Back To Basics: Troubleshooting Proxy Server 2.0 -- Part 2



October 30, 2000

Thomas Shinder

This week we'll continue our discussion on how to troubleshoot common problems with Microsoft Proxy Server 2.0. Last week we went over the basics of how the three Proxy Services work, and some common problems in troubleshooting the Server configuration. If you missed it, you can read that article by going HERE.

This week we'll cover issues related to the Web Proxy, WinSock Proxy and SOCKS Proxy Service. These are the core services provided with Microsoft Proxy Server and knowing the common headaches associated with them can save you some time should things go wrong.

Common Web Proxy Service Problems

Many problems involving the Web Proxy service are related to the security configuration of the IIS Server on which the Web Proxy service depends. Remember, the Web Proxy service is an ISAPI plug-in to the IIS Server's WWW Service. You configure the type of security required to access the Web Proxy service at the IIS Server console. Below you see the authentication methods configuration interface on the IIS Server.

On this IIS 5.0 Server, you can see that all three of the supported authentication methods are allowed: Basic Authentication, Digest Authentication and Integrated Windows Authentication. Keep in mind that Basic Authentication sends the username and password in clear text and can be easily sniffed. Digest Authentication is new with IIS 5.0. The IIS Server sends some information to the client, and the client browser hashes this information with the username and password. The hash is sent to the server for authentication. Integrated Windows Authentication is the same as the NT Challenge/Response authentication you used in IIS 4.0.

When you see the following error:

HTTP/1.0 500 Server Error (-number)

It may be related to the use of Integrated Windows Authentication. Change your authentication method to Basic Authentication and see if the problem goes away. If it does, you should consider problems related to the use of NTLM on the network and perhaps consider using only anonymous access, or Digest Authentication.

You can start and stop IIS integrated services from the command line. The net stop and net start commands can be used to quickly stop and start IIS services. For example, if you want to stop the WWW Service, you could type at the command prompt:

net stop w3svc

To start it again, type:

net start w3svc

If you try to start the WWW service from the command line, and you get an error such as:

An instance of this service is already running

It's most likely because you've started the Web Proxy Service already. Since the Web Proxy service is dependent on the WWW service, when you start the Web Proxy service it will automatically start the WWW service.


Cache (flow) Problems

The Web Proxy service's Web Cache is a wonderful thing. If you're in an environment where you have to pay packet charges on data moving through your Internet connection, you can save a lot of money by implementing caching of web pages. The Web Cache can also significantly improve perceived performance on the end user's side, which should help reduce the calls you get regarding the "Internet" being slow.

The Cache works in the background and caches content based on the configuration parameters you've set. The Web Cache configuration sets how aggressively you want caching to be performed, and whether or not you want Active Caching initiated by the Proxy Server. Active Caching will cause the Proxy Server to fetch "popular" web pages in the background, so that these pages have the freshest content. This "fetching" is done during times of low processor usage.

The configuration interface for caching appears below.



The cache expiration policy controls how often the server will send pages back to the user from the cache versus how often it will forward the request to the server on the Internet. The more aggressive caching policies will encourage more cache hits. The drawback is that users may see stale pages more often. The caching feature can always be side-stepped from the client side by hitting the F5 key.

You can see the Advanced Settings for the Web Cache HERE.

The Web Cache doesn't run into problems very often. When there are problems, they're usually related to corruption of some of the files in the web cache. When the Web Proxy service starts up, it always checks the integrity of the web cache. If the cache is large, it may take some time for the Web Proxy service to fully initialize. Keep this in mind if you've configured a very large web cache and it seems like it takes a long time for the service to boot up.

If the Web Proxy service fails to start, check for proxy problems in the Event Viewer. If problems related to cache corruption are mentioned, open a command prompt, change the focus to the drive that contains the cache, and type:

chkdsk /R

This will find file system problems and, hopefully, fix them. Make sure that the Web Proxy service is stopped when you are performing any of these maintenance tasks! You might also try resizing the cache after performing this operation.

If this doesn't fix things, you might be experiencing more significant issues with the cache folder hierarchy. In this case, you should disable caching and then delete the cache folder hierarchy. If disk file related problems are getting this bad, you should make sure that the disk is in good shape. If the disk drive is in the process of going belly-up, you should replace the disk before re-enabling the Web Cache.


WinSock Proxy Related Problems

The WinSock Proxy service is used to provide access for WinSock programs that are not able to use the Web Proxy service. Since the Web Proxy service supports only CERN compliant applications and only the FTP, HTTP, HTTPS and gopher protocols, you must use the WinSock Proxy service to support any other application layer protocols you want to put into service. Common examples would be for SMTP, POP3, and NNTP.

The WinSock Proxy service is able to accomplish this amazing feat by replacing the winsock.dll's on the client machines that need to use the WinSock Proxy service. This is one of the major sticking points for many administrators. They are loath to add client software because of concern over how the client software will interact with other software installed on the client machine. In our experience, the WinSock client has little or no effect on the overall performance of client workstations on which it is installed.

The WinSock Proxy client .dll's will pick up the request made from user agents on the client workstations and forward those requests to the WinSock Proxy service on the Proxy server. All this takes place in the background and the users are not aware of the process. There is no application configuration required in most cases.

WinSock Proxy related problems often can be traced back to the Local Address Table or LAT. The LAT is used to determine if a request should be handled by the WinSock Proxy service, or if the request can be forwarded directly to the server. The LAT therefore should contain address ranges that encompass your internal network. If a foreign address is included in the LAT, requests to that address will not be subjected to WinSock Proxy service access controls.

Common service requests such as DNS must go through the WinSock Proxy client software. If the machine tries to make a DNS query and it does not have permission to do so, the DNS query will fail. Normally, the DNS Server is on the internal network, therefore access permissions are not an issue. If DNS queries are failing, make sure that the DNS Server is included on the LAT so that WinSock Proxy access controls are not applied.
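The LAT check described above can be automated. This is an added example, not code from the original article or from Proxy Server: it assumes LAT entries are available as one "start end" IPv4 pair per line and that "internal" means the RFC 1918 private ranges; the sample table and all function names are constructed for illustration.

```python
import ipaddress

# Assumption: "internal" means the RFC 1918 private ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_lat(text):
    """Parse 'start end' IPv4 pairs, one per line (assumed layout)."""
    ranges = []
    for lineno, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if not parts:
            continue
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected 'start end'")
        start, end = (ipaddress.IPv4Address(p) for p in parts)
        if start > end:
            raise ValueError(f"line {lineno}: start is above end")
        ranges.append((start, end))
    return ranges

def foreign_ranges(ranges, internal=INTERNAL_NETS):
    """Return LAT ranges that are not wholly inside one internal network."""
    return [(str(s), str(e)) for s, e in ranges
            if not any(s in net and e in net for net in internal)]

def bypasses_controls(addr, ranges):
    """True if addr is in the LAT, so WinSock Proxy access controls are skipped."""
    ip = ipaddress.IPv4Address(addr)
    return any(s <= ip <= e for s, e in ranges)

# Constructed sample LAT: the third range is a public block added by mistake.
SAMPLE_LAT = """\
10.0.0.0 10.255.255.255
192.168.1.0 192.168.1.255
198.51.100.0 198.51.100.255
"""

if __name__ == "__main__":
    lat = parse_lat(SAMPLE_LAT)
    print("Foreign ranges in LAT:", foreign_ranges(lat))
    # Internal DNS server (constructed address): should be covered by the LAT.
    print("DNS 192.168.1.53 on LAT:", bypasses_controls("192.168.1.53", lat))
    print("198.51.100.20 skips controls:", bypasses_controls("198.51.100.20", lat))
```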

You can also use the chkwsp32.exe application on the WinSock Proxy clients to check out the connection status between the WinSock Proxy client and server. Often you'll find out that the WSP Service has been disabled in the Control Panel, and it's just a matter of turning the client back on and everything is fine. Also, make sure that the Internet connection is actually functional by going to the Proxy Server itself and confirming that Internet access is possible.



SOCKS Proxy Problems



The SOCKS Proxy service is used to allow non-Windows clients access to the Internet via the Proxy Server. If you are running a Windows only environment, it would be best to completely ignore the SOCKS Proxy service. Better yet, disable the SOCKS Proxy. You can stop the SOCKS Proxy service via the Internet Services Manager interface, but when you restart the machine, it will just "grow back".



A better solution for eradicating the SOCKS Proxy service is to whack it via the Registry. The key is:



HKLM\System\CurrentControlSet\Services\W3Proxy\Parameters\Socks



Change the value for SocksServiceEnabled to 0, and say goodbye to SOCKS.



If you must run the SOCKS Proxy Service, keep in mind that the default rule is to deny all connection requests. Access controls for the SOCKS Proxy are not integrated with the SAM or Active Directory as they are with the Web and WinSock Proxies. To control access, you identify source and destination port and IP addresses, as seen in the shot of the SOCKS configuration interface below.

It is best policy to deny all requests, and then create specific rules for those ports that you want accessible to the SOCKS Proxy clients. When configuring the rule, you must set the action (deny or permit), the source and destination IP addresses or network IDs, and the port number for the destination machine. To see the rules interface click HERE.
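The deny-by-default policy with specific permit rules can be modelled and tested before it is entered in the console. This is an added example, not the product's rule engine: it assumes rules are checked in order with the first match winning and that the port test is a simple equality, and every address, rule and name in it is constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class SocksRule:
    action: str            # "permit" or "deny"
    source: str            # source IP or network ID, CIDR notation
    destination: str       # destination IP or network ID, CIDR notation
    port: Optional[int]    # destination port; None matches any port

    def matches(self, src, dst, dport):
        return (ipaddress.ip_address(src) in ipaddress.ip_network(self.source)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.destination)
                and (self.port is None or self.port == dport))

def decide(rules, src, dst, dport):
    """First matching rule wins (assumed ordering); no match means deny."""
    for rule in rules:
        if rule.matches(src, dst, dport):
            return rule.action
    return "deny"

def overly_broad(rules):
    """Flag permit rules that allow any destination on any port."""
    return [r for r in rules
            if r.action == "permit"
            and ipaddress.ip_network(r.destination).prefixlen == 0
            and r.port is None]

# Constructed rule set for a hypothetical 10.1.0.0/16 internal network.
RULES = [
    SocksRule("deny", "10.1.5.0/24", "0.0.0.0/0", None),        # restricted subnet
    SocksRule("permit", "10.1.0.0/16", "0.0.0.0/0", 80),        # HTTP anywhere
    SocksRule("permit", "10.1.0.0/16", "203.0.113.25/32", 25),  # one mail relay
]

if __name__ == "__main__":
    print(decide(RULES, "10.1.2.3", "198.51.100.7", 80))   # permitted by rule 2
    print(decide(RULES, "10.1.5.9", "198.51.100.7", 80))   # denied by rule 1
    print(decide(RULES, "10.1.2.3", "198.51.100.7", 23))   # no rule: default deny
    print(overly_broad(RULES))
```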

Next Week...

Check out Back To Basics next week, when we'll go over the issue of using PING behind a Proxy Server and also how to configure your Proxy Server on a DMZ subnet.