An Introduction to Proxy Server

尹正奇
2023-12-01
An Introduction to Microsoft Proxy Server
Author: Kurt Hudson
Published: August 2000
Copyright: 2000
Publisher: Windows IT Library


Abstract
In this overview of Microsoft Proxy Server 2.0, you learn what a proxy server does and why it’s beneficial on a network. This chapter covers the specific advantages realized when using a proxy server and the three main services of MPS.


WHAT IS A PROXY SERVER?

To be a “proxy” means to act on behalf of another. This is exactly what a proxy server does; it acts on behalf of its proxy clients to interact with other servers. You could say that a proxy server is a “mediator” for computer communications.

Placing a proxy server on your network gives you several advantages, including security enhancements, caching enhancements, and greater control over your network users. The advantages to using Microsoft Proxy Server (MPS), listed below, are discussed in the following sections:
  • Common connection point
  • Caching
  • Packet filtering
  • Domain filtering
  • Control user access by service
  • Logging
  • Web publishing
Common Connection Point
MPS was designed to connect two networks, rather like a gateway. Typically, MPS connects an internal network and the Internet. This configuration gives the internal computers a common connection point to the Internet — through MPS.

When used to provide a common connection, MPS lets clients share a single connection to the Internet. Instead of giving each user on a Local Area Network (LAN) a separate modem, phone line, and dial-up account to the Internet, MPS can function as a gateway to the Internet using a single connection. Instead of using separate standard phone line connections, users can share a single higher-speed connection through the proxy server. The net effect is usually an overall cost savings and reduction in administrative overhead. One connection is usually cheaper and easier to maintain than several separate connections.

Caching
Since you can use MPS as a common connection point to the Internet, you can also use it to cache frequently accessed resources. MPS allocates a portion of the server’s hard disk space to store frequently accessed objects.

Caching can either be passive or active. Passive caching just stores objects as they are requested, so the cache is updated only when users request information. Active caching directs the server to refresh objects in the cache automatically.

You can selectively control MPS caching so that you can limit the size of cached objects, change the expiration limits (control the freshness of objects), and determine whether MPS always caches, or always excludes from cache, certain content.

Note: Caching only works with the Web Proxy Service in MPS. You will learn more about the Web Proxy Service later in this chapter.
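As an added example (not code from the chapter or from MPS itself), the toy cache below models the controls just described: passive caching on request, active refresh of expired objects, an object-size limit, an expiration limit, and always-cache / never-cache lists. Class and parameter names are this example's own assumptions.

```python
class ProxyCache:
    """Toy object cache with the policy knobs the chapter lists (names are assumptions)."""

    def __init__(self, max_object_bytes=1_000_000, ttl_seconds=3600,
                 always_cache=(), never_cache=()):
        self.max_object_bytes = max_object_bytes   # size limit for cached objects
        self.ttl = ttl_seconds                     # expiration limit (freshness)
        self.always_cache = tuple(always_cache)    # URL prefixes cached regardless of size
        self.never_cache = tuple(never_cache)      # URL prefixes excluded from the cache
        self.store = {}                            # url -> (body, time fetched)
        self.origin_fetches = 0                    # trips made to the origin server

    def _cacheable(self, url, body):
        if self.never_cache and url.startswith(self.never_cache):
            return False
        if self.always_cache and url.startswith(self.always_cache):
            return True
        return len(body) <= self.max_object_bytes

    def get(self, url, fetch, now):
        """Passive caching: serve a still-fresh copy, otherwise fetch it (and store it if allowed)."""
        entry = self.store.get(url)
        if entry is not None and now - entry[1] < self.ttl:
            return entry[0], "HIT"
        body = fetch(url)              # fetch(url) -> body; stands in for the real request
        self.origin_fetches += 1
        if self._cacheable(url, body):
            self.store[url] = (body, now)
        return body, "MISS"

    def refresh_expired(self, fetch, now):
        """Active caching: re-fetch objects whose TTL has run out before any user asks."""
        refreshed = 0
        for url, (_, fetched_at) in list(self.store.items()):
            if now - fetched_at >= self.ttl:
                self.store[url] = (fetch(url), now)
                self.origin_fetches += 1
                refreshed += 1
        return refreshed
```

The `fetch` argument is any callable returning an object body for a URL, and `now` is a clock value in seconds, so a test can drive the policy without a network.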

Packet Filtering
To protect internal users from the outside world (in other words, to protect the network from outsiders), MPS provides packet-filtering services. A packet filter prevents unauthorized access from the outside by limiting the available connection points coming into the network. To that end, packet filters stop various types of protocols from entering the network.

MPS supports both static and dynamic packet filters. A static filter keeps all traffic of a certain description or type from passing through MPS. A dynamic packet filter automatically determines which type of traffic is allowed in or out. With a static filter the administrator defines the port, the protocol, and optionally the IP address. With a dynamic filter the administrator just defines the service to be allowed or filtered.

Domain Filtering
MPS also lets you limit the access of your internal clients to the Internet. You can configure filters for a single computer, a group of computers, or a domain name. Many companies prefer to have this type of control over their users because they can block access to Internet sites that they believe reduce employee productivity or contain offensive material. Some popular examples of domain filtering are blocking access to Internet game servers or Web sites that contain pornographic material.

You can configure domain filters for a specific IP address, IP address and subnet mask, or domain name. IP address filters prevent users from contacting a single computer. Using the IP address and subnet mask as a filter limits access to an entire group (a subnet) of computers. Domain name filters can apply to an entire Web site or to subsections of that site.
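As an added example (not code from the chapter or from MPS), the filter below models the three rule kinds just described, a single IP address, an IP address plus subnet mask, and a domain name for a whole site or one subsection of it; the rule syntax, the deny list and the hostname-to-address table are constructed for the example.

```python
import ipaddress
from urllib.parse import urlsplit

# Deny rules in the three forms the chapter describes. The tuple syntax is this
# example's own, not the MPS property-sheet format.
DENY_RULES = [
    ("ip", "203.0.113.7"),                      # one specific computer
    ("subnet", "198.51.100.0/255.255.255.0"),   # a whole subnet of computers
    ("domain", "games.example"),                # an entire site (and its subdomains)
    ("domain", "www.example.org/adult"),        # only one subsection of a site
]

# Constructed hostname -> address table standing in for DNS so the code runs offline.
FAKE_DNS = {
    "games.example": "192.0.2.10",
    "www.example.org": "192.0.2.20",
    "news.example.net": "198.51.100.44",
    "intranet.example.net": "10.1.1.5",
}

def _resolve(host, dns):
    """Return the host's address (a literal IP, or via the fake DNS table), or None."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        return ipaddress.ip_address(dns[host]) if host in dns else None

def _domain_match(pattern, host, path):
    """'site' matches the site and its subdomains; 'site/section' also requires the path."""
    site, _, section = pattern.partition("/")
    if host != site and not host.endswith("." + site):
        return False
    return not section or path == "/" + section or path.startswith("/" + section + "/")

def is_blocked(url, rules=DENY_RULES, dns=FAKE_DNS):
    """Decide whether an outbound client request is stopped by a domain filter."""
    parts = urlsplit(url)
    host, path = (parts.hostname or ""), (parts.path or "/")
    addr = _resolve(host, dns)   # IP-based rules still apply when the user typed a name
    for kind, value in rules:
        if kind == "ip" and addr is not None and addr == ipaddress.ip_address(value):
            return True, "ip " + value
        if kind == "subnet" and addr is not None:
            net, _, mask = value.partition("/")
            if addr in ipaddress.ip_network(net + "/" + mask, strict=False):
                return True, "subnet " + value
        if kind == "domain" and _domain_match(value, host, path):
            return True, "domain " + value
    return False, "allowed"
```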

Control User Access by Protocol or Service
You can also selectively enable and disable ports, services, and protocols through MPS. MPS lets you control access to Internet services at the user level. You can also enable or restrict access to protocols on a user or group basis. Many protocols are predefined in the default MPS configuration.

If the protocol or service you would like to enable or disable is not defined in the MPS property sheets, you can create a new sheet. You can define a protocol by TCP (Transmission Control Protocol) or UDP (User Datagram Protocol) port number or range. This gives you the ability to control access by port.

Logging
Because all traffic between networks passes through MPS, MPS has the unique opportunity to log and track communication. You can track the information your internal clients get from other networks or the Internet and monitor inbound communication. You can use this information to help you secure your internal network from attack and unauthorized access. Plus, you can monitor where your users spend their time on the Internet and what information they are downloading.

Web Publishing
MPS can also act as a Web server. MPS can service requests from cache on behalf of a Web server, pass requests to the Web server on the local system, or pass requests to another Web server on the internal network. The terms “reverse proxying” and “reverse hosting” describe the Web Publishing services that MPS provides.

As a reverse proxy, MPS listens to incoming Web requests for a single Web server on the local network. The incoming requests are simply forwarded to another Web server. Reverse hosting requires more work on the part of MPS. As a reverse host, MPS can send requests to one of many Web servers. In this case, MPS responds as if the entire site were contained locally, even though the actual data may be coming from several different Web servers.

The main difference between reverse proxying and reverse hosting is that in performing reverse proxying, MPS forwards all requests to the Web server. In performing reverse hosting, MPS selectively forwards requests to multiple Web servers on the internal network. In reverse hosting, the Microsoft Proxy Server routes an external request for a resource (that specifies an Internet domain name) to one or more internal Web servers. For instance, requests for http://www.hudlogic.com/bios might be routed to an internal server named “business” (http://business), while requests for http://www.hudlogic.com/pictures could be sent to a different Web server named “server1” (http://server1).
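As an added example (not code from the chapter or from MPS), the two routing functions below make the distinction concrete: reverse proxying sends every request for the published site to one internal server, while reverse hosting splits the same site across several internal servers by path prefix, using the chapter's www.hudlogic.com, "business" and "server1" names. The table format, the catch-all server name "webserver", and keeping the external path unchanged on the internal URL are this example's own assumptions.

```python
from urllib.parse import urlsplit

# Reverse proxying: every request for the published site goes to one internal server.
REVERSE_PROXY = {"www.hudlogic.com": "http://webserver"}

# Reverse hosting: requests for the same published site are split by path prefix
# across several internal servers; the longest matching prefix wins and "/" is the catch-all.
REVERSE_HOST = {
    "www.hudlogic.com": [
        ("/bios", "http://business"),
        ("/pictures", "http://server1"),
        ("/", "http://webserver"),
    ],
}

def _tail(parts):
    """Path and query appended to the internal server's URL (assumed to be passed through unchanged)."""
    return (parts.path or "/") + ("?" + parts.query if parts.query else "")

def _prefix_matches(prefix, path):
    # "/bios" must match "/bios" and "/bios/kurt.html" but not "/biosphere".
    return prefix == "/" or path == prefix or path.startswith(prefix + "/")

def route_reverse_proxy(url, table=REVERSE_PROXY):
    """Return the internal URL the request is forwarded to, or None if the host is not published."""
    parts = urlsplit(url)
    backend = table.get(parts.hostname)
    return None if backend is None else backend + _tail(parts)

def route_reverse_host(url, table=REVERSE_HOST):
    """Pick the internal server for a published host by longest matching path prefix."""
    parts = urlsplit(url)
    rules = table.get(parts.hostname)
    if rules is None:
        return None   # not a published site: refuse rather than forward blindly
    path = parts.path or "/"
    matches = [(len(prefix), backend) for prefix, backend in rules if _prefix_matches(prefix, path)]
    if not matches:
        return None
    backend = max(matches, key=lambda m: m[0])[1]
    return backend + _tail(parts)
```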


SERVICES

Microsoft Proxy Server 2.0 supports Hypertext Transfer Protocol (HTTP) version 1.1, Windows Sockets version 1.1, SOCKS version 4.3a, and Secure Sockets Layer (SSL) 3.0. The MPS services that provide this support are the Web Proxy service, WinSock Proxy service, and the SOCKS Proxy service, respectively.

Web Proxy Service
The Web Proxy service provides support for HTTP (a.k.a. Web publishing), FTP, Gopher, and secure (SSL) communications. The Web Proxy service works with any CERN-compliant Web browser, such as Internet Explorer or Netscape Navigator. Because the Web Proxy supports only these widely adopted Internet standard communication methods, it isn’t operating system dependent. Clients running Unix, Macintosh, or Windows operating systems can communicate with the Web Proxy service as long as they’re configured with a CERN-compliant Web browser.

Note: Any client with a CERN-compliant Web browser can communicate through the Web Proxy service, regardless of its underlying operating system.

WinSock Proxy Service
The WinSock Proxy service supports Microsoft Windows operating systems using Windows Sockets. This support is available for both Transmission Control Protocol/Internet Protocol (TCP/IP) and Internetwork Packet Exchange/Sequenced Packet Exchange (IPX/SPX) protocols. The WinSock Proxy service applies mainly to Windows clients, including Windows 3.x, Windows 95, and Windows NT.

Windows Sockets is an interprocess communication mechanism derived from the Berkeley Sockets interface (originally designed for Unix systems). The Sockets interface was extended to support Windows-based clients running Microsoft implementations of TCP/IP. The name given to this Sockets interface for Windows was WinSock (for Windows Sockets).

The WinSock Proxy service supports many more protocols than the Web Proxy service. Table 1 shows a partial list of the protocols supported by the WinSock Proxy service.

Note: The WinSock Proxy Service doesn’t support 16-bit IPX/SPX clients, such as the Windows 3.x 16-bit NetWare clients.

SOCKS Proxy Service
The SOCKS Proxy service supports SOCKS version 4.3a client applications such as FTP, Gopher, and Telnet. Operating systems like Macintosh and Unix can run SOCKS 4.3a and access the SOCKS Proxy service when communicating through the Microsoft Proxy Server. One limitation of the SOCKS proxy service on MPS is that it does not support UDP-based protocols.

Note: UDP-based protocols aren’t supported through the SOCKS Proxy service, but the WinSock Proxy service does support UDP for Windows clients.


SUMMARY

Proxy servers can be quite useful as connection and control points between two networks, especially between the Internet and an internal network. Microsoft Proxy Server provides several advantages when placed between two networks. The Microsoft Proxy Server serves as a common connection point for internal users, allowing them to access other networks and the Internet through it. The Microsoft Proxy Server can cache objects as they’re downloaded and even actively update the cache as objects expire, which can reduce the time users wait to get information. To protect users and internal servers from external malicious attacks, packet filtering can be enabled on the Microsoft Proxy Server to screen inbound traffic.

You can also use Microsoft Proxy Server to control internal users. Domain filtering prevents internal users from connecting to certain Web sites or locations. At the user account level you can use protocol or service restrictions to keep internal users from using certain services.

To keep track of what’s happening between your internal and external network, the Microsoft Proxy Server also allows logging for each of its major services: WinSock Proxy, Web Proxy, and SOCKS Proxy. You can monitor both inbound and outbound traffic with these types of logging.

The Microsoft Proxy Server also lets you publish documents on the World Wide Web for its own local Web server and for any number of other Web servers on the internal network. The Microsoft Proxy Server supports HTTP 1.1, Windows Sockets 1.1, and SOCKS 4.3a through its Web Proxy, WinSock Proxy, and SOCKS Proxy services, respectively. In addition, it can also use Secure Sockets Layer (SSL) encryption to protect data as it’s passed between the client and the server.