Server Administration Overview
Using Internet Service Manager
Putting Users in Windows NT Groups
Network Configuration
LAT Configuration
Dial-Up Support
Other Server Configuration Issues
Microsoft Proxy Server can be administered by using administrative tools provided with the product. It also interacts closely with Internet Information Server (IIS) and Windows NT Server settings. Together, using the tools provided with each of these Microsoft server products, you can develop an appropriate administrative configuration for Microsoft Proxy Server on your private network.
This chapter covers the following topics, which discuss how to administer Microsoft Proxy Server, as well as further considerations for administering the server to operate appropriately with other services on your network.
Internet Service Manager is an administrative tool provided by IIS. Internet Service Manager can be used to administer properties for two services provided by Microsoft Proxy Server: the Web Proxy and WinSock Proxy services.
For administering access to Web Proxy and WinSock Proxy services, it is recommended that you add users to groups, and then assign permissions to those groups. By using group assignments, you can simplify the administrative tasks needed to grant or revoke user permissions for Microsoft Proxy Server.
A number of considerations can affect how you choose to configure or install Microsoft Proxy Server on your private network. Configuring server network adapter cards and TCP/IP ports correctly is an important consideration. Also, for networks that use other TCP/IP services such as DNS, WINS, DHCP, or multiple gateways, further considerations apply when using Microsoft Proxy Server on your network.
The Local Address Table (LAT) is used by Microsoft Proxy Server to define your private network. It is used actively by both the Web Proxy and WinSock Proxy services when processing client requests. Because the LAT is a critical component for correct functioning of the proxy service, any discrepancies between addresses recorded in the LAT and the actual addresses used on your network must be monitored and corrected as they occur. You can modify or replace the LAT that is stored on the server as necessary.
On-demand dial-out is a supported feature of Microsoft Proxy Server. Dial-out uses a Remote Access Service (RAS) compatible tool that supports RAS phone book entries. These entries can be used to schedule automated dial-out connections to the Internet through your Internet service provider.
Use Internet Service Manager, provided with Microsoft Internet Information Server, to administer the Microsoft Proxy Server services.
The Microsoft Internet Service Manager window is displayed. All installed Internet services for the current server are listed.
If you will be managing a remote server, connect to that server.
To connect to a specific server, from the Properties menu click Connect to Server and complete the Connect to Server dialog box that appears.
Note The WinSock Proxy service on other server computers is not detected when Find All Servers is used. To connect to WinSock Proxy service for different computers, use Connect to Server and specify the server name for connection.
To administer a server's Internet service, double-click the computer name next to the service name.
The Service Properties window for the selected service appears.
For more information about administering the Microsoft Proxy Server services, see Configuring the Web Proxy Service, and Configuring the WinSock Proxy Service.
Considerations For Planning Windows NT Groups
Creating New Groups For Proxy Users
Assigning Groups to Service Permissions
The Microsoft Proxy Server allows several possibilities for assigning permission rights for users to the Web Proxy and WinSock Proxy services. These permissions can be configured or enabled by using the Internet Service Manager.
For each of the service options that allow user permissions to be assigned, it is recommended that you create and use groups of users to simplify management of permissions for each user. You can use User Manager for Domains to create groups, which can be local groups on the server, or groups on the domain.
By separating your users into groups, you can simplify the process of modifying, adding, and removing user permissions for Microsoft Proxy Server as your network service needs change.
The following are some guidelines for how to simplify managing user permissions for Microsoft Proxy Server by creating new local groups for this purpose.
For example, if you have a very small network, you could decide to manage all proxy users within a single group. This group could then be granted all Web Proxy and WinSock Proxy service permissions you choose to enable.
If your network has more than a few users, you might want to create separate permissions for some services on your network. To do this, you can create additional user groups so that you can limit these special permissions to only a certain group of proxy users.
From the desktop, click Start, select Programs, and then select Administrative Tools (Common).
Click User Manager for Domains.
Connect to the domain or server to be administered.
From the User menu choose Select Domain and complete the Select Domain dialog box that appears.
As necessary add users and groups, and add users to groups.
For instructions see the online Help for User Manager for Domains. Also see your documentation for Windows NT.
For further examples of how to use groups effectively to restrict access permissions on your internal network using groups, see Security.
Once groups have been created, you can use Internet Service Manager to assign appropriate service permissions to each of the new groups.
For more information about administering service permissions, see Configuring the Web Proxy Service, and Configuring the WinSock Proxy Service.
Setting up Network Adapter Cards
Using TCP/IP Ports
Using DNS, WINS, and DHCP with Microsoft Proxy Server
Using Multiple Microsoft Proxy Server Gateways
More About DNS, WINS, and DHCP
Setup Considerations When Using Two Adapters
Configuring the External Network Adapter Card
Configuring the Internal Network Adapter Card
Setup Considerations When Using a Single Adapter
The following section outlines some considerations to be followed when installing network adapter cards for use with Microsoft Proxy Server. In most installations, two network adapter cards will need to be installed on the server; one network adapter card for connecting to the internal private network, and the other adapter card to be used for external connection to the Internet or another external network.
In some circumstances, Microsoft Proxy Server may also be used with only a single adapter card as a way to provide limited use for caching services on a local network. When only one server adapter card is installed, gateway services are not in effect and the server can be configured similarly to other internal servers or clients on your network.
When setting up two network adapter cards for gateway operation, first install both network adapter cards in the server computer. Comply with any special manufacturer instructions for configuring the multiple network adapters for use in the same computer.
In most cases, device conflicts are possible where hardware settings are preconfigured for memory base I/O addresses or IRQ levels on each of the adapter cards. Check that base I/O and IRQ settings are set differently for each card and use settings that do not conflict with other devices that are currently installed on your system.
Make note of the configured settings used for each network adapter card as the card is installed and update these notes if changes are made while you are installing. Keeping notes can help reduce the amount of time required to troubleshoot any hardware device conflicts later.
Verify that both adapter cards are installed and configured correctly by using the Adapters property sheet in the Network application of Control Panel. Check for unique I/O base address and IRQ values for each adapter.
Tip If the hardware description for both server adapter cards is identical, it may be confusing to keep track of which adapter you are configuring. Windows NT identifies each adapter added to the system with a leading number, such as [1] for the first adapter installed and [2] for the second adapter installed. Refer to these numbers when you are attempting to verify or change settings for a specific hardware adapter.
The following considerations must be complied with when setting up the network adapter card that will be connected to the Internet.
Disable bindings for SMB Server, NWLink IPX/SPX Compatible Transport, WINS Client (TCP/IP), and the NetBEUI Protocol. For the WINS Client listing, disable bindings for all interfaces (Server, Workstation and NetBIOS interface). The only binding to be enabled for the external network adapter card should be TCP/IP Protocol.
For external TCP/IP connection to the Internet, you should check with your Internet Service Provider (ISP) to obtain correct information to enter for TCP/IP settings. In particular, you will need to know the IP address, subnet mask, default gateway, Domain Name System (DNS) domain name, and IP addresses for DNS servers to be used in DNS name searches. In some cases, your ISP may be using dynamic host configuration protocol (DHCP) or Bootstrap Protocol (BOOTP) to enable dynamic assignment of client addresses. Contact your ISP for further information about configuring the external adapter card where these services are active.
Use Ping.exe (or a similar utility) provided with Windows NT and Windows 95 on another internal IP client computer to verify that the server's external adapter card is set correctly. You will need to use another computer located on the external segment when using Ping or other echo-reply type testing.
The following process details considerations for setting up the network adapter card that will be used to connect Microsoft Proxy Server internally to your private network.
Disable any bindings that are not needed or currently used on your internal network, such as NetBEUI Protocol or WINS Client (TCP/IP). You must enable bindings for either NWLink IPX/SPX Compatible Transport, or TCP/IP Protocol on this adapter card.
For NWLink IPX/SPX Compatible Transport protocol properties on the internal network adapter, enter the same network number for Internal Network Number that is used by other Novell-based servers and clients on your private network. In most cases, you can use Auto Frame Type Detection to have Windows NT automatically detect the correct frame type that is in use on your internal network. In some cases, you may need to enter the frame type manually by using Manual Frame Type Detection. If you manually enter a frame type, be sure it is the same frame type supported by other Novell-based servers and clients on your network.
If your private network uses RIP/SAP routing internally, you may also choose to enable RIP routing on the Routing tab as well. (Because RIP routing adds a considerable amount of traffic to your network, enable this only where it is needed for devices to communicate on your network.)
Although TCP/IP Protocol Properties must be set for both network adapter cards, for internal TCP/IP connection, all address settings should be specified manually.
Do not use the Obtain an IP address from a DHCP server option for obtaining an IP address for use on the internal network. In particular, you should enter a permanent reserved IP address for the Microsoft Proxy Server and an appropriate subnet mask for your local network. Also, do not enter an address for Default Gateway for the internal network adapter.
Note If your private network uses DNS, Windows Internet Name Service (WINS), or DHCP services, you will need to consider how to configure the internal network adapter for the Microsoft Proxy Server to work with these services. For more information on using Microsoft Proxy Server with DNS, WINS, or DHCP services, see the Using DNS, WINS, and DHCP Services section later in this chapter.
Use Ping.exe (or a similar utility) provided with Windows NT and Windows 95 on another internal IP client computer to verify that the server's internal adapter card is set correctly. Also, if you are using IPX/SPX exclusively on your internal network, you can use an IPX-based utility that does pinging or echo-reply type testing.
In some cases, the Microsoft Proxy Server can be used with a single network adapter on a private network. In this type of installation, no gateway services for Internet access are configured and the Microsoft Proxy Server is used primarily to provide a document caching service for local network users.
For configuring a Microsoft Proxy Server for a single network adapter connection to the internal network, you can use IP and DNS settings that are appropriate for servers and clients on your local TCP/IP network. There are no special considerations for TCP/IP network settings for this type of installation.
What are TCP/IP ports?
Setting WinSock Proxy Port Permissions
Advanced TCP/IP Security with Windows NT
Ports are used in TCP/IP to name the ends of logical connections that carry long-term conversations. A port is an abstraction to allow transport protocols such as User Datagram Protocol (UDP) and Transmission Control Protocol (TCP) the capability of handling communications between multiple hosts. It allows a communication to be uniquely identified. The WinSock Proxy service uses ports extensively to provide a way of redirecting applications.
For the purpose of providing services to unknown callers, a service contact port is defined. Each WinSock Proxy-enabled application specifies a port to be used as the contact port on the server for TCP or UDP. The contact port is sometimes called the well-known port. To some extent, these same port assignments are used with UDP. In order to use UDP, the application must supply the IP address and port number of the destination application.
Ports are identified by a positive integer. Originally, the assigned ports available were in the range 0 to 255. Currently, the range for assigned ports has been expanded to allow 4-digit port numbers up to 9999. The assigned ports use a small portion of the range of possible port numbers, allowing other unassigned port numbers to be designated as alternatives if the initial port is not available or to be used for new custom server applications.
Ports can be designated to use either TCP or UDP as the transport-level protocol specifying how ports send and receive data. In addition, port assignments are enabled separately for inbound ports and outbound ports on Microsoft Proxy Server. Inbound ports are used to listen for client requests from Internet clients, and outbound ports are used to listen for requests from clients on the internal private network.
The Microsoft Proxy Server uses application service ports for the WinSock Proxy service. In order for each Windows Sockets-based application to work through a network connection, ports are used in combination with IP addressing to form a socketed connection. For information on how Windows Sockets works, see Appendix D, Architecture.
When ports are defined for the WinSock Proxy service, port permissions can be assigned to users for each application defined on the Microsoft Proxy Server gateway. For example, VDOLive is a supported application for the WinSock Proxy service. It uses outbound TCP port 7000 and inbound UDP port 0 as its well-known ports for defining service on the Microsoft Proxy Server. Users can then be granted permission to use VDOLive with WinSock Proxy. Once permissions are granted by using the Permissions property sheet in WinSock Proxy Properties, users have access to those ports (both inbound and outbound) that are assigned.
If you want to enable access to inbound and outbound service ports separately for users on your network, you can create additional protocol definitions in WinSock Proxy service properties for that purpose.
For example, suppose you wanted to permit both outbound and inbound port access for FTP service to all internal users on your network, but allow only inbound FTP logon for a single Internet client user called FTPClient1.
In this example, you might use the predefined protocol, FTP, and assign all of the internal users permissions to this protocol because it enables inbound and outbound port access. Then, to allow only inbound port access for the FTPClient1 user account only, you could create a new protocol definition called FTP (inbound only) and define only the inbound TCP port 0 for it. The FTPClient1 account could then be assigned permissions to the FTP (inbound only) protocol permissions list.
For more information on how to add WinSock Proxy protocol definitions and set access permissions, see Configuring the WinSock Proxy Service.
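The FTP scenario above (all internal users get the predefined FTP protocol, FTPClient1 gets only an inbound-only definition) as a runnable model. This is an added example, not code from the Microsoft Proxy Server product or its documentation; the data structures, the group name "Proxy Users", the user names and the outbound TCP port 21 for FTP are assumptions made for the example.

```python
"""Model of WinSock Proxy protocol definitions and port permissions.

Added example, not part of the Microsoft Proxy Server documentation.
Protocol names and the FTPClient1 account follow the text; the data
structures, group/user names and the check logic are a constructed model.
"""
from dataclasses import dataclass, field

# Direction and transport as used in the documentation: outbound ports
# serve internal clients, inbound ports listen for Internet clients.
OUTBOUND, INBOUND = "outbound", "inbound"
TCP, UDP = "TCP", "UDP"

# Port 0 in a definition stands for "any port" in that direction (the
# text defines inbound TCP port 0 for FTP and inbound UDP port 0 for VDOLive).
ANY_PORT = 0


@dataclass(frozen=True)
class PortRule:
    direction: str
    transport: str
    port: int


@dataclass
class ProtocolDefinition:
    name: str
    rules: frozenset  # of PortRule


@dataclass
class WinSockProxyPermissions:
    """Protocol definitions plus a grant list: protocol -> principals."""
    definitions: dict
    grants: dict = field(default_factory=dict)
    group_members: dict = field(default_factory=dict)

    def grant(self, protocol, principal):
        """Add a user or group to a protocol's permissions list."""
        if protocol not in self.definitions:
            raise KeyError(f"undefined protocol {protocol!r}")
        self.grants.setdefault(protocol, set()).add(principal)

    def _principals_for(self, user):
        # A user is matched directly and through every group it belongs to.
        yield user
        for group, members in self.group_members.items():
            if user in members:
                yield group

    def is_permitted(self, user, direction, transport, port):
        """True if a protocol granted to the user (directly or via a group)
        contains a rule for this direction, transport and port."""
        principals = set(self._principals_for(user))
        for protocol, granted in self.grants.items():
            if not (granted & principals):
                continue
            for rule in self.definitions[protocol].rules:
                if (rule.direction == direction
                        and rule.transport == transport
                        and rule.port in (port, ANY_PORT)):
                    return True
        return False


def build_example():
    """Constructed configuration for the FTP scenario in the text: the group
    'Proxy Users' gets the predefined FTP protocol (outbound TCP 21 is an
    assumption, plus inbound TCP 0), FTPClient1 gets 'FTP (inbound only)'."""
    ftp = ProtocolDefinition("FTP", frozenset({
        PortRule(OUTBOUND, TCP, 21),
        PortRule(INBOUND, TCP, ANY_PORT),
    }))
    ftp_in = ProtocolDefinition("FTP (inbound only)", frozenset({
        PortRule(INBOUND, TCP, ANY_PORT),
    }))
    perms = WinSockProxyPermissions(
        definitions={d.name: d for d in (ftp, ftp_in)},
        group_members={"Proxy Users": {"alice", "bob"}},  # constructed names
    )
    perms.grant("FTP", "Proxy Users")
    perms.grant("FTP (inbound only)", "FTPClient1")
    return perms


if __name__ == "__main__":
    p = build_example()
    print("alice outbound TCP 21:", p.is_permitted("alice", OUTBOUND, TCP, 21))
    print("FTPClient1 outbound TCP 21:",
          p.is_permitted("FTPClient1", OUTBOUND, TCP, 21))
```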
In addition to port-access permissions and protocol definitions created by using the Microsoft Proxy Server properties, Windows NT Server 4.0 provides additional settings for advanced TCP/IP security. This feature can be useful in instances where you want to selectively enable and disable TCP/IP ports or protocols globally for all users of that server on your network.
Some examples of cases where this feature might be useful include the following scenarios:
You are conducting testing of a new application that uses UDP ports on your local network. While testing is occurring, you need a way to quickly enable and disable selected UDP ports on your computer running Microsoft Proxy Server. In this case, you could remove and recreate user permission assignments or UDP protocol service definitions by using the Web Proxy and WinSock Proxy service properties, but these steps become much too involved to be repeated numerous times.
From the desktop, click the Start button.
Select Settings and click Control Panel.
The Network properties window is displayed.
Click the Protocols tab.
The Microsoft TCP/IP Properties sheet is displayed.
The Advanced IP Addressing property sheet is displayed.
The Configure button located beneath Enable Security is enabled.
The TCP/IP Security dialog box is displayed.
The Add button is enabled.
Enable ports or protocols.
Repeat this step for all ports or protocols that require enabling.
Considerations for Using DNS
Considerations for Using WINS
Considerations for Using DHCP
The following section details further considerations for using the Microsoft Proxy Server with DNS, WINS, or DHCP services on your private network. For an overview of these services, see More About DNS, WINS, and DHCP, later in this chapter.
Microsoft Proxy Server as a DNS Server
Microsoft Proxy Server as DNS Client
When DNS services are used on the internal network, a computer running Windows NT Server and Microsoft Proxy Server can also be used as a DNS server for the internal network. The internal server adapter card must use static IP addressing (a permanent address on the local network) and no default gateway should be specified.
If you use the same server for Internet gateway access with Microsoft Proxy Server and for DNS servicing, be sure that the Windows NT DNS service and all internal hosts file information is accessible only to internal network clients. Set file system security appropriately to deny Internet users access, and disable DNS Server for the external network adapter.
For more information on configuring Windows NT Server for use as a DNS server, see your documentation for Windows NT Server.
There are no special considerations for Microsoft Proxy Server as a DNS client on the internal network. This is a recommended configuration for networks already using DNS service. Also, a HOSTS file can be used as an alternative when no DNS services are available on the internal network.
For more information on configuring Windows NT Server for use as a DNS client, see your documentation for Windows NT Server.
Microsoft Proxy Server as a WINS Server
Microsoft Proxy Server as a WINS Client
When WINS services are used on the internal network, the computer running Microsoft Proxy Server can also be used as a WINS server. The internal server adapter card must use a permanent IP address on the local network, with no default gateway specified. To be sure that the internal WINS database information cannot be seen by Internet users, deny these users file access to WINS service and LMHOSTS files and disable all WINS services for the external network adapter.
There are no special considerations for Microsoft Proxy Server as a WINS client on the internal network. This is a recommended configuration for networks already using WINS service. Also, an LMHOSTS file can be used as a WINS alternative when no WINS services are available on the internal network.
For more information on configuring Windows NT Server for use as either a WINS server or a WINS client, see your documentation for Windows NT Server.
Microsoft Proxy Server as a DHCP Server
Microsoft Proxy Server as a DHCP Client
Microsoft Proxy Server as a DHCP Relay Agent
When DHCP services are used on the internal network, the computer running Microsoft Proxy Server can be used as a DHCP server. However, the server must use a permanent address on the local network, and no default gateway should be specified on the internal server adapter card. Also, be careful to enable DHCP Server for the internal network adapter only and to disable DHCP Server for the external network adapter.
For information on installing and configuring Microsoft DHCP Server, see your documentation for Windows NT Server.
From the desktop, click Start, select Settings, and then click Control Panel.
Double-click the Network icon.
Click the Bindings tab.
From the Show Bindings for list box, select all services.
The service listing expands to show protocols supported for this service.
The service listing expands to show all adapters that are bound for this protocol and service.
It is recommended that the Microsoft Proxy Server not be enabled as a DHCP client on the internal network. Instead use static IP addressing and assign a permanent IP address for the internal network on the server adapter card. Do not specify a default gateway when assigning IP addressing for this card.
There are no special considerations for using Microsoft Proxy Server as DHCP relay agent on the private network between another DHCP server and DHCP clients. Use the Network application in Control Panel to set TCP/IP properties to enable DHCP relay. This option can be enabled by adding DHCP server addresses to the search list on the DHCP Relay property sheet.
Multiple Gateway Overview
Using Multiple Proxy Gateways in a DNS Environment
Using Multiple Proxy Gateways in a WINS Environment
Using Multiple WinSock Proxy Service Gateways
For an overview of the DNS, WINS, and DHCP services, see More About DNS, WINS, and DHCP, later in this chapter.
A private network can have more than one Microsoft Proxy Server gateway in use. Where multiple server computers are configured for Microsoft Proxy Server, Internet traffic loads can be balanced across each separate gateway by configuring clients to use all gateways evenly. For example, if you have two Microsoft Proxy Server gateways, one named PROXY1 and the other PROXY2, you would specify either PROXY1 or PROXY2 in the proxy connection settings for each client browser and the valid port to be used (typically, port 80 is used for HTTP proxy service). Load balancing is managed in this manner when multiple proxy gateways are added.
Another option with multiple proxy gateways is to separate loads by service type across different servers. For example, you can specify one server (such as PROXY1) for a client's HTTP proxy service and a second server (such as PROXY2) for its FTP proxy service.
When you use multiple gateways on a private network with DNS services, you must configure at least one entry for each gateway that indicates an IP address to be searched for on the local network to provide DNS name resolution. The DNS server address specified will be used to forward all domain name requests. In some cases, you may also have a secondary DNS server address to be searched for and used if the first DNS server is not available.
Note When working with DNS environments that are located on the Internet, it is not unusual for companies to make mutual arrangements to host each other's DNS entries. This ensures that, if a primary DNS server becomes unavailable, there is a backup domain server for the domain. This backup domain server is listed with the domain record that is registered with the Internet Network Information Center (InterNIC). Both DNS servers are mutually configured to provide secondary DNS service to the complementary domain.
You can also use DNS round-robin, a feature that offers load balancing for multiple DNS servers on a network. Round-robin involves assigning a single DNS domain name to be serviced by multiple DNS servers, each with its own IP address on the local network. The round-robin configuration ensures that, for any DNS name lookup request, whichever server assigned for round-robin is currently available can respond.
For more information about configuring Windows NT Server as a DNS server, see your documentation for Windows NT Server.
In a WINS environment, you use the WINS Server to configure a multi-homed environment. This is similar to the DNS environment in that you create one entry, which contains the list of IP addresses for all the Microsoft Proxy Server gateways. In a WINS environment, there are three levels of name resolution. First, the WINS Server matches a client's request with the client's IP address. The WINS Server seeks a Proxy Server on the same subnet as the client. The WINS Server then seeks a Microsoft Proxy Server gateway on the same net as the client. If WINS cannot match a client to a gateway in this fashion, it picks a gateway from the WINS list at random.
For more information about configuring Windows NT Server as a WINS server, see your documentation for Windows NT Server.
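The three-level WINS match described above (same subnet, then same net, then a random pick from the multi-homed entry), as an added example that is not code from Microsoft Proxy Server or Windows NT WINS. Reading "same net" as the classful network of the client address is an assumption; the gateway and client addresses are constructed.

```python
"""Selecting a proxy gateway from a multi-homed WINS entry.

Added example, not part of the Microsoft Proxy Server documentation. It
models the three levels of name resolution described for WINS: a gateway
in the client's subnet, then one on the client's network, then any gateway
at random. Treating "net" as the classful network is an assumption.
"""
import ipaddress
import random


def classful_prefix(addr):
    """Default (classful) prefix length for an IPv4 address. Using this as
    the meaning of 'same net' is an assumption made for the example."""
    first_octet = int(ipaddress.IPv4Address(addr)) >> 24
    if first_octet < 128:
        return 8      # class A
    if first_octet < 192:
        return 16     # class B
    return 24         # class C


def select_gateway(client_ip, client_mask, gateways, rng=random):
    """Return the gateway address WINS would hand to this client.

    gateways is the list of (ip, netmask) pairs registered under the single
    multi-homed proxy name, e.g. [("10.1.1.5", "255.255.255.0"), ...].
    """
    client_subnet = ipaddress.IPv4Interface(f"{client_ip}/{client_mask}").network
    client_net = ipaddress.IPv4Network(
        f"{client_ip}/{classful_prefix(client_ip)}", strict=False)

    candidates = [(ipaddress.IPv4Address(ip), mask) for ip, mask in gateways]

    # Level 1: a gateway in the client's own subnet.
    for ip, mask in candidates:
        if ipaddress.IPv4Interface(f"{ip}/{mask}").network == client_subnet:
            return str(ip)

    # Level 2: a gateway on the same (classful) network.
    for ip, _ in candidates:
        if ip in client_net:
            return str(ip)

    # Level 3: no match; pick any registered gateway at random.
    return str(rng.choice(candidates)[0])


# Constructed multi-homed entry: three gateways on different subnets.
EXAMPLE_GATEWAYS = [
    ("10.2.5.1", "255.255.255.0"),
    ("10.1.1.5", "255.255.255.0"),
    ("192.168.7.9", "255.255.255.0"),
]

if __name__ == "__main__":
    print(select_gateway("10.1.1.20", "255.255.255.0", EXAMPLE_GATEWAYS))
    print(select_gateway("10.9.9.9", "255.255.255.0", EXAMPLE_GATEWAYS))
    print(select_gateway("172.16.0.7", "255.255.0.0", EXAMPLE_GATEWAYS))
```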
WinSock Proxy clients use the WinSock Proxy service on the server they were configured to use by the client Setup program. This information is preconfigured during Proxy Client Setup, in the Mspclnt.ini file. To balance the load across each of your Microsoft Proxy Server gateways, configure the Microsoft Proxy Server client initialization files appropriately (for example, to use DNS round-robin).
For information about configuring WinSock Proxy clients and the Mspclnt.ini file, see Setting Up Clients.
Background on Internet Naming and Addressing
What is DNS?
What is WINS?
What is DHCP?
As the Internet continues to grow in size and number of hosts, the use of TCP/IP for private internetworking grows along with it. The primary reason for this increase is that TCP/IP offers the benefit of a widely deployed set of open protocol standards that are well suited to forming wide area networks (WANs).
In order for each computer to identify itself on the TCP/IP network, each host must be uniquely identified by the following information:
An IP address. This is a 32-bit field composed of four octets (8-bit numbers from 0 to 255). Each address is written in dotted decimal notation, with periods separating the octets, such as 10.10.100.201.
A subnet mask. This indicates how the IP address is to be read: which bits identify the network and which identify the host, so that the address can be interpreted correctly. For example, if a subnet mask of 255.255.255.0 is applied to the address 10.85.189.24, it indicates host number 24 on the 10.85.189 subnetwork.
A default gateway. This specifies the address of the nearest routing device that the host will use to forward addressed packets onto the network.
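The subnet-mask rule just given (255.255.255.0 on 10.85.189.24 yields network 10.85.189, host 24) is also what underlies the Local Address Table described at the start of this chapter: the LAT is the set of address ranges that define the private network, and addresses in use that fall outside it must be found and corrected. This added example, which is not code from Microsoft Proxy Server, applies the mask rule, builds LAT ranges from subnet entries, and reports internal hosts the LAT does not cover. The range representation and all addresses are constructed; the on-disk LAT format is not modelled.

```python
"""Checking a Local Address Table (LAT) against addresses in use.

Added example, not part of the Microsoft Proxy Server documentation. The
LAT entries and host addresses are constructed, and the (first, last)
range list is a model rather than the product's LAT file format.
"""
import ipaddress


def split_address(ip, mask):
    """Return (network address, host number) for ip under mask, as the text
    describes: 10.85.189.24 with 255.255.255.0 -> ("10.85.189.0", 24)."""
    iface = ipaddress.IPv4Interface(f"{ip}/{mask}")
    network = iface.network
    host_number = int(iface.ip) - int(network.network_address)
    return str(network.network_address), host_number


def lat_from_subnets(subnets):
    """Build LAT ranges (first address, last address) from (ip, mask) pairs.
    Any host address in the subnet may be given; the mask picks the range."""
    ranges = []
    for ip, mask in subnets:
        net = ipaddress.IPv4Interface(f"{ip}/{mask}").network
        ranges.append((net.network_address, net.broadcast_address))
    return ranges


def is_internal(lat, ip):
    """The Web Proxy and WinSock Proxy services treat an address as part of
    the private network when it falls inside any LAT range."""
    addr = ipaddress.IPv4Address(ip)
    return any(lo <= addr <= hi for lo, hi in lat)


def lat_discrepancies(lat, observed_internal_hosts):
    """Internal hosts (for example from a DHCP lease list or WINS export)
    that the LAT does not cover. Such clients would be treated as external
    until the LAT is corrected, which is the discrepancy the text warns about."""
    return sorted(ip for ip in observed_internal_hosts if not is_internal(lat, ip))


# Constructed LAT: a /24 and a /23 on the private network.
EXAMPLE_LAT = lat_from_subnets([
    ("10.85.189.24", "255.255.255.0"),
    ("10.10.100.0", "255.255.254.0"),
])

if __name__ == "__main__":
    print(split_address("10.85.189.24", "255.255.255.0"))
    # Constructed list of hosts seen on the internal segment.
    print(lat_discrepancies(EXAMPLE_LAT, ["10.85.189.5", "10.20.0.9", "10.10.101.7"]))
```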
One way to configure this address information is to have a network administrator or technician manually enter these settings on each computer before it is joined to the local network. For small networks, this does not present an overly difficult problem, but as networks become larger or further divide into multiple subnetworks, integrating new devices onto existing networks becomes a significant chore for network administrators to manage. In addition, this chore might need to be repeated each time a device is relocated to a different subnetwork.
This type of manually applied configuration is referred to as static IP addressing. It requires that all addresses be recorded and centrally maintained by a network administrator. This is to provide an orderly procedure for adding new devices and avoid problems that can arise from duplicating address assignments on the network.
Another limitation of IP addressing is that users find it awkward to deal with numbers when locating devices on the network. Although IP addressing is an efficient scheme that works well for computers and routers, in practice network users find common names for hosts (such as myserver.mycompany.com) much easier to remember than IP addresses (such as 10.100.206.195). Solutions for mapping user-friendly names to assigned IP addresses simplify user access, but compound the administrative problems already inherent in TCP/IP.
The following section covers some of the accepted and proposed standards that have been drafted to provide solutions for all of these TCP/IP shortcomings. Standards for mapping IP addresses to common names through the use of the Domain Naming System (DNS) and for maintaining dynamic storage of network names and IP addresses by use of the Windows Internet Name Service (WINS) are discussed first. Protocols developed to automate the process of assigning IP addresses and configuring clients, such as the Dynamic Host Configuration Protocol (DHCP) are also discussed.
The Domain Naming System (DNS) was developed by the Internet Engineering Task Force (IETF) as an attempt to standardize a way to map pairings of logical host names to actual IP addresses on a TCP/IP network.
DNS is an acceptable method for resolving names to addresses, but it requires the use of host files, and DNS servers must be overseen and updated manually as names and addresses are modified. This furthers the administrative chores that a TCP/IP network administrator must perform, although it does simplify network access for users.
For DNS to work properly it requires the use of a name space. The DNS name space is hierarchical in nature and allows host names to be stated in absolute or relative terms. Absolute names, or Fully Qualified Domain Names (FQDNs) are defined from the root of the name space and uniquely identify a node in the hierarchy. FQDNs end with a trailing dot. Relative names are represented relative to a name in the hierarchy. For example, server.microsoft.com is a relative DNS name of a host defined from the com part of the DNS name space hierarchy, which contains domain names of commercial organizations.
If the domain name of a company is mycompany.com, then the domain names sales.mycompany.com and marketing.mycompany.com are known as subdomains of the mycompany.com domain.
In addition to planning for domain hierarchies, DNS services use host files, which are flat text files that list pairings of DNS domain names and IP addresses for hosts on the local network. Host files are used by the DNS server to process and resolve name query requests forwarded by DNS clients initiating communications on the local network. In nearly all cases where DNS is used, host files must be created and updated manually for DNS service to work properly for all hosts.
Because DNS is a supported standard for all TCP/IP networks, there are typically no restrictions on using DNS services on private networks that support TCP/IP networking. Although other TCP/IP servers that are not Windows-based can be made to function as DNS servers, Windows NT Server provides the option of acting as a DNS server as well.
For more information on setting up Windows NT Server for use as a DNS Server, see your documentation for Windows NT Server. Also see Using DNS, WINS, and DHCP with Microsoft Proxy Server, earlier in this chapter.
Windows Internet Naming Service (WINS) is another option for resolving host names on networks that use Microsoft TCP/IP. It provides a distributed database for registering and querying dynamic computer name-to-IP address mappings in a routed network environment. WINS uses the NetBIOS computer name for any Microsoft-based network client to register each client in the WINS database on a computer running Windows NT Server.
A WINS system consists of the following:
WINS server Runs on a Windows NT Server and handles name registration requests from WINS clients and registers their names and IP addresses. The server also responds to name queries from WINS clients by returning the IP address of the name being queried (assuming the name is registered with the WINS server).
WINS client Registers its name with the WINS server when it joins or leaves the network. It also queries the WINS server for remote name resolution.
WINS proxy Helps resolve names on behalf of non-WINS clients. The proxy communicates with the WINS server to resolve names (rather than maintaining its own database) and then caches the names for a certain amount of time. The proxy serves as an intermediary between the WINS server and the non-WINS client, either by communicating with the WINS server or by supplying a name-to-IP address mapping from its cache. The presence of a WINS proxy in a WINS system is dictated solely by the presence of non-WINS clients.
If you are administering a routed internetwork, WINS is the best choice for NetBIOS name resolution, because it is designed to solve the problems that occur with name resolution in a complex internetwork. WINS goes beyond eliminating the need for an LMHOSTS file (a hosts file of NetBIOS name-to-IP address pairs) by reducing the use of local broadcasts for name resolution and allowing users to easily locate systems on remote networks.
Using WINS provides several benefits. In a dynamic network environment where host IP addresses can change frequently, WINS provides an excellent way to dynamically register these changes as they occur. It centralizes management of the NetBIOS name-to-IP address mapping database, so that there is no need to manage multiple LMHOSTS files across several servers on a network. It also reduces IP broadcast traffic in a NetBIOS-based internetwork, while allowing the clients to locate remote systems across local or wide area networks easily. Finally, with WINS, users on a Windows NT network can browse transparently across routers (for Windows NT domains that span multiple subnets). Browsing without WINS is complicated and involves manual procedures.
For more information, see Using DNS, WINS, and DHCP with Microsoft Proxy Server, earlier in this chapter.
The Dynamic Host Configuration Protocol (DHCP) was established to relieve the administrative burden of manual configuration of TCP/IP hosts on the network. DHCP provides an alternative to static IP addressing by enabling automatic configuration of the TCP/IP-related parameters when a DHCP client becomes active on the local network.
Note DHCP provides a way of passing configuration information to hosts that is based on an earlier protocol standard, known as the Bootstrap Protocol (BOOTP). BOOTP was conceived as a way to allow diskless workstations to obtain TCP/IP configuration settings and perform a network boot. DHCP uses some of the same concepts as BOOTP, such as a shared message format, which allows existing BOOTP clients to interoperate with DHCP Servers. However, there are further additions to DHCP that distinguish it from BOOTP and the two protocols are not identical in all respects.
DHCP provides safe, reliable, and simple TCP/IP network configuration. It ensures that address conflicts do not occur, and helps conserve the use of IP addresses by use of centralized management of address allocation. DHCP conserves addresses that are not in use by having the DHCP server reclaim an address after the address lease period has elapsed.
The system administrator controls how IP addresses are dynamically assigned by the DHCP server. To establish DHCP service, you set several parameters that are used to manage dynamic assignment of IP addresses. First, a lease period for each address is set. A lease specifies how long a computer can use an assigned IP address before having to renew the lease with the DHCP server. Another parameter that must be set for DHCP service is a scope. A scope indicates the available range of addresses that can be used within DHCP assignment. The scope provides for an available pool of addresses for the DHCP server to use when assigning and configuring clients. The scope exists only once for an entire subnetwork, but it can be further defined by excluding reserved subranges of addresses from the pool of assignable addresses allowed by the scope.
There are three major benefits to setting up a DHCP environment. First, it requires no additional address configuration for the workstation. This is useful because users do not need to know or maintain their computer's TCP/IP address configuration. This can be useful for mobile computer users who use portable computers that are moved to different offices or subnets frequently. Second, DHCP clients can be configured with additional TCP/IP parameters, such as the DNS server address or WINS server addresses that are essential for successful name-to-IP-address resolution by a host. Third, DHCP gives you better control of IP address assignment and management. For example, if the IP address for a router in a network changes and 250 client computers have to be updated with the new address, with DHCP you do not have to visit every workstation to reconfigure the default gateway manually.
DHCP is based on a client/server model. The DHCP server runs on a server, such as a Windows NT Server. The DHCP client runs on a network client such as a Windows 95 or Windows NT Workstation.
During system startup (the initializing state), a DHCP client computer sends a DHCP discover message that is broadcast on the local network and can be forwarded to all the DHCP servers on the private internetwork. Each DHCP server that receives the discover message responds with an offer message containing an IP address and valid configuration information for the DHCP client computer that sent the request.
The DHCP client then collects the configuration and enters a selecting state, where it chooses one of the address offers provided by the DHCP servers. The client selects one of the offered configurations and enters a requesting state. It then sends a request message to specify a request from that DHCP server. The selected DHCP server sends an acknowledgment message that contains the address requested, a valid lease for the address, and TCP/IP network configuration parameters for the client. The client enters a bound state after receiving the acknowledgment from the server and can now participate on the TCP/IP network.
Client computers with local disk storage save the received address for use during subsequent system startup. As the lease approaches its expiration date, the client attempts to renew its lease with the DHCP server. If the DHCP server that initially offered the lease is not available or the lease has expired, the client repeats the process and gets a new configuration from any of the DHCP servers available.
The following three types of hosts can be active in a DHCP configuration process.
DHCP Server Contains IP addresses, lease duration, and associated TCP/IP configuration information. The DHCP server listens for client requests and processes them.
DHCP Client Gets its IP address and related TCP/IP configuration parameters from the DHCP server during the initialization stage. The client also extends the lease on the IP address by renewing the lease before it expires.
DHCP Relay Agent Relay agent software (compliant with RFC 1542) that assists in forwarding DHCP packets between subnets in a routed internetwork. Usually, this component runs on the routers.
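The discover/offer/request/acknowledgment exchange and the client states described above, worked through in code. This is an added example and not part of the original documentation or of any Microsoft product: it encodes messages in the BOOTP fixed header plus DHCP options format that the Note above mentions, runs two constructed in-memory servers (each with a scope and an excluded subrange), and walks one client from the initializing state through selecting and requesting to bound. The server addresses, scopes and MAC addresses are constructed sample values. Note that the client binds to whichever offer it takes first, so an unplanned DHCP server on the same segment would hand out configuration the administrator never set; that is the reason scope and lease management belong in one controlled place, as the text recommends.

```python
"""DHCP discover/offer/request/ack exchange over the BOOTP message format (added example)."""
import socket
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"          # marks the DHCP options area of a BOOTP packet
BOOTREQUEST, BOOTREPLY = 1, 2
DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5   # DHCP message types carried in option 53
OPT_SUBNET, OPT_ROUTER, OPT_DNS, OPT_REQ_IP = 1, 3, 6, 50
OPT_LEASE, OPT_MSGTYPE, OPT_SERVERID, OPT_END = 51, 53, 54, 255
HEADER = "!BBBBIHH4s4s4s4s16s64s128s"        # the 236-byte fixed header DHCP shares with BOOTP


def build_message(op, xid, chaddr, yiaddr="0.0.0.0", options=()):
    """Encode the BOOTP fixed header, the magic cookie, then the DHCP options as TLVs."""
    zero = socket.inet_aton("0.0.0.0")
    fixed = struct.pack(HEADER, op, 1, 6, 0, xid, 0, 0x8000,   # Ethernet, 6-byte MAC, broadcast
                        zero, socket.inet_aton(yiaddr), zero, zero,
                        chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    body = b"".join(bytes([code, len(val)]) + val for code, val in options)
    return fixed + MAGIC_COOKIE + body + bytes([OPT_END])


def parse_message(data):
    """Decode the fixed header and walk the options until the END option."""
    op, _, hlen, _, xid, _, _, _, yiaddr, _, _, chaddr, _, _ = struct.unpack(HEADER, data[:236])
    if data[236:240] != MAGIC_COOKIE:
        raise ValueError("plain BOOTP packet: no DHCP options present")
    options, i = {}, 240
    while i < len(data) and data[i] != OPT_END:
        if data[i] == 0:                      # pad byte
            i += 1
            continue
        code, length = data[i], data[i + 1]
        options[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": op, "xid": xid, "chaddr": chaddr[:hlen],
            "yiaddr": socket.inet_ntoa(yiaddr), "options": options}


class DhcpServer:
    """One constructed server: a scope (address range), excluded subranges, and a lease table."""

    def __init__(self, server_ip, scope_start, scope_end, excluded=(), lease_secs=8 * 3600,
                 subnet="255.255.255.0", router="192.168.1.1", dns="192.168.1.1"):
        self.server_id = socket.inet_aton(server_ip)
        first, last = (struct.unpack("!I", socket.inet_aton(a))[0] for a in (scope_start, scope_end))
        pool = [socket.inet_ntoa(struct.pack("!I", n)) for n in range(first, last + 1)]
        self.pool = [a for a in pool if a not in excluded]   # reserved subranges leave the pool
        self.leases = {}                      # chaddr -> address currently leased
        self.config = [(OPT_SUBNET, socket.inet_aton(subnet)), (OPT_ROUTER, socket.inet_aton(router)),
                       (OPT_DNS, socket.inet_aton(dns)), (OPT_LEASE, struct.pack("!I", lease_secs))]

    def handle(self, data):
        """Answer a broadcast DISCOVER with an OFFER, a REQUEST naming us with an ACK, else stay silent."""
        msg = parse_message(data)
        kind = msg["options"][OPT_MSGTYPE][0]
        reply = [(OPT_SERVERID, self.server_id)] + self.config
        if kind == DISCOVER:
            free = [a for a in self.pool if a not in self.leases.values()]
            if not free:
                return None
            return build_message(BOOTREPLY, msg["xid"], msg["chaddr"], free[0],
                                 [(OPT_MSGTYPE, bytes([OFFER]))] + reply)
        if kind == REQUEST:
            if msg["options"].get(OPT_SERVERID) != self.server_id:
                return None                   # the client selected another server's offer
            addr = socket.inet_ntoa(msg["options"][OPT_REQ_IP])
            self.leases[msg["chaddr"]] = addr  # the lease is recorded only at REQUEST time
            return build_message(BOOTREPLY, msg["xid"], msg["chaddr"], addr,
                                 [(OPT_MSGTYPE, bytes([ACK]))] + reply)
        return None


def client_exchange(servers, chaddr, xid=0x2A2A):
    """Initializing -> selecting -> requesting -> bound; returns the configuration the client binds to."""
    discover = build_message(BOOTREQUEST, xid, chaddr, options=[(OPT_MSGTYPE, bytes([DISCOVER]))])
    offers = [parse_message(o) for o in (s.handle(discover) for s in servers) if o]
    if not offers:
        raise RuntimeError("no DHCP server offered an address")
    chosen = offers[0]                        # selecting: a plain client takes the first offer it sees
    request = build_message(BOOTREQUEST, xid, chaddr, options=[
        (OPT_MSGTYPE, bytes([REQUEST])), (OPT_SERVERID, chosen["options"][OPT_SERVERID]),
        (OPT_REQ_IP, socket.inet_aton(chosen["yiaddr"]))])
    acks = [parse_message(a) for a in (s.handle(request) for s in servers) if a]
    o = acks[0]["options"]                    # only the selected server acknowledges
    return {"address": acks[0]["yiaddr"], "server": socket.inet_ntoa(o[OPT_SERVERID]),
            "router": socket.inet_ntoa(o[OPT_ROUTER]), "dns": socket.inet_ntoa(o[OPT_DNS]),
            "lease_secs": struct.unpack("!I", o[OPT_LEASE])[0], "offers_seen": len(offers)}
```

With two servers on the segment, the client sees two offers, requests the first, and only that server records a lease and acknowledges; the second server's scope stays untouched. Removing an address from the pool through the excluded tuple shows how a reserved subrange within a scope is kept out of dynamic assignment.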
For more information about setting up DHCP services, see your documentation for Windows NT Server. Also see Using DNS, WINS, and DHCP with Microsoft Proxy Server, earlier in this chapter.
Overview of LAT Configuration
Modifying the LAT
Replacing the LAT
During Microsoft Proxy Server installation the Setup program helps you create a list of the IP addresses that constitute your private network. The information you provide is used to create a table, called the Local Address Table (LAT), that defines your private network. IP addresses that are external to your private network are specifically excluded from this table. The server maintains the master copy of the LAT, and a copy is downloaded to client computers.
The Setup program creates the original copy of the LAT. After installation, the server's copy of the LAT can be modified by using Internet Service Manager.
You can modify the existing LAT, adding to or removing from the IP address pairs provided by the Windows NT Server internal routing tables.
The Service Properties window appears. Make sure the Service tab is selected.
The Local Address Table Configuration dialog box appears.
Verify that the entries in the Internal IP Ranges box correctly identify your internal network. Add any needed IP address pairs until all addresses of your internal network are defined. Remove any IP address pairs that define external (Internet) addresses.
To add a range of IP addresses to the list, under Edit type a pair of addresses in the From and To boxes, and then click the Add button.
To add a single IP address to the list, under Edit type the same address in both the From and To boxes, and then click the Add button.
Be sure to exclude from the LAT any IP addresses associated with Internet-connected network adapter cards on servers running Microsoft Proxy Server. These are external IP addresses and should not be included in the LAT.
When the configuration is properly set, click OK, and click OK again.
Stop and start the WinSock Proxy and Web Proxy services.
The LAT changes do not take effect on the server until the services are restarted.
You can also completely replace the LAT, generating a new list of IP address pairs from internal routing tables used by Windows NT Server.
The Service Properties window appears. Make sure the Service tab is selected.
The Local Address Table Configuration dialog box appears.
The Construct Local Address Table dialog box appears.
To add to the LAT three ranges of IP addresses defined by IANA as private address ranges that can be used in a private IP network that is not connected to the Internet, select the Add the private ranges check box.
To choose the network adapter cards on the server whose IP addresses will be included in the LAT, select Load from NT Internal Routing Table and complete its options.
If you do not know which of the server's network adapter cards are connected to the private network, select Load known address ranges from all IP interface cards.
If you know which of the server's network adapter cards are connected to the private (internal) network and which are connected to the Internet, load only those IP addresses associated with the server's internally connected cards. Select Load known address ranges from the following IP interface cards. Then, in the list of network adapter cards, select the check box for each of the internally connected cards, and clear the check box for each of the externally connected cards.
The Local Address Table Configuration dialog box returns. A list of IP address pairs is displayed in the Internal IP Ranges box.
Be sure to exclude from the LAT any IP addresses associated with Internet-connected network adapter cards on servers running Microsoft Proxy Server. These are external IP addresses and should not be included in the LAT.
When the LAT configuration is properly set, click OK, and then click OK again.
Stop and start the WinSock Proxy and Web Proxy services.
The LAT changes do not take effect on the server until the services are restarted.
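The two procedures above, modifying a LAT and constructing one from the server's adapters and the IANA private ranges, reduce to a table of From/To pairs that both proxy services consult for every request. The following is an added example, not code from Microsoft Proxy Server or this documentation: it derives ranges from (address, subnet mask) pairs the way the Load from NT Internal Routing Table option does, performs the internal/external lookup, and reports the discrepancy the text warns about twice, an Internet-connected adapter whose address falls inside the LAT. The adapter addresses and the text LAT format with one pair per line are constructed for the example; the 203.0.113.0/24 range is a documentation range standing in for an ISP-assigned address.

```python
"""Local Address Table (LAT) lookup and sanity check (added example, not Microsoft Proxy Server code)."""
import ipaddress

# The three IANA private ranges that the "Add the private ranges" check box inserts.
PRIVATE_RANGES = [("10.0.0.0", "10.255.255.255"),
                  ("172.16.0.0", "172.31.255.255"),
                  ("192.168.0.0", "192.168.255.255")]


def parse_lat(text):
    """Read one 'From To' pair per line; a single host is written with the same address twice."""
    lat = []
    for line in text.splitlines():
        line = line.split("#")[0].strip()     # trailing comments are allowed in this example format
        if not line:
            continue
        start, end = (ipaddress.IPv4Address(p) for p in line.split())
        if end < start:
            raise ValueError("range end precedes start: " + line)
        lat.append((start, end))
    return sorted(lat)


def ranges_from_cards(cards):
    """Turn (address, subnet mask) pairs from the server's adapters into From/To pairs,
    mirroring what loading from the internal routing table does for the selected cards."""
    ranges = []
    for address, mask in cards:
        net = ipaddress.IPv4Network((address, mask), strict=False)
        ranges.append((net.network_address, net.broadcast_address))
    return ranges


def build_lat(internal_cards, add_private=False):
    """Construct a LAT from internally connected cards, optionally adding the private ranges."""
    lat = ranges_from_cards(internal_cards)
    if add_private:
        lat += [(ipaddress.IPv4Address(a), ipaddress.IPv4Address(b)) for a, b in PRIVATE_RANGES]
    return sorted(lat)


def is_internal(lat, ip):
    """The lookup both proxy services perform: does any LAT range contain this address?"""
    ip = ipaddress.IPv4Address(ip)
    return any(start <= ip <= end for start, end in lat)


def check_lat(lat, internal_ips, external_ips):
    """Return the discrepancies the text warns about, as strings; an empty list means the LAT is sound."""
    problems = []
    for ip in external_ips:
        if is_internal(lat, ip):
            problems.append("external adapter %s is inside the LAT; remove the range covering it" % ip)
    for ip in internal_ips:
        if not is_internal(lat, ip):
            problems.append("internal adapter %s is not covered by the LAT; add its range" % ip)
    return problems


def format_lat(lat):
    """Render the table as 'From To' lines, the shape parse_lat() reads back."""
    return "\n".join("%s %s" % (start, end) for start, end in lat)
```

One case worth running is the private-ranges option together with an external adapter that itself carries a private address (for example 10.0.0.2 handed out by an upstream device): check_lat() flags it, because with the private ranges added the Internet-side adapter would be treated as part of the private network.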
How Dial-Up Support Works
Using RAS with Microsoft Proxy Server
Using Microsoft Proxy Auto Dial
Restarting Services After a Dial-Up Connection
For Microsoft Proxy Server, dial-up support for connecting to an Internet service provider (ISP) is managed by using the Microsoft Proxy Auto Dial utility, Adialcfg.exe.
Microsoft Proxy Auto Dial uses Remote Access Service (RAS) phone book entries to perform on-demand dial-up connections as a RAS client. Once a RAS client is installed and configured on the server computer, Dial-Up Networking can be used to create RAS phone book entries for service dialing with Microsoft Proxy Server.
For dial-up support, connections are made by Microsoft Proxy Server when the following service demands occur:
Configuring RAS Options
Creating RAS Phone Book Entries
Other RAS-Related Issues
To configure dial-up support for Microsoft Proxy Server, first verify that RAS has been installed and configured properly. (If RAS is not currently installed, refer to your Windows NT product documentation for more information on installing and configuring RAS.) Once RAS is installed, you must configure port usage for dial-out only (to support dial-up service).
Note If RAS was installed and ports were configured initially as a RAS server (to receive calls) and not as a RAS client (to dial out only), port usage must be changed. For more information on changing from RAS server to RAS client settings, see Using RAS Server and Microsoft Proxy Server.
Once the RAS client is installed, you must reconfigure Remote Access Autodial Manager and Remote Access Connection Manager services to use Microsoft Proxy Auto Dial to manage dial-up support.
Once a RAS client has been configured, an initial dialing entry must be created by using the Dial-Up Networking program. This entry will be used to dial your ISP's phone number. Before creating a dialing entry, first check with your ISP for any specific connection settings that you will need to use when creating your dialing entry.
Note When creating a RAS phone book entry for use with Microsoft Proxy Server, you must first log on by using an account with Administrator privileges.
Using RAS Server and Microsoft Proxy Server
Using PPTP and Microsoft Proxy Server
Warning Enabling a RAS Server with Microsoft Proxy Server is not a recommended configuration. If you are considering using RAS dialup, or if you configured a RAS server during installation of RAS, read the following section carefully for more information on issues related to RAS server usage and Microsoft Proxy Server.
If you have installed RAS and configured an initial port for dial-out use after Microsoft Proxy Server was installed, check that port usage is set for Dial Out Only. If Dial Out and Receive Calls or Receive Calls Only is selected, the server is configured as a RAS server. In almost all cases, RAS should be reconfigured for RAS client use (to dial out only).
There is one exceptional case where a RAS server can be installed and used: if an additional separate port is configured to receive calls only. For example, if dial-up support is configured on the COM2 port of the server, a dial-in server could be allowed on the server's COM1 port.
When configuring any additional ports for RAS server usage, limit dial-in clients by selecting This Computer Only and clear Entire Network access during Remote Access Service setup. (If access to the entire network is allowed, IP forwarding will also be enabled. IP forwarding is not allowed with Microsoft Proxy Server.)
Point-to-Point Tunneling Protocol (PPTP) is a networking protocol that supports multiprotocol virtual private networks (VPNs), enabling secure network access over the Internet between remote computers.
Warning Using PPTP with Microsoft Proxy Server is not recommended. If PPTP is installed, read the following section carefully for information on issues related to PPTP usage with Microsoft Proxy Server.
If PPTP is installed on the same computer used for Microsoft Proxy Server, the following configuration changes must be made after installation:
About Microsoft Proxy Auto Dial
Setting Credentials
Setting Dialing Hours
Microsoft Proxy Auto Dial is an additional tool that can be used to manage dial-up support for connecting Microsoft Proxy Server to your ISP. You can use the Auto Dial tool to configure the following options for any configured RAS phone book entry.
You can use the Credentials property sheet if your ISP requires additional user and password information to be entered when a dial-up connection is made. This information can be stored for use by Microsoft Proxy Auto Dial and used each time when dialing a specific phone book entry.
You can use the Dialing Hours property sheet to specify selected hours or days during the week when service dialing is to be allowed. When dialing hours are selected, Microsoft Proxy Server will allow on-demand dialing to occur. When dialing hours are cleared, service dialing will not occur.
This feature can be used to prevent service dial-up connections from being made during certain selected hours of the day, or on selected days of the week. In some cases, limiting dialing to certain specified hours can be useful where Internet access is billed by connection time or where there are toll charges applied each time an ISP's access number is dialed.
When dialing hours are set for a specific phone book entry, this information is stored by Microsoft Proxy Auto Dial and used each time the entry is dialed.
Note Microsoft Proxy Auto Dial does not provide an option for automated dial-up connections. To automate dial-up connections, use RAS dial-out scripting options, which can be set within the designated RAS scripting file, Switch.inf. For more information on RAS scripting, see your documentation provided with Windows NT Server 4.0 or RAS online Help.
When Microsoft Proxy Auto Dial is used to establish a dial-up connection to an ISP, the WWW, Web Proxy, and WinSock Proxy services must be restarted if:
Microsoft Proxy Auto Dial is being used for the first time. To initialize use with Microsoft Proxy Auto Dial, services must be restarted.
Settings made using Microsoft Proxy Auto Dial are later cleared. When settings are cleared, services must be restarted for new parameters to take effect.
Once Microsoft Proxy Auto Dial has been used at least once (click Apply and OK to store settings), further changes to Auto Dial settings will be used by Web Proxy and WinSock Proxy services for subsequent dial-out connections without requiring services to be stopped and started each time.
You can stop and restart all services (WWW, Web Proxy, and WinSock Proxy) by using Internet Service Manager.
Also, you can stop and start the WWW, Web Proxy, and WinSock Proxy services from the command prompt by issuing the following set of commands:
net stop w3svc
net stop wspsrv
net start w3svc
net start wspsrv
It is not necessary to issue a separate command to stop and start the Web Proxy service. Stopping and starting the WWW Service also stops and starts the Web Proxy service.
Web Proxy Support for Anonymous FTP Clients
Ping and Tracert
Microsoft Exchange and Internet Mail Connector
Some FTP sites require an e-mail user name as the password to be entered for anonymous FTP client access. Where a password is required for anonymous access, the e-mail name to be sent by Web Proxy is:
proxyuser@domain
where domain is the current Internet DNS domain setting in use for the TCP/IP properties on Microsoft Proxy Server, such as mycompany.com.
Ping and Tracert are two standard utilities used to assist in troubleshooting TCP/IP-related problems on your network.
Ping is a utility that helps to verify IP-level connectivity. When troubleshooting, the Ping command is used to send an Internet Control Message Protocol (ICMP) echo request to a targeted DNS domain name or IP address. Tracert is a route-tracing utility. Tracert uses the IP TTL field and ICMP error messages to determine the route followed from one host to another through a network.
Because the Ping and Tracert utilities operate at the transport layer by using ICMP (which does not use Windows Sockets), these utilities cannot be redirected by Microsoft Proxy Server. Results obtained through proxy connections using the Ping and Tracert utilities to test connections between remote and local hosts will be invalid.
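To make concrete what the two utilities actually put on the wire, and why there is nothing for a Windows Sockets proxy to intercept, here is an added example that is not part of this documentation or of the Windows utilities: it builds an ICMP echo request with the RFC 1071 checksum that Ping sends, verifies a received packet the same way, and simulates the Tracert walk by sending echoes with TTL 1, 2, 3 ... along a constructed list of router addresses and recording which host answers each one (a Time Exceeded from the router where the TTL ran out, or an Echo Reply from the destination). Hop addresses are constructed sample values; no packets are sent.

```python
"""ICMP echo (Ping) encoding and a TTL-driven Tracert walk (added example, not Windows code)."""
import struct

ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST, ICMP_TIME_EXCEEDED = 0, 8, 11


def icmp_checksum(data):
    """RFC 1071 one's-complement sum over 16-bit words, as used by the ICMP header."""
    if len(data) % 2:
        data += b"\0"                          # odd length: pad the last word
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                         # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(ident, seq, payload=b""):
    """Type 8, code 0, checksum over header plus payload (computed with the field zeroed)."""
    header = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, csum, ident, seq) + payload


def parse_icmp(packet):
    """Decode an ICMP packet; a valid packet sums to zero when its checksum field is included."""
    if len(packet) < 8:
        raise ValueError("ICMP packet shorter than its header")
    if icmp_checksum(packet) != 0:
        raise ValueError("bad ICMP checksum")
    typ, code, _, ident, seq = struct.unpack("!BBHHH", packet[:8])
    return {"type": typ, "code": code, "id": ident, "seq": seq, "payload": packet[8:]}


def trace_route(routers, destination, max_hops=30):
    """Simulate Tracert: each probe's TTL is decremented by every router on the way; the router
    that takes it to zero answers with Time Exceeded, and once the TTL outlasts the path the
    destination answers the echo itself. Returns (host, icmp_type) per hop discovered."""
    route = []
    for ttl in range(1, max_hops + 1):
        remaining, answer = ttl, None
        for router in routers:
            remaining -= 1
            if remaining == 0:
                answer = (router, ICMP_TIME_EXCEEDED)
                break
        if answer is None:
            answer = (destination, ICMP_ECHO_REPLY)
        route.append(answer)
        if answer[1] == ICMP_ECHO_REPLY:       # destination reached: stop probing
            break
    return route
```

Both messages are raw ICMP carried directly in IP; there is no TCP or UDP port, which is why a proxy that works at the Windows Sockets layer never sees them and a Ping or Tracert run from a proxied client says nothing about the path beyond the proxy server.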
The Internet Mail Connector is used to provide message exchange between Microsoft Exchange Server and systems that use Simple Mail Transfer Protocol (SMTP) for Internet e-mail.
Microsoft Proxy Server cannot support proxy forwarding of SMTP-based requests when Exchange Server is installed on another server computer on the internal network. This prevents another computer running Exchange on your private network from using Internet Mail Connector to service Internet e-mail messaging.
However, Exchange Server can be installed together with Microsoft Proxy Server on the same server and communicate normally to both internal and external SMTP clients.
© 1996 by Microsoft Corporation. All rights reserved.