
High-end/Enterprise-level proxy server for Windows NT

By ServerWatch Staff (Send Email)
Posted Jun 5, 2002


A proxy server should work on two levels -- keeping unwanted content out while quickly serving Web pages to internal users. On both scores, Microsoft Proxy Server 2.0 excels. Although it is on the expensive side - $995 list price - Microsoft Proxy Server is clearly the class of current proxy offerings.

Of course, like most Microsoft products, that class comes with a few caveats. Unlike competing products from Netscape, Microsoft Proxy Server 2.0 runs only on Windows NT Server 4.0 (with Service Pack 2 or later installed), so forget about configuring Microsoft Proxy Server on a UNIX box. The server is designed to work with NT-style groups and users, granting permissions to specific users and groups for specific protocols (for instance, you could allow only an upper-management group access to IRC), while at the same time denying any Internet access at all to other users or groups. Logging is done in the same fashion as other BackOffice products: data can be sent to a text file or to a SQL or ODBC database. It's also tightly integrated with Microsoft Internet Information Server (IIS) 4.0, furthering the bonds between Microsoft Proxy Server and other Microsoft server products.

Another feature that's a Microsoft-only solution is the Cache Array Routing Protocol (CARP), which distributes users' Web requests across a proxy array (which is nothing more than multiple proxy servers). This represents Microsoft's commitment to the enterprise, where such a proxy array makes sense in dividing the load across the entire network. (It's also an approach taken by Netscape.) However, CARP uses a different hashing algorithm than the industry-standard Internet Cache Protocol (ICP), and so far it hasn't caught on with other proxy-server vendors. This won't be a factor in most situations, but it will matter on the enterprise level.
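To show what hash-based array routing buys an administrator, here is an added example (not code from the review or from Microsoft) of CARP-style "highest score wins" routing of URLs across an array: each member's responsibility is computed locally from the URL, with no query between members, and losing one member only remaps the URLs that member was serving. The mixing function and the member names are constructed stand-ins, not the exact CARP routine.

```python
# Added example: CARP-style deterministic routing of URLs across a proxy
# array ("highest score wins", also known as rendezvous hashing).  The
# mixing function below is a stand-in, not Microsoft's or the CARP draft's
# exact routine; the property demonstrated (only the departed member's
# URLs move when the array shrinks) holds for any such scheme.
from typing import Dict, List

MASK = 0xFFFFFFFF


def rotl(x: int, n: int) -> int:
    """32-bit left rotate."""
    return ((x << n) | (x >> (32 - n))) & MASK


def hash_string(s: str) -> int:
    """Simple 32-bit string mix used for both URLs and member names."""
    h = 0
    for ch in s.encode():
        h = (h + rotl(h, 19) + ch) & MASK
    return h


def score(url: str, member: str) -> int:
    """Combine URL and member hashes; the member with the highest score serves the URL."""
    combined = (hash_string(url) ^ hash_string(member)) & MASK
    combined = (combined + combined * 0x62531965) & MASK
    return rotl(combined, 21)


def route(url: str, members: List[str]) -> str:
    """Pick the array member responsible for caching this URL (ties broken by name)."""
    return max(members, key=lambda m: (score(url, m), m))


def route_all(urls: List[str], members: List[str]) -> Dict[str, str]:
    """Map every URL to its responsible member."""
    return {u: route(u, members) for u in urls}


def moved_urls(urls: List[str], before: List[str], after: List[str]) -> List[str]:
    """URLs whose responsible member changes when array membership changes."""
    old, new = route_all(urls, before), route_all(urls, after)
    return [u for u in urls if old[u] != new[u]]


# Constructed sample input: a three-member array and 200 URLs on one site.
MEMBERS = ["proxy1.example.internal", "proxy2.example.internal", "proxy3.example.internal"]
URLS = [f"http://www.example.com/page{i}.html" for i in range(200)]

if __name__ == "__main__":
    assignment = route_all(URLS, MEMBERS)
    for m in MEMBERS:
        print(m, sum(1 for v in assignment.values() if v == m), "URLs")
    remaining = [m for m in MEMBERS if m != "proxy2.example.internal"]
    print("URLs remapped after losing proxy2:", len(moved_urls(URLS, MEMBERS, remaining)))
```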

Microsoft Proxy Server 2.0 is actually two separate servers, both managed through the Internet Service Manager (ISM): a Web proxy server and a Winsock proxy. (Alas, ISM isn't a browser-based administration tool, which means system administration must occur from a Windows machine.) The Web proxy server handles requests in the HTTP, FTP, Gopher, and SSL protocols, caching Web pages in the process. The Winsock proxy is configured to handle other protocols, such as POP3, although you can add support for other protocols in both proxies (but you cannot do any blocking of Java, ActiveX, and/or MIME types). Permissions are extensive - you can disallow or allow access based on domain, zone, port or IP address (including ranges of addresses).

Microsoft has positioned Proxy Server as an alternative to firewalls, and on a basic level this is a very valid argument. Proxy Server 2.0 supports SOCKS 4.3 for authentication - a method used by some virtual private network vendors - but more importantly it supports true network separation and address translation. If you install two network interfaces (any combination of network cards, ISDN cards or modems), you can separate outside Internet access to the network from the trusted internal network. While other proxy servers support this - notably Netscape Proxy Server - the Microsoft approach is unique in that its Proxy Server's built-in local address translation (LAT) camouflages your internal network topology. The recommended approach is to use Class C addresses for your internal network and allow Proxy Server to translate to those internal addresses, instead of allowing a direct query. This approach also prevents IP spoofing attacks while presenting only one registered IP address - as maintained by Proxy Server - to the Internet.

Security is also enhanced by Microsoft's support of dynamic packet filtering. A packet filter usually works by listening to a specific port - usually port 80 - for all inbound traffic, which means that the port is always open (and any open port is a potential entry point for an intruder). Dynamic packet filtering doesn't open the port to listen to it; rather, the proxy server lets an HTTP request through which is then evaluated by the server. When the transaction is done, the port is closed.

One additional advantage to Microsoft Proxy Server derives from its support of dial-up networking as part of Windows NT's Remote Access Service (RAS). The Proxy Server helps manage RAS access to the server, restricting dial-up access at specific times (either times of the day or days of the week). Such dial-up support isn't widely found in the larger proxy-server world.

Pros:
- High-performance proxy server that also performs some firewall functions
- Dynamic packet filtering
- RAS support
- True network separation and address translation
- Support for proxy arrays

Cons:
- Close ties to Microsoft products deter integration into non-Microsoft environments
- No UNIX versions available
- Most expensive proxy server on the market
- No browser-based administration

New:
- Hierarchical proxying/caching
- Dynamic packet filtering
- Support for Virtual Private Networks
- FTP caching
- HTTP 1.1 support
- SOCKS support
- Release Notes
Upgrade Meter: 5

Version Reviewed: 2.0
Date of Review: 4/22/98
Reviewed by: Kevin Reichard
