Back To Basics: Troubleshooting Proxy Server 2.0
October 23, 2000
One of the subjects you must become acquainted with in order to excel in any network environment, and on your Windows 2000 MCSE exams, is that of proxy servers and firewalls. Microsoft has an exceptional proxy server in Proxy Server 2.0. Although this product is getting a little long in the tooth, and is about to be supplanted by Microsoft Internet Security and Acceleration (ISA) Server, it remains a powerful ally on any Microsoft network.
What is Microsoft Proxy Server?
Microsoft Proxy Server can provide both inbound and outbound security for an organization. In addition to its security features, Proxy Server 2.0 is able to cache objects retrieved from the Internet. This caching feature significantly improves the perceived client performance for Internet access, and has the potential for reducing traffic both on the external interface of the proxy server, and at the corporate network backbone.
The Proxy Server Services
Microsoft Proxy Server is actually a collection of server services. Some of these services are dependent upon, or "run on top of", Microsoft Internet Information Server. The Proxy Server services are the Web Proxy Service, the WinSock Proxy Service and the SOCKS Proxy Service.
Each of these services has capabilities and requirements specific to that service. In addition, there are aspects of the Proxy Server configuration which span all three of the Proxy Server services.
Thomas Shinder
The Web Proxy Service
The Web Proxy Service provides access to the FTP, HTTP, HTTPS and Gopher protocols for CERN-compliant browsers. With a CERN-compliant web browser, users can access FTP, Web and Gopher sites via the Web Proxy Service.
One of the most useful aspects of the Web Proxy Service is the Web Cache. Almost all objects that are retrieved by the Web Proxy Service are placed in the Web Cache. After the object is placed in cache, a subsequent request for the same web object can be returned to the Web Proxy client from cache, rather than the web server from which the object originated. This improves the perceived performance from the client end, and can reduce bandwidth utilization on the external interface of the Proxy Server.
Like the other two Proxy Server services, the Web Proxy Service can subject its clients to access controls. You can control which users or groups may use each Web Proxy protocol. Figure 1 shows the dialog box used to configure these permissions.
The Web Proxy Service is an ISAPI "plug-in" to the WWW Service of Microsoft Internet Information Server. This makes the Web Proxy Service dependent on the WWW Service in order to function properly. The authentication mechanism used by the Web Proxy Service is configured in the WWW Service's properties dialog box, so any change you make to the WWW Service's authentication settings also changes how Web Proxy users are identified, and therefore whether your user- and group-based access controls can be enforced.
The WinSock Proxy Service
The WinSock Proxy Service provides Internet access to WinSock applications that are not CERN-compliant. Since the Web Proxy Service supports only CERN-compliant browsers, and only the FTP, HTTPS, HTTP and Gopher protocols, the WinSock Proxy Service provides the support for other important protocols. SMTP, NNTP, IRC, POP3 and Telnet are just a few of the protocols supported out of the box. You can configure support for other protocols if you require them.
Unlike the Web Proxy Service, the WinSock Proxy Service is not dependent on Internet Information Server, and specifically not on the WWW Service. Another important consideration is that WinSock Proxy clients do not take advantage of the Web Cache. Remember that the Web Cache is a service provided by the Web Proxy Service for Web Proxy clients only. However, there is no reason why network client machines cannot be both Web Proxy and WinSock Proxy clients.
Access Controls for the WinSock Proxy Service are configured in a fashion similar to that of the Web Proxy Service. Figure 2 shows the configuration dialog box for the WinSock Proxy Service.
The SOCKS Proxy Service
The SOCKS Proxy Service allows Internet access for non-Windows clients that need protocols not supported by the Web Proxy Service. You might think of the SOCKS Proxy Service as the Mac/UNIX counterpart of the WinSock Proxy Service. However, the two services are managed quite differently from one another.
Proxy Server 2.0 supports SOCKS version 4.3a and does not support SOCKS version 5. Keep this in mind if you have games or other applications that require SOCKS 5 features such as client authentication, UDP relay or server-side name resolution: a SOCKS 5 client will not get past the version check of a SOCKS 4 server.
Security configuration of the SOCKS Proxy Service is somewhat clumsy compared to the Web Proxy and WinSock Proxy configuration schemes. The SOCKS Proxy Service is not security-account aware: you configure access based on source and destination IP addresses or network IDs, not on users or groups, so anyone who can send from a permitted source address receives that access. Figure 3 shows an example of the SOCKS Security configuration dialog box.
It is interesting to note that the SOCKS Proxy Service is implemented as part of the Web Proxy Service, and therefore it too depends on the WWW Service of the IIS server to function properly.
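To make the version difference concrete, here is an added example (not code from the article or from Proxy Server) that builds the SOCKS 4 CONNECT request a client sends, decodes the reply, and builds the SOCKS 5 greeting that a SOCKS 4-only proxy cannot act on. Byte layouts follow the SOCKS 4 protocol description and RFC 1928 (SOCKS 5); the address, port and user id are constructed samples.

```javascript
// Added example (not code from the article or from Proxy Server): the first
// bytes each SOCKS version puts on the wire. A SOCKS 4 proxy such as Proxy
// Server 2.0 reads the version byte first, so a SOCKS 5 client greeting is not
// a request it can act on. Layouts follow the SOCKS 4 protocol description
// and RFC 1928 (SOCKS 5); the addresses and user id used are constructed samples.

// SOCKS 4 CONNECT request:
//   VN(1)=4  CD(1)=1  DSTPORT(2, big-endian)  DSTIP(4)  USERID(n)  NUL(1)
function buildSocks4Connect(ip, port, userId = "") {
  const octets = ip.split(".").map(Number);
  if (octets.length !== 4 || octets.some((o) => !Number.isInteger(o) || o < 0 || o > 255)) {
    // SOCKS 4 has no field for a host name; the client must resolve it first.
    throw new Error("SOCKS 4 carries only a dotted-quad IPv4 address, got: " + ip);
  }
  if (!Number.isInteger(port) || port < 1 || port > 65535) {
    throw new Error("bad port: " + port);
  }
  const id = Buffer.from(userId, "ascii");
  const req = Buffer.alloc(8 + id.length + 1); // trailing NUL terminates USERID
  req[0] = 0x04;                    // VN
  req[1] = 0x01;                    // CD: 1 = CONNECT, 2 = BIND
  req.writeUInt16BE(port, 2);       // DSTPORT
  Buffer.from(octets).copy(req, 4); // DSTIP
  id.copy(req, 8);                  // USERID
  req[8 + id.length] = 0x00;        // NUL
  return req;
}

// SOCKS 4 reply: VN(1)=0  CD(1)  DSTPORT(2)  DSTIP(4)
const SOCKS4_REPLY_CODES = {
  90: "request granted",
  91: "request rejected or failed",
  92: "rejected: cannot connect to identd on the client",
  93: "rejected: client program and identd report different user ids",
};

function parseSocks4Reply(buf) {
  if (buf.length < 8) throw new Error("short SOCKS 4 reply");
  if (buf[0] !== 0x00) throw new Error("not a SOCKS 4 reply (VN=" + buf[0] + ")");
  return {
    granted: buf[1] === 90,
    status: SOCKS4_REPLY_CODES[buf[1]] || "unknown code " + buf[1],
    port: buf.readUInt16BE(2),
    ip: Array.from(buf.subarray(4, 8)).join("."),
  };
}

// SOCKS 5 client greeting (RFC 1928): VER(1)=5  NMETHODS(1)  METHODS(n)
function buildSocks5Greeting(methods = [0x00 /* no authentication */]) {
  return Buffer.from([0x05, methods.length, ...methods]);
}

// What a SOCKS 4-only proxy does with the first packet: it recognises a
// request only when the version byte is 4 and the fixed header is present.
function socks4ProxyRecognises(firstPacket) {
  return firstPacket.length >= 8 && firstPacket[0] === 0x04;
}
```

The two takeaways for troubleshooting: a SOCKS 4 request carries an IPv4 address, never a host name, so name resolution happens on the client; and a SOCKS 5 client opens with a three-byte greeting whose version byte is 5, which is why such clients simply fail to connect through Proxy Server 2.0 rather than falling back.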
Troubleshooting Microsoft Proxy Server 2.0
Although Proxy Server 2.0 appears on the surface to be relatively simple in design and implementation, it can be challenging to get all parts of the program to work the way you want them to. Since Proxy Server 2.0 is actually several servers in one, you must be able to manage, configure and troubleshoot multiple services and server configuration issues.
We can break down the problems you might encounter with Proxy Server 2.0 into the following areas: server configuration issues; issues specific to the Web Proxy, WinSock Proxy and SOCKS Proxy services; and special configuration issues such as DMZ subnets.
Let's begin with troubleshooting common Proxy Server 2.0 server configuration issues.
Troubleshooting the Server Configuration
The most common server configuration issues you will run into are related to the network interface configuration, the Local Address Table, or packet filtering.
Network Interface Configuration Issues
There are a few issues commonly encountered by both new and experienced administrators when they configure the interfaces on the proxy server. One of these has to do with how the default gateway is configured for the machine.
For the Proxy Server to work correctly, you need to assign only one default gateway on that computer, and it should be configured only on the external interface of the Proxy Server machine. If you add other gateways, you might find yourself getting into trouble, with some packets routed back to your internal network.
The most common problem we run into is that the administrator has configured a default gateway on the internal interface of the proxy server. Once that entry is removed, everything ends up working fine. Also remember to disable IP forwarding so that users cannot circumvent the Proxy Server by routing straight through it.
When setting up the Proxy Server, be sure that you are able to supply all the required information for the external interface. This includes the remote router (default gateway), the Proxy Server's public IP address and subnet mask, and the DNS server's address. If you find that clients are able to connect to resources by IP address but not by FQDN, check the configuration of the DNS server address.
Local Address Table Issues
The Local Address Table (LAT) is used to determine which machines are located on the internal network, and therefore do not require processing by the Proxy Server. If a request comes to the Proxy Server for a machine whose IP address is in the LAT, the Proxy Server forwards the request to the internal server without subjecting it to further processing, such as the application of access controls. The WinSock Proxy client keeps its own copy of the table, so its local destinations are contacted directly rather than through the proxy.
Be sure not to place the external interface's IP address in the LAT. If you do, the Proxy Server will treat the external interface as a local address and will not forward requests to Internet hosts!
If clients suffer poor performance when accessing local servers on the network, check whether those servers' addresses are in the LAT. The Proxy Server must evaluate every request for a resource that is not in the LAT, so if your internal servers' addresses are missing, every request to them is evaluated as though it were an Internet request. This can leave the Proxy Server "bogged down" evaluating large volumes of internal traffic, and overall performance suffers.
To prevent the Proxy Server from being overwhelmed by these internal requests, check that all internal subnets, and therefore all internal servers' addresses, are included in the LAT. Conversely, never add address ranges you do not own: anything in the LAT bypasses the proxy's access controls.
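The interface and LAT checks described in the two sections above are easy to get wrong by eye, so here is an added example (not code from the article or from Proxy Server) that runs them over a constructed description of the proxy host. In practice the values come from ipconfig, route print and the Local Address Table tab; the LAT text uses the one-range-per-line "start end" layout of Msplat.txt, which is an assumption here, as are the interface names and addresses.

```javascript
// Added example (not code from the article or from Proxy Server): checks for
// the interface and LAT mistakes described above, run over a constructed
// description of the proxy host. The LAT text uses the one-range-per-line
// "start end" layout of Msplat.txt (assumed here).

function ipToInt(ip) {
  const o = ip.split(".").map(Number);
  if (o.length !== 4 || o.some((x) => !Number.isInteger(x) || x < 0 || x > 255)) {
    throw new Error("bad IPv4 address: " + ip);
  }
  return o[0] * 16777216 + o[1] * 65536 + o[2] * 256 + o[3];
}

// Parse LAT text into inclusive integer ranges; section headers and comments are skipped.
function parseLat(text) {
  const ranges = [];
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith("[") || line.startsWith(";")) continue;
    const [start, end] = line.split(/\s+/);
    if (!end) throw new Error("LAT line needs a start and an end address: " + line);
    ranges.push({ start: ipToInt(start), end: ipToInt(end), text: line });
  }
  return ranges;
}

function inLat(ranges, ip) {
  const n = ipToInt(ip);
  return ranges.some((r) => n >= r.start && n <= r.end);
}

// First and last address of the subnet an interface sits on.
function subnetRange(ip, mask) {
  const m = ipToInt(mask);
  const net = (ipToInt(ip) & m) >>> 0;
  return { start: net, end: (net | (~m >>> 0)) >>> 0 };
}

// True when a single LAT range spans the whole subnet.
function subnetCoveredByLat(ranges, ip, mask) {
  const s = subnetRange(ip, mask);
  return ranges.some((r) => r.start <= s.start && r.end >= s.end);
}

// Returns a list of findings; an empty list means the host passes every check.
function checkProxyHost(host, latText) {
  const findings = [];
  const lat = parseLat(latText);
  const gateways = host.interfaces.filter((i) => i.gateway);
  if (gateways.length !== 1) {
    findings.push(`expected exactly one default gateway, found ${gateways.length}`);
  }
  for (const i of host.interfaces) {
    if (i.external) {
      if (!i.gateway) findings.push(`external interface ${i.name} has no default gateway`);
      if (!i.dns) findings.push(`external interface ${i.name} has no DNS server; clients will reach IPs but not FQDNs`);
      if (inLat(lat, i.ip)) findings.push(`external address ${i.ip} is in the LAT; Internet requests will be treated as local`);
    } else {
      if (i.gateway) findings.push(`default gateway ${i.gateway} is set on internal interface ${i.name}; remove it`);
      if (!subnetCoveredByLat(lat, i.ip, i.mask)) findings.push(`internal subnet ${i.ip}/${i.mask} behind ${i.name} is not fully covered by the LAT`);
    }
  }
  if (host.ipForwarding) findings.push("IP forwarding is enabled; clients could route around the proxy");
  return findings;
}

// Constructed samples: the classic misconfiguration and its corrected form.
const MISCONFIGURED_HOST = {
  ipForwarding: true,
  interfaces: [
    { name: "External", ip: "203.0.113.10", mask: "255.255.255.0", gateway: "203.0.113.1", dns: "203.0.113.53", external: true },
    { name: "Internal", ip: "10.0.0.1", mask: "255.255.0.0", gateway: "10.0.0.254", external: false },
  ],
};
const MISCONFIGURED_LAT = "[Internal IP Ranges]\n10.0.0.0 10.0.0.255\n203.0.113.10 203.0.113.10\n";

const CORRECTED_HOST = {
  ipForwarding: false,
  interfaces: [
    { name: "External", ip: "203.0.113.10", mask: "255.255.255.0", gateway: "203.0.113.1", dns: "203.0.113.53", external: true },
    { name: "Internal", ip: "10.0.0.1", mask: "255.255.0.0", external: false },
  ],
};
const CORRECTED_LAT = "[Internal IP Ranges]\n10.0.0.0 10.255.255.255\n";
```

Running checkProxyHost on the misconfigured sample reports five findings (two default gateways, a gateway on the internal interface, the external address inside the LAT, an internal subnet only partly covered, and IP forwarding on); the corrected sample reports none. The subnet check deliberately requires one LAT range to span the whole subnet, since a subnet split across several entries is the usual way a few internal hosts end up outside the table.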
Client-side Array Routing
When a Proxy Server that is a member of a Proxy Array receives a request for an Internet object, it must perform a series of calculations to determine which array member's Web Cache should hold the object, and whether it is cached at all. This costs processor cycles on the array member. When array members must do all of this intra-array cache routing themselves, it has a negative effect on the overall performance of the array.
To reduce the impact of array routing on the Proxy Servers, you can have the clients perform this function. To do so, configure the clients' browsers to use the Automatic Configuration Script. The script's URL takes the format:
http://<servername>/array.dll?Get.Routing.Script
where you replace <servername> with the name of a Proxy Server that is a member of the array.
When you configure the clients to use this script, the clients perform the routing calculation needed to identify which array member holds, or should hold, a cached object. This offloads the processing from the Proxy Servers and distributes it across all the proxy clients on the network.
Keep in mind who the Proxy Clients are on your network. Client workstations are the obvious Proxy Server clients. However, downstream Proxy Servers in a proxy chain are also clients of the upstream array. Be sure to configure the downstream servers to use the automatic configuration script as well.
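To show what "the clients perform the routing" means, here is an added example (not the script Proxy Server 2.0 generates): a simplified CARP-style FindProxyForURL of the kind the automatic configuration script provides. Each client scores the requested URL against every array member's name and sends the request to the highest-scoring member, so every client and every member agree on where an object is cached without any intra-array lookup. The member names, the port, the local-domain test and the hash function are assumptions for illustration; the real script uses Microsoft's CARP hash functions, load factors and the array's LAT.

```javascript
// Added example (not the script Proxy Server 2.0 generates): a simplified
// CARP-style FindProxyForURL. Member names, port, local-domain test and hash
// are assumptions for illustration.

const ARRAY_MEMBERS = ["proxy1.corp.example.com", "proxy2.corp.example.com", "proxy3.corp.example.com"];
const PROXY_PORT = 80; // assumed: the Web Proxy listens on the WWW Service port

// FNV-1a 32-bit; stands in for CARP's hash functions.
function hash32(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h;
}

// The score depends only on the (URL, member) pair, so adding or removing a
// member only moves the URLs that scored highest on that member; the rest of
// the cache stays where it is.
function score(urlHash, member) {
  return Math.imul((urlHash ^ hash32(member)) >>> 0, 0x9e3779b1) >>> 0;
}

// Members ordered from preferred to least preferred for this URL; the browser
// falls through the list if a member is down.
function rankMembers(url, members = ARRAY_MEMBERS) {
  const u = hash32(url);
  return members
    .map((m) => ({ m, s: score(u, m) }))
    .sort((a, b) => b.s - a.s)
    .map((x) => x.m);
}

function selectMember(url, members = ARRAY_MEMBERS) {
  return rankMembers(url, members)[0];
}

// Assumed local bypass: plain host names and the internal domain go direct,
// the way the LAT keeps internal traffic off the proxy.
function isLocalDestination(host) {
  return host.indexOf(".") === -1 || host.endsWith(".corp.example.com");
}

// Entry point the browser calls for every request when it uses this script.
function FindProxyForURL(url, host) {
  if (isLocalDestination(host)) return "DIRECT";
  return rankMembers(url).map((m) => "PROXY " + m + ":" + PROXY_PORT).join("; ");
}
```

Two properties matter operationally: the choice is deterministic, so every client sends a given URL to the same member and the array holds one cached copy rather than three; and when a member drops out, only the URLs that preferred it move to their runner-up, so the other members' caches stay warm. The same script works on a downstream proxy configured to use the upstream array.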
Packet Filtering Issues
Proxy Server can also act as a rudimentary firewall by implementing packet filtering on the external interface. The proxy server examines every packet received on the external interface and decides whether it should receive further processing. If a packet arriving on the external interface does not match the packet filters you have allowed, it is dropped immediately without any further processing.
The key problem many administrators run into is not realising that these packet filters apply to the external interface only. The packet filter settings you configure on the Proxy Server do not apply to any internal interface, so they offer no protection against traffic originating on the internal network. In addition, you cannot configure packet filters at all until you have configured an external interface on the Proxy Server.
In the next installment of Back to Basics, we'll go over issues related to troubleshooting the Web Proxy, WinSock Proxy and SOCKS Proxy Services. We'll also cover special configuration issues and DMZ subnets.