Proxy Server 2.0 Release Notes

Last reviewed: October 23, 1997
Article ID: Q174922
The information in this article applies to:
  • Microsoft Proxy Server version 2.0

**********************************************************************

           Microsoft(R) Proxy Server 2.0 Release Notes
                         September 1997
**********************************************************************
          (c)1997 Microsoft Corporation. All rights reserved.

Please review this entire document before you install Microsoft Proxy Server version 2.0. It contains important information about installing and using Proxy Server, and it supplements the on-line documentation that is installed with the product.

CONTENTS

* Software Requirements
* Internet Information Server Fix
* Internet Explorer 3.02, Script Routing & NTLM
* Internet Explorer 3.x, NTLM, & SSL
* Display Not Synchronized When Viewing Documentation On-Line
* Installing Internet Information Server 4.0 With Proxy Server
* Proxy Server With Single Network Adapter Configuration
* Client Configuration Dialog Box
* Starting and Stopping the Socks Proxy Service
* NetBIOS Packet Filtering Issues
* WinSock Proxy Domain Filters
* Enabling Passive FTP For Web Proxy
* Server Proxy Issues For Using Exchange With DNS
* Packet Filtering Slows Performance if server uses Identd
* Additional Notes On Configuring Packet Filters
* Administering Arrays
* Registry Entries for Arrays
* Registry Entry for Disabling Socks Proxy
* Remote Use Of System Services With WinSock Proxy
* Setting Autodisconnect for Auto Dial
* Web Browsers That Support SOCKS v4.3 Do Not Proxy DNS Lookups
* Using Routing and Remote Access Service (RRAS)
* Logging to an Access Database
* Acknowledgments

SOFTWARE REQUIREMENTS

The following components must already be installed on the server computer before you install Proxy Server 2.0:

* Microsoft Windows NT(R) Server version 4.0 or later
* Microsoft Internet Information Server version 3.0 or later
* Service Pack 3 or later for Microsoft Windows NT Server 4.0

INTERNET INFORMATION SERVER FIX

There is a bug in Microsoft Internet Information Server Version 3.0 that can cause the Web service to abnormally terminate. You should download and install the software fix on any computer that runs IIS and/or Microsoft Proxy Server. You can use your browser to connect to:

ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/nt40/hotfixes-postSP3/iis-fix/

For more information on this IIS issue, read the Q143484.txt file. For information on how to download and install the fix, read the readme.txt file.

INTERNET EXPLORER 3.02, SCRIPT ROUTING AND NTLM

When using Proxy's routing script with Internet Explorer version 3.02, NTLM authentication does not work properly. This is fixed in IE version 4.0.

INTERNET EXPLORER 3.X, NTCR, & SSL

When using some versions of Internet Explorer version 3.x with Microsoft Proxy Server, NTCR authentication does not work properly when accessing secure web sites (https://...). Please check IE information on the Microsoft Corporation Web page, or Microsoft Knowledge Base, etc. for an update on this issue.

DISPLAY NOT SYNCHRONIZED WHEN VIEWING DOCUMENTATION ON-LINE

Occasionally when viewing the on-line documentation, you may detect problems with the display topics being unsynchronized with a selected topic in the contents view. This problem has been reported during some installations, particularly where "Index" mode is used to view the table of contents. If you detect this problem, reselecting the topic appears to resolve the problem and refresh the display correctly.

To reselect a topic and refresh the display:

  1. Click a topic in the table of contents, then click "Display".
  2. In "Topics Found", double-click the topic.

Note: As an option, you may redisplay a topic in "Topics Found" by clicking it once and then clicking "Display."

INSTALLING INTERNET INFORMATION SERVER 4.0 WITH PROXY SERVER

Note: The information provided in this section is current for installing and using the Beta 3 release of Microsoft Internet Information Server (IIS) 4.0 with Microsoft Proxy Server. For possible changes between Beta 3 and the final release of IIS 4.0, review final release notes for IIS 4.0.

>>> Upgrading to IIS 4.0 with Microsoft Proxy Server 1.0

Before installing IIS 4.0, you must upgrade from MSP 1.0 to MSP 2.0. You can upgrade and install MSP 2.0 using an in-place upgrade directly over your previous installation of MSP 1.0. There is no need to uninstall MSP 1.0 prior to upgrading. In addition, MSP maintains prior server configuration settings, such as Access Control Lists (ACLs) and other settings, after the upgrade to MSP 2.0 is completed.

	
>>> Upgrading to IIS 4.0 with Microsoft Proxy Server 2.0

Once you upgrade to use IIS 4.0 on a server computer running MSP 2.0 and IIS 3.0, you will need to run MSP 2.0 setup again. This reinstallation is needed because IIS 4.0 installs Microsoft Proxy Server as a global ISAPI filter for all Web servers. Repeating MSP 2.0 setup configures Microsoft Proxy Server correctly, as a non-global filter of the IIS default Web service for the local server computer (or "localhost").

There is no need to uninstall MSP 2.0 prior to upgrading to IIS 4.0. Also, MSP 2.0 maintains prior settings, such as Access Control Lists (ACLs) and other configuration settings when in-place reinstallation of MSP 2.0 is completed.

>>> Verifying Authentication Settings After IIS 4.0 is Installed

After you have upgraded to IIS 4.0, you should verify that "Password Authentication" settings are maintained and correctly configured as you have chosen to use them in IIS 3.0.

For IIS 3.0, "Password Authentication" properties are set using the Internet Service Manager (ISM). To view or modify these settings using ISM, do the following:

  1. Double-click the computer name next to the "WWW service."

  2. Under "Password Authentication", note which methods are selected
     for use in authenticating users. The methods that can be optionally
     set include either "Allow Anonymous", "Basic (Clear Text)", or
     "Windows NT Challenge/Response".

  3. Click "OK" or "Cancel" to close this dialog.

For IIS 4.0, "Password Authentication" properties are set through use of Microsoft Management Console (MMC). To view or modify these settings using MMC, do the following:

  1. From the Start menu, select "Programs"-->"Microsoft Proxy Server"
     -->"Microsoft Management Console"

  2. In MMC, double-click the IIS root folder in the scope pane on the
     left to open and expand its contents.

  3. Double-click "Default Web Site" to open and expand its contents.

  4. Double-click "SCRIPTS" to open and expand its contents.

  5. Click "Proxy".

  6. Right-click and select "Properties".

  7. Click the "Directory Security" tab.

  8. In "Password Authentication", click "Edit".

  9. Verify password authentication settings are set correctly as
     previously configured for IIS 3.0 in the previous procedure
     using ISM.

Note: If you have Windows NT 4.0 Option Pack installed, you may also
      open the IIS management console as described in step 1 using
      the following alternate shortcut:

      From the Start menu, select "Programs"-->"Windows NT 4.0 Option
      Pack"-->"Microsoft Internet Information Server"-->"Internet
      Service Manager"
	  
PROXY SERVER WITH SINGLE NETWORK ADAPTER CONFIGURATION

You can run Microsoft Proxy Server on a computer with only a single internal network adapter, such as for a chained downstream configuration or a caching-only configuration. Since such a computer has a single IP address, the following considerations apply:

* Packet filtering cannot be enabled.

* It is advised that you either disable the WinSock Proxy service, or
   disable access control for the WinSock Proxy service if the Proxy
   Server computer is connected to the Internet.

CLIENT CONFIGURATION DIALOG BOX

There is a check box in the "Client Configuration" dialog box that is missing from the product's online documentation. This check box can be used to determine whether or not Web browsers use the Configuration URL to automatically download a client configuration script. The check box is "Configure Web browsers to use Automatic Configuration", and is located under "Automatically configure Web browser during client setup." By default, this feature is disabled.

In addition, the client configuration file, Mspclnt.ini, has an entry "Set Browsers to use Auto Config" in the [Common] section to support this feature.

STARTING AND STOPPING THE SOCKS PROXY SERVICE

In the on-line documentation, under "Administration"-->"Setting Server Parameters"-->"Configuring Auto Dial"-->"Restarting Services", the following command-line syntax is invalid:

  NET STOP | START SPSVC for the Socks Proxy service

Proxy Server's Web Proxy and Socks Proxy run within the WWW service of IIS. To stop or start these proxy services, use:

  NET STOP | START W3SVC

NETBIOS PACKET FILTERING ISSUES

By default, packet filtering is not enabled when Microsoft Proxy Server is installed. Where packet filtering is enabled, this section details recommended configuration options for secure and reliable operation of the proxy server depending on your need to allow or restrict NetBIOS traffic on the server's external network interface.

With packet filtering enabled on Microsoft Proxy Server, several predefined filters for NetBIOS are provided for your use. Depending on your need to support NetBIOS traffic on the server's external network interface, you may choose among the following ways to configure WINS client and NetBIOS packet filtering options for Microsoft Proxy Server:

* If NetBIOS traffic is not used or supported on the external network,
   the WINS client should be disabled in bindings for the server's
   external network adapter card. In addition, the predefined NetBIOS
   filters should NOT be activated.

* If NetBIOS traffic is used and supported on the external network,
   the WINS client can remain enabled by default in bindings or be
   disabled as needed.
   
In addition, where NetBIOS must be supported on the external network, activate the predefined NetBIOS filters for the following reasons:

* Where the WINS client is enabled for the server's external network
   interface, activate the predefined "NetBIOS (WINS client only)"
   filter to provide secure filtering of NetBIOS traffic by Microsoft
   Proxy Server between the internal and external networks.

* Where the WINS client is disabled for the server's external network
   interface, NetBIOS traffic is securely blocked from entering the
   internal network. This policy is in effect regardless of whether
   NetBIOS predefined filters are activated. However, if the NetBIOS
   predefined filters are not activated, the packet filter driver
   will detect any NetBIOS broadcast packets on the external network
   that are received on the server's external adapter card as a
   possible attack on the proxy server. Consequently, it will log
   each of these packets and possibly generate an alert. This results
   in system overhead, and reduction in the usefulness of the logging
   & alerting features. To avoid this situation, you can activate the
   "NetBIOS (All)" predefined packet filter to stop logging of these
   NetBIOS packets when NetBIOS traffic is expected on the external
   network.

WINSOCK PROXY DOMAIN FILTERS

In the on-line documentation, under "Administration"-->"Setting Security Parameters"-->"Domain Filters", the following note is incorrect:

  "To control WinSock Proxy access to Internet sites, create a filter 
   for both the domain and the IP address of the site. When a WinSock 
   application attempts to access an Internet site, it first converts 
   the domain name to the IP address, and then tries to access the 
   site by using the IP address. When the default filtering policy is 
   set to "Denied", the filters (which allow access) must be created 
   for both the domain name and IP address in order for access to that 
   site to succeed."

To control WinSock Proxy access to Internet sites, you only need to create a filter for the domain name. It is no longer necessary to create an additional domain filter for the IP address of an Internet site.

ENABLING PASSIVE FTP FOR WEB PROXY

FTP service can use two possible types of communication between the FTP server and its clients: passive FTP mode and non-passive FTP. Some FTP servers do not support both types.

* How "non-passive" (or traditional) FTP works

In "non-passive" FTP, the client connects to the server making a control channel. For each data operation, the client tells the server how to connect back to it, specifying the parameters for the data connection (data port, transfer mode, representation type, and structure). The server then uses these parameters to make the data channel.

This type of FTP communication is the same as the model for FTP specified in the Internet standard draft for FTP (RFC 959) and has been traditionally used on all TCP/IP networks in the past.

"Non-passive" FTP is required for all FTP service implementations and is by default the mode of FTP communication used by the Web Proxy service in Microsoft Proxy Server versions 1.0 and 2.0.

* How Passive FTP differs from "Non-passive" FTP

Passive FTP differs from "non-passive" FTP in that the client is responsible for making all connections with the server, including the initial connecting request and subsequent data channel connections. In this way, passive FTP provides some additional security to the client against malicious attack by an FTP server.
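The difference between the two modes is visible in the control-channel messages that set up each data connection. The following is an added example, not part of the original release notes: it decodes a PORT command and a 227 passive-mode reply in the RFC 959 host-port form and reports which side opens the data channel. The addresses, ports and function names are constructed for illustration.

```python
"""Who opens the FTP data channel: PORT ("non-passive") versus PASV (passive).

Added illustration, not from the release notes. Sample lines are constructed
and use documentation address ranges; all names here are illustrative.
"""
import re
from dataclasses import dataclass
from typing import Tuple


@dataclass(frozen=True)
class DataChannel:
    mode: str        # "non-passive" or "passive"
    initiator: str   # side that opens the TCP data connection
    listener: str    # side that waits for that connection
    host: str        # address the initiator connects to
    port: int        # port the initiator connects to


def decode_host_port(fields: str) -> Tuple[str, int]:
    """Decode the RFC 959 'h1,h2,h3,h4,p1,p2' form into (host, port)."""
    parts = [p.strip() for p in fields.split(",")]
    if len(parts) != 6 or not all(p.isdigit() for p in parts):
        raise ValueError("expected six comma-separated numbers: %r" % fields)
    nums = [int(p) for p in parts]
    if max(nums) > 255:
        raise ValueError("field larger than 255 in %r" % fields)
    # The port is sent as two bytes, high byte first.
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def from_port_command(line: str) -> DataChannel:
    """Client -> server: 'connect back to me at this address and port'."""
    m = re.fullmatch(r"PORT\s+(.+)", line.strip(), re.IGNORECASE)
    if not m:
        raise ValueError("not a PORT command: %r" % line)
    host, port = decode_host_port(m.group(1))
    return DataChannel("non-passive", "server", "client", host, port)


def from_pasv_reply(line: str) -> DataChannel:
    """Server -> client: 'I am listening here, you connect to me'."""
    m = re.match(r"227\b.*?(\d+(?:\s*,\s*\d+){5})", line.strip())
    if not m:
        raise ValueError("not a 227 passive-mode reply: %r" % line)
    host, port = decode_host_port(m.group(1))
    return DataChannel("passive", "client", "server", host, port)


def client_must_accept_inbound(channel: DataChannel) -> bool:
    """True when the client side has to accept a connection from the server."""
    return channel.listener == "client"


# Constructed control-channel lines.
SAMPLE_PORT = "PORT 192,0,2,10,4,1"
SAMPLE_PASV = "227 Entering Passive Mode (198,51,100,7,19,137)"

if __name__ == "__main__":
    for ch in (from_port_command(SAMPLE_PORT), from_pasv_reply(SAMPLE_PASV)):
        print("%-11s %s connects to %s:%d (inbound to client: %s)" % (
            ch.mode, ch.initiator, ch.host, ch.port,
            client_must_accept_inbound(ch)))
```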

Because passive FTP is used on some recently implemented FTP servers on the Internet, Microsoft Proxy Server 2.0 provides support through the Windows NT Registry to enable the Web Proxy service to use passive FTP mode if it is needed. You may also need to support passive FTP for the following reasons:

* You are using a firewall that cannot allow an inbound connection
   from the FTP server.

* You are using third-party FTP applications. Some applications are
   simpler to configure where passive FTP is used.

To enable Web Proxy support for passive FTP mode, the following registry key can be modified. The entry name, data type, and supported values are as follows:

* NonPassiveFTPTransfer is type REG_DWORD. The default value for this
   entry is 1, which uses Sendport (or "non-passive") FTP as the
   default transfer mode for FTP proxy.
   
If the entry is changed to 0, the Web Proxy service will support FTP proxy with servers that use passive FTP mode. Otherwise, the value should be left to its default value of 1.

This entry is installed by Microsoft Proxy Server to the following Windows NT Registry key path:

HKEY_LOCAL_MACHINE\SYSTEM
  \CurrentControlSet
    \Services
      \W3proxy
        \Parameters

You should exercise caution when making any changes to the Windows NT Registry.

Note: Passive FTP support is not an issue for the WinSock Proxy service which supports both passive and "non-passive" modes of FTP.

SERVER PROXY ISSUES FOR USING EXCHANGE AND DNS

Server proxy allows you to place a server, such as Microsoft Exchange Server using the Internet Mail Connector (IMC) on your private network behind Microsoft Proxy Server. With this configuration, an Exchange Server can provide Internet mail service by using the WinSock Proxy client and relying on features of Proxy Server 2.0 for protection. In addition, the Exchange Server computer will not require an additional registered Internet IP address.

* How Server Proxy Works

The WinSock Proxy Client allows you to bind services or applications to the external network interface of the server computer running Microsoft Proxy Server. Once a service or application is bound on the external network interface, it is then available to hosts on the Internet. The proxy server will then "listen" for connections on behalf of the service or application.

For example, if you bind an internal SMTP/POP mail server to the proxy server, mail clients or SMTP servers on the Internet would be able to contact this mail server by connecting to the proxy server's Internet IP address. To remote computers on the Internet, these services will appear to be running on the proxy server computer.

* Setting Up Server Proxy for Exchange Server

>>>To set up server proxy for Exchange Server 5.0:

  1. Install and configure Microsoft Proxy Server.

  2. Install and test the WinSock Proxy (WSP) Client on the Exchange
     Server computer by running a WinSock client application.

     Once the WSP Client is working, additional settings are required
     for server proxy on the Exchange Server. In most cases, you
     should create specific and local Wspcfg.ini files (instead of
     making changes in Mspclnt.ini) for the Exchange Server since
     these settings will not need to be globally applied to all WSP
     Client users on your network.

  3. Place the Wspcfg.ini file in the directory where the application
     *.Exe file is installed.

     Note: Since Exchange Server has more than one .exe file for
     Internet mail and each EXE needs to be bound to the proxy, more
     than one Wspcfg.ini file will be needed.

  4. Create a Wspcfg.ini file for use with the Exchange SMTP service.
     Add the information below to Wspcfg.ini and place this file in the
     directory where Msexcimc.exe is located.

     [MSEXCIMC]
     ServerBindTcpPorts=25
     Persistent=1
     KillOldSession=1

     Note: The SMTP port (25) on the Exchange Server will then be bound
     to the proxy server's port 25.

  5. Create a second Wspcfg.ini file for the Exchange store (Store.exe).
     Add the information below to this Wspcfg.ini and place the file in
     the directory where Store.exe is located.

     [STORE]
     ServerBindTcpPorts=110,119,143
     Persistent=1
     KillOldSession=1

     Note: Additional ports, such as ports 119 and 143 shown above, can
     be listed since Store.exe provides Network News Transfer Protocol
     (NNTP) on port 119, POP mail on port 110, etc.

  6. If dynamic packet filtering is enabled (recommended), the proxy
     server will dynamically open all necessary ports when they are
     requested. No special configuration is needed.

  7. Stop and start the Exchange services or reboot the Exchange Server
     for the new settings to take effect.

  8. You should now be able to contact the Exchange server by
     connecting to the proxy server's Internet IP address using SMTP,
     NNTP, or POP.
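Each ServerBindTcpPorts entry in the procedure above becomes a listener on the proxy server's Internet-facing address, so it is worth reviewing what the Wspcfg.ini files publish in total. The following is an added example, not Microsoft code: it reads Wspcfg.ini contents and reports any published port that is not on an approved list. The file labels, the approved list and the function names are hypothetical, and only the comma-separated port form shown in steps 4 and 5 is handled.

```python
"""Review the TCP ports that Wspcfg.ini files publish through server proxy.

Added illustration, not Microsoft code. File labels, the approved-port list
and all function names are hypothetical; the INI contents are the two files
from steps 4 and 5, reproduced as constructed sample input.
"""
import configparser
from typing import Dict, Iterable, List, Tuple

# Constructed sample input: label -> file contents.
SAMPLE_FILES = {
    "imc-dir/Wspcfg.ini": (
        "[MSEXCIMC]\n"
        "ServerBindTcpPorts=25\n"
        "Persistent=1\n"
        "KillOldSession=1\n"
    ),
    "store-dir/Wspcfg.ini": (
        "[STORE]\n"
        "ServerBindTcpPorts=110,119,143\n"
        "Persistent=1\n"
        "KillOldSession=1\n"
    ),
}


def server_bound_ports(ini_text: str) -> Dict[str, List[int]]:
    """Return {section: sorted ports} for every section that binds ports."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(ini_text)
    bound: Dict[str, List[int]] = {}
    for section in parser.sections():
        raw = parser.get(section, "ServerBindTcpPorts", fallback="")
        ports = set()
        for token in raw.split(","):
            token = token.strip()
            if not token:
                continue
            # Assumption: only plain port numbers, as in the page's examples.
            if not token.isdigit() or not 1 <= int(token) <= 65535:
                raise ValueError("[%s] bad port value %r" % (section, token))
            ports.add(int(token))
        if ports:
            bound[section] = sorted(ports)
    return bound


def unapproved_listeners(files: Dict[str, str],
                         approved: Iterable[int]) -> List[Tuple[str, str, int]]:
    """List (file, section, port) for each published port not approved."""
    allowed = set(approved)
    findings: List[Tuple[str, str, int]] = []
    for label, text in sorted(files.items()):
        for section, ports in sorted(server_bound_ports(text).items()):
            findings.extend((label, section, p) for p in ports
                            if p not in allowed)
    return findings


if __name__ == "__main__":
    # Hypothetical policy: only SMTP and POP are meant to be reachable.
    for label, section, port in unapproved_listeners(SAMPLE_FILES, {25, 110}):
        print("%s [%s] publishes unapproved TCP port %d" % (label, section, port))
```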
    
* Configuring DNS for Server Proxy with Exchange Server   	

  1. Verify that any MX and A resource records used by remote mail
     servers on the Internet refer to the IP address for the proxy
     server's external network adapter and not the internal IP
     address of the Exchange Server or SMTP server itself.

     For example, if your registered Internet domain name is
     "mydomain.com", and your internal Exchange server uses a DNS host
     name of "exchange1", you would need to use an MX, or mail
     exchanger, record to provide other Internet hosts the name of your
     internal Exchange server. In this case, an MX record added in
     the "mydomain.com" zone could provide this information as follows:

        mydomain.com IN MX 10 exchange1.mydomain.com

     You would then need to create an A, or address, record for
     "exchange1.mydomain.com" that uses an external IP address of the
     proxy server. If the external IP address of your proxy server
     were 127.34.56.89, you would add the following A record to the
     "mydomain.com" zone:

        exchange1.mydomain.com       IN A 127.34.56.89

     In addition, you can add or create a PTR, or pointer, record to
     the "mydomain.com" zone to provide reverse lookup. A valid PTR
     record to do this would be:

        89.56.34.127.in-addr.arpa   IN PTR exchange1.mydomain.com

  2. The Exchange/SMTP server computer must be configured to resolve
     external (Internet) names by directly accessing an 'external' DNS
     server.

     Specify a DNS server on the DNS server search listing of your
     Exchange/SMTP server computer that can resolve Internet DNS
     addresses.

     This DNS server can be a server located on your network, located
     on your Proxy Server gateway computer, or located externally on
     the Internet. The IP address of this DNS server must be listed
     on the same machine running Exchange Server that is used to route
     mail from your network to the Internet.

     You may assign the DNS server's IP address to the Exchange Server
     using either static or dynamic assignment. For static assignment,
     set the IP address by adding it to "DNS Service Search Order" in
     TCP/IP Protocol Properties. For dynamic assignment, configure your
     DHCP server to provide this address by way of the standard DHCP
     assigned option code 6 (DNS Server List) to your Exchange Server
     machine. (Note: if your Exchange Server uses DHCP to obtain its
     IP address, you should reserve this address with the DHCP server
     for permanent assignment to the Exchange Server computer.)
    
    
PACKET FILTERING SLOWS PERFORMANCE IF SERVER USES IDENTD

If packet filtering is enabled, outbound access to servers (SMTP, FTP, IRC, etc.) can suffer slow performance if the remote server on the external network is running the Identification protocol (Identd) service.

To correct performance problems in this situation, activate the predefined "Identd" packet filter on Microsoft Proxy Server.

ADDITIONAL NOTES ON CONFIGURING PACKET FILTERS

The "Local Host" selection box in Packet Filter properties is used to select the local host computer that will exchange packets with a remote host computer. When configuring the "Local Host" selection box in the Packet Filter properties dialog box, please note the following:

* To allow any IP address assigned to an external interface of the
   Proxy Server computer to exchange packets, click "Specific Proxy
   IP" and enter 0.0.0.0 for the IP address.

* Also, if the "Internal computer" field in the same dialog is
   selected, the IP address entered in this field should be excluded
   from the proxy server's Local Address Table (LAT).

   For more information on how to change the LAT, see "Administration"
   -->"Setting Server Parameters"-->"Changing the LAT" in the on-line
   documentation.
    
    
ADMINISTERING ARRAYS

You should only administer one member of an array at a time. This ensures that array synchronization performs correctly and is simpler from an administrative standpoint.

REGISTRY ENTRIES FOR ARRAYS

There are two registry keys for Proxy Server that you can create that are not documented. These keys can be used to change the default ping timeout value and the number of communication attempts used in an array. The entry names, data types, and default values are as follows:

* MaxPingTries is type REG_DWORD. The default value when this entry
   is absent is 3.

* PingTimeout is type REG_DWORD. The default value when this entry is
   absent is 500 (milliseconds).

You can create these entries using the Registry Editor. The entries must be installed to the following Windows NT Registry key path:

HKEY_LOCAL_MACHINE\SYSTEM
  \CurrentControlSet
    \Services
      \Mspadmin
        \Parameters

You should exercise caution when making any changes to the Windows NT Registry.

REGISTRY ENTRY FOR DISABLING SOCKS PROXY

The following registry key can be modified for Microsoft Proxy Server to disable the Socks Proxy service if Socks service is not used on your network.

The entry name, data type, and supported values are as follows:

* SocksServiceEnabled is type REG_DWORD. The default value for this
   entry is 1, which is enabled. A value of 0 indicates the service
   is disabled.

If the entry is changed to 0, the Socks Proxy service is fully disabled on the server computer. Microsoft Proxy Server will not start the Socks Proxy service automatically at system boot. Also, the service cannot be started manually using Microsoft Proxy Server administrative tools (such as Internet Service Manager or Remotmsp.exe) until the value is reset to a value of 1.

This entry is installed by Microsoft Proxy Server to the following Windows NT Registry key path:

HKEY_LOCAL_MACHINE\SYSTEM
  \CurrentControlSet
    \Services
      \W3proxy
        \Parameters
          \Socks

You should exercise caution when making any changes to the Windows NT Registry.

REMOTE USE OF SYSTEM SERVICES WITH WINSOCK PROXY

In general, most Windows NT system services are disabled from remote use by WinSock Proxy when Microsoft Proxy Server is installed. If you are attempting to proxy a system service application, you may have problems establishing a remote WinSock Proxy connection if the service was started prior to the NtLmSsp service during system boot.

If you are attempting to use a Windows NT system service to access the Internet or another external network, be sure that the NtLmSsp service is started first. You may either adjust the order in which the service starts automatically during system boot to start after the NtLmSsp service has started, or manually start the service after the boot process is complete and the NtLmSsp service has already started.

Another solution is to use the SC.EXE utility included in the Windows NT Resource Kit to make the service that you want 'remoted' be dependent on the NtLmSsp service.

To create a service dependency, use the following command:

  SC \\MyMachineName CONFIG MyServiceName DEPEND= ntlmssp

(Don't omit the space after the =.)

To query a service dependency:

  SC \\MyMachineName QC MyServiceName

SETTING AUTODISCONNECT FOR AUTO DIAL

When using either Remote Access Service (RAS) or Routing and Remote Access Service (RRAS) for automated dial-up with Auto Dial, the following procedure should be used for applying dial-up connection settings that determine when a connection automatically disconnects after remaining idle.

To set autodisconnect properly for a RAS or RRAS phonebook entry:

  1. Locate the phonebook file (typically, this file is located in
     %SystemRoot%\System32\Ras\Rasphone.pbk) and open it using a
     text editor, such as Notepad.

  2. Find the section specific to the dialing entry used for Auto
     Dial connection by Microsoft Proxy Server. (Note: each section in
     the phonebook file has a separate heading in the form of
     [Phonebook Entry].)

  3. Find the value for "IdleDisconnectSeconds". In most cases, the
     value is typically set to 0. Increase the value to a number of
     seconds of your choosing that will be used to timeout and
     automatically disconnect if the line remains idle.

  4. Check to see if an option for "OverridePref" is included in the
     dialing entry section. If this option exists, set the value to 4.
     (Note: if this value does not exist, do not add it.)

  5. Save the file, Rasphone.pbk, and close your text editor
     application.

Note: There is no need to reboot after applying the previous changes. RAS or RRAS will use your revised settings the next time dialing occurs.
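Steps 2 through 4 of the procedure above can also be applied as a scripted edit. The following is an added example, not part of the original release notes: it changes IdleDisconnectSeconds in one named entry, sets OverridePref to 4 only where that line already exists, and leaves every other line untouched. The phonebook text, entry names and the PhoneNumber key are constructed sample input, and the function name is hypothetical.

```python
"""Apply the IdleDisconnectSeconds / OverridePref edit to one phonebook entry.

Added illustration, not from the release notes. The sample phonebook text,
its entry names and the PhoneNumber key are constructed; the function name
is hypothetical. Work on a copy of Rasphone.pbk when using this on real data.
"""
import re

SECTION_RE = re.compile(r"^\[([^\]]+)\]\s*$")
KEY_RE = re.compile(r"^([^=\r\n]+)=([^\r\n]*)(\r?\n?)$")

# Constructed sample: one entry with OverridePref, one without.
SAMPLE_PBK = (
    "[ISP Auto Dial]\r\n"
    "PhoneNumber=5550100\r\n"
    "IdleDisconnectSeconds=0\r\n"
    "OverridePref=0\r\n"
    "\r\n"
    "[Branch Office]\r\n"
    "PhoneNumber=5550101\r\n"
    "IdleDisconnectSeconds=0\r\n"
)


def set_idle_disconnect(pbk_text: str, entry: str, seconds: int) -> str:
    """Return pbk_text with the idle timeout set for the named entry only."""
    if seconds <= 0:
        raise ValueError("seconds must be a positive number")
    out = []
    current = None
    entry_seen = idle_seen = False
    # keepends=True preserves each line's original terminator (CRLF or LF).
    for line in pbk_text.splitlines(keepends=True):
        heading = SECTION_RE.match(line.rstrip("\r\n"))
        if heading:
            current = heading.group(1)
            entry_seen = entry_seen or current == entry
        elif current == entry:
            kv = KEY_RE.match(line)
            if kv:
                name = kv.group(1).strip().lower()
                if name == "idledisconnectseconds":
                    line = "%s=%d%s" % (kv.group(1), seconds, kv.group(3))
                    idle_seen = True
                elif name == "overridepref":
                    # Step 4: change it only if present, never add it.
                    line = "%s=4%s" % (kv.group(1), kv.group(3))
        out.append(line)
    if not entry_seen:
        raise KeyError("no [%s] entry in phonebook" % entry)
    if not idle_seen:
        raise KeyError("[%s] has no IdleDisconnectSeconds line" % entry)
    return "".join(out)


if __name__ == "__main__":
    print(set_idle_disconnect(SAMPLE_PBK, "ISP Auto Dial", 600))
```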

In general, it is recommended that you disable WINS client bindings for the dial-up adapter when using Auto Dial with Microsoft Proxy Server. If you require the use of NetBIOS on the dial-up adapter and decide not to disable bindings on the dial-up adapter for WINS client, you will also need to stop the computer's Browser service.

To stop the Browser service, use the following two commands:

  NET STOP BROWSER
  NET CONFIG SRV /HIDDEN

Also, you will need to disable the Computer Browser to prevent the service from restarting when the computer is rebooted.

To disable the Computer Browser service:

  1. Open Control Panel, select Services.
  2. Click "Services."
  3. Select "Computer Browser" from the list of services.
  4. Click "Startup."
  5. In "Startup Type", click "Disabled", then click "OK."
  6. Click "Close."
    	 
    
WEB BROWSERS THAT SUPPORT SOCKS V4.3 DO NOT PROXY DNS LOOKUPS

In the on-line documentation, under "Administration"-->"Administering Clients"-->"Configuring Web Proxy Client Applications", the following note text is incorrect:

"Note: The Socks Proxy service supports the SOCKS 4.3a standard, which specifies name resolution. Web browsers do not use this feature. They require instead that name resolution of Internet addresses is available on the client computer. If you are running a Web browser as a Socks client on a non-Windows client platform, you need to provide a DNS proxy server to your clients for name resolution. The DNS proxy server resolves names by forwarding client requests to a server on the Internet."

It should be corrected to read:

"The Socks Proxy service supports the SOCKS 4.3a standard, which specifies name resolution. Many Web browsers, including Microsoft Internet Explorer 3.02 and 4.0 and Netscape Navigator 3.0 do not use this feature. Instead, these browser applications, when configured to use a Socks server, require that DNS name resolution of Internet addresses be available on the client computer."

"If you are running one of these Web browser applications as a Socks client on a non-Windows client platform, you need to provide a DNS server for these clients to use for their resolution of external DNS names. In this situation, there are two possible methods for implementing DNS service for these clients:"

"1) Install a DNS server, such as Microsoft DNS Server, on the proxy
    server computer. You can then configure TCP/IP or DNS properties
    on your Socks client machines to point at the internal IP address
    of the proxy server as one of their listed DNS servers. This
    is the recommended configuration for providing DNS service to
    Socks clients on your internal network."

"2) As an alternative, you may point Socks clients towards a DNS
    server on your internal network that has been enabled to provide
    forwarding to the Internet for DNS name resolution. This
    configuration is not recommended as it requires that Microsoft
    Proxy Client software first be installed on your internal DNS
    server, and may require additional reconfiguration of your
    internal DNS server to use forwarding to an external DNS server
    on the Internet."
    
    
USING ROUTING AND REMOTE ACCESS SERVICE (RRAS)

Routing and Remote Access Service (RRAS) can be used along with Microsoft Proxy Server to provide a secure enterprise internetworking solution.

>>> Required RRAS hotfix

In order to run RRAS and Proxy Server v2.0 on the same computer, you must install a required RRAS hotfix. This hotfix resolves issues associated with reliable, secure integration between RRAS and Proxy.

    To download the corrected file connect to:

    http://www.microsoft.com/proxy/fix/rras_0.htm

    >>> Recommended configurations

    This section addresses several common configurations and outlines recommended configurations for interworking both RRAS and MSP 2.0 on your network.

    * Departmental server running RRAS and MSP 2.0

    A departmental server on an internal network (typically with only one network interface) should have packet filtering turned off.

    * Edge server connecting to the Internet running RRAS and MSP 2.0

    This configuration involves the MSP 2.0 server computer using two network interfaces (one internal, one external). For the internal interface, a network adapter card is needed. For the external interface, either a network adapter card or a modem can be used.

    An edge server in this configuration should have MSP packet filtering turned on with MSP 2.0 predefined packet filters activated with no additional custom packet filters configured.

    * Edge server with "Extranet" or barrier LAN segment

    An edge server in this configuration requires a third network adapter to be installed on the MSP 2.0 server computer to interface to the Extranet LAN segment (sometimes referred to as a DMZ network). The Local Address Table (LAT) on the server must not include IP addresses used on the Extranet LAN.
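
    One way to check the LAT rule above before putting an edge server into service, as an added Python example that is not part of Proxy Server or its documentation. It assumes the LAT is available as a list of first/last address pairs; the function names and sample ranges are constructed.

```python
import ipaddress


def lat_conflicts(lat_ranges, extranet_subnets):
    """Return (lat_range, extranet_subnet) pairs that overlap."""
    conflicts = []
    for first, last in lat_ranges:
        lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
        if lo > hi:
            raise ValueError(f"LAT range is reversed: {first} {last}")
        for subnet in extranet_subnets:
            net = ipaddress.IPv4Network(subnet)
            # Two closed intervals overlap when each starts before the other ends.
            if lo <= net.broadcast_address and net.network_address <= hi:
                conflicts.append(((first, last), subnet))
    return conflicts


def lat_without_extranet(lat_ranges, extranet_subnets):
    """Return the LAT ranges with every Extranet address carved out."""
    ranges = [(int(ipaddress.IPv4Address(a)), int(ipaddress.IPv4Address(b)))
              for a, b in lat_ranges]
    for subnet in extranet_subnets:
        net = ipaddress.IPv4Network(subnet)
        lo, hi = int(net.network_address), int(net.broadcast_address)
        kept = []
        for a, b in ranges:
            if b < lo or a > hi:      # no overlap, keep the range unchanged
                kept.append((a, b))
                continue
            if a < lo:                # part below the Extranet subnet survives
                kept.append((a, lo - 1))
            if b > hi:                # part above the Extranet subnet survives
                kept.append((hi + 1, b))
        ranges = kept
    return [(str(ipaddress.IPv4Address(a)), str(ipaddress.IPv4Address(b)))
            for a, b in ranges]


# Constructed sample: the second LAT range wrongly covers the Extranet LAN.
SAMPLE_LAT = [("10.0.0.0", "10.255.255.255"), ("192.168.0.0", "192.168.255.255")]
SAMPLE_EXTRANET = ["192.168.50.0/24"]

if __name__ == "__main__":
    print(lat_conflicts(SAMPLE_LAT, SAMPLE_EXTRANET))
    print(lat_without_extranet(SAMPLE_LAT, SAMPLE_EXTRANET))
```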

    Typically, routing is enabled between the external network and the Extranet LAN, and computers on the Extranet network with registered IP addresses can communicate directly with Internet computers. RRAS can be used to configure routing for each Interface.

    All communication between the Extranet LAN and the internal network should be done using Microsoft Proxy Server services (Web Proxy, WinSock Proxy, Socks Proxy). Where this configuration is applied, WinSock servers can also be remoted by means of configuration in the Wspcfg.ini file using application-specific settings.

    For more information on configuring these settings, see "Administration"-->"Administering Clients"-->"Configuring WinSock Proxy Client Applications" in the on-line documentation.

    Note: As an alternative, you can use RRAS instead for communication between the internal LAN and the Extranet LAN segments. This can be done by way of "Enabling IP Forwarding", eliminating the need to use MSP 2.0 services for proxy communication. However, this configuration is not preferred.

    LOGGING TO AN ACCESS DATABASE

    In the on-line documentation, under "Administration"-->"Configuring Logs"-->"Logging to a Database", there is an error in the description of creating an Access Table. Here are the updated instructions:

    >>> Creating an Access Database Table

    You can use the database template files, Msp.sql and Pf.sql, to create a database table in Microsoft SQL Server or Microsoft Access. In order to create a database table in Microsoft Access using a database template file, implement the following procedure:

    1. Rename the database template file with a TXT file extension and
       open the file in a text editor, such as Microsoft Notepad. The
       database template files are located in:

       %systemroot%\help\proxy\misc.
    2. Start Access and open the database you previously created for
       Proxy Server logging.
    3. On the "Queries" tab, click "New" to create a new query.
    4. In the "New Query" dialog box, click "Design View", and then
       click "OK."
    5. Click close on the "Show Table" dialog.
    6. Click "SQL View" on the View menu, and then delete any text
       present in "Query."
    7. Copy and paste the entire contents of the file previously opened
       in Notepad in "Query", click "Save" and then click "OK."
    8. Double-click the query you just saved. Click "Yes" in any pop-up
       message boxes.


    Rename the Access table to use it with a particular Proxy Server service.

    ACKNOWLEDGMENTS

    Information in this document is subject to change without notice. Companies, names, and data used in examples herein are fictitious unless otherwise noted. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Microsoft. Permission to print one copy for personal use is hereby granted if your only means of access is electronic.

    Microsoft may have patents or pending patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. The furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property rights except as expressly provided in any written license agreement from Microsoft.

    (c)1997 Microsoft Corporation. All rights reserved.

    Microsoft, MS, Windows, and Windows NT are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

    Other product and company names mentioned herein may be the trademarks of their respective owners.


    Additional query words: readme .txt
    Keywords : kbreadme
    Version : 2.00
    Platform : winnt
    Hardware : ALPHA x86

