Chapter 6, Proxy Server in Internet and Intranet Designs
Chapter 6 Overview
A. Designs That Include Proxy Server
1. Identify the requirements and constraints for creating a Proxy Server design.
2. Understand the relationship between Proxy Server and Microsoft Windows 2000.
3. Understand the role of Proxy Server in the Windows 2000 architecture.
4. Determine when it’s appropriate to use Proxy Server in a networking design.
B. Essential Proxy Server Design Concepts
1. Determine where to place proxy servers in your design.
2. Configure each proxy server interface.
3. Set up the LAT for each proxy server and its clients.
4. Determine the best way to connect each client computer to the proxy servers.
C. Data Protection in Proxy Server Designs
1. Identify the ways Proxy Server can protect inbound and outbound network traffic.
2. Use Proxy Server to protect private network resources from inbound Internet traffic.
3. Use Proxy Server to protect outbound data traffic.
D. Proxy Server Design Optimization
1. Learn strategies to increase network availability for both inbound and outbound traffic.
2. Learn strategies to increase the data transmission rate for inbound and outbound traffic.
Chapter 6, Lesson 1
Designs That Include Proxy Server
1. Proxy Server 2.0 and Windows 2000
A. Proxy Server 2.0 provides Internet connectivity for IP- and IPX-based networks.
B. You purchase Proxy Server as a separate product.
C. Proxy Server is a group of services that runs on Windows 2000.
1. Proxy Server uses IP in Windows 2000 to communicate with the private network and the Internet.
2. You can use Proxy Server to assign permissions to Active Directory–based groups and users.
3. Proxy Server uses NTFS partitions to store locally cached Web objects, such as HTML pages or FTP files.
2. Proxy Server Design Requirements and Constraints
A. Collect design requirements and constraints before creating your design.
B. Base design decisions on those requirements and constraints, including
1. Amount and confidentiality of data transmitted through the proxy server
2. Private network resources that need to be accessible to Internet-based users
3. Plans for future network growth
4. Characteristics of existing proxy servers, including
a. The protocols that the private network uses
b. Proxy server placement
c. Wide area network (WAN) connections used
d. Response times for applications that access resources through proxy servers
5. Network availability requirements (uptime)
3. Proxy Server Design Decisions
A. Base design decisions on your organization’s requirements and constraints.
B. Decide what technologies and protocols each proxy server will support.
1. Types of connections (persistent or nonpersistent)
2. Types of Proxy Server clients
3. Connection methods
a. T1
b. Public Switched Telephone Network (PSTN)
c. Integrated Services Digital Network (ISDN)
d. Digital Subscriber Line (DSL)
e. X.25
C. Decide which dynamic routing protocols or manual routing tables each router will support.
D. Determine how you will use multiple connections and multiple proxy servers to improve availability and performance.
E. Determine how you will filter network traffic.
4. Internet Connectivity Designs
A. Most of the networks you design will include Internet connectivity.
B. Internet connectivity designs provide
1. Internet access for private network users
2. Private network access for Internet-based users
C. In Internet connectivity designs, a proxy server replaces a firewall.
D. You can use Proxy Server features to increase the security of your design by
1. Preventing unauthorized access to private network resources
2. Allowing only authorized users to access Internet resources
3. Automatically performing network address translation between the private network and the Internet
4. Supporting public and private IP addressing schemes
5. Caching Web content locally, thus reducing network traffic and improving Internet access performance
6. Providing Internet connectivity over any network interface that Windows 2000 supports
5. Web Content Caching Designs
A. You can create Web content caching designs to improve performance on networks that have existing firewalls that provide security between the private network and the Internet.
B. A Web content caching design improves Internet access performance but does not provide additional security.
C. With Web caching, the proxy server first checks for the presence of the requested URL content in its cache rather than automatically sending each request to the Internet server.
1. From a client computer, a user types or enters a URL to access a Web page.
2. The URL request is forwarded to the proxy server.
3. The proxy server checks the local cache to determine whether the URL content is already cached.
a. If the URL content is already cached, the proxy server returns it to the client computer, and the process is complete.
b. If the URL content is not cached, the proxy server requests it from the Internet server.
4. The Internet server returns the URL content to the proxy server.
5. The proxy server returns the content to the client computer and places the content in the local cache.
D. Each proxy server in a Web content caching design must
1. Manage at least one NTFS partition, which must be large enough to store frequently accessed Web content
2. Include at least one network adapter
3. Be capable of connecting over the network interfaces used in your design
6. IPX to IP Gateway Designs
A. IPX to IP gateway designs let you provide Internet connectivity or simple IP connectivity to IPX-based private networks.
B. You can use Proxy Server to connect IPX-based private networks to the Internet.
C. Proxy Server’s IPX to IP gateway feature translates URL information from IPX packets to IP packets, and vice versa.
1. From a client computer on the private network, a user types or enters a URL to access an Internet resource (Web page).
2. IPX forwards the client computer’s URL request to the proxy server.
3. The proxy server receives the request and moves the URL request from the IPX packet to an IP packet.
4. The proxy server forwards the repackaged URL request to the Internet server.
5. The Internet server returns the Web content to the proxy server.
6. The proxy server receives the response from the Internet server and moves the URL response from the IP packet to an IPX packet.
7. The proxy server forwards the URL response to the client computer.
D. Each proxy server in an IPX to IP design must
1. Meet all Internet connectivity design requirements
a. Simple IPX to IP gateway services require only one network interface.
b. Two network interfaces are required if you also want to provide Internet connectivity security.
2. Use the appropriate protocol (IPX or IP) to communicate with each network segment
E. In an IPX to IP gateway design, install the Proxy Server client software on each IPX-based computer that accesses Proxy Server.
Chapter 6, Lesson 2
Essential Proxy Server Design Concepts
1. Placing Proxy Servers in the Network Design
A. Place proxy servers according to your organization’s requirements.
1. For Internet connectivity, place the proxy server between your private network and the Internet.
2. For Web content caching, place the proxy server inside your private network so that it is local to the users who request Web content.
3. For Internet connectivity and Web content caching, use two proxy servers:
a. One between your private network and the Internet
b. One inside your private network so that it is local to the users who request Web content
B. You might want to position the proxy server in a parallel location to the IP routers to
1. Load balance network traffic
2. Forward HTTP and FTP traffic through the proxy server, and forward all other IP traffic through the router
2. Determining Proxy Server Interface Specifications
A. Each proxy server needs at least one network interface.
1. To provide Web content caching or IPX to IP gateway services, specify only one network interface.
2. To provide Internet connectivity, specify at least two network interfaces.
B. Specify the following for each interface in each proxy server in your design:
1. Connection type (persistent or nonpersistent)
2. IP configuration information for all interfaces connected to IP network segments
a. IP address
b. IP subnet mask
3. IPX configuration information for all interfaces connected to IPX network segments
a. IPX network number
b. IPX frame type
3. Specifying the Proxy Server LAT Information
A. Proxy servers and proxy server clients use the LAT (local address table) information to determine if the destination IP address resides in the private network.
B. The LAT must contain a list of all IP address ranges in the private network.
C. You can create and update the LAT automatically or manually.
1. Automatically create the LAT using local Windows 2000 IP configuration information, including
a. Windows 2000 IP routing information
b. IP configuration of local network interface adapters
2. Manually enter LAT information by specifying an entry for each IP network number that exists in the private network.
D. When Proxy Server clients install the client software, a copy of the LAT is automatically downloaded to the client machine.
1. On client computers, automatic installation and management of LAT information is only available when the client software is installed.
2. The Proxy Server client is the only method that allows automatic installation and management of LAT information.
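As an added illustration (not code from this outline or from Proxy Server itself) of how a LAT steers a client's traffic: the class, the addresses and the audit below are constructed for this example, and the "public entry" check is a plain RFC 1918 test, not Proxy Server's own logic.

```python
import ipaddress

# Constructed example: a LAT populated the two ways the outline describes, automatically
# from a local adapter's IP configuration and manually from private network numbers.
# Class and function names are hypothetical, not Proxy Server's own.

RFC1918 = [ipaddress.IPv4Network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _is_rfc1918(addr):
    return any(addr in net for net in RFC1918)


class LocalAddressTable:
    """The IP ranges that Proxy Server and its clients treat as the private network."""

    def __init__(self):
        self.ranges = []  # list of (first, last) IPv4Address pairs

    def add_range(self, first, last):
        """Manual entry: one explicit first/last address pair."""
        a, b = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
        if a > b:
            raise ValueError("LAT range start is after its end")
        self.ranges.append((a, b))

    def add_interface(self, ip, mask):
        """Automatic entry: the subnet of a local network adapter, from its IP and mask."""
        net = ipaddress.IPv4Network(f"{ip}/{mask}", strict=False)
        self.ranges.append((net.network_address, net.broadcast_address))

    def is_local(self, ip):
        """True when the destination falls inside any LAT range."""
        addr = ipaddress.IPv4Address(ip)
        return any(first <= addr <= last for first, last in self.ranges)

    def public_entries(self):
        """Entries covering non-RFC 1918 addresses: clients would bypass the proxy for them."""
        return [(str(a), str(b)) for a, b in self.ranges
                if not (_is_rfc1918(a) and _is_rfc1918(b))]


def route_decision(lat, dest_ip):
    """A proxy client's choice for a destination: connect directly or hand it to the proxy."""
    return "direct" if lat.is_local(dest_ip) else "proxy"


def build_sample_lat():
    """Constructed LAT: one automatic entry from the internal adapter, one manual entry."""
    lat = LocalAddressTable()
    lat.add_interface("10.1.5.20", "255.0.0.0")       # internal adapter -> 10.0.0.0-10.255.255.255
    lat.add_range("192.168.10.0", "192.168.10.255")   # remote office segment, entered by hand
    return lat


if __name__ == "__main__":
    lat = build_sample_lat()
    for dest in ("10.200.0.9", "192.168.10.7", "172.16.4.4", "198.51.100.5"):
        print(dest, "->", route_decision(lat, dest))
    # 172.16.4.4 is a private segment nobody added to the LAT, so the client sends that
    # traffic to the proxy as if it were on the Internet: an incomplete LAT misroutes traffic.
    sloppy = LocalAddressTable()
    sloppy.add_range("10.0.0.0", "10.255.255.255")
    sloppy.add_range("203.0.113.0", "203.0.113.255")  # a public block listed by mistake
    print("public LAT entries:", sloppy.public_entries())
```

The two failure modes shown are the ones a design review should look for: a private segment missing from the LAT sends internal traffic to the proxy, and a public block wrongly present in the LAT makes clients try to reach the Internet directly.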
4. Selecting the Proxy Server Client Support
A. Proxy Server supports a variety of client operating systems.
B. Determine which client operating systems your design will support.
C. Determine the types of Proxy Server client support you will provide:
1. The Windows Proxy Server client supports Windows 2000 and Microsoft Windows Me as well as IPX to IP gateways. This method redirects all IP traffic through Proxy Server.
2. Microsoft Internet Explorer 5.0 supports any operating system that includes Internet Explorer 5.0. This method redirects only HTTP and FTP traffic through Proxy Server.
3. SOCKS supports UNIX, Macintosh, and other operating systems that use the SOCKS standard.
4. Default gateway supports any operating system by configuring the default gateway setting to redirect all nonlocal traffic to the proxy server.
D. Provide Proxy Server support for each client operating system used in your design.
1. For Windows 2000, select Proxy Server client software, Internet Explorer 5.0, or default gateway support.
2. For Windows Me, select Proxy Server client software, Internet Explorer 5.0, or default gateway support.
3. For Macintosh clients, select SOCKS, Internet Explorer 5.0, or default gateway support.
4. For UNIX systems, select SOCKS, Internet Explorer 5.0 (if your version of UNIX supports it), or default gateway support.
Chapter 6, Lesson 3
Data Protection in Proxy Server Designs
1. Identifying Proxy Server Data Protection Methods
A. If you use Proxy Server to provide Internet connectivity, you need to protect your organization’s data.
1. Protect private network resources from unauthorized users.
2. Restrict user access from your private network to Internet resources, if necessary.
B. If you use Proxy Server to provide Web content caching only, use firewalls or other security methods to provide network security.
C. Any proxy server that provides security must contain at least two network interface adapters to separate the private network from the Internet.
D. You can use a combination of methods to protect your organization’s data.
1. Packet filters method
a. Protects inbound and outbound traffic
b. Uses the criteria you specify for all types of IP traffic to restrict both inbound and outbound traffic
2. Web publishing method
a. Protects inbound traffic
b. Restricts inbound traffic based on the requested URL
3. Domain filters method
a. Protects outbound traffic
b. Restricts outbound traffic by a single IP address, a range of IP addresses, or a fully qualified domain name (FQDN)
4. User authentication method
a. Protects outbound traffic
b. Restricts outbound traffic to authenticated users only
2. Protecting Private Network Resources
A. If you use Proxy Server to provide Internet connectivity, protecting your private network resources is your top security concern.
B. Base design decisions on your organization’s security needs.
C. To protect private network resources, restrict inbound traffic using one or both of these methods:
1. Packet filtering
2. Web publishing
D. For Proxy Server packet filtering, base traffic restriction criteria on any combination of IP header information.
1. Direction
a. Specifies the direction of the IP traffic, relative to the Proxy Server network interface
b. For maximum security, restrict the inbound traffic on the Proxy Server interface connected to the Internet. Proxy Server then does not even receive the restricted IP packets.
2. Protocol ID
a. Specifies the IP protocol ID for inbound traffic
b. Use the protocol ID to restrict traffic based on applications or specific services.
3. Local port
a. Specifies the Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) port number within the private network
b. For inbound traffic, the local port number is the destination port number.
c. Allows you to restrict access to a specific port number or range of port numbers
4. Remote port
a. Specifies the TCP or UDP port number on the Internet
b. Allows you to restrict access from a specific port number or range of port numbers
5. Local host IP address
a. Specifies the IP address of a computer on the private network (usually the IP address of the Proxy Server interface connected to the Internet)
b. Allows you to restrict traffic to any IP address within the private network
6. Remote host IP address
a. Specifies the IP address of a computer on the Internet
b. Allows you to restrict inbound traffic to a specific range of IP addresses
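An added example (not from the outline or from Proxy Server) that evaluates the six criteria above against sample packets: the rule semantics modelled here (a packet passes when any rule matches, everything else is dropped), the rule set and every address are assumptions for this illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple, Union

# Constructed example of the six packet filter criteria the outline lists. The policy modelled
# here (a packet passes when any rule matches, otherwise it is dropped) and all names and
# addresses are assumptions for this illustration, not Proxy Server's own filter engine.

PortSpec = Union[None, int, Tuple[int, int]]   # None = any, int = one port, (lo, hi) = range
TCP, UDP, ICMP = 6, 17, 1                      # IP protocol IDs


@dataclass(frozen=True)
class Packet:
    direction: str                 # "inbound" or "outbound", relative to the Internet interface
    protocol: int                  # IP protocol ID
    local_host: str                # private-side address (the proxy's own address for inbound)
    remote_host: str               # Internet-side address
    local_port: Optional[int] = None
    remote_port: Optional[int] = None


@dataclass(frozen=True)
class FilterRule:
    direction: Optional[str] = None
    protocol: Optional[int] = None
    local_port: PortSpec = None
    remote_port: PortSpec = None
    local_host: Optional[str] = None     # single address or CIDR block
    remote_host: Optional[str] = None

    def matches(self, pkt: Packet) -> bool:
        return (self.direction in (None, pkt.direction)
                and self.protocol in (None, pkt.protocol)
                and _port_ok(self.local_port, pkt.local_port)
                and _port_ok(self.remote_port, pkt.remote_port)
                and _host_ok(self.local_host, pkt.local_host)
                and _host_ok(self.remote_host, pkt.remote_host))


def _port_ok(spec: PortSpec, port: Optional[int]) -> bool:
    if spec is None:
        return True
    if port is None:          # ICMP has no ports, so it can never satisfy a port criterion
        return False
    if isinstance(spec, tuple):
        return spec[0] <= port <= spec[1]
    return spec == port


def _host_ok(spec: Optional[str], ip: str) -> bool:
    return spec is None or ipaddress.IPv4Address(ip) in ipaddress.IPv4Network(spec, strict=False)


def evaluate(rules, pkt: Packet) -> str:
    """'allow' when some rule matches the packet, otherwise 'deny'."""
    return "allow" if any(rule.matches(pkt) for rule in rules) else "deny"


PROXY_EXTERNAL_IP = "203.0.113.10"        # hypothetical address of the proxy's Internet interface
ISP_RESOLVER = "198.51.100.53"            # hypothetical resolver the proxy is allowed to query

# Constructed rule set: publish one Web server inbound, allow Web browsing and DNS outbound.
RULES = [
    FilterRule(direction="inbound", protocol=TCP, local_port=80, local_host=PROXY_EXTERNAL_IP),
    FilterRule(direction="outbound", protocol=TCP, remote_port=80),
    FilterRule(direction="outbound", protocol=TCP, remote_port=443),
    FilterRule(direction="outbound", protocol=UDP, remote_port=53, remote_host=ISP_RESOLVER),
]
```

Note that for an inbound packet the local port is the destination port at the proxy, as the outline states, so the first rule admits only connections to TCP 80 on the proxy's external address.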
E. Use Proxy Server’s Web Publishing feature to allow Internet users to access Web and FTP server resources in your private network.
1. By default, Proxy Server discards all inbound URL requests to access Web and FTP servers in the private network.
2. Redirect specific URL requests to Web and FTP servers within the private network by adding each URL to the Web Publishing list.
3. For inbound URL requests not specified in the Web Publishing list, Proxy Server responds in one of the following ways:
a. Discards the request
b. Redirects the request to the default Web site on the computer where Proxy Server is installed
c. Redirects the request to any Web site on the private network
3. Restricting Access to Internet Resources
A. If you use Proxy Server, you might also want to restrict private network user access to the Internet.
B. Base design decisions on your organization’s security needs.
C. You can restrict outbound traffic to the Internet using one or all of these methods:
1. Packet filtering
2. Domain filtering
3. User account authentication
D. Proxy Server packet filters restrict traffic based on IP header information.
1. Base traffic restriction criteria on any combination of IP header information.
2. Use the same process as that for restricting inbound traffic, except that you specify outbound in the Direction criteria for the packet filters.
E. Proxy Server domain filters restrict Internet access to specific IP addresses or FQDNs.
1. Filter requests based on
a. An IP address; use to specify a single computer or a cluster of IP addresses
b. A range of IP addresses; use for more than one computer
c. A fully qualified domain name (FQDN); use to specify resources supported by an organization
2. Build a list of Internet sites in your domain filters.
3. Specify how domain filters will respond to requests to the listed Internet sites.
a. Reject all packets to the listed Internet sites, and forward all other packets.
b. Forward all packets to the listed Internet sites, and reject all others.
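An added example (not the outline's or Proxy Server's own code) of a domain filter holding the three entry kinds in E.1 and answering in the two modes of E.3: FQDN entries are matched as a domain suffix here, which is an assumption ("example.com" also covers "www.example.com"), and all names and addresses are hypothetical.

```python
import ipaddress

# Constructed example of a domain filter with the three entry kinds and two response modes
# the outline describes. FQDN entries match as a domain suffix here (an assumption:
# "example.com" also covers "www.example.com"); all names and addresses are hypothetical.

REJECT_LISTED = "reject_listed"      # reject listed sites, forward all others
FORWARD_LISTED = "forward_listed"    # forward listed sites, reject all others


class DomainFilter:
    def __init__(self, mode):
        if mode not in (REJECT_LISTED, FORWARD_LISTED):
            raise ValueError(f"unknown domain filter mode {mode!r}")
        self.mode = mode
        self.networks = []   # single addresses and ranges, as IPv4Network objects
        self.domains = []    # FQDN entries, lowercase, no trailing dot

    def add_ip(self, ip):
        """Single computer."""
        self.networks.append(ipaddress.IPv4Network(ip))

    def add_range(self, first, last):
        """More than one computer: every address from first to last inclusive."""
        a, b = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
        self.networks.extend(ipaddress.summarize_address_range(a, b))

    def add_fqdn(self, name):
        """Resources supported by an organization, listed by name."""
        self.domains.append(name.lower().rstrip("."))

    def is_listed(self, target):
        """target is a dotted IP address or a host name."""
        try:
            addr = ipaddress.IPv4Address(target)
        except ValueError:
            host = target.lower().rstrip(".")
            return any(host == d or host.endswith("." + d) for d in self.domains)
        return any(addr in net for net in self.networks)

    def decide(self, target):
        """'forward' or 'reject' for one outbound request, according to the mode."""
        listed = self.is_listed(target)
        if self.mode == REJECT_LISTED:
            return "reject" if listed else "forward"
        return "forward" if listed else "reject"


def build_block_list():
    """Constructed deny list: sites private users may not reach (E.3.a)."""
    f = DomainFilter(REJECT_LISTED)
    f.add_ip("198.51.100.25")
    f.add_range("198.51.100.64", "198.51.100.79")
    f.add_fqdn("games.example.net")
    return f


def build_allow_list():
    """Constructed allow list: only one organization's resources are reachable (E.3.b)."""
    f = DomainFilter(FORWARD_LISTED)
    f.add_fqdn("example.com")
    return f
```

Because address entries and FQDN entries are checked independently, a site listed only by name is not matched when it is requested by address; list both forms where the address is known.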
F. Proxy Server user authentication provides Internet access to authenticated users on the private network.
1. Assign access to users or groups in the Active Directory directory service, or to any local user or group on a member server.
2. Allow or disallow selected users or groups to transmit data to the Internet through Proxy Server.
3. Consider using Proxy Server packet filters or domain filters to restrict the resources that can be accessed.
4. If you grant Proxy Server access to all users, you also allow anonymous users to transmit data through Proxy Server.
Chapter 6, Lesson 4
Proxy Server Design Optimization
1. Identifying Proxy Server Optimization Techniques
A. Base optimization decisions on your organization’s requirements.
B. The direction of traffic (inbound or outbound) determines the appropriate Proxy Server optimization method.
1. Web content cache method
a. Direction: outbound
b. Improves performance by storing copies of Web content locally
2. Proxy array method
a. Direction: outbound
b. Improves performance and reliability by distributing outbound traffic and the Web content cache across multiple proxy servers
3. Network Load Balancing method
a. Direction: inbound
b. Improves performance and reliability by distributing inbound traffic across multiple proxy servers
4. Round robin DNS method
a. Direction: inbound
b. Improves performance and reliability by distributing inbound traffic across multiple proxy servers
C. Use any combination of these methods to optimize network performance or reliability.
2. Optimizing Internet Access
A. You can optimize your design to improve the availability and performance of outbound requests and inbound responses.
B. To optimize Internet access traffic, you can use Web content caching and proxy server arrays.
C. Proxy Server supports active and passive Web content caching methods.
D. Active caching retrieves updates to cached Web content when the processor utilization of the proxy server is low.
1. Active caching is the default caching mode.
2. You can also specify when to check for updated Web content based on
a. HTML header information
b. URL of the content
c. Date and time of cached Web content files
3. Active caching
a. Reduces processor overhead and Internet traffic during peak periods
b. Creates activity when client computers are not accessing the Internet, which may increase connection costs
E. Passive caching updates cached Web content when client computers request the content.
1. You can specify when to check for updated Web content, but passive caching updates the content only when client computers request it.
2. Passive caching
a. Eliminates activity when client computers aren’t accessing the Internet
b. Can increase processor overhead and Internet traffic during peak periods
F. Proxy Server supports proxy arrays.
1. Cached Web content and network traffic are distributed across all proxy servers in the proxy array.
2. Using proxy arrays can improve performance by load balancing the following across all proxy servers in the proxy array:
a. Network traffic
b. Disk access
c. Processor use
3. Using a proxy array can improve reliability. When one proxy server in the array fails for any reason, the remaining proxy servers in the array continue to provide connectivity.
4. When creating a proxy array
a. You can assign the same proxy array name to multiple proxy servers
b. You can add or remove proxy servers without affecting existing proxy servers in the proxy array
c. You do not need to configure client computers to use a proxy array
d. If you have only one proxy server, you can still create a proxy array for future use
e. Proxy servers in the proxy array should have comparable memory, processor, and disk storage capability
G. You can organize proxy servers and proxy arrays in a hierarchy to further improve performance.
1. The proxy server or proxy array at the top of the hierarchy provides Internet access and connectivity to the network.
a. Configure the proxy array with an upstream connection to the Internet.
b. All requests are forwarded to the Internet site.
2. Other proxy servers and proxy arrays forward requests to the proxy server or proxy array at the top of the hierarchy.
H. You can combine these methods to optimize the performance and reliability of Internet access traffic.
3. Optimizing Private Network Resource Access
A. You can optimize your design to improve the availability and performance of private network resource access.
B. To optimize private network resource access traffic, you can use Network Load Balancing or round robin DNS.
C. Network Load Balancing
1. Is included only in Microsoft Windows 2000 Advanced Server and Microsoft Windows 2000 Datacenter Server
2. Doesn’t run on proxy servers that run on other operating systems
3. Balances traffic across all proxy servers in the Network Load Balancing cluster
4. Must be included in all proxy servers in the cluster. You must specify an IP address for cluster use.
5. Load balances all Proxy Server traffic sent to the cluster IP address across all proxy servers in the cluster
6. If a proxy server in the cluster fails for any reason, the cluster automatically redistributes the traffic to the remaining proxy servers in the cluster.
7. Requires extra processor and memory resources on each proxy server that runs it
D. Round robin DNS
1. Statically load balances traffic across multiple proxy servers
2. Works on all operating system platforms
3. Create round robin DNS entries by specifying the same FQDN with different IP addresses.
a. The DNS server responds to the first query for the FQDN with the first IP address in the list.
b. The DNS server responds to the second query for the FQDN with the second IP address in the list, and so on.
4. Improves performance, but not availability, because a request sent to a down proxy server returns an error rather than being sent to the next proxy server in the list
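An added simulation (not from the outline, and not the real DNS or Network Load Balancing implementations) contrasting C.6 with D.4: round robin DNS keeps handing out a failed proxy's address, while a cluster that tracks member health drops it from rotation. Server addresses, the health map and the request counts are constructed.

```python
from itertools import cycle

# Constructed simulation contrasting the two inbound methods in the outline. Server addresses,
# the health map and the request counts are hypothetical; this models the behaviour the
# outline describes, not the real DNS or Network Load Balancing implementations.


class RoundRobinDns:
    """Same FQDN, several A records: each query gets the next address, up or not."""

    def __init__(self, addresses):
        self._next = cycle(addresses)

    def resolve(self, fqdn):
        return next(self._next)


class NlbCluster:
    """One cluster IP; traffic sent to it is spread over the members that are still up."""

    def __init__(self, members, cluster_ip):
        self.members = list(members)
        self.cluster_ip = cluster_ip    # the address clients use; members stay hidden
        self._turn = 0

    def dispatch(self, health):
        """Pick the next live member; a failed host simply drops out of rotation."""
        live = [m for m in self.members if health.get(m, False)]
        if not live:
            return None
        self._turn = (self._turn + 1) % len(live)
        return live[self._turn]


def send_request(server, health):
    """A client's request either reaches a running proxy or fails outright."""
    return "ok" if server is not None and health.get(server, False) else "error"


def failed_requests_round_robin(addresses, health, n):
    """Errors seen by n clients whose lookups rotate through the A records."""
    dns = RoundRobinDns(addresses)
    return sum(send_request(dns.resolve("proxy.example.com"), health) == "error"
               for _ in range(n))


def failed_requests_nlb(addresses, cluster_ip, health, n):
    """Errors seen by n clients whose traffic all goes to the cluster IP."""
    cluster = NlbCluster(addresses, cluster_ip)
    return sum(send_request(cluster.dispatch(health), health) == "error"
               for _ in range(n))


if __name__ == "__main__":
    proxies = ["10.0.0.11", "10.0.0.12", "10.0.0.13"]
    health = {"10.0.0.11": True, "10.0.0.12": False, "10.0.0.13": True}  # one proxy is down
    print("round robin DNS errors:", failed_requests_round_robin(proxies, health, 9))  # 3
    print("NLB errors:", failed_requests_nlb(proxies, "10.0.0.10", health, 9))         # 0
```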
Chapter Summary
A. Proxy Server 2.0 provides Internet connectivity for IP- and IPX-based networks.
1. Provides Internet access for private network users
2. Provides private network access for Internet-based users
3. Can take the place of a firewall
4. Improves performance through Web content caching
5. Can connect IPX-based private networks to the Internet
B. Position proxy servers based on the organization’s requirements.
1. Each proxy server needs at least one network interface.
2. Proxy servers and proxy server clients use the LAT to determine IP address location.
3. Several methods are available to support proxy server clients.
a. Windows Proxy Server client
b. Internet Explorer 5.0
c. SOCKS
d. Default gateway
C. Protect the data if Internet connectivity is included.
1. Packet filters
2. Web publishing
3. Domain filters
4. User authentication
D. Several techniques can optimize Proxy Server performance and availability.
1. Web content caching
2. Proxy array
3. Network Load Balancing
4. Round robin DNS