Module 7: Microsoft Proxy Server 2.0 As a Solution for Internet Connectivity.


Transcript of Module 7: Microsoft Proxy Server 2.0 As a Solution for Internet Connectivity.

Page 1

Module 7: Microsoft Proxy Server 2.0 As a Solution for Internet Connectivity

Page 2

Overview

Introducing Proxy Server

Designing a Functional Proxy Server Solution

Securing a Proxy Server Solution

Enhancing a Proxy Server Design for Availability

Optimizing a Proxy Server Design for Performance

Page 3

Organizations connect to the Internet to provide Internet access to users on the private network, and to allow users on the Internet access to private network resources. The Internet connectivity solution must prevent unauthorized users from accessing private network resources.

Microsoft Proxy Server 2.0 (Proxy Server) provides solutions to Internet connectivity requirements for Microsoft® Windows® 2000 networks. Proxy Server is a group of services that is not included with Windows 2000 but runs on Windows 2000.

Page 4

At the end of this module, you will be able to:

Evaluate Proxy Server as a solution for Internet connectivity.

Evaluate and design a functional Proxy Server solution for baseline Internet connectivity.

Select appropriate strategies to secure a Proxy Server solution.

Select appropriate strategies to enhance Proxy Server availability.

Select appropriate strategies to improve Internet connectivity performance.

Note: Throughout the module, Proxy Server with initial capitalization is used to indicate the Microsoft Proxy Server 2.0 product. When proxy server appears without initial capitalization, it indicates a computer that is providing proxy services.

Page 5

Introducing Proxy Server

Design Decisions for a Proxy Server Solution

Features of Proxy Server

Integration Benefits

Page 6

Proxy Server connects private networks to the Internet, while also protecting private network resources from unauthorized users. Proxy Server supports the essential requirements for any Internet connectivity design, and provides additional features to enhance the security, availability, and performance of the Internet connectivity solution.

Page 7

To design an Internet connectivity solution based on Proxy Server, you must:

Identify the design decisions that influence a Proxy Server solution.

Identify how the features provided by Proxy Server support the design requirements for Internet connectivity.

Identify the benefits provided by integrating Proxy Server with other services in Windows 2000.

Page 8

Design Decisions for a Proxy Server Solution

Secure Internet and Private Network Access Required?

Routed or Non-routed Network?

Number of Resources Shared with Internet?

Number of Locations?

[Diagram: Internet, Proxy Server, Private Network]

Page 9

By using Proxy Server, your design decisions for an Internet connectivity solution must be based on the security requirements, the network configuration, the number of Internet-exposed resources, and the number of geographically distributed locations of the organization. Proxy Server is an appropriate solution for Internet connectivity if:

Internet and private network access is restricted on a user-by-user basis or on a resource-by-resource basis.

A number of private network resources need to be shared with Internet-based users.

The private network encompasses multiple geographic locations.

Page 10

Features of Proxy Server

Isolate the Private Network

Restrict Internet and Private Network Traffic

Cache FTP and HTTP Requests

Integrate Into Existing Networks

[Diagram: Internet, Proxy Server, Private Network, Screened Subnet A, Screened Subnet B]

Page 11

To incorporate Proxy Server into your network design, you need to identify how the features of Proxy Server support the Internet connectivity requirements.

Page 12

Isolating the Private Network

Proxy Server enhances the security of an organization by isolating the private network from the Internet, and acting as an intermediary in the exchange of traffic between the Internet and the private network. With the private network isolated, you can reduce the number of required public addresses by selecting a private addressing scheme.

Page 13

Restricting Internet and Private Network Traffic

Proxy Server allows you to restrict the traffic between the Internet and private network so that you can limit the access of private network users to Internet-based resources, and limit Internet user access to private, network-based resources.

Page 14

Features of Proxy Server

You can use Proxy Server to restrict the traffic between the Internet and the private network by:

Granting Internet access to authorized users.

Establishing filters that forward or discard IP packets based on the IP address, protocol number or TCP/UDP port number.

Intercepting inbound Uniform Resource Locater (URL) requests and determining whether the requests must be forwarded to a private network resource.

Using screened subnets to provide the required level of network security.

Page 15

Caching FTP and HTTP Requests

Proxy Server intercepts File Transfer Protocol (FTP) and Hypertext Transfer Protocol (HTTP) Internet requests for Web objects and saves the retrieved Web objects in a local cache. When private network users request Internet-based resources, Proxy Server checks the local cache to see if the request is stored there. If the request is found in the local cache, the Web object is retrieved from the local cache and no Internet request is necessary.

Page 16

Integrating into Existing Networks

If integrated into existing networks, Proxy Server:

Supports both Windows Sockets (WinSock) and non-WinSock clients on a variety of client operating systems.

Supports integration with the Active Directory™ directory service accounts in Windows 2000 to provide single logon access for users on Windows-based computers.

Supports IP and Internetwork Packet Exchange/Sequenced Packet Exchange (IPX/SPX) protocols on private networks so that IP and IPX/SPX-based clients can access the Internet through Proxy Server.

Page 17

Integration Benefits

[Diagram: Proxy Server integrating with IPSec (authentication and IPSec tunnels), Active Directory (user account authentication), and Routing and Remote Access (demand-dial connections, IP filters, and VPN tunnels)]

Page 18

Proxy Server integrates with other networking services to take advantage of their features. The integration of these features requires you to include additional technologies (such as virtual private network (VPN) tunnels that are used for authentication and data encryption) in the design.

Page 19

The following table describes the benefits of integrating Proxy Server with other networking services.

Proxy Server integrates with: Internet Protocol Security (IPSec)
To: Provide Proxy Server authentication and the encryption of data transmitted between locations over public networks.

Proxy Server integrates with: Routing and Remote Access
To: Provide support for nonpersistent connections by using specified demand-dial connections. Reduce undesired traffic by using specified IP filters.

Proxy Server integrates with: Active Directory
To: Provide Kerberos version 5 protocol and user account support so that authentication occurs when specified.

Page 20

Designing a Functional Proxy Server Solution

Placing Proxy Server Within a Network

Integrating Proxy Server into the Existing Network

Determining Proxy Server Client Requirements

Discussion: Designing a Proxy Server Solution

Page 21

There are a few essential decisions that you need to make for an Internet connectivity solution, so that you can derive the specifications for the Proxy Server design. After these essential decisions are established, you can optimize the Internet connectivity solution by adding security, availability, and performance enhancements to your design.

Page 22

The essential decisions for your Proxy Server design include:

Where to place Proxy Server within a network so that network traffic is localized without compromising security.

Which interface characteristics (IP address, persistence, data rate, and security) affect the integration of the proxy server into the existing network.

How the private network clients will access the proxy server, and the software that the clients will use to access the proxy server.

Page 23

Placing Proxy Server Within a Network

Proxy Server Within the Private Network

Proxy Server at the Edge of the Private Network

[Diagram: Internet and Web server; central office with a Proxy Server and screened subnet; two branch offices, each with a Proxy Server and screened subnet, one connected by demand-dial]

Page 24

You must place Proxy Server between the network segments so that network traffic is localized and security is maintained. To improve performance, you can place Proxy Server so that Web objects are cached for an entire organization, a location within an organization, or a network segment within an organization.

Page 25

Proxy Server Within the Private Network

Place Proxy Server within the private network so that:

Web objects are cached for network segments within an organization to reduce private network traffic.

Screened subnets are created within the private network, thereby protecting confidential data.

Network packets can be exchanged between dissimilar network segments, such as between an Ethernet network segment and an asynchronous transfer mode (ATM) network segment.

Page 26

Proxy Server at the Edge of the Private Network

Place Proxy Server at the edge of the private network so that:

Users on the private networks can access the Internet.

Web objects are cached for the entire organization.

The private network is isolated from the public network, thereby protecting confidential data.

Network packets can be exchanged between the private network segments and public network segments, such as between an Ethernet private network segment and an Integrated Services Digital Network (ISDN) public network segment.

Page 27

Integrating Proxy Server into the Existing Network

Interface Address and Subnet Mask

Interface Data Rate and the Persistence

[Diagram: Internet and Web server; central office with a Proxy Server and screened subnet; two branch offices, each with a Proxy Server and screened subnet, one connected by demand-dial]

Page 28

Depending on the size of the network, your network design can include a number of proxy servers. Each proxy server in the network design must have at least one interface, although most proxy servers have more than one. For each proxy server interface, you must describe the interface characteristics so that the proxy server can be integrated into the existing network.

Note: Specify one interface in the proxy server if the design requires only Proxy Server caching or if Proxy Server provides IPX to Transmission Control Protocol/Internet Protocol (TCP/IP) translation.

Page 29

Selecting the Interface Address and Subnet Mask

When selecting the proxy server interface address and subnet mask, remember that:

Each proxy server interface requires an IP address and subnet mask.

The IP address assigned to the proxy server interface must be within the range of addresses that are assigned to the network segment that is directly connected to the interface.

The subnet mask assigned to the proxy server interface must match the subnet mask that is assigned to the network segment that is directly connected to the interface.
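The two rules above are easy to check mechanically before a proxy server is built. The following added example (not part of the module) validates a constructed design against them with Python's standard ipaddress module: every interface address must lie inside the segment it connects to, and its mask must equal that segment's mask. The segment names, addresses and the two deliberate defects are constructed for illustration.

```python
import ipaddress

# Constructed sample design: the network segments and the proxy server interfaces
# planned for them. All addresses are constructed for this example.
SEGMENTS = {
    "private LAN":     "192.168.10.0/24",
    "screened subnet": "192.168.20.0/24",
    "ISP link":        "203.0.113.0/29",
}

INTERFACES = [
    # correct: address inside the segment, mask matches the segment
    {"name": "Private",  "segment": "private LAN",     "address": "192.168.10.1", "mask": "255.255.255.0"},
    # defect: mask is wider than the segment's mask
    {"name": "Screened", "segment": "screened subnet", "address": "192.168.20.1", "mask": "255.255.0.0"},
    # defect: address lies outside the /29 assigned to the link
    {"name": "External", "segment": "ISP link",        "address": "203.0.113.20", "mask": "255.255.255.248"},
]


def check_interface(iface, segments):
    """Return the design errors for one proxy server interface (empty list if it is valid)."""
    errors = []
    segment = ipaddress.ip_network(segments[iface["segment"]])
    address = ipaddress.ip_address(iface["address"])
    mask = ipaddress.ip_address(iface["mask"])

    # Rule 1: the address must fall within the directly connected segment.
    if address not in segment:
        errors.append(f"{iface['name']}: address {address} is not within segment {segment}")
    # Rule 2: the mask must equal the segment's mask. A mismatch makes the proxy treat
    # hosts as local (or remote) that are not, so traffic is misrouted or dropped.
    if mask != segment.netmask:
        errors.append(f"{iface['name']}: mask {mask} does not match segment mask {segment.netmask}")
    return errors


def check_design(interfaces, segments):
    """Check every interface in the design and return all errors found."""
    return [err for iface in interfaces for err in check_interface(iface, segments)]


if __name__ == "__main__":
    for err in check_design(INTERFACES, SEGMENTS):
        print(err)
```

Running the script reports the two constructed defects and nothing for the correctly specified private interface; in a real design the SEGMENTS and INTERFACES tables would be filled from the address plan.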

Page 30

Selecting the Interface Data Rate and the Persistence

Each proxy server interface connects to a private or public network segment. These network segments can be persistent or non-persistent. In addition, the data rates for these network segments can vary considerably. You need to specify the data rate and persistence for proxy server interfaces so that the proxy server can connect to private and public network segments.

Page 31

Interfaces that connect to private network segments

Private network segments are based on local area network (LAN) technologies that are persistent interface connections. The data rate of the private network segment is determined by the LAN technology, such as 100 megabits per second (Mbps) data transfer rate for 100 Mbps Ethernet.

Page 32

Interfaces that connect to public network segments

Public network segments are based on LAN and demand-dial technologies that can be persistent or non-persistent. Public network segments that appear to Proxy Server as LAN interfaces are persistent, and the data rate is determined by the LAN technology.

Public network segments that appear as demand-dial interfaces are nonpersistent, and the data rate is determined by the underlying technology. An example of this would be a 56-Kbps dial-up modem connection that supports a maximum data rate of 56 Kbps.

Page 33

Interfaces that connect to public network segments ...

Even if the public network segments are based on LAN technologies, your solution can include demand-dial interfaces, such as a VPN connection over a digital subscriber line (DSL) connection. Include a demand-dial interface in your design if:

An exchange of credentials is required to perform authentication, such as VPN tunnel authentication.

Charges, such as ISDN connection charges, are accumulated if the public network segment is active.

Page 34

Interfaces that connect to public network segments ...

To connect to another location across the Internet, one solution is to specify a VPN tunnel over a DSL network segment. In this case, you will need to include the following interfaces in your design:

A LAN interface that supports the persistent DSL network segment.

A demand-dial interface to perform the authentication required by the VPN tunnel.

Page 35

Determining Proxy Server Client Requirements

Specify Private Network IP Address Ranges

Select Software for Connecting to Proxy Server

[Diagram: private network clients reaching the Internet through Proxy Server: a UNIX SOCKS client, HTTP/FTP traffic using IE 5.0, and all traffic using the Proxy Server client]

Page 36

You determine the Proxy Server client requirements so that you can specify the private network address ranges and select the appropriate software for connecting to Proxy Server.

Page 37

Specifying Private Network IP Address Ranges

You must identify the IP address ranges within the private network so that you can specify these address ranges in the Proxy Server design. Proxy Server clients can then determine if the destination IP address in an IP packet must be sent directly to the private network destination, or forwarded to the proxy server.

The IP address ranges that you specify are stored in the local address table (LAT) file on the proxy server. When requests are sent to the proxy server, the proxy server uses the LAT to determine if the request is within the private network or on the Internet.

Page 38

Specifying Private Network IP Address Ranges …

For computers on the private network that do not have Proxy Server client software, you need to specify the IP address of the proxy server's private network interface as the default gateway. Because the proxy server is the default gateway for the computer, all requests that are not on the computer's local subnet are forwarded to the proxy server. The proxy server forwards the request to the Internet.

When the computers on the private network have Proxy Server client software installed, they have a local copy of the LAT file. The Proxy Server clients use their local copy of the LAT file to determine if requests are within the private network, or on the Internet. Private network requests are sent directly to the destination within the private network. Internet requests are sent to the proxy server.
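The LAT decision described above is a simple range lookup, and the security of the design depends on the LAT containing only private network ranges: any address listed in it is sent directly and never passes the proxy's filters. The following added example (not the module's code, and not Microsoft's client implementation) parses a constructed LAT in the two-column "start end" address-pair style of the Proxy Server LAT file and makes the direct-or-proxy decision a client would make; the [Ranges] header and ';' comment syntax are assumptions, as are the design checks in lat_design_errors.

```python
import ipaddress

# Constructed LAT contents. The "start end" pairs follow the LAT file's two-column
# layout; the [Ranges] header and ';' comments are assumptions for this example.
SAMPLE_LAT = """\
; constructed example LAT
[Ranges]
10.0.0.0 10.255.255.255
192.168.10.0 192.168.10.255
"""


def parse_lat(text):
    """Parse LAT text into a list of (first, last) address pairs as integers."""
    ranges = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("["):
            continue
        start, end = line.split()
        ranges.append((int(ipaddress.IPv4Address(start)), int(ipaddress.IPv4Address(end))))
    return ranges


def in_lat(ip, ranges):
    """True if the address falls inside any LAT range, i.e. it is on the private network."""
    n = int(ipaddress.IPv4Address(ip))
    return any(first <= n <= last for first, last in ranges)


def route_request(dest_ip, ranges):
    """Decide, as a Proxy Server client does with its local LAT copy, where a request goes:
    'direct' to a private network destination, or to the 'proxy' for an Internet one."""
    return "direct" if in_lat(dest_ip, ranges) else "proxy"


def lat_design_errors(ranges, external_ip):
    """Assumed design checks (not from the module): no range may be inverted, and the
    proxy server's external (Internet-facing) address must not appear in the LAT,
    because every address in the LAT is reached directly and bypasses the proxy."""
    errors = []
    for first, last in ranges:
        if first > last:
            errors.append(f"inverted range {ipaddress.IPv4Address(first)}-{ipaddress.IPv4Address(last)}")
    if in_lat(external_ip, ranges):
        errors.append(f"external interface address {external_ip} must not appear in the LAT")
    return errors


if __name__ == "__main__":
    lat = parse_lat(SAMPLE_LAT)
    for dest in ("192.168.10.25", "10.4.7.9", "198.51.100.7"):
        print(dest, "->", route_request(dest, lat))
    print(lat_design_errors(lat, "203.0.113.5"))
```

The same lookup explains the earlier point about computers without client software: with no local LAT they cannot make this decision themselves, so the proxy server must be their default gateway and carries all off-subnet traffic.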

Page 39

Selecting Software for Connection to Proxy Server

You can specify that the private network interface of the proxy server is the default gateway entry for computers on the private network. If you specify the proxy server as the default gateway, the private network traffic increases because all traffic destined for other subnets in the private network is forwarded first to the proxy server and then on to the final destination.

To prevent the unnecessary private network traffic, specify that the private network computers be configured with software to forward traffic to the proxy server if the final destination is the Internet.

Page 40

The following table lists the software options for private network computers and the reason to include the options in your design.

Select: Microsoft Internet Explorer 5.0
If you need to support: HTTP and FTP traffic only. Any operating system that includes Internet Explorer 5.0. Packet filters and domain filters for filtering traffic.

Select: Proxy Server client
If you need to support: All IP protocol traffic. Any operating system that supports the WinSock standard. Packet filters and domain filters for filtering traffic. IPX/SPX-based private networks.

Select: SOCKS
If you need to support: All IP protocols supported by the SOCKS applications. UNIX, Macintosh, or operating systems that run SOCKS-compatible applications. SOCKS rules, protocol rules, and IP packet filters for filtering traffic.

Select: No client software
If you need to support: All IP protocols. Any operating system with the default gateway configured to send Internet traffic to the proxy server. Protocol rules and IP packet filters for filtering traffic.

Page 41

Discussion: Designing a Proxy Server Solution

[Map: Vancouver, Calgary, Winnipeg, Toronto, Montreal]

Page 42

As you create Internet connectivity solutions, you need to translate information relating to the solution into design requirements.

The following scenario describes the current network configuration of a legal firm that specializes in patent and copyright law.

Page 43

Scenario

A legal firm specializes in patent and copyright law. At each geographic location, legal assistants within the firm conduct research for the firm's partners on potential patent and copyright infringements. The majority of the research is conducted by searching the Internet for these potential infringements.

The central office for the firm is in Montreal, where the firm has a T1 connection to the Internet. With the exception of the Vancouver branch office, all other branch offices are connected directly to the Montreal office by using a 56-Kbps connection. The Vancouver branch office is connected through Calgary to the Montreal central office.

Page 44

Securing a Proxy Server Solution

Restricting Access to Internet Resources

Determining the Number of Screened Subnets

Restricting Traffic with Packet Filters

Restricting Outbound Traffic with Domain Filters

Restricting Inbound Traffic with Web Publishing

Page 45

The security of a Proxy Server design is measured by the ability of the design to prevent unauthorized access to data transmissions and private network resources. Proxy Server enhances the security by isolating the private network from the Internet and restricting traffic between the private network and the Internet.

Page 46

To secure a Proxy Server solution, consider:

Restricting access to the Internet.

Providing access to private network resources by using screened subnets.

Restricting IP traffic by using IP packet filters.

Restricting IP traffic by using domain filters.

Enabling access to private network resources by using Web Publishing.

Page 47

Restricting Access to Internet Resources

Networks Based on Active Directory

Networks Not Based on Active Directory

[Diagram: a network based on Active Directory (Private Network, Proxy Server, Internet, Active Directory) and a network not based on Active Directory (Private Network, Proxy Server with local accounts, Internet)]

Page 48

You can restrict access to Internet resources on a user-by-user basis, with users defined in Active Directory, or as local user accounts on member servers.

Page 49

Networks Based on Active Directory

If your network design includes Active Directory, you can grant access to users and groups in Active Directory. Proxy Server is integrated with Active Directory to provide single logon access to the Internet.

Page 50

The following table lists the users and groups to which you can grant access, and why you would choose to grant access to that user or group.

Grant permission to: Everyone
To enable access to Proxy Server for: All users, including unauthorized users, when the Windows 2000 Guest account is enabled.

Grant permission to: Active Directory groups
To enable access to Proxy Server for: Members of a group.

Grant permission to: Active Directory users
To enable access to Proxy Server for: Specific users granted permission on an individual basis.

Page 51

Although not typically a best practice, you would enable the Guest account if your Proxy Server design is integrated in a highly heterogeneous network. If you enable the Guest account, you allow anonymous access to the users whose accounts do not exist in Active Directory.

Note: You can provide single logon access for users in heterogeneous networks by using products such as Services for UNIX, Client Services for NetWare, or Services for Macintosh.

Page 52

Networks Not Based on Active Directory

If your network design is predominantly composed of other operating systems, such as UNIX or NetWare, or you are not including Active Directory in the design, you can specify that Proxy Server be installed on a stand-alone Windows 2000-based computer. The stand-alone Windows 2000-based computer has local users and groups that you can use to grant Proxy Server access.

Page 53

Networks Not Based on Active Directory …

If the network consists of other operating systems, such as UNIX or NetWare, you can specify that the:

Other operating systems replicate the user accounts to the Windows 2000-based computer running Proxy Server. For example, in a network that is based on Novell Directory Services (NDS), you would specify that NDS users and groups must be replicated to the proxy server by using Novell software.

Guest account on the proxy server is enabled and granted Proxy Server access, thereby allowing anonymous access to the proxy server. All users on the private network are granted access, and you are unable to restrict Proxy Server access on a user-by-user or group basis.

Page 54

Determining the Number of Screened Subnets

Multiple Interfaces or Multiple Servers

Hierarchical Screened Subnet Designs

[Diagrams: one Proxy Server with multiple interfaces serving Screened Subnets A, B and C; multiple proxy servers, each serving one of Screened Subnets A, B and C]

Page 55

In its simplest form, a certification hierarchy consists of a single CA. Large organizations typically require multiple CAs due to the large number of services and applications requiring certificates. Multiple CAs are arranged in a hierarchy with clearly defined parent/child relationships.

In a CA hierarchy, each parent CA certifies the child CAs below it. The CA at the top of a hierarchy is called the root authority or root CA. The child CAs of the root CAs are called subordinate CAs. The root CA is used only to sign subordinate CA certificates and the CA certificate for the root CA itself. Below the subordinate CAs are issuing CAs that issue certificates directly to users and computers.

A certificate trust list (CTL) is a set of certificates that the administrator determines to be trustworthy. The CTL defines the certification path from the issuing CA up to the root CA. For a client authentication certificate to be used successfully, a CA listed in the CTL must issue the certificate.

Page 56

Multiple Interfaces or Multiple Servers

You can define multiple screened subnets by using multiple private network interfaces in a Proxy Server, using multiple proxy servers with a single interface, or using a combination of both. The following table lists the methods for establishing multiple screened subnets, along with the reasons to select each method.

Select this method: Multiple interfaces
To establish a screened subnet if the: System resources of the proxy server are not saturated. Organization requires a centralized administration model.

Select this method: Multiple servers
To establish a screened subnet if the: Performance for the screened subnet needs to be maximized. Organization requires a decentralized administration model.

Page 57

Hierarchical Screened Subnet Designs

In designs that require more than one screened subnet created by multiple proxy servers, you place the proxy servers in a hierarchy. Specify hierarchical screened subnet designs to:

Delegate the administration of the screened subnets.

Specify broad security requirements at the top of the hierarchy, such as the security requirements for an entire organization.

Specify stronger security requirements lower in the hierarchy, such as the security requirements for a department or application.

Page 58

Restricting Traffic with Packet Filters

Packet Filter Restrictions

Packet Filter Criteria

[Diagram: Private Network behind a Proxy Server at the central office with outgoing and incoming packet filters; Internet; partner network with its own Proxy Server and Web server]

Page 59

To ensure a secure network, you must prevent unauthorized traffic between the private network and the Internet. You can prevent this traffic by specifying Proxy Server packet filters. Proxy Server packet filters affect the SOCKS proxy, Web proxy, and WinSock proxy. You can create a combination of Proxy Server packet filters to address any security requirement.

Page 60

Packet Filter Restrictions

Proxy Server packet filters are layer two filters that affect the IP traffic received by Proxy Server. These filters specify which IP packets are forwarded or rejected by Proxy Server. Proxy Server packet filters restrict:

Traffic for all Proxy Server services.

Both inbound and outbound traffic.

Internet access to private network resources, such as servers.

Private network user access to Internet-based resources, such as partner networks or Web sites.

Page 61

Packet Filter Criteria

You can create Proxy Server packet filters by specifying the source or destination IP address range and the protocol number of the packets to be filtered. To address any security requirement, you can create a combination of filters by specifying multiple filters for each interface.

You can base your packet filter design on a single criteria or any combination of the following:

Direction

Protocol ID

Local port

Remote port

Local host IP address

Remote host IP address

Page 62

Direction

The direction of the traffic that the filter must affect. You can specify traffic inbound to the private network, outbound for the Internet, or moving in both directions.

Page 63

Protocol ID

The IP protocol ID for the filter. You can specify TCP protocol ID, Internet Control Message Protocol (ICMP) protocol ID, or any protocol ID.

Page 64

Local port

The TCP or UDP port number for the source if the packet originates from the private network, or the destination if the packet originates outside the private network. You can specify any port number, a specific port number, or a range of unknown port numbers.

Page 65

Remote port

The TCP or UDP port number for the source if the packet originates outside the private network, or the destination if the packet originates inside the private network. You can specify any port number, a specific port number, or a range of unknown port numbers.

Page 66: Module 7: Microsoft Proxy Server 2.0 As a Solution for Internet Connectivity.

Local host IP address

The IP address of the computer on the private network that exchanges IP packets with the remote computer on the Internet. Typically, this is the IP address of the proxy server. You can specify the default proxy server IP address, a specific IP address assigned to a proxy server interface, or the IP address of a computer on the private network.

Page 67: Module 7: Microsoft Proxy Server 2.0 As a Solution for Internet Connectivity.

Remote host IP address

The IP address of the remote computer on the Internet that exchanges IP packets with the computer on the private network. You can specify any IP address from the Internet, or the IP address of a specific computer on the Internet.
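The six criteria above, evaluated against sample packets, as an added example that is not code from the module or from Proxy Server. It assumes the usual packet-filtering semantics (a packet is forwarded only if some filter matches it) and uses constructed class names, field names and documentation-range addresses; the local/remote mapping follows the module's definitions of local and remote port.

```python
"""Added example (not from the module): evaluating Proxy Server style packet
filter criteria. Class names, field names and addresses are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import List, Optional, Tuple

# IP protocol IDs as carried in the IP header (the module names TCP, ICMP, or any).
TCP, UDP, ICMP = 6, 17, 1
ANY = None  # wildcard for a filter field that is not specified


@dataclass(frozen=True)
class Packet:
    """One IP packet as seen on the proxy server's Internet interface."""
    direction: str            # "inbound" (from the Internet) or "outbound"
    protocol: int
    src_ip: str
    dst_ip: str
    src_port: Optional[int]   # None for protocols without ports (ICMP)
    dst_port: Optional[int]


@dataclass(frozen=True)
class PacketFilter:
    """A filter that permits matching packets. ANY means 'not specified';
    ports are inclusive (low, high) ranges, a single port is (p, p)."""
    direction: Optional[str] = ANY               # "inbound", "outbound" or ANY (both)
    protocol: Optional[int] = ANY
    local_port: Optional[Tuple[int, int]] = ANY
    remote_port: Optional[Tuple[int, int]] = ANY
    local_host: Optional[str] = ANY
    remote_host: Optional[str] = ANY


def local_remote_view(pkt: Packet):
    """Map source/destination onto local/remote as the module defines them:
    for an outbound packet the local side is the source; for an inbound
    packet the local side is the destination."""
    if pkt.direction == "outbound":
        return pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port
    return pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port


def _port_ok(rng: Optional[Tuple[int, int]], port: Optional[int]) -> bool:
    if rng is ANY:
        return True
    return port is not None and rng[0] <= port <= rng[1]


def _host_ok(want: Optional[str], have: str) -> bool:
    return want is ANY or ip_address(want) == ip_address(have)


def matches(flt: PacketFilter, pkt: Packet) -> bool:
    """True when every criterion the filter specifies matches the packet."""
    local_ip, local_port, remote_ip, remote_port = local_remote_view(pkt)
    return (
        (flt.direction is ANY or flt.direction == pkt.direction)
        and (flt.protocol is ANY or flt.protocol == pkt.protocol)
        and _port_ok(flt.local_port, local_port)
        and _port_ok(flt.remote_port, remote_port)
        and _host_ok(flt.local_host, local_ip)
        and _host_ok(flt.remote_host, remote_ip)
    )


def permitted(filters: List[PacketFilter], pkt: Packet) -> bool:
    """Assumed semantics: a packet no filter explicitly permits is dropped."""
    return any(matches(f, pkt) for f in filters)


# Constructed sample policy for an interface at 203.0.113.10 (a documentation
# address): let the proxy's own outbound HTTP out, let the replies back in to
# a constructed client-port range, and let ICMP in from anywhere.
PROXY_EXTERNAL_IP = "203.0.113.10"
SAMPLE_FILTERS = [
    PacketFilter(direction="outbound", protocol=TCP,
                 local_host=PROXY_EXTERNAL_IP, remote_port=(80, 80)),
    PacketFilter(direction="inbound", protocol=TCP, local_host=PROXY_EXTERNAL_IP,
                 local_port=(1025, 5000), remote_port=(80, 80)),
    PacketFilter(direction="inbound", protocol=ICMP, local_host=PROXY_EXTERNAL_IP),
]
```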

Page 68: Module 7: Microsoft Proxy Server 2.0 As a Solution for Internet Connectivity.

Restricting Outbound Traffic with Domain Filters

Grant or Deny Access with Exception

Domain Filter Criteria

[Slide diagram: the central office's private network behind an outbound proxy server, the Internet, and a second proxy server in front of a partner network and a Web server.]

Page 69: Module 7: Microsoft Proxy Server 2.0 As a Solution for Internet Connectivity.

You can restrict private network traffic to Internet resources by specifying Proxy Server domain filters. Proxy Server domain filters affect the SOCKS proxy, Web proxy, and WinSock proxy. You can add multiple domain filters to create a combination that meets the security requirements of any organization.

Page 70: Module 7: Microsoft Proxy Server 2.0 As a Solution for Internet Connectivity.

Granting or Denying Access with Exception

You can specify the default behavior of Proxy Server domain filters to grant access to all Internet sites, or to deny access to all Internet sites. You can then build a list of Internet sites that are the exception to the default behavior. As a result, you can specify Proxy Server domain filters to:

Reject packets specified in the criteria of the filter and forward all others.

Forward packets specified in the criteria of the filter and reject all others.

Page 71: Module 7: Microsoft Proxy Server 2.0 As a Solution for Internet Connectivity.

Domain Filter Criteria

Define Proxy Server domain filter criteria to restrict traffic based on the security requirements of the organization. For example, if an organization wants to restrict access to a specific Web site by name, define a Proxy Server domain filter that is based upon the domain name of the Web site.

Page 72: Module 7: Microsoft Proxy Server 2.0 As a Solution for Internet Connectivity.

Domain Filter Criteria …

The following table lists the criteria upon which you can base your Proxy Server domain filter, and when you would specify that criteria in your design.

Filter on            If you want to restrict access for
Single computer      A specific computer on the Internet, by using the IP address of the computer.
Group of computers   A range of IP addresses on the Internet, by using an IP address and subnet mask to specify the range.
Domain               A specific domain name, independent of the IP address, by specifying the fully qualified domain name (FQDN) for the domain.

Note: Your Proxy Server domain filter can only be based on one of the criteria listed in the table above.
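The grant-or-deny default with exceptions (page 70) and the single-criterion rule from the table above, as an added example that is not code from the module or from Proxy Server. Class names and sample addresses are constructed; matching hosts beneath a filtered FQDN is an assumption of this example, not a behavior the module states.

```python
"""Added example (not from the module): Proxy Server style domain filters.
A policy has a default behavior (grant or deny) plus exceptions; each
exception uses exactly one criterion. Names and values are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class DomainFilter:
    """One exception. Exactly one of the three criteria must be set."""
    single_ip: Optional[str] = None   # single computer, by IP address
    group: Optional[str] = None       # group of computers, "address/mask"
    domain: Optional[str] = None      # FQDN, independent of the IP address

    def __post_init__(self):
        if sum(c is not None for c in (self.single_ip, self.group, self.domain)) != 1:
            raise ValueError("a domain filter is based on exactly one criterion")

    def matches(self, host: str, resolved_ip: Optional[str]) -> bool:
        if self.domain is not None:
            h, d = host.lower().rstrip("."), self.domain.lower().rstrip(".")
            return h == d or h.endswith("." + d)   # assumption: covers hosts below the FQDN
        if resolved_ip is None:                    # IP-based criteria need the address
            return False
        if self.single_ip is not None:
            return ip_address(resolved_ip) == ip_address(self.single_ip)
        addr, mask = self.group.split("/")         # dotted mask, as in the module's table
        return ip_address(resolved_ip) in ip_network(f"{addr}/{mask}", strict=False)


@dataclass
class DomainFilterPolicy:
    grant_by_default: bool
    exceptions: List[DomainFilter]

    def allows(self, host: str, resolved_ip: Optional[str] = None) -> bool:
        """Forward or reject: an exception flips the default behavior."""
        hit = any(f.matches(host, resolved_ip) for f in self.exceptions)
        return self.grant_by_default != hit


# Constructed sample: deny everything except a partner network range and one
# Web site reached by name (documentation addresses, not real hosts).
RESTRICTIVE = DomainFilterPolicy(
    grant_by_default=False,
    exceptions=[
        DomainFilter(group="198.51.100.0/255.255.255.0"),
        DomainFilter(domain="www.nwtraders.msft"),
    ],
)

# Constructed sample: grant everything except one computer.
PERMISSIVE = DomainFilterPolicy(
    grant_by_default=True,
    exceptions=[DomainFilter(single_ip="203.0.113.50")],
)
```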

Page 73: Module 7: Microsoft Proxy Server 2.0 As a Solution for Internet Connectivity.

Restricting Inbound Traffic with Web Publishing

Use the Default – All Requests are Discarded

Define Web Publishing Mapping

[Slide diagram: a remote user on the Internet sends a request to the proxy server, which uses Web Publishing to forward it to a Web server on the private network.]

Page 74: Module 7: Microsoft Proxy Server 2.0 As a Solution for Internet Connectivity.

Restricting Inbound Traffic with Web Publishing

To restrict inbound traffic, you can enable access to HTTP or FTP servers that are located in the private network by using the Web Publishing feature of Proxy Server. If you include Web Publishing in your solution, Proxy Server examines inbound Internet-based requests and:

Forwards the requests to HTTP or FTP servers within the private network.

Discards the request.

Page 75: Module 7: Microsoft Proxy Server 2.0 As a Solution for Internet Connectivity.

Use the Default-All Requests Are Discarded

You can specify how Web Publishing reacts when an inbound request is received and does not match any of the Web Publishing criteria. You can specify that Web Publishing either:

Ignore all requests and send no response.

Forward all requests to the default Web site on the proxy server.

Forward all requests to a specific Web site.

Note: The default behavior for Web Publishing is to discard any Internet-based requests to Web servers located within the private network.

Page 76: Module 7: Microsoft Proxy Server 2.0 As a Solution for Internet Connectivity.

Defining Web Publishing Mapping

You can define Proxy Server Web Publishing mappings that override the default behavior of Web Publishing. For each Web Publishing mapping, you can specify the:

Inbound URL that Proxy Server uses to identify requests that are exceptions to the default behavior of Web Publishing.

URL within the private network where the request is to be forwarded.

For example, you could create a Web Publishing mapping that would forward all requests for http://www.nwtraders.msft to http://sales.nwtraders.msft.

Page 77: Module 7: Microsoft Proxy Server 2.0 As a Solution for Internet Connectivity.

Enhancing a Proxy Server Design for Availability

Enhancing Availability for Outbound Client Requests

Enhancing Availability for Inbound Client Requests

Page 78: Module 7: Microsoft Proxy Server 2.0 As a Solution for Internet Connectivity.

You can enhance the availability of the Proxy Server solution by including proxy arrays, round robin DNS entries, and Network Load Balancing in your design. Consider specifying multiple servers running Proxy Server to:

Enhance the availability for outbound client requests from the private network to the Internet.

Enhance the availability for inbound client requests from the Internet to the private network.

Page 79: Module 7: Microsoft Proxy Server 2.0 As a Solution for Internet Connectivity.

Enhancing Availability for Outbound Client Requests

Same Domain, Site, and Proxy Array Name

Web Object Distribution and Failover

Proxy Arrays with Only One Proxy Server

[Slide diagram: outgoing requests from the private network pass through a proxy array to the Internet.]

Page 80: Module 7: Microsoft Proxy Server 2.0 As a Solution for Internet Connectivity.

You can enhance the availability for client outbound requests by using proxy server arrays. Proxy arrays distribute Web content across all of the proxy servers in the array so that if a server fails, the remaining servers in the array will continue to service client requests. Proxy Server client requests are sent to the array and then routed to the appropriate proxy server within the array.

Page 81: Module 7: Microsoft Proxy Server 2.0 As a Solution for Internet Connectivity.

Specifying the Same Domain, Site, and Proxy Array Name

Establish proxy arrays by specifying which proxy servers make up the array. All members of the array must:

Belong to the same Active Directory domain and site.

Have the same proxy array name specified.

Page 82: Module 7: Microsoft Proxy Server 2.0 As a Solution for Internet Connectivity.

Providing Web Object Distribution and Failover

When a proxy server within an array fails, the cached Web content stored on the failed server is lost. Other proxy servers within the array automatically retrieve the lost Web content.

By specifying that multiple proxy servers belong to the same array, you can:

Distribute the Proxy Server Web content cache.

Provide immediate failover in the event of a failure.

Page 83: Module 7: Microsoft Proxy Server 2.0 As a Solution for Internet Connectivity.

Specifying Proxy Arrays with Only One Proxy Server

A proxy array can be specified with only one proxy server to:

Allow the Proxy Server configuration information to be stored in Active Directory.

Establish an array that you can extend in the future.

Page 84: Module 7: Microsoft Proxy Server 2.0 As a Solution for Internet Connectivity.

Enhancing Availability for Inbound Client Requests

Multiple Proxy Servers

Network Load Balancing on Each Proxy Server

Round Robin DNS Entry for Each Proxy Server

[Slide diagram: inbound requests from the Internet are resolved by a DNS server holding the round robin entries nwtraders.msft x.y.z.1, nwtraders.msft x.y.z.2 and nwtraders.msft x.y.z.3, and reach a proxy array in front of the private network.]

Page 85: Module 7: Microsoft Proxy Server 2.0 As a Solution for Internet Connectivity.

You can enhance the availability for Proxy Server inbound requests by using a combination of multiple proxy servers and round robin DNS entries or Network Load Balancing.

Page 86: Module 7: Microsoft Proxy Server 2.0 As a Solution for Internet Connectivity.

Specifying Multiple Proxy Servers

To enhance the availability of an Internet connectivity solution, you can specify additional proxy servers. If one server fails, the remaining servers will continue to respond to inbound requests for private network resources.

Page 87: Module 7: Microsoft Proxy Server 2.0 As a Solution for Internet Connectivity.

Specifying Network Load Balancing on Each Proxy Server

You can add Network Load Balancing to each of the computers running Proxy Server that are responsible for responding to inbound requests for private network resources. All of the proxy servers belong to the same cluster and share a common IP address known as the cluster IP address.

Page 88: Module 7: Microsoft Proxy Server 2.0 As a Solution for Internet Connectivity.

Specifying Network Load Balancing on Each Proxy Server …

The following sequence describes the process of a remote client accessing a private network resource:

1. The Internet-based remote client requests IP address name resolution from the DNS server.

2. The DNS server returns the cluster-primary IP address as the IP address.

3. The remote client sends an inbound request to the Network Load Balancing cluster.

4. The proxy servers in the Network Load Balancing cluster evaluate the request, and one of the proxy servers responds to the request.

Page 89: Module 7: Microsoft Proxy Server 2.0 As a Solution for Internet Connectivity.

Specifying a Round Robin DNS Entry for Each Proxy Server

Specify a round robin DNS entry for each of the computers running Proxy Server that is responsible for responding to inbound requests for private network resources. When an Internet-based client queries a DNS server for the IP address of the organization, the round robin DNS process distributes the Internet-based requests across multiple proxy servers.

Page 90: Module 7: Microsoft Proxy Server 2.0 As a Solution for Internet Connectivity.

For example, three proxy servers make up a proxy array called proxyarray.msft. Each of the servers in the array has a unique IP address, so you need to specify an A-type resource record for each server as follows:

proxyarray.msft IN A 10.0.0.1

proxyarray.msft IN A 10.0.0.2

proxyarray.msft IN A 10.0.0.3

Page 91: Module 7: Microsoft Proxy Server 2.0 As a Solution for Internet Connectivity.

When a query is made for the proxy array, the DNS server responds in a round robin order of the IP addresses.

In the preceding example, the first client request is answered with the addresses ordered 10.0.0.1, 10.0.0.2, and 10.0.0.3. The next client request for the same information is answered with the order rotated to 10.0.0.2, 10.0.0.3, followed by 10.0.0.1. The rotation continues with each query for the same resource record set, so that each address is in turn returned at the top of the list.
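The rotation described above, applied to the module's three proxyarray.msft A records, as an added example that is not code from the module or from the Windows 2000 DNS server. The parser and resolver names are constructed; the last function shows why the module classifies round robin DNS as static load balancing: the server keeps handing out every address regardless of whether that proxy server is up.

```python
"""Added example (not from the module): round robin answers for the A
records the module lists. Function and class names are constructed."""
from collections import deque
from typing import Dict, List

# The module's own records (page 90), as a constructed zone fragment.
ZONE_RECORDS = """\
proxyarray.msft IN A 10.0.0.1
proxyarray.msft IN A 10.0.0.2
proxyarray.msft IN A 10.0.0.3
"""


def parse_a_records(zone_text: str) -> Dict[str, List[str]]:
    """Group the A records of a zone fragment by owner name, in file order."""
    records: Dict[str, List[str]] = {}
    for line in zone_text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[1].upper() == "IN" and parts[2].upper() == "A":
            records.setdefault(parts[0].lower(), []).append(parts[3])
    return records


class RoundRobinResolver:
    """Answers each query with the whole record set, rotated one position
    further than the previous answer for the same name."""

    def __init__(self, zone_text: str):
        self._sets = {name: deque(addrs)
                      for name, addrs in parse_a_records(zone_text).items()}

    def query(self, name: str) -> List[str]:
        rr = self._sets.get(name.lower())
        if not rr:
            return []          # no A records for that name
        answer = list(rr)
        rr.rotate(-1)          # the next client sees the next address first
        return answer


def first_address_distribution(resolver: RoundRobinResolver, name: str,
                               queries: int) -> Dict[str, int]:
    """Count which address each of `queries` clients would try first.
    Round robin DNS is static: a failed proxy server's address is still
    returned at the top of the list for its share of the queries."""
    counts: Dict[str, int] = {}
    for _ in range(queries):
        first = resolver.query(name)[0]
        counts[first] = counts.get(first, 0) + 1
    return counts
```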

Page 92: Module 7: Microsoft Proxy Server 2.0 As a Solution for Internet Connectivity.

Optimizing a Proxy Server Design for Performance

Selecting the Proxy Server Cache Method

Organizing Proxy Servers Hierarchically

Distributing IP Traffic Across Multiple Proxy Servers

Discussion: Enhancing a Proxy Server Solution

Page 93: Module 7: Microsoft Proxy Server 2.0 As a Solution for Internet Connectivity.

You can optimize the performance of a single Proxy Server by upgrading the computer hardware or by running only Proxy Server on the computer. If your design includes multiple computers running Proxy Server, you can optimize the performance of your Internet connectivity solution by specifying that the multiple proxy servers:

Select either the passive or active Proxy Server cache method.

Are organized hierarchically to take advantage of the local Proxy Server cache.

Distribute inbound and outbound client requests by using proxy arrays, round robin DNS entries, or Network Load Balancing.

Page 94: Module 7: Microsoft Proxy Server 2.0 As a Solution for Internet Connectivity.

Selecting the Proxy Server Cache Method

Use the Default—Active Caching

Use Passive Caching to Conserve System Resources

[Slide diagrams: Active Caching, in which the proxy server between the private network and the Internet updates the cache when requested and also automatically requests updates of cached objects from the Internet; Passive Caching, in which the proxy server updates the cache only when requested.]

Page 95: Module 7: Microsoft Proxy Server 2.0 As a Solution for Internet Connectivity.

Selecting the Proxy Server Cache Method

You can improve the performance for private network Proxy Server clients accessing Internet-based Web objects by using Proxy Server caching. Proxy Server caching intercepts requests for Internet-based Web objects, and stores a copy of the objects on a local drive on the proxy server for subsequent requests.

Page 96: Module 7: Microsoft Proxy Server 2.0 As a Solution for Internet Connectivity.

Select the Proxy Server cache method based on criteria such as space availability and whether the cached Web object is an up-to-date version of the Web object. The following table lists the Proxy Server caching methods, the criteria for determining when content is removed from the cache, and when to select each caching method.

Active caching
Removes content based on: selected parameters such as HTML header information, age, and URL.
Use it if you want to: reduce Internet traffic while conserving disk space.

Passive caching
Removes content based on: the date and time of the most recent access, so that Proxy Server can determine which content to overwrite first.
Use it if you want to: use less processor overhead than active caching, while consuming more disk space.

Tip: You can estimate the Proxy Server cache size by specifying 100 MB of common cache and adding 0.5 MB for each Proxy Server client on the private network.

Page 97: Module 7: Microsoft Proxy Server 2.0 As a Solution for Internet Connectivity.

Using the Default-Active Caching

Page 98: Module 7: Microsoft Proxy Server 2.0 As a Solution for Internet Connectivity.

Using the Default-Active Caching

By enabling the Proxy cache service, you can select active caching as the default. Just like passive caching, active caching retrieves Web objects when the clients request the objects. Active caching automatically updates the Web objects from the Internet based on:

The number of requests for a Web object.

How frequently the Web object changes.

Active caching automatically updates Web objects in the cache when the processor utilization of the computer running Proxy Server is low. Proxy Server updates during low processor utilization so that active caching does not affect the response time for Proxy Server clients.

Page 99: Module 7: Microsoft Proxy Server 2.0 As a Solution for Internet Connectivity.

Using Passive Caching to Conserve System Resources

Page 100: Module 7: Microsoft Proxy Server 2.0 As a Solution for Internet Connectivity.

Using Passive Caching to Conserve System Resources

When you disable active caching, the Proxy cache service uses passive caching. Passive caching retrieves Web objects only when the clients request the objects. As the Web object is passed through to the user, the Proxy cache service determines if the Web object is cacheable and stores the object in the cache accordingly.

Note: To cache Web content, you must store the Web content cache on an NTFS file system partition.

Page 101: Module 7: Microsoft Proxy Server 2.0 As a Solution for Internet Connectivity.

Organizing Proxy Servers in a Hierarchy

Access Local Web Objects to Improve Performance

Route Requests to Another Proxy Server or Internet

[Slide diagram: a central office proxy array, with a cache on each member, connects to the Internet; each branch office has its own caching proxy server or proxy array that routes requests to the central office array.]

Page 102: Module 7: Microsoft Proxy Server 2.0 As a Solution for Internet Connectivity.

You can improve the performance for Proxy Server client requests by organizing multiple proxy servers in a hierarchy, and by using Proxy Server caching. Define the hierarchy by using a proxy array to connect to the Internet and by using individual computers running Proxy Server or proxy arrays at remote locations.

Page 103: Module 7: Microsoft Proxy Server 2.0 As a Solution for Internet Connectivity.

Accessing Local Web Objects to Improve Performance

By placing proxy servers or proxy arrays at remote locations to manage cached Web objects, you increase the performance for the Proxy Server clients within the same location.

Proxy Server clients access cached Web objects within the same location to reduce the utilization of:

Wide area network (WAN) connections between locations within an organization.

The Internet connection for the organization.

Note: Include a proxy array at remote locations if the number of users, or the need for availability, requires additional proxy servers.

Page 104: Module 7: Microsoft Proxy Server 2.0 As a Solution for Internet Connectivity.

Routing Requests to Another Proxy Server or the Internet

If a Web object is not cached on a proxy server or proxy array within the same location, specify that the request be forwarded to the proxy array connected to the Internet.

Page 105: Module 7: Microsoft Proxy Server 2.0 As a Solution for Internet Connectivity.

Routing Requests to Another Proxy Server or the Internet …

When the Web object is cached on the proxy array connected to the Internet, the object is retrieved from the cache:

1. Through the proxy server or array at the remote location.

2. Then sent to the Proxy Server client.

Page 106: Module 7: Microsoft Proxy Server 2.0 As a Solution for Internet Connectivity.

Routing Requests to Another Proxy Server or the Internet …

If the Web object is not cached on the proxy array connected to the Internet, the object is retrieved from the Internet:

1. Through the proxy array connected to the Internet.

2. Through the proxy server or array at the remote location.

3. Then sent to the Proxy Server client.

Page 107: Module 7: Microsoft Proxy Server 2.0 As a Solution for Internet Connectivity.

Distributing IP Traffic Across Multiple Proxy Servers

Proxy Arrays for Outbound Client Requests

Round Robin DNS Entries for Inbound Client Requests

Network Load Balancing for Inbound Client Requests

[Slide diagram: inbound requests from the Internet are resolved by a DNS server with the single entry nwtraders.msft x.y.z.1 and reach a proxy array with Network Load Balancing in front of the private network.]

Page 108: Module 7: Microsoft Proxy Server 2.0 As a Solution for Internet Connectivity.

You can optimize the performance of a Proxy Server solution by distributing IP traffic across multiple proxy servers, and by using round robin DNS entries, proxy arrays, or Network Load Balancing. Select the appropriate method for load-balancing IP traffic by determining if the:

Direction of the IP traffic is inbound or outbound.

Load-balancing method distributes IP traffic dynamically or statically.

Page 109: Module 7: Microsoft Proxy Server 2.0 As a Solution for Internet Connectivity.

The following table lists the criteria for selecting the method of optimizing Proxy Server performance, and specifies if the method meets the criteria.

If you need to support                               Proxy arrays   Round robin DNS   Network Load Balancing
Inbound traffic (Internet-based requests)            No             Yes               Yes
Outbound traffic (private network-based requests)    Yes            No                No
Dynamic/static load balancing                        Dynamic        Static            Dynamic

Page 110: Module 7: Microsoft Proxy Server 2.0 As a Solution for Internet Connectivity.

Proxy Arrays for Outbound Client Requests

Proxy arrays distribute cached Web content across the proxy servers within the array. By distributing the cached Web content, the Proxy Server client Web content requests are load balanced. Select proxy server arrays to:

Improve the performance of Internet access for Proxy Server clients.

Provide industry standard proxy server support to interact with third-party products such as any SOCKS-compatible client.

Page 111: Module 7: Microsoft Proxy Server 2.0 As a Solution for Internet Connectivity.

Round Robin DNS Entries for Inbound Client Requests

Specify a DNS A-type resource record for each computer running Proxy Server. The resource records include the same DNS domain name with the IP address for each respective proxy server. By returning the IP address of a different proxy server for each request, Internet-based client requests are load balanced. Select round robin DNS entries to:

Improve the performance of private network access for Internet clients.

Provide the improvement in performance without using Network Load Balancing.

Page 112: Module 7: Microsoft Proxy Server 2.0 As a Solution for Internet Connectivity.

Network Load Balancing for Inbound Client Requests

Specify a DNS A-type resource record for the proxy servers in the same Network Load Balancing cluster. The resource record includes the DNS domain name and the IP address of the Network Load Balancing cluster. The remote client sends an inbound request to the cluster IP address, the proxy servers in the Network Load Balancing cluster evaluate the request, and one of the proxy servers responds to the request. Select Network Load Balancing to:

Improve the performance of private network access for Internet clients.

Provide dynamic load balancing across the proxy servers in the Network Load Balancing cluster.

Page 113: Module 7: Microsoft Proxy Server 2.0 As a Solution for Internet Connectivity.

Discussion: Enhancing a Proxy Server Solution

[Slide map: the legal firm's locations Vancouver, Edmonton, Calgary, Winnipeg, Toronto, and Montreal.]

Page 114: Module 7: Microsoft Proxy Server 2.0 As a Solution for Internet Connectivity.

After you have provided a basic Internet connectivity solution to an organization, you need to examine the security, availability, and performance requirements for the solution.

The following scenario describes the requirements for enhancing the Proxy Server design of a legal firm.

Page 115: Module 7: Microsoft Proxy Server 2.0 As a Solution for Internet Connectivity.

Scenario

Six months after the initial installation, the legal firm has completed the conversion of the Edmonton branch office to a TCP/IP-based network. The Edmonton branch is connected to the Montreal central office through the Calgary branch office.

You have been hired to evaluate the current network for the legal firm. After your evaluation, you reach the conclusion that the connections between locations are saturated.

Page 116: Module 7: Microsoft Proxy Server 2.0 As a Solution for Internet Connectivity.

Lab A: Designing a Proxy Server Solution

Page 117: Module 7: Microsoft Proxy Server 2.0 As a Solution for Internet Connectivity.

Objectives

After completing this lab, you will be able to:

Evaluate a scenario and determine the design requirements for a Proxy Server solution.

Design a Proxy Server solution for the given scenario.

Page 118: Module 7: Microsoft Proxy Server 2.0 As a Solution for Internet Connectivity.

Prerequisites

Before working on this lab, you must have:

Knowledge of Proxy Server features and functionality.

Knowledge of strategies that can be used to enhance the security, availability, and performance of the Proxy Server solution.

Page 119: Module 7: Microsoft Proxy Server 2.0 As a Solution for Internet Connectivity.

Exercise 1: Designing a Proxy Server Solution

In this exercise, you are presented with the task of creating a Proxy Server design solution for a domestic airline. This airline has three types of airports and one regional reservation center. You are assigned to a hub airport. You will design a Proxy Server solution that supports the organization's Internet connectivity requirements.

You will record your solution on the specific Design Worksheet. Review the scenario, the design requirements, and the diagram. Follow the Design Worksheet Instructions to complete the Design Worksheet.

Page 120: Module 7: Microsoft Proxy Server 2.0 As a Solution for Internet Connectivity.

Scenario

A U.S. domestic airline is converting their existing reservation and ticketing system from a mainframe solution to a solution based on Windows 2000. As the director of information services, you are responsible for the transition from the mainframe solution to the Windows 2000-based solution.

The airline has three regional reservation centers that provide telephone-based reservations and customer support. The three regional reservation centers also provide the human resource and administration resources for each region.

Page 121: Module 7: Microsoft Proxy Server 2.0 As a Solution for Internet Connectivity.

Scenario …

The airline services 60 airports within its service routes. The types of airports serviced by the airline are:

Hub airports: Located in metropolitan cities, these airports can be a connecting point to final destinations. These airports have a travelers club that provides Internet access, and printing and fax services to the customers. Hub airports have the largest number of computers used by customer service agents and the baggage handling staff.

Full service airports: Located in larger cities that are final destinations, these airports are frequented by larger aircraft. Some of these airports have a travelers club that provides Internet access, and printing and fax services to the customers. Full service airports have fewer computers than the hub airports for customer service agents and the baggage handling staff.

Shuttle airports: Located in smaller cities that are final destinations, these airports are frequented by smaller commuter aircraft. These airports have the minimal number of computers for customer service agents and the baggage handling staff, and are the smallest of the airport types.

Page 122: Module 7: Microsoft Proxy Server 2.0 As a Solution for Internet Connectivity.

Design Requirements

By examining existing documentation, and conducting interviews with the airline personnel, you have established the design requirements that must be achieved. Make sure your solution meets or exceeds these requirements.

Page 123: Module 7: Microsoft Proxy Server 2.0 As a Solution for Internet Connectivity.

Applications

The domestic airline uses a number of applications to conduct the day-to-day operations. Your solution must provide:

Support for a mission-critical Web-based application that manages customer reservations, ticketing, baggage handling, and baggage tracking.

Support for a mission-critical Web-based application that allows customers to make reservations and purchase the tickets over the Internet.

Private network access to all shared folders and Web-based applications from the central and regional offices.

Internet access from the regional offices and the airports.

Active Directory as the directory service for the airline.

Proxy Server response times such that the application response time is not reduced. Pilot tests on approved proxy servers indicate that each proxy server can support no more than 1,200 hosts while providing performance within the given application response times.

Support for all mission-critical applications to be available 24 hours a day, 7 days a week.

Page 124: Module 7: Microsoft Proxy Server 2.0 As a Solution for Internet Connectivity.

Connectivity

The applications used by the domestic airline require connectivity between the regional offices and airport offices. Your solution must provide:

Support for the airports to connect to the regional reservation centers by using dedicated connections over the Internet.

Isolation of the regional reservation centers and the airports from the Internet.

Page 125: Module 7: Microsoft Proxy Server 2.0 As a Solution for Internet Connectivity.

Design Worksheet Instructions

To complete the Proxy Server Design Worksheet, you need to:

Assign a name to the Windows 2000-based server that will run Proxy Server. Use the name when specifying options. Record this under Server name.

On the subnet, decide where you will place the Windows 2000-based server that runs Proxy Server. Record this under Server placement.

Explain your reasons for the placement of the proxy server. Record this under Reason for placing server.

Select the Proxy Server and Proxy Server client-specific options required for your solution. Record this under Networking service options.

Explain the reason why you added the Proxy Server-specific options to the Proxy Server design. Record this under Reason for specifying option.

Page 126: Module 7: Microsoft Proxy Server 2.0 As a Solution for Internet Connectivity.

Review

Introducing Proxy Server

Designing a Functional Proxy Server Solution

Securing a Proxy Server Solution

Enhancing a Proxy Server Design for Availability

Optimizing a Proxy Server Design for Performance