The Default Configuration
Publishing to the Internet
Publishing On Your Private Network
Microsoft Proxy Server must be installed on a server that already has Microsoft Internet Information Server (IIS) installed. When Microsoft Proxy Server is installed on a server, it configures IIS so that it will not listen to Internet requests (requests sent to the IP address of the server's network adapter card that is connected to the Internet). In this default configuration, requests from Internet clients are ignored. IIS cannot publish to Internet clients, but can publish to private network (internal) clients.
Internet Publishing with Microsoft Proxy Server
How to Enable Publishing to the Internet
Further Suggestions Before Publishing
The Microsoft Proxy Server was designed primarily to manage outbound connections and performance for internal clients on a private network accessing Internet services. Although it offers increased security for your network, using a gateway computer running Microsoft Proxy Server for Internet publishing is not a preferred solution.
If you do decide to use Microsoft Proxy Server and IIS together for external Web publishing, it is recommended that you use different computers for Microsoft Proxy Server and IIS whenever possible.
If you have a small network and server costs are a primary concern, you may want to consider hosting your organization's Web site by using leased server space available through your Internet service provider. Many ISPs offer this type of hosting service to businesses for a fixed monthly rate. For larger networks, where server security is of primary concern, consider carefully the possible consequences of combining Web servers publishing to the Internet, and the need for maintaining security and privacy for your internal network.
The following sections discuss steps needed to configure Microsoft Proxy Server for external publishing to the Internet. Also, a number of suggestions are provided to help you in making your private network secure when publishing on the Internet.
The Service Properties window appears. Make sure the Service tab is selected.
By default, this option is cleared. Selecting this option allows IIS to listen on port 80 of the server's network adapter card that is connected to the Internet, allowing Internet Web clients to access published documents on this server. Clearing this option prevents the WWW service of IIS from publishing to the Internet.
Note: This option has no effect on FTP or Gopher publishing to the Internet using ports 21 and 70 respectively. FTP and Gopher services do not distinguish between internal and external publishing. To restrict access from the Internet to these services, other security measures should be used, such as setting ACL permissions for FTP or Gopher published files. Also, it is recommended that if FTP or Gopher services are not used, these services should be turned off using Internet Service Manager to stop each service.
The Internet Service Manager window returns.
Warning: Publishing on the Internet compromises gateway security and increases the exposure of your private network to external users.
When Microsoft Proxy Server is used to service outbound proxy connections, your network and server are not continuously present or visible to Internet users. When Web publishing is allowed, your server maintains a continuous presence on the Internet and can allow users to try random or varied methods for intrusion to your network. Also, where interactive scripts or programming extensions (such as CGI or ISAPI DLLs) are used to allow dynamic changes in Web published content, the possibility exists for users to search out server security leaks through Web server applications that are not thoroughly tested or carefully designed.
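To confirm which of the WWW, FTP and Gopher services are actually bound to the Internet-facing adapter, the listening sockets on the server can be audited. The following is an added example, not part of the original documentation: it parses `netstat -an` style output and reports listeners on ports 80, 21 and 70 that are reachable on the external address. The sample output and the addresses `10.0.0.1` (internal) and `192.0.2.10` (external) are constructed for illustration.

```python
import re

# Ports named in the documentation: WWW 80, FTP 21, Gopher 70.
SERVICES = {80: "WWW", 21: "FTP", 70: "Gopher"}

# Matches a listening TCP line from Windows "netstat -an" output.
LISTEN_RE = re.compile(
    r"^\s*TCP\s+(\d{1,3}(?:\.\d{1,3}){3}):(\d+)\s+\S+\s+LISTENING\s*$",
    re.IGNORECASE,
)

def exposed_services(netstat_text, external_ip):
    """Return {service: [bind addresses]} for listeners reachable on external_ip."""
    exposed = {}
    for line in netstat_text.splitlines():
        match = LISTEN_RE.match(line)
        if not match:
            continue  # header, UDP, or non-listening entry
        addr, port = match.group(1), int(match.group(2))
        name = SERVICES.get(port)
        if name is None:
            continue
        # 0.0.0.0 means "all adapters", which includes the Internet-facing one.
        if addr in ("0.0.0.0", external_ip):
            exposed.setdefault(name, []).append(addr)
    return exposed

def unexpected_exposure(netstat_text, external_ip, intended):
    """Services reachable from the Internet that are not in the intended set."""
    exposed = exposed_services(netstat_text, external_ip)
    return sorted(name for name in exposed if name not in intended)

# Constructed sample: WWW bound to the internal adapter only,
# FTP and Gopher bound to all adapters.
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:70             0.0.0.0:0              LISTENING
  TCP    10.0.0.1:80            0.0.0.0:0              LISTENING
  TCP    10.0.0.1:139           0.0.0.0:0              LISTENING
"""

if __name__ == "__main__":
    for svc in unexpected_exposure(SAMPLE_NETSTAT, "192.0.2.10", intended=set()):
        print(f"{svc} is reachable on the Internet-facing adapter")
```
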
If you are still considering using Microsoft Proxy Server for your Internet publishing server, the following suggestions can help further secure your private network.
Whether you are considering publishing to the Internet or not, adding external IP addresses to the LAT exposes your entire private network to Internet servers and clients. This can severely jeopardize your private network's security.
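One way to review a LAT for external addresses, as an added example that is not part of the original documentation: the script below flags any address range that contains the server's Internet-facing address or that falls outside the RFC 1918 private blocks. It assumes the LAT entries are available as one "start end" address pair per line; the sample entries and the external address `192.0.2.10` are constructed, and a network that legitimately uses registered addresses internally will need its own allow-list in place of `PRIVATE_BLOCKS`.

```python
import ipaddress

# RFC 1918 private address blocks, used here as the definition of "internal".
PRIVATE_BLOCKS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

def parse_lat(text):
    """Parse 'start end' address pairs, one per line (assumed layout)."""
    ranges = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        parts = line.split()
        if not parts:
            continue  # blank line
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected two addresses")
        lo, hi = (ipaddress.IPv4Address(p) for p in parts)
        if lo > hi:
            raise ValueError(f"line {lineno}: start is above end")
        ranges.append((lo, hi))
    return ranges

def audit_lat(text, external_ip):
    """Return (start, end, reason) for every LAT range that looks external."""
    ext = ipaddress.IPv4Address(external_ip)
    findings = []
    for lo, hi in parse_lat(text):
        if lo <= ext <= hi:
            findings.append((str(lo), str(hi), "contains external adapter address"))
        # Both endpoints inside one block means the whole range is inside it.
        elif not any(lo in net and hi in net for net in PRIVATE_BLOCKS):
            findings.append((str(lo), str(hi), "not within a private address block"))
    return findings

# Constructed sample LAT entries.
SAMPLE_LAT = """
10.0.0.0       10.255.255.255
192.168.1.0    192.168.1.255
192.0.2.0      192.0.2.255
198.51.100.0   198.51.100.255
"""

if __name__ == "__main__":
    for start, end, reason in audit_lat(SAMPLE_LAT, "192.0.2.10"):
        print(f"{start} - {end}: {reason}")
```
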
Separate Microsoft Proxy Server and IIS publishing onto different computers or separate domains.
If your private network is large enough and you have multiple Windows NT domain servers, consider creating a separate domain for all computers running Microsoft Proxy Server and those running IIS for external publishing. By using separate Windows NT domains and establishing a single, one-way trust relationship between the Microsoft Proxy Server domain and another internal domain, you can further restrict access to your private network.
For example, if you have an internal domain named CORPORATE established for internal Windows NT-based servers on your private network, you might add a new domain named PROXY to include the computer running Microsoft Proxy Server and any IIS-based servers publishing to the Internet. By setting a single domain trust relationship where the PROXY domain trusts the CORPORATE domain, you can allow users on your internal network to have fully assignable access permissions to Microsoft Proxy Server services on the PROXY domain, but restrict Internet users from accessing resources on the internal CORPORATE domain.
Set default access to shared volumes and directories to read-only access.
Use Windows NT Explorer to set up default sharing permissions for all users and limit external user logons.
Set a default Access Control List (ACL) for all URL cache and IIS publishing directories (such as C:\Winnt\System32\Inetsrv\Wwwroot) on the Microsoft Proxy Server to allow Read Access for Everyone.
Do not use network drive mappings.
Network drive mappings to other remote servers on your internal network should not be used. This is critically important if you are also using the same computer for Microsoft Proxy Server and for Web publishing with IIS.
Avoid publishing with active scripts or input forms.
If you choose to combine external Web publishing with Microsoft Proxy Server, it is better to avoid using active HTML-based scripts when publishing Web documents. Active HTML-based scripts can include any Common Gateway Interface (CGI), Visual Basic (VB), ActiveX, or Java scripts or forms that are used in your Web publishing. If scripts are used in Web publishing, be sure that Windows NT File System (NTFS) partitions are used to secure script directories.
Enable auditing of all system and critical directories for server volumes.
For more information on setting up auditing of Microsoft Proxy Server server volumes, see Server Administration.
You can use the copy of IIS that is on the same computer as Microsoft Proxy Server to publish to private network clients with no effect on gateway security.
© 1996 by Microsoft Corporation. All rights reserved.