requirements for Proxy Server 2.0
486 or higher
24MB RAM (with Intel
32MB RAM (with RISC
10MB free hard drive
5MB required minimum
free hard drive space for caching. (Although it is
recommended you have 100MB + 0.5MB per client)
NT Server 4.0 with
Service Pack 3 installed.
be used to install Proxy Server.
/r - Reinstall Proxy
/u - Uninstall Proxy
/k "keynumber" -
Specifies the CD Key
2.0 is added into the MS Management Console (Internet
Service Manager) administration
software can be installed through the
//servername/mspclnt share and running SETUP.EXE, or
by connecting to http://servername/msproxy and
running the installation program.
- Log file displaying problems found during client
items are installed with the client software
WinSock Proxy client
MSPCLNT.INI - Contains
client configuration information.
MSPLAT.TXT - Contains
the Local Address Table.
cache space allocation is 100MB + .5MB free disk space per
setting for cache is 100MB when the drive has at least 150MB
free hard drive space.
only be performed on an NTFS partition. It cannot be
performed on a FAT partition.
To convert a
FAT partition to NTFS to allow caching, use the CONVERT.EXE
requiring authentication or SSL connections will not be
All objects are cached. Cached objects will be
removed after their TTL has expired. Objects will then be
re-cached only when a client accesses that site
Frequently requested objects are retrieved from
the Internet by the proxy server when the TTL of the object
in cache is getting ready to expire.
Updates are more
important - Lowers cache performance to keep popular pages
Equal importance -
Balances cache performance with cache updates.
Fewer network accesses
are more important (more cache hits) - Provides best cache
user response is more important - Saves less cache, but
updates what is saved very frequently. Causes more users
to access data from the Internet rather than
importance - Balances cache performance with cache
network accesses are more important - Allows least amount
of Internet traffic and will not update cache as
To limit the
size of cache objects, use expired objects in the cache, or
change an object's TTL, set the proper options in the page
accessed through the Web Proxy Service Properties window by
clicking the Caching tab, then click Advanced.
List of specific URLs that are in the cache. You
can edit the cache list in the Web Proxy Service Properties
window by clicking the Caching tab, Advanced, then click
(Local Address Table)
Contains IP addresses of the internal network and IP address
of the proxy server.
Contains the Local Address Table. The master copy of this
file is stored on the server, and can be downloaded to
- Custom LAT for clients that need access to network ranges
not specified in the MSPLAT.TXT You can
construct the list of internal IP addresses by clicking
IP ranges from your network to specify addresses of clients
that will be connecting through the proxy
IP ranges can
be changed in the individual service's properties by
clicking the Local Address Table
(Cache Array Routing Protocol) and Multiple Proxy
Multiple proxy servers are configured in an array to provide
a single logical cache. These servers communicate with each
other, so that each server knows the exact contents of the
other servers. This disallows cache
Uses HTTP to
CARP can be
implemented on clients using PAC - Proxy Auto-Config
use an array membership list. They use TTL to determine when
to check for active servers, and maintain the list of
active servers in the array membership list.
is used to maintain the array membership list. List includes
TTL until next check, URL to receive array information for a
remote manager, and load factors for each server.
server will query array for a new table when TTL
routing Requests are forwarded from a downstream proxy or
array to an array of upstream proxies when they cannot be
serviced. One hop is performed in each array before being
forwarded to the next level.
One member of the array will answer a request
received by another member of the array, when it is
determined that they are the highest scoring proxy (through
Computes list of available servers and the URL to
determine which proxy server in the array to
how to connect to the array.
To view the
array membership table, input the following URL into your
The list you
will receive will resemble the following:
192.168.0.1 80 http://server1:80/array.dll MSProxy/2.0 7521 Up 100 150
server2 192.168.0.2 80 http://server2:80/array.dll MSProxy/2.0 7521 Up 100
describes the information for server1
URL for array.dll
Version of Proxy Server
Number of seconds in current state
Current state (up or down)
Load factor of server
Routing tab of the proxy's properties, you can configure
Upstream routing to automatically forward client requests to
the Internet or to another proxy server or array.
Routing tab of the proxy's properties, check the Enable
backup route box and insert the proper parameters to
automatically forward requests to the Internet or another
proxy server or array in case the first upstream choice is
the array can be enabled to resolve proxy requests within
the array prior to routing the client to an upstream server
or array. This allows load balancing within the
can be administered through the Internet Service Manager and
through the command line.
installs counters into Performance monitor to enhance and
troubleshoot more efficiently.
administer Proxy server, you must have the same version of
client software installed on your system as the server you
are connecting to.
REMOTMSP - Used to
remotely configure and administer Proxy Server, including
starting and stopping services, backing up and restoring
proxy information, and managing server arrays.
WSPPROTO - Used to
remotely edit service protocol definitions.
services from the command line
Web - NET STOP|START
WinSock - NET
Socks - NET STOP|START
W3SVC or use Remotmsp.exe
parameters are backed up to a text file in the C:\MSP\CONFIG
directory, unless otherwise specified.
To perform a
backup, go to the Properties field of any proxy service,
click the Service tab, then click Server
Backup. Select the directory you would like to back up to
and click OK.
To perform a
restoration, go to the Properties field of any proxy
service, click the Service tab, then click Server
Backup. Select whether to perform a Partial or Full
Restore, then specify the directory that the backup was
placed in and click OK.
Partial Restore -
Method is a non-computer specific restore; items such as
array membership and logging information will not be
Full Restore - Method
is a computer specific restore; all items are restored.
unauthorized access to your network from external users
Disable IP forwarding
in TCP/IP section of the Control Panel/Network
Do not add external
addresses to the LAT.
Deny listening on
inbound service ports.
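One way to check the "no external addresses in the LAT" rule above, as an added example that is not part of the original notes or of Proxy Server itself. It assumes the LAT is a text file of "start end" IPv4 range pairs, one per line, and treats only the private, loopback and link-local ranges listed in the code as internal; the sample LAT is constructed.

```python
import ipaddress

# Assumption: only these networks count as "internal" for the audit.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]

def parse_lat(text):
    """Parse 'start end' range pairs; return (ranges, errors) with line numbers."""
    ranges, errors = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if not parts:
            continue
        try:
            if len(parts) != 2:
                raise ValueError("expected two addresses")
            start, end = (ipaddress.IPv4Address(p) for p in parts)
            if start > end:
                raise ValueError("start after end")
            ranges.append((start, end))
        except ValueError as exc:  # AddressValueError is a ValueError
            errors.append((lineno, str(exc)))
    return ranges, errors

def external_ranges(ranges):
    """Return LAT ranges that are not wholly inside an internal network."""
    flagged = []
    for start, end in ranges:
        # CIDR blocks that cover exactly start..end
        blocks = ipaddress.summarize_address_range(start, end)
        if not all(any(b.subnet_of(n) for n in INTERNAL_NETS) for b in blocks):
            flagged.append((str(start), str(end)))
    return flagged

# Constructed sample LAT: two entries reach into public address space.
SAMPLE_LAT = """\
10.0.0.0 10.255.255.255
192.168.0.0 192.168.0.255
192.168.1.0 193.0.0.255
203.0.113.0 203.0.113.255
172.16.0.0 172.31.255.255
not-an-ip 10.0.0.1
"""

if __name__ == "__main__":
    lat, bad_lines = parse_lat(SAMPLE_LAT)
    print("external ranges:", external_ranges(lat))
    print("unparsable lines:", bad_lines)
```

A range that merely starts inside a private network is still flagged when it extends past it, which is the usual way an external address ends up being treated as local.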
Anonymous - Any user
is able to access the site.
Basic - Login and
Password are necessary to access the site.
challenge/response - Uses current login information to
allow/disallow access to site. Only available in same or
Challenge/response will only work properly with IE
3.0 and later. When a non-IE browser accesses a
challenge/response site, access will be denied.
Web proxy and WinSock proxy properties screens, you can
choose which users/groups are able to access the Internet
through particular protocols. Permissions must be assigned
separately to each protocol.
covers only FTP, Gopher, Secure and Web protocols. The web
protocol covers HTTP and HTTPS protocols. The secure
protocol covers protocols set up to use secure
covers many protocols including HTTP, HTTPS, FTP, Telnet,
Gopher, IRC, RealAudio, POP3, SMTP, and others.
have been assigned permissions to a protocol, they then have
access to the Internet through those specified ports. For
example, when a user is assigned permission to use HTTP,
they then have access to the Internet through port
To assign or
revoke permissions for users to other protocols, highlight
the user and click Copy to or Remove From,
select the proper protocol, and click OK.
allows Unlimited Access to be specified. This allows
all users full access to all ports on that defined in the
WinSock proxy service.
protocols can be edited, or new protocols can be added, to
customize or create ports that are needed for certain
application communications. Protocols can also be defined to
only allow outbound or inbound access.
uses the Identification protocol and IP addresses to
service depends on the Web proxy service to be running. If
the Web proxy service stops, the Socks proxy service also
does not support IPX/SPX.
permissions can be moved change the orders of the listed
permissions can have functions matched to specified port
Socks can be
set to deny or allow access from specific IP ranges, domain
names, or all users. Options for this can be set to
settings are defined by the following determiners
Not equal to
Greater than or equal to
Less than or equal
For example, you can choose to
deny access to any port greater than 80 by specifying
Deny in the Action box, GT in the Port box,
and 80 in the Port number field.
example is portrayed in the following graphic
all clients from geocities.com to access anything in
cramsession.com through port 80.
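The ordered Socks permissions described above, modelled as an added example that is not part of the original notes or of Proxy Server. It assumes first-match evaluation with an implicit deny when nothing matches; the keywords other than GT, the action name Permit, and the rule list itself are constructed for illustration.

```python
import ipaddress
import operator
from dataclasses import dataclass

# GT appears in the notes; the other comparator keywords are assumed.
PORT_OPS = {"EQ": operator.eq, "NEQ": operator.ne, "GT": operator.gt,
            "LT": operator.lt, "GE": operator.ge, "LE": operator.le}

@dataclass
class Rule:
    action: str                     # "Permit" (assumed name) or "Deny"
    source: ipaddress.IPv4Network   # client range the rule applies to
    port_op: str                    # key of PORT_OPS
    port: int

def evaluate(rules, src_ip, dst_port):
    """Return (action, rule index); first matching rule decides (assumed)."""
    src = ipaddress.ip_address(src_ip)
    for index, rule in enumerate(rules):
        if src in rule.source and PORT_OPS[rule.port_op](dst_port, rule.port):
            return rule.action, index
    return "Deny", None             # assumed default when nothing matches

def shadowed(rules, probe_ip, ports=range(1, 65536)):
    """Indexes of rules that never decide for probe_ip on any port."""
    deciding = {evaluate(rules, probe_ip, p)[1] for p in ports}
    return [i for i in range(len(rules)) if i not in deciding]

ANY = ipaddress.ip_network("0.0.0.0/0")
LAN = ipaddress.ip_network("192.168.0.0/24")

# Constructed rule list: the notes' "Deny, GT, 80" rule placed first.
RULES = [
    Rule("Deny", ANY, "GT", 80),
    Rule("Permit", LAN, "EQ", 80),
    Rule("Permit", LAN, "EQ", 443),   # never reached: 443 > 80 hits rule 0
]

if __name__ == "__main__":
    print(evaluate(RULES, "192.168.0.10", 80))
    print(evaluate(RULES, "192.168.0.10", 443))
    print("shadowed rules:", shadowed(RULES, "192.168.0.10"))
```

Running the shadow check after reordering permissions shows which entries have become dead, which is the practical reason rule order is worth reviewing.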
Identification (Identd) protocol - Provides a false
user name to servers that block MS Proxy clients, to allow
them to access the server's services. Is installed by
running IDENTD.EXE --INSTALL. Is run through the NET
command: NET START|STOP IDENTD.
filtering is used to grant or deny client access to certain
checkbox next to Enable Filtering to allow
You can grant
or deny access to
Single computer - Must
specify the IP address of a specific system. Can click the
ellipsis button next to the IP field, and specify a DNS
name. It will then return the IP address of that DNS
Group of computers -
Must specify the IP address and subnet mask of the
Domain - Must specify
the domain name to grant or deny access to.
Must have an
external network interface before this can be enabled. If
using a modem or ISDN adapter as the external network
interface, you must have RAS Auto Dial set up. Only the
external network adapter will provide packet filtering.
filtering on packets, addresses and
types will be blocked, except for those specified in the
Proxy server can send alerts for
events through the Event Viewer, log files or
only be enabled when packet filtering is enabled.
Alerts can be
Rejected packets -
Notifies you when numerous packets are being rejected at
high rates. Rates can be set to alert you when rejected
packets occur at a certain frequency. High frequency rates
can mean an attack is taking place.
Protocol violations -
Notifies you when packets or frames are dissimilar from
the typical protocol structure.
Full disk drive
warnings - Notifies you when the disk drive that holds the
service or packet logs is full.
proxy server services requests made to an internal web
server. It will serve as a "firewall" by only letting
visitors through one port to retrieve the information.
hosting can be enabled to allow multiple web servers to be
contacted through the reverse proxy server.
reverse proxy support, under the Publishing tab of the proxy
service properties panel, click the Enable Web publishing
box. There are three options available
Discarded - All web
server requests will be discarded.
Sent to the local web
server - All requests will be sent to the default web
Sent to another web
server - All requests are sent to a specific web
To create a
reverse host route, click Add. In the Path field, insert the
URL to be routed. In the URL field, insert the URL of the
internal web server that will service this
are stored in the C:\WINNT\SYSTEM32\MSPLOGS\ directory by
- Web Proxy service log
- WinSock Proxy service log
- Socks Proxy service log
- packet filters
yymmx; yy=year, mm=month,
xx=day/week/month of log.
Logging to a
text file takes considerably less resources than logging to
An ODBC driver
must be installed on the proxy server to be able to log to a
A DSN (Data
Source Name) must be added to describe which server or
database file you are writing to.
Included with Proxy Server. Tool to create SQL tables for
proxy server logging.
does not support IPX on Windows 3.x clients.
clients cannot use the WinProxy service, but can use the
Socks and Web services.
clients must have the Novell Client 32-bit IPX stack
installed in order to use IPX through the proxy
URL for clients to get the array routing script is
Exchange clients from connecting to Internet POP3 servers,
put DISABLE=1 under the [EXCLNT32] header in the MSPCLNT.INI.
the WinSock proxy client application download the
MSPCLNT.INI file every time the client system is restarted,
and every six hours after the last refresh.
Contains server proxying information pertaining to the local
client. It will never be overwritten by the server. This
file contains application-specific settings for each WinSock
capable of using the following connection protocols
call back security to either the calling number or to a
specified, non-changing number.
RAS for NT 4.0
supports multilink (the use of more than one modem to
achieve higher transmission speeds). Multilink cannot
be used with callback security unless there are two
(or more) ISDN modems configured on the same phone
NetBEUI as the default network protocol, but can also use
TCP/IP and IPX/SPX. TCP/IP will need to be used if you are
using programs that utilize the Windows Sockets (Winsock)
interface over the RAS services.
Allow any authentication including clear text
This will allow RAS to use a number of password
authentication protocols including the Password
Authentication Protocol (PAP) which uses plain-text
password authentication. This option is useful if you
have a number of different types of RAS clients, or to
support third-party RAS clients.
Require encrypted authentication
This option will support any authentication used
by RAS except PAP.
Require Microsoft encrypted authentication
This option will only make use of Microsoft's CHAP
(Challenge Handshake Authentication Protocol). All
Microsoft operating systems use MS-CHAP by
Require data encryption
This option will enable the encryption of all data
sent to and from the RAS
RAS will write
to a log file which can be used for troubleshooting RAS
services. In order to enable RAS to write to the log, you
have to enable it in the Registry.
Auto Dial is
used to automatically dial-up to the Internet when a client
is attempting to gain Internet access through the Proxy
Server with RAS Auto-dial capabilities.
phonebook entry to your ISP will need to be created to allow
Auto Dial to work. Credentials can be set up to set the user
name and password used to connect with the ISP.
When Auto Dial
is configured for the first time, or if settings are
cleared, the services will need to be restarted before
settings can take effect.
Name Services) - Used to resolve DNS host name to an IP
(Windows Internet Naming Service) - Used to resolve NetBIOS
computer name to an IP address.
HOSTS - File
which contains mappings between DNS host names and their IP
File which contains mappings between NetBIOS computer names
and their IP addresses.