet filtering capabilities instead of Proxy Server packet filtering. RRAS packet filtering is beyond the scope of this book. You can find more information regarding this by referring to the RRAS documentation and to Microsoft Knowledge Base article 169548, Using Proxy Server with Routing and Remote Access (http://support.microsoft.com/default.aspx?scid=KB;en-us;169548&sd=tech).

Figure 9.4: PPTP packet filters.

Study Break

Testing the Deployment of Proxy Server and the PPTP-Enabled RAS Server

1. To set up the PPTP client in the internal network, go to the Control Panel on the internal computer, click Network, and go to the Protocols tab. Ensure that the TCP/IP protocol is installed. Add the Point-to-Point Tunneling Protocol (PPTP) and Remote Access Server. Set the RAS port to Dial Out only. (For more information about installing and configuring Remote Access Server on Windows NT refer to the product documentation.)
2. Install the PPTP-enabled RAS server on the external network. Set the external RAS server to Receive Calls Only. In Control Panel | Network | Services | Remote Access Service | Network click Configure under the Server Settings box. Set the static address pool of IP addresses that will be used by the clients of this RAS server. (For more information about setting up a RAS server refer to the Windows NT documentation.)

To configure the Proxy Server computer to pass PPTP requests:

1. In the WinSock Proxy service properties, click Local Address Table and exclude the internal RAS client's IP address from the LAT.
2. Click OK to close the Local Address Table Configuration dialog box. Click OK to close the WinSock Proxy service properties.
3. Launch Control Panel, double-click the Network icon, go to the Protocols tab, select TCP/IP properties, go to the IP Forwarding tab, and check the box Enable IP Forwarding.
4. Reboot the Proxy Server computer.
5. After the computer is restarted, launch Internet Service Manager and go to the WinSock Proxy service properties.
6. Click the Security button and check the Enable packet filtering checkbox on the external interface. Then:
   To add a static PPTP filter, click Add.
   In the Packet Filter Properties dialog box, select PPTP Call from the Predefined filter drop-down list.
   To let the PPTP packets go to the specific internal computer, select the Internal computer option in the Local host box and enter the IP address of the internal PPTP client.
   Optionally, you can restrict the packet filter to PPTP packets from the specific external PPTP-enabled RAS server. To do this, specify the IP address of the external RAS server in the Single host field of the Remote host box.
   Click OK to close the Packet Filter Properties dialog box.
   Click OK to close the WinSock Proxy service properties dialog box.
7. If you get the error message "An invalid local host address was specified for the packet filter," check that the internal PPTP client's IP address is excluded from the Proxy Server LAT.
8. Test the communication by connecting to the external PPTP server from the internal PPTP client.

Proxy Server and Exchange Server

It is impossible today to think of an organization that is connected to the Internet but has no e-mail connectivity. E-mail is still the most commonly used service on the Internet. Many software vendors have developed e-mail server software that allows you to send and receive e-mail messages from the Internet. Microsoft Exchange Server is one of the tools that offers e-mail functionality in addition to other powerful features such as scheduling, storage services, and corporate document flow. The reasonable question at this point is: "How does Exchange Server operate in a Proxy Server environment and what are the configuration steps to make it work?" This question becomes rather difficult when you consider that Exchange Server integrates several different messaging protocols (for example, SMTP, POP3, IMAP4, LDAP, and NNTP).

There are three methods that can be used to allow Exchange Server to coexist with Proxy Server:

Put Exchange Server and Proxy Server on the same physical computer

Put Exchange Server on a computer that is connected in parallel with the Proxy Server computer

Install Exchange Server on a computer that is located in the internal network and configure Proxy Server to propagate incoming requests from the Internet to the Exchange computer

Each solution requires not only installation of the corresponding software products, but also a sophisticated configuration or IP addressing scheme, DNS records, IP routing, and packet filtering.

Installing Exchange Server on the Internal Network

If you decide to install an Exchange computer on the internal network behind the Proxy Server you must use server proxying. Server proxying gives you the ability to listen for the inbound packets destined for a computer located on the internal network (behind the Proxy Server computer). Proxy Server forwards all incoming requests to the internal computer (see Figure 9.5).

In this scenario, the Internet hosts think that Exchange Server is running on the same computer as the Proxy Server computer while, in fact, Proxy Server listens for connections on behalf of the internal server. The Exchange Server computer does not have to have an IP address visible from the Internet - it is treated like a normal WinSock client.

In order to make the Exchange Server work behind Proxy Server, you need to perform the following steps:

1. Install the WinSock Proxy Client software on the Exchange Server computer.
2. Configure at least one address of an Internet DNS server in the DNS settings of the Exchange Server's Network TCP/IP settings.
3. Configure WinSock Proxy service access control.
4. Configure Proxy Server packet filtering.
5. Configure the Exchange services to use the WinSock Proxy service.
6. Update the DNS MX records to point to the Proxy Server's external interface.

Figure 9.5: Exchange Server behind a Proxy Server computer.

Let's now discuss some of these steps in greater detail. Before installing WinSock Proxy client software on an Exchange Server computer, you should select the Client connects to Microsoft Proxy Server by IP address option in the Client Installation/Configuration dialog of the WinSock Proxy Service Properties tab (see Figure 9.6).

After you have specified this option you must install (or reinstall) the WinSock Proxy client software by connecting to the Mspclnt shared folder and running setup.

You also need to ensure that the Exchange Server computer uses at least one Internet name server for host name resolution. If you don't configure the DNS settings to point to at least one Internet DNS server, your Exchange Server will not be able to properly send e-mail messages to the Internet.

After the WinSock client is installed, it may be a good idea to check its functionality by using a WinSock client application, such as a command line FTP client or a newsreader like Outlook Express.

The next step is to configure the WinSock Proxy service access control. If Access Control is not enabled, no additional steps are required. If you decide to enable Access Control, you must grant access to the Exchange Server service account. This service account must be visible to the Proxy Server computer. In other words, it must belong to the same Windows NT domain as the Proxy Server or a domain trusted by that domain. You should grant the Exchange service account Unlimited access on the WinSock Proxy service Permissions tab.

Figure 9.6: Client computers should connect to Proxy Server by IP address.

You must also create two files named WSPCFG.INI and place them in the directories where the Exchange Server Internet Mail Service (or Internet Mail Connector, for versions of Exchange prior to 5.0) and the Information Store reside. These files tell the Exchange Server services which listening ports to redirect to the Proxy Server computer.

For the Internet Mail Service the WSPCFG.INI file should look like this:

[MSEXCIMC]
ServerBindTcpPorts=25
Persistent=1
KillOldSession=1

You must place this file in the directory where the Internet Mail Service executable file is located (usually \EXCHSRVR\CONNECT\MSEXCIMC\BIN). This will bind the SMTP port (port number 25) on the Exchange Server computer to port number 25 on the Proxy Server. Internet hosts will contact the Proxy Server on port 25, as it is the well-known port for sending Internet mail messages, and Proxy Server will forward the requests to port 25 on the Exchange Server computer.

Note: If you have Internet Information Server 4.0 with SMTP service running on the Proxy Server computer, you must stop and disable the SMTP service to prevent it from capturing port 25. If you have a third party SMTP service running on the Proxy Server computer, you must disable it as well.

The second WSPCFG.INI file is used by the Microsoft Exchange Server Information Store. Create this file in any text editor such as Notepad and place it where the STORE.EXE file resides. By default, the STORE.EXE file is located in the \EXCHSRVR\BIN directory. The WSPCFG.INI file for the Information Store should resemble the following:

[STORE]
ServerBindTcpPorts=110,119,143
Persistent=1
KillOldSession=1

This file specifies that the Exchange Server Information Store should bind Post Office Protocol or POP3 (port 110); Network News Transfer Protocol (NNTP - port 119); and Internet Mail Access Protocol (IMAP) version 4 (port 143) to the corresponding ports on the Proxy Server computer. You can remove any port number from the WSPCFG.INI file if you do not need the related service to be visible from the Internet.

After you've created and saved these two files, reboot your Exchange Server computer. Exchange Server should now be listening on the external network interface of the Proxy Server computer. You can now check if Exchange Server can respond to Internet requests. This will not prevent a local client from connecting to Exchange Server using, for example, SMTP or POP3 protocols. Of course, local clients should use the internal IP address of the Exchange Server computer, not the Proxy Server's IP address.

Note: Make sure you've created and saved the WSPCFG.INI files without the TXT extension. When you save files with some text editors (such as Notepad), the default extension may be added to the original file name. In this case you will need to rename the file.

Additionally, if you want to provide outside users with Lightweight Directory Access Protocol (LDAP) connectivity to the Exchange Server, you should add the following lines to the WSPCFG.INI file located in the directory containing the Exchange Server Directory Service (DSAMAIN.EXE):

[DSAMAIN]
ServerBindTcpPorts=389
Persistent=1
KillOldSession=1

Since the Directory Service executable resides in the same \EXCHSRVR\BIN directory as STORE.EXE, this means that you must add these lines to the WSPCFG.INI file that you have already created for the Information Store, as a second section.

Once you've determined that your Exchange Server responds to Internet requests, you should configure the DNS MX records to point to the external Proxy Server IP address. This will permit e-mail to be sent successfully from anywhere on the Internet to your Exchange Server. If the DNS records point to the Proxy Server's internal IP address or to the Exchange Server's IP address on the internal network, Exchange Server will not function correctly. If you are using an Internet Service Provider to host your DNS, you must contact them and request that they change or add the MX and A records for your organization.

The MX record is used to identify which server on your network is to receive mail messages from the Internet. In the case when Exchange Server is located behind the Proxy Server and the Proxy Server external network interface has an IP address of w.x.y.z, the DNS records should look similar to the following:

A record:

exchs.mydomain.com       IN A     w.x.y.z

MX record:

mydomain.com             IN MX    10 exchs.mydomain.com

PTR record:

z.y.x.w.in-addr.arpa     IN PTR   exchs.mydomain.com

Note that the last entry is not required and should be added to the reverse DNS zone only if you want to provide reverse DNS lookup. The above DNS entries must be included in the DNS server that is used by Internet (external network) hosts, not internal clients.

Once you complete these steps, your Exchange Server should be able to send messages to and receive messages from the Internet. Computers from the Internet will be able to use SMTP, POP3, LDAP, IMAP4, and NNTP to connect to the Exchange Server computer.

To provide additional security, you could enable packet filtering on the Proxy Server computer to permit packets only from specific computers and only to specific services. If Exchange Server is located behind the Proxy Server computer, you can turn on packet filtering and enable dynamic packet filtering.

If you want to use Outlook Web Access on Exchange Server and put that Exchange Server behind Proxy Server, you will need to implement reverse proxying. You need to redirect certain URLs (which can be used to identify the Exchange Server on the external network) to the Exchange Server. Use the Publishing tab in the Web Proxy service properties to configure reverse proxying.

Note: Communication with Microsoft Exchange Server or other third-party SMTP servers may be very slow when you install them behind a Proxy Server version 2.0 computer with packet filtering selected (enabled). The mail delivery to and from the Internet may take several minutes or fail completely. To solve this problem, you must add the predefined filter for Identd. For more information about this issue, see Microsoft Knowledge Base article 176947.

For additional information about setting up Exchange Server behind Proxy Server, refer to Microsoft Knowledge Base article 181420.

Study Break

Multiple Exchange Servers Behind Proxy Server

If you decide to put multiple Exchange Servers behind a Proxy Server computer, you may run into a problem. You may remember that, in order to have multiple machines binding to the same port on the proxy server, the proxy server will have to have multiple external addresses. Multiple addresses can be added to the external interface of the proxy by adding multiple addresses to the same external network card.

To specify which address to bind to on the proxy server, we will need to place additional information in the WSPCFG.INI file. You must add the following lines for the application, or service, to specify which external address to bind to on the proxy server:

ProxyBindIp=[port]:[IP address],[port]:[IP Address]

For example, when an Exchange server needs to listen for port 119 (NNTP) on 207.22.36.1 and port 110(POP3) on 207.22.36.2, the ProxyBindIP line would look like:

ProxyBindIP=119:207.22.36.1,110:207.22.36.2

To successfully implement this feature, it is highly recommended you install the Microsoft Proxy Server 2.0 combined hotfix. The combined hotfix is described in Microsoft Knowledge Base article 190997.
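A parser for the WSPCFG.INI files described in this section and in the study break above, producing the inventory a defender wants: which ports the Proxy Server will open on which external address, on behalf of which service. This is an added example and not code from the book or from Proxy Server. The file contents are constructed from the Exchange examples shown earlier (Internet Mail Service, Information Store, Directory Service), with the study break's ProxyBindIp line added to the [STORE] section; the default external address 203.0.113.1 is assumed. The same parser applies to any other service's WSPCFG.INI.

```python
"""Parse WSPCFG.INI files and list the listeners they open on the Proxy Server's external interface."""
import configparser

WELL_KNOWN = {25: "SMTP", 110: "POP3", 119: "NNTP", 143: "IMAP4", 389: "LDAP", 1433: "SQL Server"}

WSPCFG_FILES = {   # constructed: path -> file contents
    r"\EXCHSRVR\CONNECT\MSEXCIMC\BIN\WSPCFG.INI": """
[MSEXCIMC]
ServerBindTcpPorts=25
Persistent=1
KillOldSession=1
""",
    r"\EXCHSRVR\BIN\WSPCFG.INI": """
[STORE]
ServerBindTcpPorts=110,119,143
Persistent=1
KillOldSession=1
ProxyBindIp=119:207.22.36.1,110:207.22.36.2

[DSAMAIN]
ServerBindTcpPorts=389
Persistent=1
KillOldSession=1
""",
}


def parse_wspcfg(text: str) -> dict:
    """Return {section: {"ports": [...], "bind": {port: ip}, "persistent": bool, "kill_old_session": bool}}."""
    cp = configparser.ConfigParser()   # option names are matched case-insensitively, as Windows INI files are
    cp.read_string(text)
    parsed = {}
    for section in cp.sections():
        ports_raw = cp.get(section, "ServerBindTcpPorts", fallback="")
        ports = [int(p) for p in ports_raw.split(",") if p.strip()]
        bind = {}
        for item in cp.get(section, "ProxyBindIp", fallback="").split(","):
            if ":" in item:
                port, ip = item.strip().split(":", 1)
                bind[int(port)] = ip
        parsed[section] = {
            "ports": ports,
            "bind": bind,
            "persistent": cp.get(section, "Persistent", fallback="0") == "1",
            "kill_old_session": cp.get(section, "KillOldSession", fallback="0") == "1",
        }
    return parsed


def exposed_listeners(files: dict, default_external_ip: str) -> list:
    """Inventory of (external address, port, service, INI section, file) the proxy will listen on."""
    rows = []
    for path, text in files.items():
        for section, cfg in parse_wspcfg(text).items():
            for port in cfg["ports"]:
                ip = cfg["bind"].get(port, default_external_ip)   # ProxyBindIp overrides the default address
                rows.append((ip, port, WELL_KNOWN.get(port, "unknown"), section, path))
    return sorted(rows)


def proxy_bind_without_server_bind(files: dict) -> list:
    """ProxyBindIp ports that the section never lists in ServerBindTcpPorts (a likely typo)."""
    findings = []
    for path, text in files.items():
        for section, cfg in parse_wspcfg(text).items():
            for port in cfg["bind"]:
                if port not in cfg["ports"]:
                    findings.append((path, section, port))
    return findings


if __name__ == "__main__":
    for row in exposed_listeners(WSPCFG_FILES, "203.0.113.1"):
        print(row)
    print("inconsistent ProxyBindIp entries:", proxy_bind_without_server_bind(WSPCFG_FILES))
```

Reviewing the resulting list is also the easiest way to apply the advice to remove any port you do not need visible from the Internet: every row is a service the proxy will accept connections for.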

Putting Exchange Server on the Proxy Server Computer

You can install Exchange Server on the Proxy Server computer. In this case, Exchange Server is able to serve all client requests from both the internal and external networks. However, if Proxy Server packet filtering is enabled, all communications with Internet mail clients and servers are blocked.

In the previous scenario, we solved the packet filtering issue by enabling the dynamic packet filtering on the Proxy Server computer. Dynamic packet filtering, however, allows WinSock Proxy clients to connect to the Internet when the requests are going through the Proxy Server service software. If you install Exchange Server on the Proxy Server computer, Proxy Server services are not involved when attempting to communicate with the Internet and dynamic packet filtering will not work.

To prevent Exchange Server communications from being blocked by Proxy Server, static filters must be configured and enabled. Exchange Server running on the Proxy Server computer requires two types of static filters: static filters for the client side (so Exchange Server can connect to other mail servers on the Internet) and static filters for the server side (so Internet servers are able to connect to Exchange Server). You need to create static packet filters for outbound SMTP, POP3, and IDENTD access. You can do this by choosing the corresponding predefined static filters in the Packet Filter Properties dialog box. You also need to create custom static packet filters for inbound access for SMTP, POP3, and LDAP using the description shown in Table 9.1.

Table 9.1 Static Filters For Use With Microsoft Exchange Server

Name   Dir    Protocol   Local Port   Remote Port   Local Address   Remote Address
SMTP   In     TCP        25           Any           Default         Any
POP3   In     TCP        110          Any           Default         Any
LDAP   Both   TCP        389          Any           Default         Any
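A model of the static filters in Table 9.1, plus the client-side predefined filters named above, evaluated against sample connections from the proxy's point of view. This is an added example and not Proxy Server code. "Default" in the Local Address column means the proxy's external addresses and "Any" matches everything, as in the table; the outbound SMTP and Identd rules are my rendering of the predefined filters the text names, with their ports assumed from the well-known port numbers (25 and 113); the external address 203.0.113.1 and the sample connections are constructed.

```python
"""Evaluate connections against static packet filters of the kind shown in Table 9.1."""
from dataclasses import dataclass
from typing import Optional, Union

Port = Union[int, str]   # a port number or "Any"


@dataclass(frozen=True)
class StaticFilter:
    name: str
    direction: str     # "In", "Out" or "Both"
    protocol: str      # "TCP" or "UDP"
    local_port: Port
    remote_port: Port
    local_addr: str    # "Default" (proxy external addresses) or a specific IP
    remote_addr: str   # "Any" or a specific IP


TABLE_9_1 = [
    StaticFilter("SMTP", "In", "TCP", 25, "Any", "Default", "Any"),
    StaticFilter("POP3", "In", "TCP", 110, "Any", "Default", "Any"),
    StaticFilter("LDAP", "Both", "TCP", 389, "Any", "Default", "Any"),
]
CLIENT_SIDE = [   # Exchange on the proxy connecting out to other mail servers (ports assumed)
    StaticFilter("SMTP (predefined, outbound)", "Out", "TCP", "Any", 25, "Default", "Any"),
    StaticFilter("Identd (predefined)", "In", "TCP", 113, "Any", "Default", "Any"),
]
PROXY_EXTERNAL = {"203.0.113.1"}   # constructed external address of the proxy


def _port_ok(rule: Port, port: int) -> bool:
    return rule == "Any" or rule == port


def _addr_ok(rule: str, addr: str, external: set) -> bool:
    if rule == "Any":
        return True
    if rule == "Default":
        return addr in external
    return rule == addr


def permitted_by(filters, packet: dict, external=PROXY_EXTERNAL) -> Optional[str]:
    """Name of the first static filter that admits `packet`, or None if it is dropped.

    packet keys: direction ("In"/"Out"), protocol, local_addr, local_port,
    remote_addr, remote_port, always from the proxy's point of view.
    """
    for f in filters:
        if f.protocol != packet["protocol"]:
            continue
        if f.direction != "Both" and f.direction != packet["direction"]:
            continue
        if not (_port_ok(f.local_port, packet["local_port"])
                and _port_ok(f.remote_port, packet["remote_port"])
                and _addr_ok(f.local_addr, packet["local_addr"], external)
                and _addr_ok(f.remote_addr, packet["remote_addr"], external)):
            continue
        return f.name
    return None


def sample(direction: str, local_port: int, remote_port: int, remote_addr: str = "198.51.100.9") -> dict:
    """A constructed TCP connection to or from the proxy's external address."""
    return {"direction": direction, "protocol": "TCP", "local_addr": "203.0.113.1",
            "local_port": local_port, "remote_addr": remote_addr, "remote_port": remote_port}


if __name__ == "__main__":
    rules = TABLE_9_1 + CLIENT_SIDE
    print(permitted_by(rules, sample("In", 25, 40211)))     # SMTP
    print(permitted_by(rules, sample("In", 1433, 40212)))   # None: no static filter, dropped
    print(permitted_by(rules, sample("Out", 3055, 25)))     # SMTP (predefined, outbound)
    print(permitted_by([], sample("In", 25, 40211)))        # None: without static filters nothing inbound is admitted
```

The last call is the situation described above for Exchange on the proxy itself: the Exchange traffic never passes through the WinSock Proxy service, so dynamic filtering opens nothing and every port Exchange uses must have an explicit static filter. Restricting the Remote Address column to specific peers, as the text suggests, is a one-field change to the rule.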

Study Break

Adding Predefined Packet Filters

To add predefined packet filters for Exchange-to-Internet-host communication:

1. In the Security dialog box on the Packet Filters tab, click Add.
   In the Packet Filter Properties dialog box, select the SMTP predefined filter.
   By default, the predefined filters will allow communication to/from any host on the Internet. If needed, modify the Local host and Remote host settings.
2. Click OK.
3. Repeat steps 1 through 3 to add the IDENTD filter.
4. Repeat steps 1 through 3 to add the POP3 filter if you are using POP3.

To add predefined packet filters for Internet-host-to-Exchange communication:

1. In the Security dialog box on the Packet Filters tab, click Add.
2. For inbound SMTP connections add the following custom filter:
   Direction: inbound
   Local Port: fixed port: 25
   Remote Port: ANY
   Local Host: default proxy external IP addresses
   Remote Host: any
   By default, the custom filters will allow communication to/from any host on the Internet. If needed, modify the Local Host and Remote Host settings.
3. Click OK.
4. For inbound POP3 connections add the following custom filter:
   Direction: inbound
   Local Port: fixed port: 110
   Remote Port: ANY
   Local Host: default proxy external IP addresses
   Remote Host: any
   By default, the custom filters will allow communication to/from any host on the Internet. If needed, modify the Local Host and Remote Host settings.
5. Click OK.
6. For inbound LDAP connections add the following custom filter:
   Direction: both
   Local Port: fixed port: 389
   Remote Port: ANY
   Local Host: default proxy external IP addresses
   Remote Host: any
   By default, the custom filters will allow communication to/from any host on the Internet. If needed, modify the Local Host and Remote Host settings.
7. Click OK.
8. Click OK to close the Security dialog box and click OK to close the service properties dialog box.

In addition to creating the static packet filters, you may want to change the MX record in DNS to point to the Proxy Server external interface.

Exchange Server in Front of or in Parallel with the Proxy Server

Another option of integrating Exchange Server with Proxy Server is to put Exchange Server outside the local LAN (on the external network). In this case, no specific configuration to the Exchange Server or to Proxy Server is required.

You can also install Exchange Server in parallel with the Proxy Server and disable IP forwarding on the Exchange Server computer to prevent it from routing packets between the internal and external LAN. (When we say "in parallel," we mean the Exchange Server will have a network adapter that connects to the external network as well as one that connects to the internal network.) This could potentially decrease the load on Proxy Server since local clients are not required to pass it to reach the Exchange Server.

You should remember that, when the Exchange Server is installed in front of or in parallel with the Proxy Server, the Exchange Server does not benefit from any of the network protection afforded by Proxy Server.

Microsoft SQL Server and Proxy Server

If you want Microsoft SQL Server to coexist with Proxy server and respond to external requests, you again have different methods. The first and easiest is to install SQL on the same computer where Proxy Server resides. Another method is to set up SQL Server as a WinSock Proxy client and put it on the internal network.

In order to make SQL Server visible from the external network, you need to configure SQL Server to use TCP/IP sockets in its SQL Net Library. Proxy Server must use IP Address under the WinSock Proxy client configuration (as we did with the Exchange Server). You must install the WinSock Proxy Client software on the SQL Server computer and add the SQL Server computer's IP address to the Proxy Server's Local Address Table if it is not already there. If Packet Filtering is enabled on the Proxy Server, Dynamic Packet Filtering of Microsoft Proxy Server packets should also be selected.

The next step is to create the WSPCFG.INI file on the computer running SQL Server. The file should look like the following:

[sqlservr]
ServerBindTCPPorts=1433
Persistent=1
KillOldSession=1

Place the WSPCFG.INI file in the same folder as Sqlservr.exe; by default this is C:\Mssql\Binn. The last step is to restart the SQL Server computer.

After you complete the preceding steps, your SQL Server should be accessible to external SQL clients using TCP/IP (clients must be configured to use TCP/IP as their default network library; this is done with the SQL Server Client Network Utility installed with SQL Server). Point the SQL clients at the Proxy Server's external interface rather than at the SQL Server itself.

Other Internet Services Behind Proxy Server

FTP Server Behind Proxy Server

If you have an FTP server, you can place it behind Proxy Server as well. Before we begin the configuration discussion, let's take a brief look at how FTP works. FTP uses two separate TCP connections between client and server: a control connection and a data transfer connection. The control connection starts the communication between the FTP client and the FTP server and is maintained for the duration of the FTP session. It uses port 21 on the server and a port greater than 1023 on the client. The data connection exists only while data is being transferred between client and server; it is closed after each transfer completes, while the control connection remains open. In the active mode described here the server opens the data connection itself, from its port 20, to a port the client announced on the control connection. In passive (PASV) mode, by contrast, the server listens on a port above 1023 and the client opens the data connection; the Wspcfg.ini settings below bind port 20 for the active-mode data connection.
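The following is an added example, not code from the chapter, that models the two-connection exchange just described: it encodes and decodes the h1,h2,h3,h4,p1,p2 address form carried by the PORT command and the 227 PASV reply, and works out which side opens the data connection and from which port. That is exactly what the Wspcfg.ini below binds, ServerBindTcpPorts=21 for the inbound control connection and LocalBindTcpPorts=20 for the server-initiated active-mode data connection. The proxy external address 209.13.14.2 and the client 198.51.100.7 are constructed for illustration.

```python
"""FTP control/data connection model (added example; addresses are constructed)."""
import re

_HP = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def encode_hostport(ip: str, port: int) -> str:
    """ip:port -> 'h1,h2,h3,h4,p1,p2' (port split into high and low byte)."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {ip!r}")
    if not 0 <= port <= 65535:
        raise ValueError(f"bad port: {port}")
    return ",".join(octets + [str(port >> 8), str(port & 0xFF)])


def decode_hostport(text: str) -> tuple:
    """Pull (ip, port) out of a PORT argument or a '227 Entering Passive Mode (...)' reply."""
    m = _HP.search(text)
    if m is None:
        raise ValueError(f"no h1,h2,h3,h4,p1,p2 tuple in {text!r}")
    n = [int(x) for x in m.groups()]
    if any(v > 255 for v in n):
        raise ValueError(f"byte out of range in {text!r}")
    return ".".join(map(str, n[:4])), (n[4] << 8) | n[5]


def data_connection(mode: str, server_ip: str, client_ip: str,
                    client_port: int = 0, pasv_port: int = 0) -> dict:
    """Describe the data connection that follows the control-channel negotiation.

    active:  client sends PORT <client addr>; the SERVER connects out from port 20.
    passive: client sends PASV; server answers 227 <server addr>; the CLIENT connects in.
    """
    if mode == "active":
        return {
            "control_line": "PORT " + encode_hostport(client_ip, client_port),
            "opened_by": "server",
            "src": (server_ip, 20),            # this is what LocalBindTcpPorts=20 is for
            "dst": (client_ip, client_port),
        }
    if mode == "passive":
        return {
            "control_line": "227 Entering Passive Mode (%s)." % encode_hostport(server_ip, pasv_port),
            "opened_by": "client",
            "src": (client_ip, None),          # ephemeral port chosen by the client
            "dst": (server_ip, pasv_port),     # a server port above 1023, not 20
        }
    raise ValueError(f"unknown mode {mode!r}")


if __name__ == "__main__":
    # Constructed session: client 198.51.100.7 talking to the proxy's external
    # interface 209.13.14.2, which fronts the FTP server behind it.
    active = data_connection("active", "209.13.14.2", "198.51.100.7", client_port=40010)
    passive = data_connection("passive", "209.13.14.2", "198.51.100.7", pasv_port=5001)
    for d in (active, passive):
        print(d["control_line"], "->", d["opened_by"], "opens", d["src"], "->", d["dst"])
```

The active-mode entry is the one the chapter's configuration handles: the data connection leaves the Proxy Server's external interface with source port 20, which is why port 20 must be bound locally and why the outbound static filter in Table 9.2 exists.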

You can configure an FTP service to work with Proxy Server to handle incoming Internet client requests. For the FTP service that is provided with Microsoft Internet Information Server 3.0, for example, you should create a Wspcfg.ini file with the settings below and place it in the directory that contains the inetinfo.exe file. Note that you should place the WSPCFG.INI file on the FTP server computer, not on the Proxy Server computer.

[INETINFO]
ServerBindTcpPorts=21
LocalBindTcpPorts=20
Persistent=1
KillOldSession=1
ForceCredentials=1

The ForceCredentials line specifies the account under which the FTP service authenticates to Proxy Server. Use the Credtool utility, installed with the WinSock Proxy client in the \Mspclnt directory, to store those credentials. The credentials must be for the account used by inetinfo, the executable that runs the FTP service.

The proper syntax is:

credtool.exe -w -n inetinfo -c username domain password

where:

inetinfo specifies the name of the .exe file (here "inetinfo", without the extension).

username specifies the user name.

domain specifies the domain of that account; for an account local to the Proxy Server computer, this is that computer's name.

password specifies the account's password.

In addition, if packet filtering is enabled, you must create a static packet filter definition on the Proxy Server computer providing the WinSock Proxy service, with the parameters from Table 9.2.

Table 9.2 Static Filters For Use With FTP

Dir   Protocol   Local Port    Remote Port   Local Address   Remote Address
In    TCP        21            Any           Default         Any
Out   TCP        Dyn or Any    Any           Default         Any

Finally, for Internet users to reach your internal FTP server by Fully Qualified Domain Name (FQDN), create an A or CNAME record for the FTP server that points to the Proxy Server's external address.

Non-Windows Servers Behind the Proxy Server

Non-Windows servers cannot run the WinSock Proxy client and therefore cannot benefit from Proxy Server's reverse hosting and server proxying. The only exceptions are HTTP servers, which can use Proxy Server's Web publishing features, and services that are simply relayed by third-party software installed on the Proxy Server computer (for example, SMTP). So it is reasonable to ask how non-Windows servers can coexist with Proxy Server at all.

One of the most popular solutions to this problem is the creation of a so-called demilitarized zone (DMZ). This approach gives a non-Windows server a way to publish to the Internet while remaining reachable by internal clients, without placing it on the internal network.

The basic idea of the DMZ is to create a third zone in your network that will be accessible to both local and Internet users (see Figure 9.7).

Technically, the DMZ is attached to your local area network, but it uses valid, globally routable Internet addresses. Its address space is excluded from the LAT, so as far as Proxy Server is concerned the DMZ is outside your network. The DMZ is routed from the Internet through the Proxy Server computer and can be protected by Proxy Server's filtering capabilities. Because the servers in the DMZ are not necessarily WinSock-compliant (they cannot run the WinSock Proxy client), dynamic packet filters do not apply to them; you must create static filters to allow Internet access to those servers. The routing tables are set so that the DMZ servers can talk to computers in the internal network and vice versa. Communications from the internal network to the Internet, and from the Internet to the internal network, must still go through the Proxy Server services, since the local network uses IP addresses that are not directly visible from the Internet.

To implement a demilitarized zone:

1. Install your Proxy Server with three network interfaces. Two of them (the Internet side and the DMZ side) need valid Internet addresses on different IP subnets; the third, internal interface takes an address from the private address space.

2. Enable IP Forwarding.

3. Make sure your DMZ servers have valid Internet IP addresses on the DMZ subnet.

4. Include the private address range in the LAT. Make sure the LAT contains no Internet addresses and no DMZ addresses.

5. Set your DMZ servers to use the Proxy Server computer (its DMZ interface) as their Default Gateway. This is required for servers in the DMZ to publish to the Internet and to be reachable by local clients.

6. Test your configuration by pinging between a DMZ server and a computer on the Internet.
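The addressing rules in the procedure above are easy to get wrong, and a DMZ or public range that slips into the LAT silently defeats the design. The following is an added example, not from the chapter, that checks a plan against those rules: a private internal interface, two globally routable interfaces on distinct subnets, DMZ servers on the DMZ subnet, and a LAT that covers the internal interface but contains nothing public. The DMZ subnet 209.13.15.0/24 is taken from the chapter's telnet example; every other address is constructed for illustration.

```python
"""Check a DMZ addressing plan against the six-step procedure (added example)."""
import ipaddress as ipa


def check_dmz_plan(internal_if, external_if, dmz_if, dmz_servers, lat):
    """Return a list of problem strings; an empty list means the plan is consistent.

    internal_if, external_if, dmz_if: 'address/prefix' for the three Proxy Server interfaces
    dmz_servers: addresses of the servers in the DMZ
    lat: the Local Address Table as 'network/prefix' strings
    """
    problems = []
    internal = ipa.ip_interface(internal_if)
    external = ipa.ip_interface(external_if)
    dmz = ipa.ip_interface(dmz_if)

    # Step 1: one private interface, two globally routable ones on distinct subnets.
    if not internal.ip.is_private:
        problems.append(f"internal interface {internal.ip} is not private address space")
    for name, iface in (("external", external), ("DMZ", dmz)):
        if not iface.ip.is_global:
            problems.append(f"{name} interface {iface.ip} is not a globally routable address")
    if external.network.overlaps(dmz.network):
        problems.append(f"external {external.network} and DMZ {dmz.network} share a subnet")

    # Step 3: DMZ servers are routable and live on the DMZ interface's subnet
    # (otherwise the Proxy Server's DMZ interface cannot be their default gateway, step 5).
    for s in dmz_servers:
        ip = ipa.ip_address(s)
        if not ip.is_global:
            problems.append(f"DMZ server {ip} is not a globally routable address")
        if ip not in dmz.network:
            problems.append(f"DMZ server {ip} is not on the DMZ subnet {dmz.network}")

    # Step 4: the LAT holds the private range(s) only: nothing from the DMZ, nothing public.
    lat_nets = [ipa.ip_network(n) for n in lat]
    if not any(internal.ip in n for n in lat_nets):
        problems.append(f"internal interface {internal.ip} is not covered by the LAT")
    for n in lat_nets:
        if n.overlaps(dmz.network):
            problems.append(f"LAT entry {n} overlaps the DMZ {dmz.network}")
        elif not n.is_private:
            problems.append(f"LAT entry {n} is not private address space")
    return problems


if __name__ == "__main__":
    # Constructed plan: 10.0.0.0/8 inside, 209.13.14.0/24 toward the Internet,
    # 209.13.15.0/24 as the DMZ holding the chapter's telnet host.
    good = check_dmz_plan("10.0.0.1/24", "209.13.14.2/24", "209.13.15.254/24",
                          ["209.13.15.1"], ["10.0.0.0/8"])
    bad = check_dmz_plan("10.0.0.1/24", "209.13.14.2/24", "209.13.15.254/24",
                         ["209.13.15.1"], ["10.0.0.0/8", "209.13.15.0/24"])
    print("good plan:", good or "no problems")
    print("bad plan: ", bad)
```

The second call shows the mistake the procedure warns about: adding the DMZ range to the LAT would make Proxy Server treat the DMZ as internal, so its servers would neither be routed from the Internet nor protected by the static filters.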

Figure 9.7: Demilitarized zone.

Enabling Packet Filtering makes this configuration more secure. Unfortunately, the non-Windows servers in the DMZ do not benefit from dynamic filtering, so you will have to create a static filter for each port you want to open on each server. If, for example, you have a Unix-based telnet server in the DMZ at IP address 209.13.15.1, you would create the following static filter:

Protocol ID: TCP
Direction: Both
Remote Port: ANY
Local Port: 23
Local Host: Internal Computer 209.13.15.1
Remote Host: ANY Host

You can, of course, change these settings to limit access to specific machines or change the port for different services.
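To make the effect of these filter definitions concrete, here is an added example (not from the chapter) that models Proxy Server static packet filters as a default-deny, any-match rule set and evaluates constructed packets against both Table 9.2 (FTP behind Proxy Server) and the telnet filter for the DMZ host 209.13.15.1 above. Modelling assumptions: filters are checked per packet and a packet passes if any filter matches; "Dyn" is modelled as the port range 1025-5000; "Default" as the local address means the Proxy Server's external interface, constructed here as 209.13.14.2; the remote client 198.51.100.7 is also constructed. Under this model the FTP case shows why Table 9.2 says "Dyn or Any": the active-mode data connection leaves from local port 20 (bound by LocalBindTcpPorts=20), which a "Dyn" local port would not match.

```python
"""Static packet filter model for the FTP (Table 9.2) and DMZ telnet examples (added example)."""
from dataclasses import dataclass
from typing import Union

ANY = "any"
DYN = range(1025, 5001)          # assumption: "Dyn" = dynamic port range 1025-5000
EXTERNAL_IF = "209.13.14.2"      # constructed: the Proxy Server external interface ("Default")

PortSpec = Union[int, range, str]


@dataclass(frozen=True)
class Filter:
    direction: str       # "in", "out" or "both"
    protocol: str        # "tcp" or "udp"
    local_port: PortSpec
    remote_port: PortSpec
    local_host: str      # an IP, or "default" for the external interface
    remote_host: str     # an IP, or ANY


@dataclass(frozen=True)
class Packet:
    direction: str
    protocol: str
    local_host: str
    local_port: int
    remote_host: str
    remote_port: int


def _port_ok(spec: PortSpec, port: int) -> bool:
    if spec == ANY:
        return True
    if isinstance(spec, range):
        return port in spec
    return spec == port


def _host_ok(spec: str, host: str, default_host: str) -> bool:
    if spec == ANY:
        return True
    if spec == "default":
        return host == default_host
    return spec == host


def matches(f: Filter, p: Packet, default_host: str = EXTERNAL_IF) -> bool:
    return (f.direction in ("both", p.direction)
            and f.protocol == p.protocol
            and _port_ok(f.local_port, p.local_port)
            and _port_ok(f.remote_port, p.remote_port)
            and _host_ok(f.local_host, p.local_host, default_host)
            and _host_ok(f.remote_host, p.remote_host, default_host))


def permitted(filters, p: Packet, default_host: str = EXTERNAL_IF) -> bool:
    """Default deny: a packet passes only if some static filter matches it."""
    return any(matches(f, p, default_host) for f in filters)


def ftp_filters(out_local_port: PortSpec = ANY):
    """Table 9.2; the second row's local port is 'Dyn or Any', so it is a parameter."""
    return [Filter("in", "tcp", 21, ANY, "default", ANY),
            Filter("out", "tcp", out_local_port, ANY, "default", ANY)]


def telnet_filter(dmz_host: str = "209.13.15.1", remote_host: str = ANY):
    """The chapter's telnet filter; pass a remote_host to limit who may connect."""
    return [Filter("both", "tcp", 23, ANY, dmz_host, remote_host)]


# Constructed packets.
CLIENT = "198.51.100.7"
FTP_CONTROL_IN = Packet("in", "tcp", EXTERNAL_IF, 21, CLIENT, 40010)
FTP_DATA_OUT = Packet("out", "tcp", EXTERNAL_IF, 20, CLIENT, 40011)   # active-mode data from port 20
TELNET_IN = Packet("in", "tcp", "209.13.15.1", 23, CLIENT, 50000)
OTHER_PORT_IN = Packet("in", "tcp", "209.13.15.1", 25, CLIENT, 50001)  # no filter opens port 25

if __name__ == "__main__":
    print("FTP control in, Table 9.2:          ", permitted(ftp_filters(), FTP_CONTROL_IN))
    print("FTP data out from port 20, 'Dyn':   ", permitted(ftp_filters(DYN), FTP_DATA_OUT))
    print("FTP data out from port 20, 'Any':   ", permitted(ftp_filters(ANY), FTP_DATA_OUT))
    print("telnet to DMZ host, any remote:     ", permitted(telnet_filter(), TELNET_IN))
    print("port 25 to DMZ host:                ", permitted(telnet_filter(), OTHER_PORT_IN))
    print("telnet, filter limited to one host: ", permitted(telnet_filter(remote_host="192.0.2.9"), TELNET_IN))
```

The last line is the restriction the chapter suggests: narrowing Remote Host from ANY to a specific address drops telnet connections from every other source, while leaving the DMZ host's other ports closed as before.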

Summary

In this chapter we discussed how Microsoft Proxy Server can coexist with other applications in the network. We saw that Proxy Server allows you to use the Point-to-Point Tunneling Protocol to provide secure access to your network from the Internet, and we discussed several ways PPTP and Proxy Server can coexist. You can install a PPTP server or client on the internal network, but then you have to enable IP forwarding and make the PPTP-enabled computer visible from the Internet. This solution is less secure because PPTP requests cannot be redirected by the WinSock Proxy client software and therefore cannot take advantage of Proxy Server's proxying; in that scenario, you can improve security by enabling Proxy Server packet filtering. The other option is to install the PPTP software, along with RRAS, on the Proxy Server computer itself, which is the more secure solution for your network.

We also discussed how Exchange Server can coexist with Proxy Server, and saw several ways to accomplish this. If you install Exchange Server on your internal network, you can take advantage of the WinSock Proxy service's server hosting. The key point in this scenario is the creation of Wspcfg.ini files, placed in the directories that contain the Exchange Server executables; they cause those executables' WinSock requests to be remoted to Proxy Server. Don't forget to modify your DNS records to direct Internet clients to the Proxy Server's external interface, since Proxy Server is acting on behalf of Exchange Server. In this scenario you can also take advantage of dynamic packet filtering.

Alternatively, you may want to consider installing Exchange Server on the Proxy Server computer itself, or install Exchange Server in parallel with the Proxy Server computer. These solutions will also work, but they don't provide the attendant security advantages of putting the Exchange Server behind Proxy Server.

We also looked at how other applications and services can be used in conjunction with Proxy Server. You saw, for example, that SQL Server and an FTP server can be placed behind Proxy Server without losing their functionality.

Finally, we provided you with guidelines to allow non-Windows servers to coexist with Proxy Server by introducing the concept of a "demilitarized zone."

About the Authors

KOSTYA RYVKIN, DAVE HOUDE, and TIM HOFFMAN, all MCSEs and MCTs (Microsoft Certified Trainers), are training specialists and consultants with Alida Connection, a Microsoft Certified Solutions Provider based in Nashua, NH.

We at Microsoft Corporation hope that the information in this work is valuable to you. Your use of the information contained in this work, however, is at your sole risk. All information in this work is provided "as-is", without any warranty, whether express or implied, of its accuracy, completeness, fitness for a particular purpose, title or non-infringement, and none of the third-party products or information mentioned in the work are authored, recommended, supported or guaranteed by Microsoft Corporation. Microsoft Corporation shall not be liable for any damages you may sustain by using this information, whether direct, indirect, special, incidental or consequential, even if it has been advised of the possibility of such damages. All prices for products mentioned in this document are subject to change without notice.



© 2005 Microsoft Corporation. All rights reserved.