Proxy Server 2.0 Release Notes

 Last reviewed: October 23, 1997
Article ID: Q174922
The information in this article applies to:
  • Microsoft Proxy Server version 2.0

********************************************************************** 

           Microsoft(R) Proxy Server 2.0 Release Notes
                         September 1997
********************************************************************** 
          (c)1997 Microsoft Corporation. All rights reserved.
Please review this entire document before you install Microsoft Proxy Server version 2.0. It contains important information about installing and using Proxy Server, and it supplements the on-line documentation that is installed with the product.

CONTENTS

* Software Requirements * Internet Information Server Fix * Internet Explorer 3.02, Script Routing & NTLM * Internet Explorer 3.x, NTLM, & SSL * Display Not Synchronized When Viewing Documentation On-Line * Installing Internet Information Server 4.0 With Proxy Server * Proxy Server With Single Network Adapter Configuration * Client Configuration Dialog Box * Starting and Stopping the Socks Proxy Service * NetBIOS Packet Filtering Issues * WinSock Proxy Domain Filters * Enabling Passive FTP For Web Proxy * Server Proxy Issues For Using Exchange With DNS * Packet Filtering Slows Performance if server uses Identd * Additional Notes On Configuring Packet Filters * Administering Arrays * Registry Entries for Arrays * Registry Entry for Disabling Socks Proxy * Remote Use Of System Services With WinSock Proxy * Setting Autodisconnect for Auto Dial * Web Browsers That Support SOCKS v4.3 Do Not Proxy DNS Lookups * Using Routing and Remote Access Service (RRAS) * Logging to an Access Database * Acknowledgments

SOFTWARE REQUIREMENTS

The following components must already be installed on the server computer before you install Proxy Server 2.0:

* Microsoft Windows NT(R) Server version 4.0 or later * Microsoft Internet Information Server version 3.0 or later * Service Pack 3 or later for Microsoft Windows NT Server 4.0

INTERNET INFORMATION SERVER FIX

There is a bug in Microsoft Internet Information Server Version 3.0 that can cause the Web service to abnormally terminate. You should download and install the software fix on any computer that runs IIS and/or Microsoft Proxy Server. You can use your browser to connect to:

ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/nt40/ hotfixes-postSP3/iis-fix/

For more information on this IIS issue, read the Q143484.txt file. For information on how to download and install the fix, read the readme.txt file.

INTERNET EXPLOER 3.02, SCRIPT ROUTING AND NTLM

When using Proxy's routing script with Internet Explorer version 3.02, NTLM authentication does not work properly. This is fixed in IE version 4.0.

INTERNET EXPLORER 3.X, NTCR, & SSL

When using some versions of Internet Explorer version 3.x with Micro- soft Proxy Server, NTCR authentication does not work properly when accessing secure web sites (https://...). Please check IE information on the Microsoft Corporation Web page, or Microsoft Knowledge Base, etc. for an update on this issue.

DISPLAY NOT SYNCHRONIZED WHEN VIEWING DOCUMENTATION ON-LINE

Occasionally when viewing the on-line documentation, you may detect problems with the display topics being unsynchronized with a selected topic in the contents view. This problem has been reported during some installations, particularly where "Index" mode is used to view the table of contents. If you detect this problem, reselecting the topic appears to resolve the problem and refresh the display correctly.

To reselect a topic and refresh the display:

  1. Click a topic in the table of contents, then click "Display".
2. In "Topics Found", double-click the topic.

Note: As an option, you may redisplay a topic in "Topics Found" by clicking it once and then clicking "Display."

INSTALLING INTERNET INFORMATION SERVER 4.0 WITH PROXY SERVER

Note: The information provided in this section is current for installing and using the Beta 3 release of Microsoft Internet Information Server (IIS) 4.0 with Microsoft Proxy Server. For possible changes between Beta 3 and the final release of IIS 4.0, review final release notes for IIS 4.0.

>>> Upgrading to IIS 4.0 with Microsoft Proxy Server 1.0

Before installing IIS 4.0, you must upgrade from MSP 1.0 to MSP 2.0. You can upgrade and install MSP 2.0 using an in-place upgrade directly over your previous installation of MSP 1.0. There is no need to uninstall MSP 1.0 prior to upgrading. In addition, MSP maintains prior server configuration settings, such as Access Control Lists (ACLs) and other settings, after the upgrade to MSP 2.0 is completed.
>>> Upgrading to IIS 4.0 with Microsoft Proxy Server 2.0

Once you upgrade to use IIS 4.0 on a server computer running MSP 2.0 and IIS 3.0, you will need to run MSP 2.0 setup again. This rein- stallation is needed because IIS 4.0 installs Microsoft Proxy Server as a global ISAPI filter for all Web servers. Repeating MSP 2.0 setup configures Microsoft Proxy Server correctly, as a non-global filter of the IIS default Web service for the local server computer (or "localhost").

There is no need to uninstall MSP 2.0 prior to upgrading to IIS 4.0. Also, MSP 2.0 maintains prior settings, such as Access Control Lists (ACLs) and other configuration settings when in-place reinstallation of MSP 2.0 is completed.

>>>Verifying Authentication Settings After IIS 4.0 is Installed

After you have upgraded to IIS 4.0, you should verify that "Password Authentication" settings are maintained and correctly configured as you have chosen to use them in IIS 3.0.

For IIS 3.0, "Password Authentication" properties are set using the Internet Service Manager (ISM). To view or modify these settings using ISM, do the following:

  1. Double-click the computer name next to the "WWW service."

  2. Under "Password Authentication", note which methods are selected 

        for use in authenticating users.  The methods that can be option-
    ally set include either "Allow Anonymous", "Basic (Clear Text)", or "Windows NT Challenge/Response".

  3. Click "OK" or "Cancel" to close this dialog.

For IIS 4.0, "Password Authentication" properties are set through use of Microsoft Management Console (MMC). To view or modify these settings using MMC, do the following:

  1. From the Start menu, select "Programs"-->"Microsoft Proxy Server" 

        -->"Microsoft Management Console"

  2. In MMC, double-click the IIS root folder in the scope pane on the 

        left to open and expand its contents.

  3. Double-click "Default Web Site" to open and expand its contents.

  4. Double-click "SCRIPTS" to open and expand its contents.

  5. Click "Proxy".

  6. Right-click and select "Properties".

  7. Click the "Directory Security" tab.

  8. In "Password Authentication", click "Edit".

  9. Verify password authentication settings are set correctly as 

        previously configured for IIS 3.0 in the previous procedure
    using ISM.
Note: If you have Windows NT 4.0 Option Pack installed, you may also 
      open the IIS management console as described in step 1 using a
	  the following alternate shortcut:
	  
	  From the Start menu, select "Programs"-->"Windows NT 4.0 Option 
	  Pack"-->"Microsoft Internet Information Server"-->"Internet 
	  Service Manager"
PROXY SERVER WITH SINGLE NETWORK ADAPTER CONFIGURATION

You can run Microsoft Proxy Server on a computer with only a single internal network adapter, such as for a chained downstream configura- tion or a caching-only configuration. Since such a computer has a single IP address, the following considerations apply:

* Packet filtering cannot be enabled. * It is advised that you either disable the WinSock Proxy service, or 

   disable access control for the WinSock Proxy service if the Proxy 
   Server computer is connected to the Internet.
CLIENT CONFIGURATION DIALOG BOX

There is a check box in the "Client Configuration" dialog box that is missing from the product's online documentation. This check box can be used to determine whether or not Web browsers use the Configuration URL to automatically download a client configuration script. The check box is "Configure Web browsers to use Automatic Configuration", and is located under "Automatically configure Web browser during client setup." By default, this feature is disabled.

In addition, the client configuration file, Mspclnt.ini, has an entry "Set Browsers to use Auto Config" in the [Common] section to support this feature.

STARTING AND STOPPING THE SOCKS PROXY SERVICE

In the on-line documentation, under "Administration"-->"Setting Server Parameters"-->"Configuring Auto Dial" -> "Restarting Services", the following command-line syntax is invalid: 

  NET STOP | START SPSVC for the Socks Proxy service
Proxy Server's Web Proxy and Socks Proxy run within the WWW service of IIS. To stop or start these proxy services, use: 

  NET STOP | START W3SVC
NETBIOS PACKET FILTERING ISSUES

By default, packet filtering is not enabled when Microsoft Proxy Server is installed. Where packet filtering is enabled, this section details recommended configuration options for secure and reliable operation of the proxy server depending on your need to allow or restrict NetBIOS traffic on the server's external network interface.

With packet filtering enabled on Microsoft Proxy Server, several pre- defined filters for NetBIOS are provided for your use. Depending on your need to support NetBIOS traffic on the server's external network interface, you may choose among the following ways to configure WINS client and NetBIOS packet filtering options for Microsoft Proxy Server:

* If NetBIOS traffic is not used or supported on the external net- 

   work, the WINS client should be disabled in bindings for the 
   server's external network adapter card.  In addition, the prede-
   fined NetBIOS filters should NOT be activated.
* If NetBIOS traffic is used and supported on the external network, 
   the WINS client can remain enabled by default in bindings or be 
   disabled as needed.
In addition, where NetBIOS must be supported on the external network, activate the predefined NetBIOS filters for the following reasons:

* Where the WINS client is enabled for the server's external network 

   interface, activate the predefined "NetBIOS (WINS client only)" 
   filter to provide secure filtering of NetBIOS traffic by Microsoft 
   Proxy Server between the internal and external networks.
* Where the WINS client is disabled for the server's external net- 
   work interface, NetBIOS traffic is securely blocked from 
   entering the internal network.  This policy is in effect regard-
   less of whether NetBIOS predefined filters are activated. However, 
   if the NetBIOS predefined filters are not activated, the packet 
   filter driver will detect any NetBIOS broadcast packets on the 
   external network that are received on the server's external 
   adapter card as a possible attack on the proxy server. 
   Consequently, it will log each of these packets and possibly
   generate an alert. This results in system overhead, and reduction
   in the usefulness of the logging & alerting features. To avoid this 
   situation, you can activate the "NetBIOS (All)" predefined
   packet filter to stop logging of these NetBIOS packets when 
   NetBIOS traffic is expected on the external network.
WINSOCK PROXY DOMAIN FILTERS

In the on-line documentation, under "Administration"-->"Setting Security Parameters"-->"Domain Filters", the following note is incorrect: 

  "To control WinSock Proxy access to Internet sites, create a filter 
   for both the domain and the IP address of the site. When a WinSock 
   application attempts to access an Internet site, it first converts 
   the domain name to the IP address, and then tries to access the 
   site by using the IP address. When the default filtering policy is 
   set to "Denied", the filters (which allow access) must be created 
   for both the domain name and IP address in order for access to that 
   site to succeed."
To control WinSock Proxy access to Internet sites, you only need to create a filter for the domain name. It is no longer necessary to create an additional domain filter for the IP address of an Internet site.

ENABLING PASSIVE FTP FOR WEB PROXY

FTP service can use two possible types of communication between the FTP server and its clients: passive FTP mode and non-passive FTP. Some FTP servers do not support both types.

* How "non-passive"(or traditional) FTP works

In "non-passive" FTP, the client connects to the server making a control channel. For each data operation, the client tells the server how to connect back to it, specifying the parameters for the data connection (data port, transfer mode, representation type, and structure). The server then uses these parameters to make the data channel.

This type of FTP communication is the same as the model for FTP specified in the Internet standard draft for FTP (RFC 959) and has been traditionally used on all TCP/IP networks in the past.

"Non-passive" FTP is required for all FTP service implementations and is by default the mode of FTP communication used by the Web Proxy service in Microsoft Proxy Server versions 1.0 and 2.0.

* How Passive FTP differs from "Non-passive" FTP

Passive FTP differs from "non-passive" FTP in that the client is responsible for making all connections with server, including the initial connecting request and subsequent data channel connections. In this way, passive FTP provides some additional security to the client against malicious attack by an FTP server.

Because passive FTP is used on some recently implemented FTP servers on the Internet, Microsoft Proxy Server 2.0 provides support through the Windows NT Registry to enable the Web Proxy service to use passive FTP mode if it is needed. You may also need to support passive FTP for the following reasons:

* You are using a firewall that cannot allow an inbound connection 

   from the FTP server.
* You are using third-party FTP applications. Some applications are 
   simpler to configure where passive FTP is used.
To enable Web Proxy support for passive FTP mode, the following reg- istry key can be modified. The entry name, data type, and supported values are as follows:

* NonPassiveFTPTransfer is type REG_DWORD. The default value for this 

   entry is 1, which uses Sendport (or "non-passive") FTP as the 
   default transfer mode for FTP proxy.
If the entry is changed to 0, the Web Proxy service will support FTP proxy with servers that use passive FTP mode. Otherwise, the value should be left to its default value of 1.

This entry is installed by Microsoft Proxy Server to the following Windows NT Registry key path:

HKEY_LOCALMACHINE\SYSTEM 

  \CurrentControlSet
    \Services
      \W3proxy
        \Parameters
You should exercise caution when making any changes to the Windows NT Registry.

Note: Passive FTP support is not an issue for the WinSock Proxy service which supports both passive and "non-passive" modes of FTP.

SERVER PROXY ISSUES FOR USING EXCHANGE AND DNS

Server proxy allows you to place a server, such as Microsoft Exchange Server using the Internet Mail Connector (IMC) on your private network behind Microsoft Proxy Server. With this configuration, an Exchange Server can provide Internet mail service by using the WinSock Proxy client and relying on features of Proxy Server 2.0 for protection. In addition, the Exchange Server computer will not require an additional registered Internet IP address.

* How Server Proxy Works

The WinSock Proxy Client allows you to bind services or applications to the external network interface of the server computer running Microsoft Proxy Server. Once a service or application is bound on the external network interface, it is then available to hosts on the Internet. The proxy server will then "listen" for connections on behalf of the service or application.

For example, if you bind an internal SMTP/POP mail server to the proxy server, mail clients or SMTP servers on the Internet would be able to contact this mail server by connecting to the proxy server's Internet IP address. To remote computers on the Internet, these services will appear to be running on the proxy server computer.

* Setting Up Server Proxy for Exchange Server

>>>To set up server proxy for Exchange Server 5.0:

  1. Install and configure Microsoft Proxy Server.

  2. Install and test the WinSock Proxy (WSP) Client on the Exchange 

        Server computer by running a WinSock client application.


        Once the WSP Client is working, additional settings are required 
    for server proxy on the Exchange Server.  In most cases, you 
    should create specific and local Wspcfg.ini files (instead of 
    making changes in Mspclnt.ini) for the Exchange Server since 
    these settings will not need to be globally applied to all WSP 
    Client users on your network.
3. Place the Wspcfg.ini file in the directory where the application 
    *.Exe file is installed.  
    
    Note: Since Exchange Server has more than one .exe file for Inter-
	net mail and each EXE needs to be bound to the proxy, more than 
	one Wspcfg.ini file will be needed.
4. Create a Wspcfg.ini file for use with the Exchange SMTP service. 
    Add the information below to Wspcfg.ini and place this file in the 
    directory where Msexcimc.exe is located.  
    
    [MSEXCIMC]
    ServerBindTcpPorts=25
    Persistent=1
    KillOldSession=1
    
    Note: The SMTP port (25) on the Exchange Server will then be bound
    to the proxy server's port 25.
5. Create a second Wspcfg.ini file for the Exchange store (Store.exe). 
    Add the information below to this Wspcfg.ini and place the file in 
    the directory where Store.exe is located.  

    [STORE]
    ServerBindTcpPorts=110,119,143
    Persistent=1
    KillOldSession=1
    
    Note: Additional ports, such as ports 119 and 143 shown above, can
    be listed since Store.exe provides Network News Transfer Protocol 
    (NNTP) on port 119, POP mail on port 110, etc.
6. If dynamic packet filtering is enabled (recommended), the proxy 
    server will dynamically open all necessary ports when they are 
    requested.  No special configuration is needed.
7. Stop and start the Exchange services or reboot the Exchange Server 
    for the new settings to take effect.
8. You should now be able to contact the Exchange server by connect- 
    ing to the proxy server's Internet IP address using SMTP, NNTP, or
    POP.
    
* Configuring DNS for Server Proxy with Exchange Server

  • Verify that any MX and A resource records used by remote mail 

        servers on the Internet refer to the IP address for the proxy 
    server's external network adapter and not the internal IP 
    address of the Exchange Server or SMTP server itself.


        For example, if your registered Internet domain name is 
    "mydomain.com", and your internal Exchange server uses a DNS host 
    name of "exchange1", you would need to use an MX, or mail ex-
    changer, record to provide other Internet hosts the name of your 

        internal Exchange server.   In this case, an MX record added in 
    the "mydomain.com" zone could provide this information as follows:
	
       mydomain.com IN MX 10 exchange1.mydomain.com
	
    You would then need to create an A, or address, record for 
    "exchange1.mydomain.com" that uses an external IP address of the 
    proxy server.  If the external IP address of your proxy server 
    were 127.34.56.89, you would add the following A record to the 
    "mydomain.com" zone:
	
       exchange1.mydomain.com       IN A 127.34.56.89
	
    In addition, you can add or create a PTR, or pointer, record to 
    the "mydomain.com" zone to provide reverse lookup.  A valid PTR 
    record to do this would be:
	
       89.56.34.127.in-addr.arpa   IN PTR exchange1.mydomain.com  
    

    2.  The Exchange/SMTP server computer must be configured to resolve 

        external (Internet) names by directly accessing an 'external' DNS
    server.

    Specify a DNS server on the DNS server search listing of your 
    Exchange/SMTP server computer that can resolve Internet DNS 
    addresses.  
	
    This DNS server can be a server located on your network, located 
    on your Proxy Server gateway computer, or located externally on 
    the Internet. The IP address of this DNS server must be listed 
    on the same machine running Exchange Server that is used to route 
    mail from your network to the Internet. 
	
    You may assign the DNS server's IP address to the Exchange Server
    using either static or dynamic assignment.  For static assignment,
    set the IP address by adding it to "DNS Service Search Order" in 
    TCP/IP Protocol Properties. For dynamic assignment, configure your 
    DHCP server to provide this address by way of the standard DHCP 
    assigned option code 6 (DNS Server List) to your Exchange Server
    machine. (Note: if your Exchange Server uses DHCP to obtain its 
    IP address, you should reserve this address with the DHCP server 
    for permanent assignment to the Exchange Server computer.)


     
PACKET FILTERING SLOWS PERFORMANCE IF SERVER USES IDENTD 
 

    
If packet filtering is enabled, outbound access to servers (SMTP,
FTP, IRC, etc.) can suffer slow performance if the remote server on 
the external network is running the Identification protocol (Identd)
service.  

    
To correct performance problems in this situation, activate the pre-
defined "Identd" packet filter on Microsoft Proxy Server. 

    
 
ADDITONAL NOTES ON CONFIGURING PACKET FILTERS
 

    
The "Local Host" selection box in Packet Filter properties is used to 
select the local host computer that will exchange packets with a 
remote host computer. When configuring the "Local Host" selection box 
in the Packet Filter properties dialog box, please note the following:

    
*  To allow any IP address assigned to an external interface of the 

       Proxy Server computer to exchange packets, click "Specific Proxy 
   IP" and enter 0.0.0.0 for the IP address. 


    *  Also, if the "Internal computer" field in the same dialog is 

       selected, the IP address entered in this field should be excluded 
   from the proxy server's Local Address Table (LAT). 
   
   For more information on how to change the LAT, see "Administration"
   -->"Setting Server Parameters"-->"Changing the LAT" in the on-line 
   documentation.


     
ADMINISTERING ARRAYS
 

    
You should only administer one member of an array at a time. This 
ensures that array synchronization performs correctly and is simpler
from an administrative standpoint.

    
 
REGISTRY ENTRIES FOR ARRAYS
 

    
There are two registry keys for Proxy Server that you can create that 
are not documented. These keys can be used to change the default ping 
timeout value and the number of communication attempts used in an 
array. The entry names, data types, and default values are as follows:

    
*  MaxPingTries is type REG_DWORD. The default value when this entry 

       is absent is 3.


    *  PingTimeout is type REG_DWORD. The default value when this entry is

       absent is 500 (milliseconds).


    You can create these entries using the Registry Editor. The entries 
must be installed to the following Windows NT Registry key path:

    
HKEY_LOCALMACHINE\SYSTEM

      \CurrentControlSet
    \Services
      \Mspadmin
        \Parameters


    You should exercise caution when making any changes to the Windows NT 
Registry.

    
 
REGISTRY ENTRY FOR DISABLING SOCKS PROXY
 

    
The following registry key can be modified for Microsoft Proxy Server 
to disable the Socks Proxy service if Socks service is not used on 
your network.  

    
The entry name, data type, and supported values are as follows:

    
*  SocksServiceEnabled is type REG_DWORD. The default value for this 

       entry is 1, which is enabled. A value of 0 indicates the service 
   is disabled.
   

    If the entry is changed to 0, the Socks Proxy service is fully dis-
abled on the server computer.  Microsoft Proxy Server will not start 
the Socks Proxy service automatically at system boot. Also, the 
service cannot be started manually using Microsoft Proxy Server ad-
ministrative tools (such as Internet Service Manager or Remotmsp.exe)
until the value is reset to a value of 1. 

    
This entry is installed by Microsoft Proxy Server to the following 
Windows NT Registry key path:

    
HKEY_LOCALMACHINE\SYSTEM

      \CurrentControlSet
    \Services
      \W3proxy
        \Parameters
          \Socks


    You should exercise caution when making any changes to the Windows NT 
Registry.

    
 
REMOTE USE OF SYSTEM SERVICES WITH WINSOCK PROXY
 

    
In general, most Windows NT system services are disabled from remote 
use by WinSock Proxy when Microsoft Proxy Server is installed. If you 
are attempting to proxy a system service application, you may have 
problems establishing a remote WinSock Proxy connection if the 
service was started prior to the NtLmSsp service during system boot.

    
If you are attempting to use a Windows NT system service to access the 
Internet or another external network, be sure that the NtLmSsp service 
is started first.  You may either adjust the order in which the 
service starts automatically during system boot to start after the 
NtLmSsp service has started, or manually start the service after the 
boot process is complete and the NtLmSsp service has already started.

    
Another solution is to use the SC.EXE utility included in the Windows
NT Resource Kit to make the service that you want 'remoted' be
dependent on the NtLmSsp service:

    
To create a service dependency, use the following command:
SC \\MyMchineName CONFIG MyServiceName DEPEND= ntlmssp
(don't omit the space after the =)

    
To query a service dependency:
SC \\MyMachineName QC MyServiceName

    
 
SETTING AUTODISCONNECT FOR AUTO DIAL
 

    
When using either Remote Access Service (RAS) or Routing and Remote 
Access Service (RRAS) for automated dial-up with Auto Dial, the 
following procedure should be used for applying dial-up connection 
settings that determine when a connection automatically disconnects 
after remaining idle.

    
To set autodisconnect properly for a RAS or RRAS phonebook entry:


    1.  Locate the phonebook file (typically, this file is located in

          %SystemRoot%\System32\Ras\Rasphone.pbk) and open it using a 
    text editor, such as Notepad.
    

    2.  Find the section specific to the dialing entry used for Auto

        Dial connection by Microsoft Proxy Server.  (Note: each section in 
    the phonebook file has a separate heading in the form of 
    [Phonebook Entry].)
    

    3.  Find the value for "IdleDisconnectSeconds".  In most cases, the 

        value is typically set to 0.  Increase the value to a number of 
    seconds of your choosing that will be used to timeout and 
    automatically disconnect if the line remains idle.  
    

    4.  Check to see if an option for "OverridePref" is included in the 

        dialing entry section.  If this option exists, set the value to 4.
	(Note:  if this value does not exist, do not add it.)
    

    5.  Save the file, Rasphone.pbk, and close your text editor 

        application.
    

    Note: There is no need to reboot after applying the previous changes.  
RAS or RRAS will use your revised settings the next time dialing 
occurs.

    
In general, it is recommended that you disable WINS client bindings 
for the dial-up adapter when using Auto Dial with Microsoft Proxy
Server.  If you require the use of NetBIOS on the dial-up adapter and 
decide not to disable bindings on the dial-up adapter for WINS client, 
you will also need to stop the computer's Browser service.  

    
To stop the Browser service, use the following two commands:

    
NET STOP BROWSER
NET CONFIG SRV /HIDDEN

    
Also, you will need to disable the Computer Browser to prevent the 
service from restarting when the computer is rebooted.  

    
To disable the Computer Browser service:


    1.  Open Control Panel, select Services.

    2.  Click "Services."
3.  Select "Computer Browser" from the list of services.
4.  Click "Startup."
5.  In "Startup Type", click "Disabled", then click "OK."
6.  Click "Close."	 

    	 

     
WEB BROWSERS THAT SUPPORT SOCKS V4.3 DO NOT PROXY DNS LOOKUPS
 

    
In the on-line documentation, under "Administration"-->"Administering 
Clients"-->"Configuring Web Proxy Client Applications", the following 
note text is incorrect:

    
"Note: The Socks Proxy service supports the SOCKS 4.3a standard, which 
specifies name resolution. Web browsers do not use this feature. They 
require instead that name resolution of Internet addresses is avail-
able on the client computer. If you are running a Web browser as a 
Socks client on a non-Windows client platform, you need to provide a 
DNS proxy server to your clients for name resolution. The DNS proxy 
server resolves names by forwarding client requests to a server on 
the Internet." 

    
It should be corrected to read: 

    
"The Socks Proxy service supports the SOCKS 4.3a standard, which 
specifies name resolution. Many Web browsers, including Microsoft 
Internet Explorer 3.02 and 4.0 and Netscape Navigator 3.0 do not use 
this feature. Instead, these browser applications, when configured
to use a Socks server, require that DNS 
name resolution of Internet addresses be available on the client 
computer."

    
"If you are running one of these Web browser applications as a Socks 
client on a non-Windows client platform, you need to provide a DNS 
server for these clients to use for their resolution of external 
DNS names. In this situation, there are two possible methods for 
implementing DNS service for these clients:"

    
"1)  Install a DNS server, such as Microsoft DNS Server, on the proxy 

         server computer. You can then configure TCP/IP or DNS properties
     on your Socks client machines to point at the internal IP address
     of the proxy server as one of the their listed DNS servers. This 
     is the recommended configuration for providing DNS service to 
     Socks clients on your internal network."
    

    "2)  As an alternative, you may point Socks clients towards a DNS 

         server on your internal network that has been enabled to provide 
     forwarding to the Internet for DNS name resolution.  This config-
     uration is not recommended as it requires that Microsoft Proxy 
     Client software first be installed on your internal DNS server, 
     and may require additional reconfiguration of your internal DNS 
     server to use forwarding to an external DNS server on the Inter-
     net."     


     
USING ROUTING AND REMOTE ACCESS SERVICE (RRAS)
 

    
Routing and Remote Access Service (RRAS) can be used along with Micro-
soft Proxy Server to provide a secure enterprise internetworking 
solution. 

    

    
>>> Required RRAS hotfix

    
In order to run RRAS and Proxy Server v2.0 on the same computer, you
must install a required RRAS hotfix. This hotfix resolves issues 
associated with reliable, secure, integration between RRAS and Proxy.

    

    
In order to run RRAS and Proxy Server v2.0 on the same computer, you
must install a required RRAS hotfix. This hotfix resolves issues
associated with reliable, secure, integration between RRAS and Proxy.

    
To download the corrected file connect to:

    
http://www.microsoft.com/proxy/fix/rras_0.htm

    

    
>>> Recommended configurations

    
This section addresses several common configurations and 
outlines recommended configurations for interworking both RRAS and MSP 
2.0 on your network.

    
* Departmental server running RRAS and MSP 2.0

    
A departmental server on an internal network (typically with only one
network interface) should have packet filtering turned off.

    
* Edge server connecting to the Internet running RRAS and MSP 2.0

    
This configuration involves the MSP 2.0 server computer using either 
two network adapters (one for internal interface, one for the external
interface).  For the internal interface, a network adapter card is 
needed.  For the external interface, either a network adapter card or 
a modem can be used.

    
An edge server in this configuration should have MSP packet filtering 
turned on with MSP 2.0 predefined packet filters activated with no
additional custom packet filters configured. 

    
* Edge server with "Extranet" or barrier LAN segment

    
An edge server in this configuration requires a third network adapter
to be installed on the MSP 2.0 server computer to interface to the 
Extranet LAN segment (sometimes referred to as a DMZ network). 
The Local Address Table (LAT) on the server must
not include IP addresses used on the Extranet LAN. 

    
Typically, routing is enabled between the external network and the 
Extranet LAN, and computers on the Extranet network with registered 
IP addresses can communicate directly with Internet computers. RRAS 
can be used to configure routing for each Interface.

    
All communication between the Extranet LAN and the internal network 
should be done using Microsoft Proxy Server services (Web Proxy, 
WinSock Proxy, Socks Proxy). Where this configuration is applied, 
WinSock servers can also be remoted by means of configuration in the 
Wspcfg.ini file using application-specific settings.  

    
For more information on configuring these settings, see 
"Administration"-->"Administering Clients"-->"Configuring WinSock 
Proxy Client Applications" in the on-line documentation.

    
Note:  As an alternative, you can use RRAS instead for communication 
between the internal LAN and the Extranet LAN segments.  This can be
done by way of "Enabling IP Forwarding", eliminating the need to use 
MSP 2.0 services for proxy communication.  However, this configuration
is not preferred. 

    
 
Logging to an Access Database
 

    
In the on-line documentation, under "Administration"-->"Configuring
Logs"-->"Logging to a Database", there is an error in the description 
of creating an Access Table. Here are the updated instructions:

    

    
Creating an Access Database Table
 
You can use the database template files, Msp.sql and Pf.sql, to create 
a database table in Microsoft SQL Server or Microsoft Access.
In order to create a database table in Microsoft Access using a 
database template file, implement the following procedure:


    1.  Rename the database template file with a TXT file extension and 

          open the file in a text editor, such as Microsoft Notepad. The 
    database template files are located in:

      	  %systemroot%\help\proxy\misc.
	  

    2.  Start Access and open the database you previously created for 

        Proxy Server logging.
	

  •  On the "Queries" tab, click "New" to create a new query.


  •  In the "New Query" dialog box, , click "Design View", and then 

        click "OK."

    	

  •  Click close on the "Show Table" dialog.


  •  Click "SQL View" on the View menu, and then delete any text pre-

        sent in "Query."

    	

  •  Copy and paste the entire contents of the file previously opened 

        in Notepad in "Query", click "Save" and then click "OK."

    	

  •  Double-click the query you just saved. Click "Yes" in any pop-up 

        message boxes.

    
Rename the Access table to use it with a particular Proxy Server 
service. 

    
 
ACKNOWLEDGMENTS
 

    
Information in this document is subject to change without notice. 
Companies, names, and data used in examples herein are fictitious 
unless otherwise noted. No part of this document may be reproduced or
transmitted in any form or by any means, electronic or mechanical, for
any purpose, without the express written permission of Microsoft. 
Permission to print one copy for personal use is hereby granted if 
your only means of access is electronic.

    
Microsoft may have patents or pending patent applications, trademarks,
copyrights, or other intellectual property rights covering subject 
matter in this document. The furnishing of this document does not give
you any license to these patents, trademarks, copyrights, or other 
intellectual property rights except as expressly provided in any
written license agreement from Microsoft.

    
(c)1997 Microsoft Corporation. All rights reserved.

    
Microsoft, MS, Windows, and Windows NT are either registered 
trademarks or trademarks of Microsoft Corporation in the United States
and/or other countries.

    
Other product and company names mentioned herein may be the trademarks
of their respective owners.

    

	
	
    		• 
	
    

    

    






    

    

	
    


    


Additional query words: readme .txt
    
Keywords          : kbreadme
    
Version           : 2.00
    
Platform          : winnt
    
Hardware          : ALPHA x86
    

    
    

    

    
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND.  MICROSOFT DISCLAIMS
ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES
OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.  IN NO
EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR
ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL,
CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF
MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES.  SOME STATES DO NOT ALLOW THE EXCLUSION
OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES
SO THE FOREGOING LIMITATION MAY NOT APPLY.

    

    

    
	
	Last reviewed:  October 23, 1997
	
    
	© 1998 Microsoft Corporation. All rights reserved. Terms of Use.