Before reading this chapter and installing Microsoft Proxy Server, make sure you have read and understand all the requirements presented in Chapter 3 of this book, "System Requirements and Preparation for Proxy Server." Chapter 3 details the system requirements for Microsoft Proxy Server and other important issues, such as connection methods. This chapter will explain the installation process in detail.
Unlike many other Microsoft Internet products, Microsoft Proxy Server is not being distributed for free. It's estimated retail price is $995 per server, with no connection licenses required. Microsoft Proxy Server will only run under Windows NT 4.0 and may be obtained through many channels. The most common channel most people will be using to get a copy of Microsoft Proxy Server is through the Internet. However, Microsoft may also be distributing Microsoft Proxy Server on an installation CD which may be obtained directly from Microsoft.
Microsoft Proxy Server can be downloaded from the Microsoft FTP site as a single installation archive. Many software vendors (this includes Microsoft) are distributing their "over the Internet" software in self-expanding archive files. Many novice users assume any file with an EXE extension that they download is the actual installation program. To make matters more confusing, some vendors do distribute their software in self-installing formats.
The way to test an EXE to find out if it is a self-extracting archive or an actual installation program is to use PKUNZIP.EXE to attempt to view the EXE as if it were a ZIP file. Most network administrators are familiar with ZIP and other archive file formats. ZIP files can be EXE files which can be run on their own without the main archive program (PKUNZIP.EXE) to extract the files contained inside. These EXE files can also be treated as though they were standard ZIP files. Microsoft Proxy Server is not distributed as such an EXE file. The file MSP.EXE is an NT installation application. However, the beta version of Microsoft Proxy Server was a self-extracting EXE file and was named CATAPULT.EXE. If you want to uninstall Catapult before installing Microsoft Proxy Server, you can unzip the archive CATAPULT.EXE as any other zip file. This will give you some practice at determining which EXE files are installation programs and which are self-extracting ZIP files. To test CATAPULT.EXE to ensure it is a self-extracting archive and not an installation program, run PKUNZIP.EXE on it like this:
PKUNZIP -v CATAPULT.EXE
The -v parameter of PKUNZIP.EXE will view the contents of the archive file without actually expanding it. This method can be used on any EXE file to test if it is a self-extracting archive. If the EXE is a normal program, PKUNZIP.EXE will report the following error:
PKUNZIP: (W04) Warning! XXXXXXXX.EXE - error in ZIP use PKZipFix
PKUNZIP: (E11) No file(s) found.
XXXXXXXX.EXE will be the program filename being tested. This error indicates that PKUNZIP believes there is an error in the archive and the EXE is therefore most likely a program of some kind. A normal display will show a list of all files contained in the archive as well as their imbedded pathnames.
MSP.EXE can be downloaded from ftp1.microsoft.com. It is located in the /msdownloads/proxy/i386 directory (for the Intel platform version of Microsoft Proxy Server). The archive will be at least 8 megs. Unfortunately, Microsoft does not prepare several smaller archive files for distributing Microsoft Proxy Server. This can be a pain if you are having trouble with a connection and cannot stay online long enough to get the entire 8+ meg file. Unlike BBS file transfers using a protocol like Zmodem , FTP file transfers cannot normally be resumed after a partial transfer attempt. If a download of an 8 meg file from the Internet fails for some reason, you have to start all the way from the beginning. Transferring many smaller files allows you to keep what was transferred successfully.
MSP.EXE can also be downloaded from the Microsoft web site, though it is significantly harder to find. At this time, Microsoft requires users to complete a questionnaire before being permitted to download Microsoft Proxy Server. Using the Microsoft FTP server avoids this questionnaire.
Service Pack 1 for NT 4.0 must be installed before Microsoft Proxy Server can be installed. This Service Pack can be found on the Microsoft FTP site ftp.microsoft.com in the \softlib\mslfiles directory. The filename is nt4_sp1i.exe. This is the Intel version of the service pack, but other versions of the service pack can also be found in this location. This service pack is an installation application, not a self-extracting zip file. Grab this application, run it, and then reboot your NT server. The installation process for the service pack simply installs replacement files into the NT directories (\winnt and \winnt\system32) and then forces you to reboot the server. Microsoft Proxy Server will now install without complaining.
Once an NT machine is ready for Microsoft Proxy Server, it can be installed by running MSP.EXE from the root directory of the Microsoft Proxy Server installation CD or by running the MSP.EXE application which was downloaded from Microsoft.
An initial licensing dialog box is displayed. Select Continue to proceed to the first installation dialog box, as shown in Figure 5.1.
At this stage, you can alter the directory Microsoft Proxy Server will be installed into. If you need to install Microsoft Proxy Server into a directory other than C:\MSP, select the Change Folder button and then locate the directory you want to install Microsoft Proxy Server into. If the default directory is acceptable, selecting the Installation Options button will continue the installation procedure to the next step, as shown in Figure 5.2.
This stage lets you select whether or not to install the Server and Client files, the Administrative tool, and Microsoft Proxy Server documentation. Microsoft has started a new approach to online documentation. The documentation for Microsoft Proxy Server is in HTML format and requires a web browser to read. This is a very handy form of documentation because cross-references from one section to another can be easily imbedded into the text.
The Install Microsoft Proxy Server check box allows you to set the installation of the Server and the Client share. Figure 5.3 shows the detailed view of the options of the check box. If any client files are installed, the installation routine will create a new network shared resource on the server called MSPCLNT. This shared resource contains all the necessary files for installing the WinSock Proxy client software onto workstations. The WinSock Proxy client software is required for non-CERN proxy-compatible software to function in a proxy environment. To determine which platform client files will be installed, highlight the Install Microsoft Proxy Server option and select Change Option. The dialog box shown in Figure 5.3 is then displayed.
You can cut down the amount of disk space used by the client share files by unchecking the systems architectures that do not apply to your network. The Alpha, MIPS, and PPC clients are NT-only clients. Microsoft only makes an NT OS version for these system architectures. Windows 95 is an Intel-only operating system. The Install Server check box controls whether or not the actual server software is installed. If you only need to install the WinSock Proxy client software, uncheck the Install Server check box. Uncheck all unneeded system architectures, select OK, and you will return to the main options dialog box.
You can always add support for clients of difference platforms at a later time by rerunning the installation routine and selecting platforms again.
If you only want the HTML documentation portion of Microsoft Proxy Server, clear the other two options and leave the HTML Documentation checked.
The Administration tool is actually the IIS Manager. This application is the gateway for accessing all control interfaces for Microsoft Internet server applications, such as the IIS Web Server and the Microsoft Proxy Server. You can install the Administration tool application on other NT machines that will need to access the Microsoft Proxy Server for configuration needs. Since the IIS Manager is installed at the same time as the IIS Web Server, installing the Administration tool is not needed on the server that will be running Microsoft Proxy Server. This option is mainly for adding the IIS Manager to other NT machines that might need to control the Microsoft Proxy Server.
Once you have selected all the appropriate options to install, select Continue to proceed with the installation. The Microsoft Proxy Server Cache Drives dialog box will be displayed as shown in Figure 5.4.
This dialog box allows you to indicate which local hard drives should be used to hold Microsoft Proxy Server cached information. The Microsoft Proxy Server cache should be set to at least 100 megs, plus 1/2 meg per support proxy client. Allocate as many hard drives as you feel you can to holding Microsoft Proxy Server cached information. If one cache drive becomes too full, Microsoft Proxy Server will begin to use other allocated drives for cache data. Controlling the cache is discussed in greater detail in Chapter 12, "Controlling the Proxy Server Cache." Select the desired drive(s), indicate the cache space to allocate to that drive, and select the Set button. Try to arrange at least 100 megs of cache between drives. Once you have indicated the cache arrangement, click OK to continue. The Network Configuration dialog box is displayed next, as shown in Figure 5.5.
This dialog box allows you to enter the IP addresses that should be considered as local addresses for the private LAN. This should include the IP address of any NIC installed in the NT server, even NICs which are connected directly to the Internet. Contacting all addresses entered here will be handled by the internal WinSockets of each workstation, and will not be forwarded to the Web Proxy or WinSock Proxy servers for outside remoting.
Addresses are entered in pairs and indicate a range. If you wish to enter a single address, enter the same address as the From and To address. Select the Add button to add the new address range to the Local Address Table (known as the LAT). Highlight an entry in the LAT side of the dialog box, and select Remove to remove the address.
Select the Construct Table button and the installation routine will examine the routing table information stored by the NT server itself. This should adequately set up the LAT with the correct values for your network. The Construct Table button will set the range of the subnet(s) the NT server is on into the LAT. This will also automatically set the range of private addresses which the InterNic has set aside for private networks into the LAT. On my own network, I have chosen the subnet of 220.200.200. This is not a private subnet range and may already be allocated to another valid Internet site. This can cause problems. You should set up the IP subnet for your LAN from one of the reserved addresses.
On the off chance a workstation on my private LAN attempts to connect to a real Internet site on the 220.200.200 subnet, Microsoft Proxy Server will consider the site to be local and never remote the connection attempt to the outside. This essentially cuts off sites on the real 220.200.200 subnet from my own LAN. So far, I have never needed to access any site within the 220.200.200.0 subnet, and I don't even know if this subnet is in use yet.
The subnets that have been set aside by the InterNic for use by private LANs to avoid Internet conflicts are:
Using any of the above subnets for a private LAN will ensure that no problems will arise due to conflicts with real Internet sites.
Clicking the Construct Table button will bring up the dialog box shown in Figure 5.6.
You can optionally indicate whether or not to include the known private subnets in your LAT by checking the first option. The Load from NT internal Routing Table check box allows the installation routine to pull from the internal routing table maintained by NT. This routing table controls TCP/IP traffic between all network interfaced on the NT server. You can indicate to pull subnets from all known interfaces, or just from a single interface card. The default is to pull from all interfaces. NT supports multiple NICs and so can be part of several different subnets. You should let the installation routing construct the table from all subnets the NT server is part of. Clicking OK will return you to the main LAT table dialog box.
If a LAN uses both IPX/SPX and TCP/IP between workstations and servers, you may optionally choose to have no addresses considered to be local. This will force the WinSock Proxy client software to utilize IPX as a transport method, and all TCP/IP traffic will be handled through Microsoft Proxy Server, even if the destination is within the private LAN. If IPX/SPX is the only protocol used between client and server, the addresses entered here as local IP addresses will not matter because WinSock Proxy will have to pass all TCP/IP packets to Microsoft Proxy Server for processing.
Once you have added all necessary IP ranges, selecting OK will continue the installation routine. The next stage will allow you to indicate how client workstations access Microsoft Proxy Server. Figure 5.7 shows this setup stage.
When the WinSock Proxy client software is installed on LAN workstations, the settings you indicate here will be used by clients. The top portion of this dialog box allows you to indicate how WinSock Proxy clients will access the WinSock Proxy server. When set to Computer or DNS name, the name you indicate in the entry field will by used by clients to access the WinSock Proxy server. This necessitates that your network has some form of name resolution capability, such as WINS or an internal DNS server available. If you do not use any internal name resolution service on your network, you will have to use the other option IP Address and indicate the IP address where Microsoft Proxy Server is running.
The figure shows the default setting of Machine or DNS name and my own NT server name loaded. Normal NT or Windows 95 machine names do not normally have a period (.) or a space in them, as does the one shown (Controller 4.0). This will cause problems with client setup: it isn't anything that can't be handled with a little manual editing, though. In order to alleviate client installation problems, it is best that the server name be a single word or a valid Internet-style name with no space. If a WINS server is running on the LAN, a static name entry can be added to the name database to represent the Microsoft Proxy Server (such as, MSP). If the machine name indicated at this point contains a space, the WinSock Proxy client software may only pick up the last part of the name. This will necessitate that the WinSock Proxy clients be manually configured for the correct machine name after installation.
One way around this problem, is to use the IP address of the Microsoft Proxy Server. This is the only choice if the LAN has no name resolution capability. It does cause extra configuration effort if the Microsoft Proxy Server is ever moved to a different machine because all client workstations will need to have their addresses modified. If Microsoft Proxy Server is accessed via a machine name, client workstations will simply resolve the name to a new address if the location of Microsoft Proxy Server changes (provided the machine name can follow the Microsoft Proxy Server to a new machine.) This is where a WINS server comes in very handy. If a static entry is added to represent the Microsoft Proxy Server, this is the only element that must be changed if the Microsoft Proxy server changes IP locations and clients are set to look for Microsoft Proxy Server via a network name.
The Enable Access Control check box controls how the WinSock Proxy server grants Internet access to clients. If this box is checked, the WinSock Proxy server will follow the access restrictions placed on individual protocols controlled by the WinSock Proxy. If this check box is unchecked, any WinSock Proxy client will be granted a connection to the Internet. If internal security is not an issue for your network, unchecking this option will save you some time in configuring access permissions. By default, no one has permission to use any protocols through the WinSock Proxy server.
The bottom portion of this dialog box allows you to indicate whether when installing the WinSock Proxy client software the workstation proxy settings should be altered as well. The Web Proxy element of workstation connections to Microsoft Proxy Server do not require any special client software, as WinSock Proxy connections do. However, they do need to have the proxy settings enabled in order to work correctly via proxy. The WinSock Proxy client installation routine can set these settings during installation if the Set Client setup to configure browser proxy settings check box is checked. The WinSock Proxy client setup routine can configure both internal Windows 95 Internet settings for Web Proxy use, as well as older versions of Internet Explorer and Netscape, which do not rely on the internal Internet settings maintained by Windows 95.
The Proxy to be used by client entry field allows you to indicate the proxy name or address the WinSock Proxy client installation routine should set the Web Proxy clients to communicate with. Again, the same precautions taken with naming conventions with the WinSock Proxy server name should be taken with the proxy server name.
The Clients Connect to Proxy via ## Port field is unchangeable. It indicates the TCP port that Microsoft Proxy Server will listen to for proxy traffic. This can only be changed by altering the port the IIS Web Server listens to and is done through the Web Server properties dialog box.
When the Enable Security check box of this area is checked, the Web Proxy will follow the security settings for client access. When this check box is not checked, any Web proxy client will be permitted access. If you do not have need for high security, you can uncheck this box.
Once these options have been set, select OK. The Microsoft Proxy Server installation routine will begin to install all necessary files. Once all files have been copied and installed, the IIS server will be restarted and Microsoft Proxy Server along with it. Microsoft Proxy Server is now running and listening for LAN traffic needing to get to the Internet. The NT server itself does not need to be restarted in order for Microsoft Proxy Server to be up and running correctly.
The default location of Microsoft Proxy Server is C:\MSP. Two sub directories branch off this directory. These are the C:\MSP\DOCS and C:\MSP\CLIENTS directories. The DOCS directory contains all of the HTML documentation files for Microsoft Proxy Server. Microsoft Proxy Server documentation can be read by selecting the Microsoft Proxy Server Documentation entry in the Microsoft Proxy Server folder (Start button, Programs, Microsoft Proxy Server folder). Figure 5.8 shows the path to the documentation:
In order to read the documentation, you must have a web browser installed on the NT machine that Microsoft Proxy Server is installed on. NT 4.0 installs IE 2.0, but you should obtain the most recent version of IE that is available.
The Microsoft Proxy Server Documentation entry simply starts up the default web browser on the system and loads the TOC_CAT.HTM. This is the Table of Contents document that links all chapters of the Microsoft Proxy Server Documentation.
As already mentioned, the Microsoft Proxy Server setup routine, if allowed, will create a new shared resource on the NT server called MSPCLNT. This is where the shared resource workstations should connect to in order to install the WinSock Proxy client software. Workstations do not need to map a network drive letter to this shared resource in order for the WinSock Proxy client installation software to run correctly. Some applications cannot be executed over a UNC (Universal Naming Convention) link. Instead, they must be run from a valid drive letter. Obviously most software created by Microsoft does not fall into this category. This means that the Network Neighborhood or the Windows Explorer can be used to run the WinSock Proxy client installation program. Figure 5.9 shows the Windows 95 Explorer with the MSPCLNT folder open without drive letter mapping.
The Microsoft Proxy Server installation routine sets the MSPCLNT share to be accessible to everyone on the network. Unfortunately, the share is also set to grant everyone full control over this resource, which means that workstations can modify or delete files contained in this share. It's advisable to modify the access permissions for this share on the NT server to make the share accessible to everyone, but only in read-only mode. This can be done through the NT Explorer. Open the NT Explorer, locate the C:\MSP\CLIENTS directory, and right click on it. A pop-up list will be displayed. Select the Sharing option. Figure 5.10 shows the dialog box for Sharing properties.
At this point, select the Permissions button. A new dialog box will appear, as shown in Figure 5.11.
You should change the Type of Access for Everyone for the MSPCLNT share from Full to Read. This will ensure that no client workstation on your LAN will inadvertently modify or delete files in this shared directory. Select OK until you return to the main NT Explorer display. If you later need to reinstall Microsoft Proxy Server for some reason, be sure and check to see if the installation routine has reset the permissions for the MSPCLNT share.
The Microsoft Proxy Server can be reinstalled to modify some of the installation settings when needed. SETUP.EXE, found in the C:\MSP\SETUPBIN directory, can be run to alter the installation settings of Microsoft Proxy Server. Running the installation routine again will preserve all settings that do not change. This is a simply way of altering such things as location of the client share and which client platforms are supported.
Running setup one more time will allow you to reconfigure the options you originally set during first installation. This is an easy way to modify such things as the Local Address Table and cache drive locations without having to go into the NT registry editor. Some of these settings can only be modified by reinstalling Microsoft Proxy Server. Luckily, permissions are preserved during a reinstall. Figure 5.12 shows the introductory dialog box after Microsoft Proxy Server has already been installed.
Selecting the Reinstall button will allow you to run through the installation process again, and reset any option you need to change. If the Local Address Table is modified, the machine will need to be restarted before the changes will take effect.
Components can be added or removed after the initial installation by selecting the Add/Remove button. If you need to reinstall components for WinSock Proxy clients because a network machine of a different architecture has been added, this is how to do it.
Microsoft Proxy Server can be removed by selecting the Remove All button from the setup dialog box. Microsoft Proxy Server can be removed successfully without having to restart the NT server it is running on.
There may be situations where Microsoft Proxy Server will not reinstall after a crash or other problem has arisen. Sometimes either the WinSock Proxy server of the proxy server will simply stop responding during startup and a reinstallation will not fix the problem. In these situations, you may need to remove the IIS Web server and reinstall it first before reinstalling Microsoft Proxy Server.
Microsoft Proxy Server is actually very resilient, if it must be installed many times. I have played around with some software that pukes after just two installations. For the task Microsoft Proxy Server does, it is actually a very simple sub service of the IIS web server. The largest part of it is made up of the client installation files for the multitude of system architectures that NT can operate on. Once Microsoft Proxy Server is installed, the job of configuring it begins.