Microsoft Proxy Server Advanced Configurations

Introduction

Microsoft Proxy Server provides a variety of "firewall" services including Packet Filtering, Circuit-Level Gateways and Application Proxying. The first Microsoft Proxy Server document, Installation and Configuration Guide for Microsoft Proxy Server 2.0, focused on the basic features of the Proxy Server but the configuration described provides a minimal amount of security and will not accommodate everyone's needs. The following document was designed to provide a general explanation of some of the advanced features, followed by suggested implementations for specific configurations. For the Proxy Server to be effective the administrator must configure packet filtering, access control and types of authentication.

In addition to the configuration of these components this document will address some issues with WINS, DNS, DHCP and IIS4 related to specific configurations.

Packet Filtering

Proxy Server supports two types of packet filtering on the public interface: dynamic and static. By default, packet filtering is disabled until a public interface (one that is not in the Local Address Table) has been defined. If packet filtering is not enabled, any packet can pass through the public interface of the proxy server and all ports are vulnerable. When a public interface is defined, filtering may be enabled.

Dynamic Filtering (automatic)

Dynamic filtering opens ports as needed for proxied services such as SMTP, POP3, etc., and closes the ports when the session is finished. Proxy Server determines which packets are allowed to pass through to the circuit and application level services. Enabling dynamic packet filtering is recommended by Microsoft and seems to work transparently. Protocols, ports and addresses do not have to be defined.

By default, when dynamic filtering is enabled, certain static filters are automatically enabled as well, such as ICMP and DNS. Both of these protocols need static filters to work properly in the proxy environment. When you enable dynamic filtering on the Proxy Server, you can see the predefined static filters in a window as "exceptions" to dynamic filtering.

Static Filters (manual)

Static filters are defined for non-proxied services and are considered exceptions to dynamic filters. These are sometimes necessary if services that require access from both public and private networks reside on the proxy server. Since dynamic filtering is designed for proxy requests only, applications that reside on the server itself (such as a browser) may need to have static filters defined.

Some filters are predefined by protocol and others may need to be custom designed. For custom designed filters the administrator must define the source and destination ports and the type of session (TCP vs. UDP). Static filters take precedence over the proxy server configuration and control public packet access to ports according to their own configuration.


Access Control

Access control can be defined for specific protocols for each service. For each protocol you can choose users and groups from the NT domain who will be allowed to access these protocols through the service. For example, all domain users could have access to the WWW protocol through the Web Proxy Service. Any user who could not be authenticated to the domain would be denied access.

Web Proxy

Web Proxy access control can be configured for four protocols: WWW, FTP, Gopher and Secure (SSL connections). FTP and Gopher are enabled for read access; WWW and Secure are enabled for full access. If access control is enabled, WWW must be configured for groups and users or the Web Proxy will not work at all. If access control is not enabled, anyone behind the firewall or within the local address table can use the Web Proxy Server.

Winsock Proxy

Access control for the Winsock Proxy Server can be determined for several protocols, including SMTP client, FTP, Telnet, IRC and many others. By default, when access control is enabled it must be defined for each protocol and all other access is denied. There is a special category named "unlimited access". If this is configured for a group of domain users, they will have access to all protocols defined for the Winsock Proxy Service. For example, you could assign unlimited access to the group "Administrators".

SOCKS Proxy

SOCKS Proxy is controlled a little differently. SOCKS is actually built into applications and is not protocol specific. Access control is defined for networks and port ranges with deny and allow actions.

Authentication

Once you have configured access control for your domain users, how will they authenticate? Most users on the local area network (LAN) will be logged into the domain already, so the proxy clients will not need to re-authenticate. NT Challenge and Response is the most secure type of authentication but is only supported by Microsoft applications.


Configuring a Web Server Behind the Proxy Server

Microsoft Proxy Server has a specific component called "Reverse Web Proxy" designed to accommodate Web servers on an intranet. Reverse Web Proxy simply forwards incoming requests to the appropriate server, as shown in Figure 1.

Figure 1. Reverse Web Proxy

A Web server behind a firewall will typically have a private IP number. All requests to and from the Web server are translated to the public IP number of the proxy server.


Configuration

From the Windows Start menu,

  1. Select Programs.
  2. Select Microsoft Proxy Server.
  3. Select Microsoft Management Console.
  4. Right click on Web Proxy Server.
  5. Select Properties.
  6. Select the Publishing tab. (Figure 2)

    Figure 2. Publishing Address

  7. Check Enable Web publishing.
  8. Select "sent to another web server".
  9. In the box to the right enter the private address of the actual Web server and port 80.
  10. Click OK and go back to the Microsoft Management Console.
  11. Right click on Default Web Site.
  12. Choose Properties.
  13. Click on the Web Site tab. (Figure 3)

    Figure 3. Default Web Site Properties

  14. For the IP address choose (All Unassigned).

This configuration should allow Web requests to pass through the proxy server to the Web server and back. Dynamic packet filtering will work with this configuration.

Note: Do not configure static packet filters for HTTP on Proxy Server.


Configuring an SMTP (Mail) Server Behind the Proxy Server

To configure an SMTP mail server behind Microsoft Proxy Server, the Winsock Proxy Client is used to bind port 25 of the mail server to port 25 of the Proxy Server. This is accomplished by creating a Wspcfg.ini file on the mail server with a section for each executable file that the mail server utilizes (see Appendix A). Each mail service then binds to its own port on the Proxy Server (25 for SMTP, 110 for POP3) to "listen" for requests.

Note: This is a proprietary configuration that can only exist between Microsoft Proxy Server and the Winsock Proxy Client. This configuration cannot be used for a Macintosh, Unix or Novell server.

Before You Begin

DNS registration must be thought out very carefully. The Mail Server must be officially registered to the IP number of the Proxy Server: the MX record for the domain names the Mail Server, and the A record for that name points to the Proxy Server's public address. The host name used in that A or MX record must be the actual name configured on the Mail Server itself. This is an issue specific to the Windows environment and must be configured correctly.

Figure 4. SMTP Behind Proxy

Sample DNS records for Figure 4:

district.k12.mo.us MX=mail.district.k12.mo.us
mail.district.k12.mo.us A=207.160.135.1


Installation and Configuration

  1. Identify the Mail Server executable files and their locations within the directory structure. Appendix A shows typical directory locations for EMWACS, Exchange and Mercury 32.
  2. Using a DOS-based text editor, create a file named Wspcfg.ini to bind the executable programs to the corresponding ports on the Proxy Server. Appendix A shows sample files for Microsoft Exchange, EMWACS and Mercury 32. Once this file has been created, save it to the directory in which the executable files are located.
  3. Install the Winsock Proxy Client on the Mail Server.
    Refer to MOREnet's basic Installation and Configuration Guide for Microsoft Proxy Server 2.0 for instructions on installing Winsock Proxy Client on a Windows NT Mail Server.
  4. Enable the service and reboot the machine.
  5. Go to Microsoft Management Console on the Proxy Server.
  6. Choose Winsock Proxy Service.
  7. Right click on Winsock Proxy Service to pull up the Properties box.
  8. Click on Current Sessions to see if the Mail Server is connected via the Winsock Proxy Client.
  9. Start the NT mail services on the e-mail server, if they do not start automatically.
  10. Test to see if the Mail Server is binding by telnetting to port 25 of the Proxy Server.
  11. Test both internal and Internet mail services by sending e-mail to users.
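Step 10 can be scripted rather than done by hand. The following Python check is an added example (it is not part of the MOREnet guide and not a Microsoft tool): it connects to port 25, reads the SMTP greeting, and confirms that the reply code is 220 and that the greeting names the mail host you expect, which is the sign that the request reached the mail server's own SMTP service through the Winsock Proxy binding rather than something else listening on the proxy. The loopback stand-in server, the host name and the banner text are constructed here so the block runs offline; point check_smtp_banner at the Proxy Server's public address to use it for real.

```python
"""Verify that a mail server bound through the Winsock Proxy Client answers on port 25.

Added example, not code from the MOREnet guide. The loopback server, the host
name and the banner below are constructed for the self-contained demo.
"""
import socket
import threading
from typing import Optional, Tuple


def parse_banner(data: bytes) -> Optional[Tuple[int, str]]:
    """Return (reply code, text) from the first line of an SMTP greeting, or None."""
    line = data.split(b"\r\n", 1)[0].decode("ascii", "replace").strip()
    if len(line) < 3 or not line[:3].isdigit():
        return None
    return int(line[:3]), line[4:].strip()


def check_smtp_banner(host: str, port: int = 25, timeout: float = 5.0) -> Optional[Tuple[int, str]]:
    """Connect to host:port, read the greeting, send QUIT; None if nothing answers."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            data = s.recv(512)
            try:
                s.sendall(b"QUIT\r\n")
            except OSError:
                pass  # we already have the banner; a failed QUIT is not a finding
    except OSError:
        return None
    return parse_banner(data)


def expected_host_in_banner(banner: Optional[Tuple[int, str]], expected_host: str) -> bool:
    """True only for a 220 greeting that names the mail host the DNS records point at."""
    return banner is not None and banner[0] == 220 and expected_host in banner[1]


def _serve_constructed_banner(banner: bytes) -> int:
    """Loopback stand-in for the mail server; returns the port it listens on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def handler():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(banner)
            try:
                conn.recv(64)  # absorb the client's QUIT
            except OSError:
                pass
        srv.close()

    threading.Thread(target=handler, daemon=True).start()
    return srv.getsockname()[1]


def loopback_demo() -> Optional[Tuple[int, str]]:
    """Run the check against a constructed banner (host name from the page's DNS sample)."""
    port = _serve_constructed_banner(b"220 mail.district.k12.mo.us ESMTP ready\r\n")
    return check_smtp_banner("127.0.0.1", port)


def closed_port_demo() -> Optional[Tuple[int, str]]:
    """What the check returns when nothing is bound: the binding step failed."""
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    port = probe.getsockname()[1]
    probe.close()  # port is free again, so the connect below is refused
    return check_smtp_banner("127.0.0.1", port, timeout=2.0)


if __name__ == "__main__":
    result = loopback_demo()
    print("banner:", result)
    print("names expected host:", expected_host_in_banner(result, "mail.district.k12.mo.us"))
    print("closed port:", closed_port_demo())
```

A None result means the connect was refused or timed out, which is the symptom of a Wspcfg.ini that was saved in the wrong directory or a service that has not started; a 220 greeting that does not name your mail host means some other process on the proxy owns the port.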


Configuring a Web or Mail Server on the Proxy Server

Figure 5. Web Server on a Proxy Server

A Web or mail server should only be run on a proxy server if absolutely necessary. Services that are run on the same machine as the proxy server require static packet filters to function properly. Static filters override dynamic and could cause a security risk on your server. Microsoft Proxy Server is no longer able to examine the nature of those packets allowed to pass in and out on certain ports.

In general, to configure services on the Proxy Server do the following:

  1. Enable dynamic packet filtering.
  2. Configure static packet filters to the necessary ports.
    • SMTP - 25
    • POP - 110
    • WEB - 80
  3. Determine ports for any necessary services.
  4. Set DNS records to the public interface of the Proxy Server.
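To make the precedence rules from the Packet Filtering section and the caution above concrete, here is an added Python model of the decision the proxy makes for a packet arriving on its public interface. It is this example's own construction, not code from MOREnet or Microsoft, and the class names, sample addresses and the "allow:static"/"allow:dynamic"/"deny" labels are assumptions; only the three rules it encodes come from the page: with filtering disabled every packet passes, dynamic filtering admits only the return traffic of proxied sessions and drops that entry when the session ends, and a static filter is an exception consulted first, so a port it opens is reachable whether or not any session exists. The walk-through in demo() shows why the page says to run a mail or Web server on the proxy only when absolutely necessary.

```python
"""Toy model of Microsoft Proxy Server packet-filter precedence (added example).

Not code from the MOREnet guide; the classes, labels and sample addresses are
this example's own. Only inbound packets on the public interface are modelled.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

PUBLIC_IP = "207.160.135.1"  # public interface address from the page's DNS sample


@dataclass(frozen=True)
class Packet:
    """An inbound packet arriving on the proxy's public interface."""
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dport: int   # port on the public interface


@dataclass(frozen=True)
class StaticFilter:
    """Manual exception: admit packets to local_port (optionally only from remote_port)."""
    proto: str
    local_port: int
    remote_port: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        return (pkt.proto == self.proto and pkt.dport == self.local_port
                and (self.remote_port is None or pkt.sport == self.remote_port))


@dataclass
class ProxyFilter:
    filtering_enabled: bool = True
    static_filters: List[StaticFilter] = field(default_factory=list)

    def __post_init__(self):
        # dynamic state: (proto, remote ip, remote port, local port) of open proxied sessions
        self.sessions: Set[Tuple[str, str, int, int]] = set()

    def open_session(self, proto: str, remote_ip: str, remote_port: int, local_port: int):
        """Dynamic filtering opens the return path when a proxied session starts."""
        self.sessions.add((proto, remote_ip, remote_port, local_port))

    def close_session(self, proto: str, remote_ip: str, remote_port: int, local_port: int):
        """...and closes it again when the session is finished."""
        self.sessions.discard((proto, remote_ip, remote_port, local_port))

    def decide(self, pkt: Packet) -> str:
        if not self.filtering_enabled:
            return "allow:unfiltered"        # no public interface defined: everything passes
        for f in self.static_filters:        # static exceptions take precedence
            if f.matches(pkt):
                return "allow:static"
        if (pkt.proto, pkt.src, pkt.sport, pkt.dport) in self.sessions:
            return "allow:dynamic"           # reply to a session the proxy opened
        return "deny"

    def exposed_ports(self) -> List[int]:
        """Ports reachable from the public side regardless of any proxied session."""
        return sorted({f.local_port for f in self.static_filters})


def demo() -> List[Tuple[str, str]]:
    """Walk through the cases the page describes; returns (case, decision) pairs."""
    pf = ProxyFilter()
    reply = Packet("tcp", "198.51.100.10", 80, 3412)        # web site answering a proxied client
    unsolicited_smtp = Packet("tcp", "203.0.113.5", 4711, 25)
    unsolicited_http = Packet("tcp", "203.0.113.5", 4712, 80)
    out = []
    pf.open_session("tcp", "198.51.100.10", 80, 3412)
    out.append(("reply to open proxied session", pf.decide(reply)))
    pf.close_session("tcp", "198.51.100.10", 80, 3412)
    out.append(("same reply after session closed", pf.decide(reply)))
    out.append(("unsolicited SMTP, no static filter", pf.decide(unsolicited_smtp)))
    # A mail server on the proxy itself needs a static filter for 25; from now on
    # the proxy no longer judges that port by session state.
    pf.static_filters.append(StaticFilter("tcp", 25))
    out.append(("unsolicited SMTP, static filter for 25", pf.decide(unsolicited_smtp)))
    out.append(("unsolicited HTTP, still no filter", pf.decide(unsolicited_http)))
    return out


if __name__ == "__main__":
    for case, decision in demo():
        print(f"{case:45s} -> {decision}")
```

exposed_ports() is the list to review before a proxy goes live: every entry is a port that the page's warning applies to, and each one should correspond to a service you deliberately run on the proxy box itself.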

Appendix A: Sample Wspcfg.ini Files for SMTP Servers Behind a Proxy Server

EMWACS

The Wspcfg.ini file typically goes in the directory C:\Winnt\System32\EMWACS and contains the following information:

[smtprs]
ServerBindTcpPorts=25
Persistent=1
KillOldSession=1

[smtpds]
ServerBindTcpPorts=25
Persistent=1
KillOldSession=1

[pop3s]
ServerBindTcpPorts=110
Persistent=1
KillOldSession=1

MS Exchange 5.5

MS Exchange 5.5 requires a Wspcfg.ini file in two different locations.

In the same directory as Msexcimc.exe, place a Wspcfg.ini file with the following content:

[MSEXCIMC]
ServerBindTcpPorts=25
Persistent=1
KillOldSession=1

In the same directory as Store.exe, place a Wspcfg.ini file with the following content:

[Store]
ProxyBindTcpPorts=110,119,143
Persistent=1
KillOldSession=1

Mercury32 for Windows NT

In the same directory as Mercury.exe, place a Wspcfg.ini file with the following content:

[mercury]
ServerBindTcpPorts=25,110
Persistent=1
KillOldSession=1
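Because every section in these files asks the Proxy Server to expose a port on its public interface, it is worth auditing the set of Wspcfg.ini files on a mail server before installing the Winsock Proxy Client. The Python script below is an added example (not MOREnet's or Microsoft's code): it parses the Appendix A listings, which are embedded here as constructed sample text, lists every port requested under ServerBindTcpPorts or ProxyBindTcpPorts, reports ports outside the administrator's own expected list, reports ports requested by more than one section, and reports sections missing the Persistent and KillOldSession keys that every sample on this page carries. The script treats both bind keys the same way because the page does not describe how they differ; that is an assumption, and the expected-port sets passed to audit() are examples.

```python
"""Audit Wspcfg.ini files for the ports the Winsock Proxy Client will bind on the
Proxy Server's public interface (added example; not MOREnet's or Microsoft's code)."""
import configparser
from typing import Dict, List, Set, Tuple

# Sample files constructed from the Appendix A listings on this page.
EMWACS_INI = """\
[smtprs]
ServerBindTcpPorts=25
Persistent=1
KillOldSession=1

[smtpds]
ServerBindTcpPorts=25
Persistent=1
KillOldSession=1

[pop3s]
ServerBindTcpPorts=110
Persistent=1
KillOldSession=1
"""

EXCHANGE_STORE_INI = """\
[Store]
ProxyBindTcpPorts=110,119,143
Persistent=1
KillOldSession=1
"""

MERCURY_INI = """\
[mercury]
ServerBindTcpPorts=25,110
Persistent=1
KillOldSession=1
"""

BIND_KEYS = ("ServerBindTcpPorts", "ProxyBindTcpPorts")   # treated alike here (assumption)
EXPECTED_KEYS = ("Persistent", "KillOldSession")          # present in every sample on the page


def load_wspcfg(text: str) -> configparser.ConfigParser:
    """Parse a Wspcfg.ini body; keys keep their case and '%' is not interpolated."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def bindings(cp: configparser.ConfigParser) -> List[Tuple[str, str, int]]:
    """Return (section, key, port) for every port listed under a bind key."""
    out = []
    for section in cp.sections():
        for key in BIND_KEYS:
            if cp.has_option(section, key):
                for item in cp.get(section, key).split(","):
                    item = item.strip()
                    if item:
                        out.append((section, key, int(item)))
    return out


def audit(files: Dict[str, str], expected_ports: Set[int]) -> dict:
    """Summarise what a set of Wspcfg.ini files asks the proxy to bind.

    expected_ports is the administrator's own list of ports that are supposed to be
    reachable (for example {25, 110} for an SMTP/POP3 server); anything else is
    reported so it can be justified or removed before the client is installed.
    """
    report = {"bindings": [], "unexpected": [], "shared_ports": {}, "missing_keys": []}
    owners: Dict[int, List[str]] = {}
    for name, text in files.items():
        cp = load_wspcfg(text)
        for section, key, port in bindings(cp):
            report["bindings"].append((name, section, key, port))
            if port not in expected_ports:
                report["unexpected"].append((name, section, key, port))
            owners.setdefault(port, []).append(f"{name}:{section}")
        for section in cp.sections():
            for k in EXPECTED_KEYS:
                if not cp.has_option(section, k):
                    report["missing_keys"].append((name, section, k))
    report["shared_ports"] = {p: o for p, o in owners.items() if len(o) > 1}
    return report


if __name__ == "__main__":
    rep = audit({"emwacs": EMWACS_INI, "store": EXCHANGE_STORE_INI}, {25, 110})
    for entry in rep["unexpected"]:
        print("unexpected bind:", entry)
    for port, who in rep["shared_ports"].items():
        print(f"port {port} requested by {', '.join(who)}")
    for entry in rep["missing_keys"]:
        print("missing key:", entry)
```

Run against the Exchange samples with an expected list of {25, 110}, the audit flags 119 and 143 from the Store section; whether NNTP and IMAP should really be reachable through the proxy is a decision to make explicitly, not one to discover after the fact. Ports listed under shared_ports (25 for the two EMWACS SMTP sections) are not errors in themselves, but they tell you which executables must both be running for the binding to behave as the page's step 10 test expects.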


 
Copyright ©2002 MOREnet. All rights reserved. Reviewed November 26, 2002.