10

Proxy Server Performance Issues

The premise behind the use of Microsoft Proxy Server is that an entire network of local users accesses the Internet through one nexus point (the gateway computer on which Microsoft Proxy Server is running). Depending on how large your network of users is and how often they access the Internet, the stress on the Microsoft Proxy server may require you to optimize it for the job of gatewaying data from 10, 100, or perhaps even more connections.

The majority of LANs in use by everyday people and businesses are 10 Mbps (megabits per second) networks. By comparison, a T1 line (the most common line used by businesses to bring Internet access to an office LAN) is only a 1.54 Mbps channel. Though this speed is very fast by Internet standards (compared to a standard dialup connection at 28.8 Kbps or 0.0288 Mbps), a 10 Mbps network can quickly overload a T1 line. With the onset of newer 100 Mbps networks, a T1 line seems almost puny by comparison.

It's important that the Microsoft Proxy server on a LAN be set up as efficiently as possible to handle outbound and inbound Internet traffic. There will be inevitable hiccups in Internet related traffic if the outside channel is overloaded, but it is your job as the network administrator to see to it that there are no network hiccups due to server inefficiency.

NT Network Priority

Even though Windows NT Server is designed as a network-oriented system, user applications can still be executed on it while background network services are being performed. Novell servers do not permit any execution of normal applications on the server itself. This is one of the major differences between NT servers and Novell servers. People have opinions on both sides of the fence on this issue.

By default, NT gives quite a bit of CPU attention to any task that may be executing in the foreground on the server. If no user tasks are being executed, the priority NT gives to foreground execution is not an issue. However, if a Microsoft Proxy server will also be used as a network workstation, the application performance boost time should be lowered in order to ensure that Microsoft Proxy Server traffic is not slowed down.

To alter the boost time NT gives to foreground applications, complete the following steps:

  1. Open the Control Panel.
  2. Within the Control Panel, select the System icon. The System applet will execute and the System Properties dialog box will open.
  3. Select the Performance tab (see Figure 10.1). From this point, you can adjust the Boost Slider as needed.

    Figure 10.1. The Performance tab of System Properties.

    By default, the boost slider is set to the maximum value. This gives a great deal of extra CPU time to any foreground application. Moving this slider to the left decreases the boost time.

  4. Moving the slider all the way to the left (None) forces NT to handle background and foreground tasks equally. The best value here should be "None".

Once the boost slider has been adjusted, simply select OK. The NT server must be restarted in order for the new settings to become effective.

Screen Savers

While screen savers may look nice and can also increase server security, the high-end screen savers of NT 4.0 can be real CPU hogs. The OpenGL screen savers, while very impressive, can be real drains on server performance. It is suggested that no high-end screen saver be used on any NT server that is responsible for any significant amount of network traffic. If a password-protected screen saver is being used on an NT server to prevent unauthorized access to the server, simply logging off of the server will accomplish the same thing without placing any additional overhead on the duties the server must perform. In fact, NT servers perform better when no one is logged on to them (resources consumed by the Explorer shell are freed up when no one is logged on).

Unbinding Unneeded Services from the Internet Gateway

When new NICs (Network Interface Cards) are set up under NT, NT automatically binds all appropriate installed services to the cards. These services range from actual protocols to services such as WINS (Windows Internet Name Service). NT assumes that all NICs are destined to be full network interfaces. Because the purpose of Microsoft Proxy Server is to establish Internet connections to the outside world for LAN workstations, certain protocols and services can be unbound from the NIC that Microsoft Proxy Server will use to channel Internet destined data from the network. This will improve network performance over the Internet channel.



Caution

Unbinding base elements from a NIC may cause higher level services to fail. When a base element (such as a protocol) is unbound from a NIC, make certain that no dependent services are still bound to that NIC.


If a base-level service is unbound and some network services do not start on the next boot, rebind the service/NIC in question to remedy the situation. Unbinding network services should not prevent NT from being able to start. Such actions might simply stop the NT server from seeing or being seen on the network.

If RAS (Remote Access Services) is the primary Internet channel, special care must be taken to ensure that RAS is not adversely affected because of unbinding elements. The primary NIC that connects the Microsoft Proxy server machine to the rest of the LAN should also not be touched. Only alter the bindings of the NIC that gives Microsoft Proxy Server its Internet connection.

Alteration of network bindings is done through the Control Panel via the Network icon. To access the bindings dialog, complete the following steps:

  1. Open Control Panel.
  2. Select the Network icon.
  3. Select the Bindings tab (see Figure 10.2).

Figure 10.2. Network bindings for all Services.

The Show Bindings for drop-down list can be used to change how the bindings are displayed. Bindings can be displayed from the top down (to see which NICs are bound to what services), or from the bottom up (to see which services are bound to which NICs). Depending on how the bindings need to be altered, the view of the bindings can be adjusted. For the changes described here, it is best to view the protocol bindings. This will display a list of the protocols and the base elements to which they are bound.

In the Show Bindings for drop-down list, select all protocols. The protocol bindings are shown in Figure 10.3.

Figure 10.3. Network Bindings for all protocols.

All bindings on the Internet NIC that are not related to the TCP/IP protocol can be disabled (unbound). Your arrangement of protocol bindings may be different than the one shown in Figure 10.3. On my system, I do not have a dedicated Internet channel and have to use RAS to connect my LAN to the Internet.

RAS channels can be treated like regular NICs for binding purposes. If RAS is used for dial-in access to a LAN, make certain that inbound callers can get by with just the TCP/IP protocol. If RAS callers will need other protocols and services on the RAS channel, the bindings can still be adjusted to move the TCP/IP protocol bindings high in the priority chain.

Because the binding list of your network may appear different than the one shown in Figure 10.3, the Netbeui binding will be used as an example. To unbind the Netbeui protocol from the RAS channel (or from a dedicated NIC), complete the following steps:

  1. Select the + sign to the left of the Netbeui protocol. This will expand the binding details of the Netbeui protocol. The details for the Netbeui protocol are already shown as expanded in Figure 10.3.
  2. Lower elements (network NICs and RAS Wrappers) that are bound to the Netbeui protocol are displayed. Highlight the first reference to the Remote Access WAN Wrapper.
  3. Select Disable.

All channels that have their bindings disabled from a protocol are denoted as such by a universal NO sign (red circle with a slash through it.)

Complete this procedure for all references to the specific NIC or RAS channel that is to be streamlined for the TCP/IP protocol. In order to ensure network stability, only unbind the Internet NIC from the Netbeui and IPX/SPX protocols. All other bindings should remain intact unless you are very familiar with altering bindings. Services such as WINS and DHCP are related specifically to the TCP/IP protocol and should not be altered.

Changing the NIC Hierarchy in Bindings

If the hierarchy of network interfaces needs to be adjusted to give the Internet NIC the highest priority when dealing with TCP/IP data, this can be easily done. Rather than selecting the Disable button to unbind a NIC from a protocol, the Move Up button can be used to raise the selected NIC or RAS channel in the binding hierarchy. If all bindings must be kept intact, but the performance of the Internet NIC still needs to be improved, moving the Internet NIC up in the binding hierarchy will do just that.

Removing Unneeded Network Services

Another way of streamlining an NT server for Internet gatewaying is to remove all nonessential services or move the services to another NT server on the network. Many NT administrators make the mistake of overloading an NT machine with all network services simply for the ease of having all services in one centralized location that is easier to manage. An efficient network is one that has network services such as WINS, DHCP, gatewaying, DNS, WWW Servers, and RAS spread out over as many NT servers as possible.

Converting to NTFS

NT 4.0 supports two types of hard disk formats: traditional FAT and NTFS (NT File System). Because a large amount of Internet information will (hopefully) be stored in Microsoft Proxy Server's disk cache, it is a good idea to convert all hard disks on any NT server to the NTFS format. NTFS format has several major advantages over FAT:

The major drawback to NTFS is that it is not supported by MS-DOS. NT servers can be multi-boot systems, allowing an administrator to reboot the machine to another operating system, such as MS-DOS. When a hard disk is converted to NTFS, only NT Server and NT Workstation operating systems can read these volumes. If the boot disk of a system is converted to NTFS, the system can only be booted to an NT operating system.

Initial setup of NT allows the administrator to select which disk format the NT installation target disk should be. NT does have the ability to convert FAT hard disks to NTFS hard disks, while still maintaining data integrity of the disk. FAT hard disks can also be converted to NTFS at any time, not just during installation of NT. This can be done safely and without much effort or system down time.

To convert a disk from FAT to NTFS, simply run the program CONVERT.EXE with a parameter indicating which disk is to be converted, followed by the /FS:NTFS switch that names the target file system. The following is an example:

CONVERT.EXE E: /FS:NTFS

If the boot disk is being converted, the NT server must be restarted. Conversion of a boot disk to NTFS must be done prior to the full operating system being started and must therefore be done during the boot process.

Bandwidth Equals How Many Users?

The majority of people who will be needing Microsoft Proxy Server will be those who have a periodic network connection, such as a dialup connection to an ISP (Internet Service Provider), and would like to offer the rest of the users of a LAN the ability to connect to the Internet without having to have their own dialup accounts.

By far, the most bandwidth-consuming Internet activity is downloading files from FTP servers. Microsoft Proxy Server allows a great deal of flexibility when it comes to limiting which types of outside connections are permitted. If a LAN only has a small 28.8 or 33.6 Kbps connection to the Internet, it might be wise to prohibit the use of FTP in order to prevent serious outside connection bog downs. One FTP user can quickly drag down the normal performance of three or four WWW users. Chapter 8 covers Microsoft Proxy Server security issues and covers how to limit which types of connections Microsoft Proxy Server will allow.

Another drawback to FTP users on a network is that Microsoft Proxy Server does not cache FTP files. This means that if a user downloads a file via FTP, and then later must download it again, the file must be completely downloaded again from the Internet. Microsoft Proxy Server does cache WWW objects such as graphics and sound bytes so that if those objects are referenced again, the Microsoft Proxy server can issue them to the requesting client without having to pull them in from the Internet. This greatly speeds up performance and allows more users to access the Microsoft Proxy Server channel without performance problems.

The numbers given below are my own estimations based on my experience with Internet traffic and NT server. The following table shows on average how many WWW clients should be able to use various bandwidth Internet connections through Microsoft Proxy Server:

Table 10.1. WWW Clients to Bandwidth speeds.

Bandwidth Speed       Number of WWW Users
28.8 or 33.6 Kbps     2-3
64 Kbps               5-7
128 Kbps              12-14
1.54 Mbps             50-75


Obviously, these numbers take into account some cached data as well as non-concurrent accessing of large amounts of data, such as graphics or sound bytes.

Under normal network conditions, Microsoft Proxy Server's performance will allow LAN clients to experience no appreciable network lags. That is, network clients should see the same performance from Microsoft Proxy Server as they would if they were actually dialed in to an ISP on their local machine. Similar proxy servers, such as WinGate, while very good in their own right, cannot claim such an accomplishment. Microsoft Proxy Server's performance level is very impressive even when serving out data to multiple LAN clients.

Making certain that Microsoft Proxy Server has a large cache for WWW objects will also help ensure that connections to the Internet seem to be as fast as possible. Microsoft Proxy Server should be configured for 100 megabytes plus 1/2 meg per Microsoft Proxy Server user of disk space for its cache. If you have many LAN clients accessing many different places in the outside world, it might be a good idea to increase Microsoft Proxy Server's cache so that it can maintain local copies of most outside objects. Chapter 12, "Controlling the Proxy Server Cache," deals with controlling Microsoft Proxy Server's cache and how to effectively use it to ensure the highest level of Internet access performance.

Packet Latency

When the Microsoft Proxy Server connection to the Internet becomes heavily used or overloaded, clients may begin to see errors like Unable to Resolve Host Name or Connection Timed Out. These all stem from packets being delayed in transit so long that the client believes the connection to have been broken.

If these errors are cropping up on a network and the Microsoft Proxy Server connection is not overloaded by LAN clients, the ISP itself may be overloaded. I have tried many ISPs and know for a fact that just because they claim to be the biggest and the fastest does not always mean they are the least overloaded. The late afternoon and early evening are normally when ISPs experience their highest volume of users. During these times, you may find the most problems with outside connections. Most of the time, attempting a connection again will prove successful after a while. However, there are just some times when an ISP is too overloaded to be of any use. That's when a dedicated channel is nice to have.

Multiple Microsoft Proxy Server Gateways

If the only connections to the Internet are modem based dialup connections, it might be wise to look at installing multiple Microsoft Proxy servers. When communicating with the Internet through RAS, Microsoft Proxy Server will only use the latest connection. Installing two or three modems on a single server and connecting all of them to an ISP will not yield any higher data throughput than connecting just one.

When connecting an NT server to another NT machine, multiple modems can be used to gain a larger channel. This is called multi-link and is a RAS option which allows multiple connections to serve as a single connection. Since (sad to say) NT is not yet the preferred choice of ISPs for their dial-in service systems, multi-link will not be an option for Internet connections. The nature of routing under TCP/IP is such that when NT finds the first available gateway to the outside world, it will use that. This means that only the latest RAS connection will ever be used for outbound Internet traffic from the LAN. If RAS is used to offer separate inbound traffic a connection method, then yes, two or more connections may be used. Figure 10.4 shows my own personal scenario and use of Microsoft Proxy Server.

Figure 10.4. Multiple RAS links.

The diagram in Figure 10.4 also shows two RAS connections to the ISP: one is used for Microsoft Proxy Server traffic from LAN users, and the other is the domain connection to the Internet that allows outside Internet users to access any Internet servers (WWW, FTP, etc.) running on the NT Server. Obviously, two dial-in accounts must be available on the ISP for use in this manner. Obtaining a domain name and a static IP is a special arrangement that must be made with the ISP. I have personally had my domain established for some time, and when connected to my ISP through that domain account, outside users can connect to my NT server and browse my WWW server or FTP server.

In order for similar situations to work correctly, the Microsoft Proxy Server connection must be made last. Remember that Microsoft Proxy Server will always use the last connection made to the Internet. In order to leave the domain connection to itself, it must be connected to first. In this arrangement, the modem connected to the ISP that is maintaining the domain connection is not overloaded with incoming Internet traffic as well as outbound traffic from LAN users.

If the last connection is broken, Microsoft Proxy Server will automatically use any other connections to the Internet. This can be used as a form of redundancy to ensure that the Internet connection is not severed should one of the modems accidentally hang up.

Many ISPs have inactivity time out periods for dial in connections. This means that if there is no activity on a dial in connection for a certain amount of time (usually around 15 minutes) the ISP will disconnect the connection. There are many nice shareware applications available that are designed to keep a dial in connection open by pinging a server at preset times. The one I use is called Ponger, and can be downloaded from windows95.com.

Of course, the AutoDial feature of Microsoft Proxy Server can always be used to make an Internet connection should the connection be down. However, making a connection can sometimes take as long as a full minute. Some client applications will time out with an error before Microsoft Proxy Server can establish a RAS connection to the Internet. That's why I like to simply leave my NT server connected to my ISP via RAS. Many ISPs now offer "unlimited" access. I usually put that claim to the test. I'm like a fat guy at a buffet line. ISPs hate to see me coming.

Splitting Up LAN Users Between Multiple Microsoft Proxy Servers

If one Microsoft Proxy server is not enough to service the needs of the users on a LAN, multiple Microsoft Proxy servers can be set up on different computers. Different permissions can be granted to different LAN groups, giving only certain groups permission to use certain Microsoft Proxy Servers. This gives the network administrator the ability to evenly spread out the load which LAN users will place on Microsoft Proxy servers.

Because each network workstation must be told which proxy address to communicate with, any number of proxy servers can be on a LAN. Microsoft Proxy Server also has the ability to deny access to certain sites on the Internet. If LAN users are misusing the Microsoft Proxy Server connection, it is possible to indicate which IPs are allowed to be connected to. Administrators can filter out sites like www.playboy.com and prevent users from connecting to these sites.

If the network resources are available to dedicate multiple machines to outside connections, it's a good idea to have a plan of action for Microsoft Proxy Server's organization. It is possible to dedicate one Microsoft Proxy Server to WWW connections and another to FTP connections. However, it might make more sense to arrange separate groups of users who are authorized to connect to certain Microsoft Proxy servers. Chapter 8 covers security issues and describes how to set up a Microsoft Proxy server to allow or deny access to particular LAN users or Internet servers.

Using the Performance Monitor

This section will briefly describe how to use the NT performance monitor to examine such things as CPU usage, RAS port usage, and other important bits of information that may help to track down bottlenecks on a Microsoft Proxy server. This section does not attempt to cover all the possibilities of the performance monitor, but rather to give a general overview of how it can be used correctly.

Performance Monitor can be located in the Administrative Tools folder on the Start menu. When started, no counters are shown, so it appears that the performance monitor is displaying nothing. Figure 10.5 shows the performance monitor when it is initially started.

Figure 10.5. The NT Performance Monitor.

Like most Windows applications, performance monitor has a top tool bar of command buttons. The middle area of the display will show performance information when counters have been added to the display. Information is displayed in a percentage of usage line chart. The display area ranges from zero percent usage, when chart lines are at the bottom of the display, to near 100 percent usage, when chart lines reach the top of the display. The bottom of the display area shows which counters are being displayed in the display area. Each new counter added will be represented by a different color and/or line thickness.

To add a counter to the display, select the + icon on the toolbar. A dialog will open that will allow a specific counter to be added. Figure 10.6 shows the Add to Chart dialog.

Figure 10.6. The Add to Chart dialog in Performance Monitor.

A wide range of counters can be added to the display. Once the IIS servers and Microsoft Proxy Server have been added to an NT server, a specific set of counters can be used to display pertinent data concerning these applications. The following is a description of each of the major elements of the Add to Chart dialog:

The Add button will add the selected counter to the display. The Explain button will expand the Add to Chart dialog with a Counter Definition area and show a description of the selected counter. This is very handy because the relevance of some of the counters is difficult to visualize.

The following is a small list of some of the counters that are useful when tracking the performance of a Microsoft Proxy server:

Once the desired counters have been added to the display, selecting Close will close the Add to Chart dialog and the display area of the performance monitor will begin to show the added counters.

By default, the display area shows data for the past 100 seconds of system activity. The tracking bar jumps at one second intervals though this can be increased if more than 100 seconds of data must be displayed. The Options icon on the toolbar (the last one on the right) can be used to alter some of the chart settings, such as interval time and grid line options. Figure 10.7 shows the Options dialog.

Figure 10.7. The Chart Options dialog.

By default, the chart is periodically updated each second. This can be changed to a manual update if desired. A manual update is handy to use if random, user-initiated snapshots of system activity are desired. The periodic interval can be adjusted to any interval desired. The display chart is broken down into 100 segments so the overall time displayed in the chart will be 100 times whatever interval is selected in this dialog. If the interval is five seconds, the overall chart time will be 500 seconds.

The vertical scale can also be adjusted. If lowered, more detail will be shown for counters with smaller scales, but it may show other counters as constantly maxed out. If raised too high, the display may not show enough detail to be of any use. Trial and error is the best way to find the right vertical scale for a system.

Charts can be saved and later reloaded. From the File menu, the Save Workspace command will save the chart in its current view. Chart settings can also be saved by using the Save Chart Settings command from the File menu.

The performance monitor is the best tool to use for finding out where there might be a problem with a system. The wide range of data the performance monitor can display will keep you, as system administrator, informed of how well a Microsoft Proxy server is operating, and which parts of the system are overly taxed. Become familiar with performance monitor and use it frequently. If nothing else, it'll let you look smart in office meetings when you can tell the boss things such as, "Yep, Microsoft Proxy Server usage went up 37 percent last month. We need a larger budget for our Internet connection!"

Figure 10.8 shows what the performance monitor looks like with several counters displayed.

Figure 10.8. An active view of Performance Monitor.

This view of the performance monitor shows three counters: percent Processor Time, RAS Port COM3 Bytes Transmitted/Sec, and RAS Port COM3 Bytes Received/Sec. Note that the counters for the RAS Port information max out for short periods. This is because these counters are not percentage counters, and their data goes beyond 100. To fix this, the scale of these counters should be decreased to a value that will allow the counter data to fit within the display area. RAS Port COM3 is a 28.8 Kbps modem and its bytes per second in either direction (transmitting or receiving) could rise as high as 3,200 bytes per second. Setting the scale for these counters to 0.01 (or 1/100th scale view) will allow the data to fit nicely within the display. At a 0.01 scale, this RAS data will range from 0 to roughly 32 for a normal maximum value.

Specific Microsoft Proxy Server Objects and Counters

Several new objects and counters are available to the Performance Monitor once Microsoft Proxy Server is installed. These objects and counters are specifically intended to show vital information on how well Microsoft Proxy Server is servicing the needs of LAN users for outside Internet access. The following objects deal specifically with Microsoft Proxy Server:

You can use the counters from these objects to design performance monitoring charts to track all activity on the Microsoft Proxy Server. However, Microsoft has created a basic chart and included it with Microsoft Proxy Server.

Built-in Microsoft Proxy Server Chart

In the Microsoft Proxy Server folder, you'll find a pre-made chart which will detail the basic performance counters that pertain to Microsoft Proxy Server's operation. This chart can be loaded by clicking the Monitor Microsoft Proxy Server Performance link found in the Microsoft Proxy Server folder. This link runs the Performance Monitor and automatically loads the chart, MSP.PMC. This chart should be found in the C:\MSP directory with the other Microsoft Proxy Server files.

The following counters are part of this chart:

These counters will provide all the necessary tracking elements to see the basic performance of Microsoft Proxy Server, as well as how the entire system is performing. Feel free to add to or subtract from this included chart to track counters that you consider equally or more important.

Summary

NT offers a wide range of services to network users. It's easy to overload an NT server with many tasks. Having a clear plan for network layout and arrangement can be the best defense against problems that might pop up later that are difficult to get around. Make sure to spread out network services among as many NT servers as possible, and all services will run at their highest efficiency. This chapter gives important information you can use to better arrange your network services and ensure that Microsoft Proxy Server runs as best it can.