Preinstallation Requirements

Hardware Requirements
Software Requirements
Before You Install
Server Security Checklist
Connecting the Server to the Internet

Before installing Microsoft Proxy Server, please review this entire chapter. It contains important information about installation requirements.

Hardware Requirements

Microsoft Proxy Server has the same hardware requirements as Microsoft Windows NT Server version 4.0. For more information, see the documentation for Windows NT Server version 4.0.

Software Requirements

The following must already be installed on the server computer before Microsoft Proxy Server can be installed:

Microsoft Windows NT Server version 4.0
Microsoft Internet Information Server version 2.0
The Windows NT Server 4.0 Service Pack (provided on the Microsoft Proxy Server compact disc)

The server computer can be configured as a stand-alone server, a primary domain controller (PDC), or a backup domain controller (BDC). However, for the highest security level and best performance it is recommended that you install Microsoft Proxy Server on a computer configured as a stand-alone server. For more information about member servers, PDCs, and BDCs, see your documentation for Windows NT.

For best cache performance, it is strongly recommended that at least one disk drive on the server computer be configured as an Windows NT File System (NTFS) volume.

Before You Install

Verifying Your Software Configuration
Verifying Your Hardware Configuration

Verifying Your Software Configuration

Before you install Microsoft Proxy Server, complete the following tasks:

Verify that Microsoft Windows NT Server 4.0 is installed.
Verify that Microsoft Internet Information Server 2.0 is installed.
Verify that TCP/IP is installed on the server.

Verifying Your Hardware Configuration

Setting Up the Disk Drives
Setting Up the Network Adapters
Setting Up a Modem or ISDN Adapter

Setting Up the Disk Drives

Microsoft Proxy Server can be installed on computers that have their hard disks configured as file allocation table (FAT) or NTFS volumes. However, for security and performance, it is recommended that at least one of the server’s hard disks be configured as an NTFS volume.

Features that NTFS volumes provide (and FAT volumes do not) include:

A maximum file size of up to 64 gigabytes (GB) (depending on the size of the disk clusters).
Integration with Windows NT security to control and audit file, share, and directory access.
An Activity log, which can be used to restore the disk in the event of power failure or other problem.
Support for flexible per-file compression.

The Web Proxy service of Microsoft Proxy Server stores cached Internet objects on one or more of the server’s drives. The particular drives used for this purpose are selected during installation. For best cache performance, it is strongly recommended that all the drives having space allocated to the cache be configured as NTFS drives.

If your current server disk volume is formatted to use FAT partitions, before or after installing Microsoft Proxy Server you can convert these partitions to NTFS using the Convert program included with Windows NT Server. Convert does not overwrite data on the disk. For more information about using this program to convert FAT volumes to NTFS volumes, see your documentation for Windows NT Server or type convert /? at the command line in the Command Prompt window.

Setting Up the Network Adapters

Before you install Microsoft Proxy Server, verify that network adapter cards are installed and configured properly. To create a secure configuration, the Microsoft Proxy Server computer must have at least one network adapter connected to the private network, plus one network adapter, modem, or integrated services digital network (ISDN) adapter to connect to the Internet.

You should install the network adapter cards in your server computer before installing Microsoft Proxy Server. For more information on installing network adapter cards, refer to documentation provided with your adapter cards. Once the adapter cards are installed, you can configure each card by using the Network application in Control Panel.

To configure additional network adapter cards

Open Control Panel.
Double-click the Network application, then click Adapters to display that property sheet.
Add the additional network adapter card by clicking the Add button in the Adapters property sheet.

To configure TCP/IP settings for internal and external network adapter cards

Set TCP/IP protocol bindings for the external network adapter card.

Set the binding to TCP/IP, so that it can communicate over the Internet. When binding this network card to TCP/IP, you are prompted for the card’s Internet Protocol address. This address is usually supplied by your Internet Service Provider (ISP).

If the external network adapter card will be used to connect to the Internet, it must be bound only to the TCP/IP protocol. In particular, do not bind IPX/SPX or NetBEUI to the externally connected cards.
Set protocol bindings for the internal network adapter card.
If the server will be running the Web Proxy service, the network adapter card connected to the private network must be bound to TCP/IP. If the server will be running the WinSock Proxy service, the network adapter card connected to the private network can be bound to TCP/IP, IPX/SPX, or both.

Note You can choose to implement Microsoft Proxy Server on a server that has only one network adapter card. This configuration can be used primarily for providing limited proxy service in the following ways:
- Caching service for internal Web Proxy clients.
- An IP application-level gateway to support internal IPX clients that use WinSock Proxy service.
For more information, see “Server Administration.”
Use one IP default gateway.
A Microsoft Proxy Server computer should have only one IP default gateway. The IP address of the default gateway should be configured on the external network adapter card only.
Disable dynamic host configuration protocol (DHCP) for the adapter cards.
Use static IP addresses on the adapter cards. DHCP will attempt to reset the IP default gateway you selected for Microsoft Proxy Server.

Setting Up a Modem or ISDN Adapter

RAS and Microsoft Proxy Server
Setting Up a Modem
Setting Up an ISDN Adapter
Setting Up RAS

RAS and Microsoft Proxy Server

With Microsoft Proxy Server you can use the Windows NT Remote Access Service (RAS) dial-out client to connect to an Internet service provider (ISP). RAS dial-out requires the use of at least one of the following on the Server computer:

Modem You can install one or more modems. High-speed modems, such as 28.8 Kbps modems, are recommended.

ISDN adapter If you are using an ISDN line and have signed up for the ISDN service option with an ISP, install an ISDN adapter.

When selecting any hardware for use with a dial-up network connection, check the Windows NT Hardware Compatibility List to confirm that the modem or adapter you are purchasing is supported. Microsoft has tested these modems and ISDN adapters for use with RAS.

Also, try to select a modem or ISDN adapter that is the same or very close to the one that is used by the ISP you are using. This helps ensure optimal performance and the highest possible connection rates.

For information about selecting and installing a modem or ISDN adapter, see your documentation for Windows NT Server 4.0 or documentation provided with your modem or ISDN adapter.

Setting Up a Modem

To set up a modem on the server computer

Install the modem and start the server computer.
In Control Panel, double-click the Modems application icon.
Follow the on-screen instructions for installing a new modem.

For information about installing a modem, see your documentation for Windows NT Server 4.0 and the documentation provided with your modem.

Setting Up an ISDN Adapter

Integrated Services Digital Network (ISDN) offers a much faster communication speed than ordinary telephone service which uses analog equipment. ISDN can operate at speeds of 64 or 128 Kb per second.

Unlike most available modems, not all ISDN hardware uses the same signaling technology. This can introduce connection problems between your ISDN provider (local telephone company) and your hardware adapter. In some cases, the adapter may not work at all with service in your area. For this reason it is important to consult with both telephone and Internet service providers you will working with in your local area before making final selection on ISDN adapters. As with modems, obtaining an adapter that is support by Microsoft and listed on the Hardware Compatibility List is also highly recommended.

To install an ISDN adapter

Install an ISDN card and start the server computer.
In Control Panel, double-click the Network application icon, click the Adapters tab, and click Add.
Follow the on-screen instructions to select or install a device driver for the ISDN adapter.

You must restart the computer after you have installed the ISDN drivers. Otherwise, not all of the available ISDN ports may be listed on screen when you configure Remote Access for ISDN.

Setting Up RAS

RAS can be installed during initial Windows NT Server installation or afterward. To install and configure RAS after Windows NT is installed, use the Network application in Control Panel. You will need to logged on as member of the Administrators group. Also, because you are connecting to an ISP, you need to have the TCP/IP Protocol installed before installing RAS.

To install the RAS client with Microsoft Proxy Server

In Control Panel, click on Network, click the Services tab, and click Add.
From the Network Service box, select Remote Access Service, and then click OK.
Follow the on-screen instructions to complete the installation of Remote Access Service.
Select Dial out only for port usage to configure RAS for dialout-only connection to an ISP. Port usage can be set by clicking Configure in the Remote Access Service Setup dialog box.

Network protocol settings should include TCP/IP only (the IPX/SPX and NetBEUI check boxes should be cleared). Network protocols can be set by clicking Network in the Remote Access Service Setup dialog box.

For more information on setting up RAS, see your documentation for Windows NT Server 4.0. For information on setting dial out options, see “Server Administration.”

Server Security Checklist

Connecting computers to the Internet provides for some very powerful and useful scenarios. It becomes possible to communicate with millions of people and computers worldwide by using the TCP/IP protocols. This broad flexibility imposes a degree of risk: Not only can you communicate with people and systems using the protocols that you choose, it is also possible for users to attempt to initiate communication with your systems.

Review the following list to learn how to reduce security risks.

If your private network runs TCP/IP, the server’s Enable IP Forwarding check box in the Network application should not be selected.
Clearing the Enable IP Forwarding check box prevents unauthorized IP packets from infiltrating your network. The Enable IP Forwarding check box is located in the Microsoft TCP/IP Properties dialog box. To open this, use the Network application in Control Panel.

To disable IP forwarding on Windows NT Server 4.0
1. From the Start menu, select Settings, and then click Control Panel.
2. In Control Panel, double-click the Network icon.
3. In the Network dialog box, click the Protocols tab, select TCP/IP Protocol, and then click Properties.
4. In the Microsoft TCP/IP Properties dialog box, click Routing.
5. Make sure the check box for Enable IP Forwarding is cleared.
6. Click OK, then click OK again.
Warning If the Windows NT Remote Access Service (RAS) is installed on your gateway after Microsoft Proxy Server is installed, IP forwarding will be enabled. You must disable IP forwarding after installing RAS.
Use NTFS volumes.
The Windows NT File System (NTFS) provides security and access control for your data files. By using NTFS, you can limit access to portions of your file system for specific users and services.
Run only the services that you need.
The fewer services you are running on your system, the less likely a mistake will be made in administration that could be exploited. Use the Services application in Control Panel to disable any services not absolutely necessary on your system.

Also, if FTP or Gopher services are not needed or used, turn off these services using Internet Service Manager to stop each service.
Unbind unnecessary services from your Internet adapter cards.
Use the Bindings feature in the Network application in Control Panel to unbind any unnecessary services from any network adapter cards connected to the Internet.

For example, you might use the Server service to upload new images and documents from computers in your internal network, but you might not want users to have direct access to the Server service from the Internet. If you need to use the Server service on your private network, the Server service binding to any network adapter cards connected to the Internet should be disabled.

You can use the Windows NT Server service over the Internet; however, you should fully understand the security implications and comply with Windows NT Server licensing requirements issues. When you are using the Windows NT Server service you are using Microsoft networking—that is, the Server Message Block (SMB) protocol—and all Windows NT Server licensing requirements still apply.
Check permissions set on network shares
If you are running the Server service on your Internet adapter cards, be sure to double-check the permissions set on the shares you have created on the system. It is also wise to double-check the permissions set on the files contained in the shares’ directories to ensure that you have set them appropriately.
Limit the membership of the Administrator group.
By limiting the members of the Administrator group, you limit the number of users who might choose bad passwords.
Enforce strict account policies.
User Manager for Domains provides configuration options called security policies, such as one that allows a system administrator to specify how quickly account passwords expire (forcing users to regularly change passwords), and another that determines how many bad logon attempts will be tolerated before a user is locked out. Use the User Manager for Domains security policies to configure the server against exhaustive or random password attacks.
Choose good passwords.
Although this may seem obvious, a stolen or easily guessed password is the best opportunity for someone to gain access to your system. Make sure that all passwords used on the system, especially those with administrative rights, have difficult-to-guess passwords. In particular make sure to select a good administrator password (long, mixed-case, alphanumeric password) and set the appropriate account policies. Passwords can be set by using Windows NT User Manager for Domains.

Connecting the Server to the Internet

Assessing Bandwidth Requirements
Selecting Connection Hardware
Selecting an ISP
Analyzing Connection Costs

Assessing Bandwidth Requirements

Before establishing a connection for your server to the Internet, estimate the amount of connected use that is expected to occur. First, determine the number of users requiring Internet access. Other factors to consider include determining what applications and services will be used for this connection, and setting reasonable limits for data transfer between remote sources on the Internet and computers on your private network. If real-time application processing is required, this could also enter into your decision-making process.

Internet access is generally scaled to fit a wide range of service needs by using one of several access methods. Service is usually packaged to offer either dial-up analog access with a modem, the use of Integrated Digital Services Network (ISDN) technology, or T1 line services for large-scale network access. This section describes each of these methods separately.

Dial-Up Analog Access
This type of connection most often uses SLIP/PPP (Serial Line Interface Protocol/Point to Point Protocol) to connect to an Internet Service Provider (ISP) for access to the Internet. Using dial-up access, Microsoft Proxy Server can operate with an analog phone line using a high-speed analog modem with data rates limited to 28.8 Kbps. This type of access is acceptable for limited situations, such as a single network user requiring outbound access for Web browsing, or for handling routine e-mail traffic for a small to medium-sized office. The analog modem is generally connected to a serial port interface installed within the Microsoft Proxy Server computer. The Remote Access Service (RAS) in Windows NT is used on the server computer to manage dial-up sessions and connect to a service provider.
ISDN Lines
The Integrated Services Digital Network (ISDN) specification is a digital replacement for the analog phone system. An ISDN phone system is similar to a computer network. Currently, standard phone service requires using modems to convert data from digital signals generated by computers to analog signals that can be transferred across the analog phone lines that are located in most homes and businesses. Because ISDN is digital, no modem conversion is needed.

An ISDN network requires ISDN lines and adapters. There are two ISDN line standards; ISDN Basic Rate Interface (BRI) and ISDN Primary Rate Interface (PRI). Each of these ISDN line standards consists of the following:
- B-channels for voice and data that can transfer data at 64 Kbps per channel.
- D-channels for signaling and line control. This channel is used for out-of-band signaling for call setup.
BRI service provides the option of split service over two 64-Kbps B-channels or, by bridging the B-channels, speeds of 128 Kbps are possible for a single connection. PRI service provides a combined service rate of up to 1.544 Mbps (megabits per second) over multiple B-channels.

Starting in the 1960s, telephone companies began to replace their internal backbone networks with digital technology. This digital technology uses the same signaling system as that specified for use with ISDN to manage line traffic and increase the number of connections that can be placed over a single physical line. ISDN extends this improved digital networking to the consumer site. Some phone systems do not provide support for ISDN.

Microsoft supports ISDN functionality and has provided a number of device drivers for ISDN adapters currently available on the market. Also, Windows NT Remote Access Service offers support for ISDN as well. For more information on using ISDN with Microsoft products, refer to the Microsoft Web site or Microsoft Technet. You may also contact ISDN providers in your area or call your local phone company for more information on ISDN in your area.

Typically, ISDN lines require additional installation and usage fees beyond normal phone service, but can be a good option for small or mid-sized companies that need larger bandwidth requirements than dial-up access can provide. ISDN can also be used by single users who require the fastest possible connections for accessing the Internet.
T1 Line
A T1 line is another standard for high bandwidth transmission. A T1 line is similar to an ISDN line in that it allows multiple simultaneous channels, with each channel forming a separate connection. Standard T1 service in the United States offers 24 channels that each have rated capacities of 56 Kbps for each channel. T1 service is generally considered expensive in comparison to ISDN or normal phone service, but T1 line costs are decreasing.

T1 lines are typically used by large organizations that do high-bandwidth data communications between remote sites. A variant of T1 service, known as 64 Kbps Dedicated Digital Line (DDL) service, or “fractional T-1,” is also available. When planning for purchasing of T1 lines, remember that Microsoft Proxy Server offers caching capabilities that can reduce bandwidth demands significantly.

Selecting Connection Hardware

You can connect your server to the Internet with any of several hardware options. This section will focus on several hardware options for direct connection from your Microsoft Proxy Server gateway to the Internet, or in some cases, installing Microsoft Proxy Server behind a router on your network.

Analog Modems
A typical analog modem transfers data at 14.4 or 28.8 Kbps. These speeds are usually appropriate only for a single user connecting to the Internet from a workstation, or for a dial-up mail gateway computer performing light e-mail routing. To establish shared access for multiple users for Web browsing and access to other online services, additional analog modems must be available for each user. For multiple users requiring modem access, consider modem pooling or LAN communication servers.
ISDN Adapters
As ISDN network service becomes more affordable, ISDN adapters are becoming more prevalent and less costly. Each ISDN adapter is used to dial an ISDN access number and maintain a continuous open connection to the ISDN carrier. Microsoft Windows NT and Windows 95 are fully compatible with ISDN adapters for which there are Windows standard drivers.
Routers
A router is a hardware device that connects one network to another. The router usually functions on the network as a peer to other networked devices such as workstations and servers. Under TCP, the router can have its own network IP address or network name under IPX/SPX. The router then becomes responsible for maintaining the dial-out connection to the ISP—typically an ISDN or T1 connection.

Selecting an ISP

Because the Internet consists of many networks and organizations linked together, service access points are not centrally administered. The Internet backbone networks are operated by large telecommunications companies who sell access to their high-speed network of computers to smaller companies. These companies may in turn sell or further parcel out service to other smaller companies who deliver service to individual consumers.

Any company that connects an organization to the worldwide Internet for a fee is termed an Internet Service Provider (ISP). This model is in flux and even the largest Internet providers are providing service to homes, while some smaller ISPs offer ISDN and even T1 service. Listings of ISPs can be found everywhere from Internet-related magazines to your local newspaper.

In most cases, selecting an ISP requires answering questions related to your own specific needs. The most basic concerns that all Internet users must consider are the type of service connection and bandwidth you will require (such as dial-up, ISDN, or T1) and how your service usage will be billed. In most cases, ISPs can offer a single flat rate for unlimited usage, or as an alternative, charge an hourly rate for a limited number of hours of Internet access time each month.

Another issue to consider when choosing an ISP is whether you will require assistance in setting up a registered DNS domain name or IP address for your private organization or company. Some ISPs provide this service for an additional fee.

Note This is a distinction between commercial online services, such as CompuServe and America Online, which do provide Internet access by use of proprietary dial-up software, and an ISP, which provides a direct network connection to the Internet. You cannot connect your Internet gateway to a commercial online service.

Analyzing Connection Costs

Two factors that can affect the cost of your Internet connection are bandwidth and the persistence of connection.

To select appropriate bandwidth connections for your network, you will want to examine peak level demands created by all of your network users using Internet access. In most cases, users who browse graphics-intensive sites will consume most of the available bandwidth. With the object caching capabilities and domain filtering features available with Microsoft Proxy Server, you may be able to reduce your actual bandwidth requirements by caching frequently accessed sites locally, or by restricting access to some graphic intensive sites. For more information about caching, see “Configuring the Web Proxy Service,” and Appendix D, “Architecture.”

Also, ISPs provide access in some cases that is available at an hourly rate or on a 24-hour, 7-days per week basis. Consider whether your users need full-time or part-time access to the Internet and compare pricing for alternative service plans.