Overview of WinSock Proxy Service Configuration
Configuring WinSock Proxy Protocols and Ports
Setting Up WinSock Proxy Users
Controlling WinSock Proxy User Access to Internet Sites
Logging WinSock Proxy Service Activity
Setting WinSock Proxy Access Control
After you have installed Microsoft Proxy Server, you will usually perform the following steps to configure the WinSock Proxy service:
Set up protocols and ports, to determine which Windows Sockets applications are allowed to access the Internet by using the WinSock Proxy service.
Set up permissions, to determine which Windows NT groups or users are granted the ability to use each of the Internet protocols supported by the WinSock Proxy service.
Set up filtering, to determine the specific Internet sites that all users of the WinSock Proxy service are allowed to access.
Set up logging, to determine how WinSock Proxy service activity information is saved in the WinSock Proxy service log.
These steps are described in this chapter.
Note: If the WinSock Proxy service is stopped, you can use Internet Service Manager to change its configuration settings, but the changes will not take effect until you restart the service.
Setting Up Protocol Configurations
About the Predefined Protocol Configurations
Protocol configurations determine which Windows Sockets applications can be used to access the Internet through the WinSock Proxy service on a server, and for each protocol configuration, which ports can be used for outbound and inbound connections. You create, modify, and delete protocol configurations by using the Protocols property sheet in the WinSock Proxy Service Properties window.
When Microsoft Proxy Server is installed, some default protocol configurations are created by the Setup program. These are described in Default Protocol Configurations, later in this chapter.
1. From Internet Service Manager, open the WinSock Proxy Service Properties window for the server to be administered, and click the Protocols tab.
2. To create a protocol configuration and add it to the list of protocols that can be used to access the Internet through the WinSock Proxy service on the server, click Add and complete the Protocol Definition dialog box.
   See the next procedure for instructions on how to complete the Protocol Definition dialog box.
   When the Protocol Definition dialog is completed and you click OK, the WinSock Proxy Protocols property sheet returns and the protocol is added to the Protocol Definitions list.
3. To modify the settings for a configured protocol, select a protocol from the Protocol Definitions list, click Edit, and modify the settings in the Protocol Definition dialog box.
4. To delete a protocol configuration, select it from the Protocol Definitions list and click Remove.
5. Repeat steps 2-4 until all protocol configurations are defined appropriately for the WinSock Proxy service on this server.
6. Click OK to save the settings.
The preceding procedure sets protocol configurations for one server. If your network has more than one server running the WinSock Proxy service, repeat the procedure for each server.
From the WinSock Proxy Protocols property sheet, open the Protocol Definition dialog box as described in the preceding procedure.
In the Protocol Name box, type a name for this protocol configuration.
This name will appear in lists of protocol configurations, in the WinSock Proxy Protocols and Permissions property sheets when this server is administered.
In the Port box, type the number of the port on the server that will be used for the initial connection.
For a discussion of ports, see Server Administration.
Under Type, specify the protocol type used for initial connections. Select TCP (for Transmission Control Protocol) or UDP (for User Datagram Protocol).
Under Direction, specify whether the initial connection port will be configured for Outbound or Inbound.
If you selected TCP as the Type, select Outbound to allow clients to initiate connections to external sites through this port. Select Inbound to allow external sites to initiate connections to clients through the port.
If you selected UDP as the Type, select Outbound to allow the port to pass packets sent from a client to an external site. Select Inbound to allow the port to pass packets sent from an external site to a client.
Use the Port Ranges for Subsequent Connections options to define how to handle connections or packets that originate as a result of requests or packets sent on the initial connections port number. The list under Port Ranges for Subsequent Connections displays the port, packet type, and direction for each subsequent connection configuration (if any exist). There can be one or more configurations for subsequent connections in this list.
Note: A port range setting of 0 for inbound connections indicates Port_Any, which allows the server to select the port from the range 1024-5000.
To specify a port or port range that will be used for subsequent connections, click Add, and complete the Port Range Definition dialog box. See the next procedure for instructions on how to complete the Port Range Definition dialog box.
To modify the settings for a port range for a subsequent connection, select the port range from the Port Ranges for Subsequent Connections list, click Edit, and complete the Port Range Definition dialog box.
To remove a port or port range from the list of those that will be used for subsequent connections, select the port range from the Port Ranges for Subsequent Connections list and click Remove.
Click OK. The WinSock Proxy Protocols property sheet returns. The new or modified protocol configuration appears in the Protocol Definitions list.
Subsequent connections are those that originate as a result of requests or packets sent on the initial connections port number. The subsequent connection parameters include the port number or range, the protocol type, and the direction.
From the Protocol Definition dialog box, open the Port Range Definition dialog box, as described in the preceding procedure.
In the Port or Range boxes, type a single port or a range of port numbers to use to receive connections or packets that originate as a result of requests or packets sent on the initial connections port number. Note that you can type 0 to indicate Any, which allows connections to ports 1024-5000.
For a discussion of ports, see Server Administration.
Under Type, specify the protocol type that will be used for subsequent connections. Select TCP (for Transmission Control Protocol) or UDP (for User Datagram Protocol).
Under Direction, specify whether the subsequent connection ports will be configured for Inbound or Outbound.
If you selected TCP as the Type, select Inbound to allow external sites to initiate connections to clients through the ports. Select Outbound to allow clients to initiate connections to external sites through the port.
If you selected UDP as the Type, select Outbound to allow the ports to pass packets sent from a client to an external site. Select Inbound to allow the ports to pass packets sent from an external site to a client.
Click OK. The Protocol Definition dialog box returns. The new or modified subsequent connection configuration appears in the Port Ranges for Subsequent Connections list.
When a new protocol configuration is created it does not have any permissions granted. To allow users to use the protocol to access the Internet, permissions must be granted as described in Setting Up WinSock Proxy Users, later in this chapter.
Microsoft Proxy Server Setup installs a default set of predefined WinSock Proxy protocol configurations on the server. These appear in the Protocols lists in the WinSock Proxy Protocols and Permissions property sheets. You are not limited to these predefined protocol configurations, nor are you restricted to Windows Sockets applications that work with these predefined protocol configurations. Use the WinSock Proxy Protocols property sheet to add protocol configurations that support additional Windows Sockets applications.
WinSock Proxy permissions determine which users or groups of users can access the Internet by using a particular protocol configuration through the WinSock Proxy service on a server. Permissions are granted separately for each protocol configuration.
When Microsoft Proxy Server is installed, by default there are no WinSock Proxy permissions granted. You must grant permissions before users can access the Internet by using the WinSock Proxy service.
Before assigning WinSock Proxy permissions it is a good idea to use User Manager for Domains to create user groups containing the user accounts of users who need access to a particular protocol or sets of protocols. Then you can apply permissions to groups, rather than to individual users. For more information about user groups and about User Manager for Domains, see Server Administration. Also see your documentation for Windows NT.
From Internet Service Manager, open the WinSock Proxy Service Properties window for the server to be administered, and click the Permissions tab.
To grant a user or group the right to use a protocol to access the Internet through the WinSock Proxy service on this server, select the protocol from the list in the Protocol box, choose Add, and complete the Add Users and Groups dialog box that appears.
A special selection in the Protocol list, Unlimited Access, allows access to all protocols and all ports of this server. This includes ports not defined in any protocol configuration. Also, users granted Unlimited Access are not affected by WinSock Proxy domain filtering. Grant permission to Unlimited Access only to users who should have such access.
When you select a protocol from the list, the Grant Access To box lists the users and groups that are already granted permissions for that protocol.
To remove a user or group from the list of those granted the right to use a protocol to access the Internet through the WinSock Proxy service on the server, select the protocol from the Protocol box, select the user or group from the Grant Access To list, and choose Remove.
When permissions are set appropriately for the selected protocol, select another protocol from the list, and grant or remove permissions as necessary.
When all protocols have their permissions set appropriately, click OK.
This procedure sets permissions for one server. If your network has more than one server running the WinSock Proxy service, repeat the procedure for each server.
For convenience, you can copy user permissions from one protocol to one or more other protocols. You can also remove user permissions from several protocols at once.
1. From Internet Service Manager, open the WinSock Proxy Service Properties window for the server to be administered, and click the Permissions tab.
2. Select a protocol from the Protocol list, then select one or more users and groups from the Grant Access To list.
3. Choose either Copy To or Remove From.
   To grant those users and groups permissions to use several protocols, click Copy To and complete the Protocol Selection dialog box that appears.
   To remove permissions for those users and groups to use several protocols, click Remove From, and complete the Protocol Selection dialog box that appears.
4. When permissions are set appropriately for the users of the selected protocol, repeat steps 2 and 3 as necessary.
5. When all protocols and users have their permissions set appropriately, click OK.
The protocol configurations that appear in the Protocol list in the Permissions property sheet are added, removed, and modified by using the Protocols property sheet, as described in Configuring WinSock Proxy Protocols and Ports, earlier in this chapter.
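The following Python model is an added example, not code from Microsoft Proxy Server. It shows how a protocol definition (initial port, subsequent port ranges with 0 as Port_Any) combines with per-protocol permissions, Unlimited Access, and the Enable Access Control setting into an access decision. The class names, the sample protocols and the CORP\ group names are constructed, and treating disabled access control as "any client may use any defined protocol" is an assumption.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class PortRange:
    low: int          # 0 means Port_Any: ports 1024-5000
    high: int
    type: str         # "TCP" or "UDP"
    direction: str    # "Inbound" or "Outbound"

    def covers(self, port, type_, direction):
        low, high = (1024, 5000) if self.low == 0 else (self.low, self.high)
        return (low <= port <= high
                and (self.type, self.direction) == (type_, direction))

@dataclass
class Protocol:
    name: str
    port: int         # initial connection port
    type: str
    direction: str
    subsequent: tuple = ()
    granted: frozenset = frozenset()    # a new definition grants nobody

@dataclass
class Config:
    protocols: list
    unlimited: frozenset = frozenset()  # holders of Unlimited Access
    access_control: bool = True

def may_connect(cfg, principals, port, type_, direction, via=None):
    """principals: the caller's user and group names (a frozenset).
    via=None checks an initial connection; via=<name> checks a subsequent
    connection following an initial one on that protocol definition."""
    if principals & cfg.unlimited:
        return True   # every protocol and port, defined or not
    for p in cfg.protocols:
        if cfg.access_control and not (p.granted & principals):
            continue  # caller has no permission for this definition
        if via is None:
            if (p.port, p.type, p.direction) == (port, type_, direction):
                return True
        elif p.name == via and any(
                r.covers(port, type_, direction) for r in p.subsequent):
            return True
    return False

# Constructed sample configuration, not the defaults installed by Setup.
SAMPLE = Config(
    protocols=[
        Protocol("FileXfer", 21, "TCP", "Outbound",
                 (PortRange(0, 0, "TCP", "Inbound"),),
                 frozenset({"CORP\\Engineering"})),
        Protocol("NewApp", 7000, "TCP", "Outbound"),  # no grants yet
    ],
    unlimited=frozenset({"CORP\\ProxyAdmins"}),
)
```

In the sample, the inbound Port_Any range on FileXfer and the membership of the Unlimited Access list are the two settings that widen exposure most and are the first to review.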
You can allow or prevent client access to specific Internet sites. This is called filtering, and is accomplished on a per-server basis. It applies to all users who access the Internet by using either service (Web Proxy or WinSock Proxy) on that server.
You can allow or prevent access to a single computer, a group of computers, or an Internet domain. You can control access by IP address, subnet mask, and domain name.
Note that for the WinSock Proxy service, filtering by domain name does not affect Internet requests where the client application accesses a site by using an IP address. To effectively filter a site you may find it useful to create filters both on the domain name and the IP address.
1. From Internet Service Manager, open the WinSock Proxy Service Properties window for the server to be administered, and click the Filters tab.
2. Select the Enable Filtering option.
3. Select the filtering mode. Set an overall policy first, then specify exceptions to that policy.
   To deny access to specific Internet sites, select Granted.
   Users will be denied access to those Internet sites that appear in the Except to those listed below list, and will be allowed access to all other Internet sites.
   Select Denied to allow access to specific Internet sites.
   Users will be allowed access to specific Internet sites that appear in the Except to those listed below list, and will be denied access to all other Internet sites.
4. To create a filter, click Add and complete the dialog box that appears.
   Select Single Computer to filter a single computer. If you select this option, you must also enter that computer's IP address in the IP Address box.
   Select Group of Computers to filter a group of computers. If you select this option, you must enter an IP address in the IP Address box, and a subnet mask in the Subnet Mask box.
   Select Domain to filter a domain. If you select this option, enter a domain name in the Domain box.
   When you have completed the dialog box, click OK. The Filters tab returns, with the new filter added to the Except to those listed below list.
5. Repeat step 4 until all needed filters are defined for this server.
6. To alter a listed filter, select it from the list, click Edit, and modify the settings in the dialog box that appears.
7. To remove a filter from the list, select the item and click Remove.
8. Click OK.
Note: Only the selected mode, Granted or Denied, is in effect. If you switch between modes, filters created for the deselected mode are retained, but are not in effect.
This procedure sets up filtering for one server. If your network has more than one server running Microsoft Proxy Server, repeat the procedure for each server.
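The filter semantics described above, modelled in Python as an added example (not code from Microsoft Proxy Server). It shows the Granted and Denied modes, the three filter kinds, and why a domain filter alone leaves a gap when a client connects by IP address. The class names and sample addresses are constructed; matching subdomains of a filtered domain and performing no DNS lookup are assumptions of this model.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Filter:
    kind: str         # "single", "group" or "domain"
    value: str        # IP address, or domain name for "domain"
    mask: str = ""    # subnet mask, used only for "group"

    def matches(self, target: str) -> bool:
        try:
            ip = ipaddress.ip_address(target)
        except ValueError:
            ip = None                 # target is a host name
        if self.kind == "domain":
            if ip is not None:
                return False          # request made by IP: a name filter never applies
            name, dom = target.lower().rstrip("."), self.value.lower()
            return name == dom or name.endswith("." + dom)
        if ip is None:
            return False              # assumption: no DNS lookup is modelled
        if self.kind == "single":
            return ip == ipaddress.ip_address(self.value)
        net = ipaddress.ip_network(f"{self.value}/{self.mask}", strict=False)
        return ip in net

@dataclass
class FilterConfig:
    enabled: bool = True
    mode: str = "granted"             # "granted" or "denied"
    exceptions: dict = field(
        default_factory=lambda: {"granted": [], "denied": []})

    def allows(self, target: str) -> bool:
        if not self.enabled:
            return True
        # Only the selected mode's list is in effect; the other is retained.
        listed = any(f.matches(target) for f in self.exceptions[self.mode])
        # Granted: everything except the list. Denied: only the list.
        return not listed if self.mode == "granted" else listed

def sample() -> FilterConfig:
    """Constructed sample; example.com is assumed to live at 192.0.2.10."""
    cfg = FilterConfig(mode="granted")
    cfg.exceptions["granted"].append(Filter("domain", "example.com"))
    cfg.exceptions["denied"].append(
        Filter("group", "198.51.100.0", "255.255.255.0"))
    return cfg
```

With only the domain filter in place, `sample().allows("192.0.2.10")` is still true; adding `Filter("single", "192.0.2.10")` to the Granted list closes that gap.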
Microsoft Proxy Server can log information about all Internet requests made by WinSock Proxy service clients. It can log to a text file or to a table in an ODBC-compliant database (such as Microsoft Access or Microsoft SQL Server).
By default, WinSock Proxy service information is logged to a text file. After installing Microsoft Proxy Server, you can set the configuration parameters for text file logging, or you can set up logging to an ODBC-compliant database.
From Internet Service Manager, open the WinSock Proxy Service Properties window for the server to be administered, and click the Logging tab.
Make sure the Enable Logging option is selected.
Select either Regular Logging or Verbose Logging.
Regular Logging records only a subset of all available information for each Internet access. This option reduces the disk space needed for a log file. Verbose Logging records all available information for each Internet access.
Make sure the Log to File option is selected.
Select or clear the Automatically open new log option.
Select this option to periodically create a new WinSock Proxy service log file, using the interval specified by the Daily, Weekly, Monthly, or When File Size Reaches options. When a new log file is started, the old log file is closed (and can optionally be archived on other storage media).
Clear this option to use the same WinSock Proxy log file continuously.
If you select the Automatically open new log option, specify the interval used to open a new log file. Select Daily, Weekly, Monthly, or When File Size Reaches. If you select When File Size Reaches, also enter a value in the MB box.
Review and, if appropriate, change the log file directory.
To change this location, type a new path in the Log File Directory box, or click Browse and complete the dialog box that appears. It is possible to log to a local or remote drive, but in general it is recommended that you store your WinSock Proxy log file on a local disk.
Note: To help prevent the disk from filling up, it is a good idea to store the logs and the Web Proxy service cache on different volumes.
Click OK.
The log settings are saved.
For more information about logging to a text file, including detailed information about the data that is logged and the difference between regular and verbose logging, see Monitoring.
The following procedure shows you the basic steps you will perform to log WinSock Proxy service information to an ODBC-compliant database. For detailed instructions about how to accomplish each of these steps, see Monitoring.
Install the database. The database can be installed on the local computer or a remote computer.
Create a table in the database, creating the fields necessary to support WinSock Proxy service log data. The required fields are described in detail in Monitoring.
Install the ODBC driver for the database you are using.
Create a System Data Source Name (system DSN) for the database that will receive the log data.
Detailed instructions are provided in Monitoring.
When Microsoft Proxy Server is installed the Setup program presents an option to enable or disable access control for the WinSock Proxy service. If access control is enabled, only users who are granted WinSock Proxy permissions can use WinSock Proxy protocols to access the Internet through the WinSock Proxy service. If access control is disabled, any client can access the Internet through the WinSock Proxy service; this is the WinSock Proxy equivalent of Anonymous access.
From Internet Service Manager, open the WinSock Proxy Service Properties window for the server to be administered, and click the Permissions tab.
To enable access control, select the Enable Access Control check box. To disable access control, clear the check box.
© 1996 by Microsoft Corporation. All rights reserved.