CIS 454

Local Area Network

California State University, Los Angeles Spring 2000

INSTALLING AND SETTING UP A PROXY SERVER


BY: Donald Parungao, Liksun (Sam) Lo, Zongyang (Nancy) Liu, Maochen Chang
CIS 454 SPRING 2000, CSULA DR. N. GANESAN

BRIEF INTRODUCTION

PRESENTATION OVERVIEW:
Basic Concepts
Different Implementations for Proxy Server
Sample Case
Hardware and Software Planning
Implementation and Setup of Proxy Server
Conclusion
Contacts, Research Sources, and Credits

BASIC CONCEPTS

What is a Proxy Server?


A Proxy Server is a medium in which users within the LAN can gain access to the Internet efficiently and much more securely.

How does Proxy Server Work?


Proxy Server works in two different ways:
1. It can act as a cache that is set up to improve the access speed to the Internet
2. It provides firewall security, because all transmissions pass through the server

1. Proxy Server as a Cache


Basic Concept of Internet Transmission:
[Diagram: an HTTP-request travels from the LAN across the INTERNET to the Web Server, and the HTTP-response (with HTTP-ack) travels back; at each step the destination address is read]

As you can see, transmission speed here is not very efficient
The restriction is due to the distance the transmission packet has to travel
Imagine if the user requests larger web files

1. Proxy Server as a Cache ... (contd)

[Diagram: HTTP-requests go from the LAN to the Proxy Server and across the INTERNET to the Web Server; web pages come back in HTTP-responses through the Proxy Server]

Therefore the distance the transmission travels in this example is greatly reduced
Therefore a Proxy Server set up as a cache significantly increases the transmission speed

2. Proxy Server as firewall

[Diagram: HTTP-requests pass from the LAN through the Proxy Server and the INTERNET to the Web Server, and HTTP-responses return the same way; the diagram is labelled "False Source Address"]

This way, it adds extra protection by hiding the source address
This is good especially against unwanted intrusion
Also, as a firewall, the proxy server provides control over information going out of the LAN, especially if it is addressed to an unauthorized destination
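
The two roles described above (cache and firewall) can be modelled in a few lines. This is an added example, not part of the original presentation; the class names, host names and addresses are constructed, and the web server is simulated in-process so the code runs offline.

```python
"""Toy model of the two proxy roles: cache and firewall (added example)."""

PROXY_ADDR = "203.0.113.10"          # constructed external address of the proxy
BLOCKED_HOSTS = {"blocked.example"}  # constructed list of unauthorized destinations


class WebServer:
    """Stands in for the remote web server; records what it can observe."""
    def __init__(self, pages):
        self.pages = pages
        self.seen_sources = []       # source address of every request received

    def handle(self, source_addr, path):
        self.seen_sources.append(source_addr)
        return self.pages.get(path, "404 Not Found")


class ProxyServer:
    def __init__(self, servers):
        self.servers = servers       # host name -> WebServer
        self.cache = {}              # (host, path) -> response body
        self.log = []                # the proxy itself still knows the real client

    def request(self, client_addr, host, path):
        # Firewall role: refuse unauthorized destinations before anything leaves the LAN.
        if host in BLOCKED_HOSTS:
            self.log.append((client_addr, host, path, "DENIED"))
            return "403 Forbidden"
        key = (host, path)
        # Cache role: answer from the local copy when one exists.
        if key in self.cache:
            self.log.append((client_addr, host, path, "CACHE_HIT"))
            return self.cache[key]
        # Otherwise forward with the proxy's address as the source, so the
        # web server never learns the client's LAN address.
        body = self.servers[host].handle(PROXY_ADDR, path)
        self.cache[key] = body
        self.log.append((client_addr, host, path, "FETCHED"))
        return body


def demo():
    origin = WebServer({"/index.html": "<html>home</html>"})
    blocked = WebServer({"/": "never served"})
    proxy = ProxyServer({"www.example.com": origin, "blocked.example": blocked})
    proxy.request("192.168.1.20", "www.example.com", "/index.html")
    proxy.request("192.168.1.31", "www.example.com", "/index.html")
    proxy.request("192.168.1.20", "blocked.example", "/")
    return origin.seen_sources, blocked.seen_sources, [e[3] for e in proxy.log]


if __name__ == "__main__":
    print(demo())
```

Two LAN clients ask for the same page, yet the web server receives one request and sees only the proxy's address; the request to the blocked host never leaves the proxy, while the proxy's own log keeps the real client address for each decision.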

DIFFERENT IMPLEMENTATIONS FOR PROXY SERVER

Different Implementations for Proxy Server


Dual-Homed Host
Screened Hosts
Screened Subnetwork
Reverse Proxy

SOURCE http://home.netscape.com/proxy/v3.5/using/index.html

Dual-Homed Host
A dual-homed host has two network interfaces: one connects to the internal LAN, one to the Internet
The dual-homed host firewall architecture acts as a software router providing secure connectivity
A proxy in conjunction with a dual-homed host provides a complete firewall solution
In addition to caching, the proxy server brings fine-grained filtering and virus scanning

Proxy Server Implemented With a Dual-Homed Host Firewall


SOURCE
http://home.netscape.com/proxy/v3.5/using/index.html

Drawback of Dual-Homed Host


When security is breached on the single host machine, it could jeopardize the whole network
However, it is desirable for a small office on a budget or an organization that does not require redundant security measures

SOURCE
http://home.netscape.com/proxy/v3.5/using/index.html

Screened Hosts
A screened host consists of a router deployed in front of a server
The router provides packet filtering and restricts inbound access to the internal network
A screening router could support multiple hosts
Proxying allows network traffic to gain Internet access through the router

Proxy Server Implemented Behind a Screening Router


SOURCE
http://home.netscape.com/proxy/v3.5/using/index.html

Drawback of Screened Hosts


If the router fails, security is lost
However, the screened host architecture is appropriate for small to medium-size intranets requiring a simple, yet effective security solution

SOURCE
http://home.netscape.com/proxy/v3.5/using/index.html

Screened Subnetwork
A screened subnetwork consists of multiple routers sandwiching a nonsecure network
This subnetwork is commonly referred to as a Demilitarized Zone (DMZ)
A proxy in the DMZ allows access to both the internal and the external network through the routers
Neither internal nor external traffic can pass through without the help of the proxy server
The screened subnetwork is a popular choice for large organizations with heavily trafficked
Security is critical and therefore redundancy is imperative

Proxy Server Implemented in a DMZ Between Two Screening Routers


SOURCE
http://home.netscape.com/proxy/v3.5/using/index.html

Reverse Proxy
Independent of the firewall architecture, one may want to implement a reverse proxy
Reverse proxies are generally in one of two configurations:
1. Server Stand-in
2. Load Balancing

SOURCE
http://home.netscape.com/proxy/v3.5/using/index.html

1. Server Stand-In
In server stand-in mode, the proxy receives requests for a web server protected behind the firewall
Server stand-in prevents direct, unmonitored access to internal resources from outside
The proxy server acts like a virtual server mirror and provides replication only
Contents of the secure server will be replicated in the proxy server cache

Proxy Server Implemented in Reverse Mode as Stand-In for a Web Server


SOURCE
http://home.netscape.com/proxy/v3.5/using/index.html

2. Load Balancing
Multiple reverse proxy servers can be used to balance the load on an overtaxed server
Load balancing helps the host machine handle high-volume requests while reducing the impact on overall performance

Multiple Proxy Servers Implemented in Reverse Mode to Balance the Load on a Web Server
SOURCE
http://home.netscape.com/proxy/v3.5/using/index.html

SAMPLE CASE

Company: Resource One International

RECENT ISSUES
Has recently implemented a web server for e-commerce
Therefore, security has become a serious concern

Therefore, an appropriate proxy server must be implemented for the new e-Commerce infrastructure
CURRENT I.S. INFRASTRUCTURE
[Diagram: the current network, showing the Web Server, Network Server, President and CSR Lead machines, two Hubs, the Router and the INTERNET]

HARDWARE & SOFTWARE PLANNING

Analysis of the Current I.S.


The following are determined:
The server currently being used by the Network Manager is running the Windows NT Server operating system
The clients run Windows 98

Therefore, an additional server will be needed for the actual Proxy Server
The proxy software program must therefore run in a Microsoft Windows NT environment

Proxy Software Planning Choice: Microsoft Proxy Server 2.0


Features:
Security:
Enables you to configure many security features in order to protect your network from unwanted inbound connections
Has the ability to dynamically filter both inbound and outbound packets (based on protocol or IP addresses)
Has the ability to notify you by email if a protocol violation occurs

Web Caching capabilities

Manageability:
No need to create user accounts in both Win NT and Proxy Server
Instead, users can access Proxy Server by using regular old Win NT accounts

Microsoft Management Console (MMC) capabilities:
Can manage multiple Proxy servers from within a single instance of the MMC

SOURCE
http://www.microsoft.com/proxy
http://www.elementkjournals.com/ewn/9909/ewn9991.htm

Minimum Requirements
Processor = Intel 486/33 MHz or faster, or RISC-based
RAM = 24 MB for the Intel platform; 32 MB for the RISC-based platform
Partitions = NTFS (if you want to enable Web caching)
HD space needed (for Proxy Server installation) = 125 MB for the Intel platform; 160 MB for the RISC-based platform
HD space needed (for Web caching) = 100 MB, plus 0.5 MB per user
Connectivity = Modem, ISDN, ADSL, or dedicated leased line connection to the Internet
Operating System = Windows NT Server 4.0 with Service Pack 3 or later
Other software = Microsoft Internet Information Server 3.0 or later; Microsoft TCP/IP

SOURCE
http://www.elementkjournals.com/ewn/9909/ewn9991.htm

(Hardware) Server Unit Planning


Choice: Dell Precision Workstation 220
Server Unit Specifications:
Processor = Pentium III 600 MHz
RAM = 256MB PC800 ECC RDRAM (1 RIMM)
HD = 36GB Ultra 160/M SCSI (10000 rpm) 8ms Trans Rate
Controller Card (for HD) = Ultra 160/M SCSI
Floppy Drive = 3.5" 1.44MB
CD-ROM = 20/48X IDE
Operating System (Pre-Installed) = MS Windows NT 4.0 w/ Service Pack 5 (Separate CDs)
Modem = V.90 56K Data/Fax PCI for Win NT
Video Card = Diamond Viper V770D, 32MB
Peripherals (Included in Package):
Monitor = 17" Dell (model: M781 P)
Mouse = Logitech First Mouse (2 buttons w/scroll)
Services (Included in Package):
3yr Next Business Day On-Site Parts & Labor
SOURCE http://www.dell.com/us/en/bsd/products/series_precn_workstations.htm

(Hardware) Network Interfaces & Wirings


Choice: LinkSys EtherFast Switched 10/100 Network Interface Card
Package Contents:
2 EtherFast 10/100 LAN Cards w/ Wake-On-LAN Capabilities
2 Wake-On-LAN Wires
EtherFast 5-Port 10/100Mbps Auto-Sensing Switch (not needed, but could be used for future fault tolerance design)
AC Power Adapter
2 Category 5 Network Cables (15 each)
Internet LanBridge software package from Acotec
Program Disks
User Guide and Registration Cards

Features:
5-Port 10/100 Switch delivers high-bandwidth performance to every PC on the network (each port adjusts to 10BaseT or 100BaseTX speeds at Half or Full Duplex)
LAN cards have full backward compatibility w/ Plug-and-Play and Win 95/98 motherboards
Works w/ all major networking software including Win NT 4.0 and Linux
Can be attached to more PCs, Hubs, or Switches at any time
Perfect for sharing a cable modem, DSL, or any Internet connection type
5 year limited warranty
Free (M-F 8-5 ET) technical support and online support available

SOURCE
http://www.linksys.com/products/product.asp?prid=13&grid=12

Estimated Project Cost


Server Unit                  = $ 3,407
Cabling and wiring           = $   110
Proxy Software               = $   599
Other Purchasing Costs       = $   200
                               -------
Subtotal                     = $ 4,261
                               -------
Total Estimated Project Cost = $ 4,500

IMPLEMENTATION & SETUP OF PROXY SERVER

IMPLEMENTATION OBJECTIVES:
1. Planning where to put the Proxy Server
2. NIC card installation in the server unit
3. Proxy program installation

1. Planning where to Implement the new Proxy Server Unit


First, the new switch will be installed
Then, the Proxy Server will be placed between the router and the LAN
The Proxy Server architecture employed here will be screening the inbound transmission behind the router
[Diagram: the planned network, showing the INTERNET, the Router, the Ethernet Switch, two Hubs, and the Web Server, Network Server, President and CSR Lead machines]

2. Installation of EtherFast 10/100 LAN Card


Make sure that the Windows NT Server operating system has been installed correctly
Turn off your PC and any peripheral equipment attached to it and remove the power cord
Open the computer cover and locate the PCI expansion slot(s)
Insert the EtherFast LAN cards into the PC's PCI slot and secure (or into the Master for older systems)
If the system has Plug-n-Play capabilities, it will self-configure; otherwise assign an unused IRQ and I/O address for the new NIC installed (see the system's user guide)
Plug one end of one of the Cat 5 UTP wires into the RJ45 port of the card and the other end into the switch
SOURCE: LINKSYS.COM (Acrobat Reader Format)
ftp://ftp.linksys.com/pdf/fensk05manual.pdf

2. Installation of EtherFast 10/100 LAN Card (contd)


Plug the second wire into another RJ45 port of the switch and the other end into the router
Install the NIC card driver using the NT 4.0 setup (make sure you install the TCP/IP protocol)
Insert the driver floppy disk, go to the Control Panel/Network icon, and install the correct driver provided on the driver disk to the HD
When NT asks you for the media type (cabling), choose the AUTODETECT option and the default setting = 256 for TRANSMIT THRESHOLD
Click CONTINUE
When the NETWORK window reappears, click on the BINDINGS tab
SOURCE: LINKSYS.COM (Acrobat Reader Format)
ftp://ftp.linksys.com/pdf/fensk05manual.pdf

2. Installation of EtherFast 10/100 LAN Card (contd)


Click on the PROTOCOLS tab and select your settings
Do the same for the SERVICES tab
Click CLOSE
Restart the system
Then check device status in NETWORK NEIGHBORHOOD

SOURCE: LINKSYS.COM (Acrobat Reader Format)
ftp://ftp.linksys.com/pdf/fensk05manual.pdf

Now, we are ready to install Microsoft Proxy Server 2.0 Program...

3. Pre-Installation of Proxy Server 2.0


1. Install Microsoft Windows NT 4.0 operating system (not needed; the system came preinstalled with this OS)
2. Install Microsoft Windows NT 4.0 Service Pack 3 (included in the package)
3. Install Microsoft Internet Explorer 4.01 Service Pack 2 (included in the Windows NT 4.0 Option Pack CD that came w/ the package)
4. Install Microsoft Windows NT 4.0 Option Pack CD
5. Install the Proxy Server 2.0 CD
SOURCE: http://www.elementkjournals.com/ewn/9909/ewn9991.htm

3. MS-Proxy Server 2.0 for Windows NT Deployment


Start the installation from the CD-ROM by running the Setup utility in the Proxy Server folder
Type the CD key in the text boxes, and then click OK
Next, verify the folder in which you want to install Proxy Server
In Figure A, choose whether you want to install all or only some of the available options, including Proxy Server, the Administration Tool, and the Proxy Server Documentation
When you're ready, click Continue
Setup must stop your Internet Information Services before it can install Proxy Server

SOURCE: http://www.elementkjournals.com/ewn/9909/ewn9991.htm

3. MS-Proxy Server 2.0 for Windows NT Deployment (contd)


Configure your server's cache setting, as shown in Figure B.

In Figure B, Setup defaults to 100 MB of disk space on your server's NTFS partition. Microsoft recommends setting the server's cache to 100 MB, plus 0.5 MB for each user.
SOURCE: http://www.elementkjournals.com/ewn/9909/ewn9991.htm

3. MS-Proxy Server 2.0 for Windows NT Deployment (contd)


In Figure C, specify IP addresses

Once you've entered your internal IP addresses, click OK to continue

You'll now see the Client Installation/Configuration shown in Figure D


SOURCE: http://www.elementkjournals.com/ewn/9909/ewn9991.htm

3. MS-Proxy Server 2.0 for Windows NT Deployment (contd)


Figure D: Client Installation/Configuration, where you configure your Proxy Server clients.

Proxy Server uses your server name to create a setup script for installing the Proxy Client software on your clients. By default, the setup script identifies your server by its name (such as SERVER) rather than its IP address. Click OK to continue to the next step, shown in Figure E.
SOURCE: http://www.elementkjournals.com/ewn/9909/ewn9991.htm

3. MS-Proxy Server 2.0 for Windows NT Deployment (contd)


Figure E: you must enable access control for the WinSock Proxy and Web Proxy Services if you want to control users' access to your Proxy server

Click OK to accept the settings and close this message box. At this point, Proxy Server is on your server. When the installation is complete, click OK.
SOURCE: http://www.elementkjournals.com/ewn/9909/ewn9991.htm

3. MS-Proxy Server 2.0 for Windows NT Deployment (contd)


Configuring Proxy Server: you'll want to specify which protocols you want to enable through the Proxy server.
You configure Proxy Server by opening the MMC utility from the Microsoft Proxy Server, as shown in Figure F.
Figure F: The MMC displays the Socks Proxy, Web Proxy, and WinSock Proxy Services.

SOURCE: http://www.elementkjournals.com/ewn/9909/ewn9991.htm

3. MS-Proxy Server 2.0 for Windows NT Deployment (contd)


Configuring the Web Proxy Service: At a minimum, you need to configure your server's Web Proxy and WinSock Proxy Services to specify client permissions and the protocols.

To configure users' permissions, begin by selecting the protocols you want to enable users to use on your server from the Protocol dropdown list. Next, click Edit to display the Permissions dialog box; click Add to display a list of groups and users from your server's domain.
Figure G: You can configure which of your domain's users can access the Proxy server.

SOURCE: http://www.elementkjournals.com/ewn/9909/ewn9991.htm

3. MS-Proxy Server 2.0 for Windows NT Deployment (contd)


Configuring the WinSock Proxy Service: Display the WinSock Proxy Service Properties dialog box by right-clicking on the WinSock Proxy Service in the left pane of the MMC. Select the Permissions tab, then choose to assign permissions to users for each of the protocols, or choose the Unlimited Access option, as shown in Figure H. For example, if you want to give all users access, you should choose the Unlimited Access protocol and grant permissions to the group Everyone, as shown in Figure I.

[Figure I: the group Everyone]

SOURCE: http://www.elementkjournals.com/ewn/9909/ewn9991.htm

3. MS-Proxy Server 2.0 for Windows NT Deployment (contd)


If you don't want all users to have access to all protocols, choose the individual protocols you do want them to use from the Protocol dropdown list. Then, grant access to the Windows NT user or group that you want to use these specific protocols.

[Figure: User 1, User 8, User 25]

SOURCE: http://www.elementkjournals.com/ewn/9909/ewn9991.htm
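
The two permission choices on the last two slides (Unlimited Access granted to Everyone, or individual protocols granted to named users and groups) differ in what each account can reach. The model below is an added example, not Microsoft's code or part of the original presentation; the group names, group membership and protocol names are constructed, and the evaluation order is an assumption made for illustration.

```python
"""Model of per-protocol proxy permissions and an audit for broad grants."""

UNLIMITED = "Unlimited Access"   # the catch-all choice named on the slide
EVERYONE = "Everyone"            # the group that contains every account

# Constructed group membership for the sample domain.
GROUPS = {
    "Sales": {"User 1", "User 8"},
    "Admins": {"User 25"},
}


def principals_for(user):
    """Return the user plus every group the user belongs to."""
    names = {user, EVERYONE}
    names.update(g for g, members in GROUPS.items() if user in members)
    return names


def is_allowed(grants, user, protocol):
    """grants maps a protocol name to the set of users/groups granted it."""
    who = principals_for(user)
    # A grant on the catch-all entry allows every protocol.
    if who & grants.get(UNLIMITED, set()):
        return True
    return bool(who & grants.get(protocol, set()))


def audit(grants):
    """List grants that are broader than one protocol for a named principal."""
    findings = []
    for protocol, principals in sorted(grants.items()):
        if protocol == UNLIMITED and EVERYONE in principals:
            findings.append("every account may use every protocol")
        elif protocol == UNLIMITED:
            findings.append("all protocols open to: " + ", ".join(sorted(principals)))
        elif EVERYONE in principals:
            findings.append(protocol + " open to every account")
    return findings


# First option on the slides: Unlimited Access granted to Everyone.
OPEN_GRANTS = {UNLIMITED: {EVERYONE}}

# Second option: individual protocols granted to named users and groups
# (protocol names are constructed sample values).
SCOPED_GRANTS = {
    "HTTP": {"Sales", "User 25"},
    "FTP": {"User 25"},
}

if __name__ == "__main__":
    for name, grants in (("open", OPEN_GRANTS), ("scoped", SCOPED_GRANTS)):
        print(name, audit(grants), is_allowed(grants, "User 8", "FTP"))
```

With the open table User 8 can use FTP and the audit reports one finding; with the scoped table User 8 is limited to HTTP through the Sales group and the audit is empty.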

3. MS-Proxy Server 2.0 for Windows NT Deployment (contd)


The next thing we need to do is install the Microsoft Windows NT 4.0 Service Pack 5 CD that came with the package
Insert the CD and follow the directions for auto install
Next, insert the Proxy 2.0 Service Pack 1 and do the same...
Now, the server is completely deployed and ready to function
Then, you'll need to configure the clients by logging on at the client's computer
Connect to the Mspclnt share on the Proxy Server
Double-click on Setup.exe to start the client software installation on your computer
SOURCE: http://www.elementkjournals.com/ewn/9909/ewn9991.htm

And, that's all there is to it...

Now, let's recap the steps we did

Recap
1. The server unit is installed into the network
2. The network interface card is installed
3. The proxy server software is deployed by the following:
   We made sure that Microsoft Windows NT 4.0 operating system is properly installed in the server unit
   We then installed the MS Windows NT 4.0 Service Pack 3
   Then we installed MS Internet Explorer 4.01 Service Pack 2
   We installed MS Windows NT 4.0 Option Pack
   Then we installed MS Proxy Server 2.0 program
   Then the Windows NT 4.0 Service Pack 5
   Finally, we installed the Proxy 2.0 Service Pack 1
   The client computers are configured

CONCLUSION

Proxy Server
Again, a Proxy Server is a medium in which users within the LAN can gain access to the Internet efficiently and much more securely
It functions in two different ways: as a cache and as a firewall

It can also be implemented in different ways: as a dual-homed host, as a screened host, as a screened subnetwork, and as a reverse proxy

THE END

We would like to thank the following sources that made this project possible:
Dr. N. Ganesan, Cal State Los Angeles
http://ganesan.calstatela.edu

Cisco Systems
http://www.cisco.com

3com
http://www.3com.com

Microsoft Corporation
http://www.microsoft.com

Dell Computers
http://www.dell.com

LinkSys
http://www.linksys.com

And the following site, where basic concepts of Proxy Server were obtained:
http://home.netscape.com/proxy/v3.5/using/index.html

For more information:

Visit this site to see this entire presentation again: http://members.tripod.com/salmonhead101 8
