Module 7: Implementing Proxy Servers and Firewalls


Module 7: Microsoft Proxy Server 2.0 As a Solution for Internet Connectivity

Overview

Introducing Proxy Server

Designing a Functional Proxy Server Solution

Securing a Proxy Server Solution

Enhancing a Proxy Server Design for Availability

Optimizing a Proxy Server Design for Performance

Organizations connect to the Internet to provide Internet
access to users on the private network, and to allow
users on the Internet access to private network
resources. The Internet connectivity solution must
prevent unauthorized users from accessing private
network resources.
Microsoft Proxy Server 2.0 (Proxy Server) provides
solutions to Internet connectivity requirements for
Microsoft® Windows® 2000 networks. Proxy Server is a
group of services that is not included with Windows
2000 but runs on Windows 2000.
At the end of this module, you will be able to:

Evaluate Proxy Server as a solution for Internet connectivity.

Evaluate and design a functional Proxy Server solution for baseline
Internet connectivity.

Select appropriate strategies to secure a Proxy Server solution.

Select appropriate strategies to enhance Proxy Server availability.

Select appropriate strategies to improve Internet connectivity
performance.

Note: Throughout the module, Proxy Server with initial
capitalization is used to indicate the Microsoft Proxy Server 2.0
product. When proxy server appears without initial capitalization, it
indicates a computer that is providing proxy services.
Introducing Proxy Server

Design Decisions for a Proxy Server Solution

Features of Proxy Server

Integration Benefits

Proxy Server connects private networks to the Internet,
while also protecting private network resources from
unauthorized users. Proxy Server supports the essential
requirements for any Internet connectivity design, and
provides additional features to enhance the security,
availability, and performance of the Internet connectivity
solution.
To design an Internet connectivity solution based on
Proxy Server, you must:

Identify the design decisions that influence a Proxy
Server solution.

Identify how the features provided by Proxy Server
support the design requirements for Internet
connectivity.

Identify the benefits provided by integrating Proxy
Server with other services in Windows 2000.
Design Decisions for a Proxy Server Solution
[Slide diagram: Proxy Server placed between the Internet and the private network]

Secure Internet and Private Network Access Required?

Routed or Non-routed Network?

Number of Resources Shared with Internet?

Number of Locations?

By using Proxy Server, your design decisions for an
Internet connectivity solution must be based on the
security requirements, the network configuration, the
number of Internet-exposed resources, and the number
of geographically distributed locations of the
organization. Proxy Server is an appropriate solution for
Internet connectivity if:

Internet and private network access is restricted on a
user-by-user basis or on a resource-by-resource basis.

A number of private network resources need to be
shared with Internet-based users.

The private network encompasses multiple geographic
locations.
Features of Proxy Server
[Slide diagram: Proxy Server between the Internet and the private network, with screened subnets A and B]

Isolate the Private Network

Restrict Internet and Private Network Traffic

Cache FTP and HTTP Requests

Integrate Into Existing Networks

To incorporate Proxy Server into your network design,
you need to identify how the features of Proxy Server
support the Internet connectivity requirements.
Isolating the Private Network

Proxy Server enhances the security of an organization
by isolating the private network from the Internet, and
acting as an intermediary in the exchange of traffic
between the Internet and the private network. With the
private network isolated, you can reduce the number of
required public addresses by selecting a private
addressing scheme.
Restricting Internet and Private Network Traffic

Proxy Server allows you to restrict the traffic between
the Internet and private network so that you can limit the
access of private network users to Internet-based
resources, and limit Internet user access to private,
network-based resources.

You can use Proxy Server to restrict the traffic between
the Internet and the private network by:

Granting Internet access to authorized users.

Establishing filters that forward or discard IP packets
based on the IP address, protocol number or TCP/UDP
port number.

Intercepting inbound Uniform Resource Locator (URL)
requests and determining whether the requests must be
forwarded to a private network resource.

Using screened subnets to provide the required level of
network security.
Caching FTP and HTTP Requests

Proxy Server intercepts File Transfer Protocol (FTP) and
Hypertext Transfer Protocol (HTTP) Internet requests for
Web objects and saves the retrieved Web objects in a
local cache. When private network users request
Internet-based resources, Proxy Server checks the local
cache to see if the request is stored there. If the request
is found in the local cache, the Web object is retrieved
from the local cache and no Internet request is
necessary.
Integrating into Existing Networks
If integrated into existing networks, Proxy Server:

Supports both Windows Sockets (WinSock) and non-WinSock
clients on a variety of client operating systems.

Supports integration with the Active Directory™
directory service accounts in Windows 2000 to provide
single logon access for users on Windows-based
computers.

Supports IP and Internetwork Packet
Exchange/Sequenced Packet Exchange (IPX/SPX)
protocols on private networks so that IP and IPX/SPX-based
clients can access the Internet through Proxy Server.
Integration Benefits
[Slide diagram: Proxy Server integrated with IPSec (authentication and IPSec tunnels), Routing and Remote Access (demand-dial connections, IP filters, and VPN tunnels), and Active Directory (user account authentication)]

Proxy Server integrates with other networking services
to take advantage of their features. The integration of
these features requires you to include additional
technologies (such as virtual private network (VPN)
tunnels that are used for authentication and data
encryption) in the design.

The following table describes the benefits of integrating Proxy
Server with other networking services.
Proxy Server integrates with         To
Internet Protocol Security (IPSec)   Provide Proxy Server authentication and the
                                     encryption of data transmitted between
                                     locations over public networks.
Routing and Remote Access            Provide support for nonpersistent connections
                                     by using specified demand-dial connections.
                                     Reduce undesired traffic by using specified
                                     IP filters.
Active Directory                     Provide Kerberos version 5 protocol and user
                                     account support so that authentication occurs
                                     when specified.
Designing a Functional Proxy Server Solution

Placing Proxy Server Within a Network

Integrating Proxy Server into the Existing Network

Determining Proxy Server Client Requirements

Discussion: Designing a Proxy Server Solution

There are a few essential decisions that you need to
make for an Internet connectivity solution, so that you
can derive the specifications for the Proxy Server
design. After these essential decisions are established,
you can optimize the Internet connectivity solution by
adding security, availability, and performance
enhancements to your design.

The essential decisions for your Proxy Server design
include:

Where to place Proxy Server within a network so that
network traffic is localized without compromising
security.

Which IP address, persistence, data rate, and security
router interface characteristics affect the integration of
the router into the existing network.

How the private network clients will access the proxy
server, and the software that the clients will use to
access the proxy server.
Placing Proxy Server Within a Network
[Slide diagram: a central office and branch offices, each with a Proxy Server and a screened subnet, connected across the Internet; one branch office uses a demand-dial connection, and a Web server sits on a screened subnet]

Proxy Server Within the Private Network

Proxy Server at the Edge of the Private Network

You must place Proxy Server between the network
segments so that network traffic is localized and
security is maintained. To improve performance, you
can place Proxy Server so that Web objects are cached
for an entire organization, a location within an
organization, or a network segment within an
organization.
Proxy Server Within the Private Network
Place Proxy Server within the private network so that:

Web objects are cached for network segments within an
organization to reduce private network traffic.

Screened subnets are created within the private
network, thereby protecting confidential data.

Network packets can be exchanged between dissimilar
network segments, such as between an Ethernet
network segment and an asynchronous transfer mode
(ATM) network segment.
Proxy Server at the Edge of the Private Network
Place Proxy Server at the edge of the private network so
that:

Users on the private networks can access the Internet.

Web objects are cached for the entire organization.

The private network is isolated from the public network,
thereby protecting confidential data.

Network packets can be exchanged between the private
network segments and public network segments, such
as between an Ethernet private network segment and an
Integrated Services Digital Network (ISDN) public
network segment.
Integrating Proxy Server into the Existing Network

Interface Address and Subnet Mask

Interface Data Rate and the Persistence

Depending on the size of the network, your network
design can include a number of proxy servers. Each
proxy server in the network design must have at least
one interface, although most proxy servers have more
than one. For each proxy server interface, you must
describe the interface characteristics so that the proxy
server can be integrated into the existing network.
Note: Specify one interface in the proxy server if the
design requires only Proxy Server caching or if Proxy
Server provides IPX to Transmission Control
Protocol/Internet Protocol (TCP/IP) translation.
Selecting the Interface Address and Subnet Mask

When selecting the proxy server interface address and
subnet mask, remember that:

Each proxy server interface requires an IP address and
subnet mask.

The IP address assigned to the proxy server interface
must be within the range of addresses that are assigned
to the network segment that is directly connected to the
interface.

The subnet mask assigned to the proxy server interface
must match the subnet mask that is assigned to the
network segment that is directly connected to the
interface.
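The address and mask rules above can be checked mechanically before a design is handed over. The following Python is an added example, not code from the course or from Proxy Server; the segment names, the addresses, and the check_interface and check_design functions are assumptions constructed for the illustration. It also rejects a segment's network and broadcast addresses, which the text does not mention but which cannot be assigned to an interface.

```python
import ipaddress

# Constructed network segments: segment name -> the address range and
# subnet mask of that directly connected segment.
SEGMENTS = {
    "private-lan": ipaddress.ip_network("10.0.1.0/24"),
    "screened-subnet": ipaddress.ip_network("192.168.50.0/24"),
}


def check_interface(segment_name, interface_cidr):
    """Return the list of problems found for one proxy server interface.

    interface_cidr is the address and mask assigned to the interface, written
    as "address/prefix", for example "10.0.1.5/24". The checks are the two
    rules from the text (address inside the connected segment, mask equal to
    the segment's mask) plus a reservation check: the segment's network and
    broadcast addresses cannot be assigned to an interface.
    """
    segment = SEGMENTS[segment_name]
    iface = ipaddress.ip_interface(interface_cidr)
    problems = []
    if iface.ip not in segment:
        problems.append(f"{iface.ip} is not within segment {segment}")
    elif iface.ip in (segment.network_address, segment.broadcast_address):
        problems.append(f"{iface.ip} is the network or broadcast address of {segment}")
    if iface.network.netmask != segment.netmask:
        problems.append(
            f"mask {iface.network.netmask} does not match segment mask {segment.netmask}"
        )
    return problems


def check_design(interfaces):
    """Check every (segment, interface) pair of a design; returns {interface: problems}."""
    return {cidr: check_interface(seg, cidr) for seg, cidr in interfaces}


if __name__ == "__main__":
    # Constructed design: one good interface, one on the wrong segment,
    # one with the wrong mask.
    design = [
        ("private-lan", "10.0.1.5/24"),
        ("screened-subnet", "192.168.51.5/24"),
        ("screened-subnet", "192.168.50.5/16"),
    ]
    for cidr, problems in check_design(design).items():
        print(cidr, "OK" if not problems else "; ".join(problems))
```

The mask check is separate from the range check on purpose: 192.168.50.5/16 lies inside 192.168.50.0/24, so a range-only check would pass an interface whose mask disagrees with the segment and would route part of the segment's traffic wrongly.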
Selecting the Interface Data Rate and the Persistence

Each proxy server interface connects to a private or
public network segment. These network segments can
be persistent or non-persistent. In addition, the data
rates for these network segments can vary
considerably. You need to specify the data rate and
persistence for proxy server interfaces so that the proxy
server can connect to private and public network
segments.
Interfaces that connect to private network segments

Private network segments are based on local area
network (LAN) technologies that are persistent interface
connections. The data rate of the private network
segment is determined by the LAN technology, such as
100 megabits per second (Mbps) data transfer rate for
100 Mbps Ethernet.
Interfaces that connect to public network segments

Public network segments are based on LAN and
demand-dial technologies that can be persistent or nonpersistent. Public network segments that appear to
Proxy Server as LAN interfaces are persistent, and the
data rate is determined by the LAN technology.
Public network segments that appear as demand-dial
interfaces are nonpersistent, and the data rate is
determined by the underlying technology. An example of
this would be a 56-Kbps dial-up modem connection that
supports a maximum data rate of 56 Kbps.

Even if the public network segments are based on LAN
technologies, you can include demand-dial interfaces in
your solution, such as a VPN connection over a digital
subscriber line (DSL) connection. Include a demand-dial
interface in your design if:

An exchange of credentials is required to perform
authentication, such as VPN tunnel authentication.

Charges, such as ISDN connection charges, are
accumulated if the public network segment is active.

To connect to another location across the Internet, one
solution is to specify a VPN tunnel over a DSL network
segment. In this case, you will need to include the
following interfaces in your design:

A LAN interface that supports the persistent DSL
network segment.

A demand-dial interface to perform the authentication
required by the VPN tunnel.
Determining Proxy Server Client Requirements
[Slide diagram: private network computers reaching the Internet through Proxy Server: all traffic by using the Proxy Server client, HTTP/FTP traffic by using Internet Explorer 5.0, and SOCKS traffic from a UNIX SOCKS client]

Specify Private Network IP Address Ranges

Select Software for Connecting to Proxy Server

You determine the Proxy Server client requirements so
that you can specify the private network address ranges
and select the appropriate software for connecting to
Proxy Server.
Specifying Private Network IP Address Ranges

You must identify the IP address ranges within the
private network so that you can specify these address
ranges in the Proxy Server design. Proxy Server clients
can then determine if the destination IP address in an IP
packet must be sent directly to the private network
destination, or forwarded to the proxy server.

The IP address ranges that you specify are stored in the
local address table (LAT) file on the proxy server. When
requests are sent to the proxy server, the proxy server
uses the LAT to determine if the request is within the
private network or on the Internet.

For computers on the private network that do not have Proxy
Server client software, you need to specify the IP address of the
proxy server's private network interface as the default gateway.
Because the proxy server is the default gateway for the computer,
all requests that are not on the computer's local subnet are
forwarded to the proxy server. The proxy server forwards the
request to the Internet.

When the computers on the private network have Proxy Server
client software installed, they have a local copy of the LAT file. The
Proxy Server clients use their local copy of the LAT file to
determine if requests are within the private network, or on the
Internet. Private network requests are sent directly to the
destination within the private network. Internet requests are sent to
the proxy server.
Selecting Software for Connection to Proxy Server

You can specify that the private network interface of the
proxy server is the default gateway entry for computers
on the private network. If you specify the proxy server
as the default gateway, the private network traffic
increases because all traffic destined for other subnets
in the private network is forwarded first to the proxy
server and then on to the final destination.

To prevent the unnecessary private network traffic,
specify that the private network computers be
configured with software to forward traffic to the proxy
server if the final destination is the Internet.
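The difference between a computer that consults its local LAT copy and one that only has the proxy as its default gateway can be seen in a few lines of code. The following Python is an added example; it is not the course's or Proxy Server's code. The LAT_TEXT layout (one "first last" address range per line), the addresses, the CLIENT_SUBNET value, and the function names are constructed for the example and are not taken from the real LAT file format.

```python
import ipaddress

# Constructed LAT contents: one private address range per line as
# "first last". This layout is assumed for the example, not copied from
# Proxy Server's own LAT file.
LAT_TEXT = """\
# private address ranges
10.0.0.0 10.255.255.255
192.168.50.0 192.168.50.255
"""

# Constructed: the subnet the example client sits on.
CLIENT_SUBNET = ipaddress.ip_network("10.0.1.0/24")


def parse_lat(text):
    """Parse LAT lines into (first, last) address pairs, skipping blanks and comments."""
    ranges = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        first, last = line.split()
        first, last = ipaddress.ip_address(first), ipaddress.ip_address(last)
        if last < first:
            raise ValueError(f"LAT range ends before it starts: {line}")
        ranges.append((first, last))
    return ranges


def in_lat(dest, ranges):
    """True if dest falls inside any LAT range, i.e. is a private network address."""
    ip = ipaddress.ip_address(dest)
    return any(first <= ip <= last for first, last in ranges)


def next_hop(dest, ranges, client_subnet, has_client_software):
    """Where a private network computer sends a packet for dest.

    With the Proxy Server client installed the computer consults its local
    LAT copy and sends private network traffic directly. Without it, only
    the local subnet is reached directly; everything else goes to the proxy,
    which is the default gateway.
    """
    ip = ipaddress.ip_address(dest)
    if ip in client_subnet:
        return "direct"
    if has_client_software and in_lat(ip, ranges):
        return "direct"
    return "proxy"


def extra_proxy_hops(dests, ranges, client_subnet):
    """Destinations that reach the proxy only because it is the default gateway."""
    return [d for d in dests
            if next_hop(d, ranges, client_subnet, False) == "proxy"
            and next_hop(d, ranges, client_subnet, True) == "direct"]


if __name__ == "__main__":
    lat = parse_lat(LAT_TEXT)
    dests = ["10.0.1.20", "10.0.7.9", "192.168.50.3", "203.0.113.80"]
    for d in dests:
        print(d, "with client:", next_hop(d, lat, CLIENT_SUBNET, True),
              "default gateway only:", next_hop(d, lat, CLIENT_SUBNET, False))
    print("hairpinned through the proxy:", extra_proxy_hops(dests, lat, CLIENT_SUBNET))
```

The extra_proxy_hops list is exactly the unnecessary private network traffic the text describes: destinations on other private subnets that, without client software, are forwarded to the proxy first and then on to the final destination.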

The following table lists the software options for private network
computers and the reason to include the options in your design.
Select                        If you need to support
Microsoft Internet Explorer   HTTP and FTP traffic only. Any operating system
5.0                           that includes Internet Explorer 5.0. Packet filters
                              and domain filters for filtering traffic.
Proxy Server client           All IP protocol traffic. Any operating system that
                              supports the WinSock standard. Packet filters and
                              domain filters for filtering traffic. IPX/SPX-based
                              private networks.
SOCKS                         All IP protocols supported by the SOCKS
                              applications. UNIX, Macintosh, or operating systems
                              that run SOCKS-compatible applications. SOCKS rules,
                              protocol rules, and IP packet filters for filtering
                              traffic.
No client software            All IP protocols. Any operating system with the
                              default gateway configured to send Internet traffic
                              to the proxy server. Protocol rules and IP packet
                              filters for filtering traffic.
Discussion: Designing a Proxy Server Solution
[Slide map: Montreal, Calgary, Vancouver, Winnipeg, Toronto]

As you create Internet connectivity solutions, you need
to translate information relating to the solution into
design requirements.
The following scenario describes the current network
configuration of a legal firm that specializes in patent
and copyright law.
Scenario

A legal firm specializes in patent and copyright law. At
each geographic location, legal assistants within the
firm conduct research for the firm's partners on
potential patent and copyright infringements. The
majority of the research is conducted by searching the
Internet for these potential infringements.

The central office for the firm is in Montreal, where the
firm has a T1 connection to the Internet. With the
exception of the Vancouver branch office, all other
branch offices are connected directly to the Montreal
office by using a 56-Kbps connection. The Vancouver
branch office is connected through Calgary to the
Montreal central office.
Securing a Proxy Server Solution

Restricting Access to Internet Resources

Determining the Number of Screened Subnets

Restricting Traffic with Packet Filters

Restricting Outbound Traffic with Domain Filters

Restricting Inbound Traffic with Web Publishing

The security of a Proxy Server design is measured by
the ability of the design to prevent unauthorized access
to data transmissions and private network resources.
Proxy Server enhances the security by isolating the
private network from the Internet and restricting traffic
between the private network and the Internet.
To secure a Proxy Server solution, consider:

Restricting access to the Internet.

Providing access to private network resources by using
screened subnets.

Restricting IP traffic by using IP packet filters.

Restricting IP traffic by using domain filters.

Enabling access to private network resources by using
Web Publishing.
Restricting Access to Internet Resources
[Slide diagram: Proxy Server between the private network and the Internet, authenticating users against Active Directory in one design and against local accounts in the other]

Networks Based on Active Directory

Networks Not Based on Active Directory

You can restrict access to Internet resources on a
user-by-user basis, with users defined in Active Directory, or
as local user accounts on member servers.
Networks Based on Active Directory

If your network design includes Active Directory, you
can grant access to users and groups in Active
Directory. Proxy Server is integrated with Active
Directory to provide single logon access to the Internet.

The following table lists the users and groups to which you can
grant access, and why you would choose to grant access to that
user or group.
Grant permission to        To enable access to Proxy Server for
Everyone                   All users, including unauthorized users, when the
                           Windows 2000 Guest account is enabled.
Active Directory groups    Members of a group.
Active Directory users     Specific users granted permission on an individual
                           basis.

Although not typically a best practice, you would enable
the Guest account if your Proxy Server design is
integrated in a highly heterogeneous network. If you
enable the Guest account, you allow anonymous access
to the users whose accounts do not exist in Active
Directory.
Note: You can provide single logon access for users in
heterogeneous networks by using products such as
Services for UNIX, Client Services for NetWare, or
Services for Macintosh.
Networks Not Based on Active Directory

If your network design is predominantly composed of
other operating systems, such as UNIX or NetWare, or
you are not including Active Directory in the design, you
can specify that Proxy Server be installed on a stand-alone
Windows 2000-based computer. The stand-alone
Windows 2000-based computer has local users and
groups that you can use to grant Proxy Server access.

If the network consists of other operating systems, such
as UNIX or NetWare, you can specify that the:

Other operating systems replicate the user accounts to
the Windows 2000-based computer running Proxy Server.
For example, in a network that is based on Novell
Directory Services (NDS), you would specify that NDS
users and groups must be replicated to the proxy server
by using Novell software.

Guest account on the proxy server is enabled and granted
Proxy Server access, thereby allowing anonymous access
to the proxy server.

All users on the private network are granted access, and
you are unable to restrict Proxy Server access on a
user-by-user or group basis.
Determining the Number of Screened Subnets
[Slide diagram: screened subnets A, B, and C created either by multiple interfaces on one Proxy Server or by multiple Proxy Servers arranged in a hierarchy]

Multiple Interfaces or Multiple Servers

Hierarchical Screened Subnet Designs

In its simplest form, a certification hierarchy consists of a single
CA. Large organizations typically require multiple CAs due to the
large number of services and applications requiring certificates.
Multiple CAs are arranged in a hierarchy with clearly defined
parent/child relationships.

In a CA hierarchy, each parent CA certifies the child CAs below it.
The CA at the top of a hierarchy is called the root authority or root
CA. The child CAs of the root CAs are called subordinate CAs. The
root CA is used only to sign subordinate CA certificates and the CA
certificate for the root CA itself. Below the subordinate CAs are
issuing CAs that issue certificates directly to users and computers.

A certificate trust list (CTL) is a set of certificates that the
administrator determines to be trustworthy. The CTL defines the
certification path from the issuing CA up to the root CA. For a client
authentication certificate to be used successfully, a CA listed in the
CTL must issue the certificate.
Multiple Interfaces or Multiple Servers

You can define multiple screened subnets by using multiple private
network interfaces in a Proxy Server, using multiple proxy servers
with a single interface, or using a combination of both. The following
table lists the methods for establishing multiple screened subnets,
along with the reasons to select each method.
Select this method    To establish a screened subnet if the
Multiple interfaces   System resources of the proxy server are not saturated.
                      Organization requires a centralized administration model.
Multiple servers      Performance for the screened subnet needs to be maximized.
                      Organization requires a decentralized administration model.
Hierarchical Screened Subnet Designs

In designs that require more than one screened subnet
created by multiple proxy servers, you place the proxy
servers in a hierarchy. Specify hierarchical screened
subnet designs to:

Delegate the administration of the screened subnets.

Specify broad security requirements at the top of the
hierarchy, such as the security requirements for an entire
organization.

Specify stronger security requirements lower in the
hierarchy, such as the security requirements for a
department or application.
Restricting Traffic with Packet Filters
[Slide diagram: packet filters on Proxy Servers controlling incoming and outgoing traffic between the central office private network, the Internet, a Web server, and a partner network]

Packet Filter Restrictions

Packet Filter Criteria

To ensure a secure network, you must prevent traffic
between the private network and the Internet. You can
prevent traffic by specifying Proxy Server packet filters.
Proxy Server packet filters affect the SOCKS proxy, Web
proxy, and WinSock proxy. You can create a
combination of Proxy Server packet filters to address
any security requirement.
Packet Filter Restrictions

Proxy Server packet filters are layer two filters that
affect the IP traffic received by Proxy Server. These
filters specify which IP packets are forwarded or
rejected by Proxy Server. Proxy Server packet filters
restrict:

Traffic for all Proxy Server services.

Both inbound and outbound traffic.

Internet access to private network resources, such as
servers.

Private network user access to Internet-based
resources, such as partner networks or Web sites.
Packet Filter Criteria

You can create Proxy Server packet filters by specifying the source
or destination IP address range and the protocol number of the
packets to be filtered. To address any security requirement, you can
create a combination of filters by specifying multiple filters for each
interface.

You can base your packet filter design on a single criteria or any
combination of the following:

Direction

Protocol ID

Local port

Remote port

Local host IP address

Remote host IP address
Direction

The direction of the traffic that the filter must affect. You
can specify traffic inbound to the private network,
outbound for the Internet, or moving in both directions.
Protocol ID

The IP protocol ID for the filter. You can specify TCP
protocol ID, Internet Control Message Protocol (ICMP)
protocol ID, or any protocol ID.
Local port

The TCP or UDP port number for the source if the packet
originates from the private network, or the destination if
the packet originates outside the private network. You
can specify any port number, a specific port number, or
a range of unknown port numbers.
Remote port

The TCP or UDP port number for the source if the packet
originates outside the private network, or the
destination if the packet originates inside the private
network. You can specify any port number, a specific
port number, or a range of unknown port numbers.
Local host IP address

The IP address of the computer on the private network
that exchanges IP packets with the remote computer on
the Internet. Typically, this is the IP address of the proxy
server. You can specify the default proxy server IP
address, a specific IP address assigned to a proxy
server interface, or the IP address of a computer on the
private network.
Remote host IP address

The IP address of the remote computer on the Internet
that exchanges IP packets with the computer on the
private network. You can specify any IP address from
the Internet, or the IP address of a specific computer on
the Internet.
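To make the six criteria concrete, the following Python evaluates sample packets against a small filter set. It is an added example, not code from the course or from Proxy Server. The first-match rule, the default of discarding unmatched packets, the "proxy" keyword standing for the default proxy server address, the PROXY_IP value, the addresses and the FILTERS list are all assumptions constructed for the illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address

ANY = "any"
# Constructed: the proxy server's Internet-facing interface address.
PROXY_IP = ip_address("203.0.113.10")


@dataclass(frozen=True)
class Filter:
    """One packet filter built from the six criteria listed in the text."""
    action: str                 # "forward" or "discard"
    direction: str = "both"     # "inbound", "outbound", or "both"
    protocol: str = ANY         # "tcp", "udp", "icmp", or ANY
    local_port: object = ANY    # ANY, a port number, or an inclusive (low, high) range
    remote_port: object = ANY
    local_host: object = ANY    # ANY, "proxy" (the default proxy address), or an IP string
    remote_host: object = ANY   # ANY or an IP string


@dataclass(frozen=True)
class Packet:
    direction: str      # "inbound" (from the Internet) or "outbound" (to the Internet)
    protocol: str
    src_ip: str
    dst_ip: str
    src_port: int = 0   # 0 for protocols without ports, such as ICMP
    dst_port: int = 0


def _port_matches(rule, port):
    if rule == ANY:
        return True
    if isinstance(rule, tuple):
        low, high = rule
        return low <= port <= high
    return rule == port


def _host_matches(rule, host):
    if rule == ANY:
        return True
    if rule == "proxy":
        return host == PROXY_IP
    return ip_address(rule) == host


def matches(flt, pkt):
    """Apply a filter's criteria to a packet.

    "Local" is the private network side: the destination of an inbound packet
    and the source of an outbound one; "remote" is the Internet side.
    """
    if flt.direction not in ("both", pkt.direction):
        return False
    if flt.protocol not in (ANY, pkt.protocol):
        return False
    if pkt.direction == "inbound":
        local_ip, local_port = ip_address(pkt.dst_ip), pkt.dst_port
        remote_ip, remote_port = ip_address(pkt.src_ip), pkt.src_port
    else:
        local_ip, local_port = ip_address(pkt.src_ip), pkt.src_port
        remote_ip, remote_port = ip_address(pkt.dst_ip), pkt.dst_port
    return (_port_matches(flt.local_port, local_port)
            and _port_matches(flt.remote_port, remote_port)
            and _host_matches(flt.local_host, local_ip)
            and _host_matches(flt.remote_host, remote_ip))


def decide(filters, pkt):
    """First matching filter decides; a packet matching no filter is discarded (assumed default)."""
    for flt in filters:
        if matches(flt, pkt):
            return flt.action
    return "discard"


# Constructed filter set: Internet users may reach the proxy's published Web
# port; the proxy may open HTTPS connections from a dynamic port range; ICMP
# from one remote host is dropped while other ICMP is passed.
FILTERS = [
    Filter("forward", "inbound", "tcp", local_port=80, local_host="proxy"),
    Filter("forward", "outbound", "tcp", local_port=(1025, 5000), remote_port=443, local_host="proxy"),
    Filter("discard", "inbound", "icmp", remote_host="198.51.100.7"),
    Filter("forward", "both", "icmp"),
]

if __name__ == "__main__":
    samples = [
        Packet("inbound", "tcp", "198.51.100.7", "203.0.113.10", 40000, 80),
        Packet("inbound", "tcp", "198.51.100.7", "203.0.113.10", 40000, 23),
        Packet("outbound", "tcp", "203.0.113.10", "198.51.100.7", 3000, 443),
        Packet("inbound", "icmp", "198.51.100.7", "203.0.113.10"),
        Packet("inbound", "icmp", "198.51.100.8", "203.0.113.10"),
    ]
    for pkt in samples:
        print(pkt.direction, pkt.protocol, pkt.src_ip, "->", pkt.dst_ip, pkt.dst_port, decide(FILTERS, pkt))
```

Note that the local/remote swap in matches is what lets one filter express "inbound to port 80" and another "outbound from ports 1025 to 5000" with the same two fields, which is how the text defines local port and remote port.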
Restricting Outbound Traffic with Domain Filters
[Slide diagram: domain filters on Proxy Servers restricting outbound traffic from the central office private network to a Web server and a partner network across the Internet]

Grant or Deny Access with Exception

Domain Filter Criteria

You can restrict private network traffic to Internet
resources by specifying Proxy Server domain filters.
Proxy Server domain filters affect the SOCKS proxy,
Web proxy, and WinSock proxy. You can add multiple
domain filters to create a combination that meets the
security requirements of any organization.
Granting or Denying Access with Exception

You can specify the default behavior of Proxy Server
domain filters to grant access to all Internet sites, or to
deny access to all Internet sites. You can then build a
list of Internet sites that are the exception to the default
behavior.
As a result, you can specify Proxy Server domain filters
to:

Reject packets specified in the criteria of the filter and
forward all others.

Forward packets specified in the criteria of the filter and
reject all others.
Domain Filter Criteria

Define Proxy Server domain filter criteria to restrict
traffic based on the security requirements of the
organization. For example, if an organization wants to
restrict access to a specific Web site by name, define a
Proxy Server domain filter that is based upon the
domain name of the Web site.
The following table lists the criteria upon which you can base your
Proxy Server domain filter, and when you would specify that criteria in
your design.

Filter on            If you want to restrict access for
Single computer      A specific computer on the Internet, by using the IP
                     address of the computer.
Group of computers   A range of IP addresses on the Internet, by using an IP
                     address and subnet mask to specify the range.
Domain               A specific domain name, independent of the IP address, by
                     specifying the fully qualified domain name (FQDN) for the
                     domain.

Note: Your Proxy Server domain filter can only be based on one of the
criteria listed in the table above.
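The default-plus-exceptions behaviour and the three criteria from the table can be modelled directly. The following Python is an added example, not the course's or Proxy Server's code; the DomainFilter class, its method names, the resolved_ip parameter, and the addresses and names used are assumptions constructed for the illustration. It treats a domain criterion as matching the domain and its subdomains, and applies an IP-based criterion to a name-based request only when the proxy has resolved the name.

```python
import ipaddress


class DomainFilter:
    """Proxy Server style domain filter: a default of grant or deny for all
    Internet sites, plus an exception list. Each exception uses exactly one
    criterion: a single computer (IP address), a group of computers (IP
    address and subnet mask), or a domain (FQDN)."""

    def __init__(self, default):
        if default not in ("grant", "deny"):
            raise ValueError("default must be 'grant' or 'deny'")
        self.default = default
        self.single_computers = set()   # IPv4Address values
        self.groups = []                # IPv4Network values
        self.domains = []               # lower-case FQDNs

    def add_single_computer(self, ip):
        self.single_computers.add(ipaddress.ip_address(ip))

    def add_group(self, ip, mask):
        # "ip/mask" with a dotted mask, e.g. 203.0.113.0/255.255.255.0
        self.groups.append(ipaddress.ip_network(f"{ip}/{mask}", strict=False))

    def add_domain(self, fqdn):
        self.domains.append(fqdn.lower().rstrip("."))

    def is_exception(self, host, resolved_ip=None):
        """host is the name or address the client asked for; resolved_ip is
        the address that name maps to, when the proxy has resolved it."""
        name = host.lower().rstrip(".")
        try:
            addresses = [ipaddress.ip_address(name)]
        except ValueError:
            # A name was requested: the domain criterion applies to the name
            # itself and its subdomains, independent of any IP address.
            if any(name == d or name.endswith("." + d) for d in self.domains):
                return True
            addresses = [ipaddress.ip_address(resolved_ip)] if resolved_ip else []
        for ip in addresses:
            if ip in self.single_computers or any(ip in g for g in self.groups):
                return True
        return False

    def decide(self, host, resolved_ip=None):
        """Exceptions invert the default: grant-with-exceptions denies them, deny-with-exceptions grants them."""
        flipped = "deny" if self.default == "grant" else "grant"
        return flipped if self.is_exception(host, resolved_ip) else self.default


if __name__ == "__main__":
    # Constructed policy: grant everything except one domain, one host and one range.
    f = DomainFilter("grant")
    f.add_domain("badsite.example")
    f.add_single_computer("198.51.100.7")
    f.add_group("203.0.113.0", "255.255.255.0")
    for host in ["www.badsite.example", "www.example.net", "198.51.100.7", "203.0.113.40"]:
        print(host, f.decide(host))
```

Because each exception carries only one criterion, a name-based exception says nothing about the site's address and an address-based exception says nothing about its name; the resolved_ip parameter is where a deployment would supply the link between the two.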
Restricting Inbound Traffic with Web Publishing
[Slide diagram: a remote user on the Internet reaching a Web server in the private network through Proxy Server Web Publishing]

Use the Default – All Requests are Discarded

Define Web Publishing Mapping

To restrict inbound traffic, you can enable access to
HTTP or FTP servers that are located in the private
network by using the Web Publishing feature of Proxy
Server. If you include Web Publishing in your solution,
Proxy Server examines inbound Internet-based requests
and:

Forwards the requests to HTTP or FTP servers within
the private network.

Discards the request.
Use the Default – All Requests Are Discarded

You can specify how Web Publishing reacts when an
inbound request is received and does not match any of
the Web Publishing criteria. You can specify that Web
Publishing either:

Ignore all requests and send no response.

Forward all requests to the default Web site on the proxy
server.

Forward all requests to a specific Web site.

Note: The default behavior for Web Publishing is to
discard any Internet-based requests to Web servers
located within the private network.
Defining Web Publishing Mapping

You can define Proxy Server Web Publishing mappings
that override the default behavior of Web Publishing.
For each Web Publishing mapping, you can specify the:

Inbound URL that Proxy Server uses to identify requests
that are exceptions to the default behavior of Web
Publishing.

URL within the private network where the request is to
be forwarded.

For example, you could create a Web Publishing
mapping that would forward all requests for
http://www.nwtraders.msft to
http://sales.nwtraders.msft.
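The mapping logic just described, with the default behaviour from the previous slide, can be written as a small router. The following Python is an added example, not the course's or Proxy Server's code. The WebPublishing class, its longest-prefix matching, and the collapsing of the two forwarding defaults into one default_target URL are assumptions made for the illustration; the www.nwtraders.msft mapping comes from the text, the other URLs are constructed.

```python
from urllib.parse import urlsplit


def _split(url):
    """Scheme and host are compared case-insensitively; an empty path means "/"."""
    parts = urlsplit(url)
    return parts.scheme.lower(), parts.netloc.lower(), parts.path or "/", parts.query


class WebPublishing:
    """Inbound request routing: explicit mappings first, then the default.

    default_target=None models the default of discarding unmatched requests;
    a URL models forwarding them to the proxy's default Web site or to a
    specific site (the two forwarding defaults from the text, collapsed).
    """

    def __init__(self, default_target=None):
        self.default_target = default_target.rstrip("/") if default_target else None
        self.mappings = []   # ((scheme, host, path prefix), internal URL prefix)

    def add_mapping(self, inbound_url, internal_url):
        scheme, host, path, _ = _split(inbound_url)
        self.mappings.append(((scheme, host, path.rstrip("/")), internal_url.rstrip("/")))
        # Longest path prefix first, so a more specific mapping wins.
        self.mappings.sort(key=lambda m: len(m[0][2]), reverse=True)

    def route(self, request_url):
        """Return ("forward", internal_url) or ("discard", None)."""
        scheme, host, path, query = _split(request_url)
        suffix = "?" + query if query else ""
        for (m_scheme, m_host, m_path), internal in self.mappings:
            same_site = scheme == m_scheme and host == m_host
            if same_site and (path == m_path or path.startswith(m_path + "/")):
                return "forward", internal + path[len(m_path):] + suffix
        if self.default_target is None:
            return "discard", None
        return "forward", self.default_target + path + suffix


if __name__ == "__main__":
    wp = WebPublishing()   # default: discard everything that is not mapped
    wp.add_mapping("http://www.nwtraders.msft", "http://sales.nwtraders.msft")
    wp.add_mapping("http://www.nwtraders.msft/docs", "http://docs.internal.example/public")
    for url in ["http://www.nwtraders.msft/catalog/index.htm",
                "http://www.nwtraders.msft/docs/a.htm?x=1",
                "http://other.example/"]:
        print(url, "->", wp.route(url))
```

The "path == m_path or path.startswith(m_path + '/')" test is deliberate: a mapping for /docs must not capture /docsx, and the site-wide mapping (empty prefix) still catches it.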
Enhancing a Proxy Server Design for Availability

Enhancing Availability for Outbound Client Requests

Enhancing Availability for Inbound Client Requests

You can enhance the availability of the Proxy Server
solution by including proxy arrays, round robin DNS
entries, and Network Load Balancing in your design.
Consider specifying multiple servers running Proxy
Server to:

Enhance the availability for outbound client requests
from the private network to the Internet.

Enhance the availability for inbound client requests from
the Internet to the private network.
Enhancing Availability for Outbound Client Requests
[Slide diagram: outgoing requests from the private network to the Internet through a proxy array]

Same Domain, Site, and Proxy Array Name

Web Object Distribution and Failover

Proxy Arrays with Only One Proxy Server

You can enhance the availability for client outbound
requests by using proxy server arrays. Proxy arrays
distribute Web content across all of the proxy servers in
the array so that if a server fails, the remaining servers
in the array will continue to service client requests.
Proxy Server client requests are sent to the array and
then routed to the appropriate proxy server within the
array.
Specifying the Same Domain, Site, and Proxy Array Name

Establish proxy arrays by specifying which proxy
servers make up the array. All members of the array
must:

Belong to the same Active Directory domain and site.

Have the same proxy array name specified.
Providing Web Object Distribution and Failover

When a proxy server within an array fails, the cached
Web content stored on the failed server is lost. Other
proxy servers within the array automatically retrieve the
lost Web content.
By specifying that multiple proxy servers belong to the
same array, you can:

Distribute the Proxy Server Web content cache.

Provide immediate failover in the event of a failure.
Specifying Proxy Arrays with Only One Proxy Server

A proxy array can be specified with only one proxy
server to:

Allow the Proxy Server configuration information to be
stored in Active Directory.

Establish an array that you can extend in the future.
Enhancing Availability for Inbound Client Requests
[Diagram: inbound requests from the Internet are resolved by a DNS server holding the entries nwtraders.msft x.y.z.1, nwtraders.msft x.y.z.2 and nwtraders.msft x.y.z.3, and reach a proxy array in front of the private network]

Multiple Proxy Servers

Network Load Balancing on Each Proxy Server

Round Robin DNS Entry for Each Proxy Server

You can enhance the availability for Proxy Server
inbound requests by using a combination of multiple
proxy servers and round robin DNS entries or Network
Load Balancing.
Specifying Multiple Proxy Servers

To enhance the availability of an Internet connectivity
solution, you can specify additional proxy servers. If
one server fails, the remaining servers will continue to
respond to inbound requests for private network
resources.
Specifying Network Load Balancing on Each Proxy
Server

You can add Network Load Balancing to each of the
computers running Proxy Server that are responsible
for responding to inbound requests for private network
resources. All of the proxy servers belong to the same
cluster and share a common IP address known as the
cluster IP address.
Specifying Network Load Balancing on Each Proxy
Server …

The following sequence describes the process of a
remote client accessing a private network resource:

1. The Internet-based remote client requests IP address
name resolution from the DNS server.

2. The DNS server returns the cluster-primary IP address
as the IP address.

3. The remote client sends an inbound request to the
Network Load Balancing cluster.

4. The proxy servers in the Network Load Balancing
cluster evaluate the request, and one of the proxy
servers responds to the request.
Specifying a Round Robin DNS Entry for Each Proxy
Server

Specify a round robin DNS entry for each of the
computers running Proxy Server that is responsible for
responding to inbound requests for private network
resources. When an Internet-based client queries a DNS
server for the IP address of the organization, the round
robin DNS process distributes the Internet-based
requests across multiple proxy servers.

For example, three proxy servers make up a proxy array
called proxyarray.msft. Each of the servers in the array
has a unique IP address, so you need to specify an A-type
resource record for each server as follows:

proxyarray.msft IN A 10.0.0.1
proxyarray.msft IN A 10.0.0.2
proxyarray.msft IN A 10.0.0.3

When a query is made for the proxy array, the DNS
server responds in a round robin order of the IP
addresses.

In the preceding example, the first client request is
answered with the addresses ordered 10.0.0.1, 10.0.0.2,
and 10.0.0.3. The next client request for the same
information is answered with the order rotated to
10.0.0.2, 10.0.0.3, followed by 10.0.0.1. The rotation
process continues until requests for the same-type
resource records have been rotated to the top of the list.
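The rotation just described, and the difference between it and a Network Load Balancing cluster, can be seen in the following Python simulation. It is an added example, not part of the module or of any Microsoft product: the three addresses are the module's own 10.0.0.1 to 10.0.0.3, while the cluster IP address 10.0.0.10, the hash-based member selection and the health set are assumptions made for the example (real NLB uses its own distributed filtering algorithm).

```python
import hashlib

# Constructed addresses for the module's three-server proxyarray.msft example.
A_RECORDS = ["10.0.0.1", "10.0.0.2", "10.0.0.3"]

# Assumed Network Load Balancing cluster: the same three servers behind one
# cluster IP address, which is what the DNS server hands out instead of the
# member addresses.
CLUSTER_IP = "10.0.0.10"
CLUSTER_MEMBERS = ["10.0.0.1", "10.0.0.2", "10.0.0.3"]


def round_robin_answer(records, query_number):
    """Answer set for the Nth query (0-based) of a round robin DNS name.

    The DNS server returns every A record each time, rotated one position
    further per query, so the list is back in its original order after
    len(records) queries.
    """
    k = query_number % len(records)
    return records[k:] + records[:k]


def nlb_dns_answer():
    """With Network Load Balancing the DNS server returns only the cluster IP."""
    return [CLUSTER_IP]


def nlb_select_member(client_ip, members, healthy):
    """Pick the cluster member that services a request from client_ip.

    Simplified stand-in (assumption) for NLB's distributed filtering: the
    surviving members agree on a hash of the client address, so a failed
    member drops out of the candidate list and nothing is routed to it.
    """
    live = [m for m in members if m in healthy]
    if not live:
        return None
    digest = hashlib.sha256(client_ip.encode()).digest()
    return live[int.from_bytes(digest[:4], "big") % len(live)]


def requests_to_failed_servers(num_requests, healthy, client_ips):
    """Count requests that land on a failed server under each scheme.

    Round robin DNS is static: the DNS server keeps rotating a failed
    server's address into the answer, and a client that connects to the
    first address it receives hits the dead server. NLB is dynamic: the
    cluster stops answering for a failed member.
    """
    rr_failed = nlb_failed = 0
    for i in range(num_requests):
        first_answer = round_robin_answer(A_RECORDS, i)[0]
        if first_answer not in healthy:
            rr_failed += 1
        member = nlb_select_member(client_ips[i % len(client_ips)],
                                   CLUSTER_MEMBERS, healthy)
        if member is None:
            nlb_failed += 1
    return rr_failed, nlb_failed
```

Two caveats follow from the simulation. A client that gets a connection failure on the first address may try the next one, which softens the static behaviour but adds a time-out per dead server; and caching resolvers between the client and your DNS server can reorder or pin the answer set, so the rotation is never guaranteed. Round robin DNS therefore needs an operational process for pulling a failed server's record, which NLB does on its own.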
Optimizing a Proxy Server Design for Performance

Selecting the Proxy Server Cache Method

Organizing Proxy Servers Hierarchically

Distributing IP Traffic Across Multiple Proxy Servers

Discussion: Enhancing a Proxy Server Solution

You can optimize the performance of a single Proxy
Server by upgrading the computer hardware or by
running only Proxy Server on the computer. If your
design includes multiple computers running Proxy
Server, you can optimize the performance of your
Internet connectivity solution by specifying that the
multiple proxy servers:

Select either the passive or active Proxy Server cache
method.

Are organized hierarchically to take advantage of the
local Proxy Server cache.

Distribute inbound and outbound client requests by
using proxy arrays, round robin DNS entries, or Network
Load Balancing.
Selecting the Proxy Server Cache Method
[Diagram: Active caching - the proxy server updates the cache when requested and also automatically updates objects from the Internet; Passive caching - the proxy server updates the cache only when requested]

Use the Default—Active Caching

Use Passive Caching to Conserve System Resources

You can improve the performance for private network
Proxy Server clients accessing Internet-based Web
objects by using Proxy Server caching. Proxy Server
caching intercepts requests for Internet-based Web
objects, and stores a copy of the objects on a local
drive on the proxy server for subsequent requests.

Select the Proxy Server cache method based on criteria such as space
availability and whether the cached Web object is an up-to-date version
of the Web object. The following table lists the Proxy Server caching
methods, the criteria for determining when content is removed from the
cache, and when to select each caching method.
Use               To remove content based on the               If you want to
Active caching    Selected parameters such as HTML header      Reduce Internet traffic while
                  information, age, and URL.                   conserving disk space.
Passive caching   Date and time of the most recent access,     Use less processor overhead than
                  so that Proxy Server can determine which     active caching, while consuming
                  content to overwrite first.                  more disk space.

Tip: You can estimate the Proxy Server cache size by specifying 100
MB of common cache and adding 0.5 MB for each Proxy Server client
on the private network.
Using the Default-Active Caching

By enabling the Proxy cache service, you can select
active caching as the default. Just like passive caching,
active caching retrieves Web objects when the clients
request the objects. Active caching automatically
updates the Web objects from the Internet based on:

The number of requests for a Web object.

How frequently the Web object changes.
Active caching automatically updates Web objects in the
cache when the processor utilization of the computer
running Proxy Server is low. Proxy Server updates during
low processor utilization so that active caching does not
affect the response time for Proxy Server clients.
Using Passive Caching to Conserve System
Resources

When you disable active caching, the Proxy cache
service uses passive caching. Passive caching retrieves
Web objects only when the clients request the objects.
As the Web object is passed through to the user, the
Proxy cache service determines if the Web object is
cacheable and stores the object in the cache
accordingly.
Note: To cache Web content, you must store the Web
content cache on an NTFS file system partition.
Organizing Proxy Servers in a Hierarchy
[Diagram: a proxy array with its cache at the central office connects to the Internet; a single proxy server with its cache at one branch office and a proxy array with its cache at another branch office forward requests to the central office array]

Access Local Web Objects to Improve Performance

Route Requests to Another Proxy Server or Internet

You can improve the performance for Proxy Server
client requests by organizing multiple proxy servers in a
hierarchy, and by using Proxy Server caching. Define
the hierarchy by using a proxy array to connect to the
Internet and by using individual computers running
Proxy Server or proxy arrays at remote locations.
Accessing Local Web Objects to Improve
Performance

By placing proxy servers or proxy arrays at remote
locations to manage cached Web objects, you increase
the performance for the Proxy Server clients within the
same location.

Proxy Server clients access cached Web objects within
the same location to reduce the utilization of:

Wide area network (WAN) connections between
locations within an organization.

The Internet connection for the organization.
Note: Include a proxy array at remote locations if the
number of users, or need for availability, requires
additional proxy servers.
Routing Requests to Another Proxy Server or the
Internet

If a Web object is not cached on a proxy server or proxy
array within the same location, specify that the request
be forwarded to the proxy array connected to the
Internet.
Routing Requests to Another Proxy Server or the
Internet …

When the Web object is cached on the proxy array
connected to the Internet, the object is retrieved from
the cache:

1. Through the proxy server or array at the remote
location.

2. Then sent to the Proxy Server client.
Routing Requests to Another Proxy Server or the
Internet …

If the Web object is not cached on the proxy array
connected to the Internet, the object is retrieved from
the Internet:

1. Through the proxy array connected to the Internet.

2. Through the proxy server or array at the remote
location.

3. Then sent to the Proxy Server client.
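The two retrieval paths above, together with the passive caching behaviour from "Selecting the Proxy Server Cache Method" (store an object only when a client asks for it, overwrite the least recently accessed object first), can be traced with the following Python model. It is an added example and not code from the module or from Proxy Server 2.0: the node names, cache capacities, the constructed origin table and the header-based cacheability check are all assumptions made for the example.

```python
from collections import OrderedDict

# Constructed stand-in for Internet Web servers: URL -> (body, response headers).
ORIGIN = {
    "http://www.example.com/index.htm": ("<html>home</html>", {"Cache-Control": "max-age=3600"}),
    "http://www.example.com/account": ("<html>private</html>", {"Cache-Control": "no-store"}),
}


def fetch_from_internet(url, trace):
    """Top of the hierarchy: the array connected to the Internet fetches the object."""
    trace.append("internet")
    return ORIGIN[url]


def is_cacheable(headers):
    """Simplified cacheability check (assumption: header-driven, as an HTTP proxy
    would do). Objects marked no-store or private must not be kept on a shared
    proxy cache, or one user's response could be served to another."""
    cc = headers.get("Cache-Control", "").lower()
    return not any(tok in cc for tok in ("no-store", "private"))


class PassiveCache:
    """Passive caching: objects are stored only when a client requests them, and
    the least recently accessed object is overwritten first when space runs out."""

    def __init__(self, capacity):
        self.capacity = capacity
        self._items = OrderedDict()

    def get(self, url):
        if url not in self._items:
            return None
        self._items.move_to_end(url)          # record the most recent access
        return self._items[url]

    def put(self, url, obj):
        self._items[url] = obj
        self._items.move_to_end(url)
        while len(self._items) > self.capacity:
            self._items.popitem(last=False)   # overwrite least recently accessed

    def __contains__(self, url):
        return url in self._items


class ProxyNode:
    """One proxy server or proxy array in the hierarchy. `upstream` is the next
    proxy toward the Internet; the node at the top has none and fetches itself."""

    def __init__(self, name, cache_capacity, upstream=None):
        self.name = name
        self.cache = PassiveCache(cache_capacity)
        self.upstream = upstream

    def request(self, url, trace):
        obj = self.cache.get(url)
        if obj is not None:
            trace.append(f"{self.name}:hit")
            return obj
        trace.append(f"{self.name}:miss")
        if self.upstream is not None:
            body, headers = self.upstream.request(url, trace)
        else:
            body, headers = fetch_from_internet(url, trace)
        if is_cacheable(headers):
            self.cache.put(url, (body, headers))
        return body, headers


def build_hierarchy():
    """Assumed layout: one central array on the Internet, one branch proxy behind it."""
    central = ProxyNode("central-array", cache_capacity=100)
    branch = ProxyNode("branch-proxy", cache_capacity=10, upstream=central)
    return branch, central


def trace_request(node, url):
    """Return the list of hops a request for url took, starting at node."""
    trace = []
    node.request(url, trace)
    return trace
```

Running the same request twice from the branch shows the WAN and Internet hops disappearing on the second call, and a second branch behind the same central array is served from that array's cache without going to the Internet. The no-store object is the case worth keeping in mind when sizing and auditing a cache: it travels the full path every time by design.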
Distributing IP Traffic Across Multiple Proxy Servers
[Diagram: inbound requests from the Internet are resolved by a DNS server holding the single entry nwtraders.msft x.y.z.1 and reach a proxy array with Network Load Balancing in front of the private network]

Proxy Arrays for Outbound Client Requests

Round Robin DNS Entries for Inbound Client Requests

Network Load Balancing for Inbound Client Requests

You can optimize the performance of a Proxy Server
solution by distributing IP traffic across multiple proxy
servers, and by using round robin DNS entries, proxy
arrays, or Network Load Balancing. Select the
appropriate method for load-balancing IP traffic by
determining if the:

Direction of the IP traffic is inbound or outbound.

Load-balancing method distributes IP traffic
dynamically or statically.

The following table lists the criteria for selecting the method of
optimizing Proxy Server performance, and specifies if the method
meets the criteria.

If you need to support                      Proxy arrays   Round robin DNS   Network Load Balancing
Inbound traffic (Internet-based requests)   No             Yes               Yes
Outbound traffic (private network-based     Yes            No                No
requests)
Dynamic/static load balancing               Dynamic        Static            Dynamic
Proxy Arrays for Outbound Client Requests

Proxy arrays distribute cached Web content across the
proxy servers within the array. By distributing the
cached Web content, the Proxy Server client Web
content requests are load balanced. Select proxy server
arrays to:

Improve the performance of Internet access for Proxy
Server clients.

Provide industry standard proxy server support to
interact with third-party products such as any SOCKS-compatible client.
Round Robin DNS Entries for Inbound Client
Requests

Specify a DNS A-type resource record for each
computer running Proxy Server. The resource records
include the same DNS domain name with the IP address
for each respective proxy server. By returning the IP
address of a different proxy server for each request,
Internet-based client requests are load balanced. Select
round robin DNS entries to:

Improve the performance of private network access for
Internet clients.

Provide the improvement in performance without using
Network Load Balancing.
Network Load Balancing for Inbound Client Requests

Specify a DNS A-type resource record for the proxy
servers in the same Network Load Balancing cluster.
The resource record includes the DNS domain name
and the IP address of the Network Load Balancing
cluster. The remote client sends an inbound request to
Network Load Balancing, the proxy servers in the
Network Load Balancing evaluate the request, and one
of the proxy servers responds to the request. Select
Network Load Balancing to:

Improve the performance of private network access for
Internet clients.

Provide dynamic load balancing across the proxy
servers in the Network Load Balancing cluster.
Discussion: Enhancing a Proxy Server Solution
[Map: Montreal, Edmonton, Vancouver, Calgary, Winnipeg, Toronto]

After you have provided a basic Internet connectivity
solution to an organization, you need to examine the
security, availability, and performance requirements for
the solution.
The following scenario describes the requirements for
enhancing the Proxy Server design of a legal firm.
Scenario

Six months after the initial installation, the legal firm has
completed the conversion of the Edmonton branch
office to a TCP/IP-based network. The Edmonton branch
is connected to the Montreal central office through the
Calgary branch office.
You have been hired to evaluate the current network for
the legal firm. After your evaluation, you reach the
conclusion that the connections between locations are
saturated.
Lab A: Designing a Proxy Server Solution
Objectives
After completing this lab, you will be able to:

Evaluate a scenario and determine the design
requirements for a Proxy Server solution.

Design a Proxy Server solution for the given scenario.
Prerequisites
Before working on this lab, you must have:

Knowledge of Proxy Server features and functionality.

Knowledge of strategies that can be used to enhance
the security, availability, and performance of the Proxy
Server solution.
Exercise 1: Designing a Proxy Server Solution

In this exercise, you are presented with the task of
creating a Proxy Server design solution for a domestic
airline. This airline has three types of airports and one
regional reservation center. You are assigned to a hub
airport. You will design a Proxy Server solution that
supports the organization's Internet connectivity
requirements.
You will record your solution on the specific Design
Worksheet. Review the scenario, the design
requirements, and the diagram. Follow the Design
Worksheet Instructions to complete the Design
Worksheet.
Scenario

A U.S. domestic airline is converting their existing
reservation and ticketing system from a mainframe
solution to a solution based on Windows 2000. As the
director of information services, you are responsible for
the transition from the mainframe solution to the
Windows 2000-based solution.
The airline has three regional reservation centers that
provide telephone-based reservations and customer
support. The three regional reservation centers also
provide the human resource and administration
resources for each region.
Scenario …

The airline services 60 airports within its service routes. The
types of airports serviced by the airline are:

Hub airports: Located in metropolitan cities, these airports can be
a connecting point to final destinations. These airports have a
travelers club that provides Internet access, and printing and fax
services to the customers. Hub airports have the largest number
of computers used by customer service agents and the baggage
handling staff.

Full service airports: Located in larger cities that are final
destinations, these airports are frequented by larger aircraft.
Some of these airports have a travelers club that provides
Internet access, and printing and fax services to the customers.
Full service airports have fewer computers than the hub airports
for customer service agents and the baggage handling staff.

Shuttle airports: Located in smaller cities that are final
destinations, these airports are frequented by smaller commuter
aircraft. These airports have the minimal number of computers for
customer service agents and the baggage handling staff, and are
the smallest of the airport types.
Design Requirements

By examining existing documentation, and conducting
interviews with the airline personnel, you have
established the design requirements that must be
achieved. Make sure your solution meets or exceeds
these requirements.
Applications

The domestic airline uses a number of applications to conduct the day-to-day
operations. Your solution must provide:

Support for a mission-critical Web-based application that manages customer
reservations, ticketing, baggage handling, and baggage tracking.

Support for a mission-critical Web-based application that allows customers to
make reservations and purchase the tickets over the Internet.

Private network access to all shared folders and Web-based applications from
the central and regional offices.

Internet access from the regional offices and the airports.

Active Directory as the directory services for the airline.

Proxy Server response times such that the application response time is not
reduced. Pilot tests on approved proxy servers indicate that each proxy server
can support no more than 1,200 hosts while providing performance within
given application response times.

Support for all mission-critical applications to be available 24 hours a day, 7 days a week.
Connectivity

The applications used by the domestic airline require
connectivity between the regional offices and airport
offices. Your solution must provide:

Support for the airports to connect to the regional
reservation centers by using dedicated connections over
the Internet.

Isolation of the regional reservation centers and the
airports from the Internet.
Design Worksheet Instructions
To complete the Proxy Server Design Worksheet, you need to:

Assign a name to the Windows 2000-based server that will run
Proxy Server. Use the name when specifying options. Record this
under Server name.

On the subnet, decide where you will place the Windows 2000-based server that runs Proxy Server. Record this under Server
placement.

Explain your reasons for the placement of the proxy server. Record
this under Reason for placing server.

Select the Proxy Server and Proxy Server client-specific options
required for your solution. Record this under Networking service
options.

Explain the reason why you added the Proxy Server-specific
options to the Proxy Server design. Record this under Reason for
specifying option.
Review

Introducing Proxy Server

Designing a Functional Proxy Server Solution

Securing a Proxy Server Solution

Enhancing a Proxy Server Design for Availability

Optimizing a Proxy Server Design for Performance