4

Planning Your Installation and Configuration

Designing a network architecture for a LAN that will use Microsoft Proxy Server as its primary Internet gateway is one of the most important steps you will take. Microsoft Proxy Server can always be reconfigured pretty easily, but once the topology of a network is set, it is sometimes very difficult and time-consuming to change. This is especially true of medium or large networks. If you have the luxury of designing your network before it is used by tens or hundreds of users, you will be able to carefully plan out most of the foreseeable situations you might encounter. Unfortunately, most network administrators do not have the luxury of building a network before users become active on it.

Most networks come into being a piece at a time, and the design process is an ongoing chore, which is more of a problem-solving task than actual topology design. Most network administrators will inherit a network from a previous administrator. This means that the new administrator will not only have the job of trying to understand what has already been done, but also must figure out how to improve the network and upgrade it to current standards. Networking is one of the fastest growing segments of computer technology, and with the advent of the Internet as a daily business tool, learning how to properly integrate the two will ensure that your network has the capabilities that are needed in business.

This chapter discusses the issues of setting up a network for use with Microsoft Proxy Server and how to best implement Microsoft Proxy Server itself. This chapter obviously cannot possibly cover all the network scenarios that a network administrator will encounter. Hopefully this chapter will present enough information to enable you to deal with most situations that you may encounter and understand how to best deal with them.

In this chapter, I deal almost exclusively with Microsoft networking architecture and tools. While Novell still commands the majority of the networking market, NT and Windows 95 are making strong inroads on Novell's hold on the networking arena. Even if Novell servers and NDS (NetWare Directory Services) are used on a network which is partly Microsoft in design, they should not conflict with anything related to NT servers. In reality, NT servers and Novell servers get along quite nicely on a network, when properly configured. Windows 95 machines can run both the Microsoft networking client and the Novell networking client simultaneously to access both types of servers.

Designing the network

This section will discuss how a network should best be designed if a network administrator could have every wish granted. Obviously some of the topics discussed here can be optionally implemented, or implemented in an alternate manner to suit the specific needs of your own network. There are always multiple ways of getting something done, and not everyone has the same opinion on the best way to do a task. I don't claim that the advice given in this chapter has been clinically proven to be the best and voted as such by four out of five network administrators. However, I also don't believe I'm a dunce when it comes to network design, having installed more than my fair share over the past few years. The discussion presented in this chapter is my own personal opinion and should be taken as such.

The first decision that must be made is what network protocol will be used as the primary transport method for Microsoft Proxy Server. Microsoft Proxy Server can use either TCP/IP or IPX between workstations and the NT server running Microsoft Proxy Server. The NT server that runs Microsoft Proxy Server must have TCP/IP installed and working properly, but the workstations can use IPX exclusively.

Using TCP/IP or IPX

The TCP/IP protocol is the native protocol used on the Internet and has some advantages over just using IPX. Keep in mind that there are two components to Microsoft Proxy Server: the Web Proxy and the WinSock Proxy. The WinSock Proxy requires special client software to be installed on each workstation; it allows nearly any Windows Sockets application to communicate with the Internet through Microsoft Proxy Server. This client software renames the existing WinSock DLLs and installs replacements that forward TCP/IP traffic to the WinSock Proxy server when that traffic is destined for the outside world. If the traffic is to be kept local, the original WinSock DLLs take over and the WinSock Proxy server is not burdened with routing local traffic. Figure 4.1 shows a possible network architecture with TCP/IP.

Figure 4.1. A network with TCP/IP and Microsoft Proxy Server.

The figure shows that local TCP/IP traffic will be routed directly to any local Web servers that may be accessed by users of a network. Many businesses today are using intranet web servers for a wide range of business needs. Operations such as information distribution, database searching, and forms processing can all be handled via a well set up web server. Figure 4.2 shows a possible network architecture using only IPX on the workstations and IPX and TCP/IP used on the servers.

Figure 4.2. A network with IPX, TCP/IP, and Microsoft Proxy Server.

If IPX is the only network protocol available to the workstations, the WinSock Proxy will be required to handle all WinSock traffic, both local and external. As you can see in figure 4.2, even if a workstation is connected to a local web server, the WinSock Proxy will be required to act as an intermediary between the workstation and the web server. The web server and the WinSock Proxy server will communicate with each other via the TCP/IP protocol, but the workstations will communicate with the WinSock Proxy server via the IPX protocol. This will add more load to Microsoft Proxy Server if any local intranet servers are accessed frequently by LAN users.

A huge drawback to using only the IPX protocol as the transport method between workstations and Microsoft Proxy Server is that the Web Proxy portion of Microsoft Proxy Server will be completely unused. The Web Proxy requires workstations to use the TCP/IP protocol. If only IPX is used, the WinSock Proxy will be handling all traffic. The WinSock Proxy can handle all traffic that the Web Proxy can, but it does so through other methods. Keep in mind that the WinSock Proxy does not cache any information passing through it like the Web Proxy does. This means a greater amount of work will be placed on the WinSock Proxy, because it will have to go out to the Internet for every data request. The Web Proxy caches information which passes through it and will use this cached data whenever possible to cut down on the amount of time it has to go out to the Internet for information.

A benefit to using only the IPX protocol is tighter control and less configuration time. Admittedly, the TCP/IP protocol requires more network configuration than does the IPX protocol. Also, when IPX is used, network administrators can be certain that all LAN Internet traffic is being handled through one service (the WinSock Proxy). If you have a high speed connection to the Internet, and do not need to provide caching services to workstations, using the IPX protocol between workstations and Microsoft Proxy Server will eliminate your need for configuring two proxy servers. It will also prevent LAN users from doing things like setting up their own FTP or WWW servers: a workstation with no TCP/IP stack cannot run a TCP/IP server that other TCP/IP hosts can reach, no matter what software the user installs. I know many large companies want to restrict LAN users from setting up their systems to operate as servers. (Windows file and print sharing, which is what makes machines appear in the Network Neighborhood, is a separate matter; it runs over IPX as well as TCP/IP, so the protocol choice does not control it. Imagine a network with 500 or more computers all showing up in the Network Neighborhood when users go browsing: browsing performance would drop, and users would be swapping files without having to go through a network server.)

A new generation of semi-literate computer users is evolving who have the knowledge to circumvent network policy by doing things such as running their own FTP servers or WWW servers. By using only the IPX protocol, you can prevent clever LAN users from getting around company policies.

The benefits of the caching services built into the Web Proxy are hard to let go if your connection to the Internet is a small one compared to the number of users accessing the Internet from your LAN. My advice is to use the TCP/IP protocol, which will enable the use of both the Web Proxy and WinSock Proxy servers. A network will always have security problems from internal network users. Vigilant monitoring of network activity is the best way to ensure proper use of network services. As a network administrator you can always limit problem users to just the IPX protocol. There is no configuration issue which limits the entire network to just one of the transport methods Microsoft Proxy Server supports. The two can be used in concert with each other to achieve the desired results.

Private vs. Registered IP Addresses

The next most important issue to discuss when dealing with network setup is what IP address range should be used with a network. This discussion is only relevant when the TCP/IP protocol is used.

RFC 1918 sets aside several address ranges that can be used by private networks for their own TCP/IP configuration. These address ranges are never routed on the Internet and were set aside so that private networks could use the TCP/IP protocol and not conflict with any site found on the Internet. The private addresses are as follows:

  1. 10.0.0.0 to 10.255.255.255 (one class A network)
  2. 172.16.0.0 to 172.31.255.255 (sixteen class B networks)
  3. 192.168.0.0 to 192.168.255.255 (256 class C networks)

Throughout this book, you see my own personal examples of my network setup. You will note that the address range I have selected is the 220.200.200 class C range. This is not a private address range, and as such may already be registered to a site on the Internet. When I initially set up my own network, I just selected 220.200.200 because it was easy to type. Because this address range may already exist on the Internet, I have created a problem for Microsoft Proxy Server: the range appears in its Local Address Table (LAT), the list of address ranges the proxy treats as internal. If one of my workstations attempts to contact a server on the Internet within the 220.200.200 address range, Microsoft Proxy Server will consider this to be a local address and bounce the request back to the local network. I have in essence cut off part of the Internet from my own workstations. If you have done something similar, you would be well advised to take the time to reconfigure your network for one of the private address ranges mentioned previously.

If you are not familiar with address classes, here is a quick definition. A class A network holds about 16 million addresses; any IP address whose first number is between 1 and 126 belongs to a class A network (0 is reserved). These networks were all handed out long ago to large organizations such as IBM. A class B network holds roughly 65,000 addresses and is any IP address whose first number is between 128 and 191; the class B networks are also all spoken for. A class C network holds 254 usable addresses and is any IP address whose first number is between 192 and 223. It has been estimated that the InterNIC has enough class C networks to hand out for another four or five years. After that, the addressing scheme of the Internet will have to be altered to handle the ever-increasing growth rate.

The 127 subnet range is a special subnet range reserved for local addressing only. If you are an experienced network administrator, you will know that the IP address 127.0.0.1 is always a reference to the local host (computer). If you perform a PING on 127.0.0.1, and TCP/IP is configured correctly on your network, the local workstation should immediately respond to the ping request.

If you are like most people thinking about using Microsoft Proxy Server to service the Internet needs of your network, you will not have a dedicated connection and will be relying on a periodic dialup link via a modem (or set of modems) or ISDN. These periodic connections do not provide you with a permanent subnet of valid Internet IP addresses, so you will need to set up your network with one of the previously mentioned subnets. If you do have a dedicated connection of some kind, you will most likely have been given a valid class C subnet (or multiple subnets) address from the InterNic to use. If you have a dedicated connection and the know-how to correctly configure an NT server to act as the official gateway between your LAN and the Internet, each workstation on the network can have a valid presence on the Internet and not need to go through Microsoft Proxy Server for their connection.

When each workstation on a network has a valid Internet address, you as network administrator lose a great deal of access control. Workstations with their own Internet presence have free rein over Internet access, and NT acting as a plain router provides no per-user monitoring or restriction of that traffic. Microsoft Proxy Server, on the other hand, is designed specifically to monitor and restrict what clients do on the Internet. It is for this reason that Microsoft Proxy Server is sometimes the best choice for giving network users access to the Internet.

If you do have a dedicated connection to the Internet and have been given a valid class C network or networks, it is a good idea to just shelve those addresses and use a private range listed previously in this chapter. A huge advantage to this approach is that you can use the private class A network, or one of the private class B networks, if your network will need to support more than 254 workstations. Large networks that are forced to use multiple class C networks to cover the number of workstations are much more difficult to administer, because each isolated class C block has to be routed to the others. When you have the ability to use a larger network, administering a large LAN becomes much easier.
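The checks the last three sections describe, written out as an added example (my own illustration, not part of this chapter or of Microsoft Proxy Server): it classifies an address the classful way, tests it against the RFC 1918 private ranges, flags Local Address Table entries that overlap registered address space (the 220.200.200 mistake above), and picks a private range by host count. The LAT lists, the "network/prefix" notation for LAT entries and the size thresholds in recommend_private_network are assumptions made for the example.

```python
# Added example: address-plan checks for a proxy deployment. Not part of the chapter
# or of Microsoft Proxy Server; the LAT lists and thresholds below are assumptions.
import ipaddress

# RFC 1918 private ranges: one class A, sixteen class Bs, 256 class Cs
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")


def address_class(ip):
    """Classful class and default mask, as the chapter describes them."""
    first_octet = int(ipaddress.ip_address(ip)) >> 24
    if first_octet == 127:
        return ("loopback", "255.0.0.0")
    if first_octet < 128:
        return ("A", "255.0.0.0")
    if first_octet < 192:
        return ("B", "255.255.0.0")
    if first_octet < 224:
        return ("C", "255.255.255.0")
    return ("reserved", None)          # 224-255: multicast and experimental


def is_private(ip):
    """True when the address lies in one of the RFC 1918 ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_RANGES)


def public_lat_entries(lat):
    """Local Address Table entries ('network/prefix' strings, an assumed notation)
    that overlap registered Internet space. Any such entry hides that part of the
    Internet from every workstation behind the proxy."""
    bad = []
    for entry in lat:
        net = ipaddress.ip_network(entry, strict=False)
        private = any(net.subnet_of(p) for p in PRIVATE_RANGES)
        if not private and not net.subnet_of(LOOPBACK):
            bad.append(entry)
    return bad


def is_local(lat, dest):
    """Would the proxy treat dest as an internal address (and not forward it)?"""
    addr = ipaddress.ip_address(dest)
    return any(addr in ipaddress.ip_network(e, strict=False) for e in lat)


def recommend_private_network(host_count):
    """Example policy, not the product's: the smallest private range that holds all
    workstations in one subnet, so no routing between class C blocks is needed."""
    if host_count <= 254:
        return "192.168.0.0/24"
    if host_count <= 65534:
        return "172.16.0.0/16"
    return "10.0.0.0/8"


# Constructed LATs: the chapter's own 220.200.200 scheme and a corrected one
AUTHOR_LAT = ["220.200.200.0/24", "127.0.0.0/8"]
FIXED_LAT = ["192.168.10.0/24", "127.0.0.0/8"]

if __name__ == "__main__":
    print("registered space in LAT:", public_lat_entries(AUTHOR_LAT))
    print("220.200.200.45 treated as local:", is_local(AUTHOR_LAT, "220.200.200.45"))
    print("after the fix:", is_local(FIXED_LAT, "220.200.200.45"))
    print("range for 2000 hosts:", recommend_private_network(2000))
```

Run public_lat_entries against your own LAT before going live; anything it returns is a slice of the Internet your workstations will never reach.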

Other NT Services

Once you have decided what protocol and IP subnet to use (if you will be using TCP/IP), the next step is to decide whether DHCP (Dynamic Host Configuration Protocol) will be used and what form of name resolution (if any) will be used on your network.

DHCP is an NT service which is designed to hand out IP configurations to workstations on a network. Workstations set to use DHCP broadcast a datagram at startup requesting configuration information from the network. DHCP servers are designed to hear these broadcasts and respond with setup information pertinent to the network architecture. DHCP greatly cuts down on the amount of administration work an administrator must do for each workstation on a network. Imagine having a 200 workstation network and having to manually configure the IP address for each workstation. It would not only be time-consuming, but also very inflexible. Should something change on the network, it would be a huge task to alter the IP address scheme. Using DHCP gives the network administrator the ability to centralize the TCP/IP configuration of all workstations. Should the TCP/IP arrangement of a network change, only the DHCP server needs to be reconfigured.

The Microsoft DHCP service is an NT service that can run on any NT server; it does not have to run on the primary domain controller or a backup domain controller. Because workstations locate it by broadcast, and routers do not forward broadcasts by default, a workstation booting on the far side of a router will never find a DHCP server on its own. You can bridge that gap with a relay agent (NT 4.0 Server includes a DHCP Relay Agent service, and many routers can be configured to forward DHCP/BOOTP broadcasts to a named server address); without one, each routed segment needs its own DHCP server.

If you are unfamiliar with the Microsoft DHCP service, the NT online help covers it in detail. By default, it is not installed. Run a single DHCP server for a network where you can; if you must run more than one, give them scopes that do not overlap, because nothing stops two DHCP servers from handing the same address to two workstations.

Another network element that must be considered is a name resolution mechanism. In NT 4.0 two name-resolution mechanisms are available: WINS (Windows Internet Name Service) and DNS (Domain Name System). WINS is a Microsoft-only service that performs NetBIOS name resolution; Microsoft clients will also fall back to it for Internet-style host names, but only Microsoft clients can. It is not supported by UNIX, Mac, or OS/2 systems. These systems must rely on the globally accepted DNS resolution method.

The ability to resolve Internet-style names to IP addresses adds a great deal of flexibility to your network. When LAN clients contact Microsoft Proxy Server (either the Web Proxy or the WinSock Proxy service), they can do so directly by IP address, or by NetBIOS or Internet-style name. If all workstations address Microsoft Proxy Server by a static IP address, moving Microsoft Proxy Server is a tough task: every workstation has to be changed by hand to the new address. On large networks, this can be very time-consuming.

When clients are set to access Microsoft Proxy Server via a name, the location of Microsoft Proxy Server can easily be changed by altering the IP address that is resolved to the name in question. For example, a static mapping in the WINS server can be established for PROXY at 192.168.10.101. Should the location of Microsoft Proxy Server change, the static mapping for PROXY can be edited to point to the new IP location. All workstations would immediately begin to resolve the name "PROXY" to the new address.

If your network must support workstations of other platforms, such as UNIX or Macintosh, you will need to provide DNS resolution. NT 4.0 ships with a DNS service that can run alongside the WINS service without conflict. Note the resolution order on a Windows workstation configured for both: for NetBIOS names it consults WINS before DNS, but a Windows Sockets application such as a web browser resolving a host name consults the HOSTS file and DNS first and falls back to WINS, so register the proxy's name in whichever service its clients will actually use. Entire books have been written on the topic of WINS and DNS, and it's not the purpose of this book to describe how to set them up. Their basic functionality requires little extra networking knowledge, and their presence on a network can greatly enhance the functionality of services such as Microsoft Proxy Server or other Internet-style servers.

Use Web Proxy, WinSock Proxy, or Both

By now you should understand that Microsoft Proxy Server is actually two separate services running along side of each other. The Web Proxy server is a CERN-compliant proxy server that provides cross-platform proxy services to any client that is capable of interacting with a CERN-compliant proxy. The Web Proxy can handle HTTP, FTP, and Gopher traffic from clients all through TCP/IP port 80 (This is a default, but this port can be changed). Clients such as Internet Explorer and Netscape Navigator all have the built-in ability to communicate with a CERN-compliant proxy server. Other Internet clients like WS_FTP also have the ability to communicate via CERN proxy standards.

The WinSock Proxy is very new and is currently only supported by Windows environments. The WinSock Proxy involves special client software, which takes traffic that is destined to the outside Internet and redirects it through the WinSock Proxy server. When the WinSock Proxy client software is installed on Windows systems, nearly any WinSock application can have access to the Internet, even if it does not have built-in CERN proxy communication ability.

Benefits of using the Web Proxy are:

  1. No client software to install: any CERN-compliant client on any platform can use it.
  2. Caching of HTTP, FTP, and Gopher data, which reduces the traffic on the Internet link.

Benefits of using the WinSock Proxy are:

  1. Nearly any Windows Sockets application can reach the Internet, including mail clients and others with no built-in proxy support.
  2. Workstations can run IPX alone, with no TCP/IP configuration on the desktop.
  3. All Internet traffic from a workstation passes through one service, which simplifies control.

Both services can be configured in detail for security and site restrictions. If you do not want to provide support for any client other than a web browser, you will not need to worry about dealing with the WinSock Proxy. This will cut your configuration chores down by at least half. Using only the Web Proxy will also ensure that the special WinSock Proxy client software does not cause any configuration problems on workstations. I have not seen the WinSock Proxy client software cause any problems to date, and I have put it through its paces enough to be comfortable with it. However, I also know that my network does not encompass all possible scenarios either.

Most small networks will need the services of both servers. I say this because most small networks will not have high end NT services such as an Exchange gateway available to them. The Web Proxy handles only HTTP, FTP, and Gopher, so the most common gap it leaves is mail clients. If your network users use a mail program such as Eudora to retrieve their mail from an Internet host, the Web Proxy alone will not be able to give them this access. On medium or large networks, it is more common to find an Exchange server available. An Exchange server is another Microsoft product which provides network and Internet mail services to LAN users. The Exchange client is commonly accessed by workstations as the Inbox icon found on the desktop. When an Exchange server is available, the only part of Microsoft Proxy Server that is normally needed is the Web Proxy. However, some WWW functionality may be lost if only the Web Proxy is used. It is becoming more common for web browsers to launch helper applications such as Shockwave and the RealAudio player without the user noticing. These kinds of clients do require the WinSock Proxy because they do not communicate via CERN proxy standards. Again, it may be better not to support these kinds of clients because they consume an exceedingly high amount of bandwidth. Shockwave and RealAudio involve high volume transfers of sound, video, and animation data. These kinds of clients can quickly drag down the entire performance of a network's Internet connection.

Physical Distribution

The most common use of Microsoft Proxy Server will be through small Internet connections. If you have only one large dedicated connection Microsoft Proxy Server will be using, the physical setup is simple. However, if you will be using multiple smaller connections, you have some decisions to make as to how Microsoft Proxy Server will be used on each connection.

A WINS server or a DNS server can be used to spread clients across multiple Web Proxy servers. Don't confuse this with multiple Web Proxy servers working together as one unit. This is not a feature of the current release (1.0) of Microsoft Proxy Server. A WINS server can be easily configured to resolve a name for a multihomed group. A static mapping can be added to the WINS database that represents all available Web Proxy servers on the network. For example, a multihomed group called WEBPROXIES can be added to the WINS database. This group would list the IP addresses of the participating members of the group. When referenced by a client, the WINS server would select the IP address of a member of the group to resolve the name to. The selection criterion is the proximity of the group member to the client asking for name resolution: members of the group within the same subnet as the client are preferred over members outside the subnet. If there are no close candidates within the group, the WINS server will select a member at random.

Through this method, you can set up a group of Web proxy Servers that will be used by users of a network addressing a proxy server named WEBPROXIES (for example). Figure 4.3 shows this possible arrangement.

Figure 4.3. Multiple Web Proxy Servers cascaded by a WINS Server.

In this example, we can assume that a multihomed group called WEBPROXIES has been set up on the WINS server. In this group, the IP addresses for Alpha, Beta, and Gamma have been established. When any of the workstations attempt to address WEBPROXIES, the WINS server will pick the best candidate out of the group and resolve the name request to that IP address. If the requesting workstation had been on a subnet with no group member, the WINS server would have resolved the name to a randomly selected member of the group.

Through this name resolution method, you can set up a group of cascading Web Proxy servers for a network so that the work load of Internet traffic will be spread out among multiple Web Proxy servers. However, you are not required to use a WINS server. You can manually configure each workstation to access a specific Web Proxy server. If you have multiple Internet channels, you should do your best to distribute the work load equally among them.

WinSock Proxy servers should not be arranged in this manner. A workstation should be specifically configured to access one WinSock Proxy server. If a group of WinSock Proxy servers are arranged in a cascading group, Internet clients will not function properly. WinSock Proxy clients must have a constant connection to a single WinSock Proxy server to operate correctly.

User Groups vs. Task Groups

When you are configuring members of your network to access specific Web Proxy servers, you have two choices to consider. In the proxy configuration area of the Internet control panel, you can specify the address to be used for the HTTP proxy, the FTP proxy, and Gopher proxy. To spread out the traffic load among multiple Web Proxy servers, you can opt to divide your LAN users into groups assigned to each available Web Proxy server, or you can set all users to access a separate Web Proxy server for each type of connection they need to make.

Since FTP traffic will cause the most stress on a connection, you might want to assign all Web Proxy users to access a dedicated FTP Proxy server, and leave another Web Proxy server dedicated to only serve out HTTP connections. The Web Proxy server serving out FTP connections should have the largest available connection. This approach may help increase the contentment your network users have with your proxy arrangement. Because access to the Web is generally more interactive than downloading files via FTP, you want to make sure your users are not staring blankly at their screens waiting for an HTML document to pop up.

Unfortunately, the protocols supported by the WinSock Proxy server cannot be split up like the protocols supported by the Web Proxy server can. When a workstation is configured to access a WinSock Proxy server, that server will be used for all protocols supported. This being the case, you should be thorough in understanding what activities your network users will be doing through the available WinSock Proxy servers. Users who access a WinSock Proxy server just to retrieve e-mail will place far less load on the server than users drawing a RealAudio feed. Spread users out based on the amount of traffic they will generate for each WinSock Proxy server, not on head count.
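As an added illustration of the point made in the last two paragraphs (my own example, not part of the chapter or of Microsoft Proxy Server): a greedy assignment that places the heaviest users first on the currently least-loaded WinSock Proxy server, compared with a plain head-count split. The per-activity weights, the user list, and the server names are constructed for the example; replace the weights with figures from your own proxy logs.

```python
# Added example: balancing users across WinSock Proxy servers by expected load.
# Not the product's code. Weights and users are constructed for illustration.

# Hypothetical relative load per activity (assumption; derive yours from logs)
LOAD = {"mail": 1, "web": 3, "ftp": 6, "realaudio": 10}


def split_numerically(users, servers):
    """Naive split: equal head count per server, ignoring what each user does."""
    assignment = {server: [] for server in servers}
    for index, (name, _activity) in enumerate(users):
        assignment[servers[index % len(servers)]].append(name)
    return assignment


def split_by_load(users, servers):
    """Greedy balance: heaviest user first, each to the least-loaded server so far.
    Ties are broken by server name so the result is deterministic."""
    assignment = {server: [] for server in servers}
    load = {server: 0 for server in servers}
    heaviest_first = sorted(users, key=lambda user: LOAD[user[1]], reverse=True)
    for name, activity in heaviest_first:
        target = min(servers, key=lambda server: (load[server], server))
        assignment[target].append(name)
        load[target] += LOAD[activity]
    return assignment


def server_loads(users, assignment):
    """Total expected load per server for a given assignment."""
    activity_of = dict(users)
    return {server: sum(LOAD[activity_of[name]] for name in names)
            for server, names in assignment.items()}


def imbalance(loads):
    """Gap between the busiest and the quietest server."""
    return max(loads.values()) - min(loads.values())


# Constructed user list: (user name, main activity through the WinSock Proxy)
USERS = [("alice", "realaudio"), ("bob", "mail"), ("carol", "realaudio"),
         ("dave", "mail"), ("erin", "ftp"), ("frank", "mail"),
         ("grace", "web"), ("heidi", "mail")]
SERVERS = ["WSP1", "WSP2"]   # hypothetical WinSock Proxy server names

if __name__ == "__main__":
    for label, splitter in (("head count", split_numerically), ("by load", split_by_load)):
        plan = splitter(USERS, SERVERS)
        loads = server_loads(USERS, plan)
        print(f"{label:10s} {plan} loads={loads} imbalance={imbalance(loads)}")
```

With these figures the head-count split leaves one server carrying most of the RealAudio and FTP traffic while the other idles on mail; the load-aware split ends up within one unit of even.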

Site Filtering

By far, the most powerful feature Microsoft Proxy Server has for controlling the amount of Internet traffic caused by LAN users is the ability to filter out access to specific sites on the Internet. Both the Web Proxy and the WinSock Proxy can be set to filter out access to all or just some sites on the Internet. By default, there is no filtering policy set for either server. However, it is a simple task to add a filter for certain sites, or you can set a general no access policy for the entire Internet and set exceptions to the rule.

There are many distractions on the Internet, and one of the biggest problems a company has once network users have desktop access to the Internet is wandering minds. One of the more popular office distractions these days is a software package known as the Pointcast screen saver. The Pointcast screen saver is a Windows 95 screen saver that goes out to the Pointcast site on the Internet and transfers all manner of news and information back to the user's machine, where it is displayed throughout the day whenever the screen saver kicks in. When you have hundreds of LAN users all generating Internet traffic for a screen saver, your Internet bill might be an ugly thing. I happen to know that the Pointcast screen saver will operate through the Web Proxy server, so the information that comes into the network will be cached and usable by other network users. However, the range of information the Pointcast screen saver can retrieve is very wide, and the information is updated many times a day. While the caching element of the Web Proxy server will help, LAN users will still generate a lot of Internet traffic.

In this example, the Pointcast site pointcast.com could be filtered from access by the network administrator. This would eliminate the traffic problem entirely (It might make many of the network users mad, but what the hey. They're not paying the bill, are they?).

Unfortunately, site filtering is still rough around the edges and does not support many filter options. Site filtering is done on a yes or no basis only. Perhaps future releases of Microsoft Proxy Server will be able to filter by time of day and by specific user. Currently, though, the Web Proxy can only globally permit or deny access to the filtered sites.

If you need to really restrict access to the outside Internet, a global deny policy can be set, and a few exceptions to this rule can be defined. This basically controls which Internet sites your network users will have access to. Filter entries can name a single computer, a group of computers (an address and mask), or a domain. A domain entry matches what the client asked for by name, so if users could reach a site by typing its IP address instead, list the site's addresses as well and check the result against your own server's behavior. Unfortunately, Microsoft Proxy Server does not have the ability to filter sites on a per-user basis; you cannot define filters for specific users. Perhaps this will be a feature in later releases of Microsoft Proxy Server, although I have not heard of this yet.
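An added example (mine, not the chapter's or Microsoft's code) of the two policies described above, evaluated over filter entries of the three kinds the product's domain filter accepts: a single computer, a group of computers given as address plus mask, and a domain. It also shows the check a practitioner wants: in this model a domain entry matches only requests made by name, so a site reached by its IP address slips past a name-only deny list unless its addresses are listed too. Treat that matching rule as the example's own model, to be verified against your server. The address ranges are documentation ranges standing in for real sites (they are not pointcast.com's addresses), and the class and method names are my own.

```python
# Added example: evaluating Microsoft Proxy Server-style site filters. Not the
# product's code; the matching rules below are this example's model of it.
import ipaddress


class SiteFilter:
    """default_allow=True  -> allow everything except the listed sites
       default_allow=False -> deny everything except the listed sites (the exceptions)
    Entries: a single computer ('198.51.100.7'), a group of computers
    ('203.0.113.0/255.255.255.0' or '203.0.113.0/24'), or a domain ('pointcast.com')."""

    def __init__(self, default_allow, entries):
        self.default_allow = default_allow
        self.entries = [self._parse(entry) for entry in entries]

    @staticmethod
    def _parse(entry):
        try:
            # single computer (/32) or address + mask
            return ("net", ipaddress.ip_network(entry, strict=False))
        except ValueError:
            # anything that is not an address is treated as a domain name
            return ("domain", entry.lower().strip("."))

    def listed(self, target):
        """target is what the client asked for: a host name or a dotted address.
        A domain entry matches the name and every name below it, on a '.'
        boundary, so 'pointcast.com' does not match 'notpointcast.com'.
        A request made by address is matched only by address entries (assumed)."""
        try:
            addr = ipaddress.ip_address(target)
        except ValueError:
            addr = None
        host = target.lower().strip(".")
        for kind, value in self.entries:
            if kind == "net" and addr is not None and addr in value:
                return True
            if kind == "domain" and addr is None:
                if host == value or host.endswith("." + value):
                    return True
        return False

    def allowed(self, target):
        hit = self.listed(target)
        return (not hit) if self.default_allow else hit

    def gaps(self, names_to_addresses):
        """(name, address) pairs where the decision by name and by address disagree,
        i.e. sites a user could reach by typing the address. Input is constructed."""
        return [(name, addr) for name, addr in names_to_addresses.items()
                if self.allowed(name) != self.allowed(addr)]


# Constructed policies. 203.0.113.0/24 and 198.51.100.0/24 are documentation
# ranges standing in for real sites; they are not pointcast.com's addresses.
DENY_LIST = SiteFilter(default_allow=True, entries=["pointcast.com"])
DENY_LIST_CLOSED = SiteFilter(default_allow=True,
                              entries=["pointcast.com", "203.0.113.0/255.255.255.0"])
EXCEPTIONS_ONLY = SiteFilter(default_allow=False,
                             entries=["microsoft.com", "198.51.100.7"])

if __name__ == "__main__":
    lookup = {"www.pointcast.com": "203.0.113.10"}   # constructed name -> address
    print("deny list gaps:", DENY_LIST.gaps(lookup))              # one gap
    print("after adding the range:", DENY_LIST_CLOSED.gaps(lookup))  # []
    print("exceptions only:", [EXCEPTIONS_ONLY.allowed(t) for t in
                               ("www.microsoft.com", "www.pointcast.com")])
```

The deny-everything-with-exceptions policy has no such gap by construction: anything not listed, by name or by address, is refused.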

Granting Internet Access

Obviously, one of the strongest elements of Microsoft Proxy Server is its ability to utilize the internal security system of NT. You have to decide which of your network users will have access to the Internet and which ones will not. You should become familiar with the User Manager for Domains. This utility controls the user database of NT and can be used to define new security groups and set user access rights.

Before you set up Microsoft Proxy Server, you should take some time to decide how you are going to configure security groups. Working with groups of users who share common needs is far easier than trying to configure individual user access for each protocol supported by both the Web Proxy and the WinSock Proxy. Once you have defined a group, or set of groups, for Internet access, you can configure security for the Web and WinSock Proxy servers much more readily.

Unfortunately, Microsoft Proxy Server does not have the ability to configure access for specific times of the day and night. If you have a large network of users, but a relatively small link to the Internet, it would be nice to have the ability to separate a morning group and an afternoon group of Internet users. This would go a long way to more evenly distributing the traffic load the Internet link sustains throughout the day. I have been in large network environments and I have found that the Internet connection is slowest about an hour after everyone gets in the morning (after everyone has had a cup of coffee and talked with their cube mates) and about a 1/2 hour after lunch (when people really don't want to get back to work and would much rather go see what's new on their favorite Internet site).

Perhaps later releases of Microsoft Proxy Server will have a wider range of time-driven access controls. For right now, you'll have to make do with security groups defined within User Manager for Domains.

The Decision Process

The following is a suggested list of decisions you will need to make when setting up Microsoft Proxy Server:

  1. Which network protocol will be used to transport data between workstations and Microsoft Proxy Server? TCP/IP or IPX? If IPX will be the protocol used, you will not need to worry about configuring the Web Proxy server.
  2. What IP address range will your network be using? Will the addresses fall within the private ranges, or will you be using a set of registered addresses?
  3. Does your network have all the desired services up and running to support name resolution (through WINS or DNS) and dynamic host configuration (through DHCP)?
  4. Will you be using the Web Proxy server, the WinSock Proxy server, or both? Small networks will probably need to use both while larger networks may only need to use the Web Proxy.
  5. How will the physical layout of your proxy server(s) be set? If you will be using more than one Web Proxy, will you arrange your users into groups to access each Web Proxy, or will you set each Web Proxy to perform transport for a specific protocol?
  6. If you have multiple WinSock Proxy servers, distribute the traffic load equally, not just the head count.
  7. If you have multiple Web Proxy servers, will you be using name resolution to cascade access to them?
  8. Will you allow any access to the Internet, or will you filter access to certain sites? Will you deny access to the Internet as a general rule and then set exceptions to that rule?
  9. If your Internet connection is relatively small for the number of users you have on your network, which users truly need Internet access and which ones simply want Internet access? Use the User Manager for Domains to configure security groups.

Summary

Do yourself a big favor and thoroughly think through the installation and implementation of Microsoft Proxy Server. Once Microsoft Proxy Server is in place, it's difficult to alter the architecture. Try to think of all the future possibilities you can, and make allowances for them. Many network administrators fail to look far enough down the road and cause a lot more work for themselves than is necessary. Hopefully this chapter gives you some food for thought about the setup process. I certainly don't cover all the possibilities, but hopefully I cover enough to let you think of other things that might need to be considered.