Microsoft KB Archive/174922

= Proxy Server 2.0 Release Notes =

Article ID: 174922

Article Last Modified on 9/29/2006


APPLIES TO


 * Microsoft Proxy Server 2.0 Standard Edition




This article was previously published under Q174922



**********************************************************************
Microsoft(R) Proxy Server 2.0 Release Notes
September 1997
(c)1997 Microsoft Corporation. All rights reserved.

Please review this entire document before you install Microsoft Proxy Server version 2.0. It contains important information about installing and using Proxy Server, and it supplements the on-line documentation that is installed with the product.

==========================================================
CONTENTS
==========================================================


 * Software Requirements
 * Internet Information Server Fix
 * Internet Explorer 3.02, Script Routing & NTLM
 * Internet Explorer 3.x, NTLM, & SSL
 * Display Not Synchronized When Viewing Documentation On-Line
 * Installing Internet Information Server 4.0 With Proxy Server
 * Proxy Server With Single Network Adapter Configuration
 * Client Configuration Dialog Box
 * Starting and Stopping the Socks Proxy Service
 * NetBIOS Packet Filtering Issues
 * WinSock Proxy Domain Filters
 * Enabling Passive FTP For Web Proxy
 * Server Proxy Issues For Using Exchange With DNS
 * Packet Filtering Slows Performance if server uses Identd
 * Additional Notes On Configuring Packet Filters
 * Administering Arrays
 * Registry Entries for Arrays
 * Registry Entry for Disabling Socks Proxy
 * Remote Use Of System Services With WinSock Proxy
 * Setting Autodisconnect for Auto Dial
 * Web Browsers That Support SOCKS v4.3 Do Not Proxy DNS Lookups
 * Using Routing and Remote Access Service (RRAS)
 * Logging to an Access Database
 * Acknowledgments

==========================================================
SOFTWARE REQUIREMENTS
==========================================================

The following components must already be installed on the server computer before you install Proxy Server 2.0:


 * Microsoft Windows NT(R) Server version 4.0 or later
 * Microsoft Internet Information Server version 3.0 or later
 * Service Pack 3 or later for Microsoft Windows NT Server 4.0

==========================================================
INTERNET INFORMATION SERVER FIX
==========================================================

There is a bug in Microsoft Internet Information Server Version 3.0 that can cause the Web service to abnormally terminate. You should download and install the software fix on any computer that runs IIS and/or Microsoft Proxy Server. You can use your browser to connect to:

ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/nt40/hotfixes-postSP3/iis-fix/

For more information on this IIS issue, read the Q143484.txt file. For information on how to download and install the fix, read the readme.txt file.

==========================================================
INTERNET EXPLORER 3.02, SCRIPT ROUTING AND NTLM
==========================================================

When using Proxy's routing script with Internet Explorer version 3.02, NTLM authentication does not work properly. This is fixed in IE version 4.0.

==========================================================
INTERNET EXPLORER 3.X, NTCR, & SSL
==========================================================

When using some versions of Internet Explorer version 3.x with Microsoft Proxy Server, NTCR authentication does not work properly when accessing secure web sites (https://...). Please check IE information on the Microsoft Corporation Web page, or Microsoft Knowledge Base, etc. for an update on this issue.

==========================================================
DISPLAY NOT SYNCHRONIZED WHEN VIEWING DOCUMENTATION ON-LINE
==========================================================

Occasionally when viewing the on-line documentation, you may detect problems with the display topics being unsynchronized with a selected topic in the contents view. This problem has been reported during some installations, particularly where "Index" mode is used to view the table of contents. If you detect this problem, reselecting the topic appears to resolve the problem and refresh the display correctly.

To reselect a topic and refresh the display:

1. Click a topic in the table of contents, then click "Display".

2. In "Topics Found", double-click the topic.

Note: As an option, you may redisplay a topic in "Topics Found" by clicking it once and then clicking "Display."

==========================================================
INSTALLING INTERNET INFORMATION SERVER 4.0 WITH PROXY SERVER
==========================================================

Note: The information provided in this section is current for installing and using the Beta 3 release of Microsoft Internet Information Server (IIS) 4.0 with Microsoft Proxy Server. For possible changes between Beta 3 and the final release of IIS 4.0, review final release notes for IIS 4.0.

>>> Upgrading to IIS 4.0 with Microsoft Proxy Server 1.0

Before installing IIS 4.0, you must upgrade from MSP 1.0 to MSP 2.0. You can upgrade and install MSP 2.0 using an in-place upgrade directly over your previous installation of MSP 1.0. There is no need to uninstall MSP 1.0 prior to upgrading. In addition, MSP maintains prior server configuration settings, such as Access Control Lists (ACLs) and other settings, after the upgrade to MSP 2.0 is completed.

>>> Upgrading to IIS 4.0 with Microsoft Proxy Server 2.0

Once you upgrade to use IIS 4.0 on a server computer running MSP 2.0 and IIS 3.0, you will need to run MSP 2.0 setup again. This reinstallation is needed because IIS 4.0 installs Microsoft Proxy Server as a global ISAPI filter for all Web servers. Repeating MSP 2.0 setup configures Microsoft Proxy Server correctly, as a non-global filter of the IIS default Web service for the local server computer (or "localhost").

There is no need to uninstall MSP 2.0 prior to upgrading to IIS 4.0. Also, MSP 2.0 maintains prior settings, such as Access Control Lists (ACLs) and other configuration settings when in-place reinstallation of MSP 2.0 is completed.

>>>Verifying Authentication Settings After IIS 4.0 is Installed

After you have upgraded to IIS 4.0, you should verify that "Password Authentication" settings are maintained and correctly configured as you have chosen to use them in IIS 3.0.

For IIS 3.0, "Password Authentication" properties are set using the Internet Service Manager (ISM). To view or modify these settings using ISM, do the following:

1. Double-click the computer name next to the "WWW service."

2. Under "Password Authentication", note which methods are selected for use in authenticating users. The methods that can be optionally set include either "Allow Anonymous", "Basic (Clear Text)", or "Windows NT Challenge/Response".

3. Click "OK" or "Cancel" to close this dialog.

For IIS 4.0, "Password Authentication" properties are set through use of Microsoft Management Console (MMC). To view or modify these settings using MMC, do the following:

1. From the Start menu, select "Programs"-->"Microsoft Proxy Server"-->"Microsoft Management Console"

2. In MMC, double-click the IIS root folder in the scope pane on the left to open and expand its contents.

3. Double-click "Default Web Site" to open and expand its contents.

4. Double-click "SCRIPTS" to open and expand its contents.

5. Click "Proxy".

6. Right-click and select "Properties".

7. Click the "Directory Security" tab.

8. In "Password Authentication", click "Edit".

9. Verify password authentication settings are set correctly as previously configured for IIS 3.0 in the previous procedure using ISM.

Note: If you have Windows NT 4.0 Option Pack installed, you may also open the IIS management console as described in step 1 using the following alternate shortcut:

From the Start menu, select "Programs"-->"Windows NT 4.0 Option Pack"-->"Microsoft Internet Information Server"-->"Internet Service Manager"

==========================================================
PROXY SERVER WITH SINGLE NETWORK ADAPTER CONFIGURATION
==========================================================

You can run Microsoft Proxy Server on a computer with only a single internal network adapter, such as for a chained downstream configuration or a caching-only configuration. Since such a computer has a single IP address, the following considerations apply:

 * Packet filtering cannot be enabled.
 * It is advised that you either disable the WinSock Proxy service, or disable access control for the WinSock Proxy service if the Proxy Server computer is connected to the Internet.

==========================================================
CLIENT CONFIGURATION DIALOG BOX
==========================================================

There is a check box in the "Client Configuration" dialog box that is missing from the product's online documentation. This check box can be used to determine whether or not Web browsers use the Configuration URL to automatically download a client configuration script. The check box is "Configure Web browsers to use Automatic Configuration", and is located under "Automatically configure Web browser during client setup." By default, this feature is disabled.

In addition, the client configuration file, Mspclnt.ini, has an entry "Set Browsers to use Auto Config" in the [Common] section to support this feature.

==========================================================
STARTING AND STOPPING THE SOCKS PROXY SERVICE
==========================================================

In the on-line documentation, under "Administration"-->"Setting Server Parameters"-->"Configuring Auto Dial" -> "Restarting Services", the following command-line syntax is invalid:

NET STOP | START SPSVC for the Socks Proxy service

Proxy Server's Web Proxy and Socks Proxy run within the WWW service of IIS. To stop or start these proxy services, use:

NET STOP | START W3SVC

==========================================================
NETBIOS PACKET FILTERING ISSUES
==========================================================

By default, packet filtering is not enabled when Microsoft Proxy Server is installed. Where packet filtering is enabled, this section details recommended configuration options for secure and reliable operation of the proxy server depending on your need to allow or restrict NetBIOS traffic on the server's external network interface.

With packet filtering enabled on Microsoft Proxy Server, several predefined filters for NetBIOS are provided for your use. Depending on your need to support NetBIOS traffic on the server's external network interface, you may choose among the following ways to configure WINS client and NetBIOS packet filtering options for Microsoft Proxy Server:

 * If NetBIOS traffic is not used or supported on the external network, the WINS client should be disabled in bindings for the server's external network adapter card. In addition, the predefined NetBIOS filters should NOT be activated.
 * If NetBIOS traffic is used and supported on the external network, the WINS client can remain enabled by default in bindings or be disabled as needed. In addition, where NetBIOS must be supported on the external network, activate the predefined NetBIOS filters for the following reasons:

    * Where the WINS client is enabled for the server's external network interface, activate the predefined "NetBIOS (WINS client only)" filter to provide secure filtering of NetBIOS traffic by Microsoft Proxy Server between the internal and external networks.
    * Where the WINS client is disabled for the server's external network interface, NetBIOS traffic is securely blocked from entering the internal network. This policy is in effect regardless of whether NetBIOS predefined filters are activated. However, if the NetBIOS predefined filters are not activated, the packet filter driver will detect any NetBIOS broadcast packets on the external network that are received on the server's external adapter card as a possible attack on the proxy server. Consequently, it will log each of these packets and possibly generate an alert. This results in system overhead, and reduction in the usefulness of the logging & alerting features. To avoid this situation, you can activate the "NetBIOS (All)" predefined packet filter to stop logging of these NetBIOS packets when NetBIOS traffic is expected on the external network.

==========================================================
WINSOCK PROXY DOMAIN FILTERS
==========================================================

In the on-line documentation, under "Administration"-->"Setting Security Parameters"-->"Domain Filters", the following note is incorrect:

"To control WinSock Proxy access to Internet sites, create a filter for both the domain and the IP address of the site. When a WinSock application attempts to access an Internet site, it first converts the domain name to the IP address, and then tries to access the site by using the IP address. When the default filtering policy is set to "Denied", the filters (which allow access) must be created for both the domain name and IP address in order for access to that site to succeed."

To control WinSock Proxy access to Internet sites, you only need to create a filter for the domain name. It is no longer necessary to create an additional domain filter for the IP address of an Internet site.

==========================================================
ENABLING PASSIVE FTP FOR WEB PROXY
==========================================================

FTP service can use two possible types of communication between the FTP server and its clients: passive FTP mode and non-passive FTP. Some FTP servers do not support both types.


 * How "non-passive" (or traditional) FTP works

In "non-passive" FTP, the client connects to the server making a control channel. For each data operation, the client tells the server how to connect back to it, specifying the parameters for the data connection (data port, transfer mode, representation type, and structure). The server then uses these parameters to make the data channel.

This type of FTP communication is the same as the model for FTP specified in the Internet standard draft for FTP (RFC 959) and has been traditionally used on all TCP/IP networks in the past.

"Non-passive" FTP is required for all FTP service implementations and is by default the mode of FTP communication used by the Web Proxy service in Microsoft Proxy Server versions 1.0 and 2.0.


 * How Passive FTP differs from "Non-passive" FTP

Passive FTP differs from "non-passive" FTP in that the client is responsible for making all connections with the server, including the initial connecting request and subsequent data channel connections. In this way, passive FTP provides some additional security to the client against malicious attack by an FTP server.
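The difference between the two modes is visible on the control channel. The following added example (not part of the original release notes) walks a control-channel transcript and reports, for each data-channel negotiation, which side opens the TCP connection and therefore whether the client-side firewall must accept an inbound connection from the FTP server. The transcripts and addresses are constructed sample data; the PORT and 227 reply formats are those of RFC 959.

```python
import re
from dataclasses import dataclass

# PORT argument and 227 reply payload share one layout: h1,h2,h3,h4,p1,p2
HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


@dataclass(frozen=True)
class DataChannel:
    mode: str         # "non-passive" or "passive"
    initiator: str    # side that opens the data connection
    listen_addr: str  # address the other side is listening on
    listen_port: int


def decode_hostport(line):
    """Extract (address, port) from a PORT command or a 227 reply."""
    match = HOSTPORT.search(line)
    if not match:
        raise ValueError("no h1,h2,h3,h4,p1,p2 field in %r" % line)
    fields = [int(x) for x in match.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("field out of range in %r" % line)
    addr = ".".join(str(f) for f in fields[:4])
    return addr, fields[4] * 256 + fields[5]


def data_channels(transcript):
    """Return one DataChannel per PORT or PASV negotiation in the transcript.

    transcript is a list of (sender, line) tuples, sender being "client"
    or "server".
    """
    channels = []
    pasv_pending = False
    for sender, line in transcript:
        verb = line.split(" ", 1)[0].upper()
        if sender == "client" and verb == "PORT":
            # Client announces where it listens; the server connects back.
            addr, port = decode_hostport(line)
            channels.append(DataChannel("non-passive", "server", addr, port))
        elif sender == "client" and verb == "PASV":
            pasv_pending = True
        elif sender == "server" and pasv_pending:
            # Only a 227 reply completes the negotiation; any other reply
            # means the server refused passive mode.
            if line.startswith("227"):
                addr, port = decode_hostport(line)
                channels.append(DataChannel("passive", "client", addr, port))
            pasv_pending = False
    return channels


def needs_inbound_rule(channel):
    """True when the client side must accept a connection from the server."""
    return channel.initiator == "server"


# Constructed sample transcripts (addresses are illustrative only).
ACTIVE_SESSION = [
    ("client", "PORT 10,0,0,5,4,1"),
    ("server", "200 PORT command successful."),
    ("client", "RETR readme.txt"),
]
PASSIVE_SESSION = [
    ("client", "PASV"),
    ("server", "227 Entering Passive Mode (192,0,2,10,19,137)"),
    ("client", "RETR readme.txt"),
]

if __name__ == "__main__":
    for name, session in (("active", ACTIVE_SESSION), ("passive", PASSIVE_SESSION)):
        for ch in data_channels(session):
            print(name, ch, "inbound rule needed:", needs_inbound_rule(ch))
```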

Because passive FTP is used on some recently implemented FTP servers on the Internet, Microsoft Proxy Server 2.0 provides support through the Windows NT Registry to enable the Web Proxy service to use passive FTP mode if it is needed. You may also need to support passive FTP for the following reasons:

 * You are using a firewall that cannot allow an inbound connection from the FTP server.

 * You are using third-party FTP applications. Some applications are simpler to configure where passive FTP is used.

To enable Web Proxy support for passive FTP mode, the following registry key can be modified. The entry name, data type, and supported values are as follows:

 * NonPassiveFTPTransfer is type REG_DWORD. The default value for this entry is 1, which uses Sendport (or "non-passive") FTP as the default transfer mode for FTP proxy. If the entry is changed to 0, the Web Proxy service will support FTP proxy with servers that use passive FTP mode. Otherwise, the value should be left to its default value of 1.

This entry is installed by Microsoft Proxy Server to the following Windows NT Registry key path:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3proxy\Parameters

You should exercise caution when making any changes to the Windows NT Registry.

Note: Passive FTP support is not an issue for the WinSock Proxy service which supports both passive and "non-passive" modes of FTP.

==========================================================
SERVER PROXY ISSUES FOR USING EXCHANGE AND DNS
==========================================================

Server proxy allows you to place a server, such as Microsoft Exchange Server using the Internet Mail Connector (IMC) on your private network behind Microsoft Proxy Server. With this configuration, an Exchange Server can provide Internet mail service by using the WinSock Proxy client and relying on features of Proxy Server 2.0 for protection. In addition, the Exchange Server computer will not require an additional registered Internet IP address.


 * How Server Proxy Works

The WinSock Proxy Client allows you to bind services or applications to the external network interface of the server computer running Microsoft Proxy Server. Once a service or application is bound on the external network interface, it is then available to hosts on the Internet. The proxy server will then "listen" for connections on behalf of the service or application.

For example, if you bind an internal SMTP/POP mail server to the proxy server, mail clients or SMTP servers on the Internet would be able to contact this mail server by connecting to the proxy server's Internet IP address. To remote computers on the Internet, these services will appear to be running on the proxy server computer.


 * Setting Up Server Proxy for Exchange Server

>>>To set up server proxy for Exchange Server 5.0:

1. Install and configure Microsoft Proxy Server.

2. Install and test the WinSock Proxy (WSP) Client on the Exchange Server computer by running a WinSock client application.

   Once the WSP Client is working, additional settings are required for server proxy on the Exchange Server. In most cases, you should create specific and local Wspcfg.ini files (instead of making changes in Mspclnt.ini) for the Exchange Server since these settings will not need to be globally applied to all WSP Client users on your network.

3. Place the Wspcfg.ini file in the directory where the application *.Exe file is installed.

   Note: Since Exchange Server has more than one .exe file for Internet mail and each EXE needs to be bound to the proxy, more than one Wspcfg.ini file will be needed.

4. Create a Wspcfg.ini file for use with the Exchange SMTP service. Add the information below to Wspcfg.ini and place this file in the directory where Msexcimc.exe is located.

      [MSEXCIMC]
      ServerBindTcpPorts=25
      Persistent=1
      KillOldSession=1

   Note: The SMTP port (25) on the Exchange Server will then be bound to the proxy server's port 25.

5. Create a second Wspcfg.ini file for the Exchange store (Store.exe). Add the information below to this Wspcfg.ini and place the file in the directory where Store.exe is located.

      [STORE]
      ServerBindTcpPorts=110,119,143
      Persistent=1
      KillOldSession=1

   Note: Additional ports, such as ports 119 and 143 shown above, can be listed since Store.exe provides Network News Transfer Protocol (NNTP) on port 119, POP mail on port 110, etc.

6. If dynamic packet filtering is enabled (recommended), the proxy server will dynamically open all necessary ports when they are requested. No special configuration is needed.

7. Stop and start the Exchange services or reboot the Exchange Server for the new settings to take effect.

8. You should now be able to contact the Exchange server by connecting to the proxy server's Internet IP address using SMTP, NNTP, or POP.


 * Configuring DNS for Server Proxy with Exchange Server

1. Verify that any MX and A resource records used by remote mail servers on the Internet refer to the IP address for the proxy server's external network adapter and not the internal IP address of the Exchange Server or SMTP server itself.

   For example, if your registered Internet domain name is "mydomain.com", and your internal Exchange server uses a DNS host name of "exchange1", you would need to use an MX, or mail exchanger, record to provide other Internet hosts the name of your internal Exchange server. In this case, an MX record added in the "mydomain.com" zone could provide this information as follows:

      mydomain.com               IN MX 10 exchange1.mydomain.com

   You would then need to create an A, or address, record for "exchange1.mydomain.com" that uses an external IP address of the proxy server. If the external IP address of your proxy server were 127.34.56.89, you would add the following A record to the "mydomain.com" zone:

      exchange1.mydomain.com     IN A 127.34.56.89

   In addition, you can add or create a PTR, or pointer, record to the "mydomain.com" zone to provide reverse lookup. A valid PTR record to do this would be:

      89.56.34.127.in-addr.arpa  IN PTR exchange1.mydomain.com

2. The Exchange/SMTP server computer must be configured to resolve external (Internet) names by directly accessing an 'external' DNS server.

   Specify a DNS server on the DNS server search listing of your Exchange/SMTP server computer that can resolve Internet DNS addresses. This DNS server can be a server located on your network, located on your Proxy Server gateway computer, or located externally on the Internet. The IP address of this DNS server must be listed on the same machine running Exchange Server that is used to route mail from your network to the Internet. You may assign the DNS server's IP address to the Exchange Server using either static or dynamic assignment. For static assignment, set the IP address by adding it to "DNS Service Search Order" in TCP/IP Protocol Properties. For dynamic assignment, configure your DHCP server to provide this address by way of the standard DHCP assigned option code 6 (DNS Server List) to your Exchange Server machine. (Note: if your Exchange Server uses DHCP to obtain its IP address, you should reserve this address with the DHCP server for permanent assignment to the Exchange Server computer.)
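The verification in step 1 can be scripted. The following added example (not part of the original release notes) parses zone records in the one-line form shown above, follows each MX record for the domain to its A record, and reports any mail exchanger whose address is inside the Local Address Table or is not the proxy server's external address. The zone text reuses the sample records from step 1; the LAT range, the internal address in the failing zone, and all function names are assumptions made for the example.

```python
from ipaddress import ip_address, ip_network


def parse_records(zone_text):
    """Parse 'name IN TYPE rdata...' lines into (name, type, rdata) tuples."""
    records = []
    for raw in zone_text.splitlines():
        fields = raw.split(";", 1)[0].split()  # drop comments
        if len(fields) < 4 or fields[1].upper() != "IN":
            continue
        name, _, rtype, *rdata = fields
        records.append((name.rstrip(".").lower(), rtype.upper(), rdata))
    return records


def check_mail_records(zone_text, domain, proxy_external_ip, lat_ranges):
    """Return a list of findings; an empty list means the records are correct."""
    records = parse_records(zone_text)
    domain = domain.rstrip(".").lower()
    external = ip_address(proxy_external_ip)
    lat = [ip_network(r) for r in lat_ranges]

    # Map each host name to the addresses published for it.
    a_records = {}
    for name, rtype, rdata in records:
        if rtype == "A":
            a_records.setdefault(name, []).append(ip_address(rdata[0]))

    # MX rdata is "<preference> <exchanger>".
    exchangers = [
        rdata[1].rstrip(".").lower()
        for name, rtype, rdata in records
        if rtype == "MX" and name == domain and len(rdata) >= 2
    ]

    findings = []
    if not exchangers:
        findings.append("%s: no MX record" % domain)
    for host in exchangers:
        addrs = a_records.get(host, [])
        if not addrs:
            findings.append("%s: MX target has no A record" % host)
        for addr in addrs:
            if any(addr in net for net in lat):
                findings.append(
                    "%s: A record %s is an internal (LAT) address" % (host, addr))
            elif addr != external:
                findings.append(
                    "%s: A record %s is not the proxy external address %s"
                    % (host, addr, external))
    return findings


# Sample records from step 1 of the procedure above.
GOOD_ZONE = """
mydomain.com               IN MX 10 exchange1.mydomain.com
exchange1.mydomain.com     IN A 127.34.56.89
89.56.34.127.in-addr.arpa  IN PTR exchange1.mydomain.com
"""

# Constructed failing case: the A record publishes the Exchange server's
# internal address (10.0.0.25 is an assumed value for illustration).
BAD_ZONE = """
mydomain.com               IN MX 10 exchange1.mydomain.com
exchange1.mydomain.com     IN A 10.0.0.25
"""

ASSUMED_LAT = ["10.0.0.0/8"]  # constructed LAT contents

if __name__ == "__main__":
    for label, zone in (("good", GOOD_ZONE), ("bad", BAD_ZONE)):
        print(label, check_mail_records(zone, "mydomain.com", "127.34.56.89", ASSUMED_LAT))
```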

==========================================================
PACKET FILTERING SLOWS PERFORMANCE IF SERVER USES IDENTD
==========================================================

If packet filtering is enabled, outbound access to servers (SMTP, FTP, IRC, etc.) can suffer slow performance if the remote server on the external network is running the Identification protocol (Identd) service.

To correct performance problems in this situation, activate the predefined "Identd" packet filter on Microsoft Proxy Server.

==========================================================
ADDITIONAL NOTES ON CONFIGURING PACKET FILTERS
==========================================================

The "Local Host" selection box in Packet Filter properties is used to select the local host computer that will exchange packets with a remote host computer. When configuring the "Local Host" selection box in the Packet Filter properties dialog box, please note the following:

 * To allow any IP address assigned to an external interface of the Proxy Server computer to exchange packets, click "Specific Proxy IP" and enter 0.0.0.0 for the IP address.

 * Also, if the "Internal computer" field in the same dialog is selected, the IP address entered in this field should be excluded from the proxy server's Local Address Table (LAT). For more information on how to change the LAT, see "Administration"-->"Setting Server Parameters"-->"Changing the LAT" in the on-line documentation.

==========================================================
ADMINISTERING ARRAYS
==========================================================

You should only administer one member of an array at a time. This ensures that array synchronization performs correctly and is simpler from an administrative standpoint.

==========================================================
REGISTRY ENTRIES FOR ARRAYS
==========================================================

There are two registry keys for Proxy Server that you can create that are not documented. These keys can be used to change the default ping timeout value and the number of communication attempts used in an array. The entry names, data types, and default values are as follows:

 * MaxPingTries is type REG_DWORD. The default value when this entry is absent is 3.

 * PingTimeout is type REG_DWORD. The default value when this entry is absent is 500 (milliseconds).

You can create these entries using the Registry Editor. The entries must be installed to the following Windows NT Registry key path:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Mspadmin\Parameters

You should exercise caution when making any changes to the Windows NT Registry.

==========================================================
REGISTRY ENTRY FOR DISABLING SOCKS PROXY
==========================================================

The following registry key can be modified for Microsoft Proxy Server to disable the Socks Proxy service if Socks service is not used on your network.

The entry name, data type, and supported values are as follows:

 * SocksServiceEnabled is type REG_DWORD. The default value for this entry is 1, which is enabled. A value of 0 indicates the service is disabled.

   If the entry is changed to 0, the Socks Proxy service is fully disabled on the server computer. Microsoft Proxy Server will not start the Socks Proxy service automatically at system boot. Also, the service cannot be started manually using Microsoft Proxy Server administrative tools (such as Internet Service Manager or Remotmsp.exe) until the value is reset to a value of 1.

This entry is installed by Microsoft Proxy Server to the following Windows NT Registry key path:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3proxy\Parameters\Socks

You should exercise caution when making any changes to the Windows NT Registry.

==========================================================
REMOTE USE OF SYSTEM SERVICES WITH WINSOCK PROXY
==========================================================

In general, most Windows NT system services are disabled from remote use by WinSock Proxy when Microsoft Proxy Server is installed. If you are attempting to proxy a system service application, you may have problems establishing a remote WinSock Proxy connection if the service was started prior to the NtLmSsp service during system boot.

If you are attempting to use a Windows NT system service to access the Internet or another external network, be sure that the NtLmSsp service is started first. You may either adjust the order in which the service starts automatically during system boot to start after the NtLmSsp service has started, or manually start the service after the boot process is complete and the NtLmSsp service has already started.

Another solution is to use the SC.EXE utility included in the Windows NT Resource Kit to make the service that you want 'remoted' be dependent on the NtLmSsp service:

To create a service dependency, use the following command:

   SC \\MyMachineName CONFIG MyServiceName DEPEND= ntlmssp

(don't omit the space after the =)

To query a service dependency:

   SC \\MyMachineName QC MyServiceName

==========================================================
SETTING AUTODISCONNECT FOR AUTO DIAL
==========================================================

When using either Remote Access Service (RAS) or Routing and Remote Access Service (RRAS) for automated dial-up with Auto Dial, the following procedure should be used for applying dial-up connection settings that determine when a connection automatically disconnects after remaining idle.

To set autodisconnect properly for a RAS or RRAS phonebook entry:

1. Locate the phonebook file (typically, this file is located in %SystemRoot%\System32\Ras\Rasphone.pbk) and open it using a text editor, such as Notepad.

2. Find the section specific to the dialing entry used for Auto Dial connection by Microsoft Proxy Server. (Note: each section in the phonebook file has a separate heading in the form of [Phonebook Entry].)

3. Find the value for "IdleDisconnectSeconds". In most cases, the value is typically set to 0. Increase the value to a number of seconds of your choosing that will be used to timeout and automatically disconnect if the line remains idle.

4. Check to see if an option for "OverridePref" is included in the dialing entry section. If this option exists, set the value to 4. (Note: if this value does not exist, do not add it.)

5. Save the file, Rasphone.pbk, and close your text editor application.

Note: There is no need to reboot after applying the previous changes. RAS or RRAS will use your revised settings the next time dialing occurs.

In general, it is recommended that you disable WINS client bindings for the dial-up adapter when using Auto Dial with Microsoft Proxy Server. If you require the use of NetBIOS on the dial-up adapter and decide not to disable bindings on the dial-up adapter for WINS client, you will also need to stop the computer's Browser service.

To stop the Browser service, use the following two commands:

NET STOP BROWSER
NET CONFIG SRV /HIDDEN

Also, you will need to disable the Computer Browser to prevent the service from restarting when the computer is rebooted.

To disable the Computer Browser service:

1. Open Control Panel, select Services.

2. Click "Services."

3. Select "Computer Browser" from the list of services.

4. Click "Startup."

5. In "Startup Type", click "Disabled", then click "OK."

6. Click "Close."

==========================================================
WEB BROWSERS THAT SUPPORT SOCKS V4.3 DO NOT PROXY DNS LOOKUPS
==========================================================

In the on-line documentation, under "Administration"-->"Administering Clients"-->"Configuring Web Proxy Client Applications", the following note text is incorrect:

"Note: The Socks Proxy service supports the SOCKS 4.3a standard, which specifies name resolution. Web browsers do not use this feature. They require instead that name resolution of Internet addresses is available on the client computer. If you are running a Web browser as a Socks client on a non-Windows client platform, you need to provide a DNS proxy server to your clients for name resolution. The DNS proxy server resolves names by forwarding client requests to a server on the Internet."

It should be corrected to read:

"The Socks Proxy service supports the SOCKS 4.3a standard, which specifies name resolution. Many Web browsers, including Microsoft Internet Explorer 3.02 and 4.0 and Netscape Navigator 3.0 do not use this feature. Instead, these browser applications, when configured to use a Socks server, require that DNS name resolution of Internet addresses be available on the client computer."

"If you are running one of these Web browser applications as a Socks client on a non-Windows client platform, you need to provide a DNS server for these clients to use for their resolution of external DNS names. In this situation, there are two possible methods for implementing DNS service for these clients:"

"1) Install a DNS server, such as Microsoft DNS Server, on the proxy server computer. You can then configure TCP/IP or DNS properties on your Socks client machines to point at the internal IP address of the proxy server as one of their listed DNS servers. This is the recommended configuration for providing DNS service to Socks clients on your internal network."

"2) As an alternative, you may point Socks clients towards a DNS server on your internal network that has been enabled to provide forwarding to the Internet for DNS name resolution. This configuration is not recommended as it requires that Microsoft Proxy Client software first be installed on your internal DNS server, and may require additional reconfiguration of your internal DNS server to use forwarding to an external DNS server on the Internet."
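Whether a Socks client depends on local DNS can be read from its CONNECT request. The following added example (not part of the original release notes) builds both request forms and classifies a captured request by who performs name resolution. It assumes that the name-resolution feature the note calls "SOCKS 4.3a" is the request layout commonly documented as SOCKS4a, in which the destination address is 0.0.0.x (x nonzero) and the host name follows the user ID; function names and sample targets are constructed for the example.

```python
import struct
from ipaddress import IPv4Address

SOCKS_VERSION = 4
CMD_CONNECT = 1


def build_socks4_connect(dst_ip, port, user=b""):
    """Plain SOCKS4: the client has already resolved the name to dst_ip."""
    header = struct.pack("!BBH4s", SOCKS_VERSION, CMD_CONNECT, port,
                         IPv4Address(dst_ip).packed)
    return header + user + b"\x00"


def build_socks4a_connect(hostname, port, user=b""):
    """SOCKS4a: placeholder address 0.0.0.1, host name sent to the proxy."""
    header = struct.pack("!BBH4s", SOCKS_VERSION, CMD_CONNECT, port,
                         b"\x00\x00\x00\x01")
    return header + user + b"\x00" + hostname.encode("ascii") + b"\x00"


def classify_request(data):
    """Decode a CONNECT request and report which side resolves the name."""
    if len(data) < 9:
        raise ValueError("request truncated")
    version, command, port, raw_ip = struct.unpack("!BBH4s", data[:8])
    if version != SOCKS_VERSION:
        raise ValueError("not a SOCKS version 4 request")
    if command != CMD_CONNECT:
        raise ValueError("not a CONNECT request")

    user, terminator, rest = data[8:].partition(b"\x00")
    if not terminator:
        raise ValueError("user ID is not NUL-terminated")

    # 0.0.0.x with x != 0 signals that a host name follows the user ID.
    if raw_ip[:3] == b"\x00\x00\x00" and raw_ip[3] != 0:
        host, terminator, _ = rest.partition(b"\x00")
        if not terminator or not host:
            raise ValueError("host name missing or not NUL-terminated")
        return {"variant": "SOCKS4a", "resolver": "proxy",
                "target": host.decode("ascii"), "port": port,
                "user": user.decode("ascii")}

    return {"variant": "SOCKS4", "resolver": "client",
            "target": str(IPv4Address(raw_ip)), "port": port,
            "user": user.decode("ascii")}


if __name__ == "__main__":
    # Constructed sample requests (documentation address and example name).
    for req in (build_socks4_connect("192.0.2.80", 80, b"alice"),
                build_socks4a_connect("www.example.com", 80, b"alice")):
        print(req.hex(), classify_request(req))
```

A request classified with resolver "client" comes from an application that needs working DNS on the client computer, which is the case the corrected note describes.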

=
========================================================= USING ROUTING AND REMOTE ACCESS SERVICE (RRAS)

=
=========================================================

Routing and Remote Access Service (RRAS) can be used along with Microsoft Proxy Server to provide a secure enterprise internetworking solution.

>>> Required RRAS hotfix

In order to run RRAS and Proxy Server v2.0 on the same computer, you must install a required RRAS hotfix. This hotfix resolves issues associated with reliable, secure integration between RRAS and Proxy.

To download the corrected file, connect to:

http://www.microsoft.com/downloads/details.aspx?familyid=EB1993D6-EF01-44ED-9D1A-21F9B4689BC2&displaylang=en

>>> Recommended configurations

This section addresses several common configurations and outlines recommended configurations for interworking both RRAS and MSP 2.0 on your network.


 * Departmental server running RRAS and MSP 2.0

A departmental server on an internal network (typically with only one network interface) should have packet filtering turned off.


 * Edge server connecting to the Internet running RRAS and MSP 2.0

This configuration involves the MSP 2.0 server computer using two network adapters (one for the internal interface, one for the external interface). For the internal interface, a network adapter card is needed. For the external interface, either a network adapter card or a modem can be used.

An edge server in this configuration should have MSP packet filtering turned on, with the MSP 2.0 predefined packet filters activated and no additional custom packet filters configured.


 * Edge server with "Extranet" or barrier LAN segment

An edge server in this configuration requires a third network adapter to be installed on the MSP 2.0 server computer to interface to the Extranet LAN segment (sometimes referred to as a DMZ network). The Local Address Table (LAT) on the server must not include IP addresses used on the Extranet LAN.

Typically, routing is enabled between the external network and the Extranet LAN, and computers on the Extranet network with registered IP addresses can communicate directly with Internet computers. RRAS can be used to configure routing for each interface.

All communication between the Extranet LAN and the internal network should be done using Microsoft Proxy Server services (Web Proxy, WinSock Proxy, Socks Proxy). Where this configuration is applied, WinSock servers can also be remoted by means of configuration in the Wspcfg.ini file using application-specific settings.

For more information on configuring these settings, see "Administration"-->"Administering Clients"-->"Configuring WinSock Proxy Client Applications" in the on-line documentation.

Note: As an alternative, you can use RRAS instead for communication between the internal LAN and the Extranet LAN segments. This can be done by way of "Enabling IP Forwarding", eliminating the need to use MSP 2.0 services for proxy communication. However, this configuration is not preferred.
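The requirement above that the LAT must not include Extranet LAN addresses can be checked mechanically. The following is an added example, not part of the original release notes; it assumes LAT entries are available as (start, end) address pairs, and the function name and all addresses are constructed for illustration.

```python
import ipaddress

def _ip(n):
    """Convert an integer back to dotted-quad form."""
    return str(ipaddress.IPv4Address(n))

def audit_lat(lat_ranges, extranet_cidr):
    """Return (conflicts, corrected).

    conflicts: the parts of LAT ranges that fall inside the Extranet subnet.
    corrected: the LAT with the Extranet subnet carved out of every range.
    """
    net = ipaddress.ip_network(extranet_cidr)
    lo, hi = int(net.network_address), int(net.broadcast_address)
    conflicts, corrected = [], []
    for start, end in lat_ranges:
        s = int(ipaddress.IPv4Address(start))
        e = int(ipaddress.IPv4Address(end))
        if s > e:
            raise ValueError(f"range start after end: {start} - {end}")
        if e < lo or s > hi:
            corrected.append((start, end))       # no overlap, keep as-is
            continue
        conflicts.append((_ip(max(s, lo)), _ip(min(e, hi))))
        if s < lo:                                # keep the part below the subnet
            corrected.append((_ip(s), _ip(lo - 1)))
        if e > hi:                                # keep the part above the subnet
            corrected.append((_ip(hi + 1), _ip(e)))
    return conflicts, corrected

if __name__ == "__main__":
    # Constructed sample: the second LAT range wrongly covers the Extranet LAN
    lat = [("10.0.0.0", "10.255.255.255"), ("198.51.100.0", "198.51.100.255")]
    bad, fixed = audit_lat(lat, "198.51.100.128/25")
    print("conflicts:", bad)
    print("corrected LAT:", fixed)
```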

=
========================================================= Logging to an Access Database

=
=========================================================

In the on-line documentation, under "Administration"-->"Configuring Logs"-->"Logging to a Database", there is an error in the description of creating an Access Table. Here are the updated instructions:

Creating an Access Database Table

You can use the database template files, Msp.sql and Pf.sql, to create a database table in Microsoft SQL Server or Microsoft Access. In order to create a database table in Microsoft Access using a database template file, implement the following procedure:

1. Rename the database template file with a TXT file extension and open the file in a text editor, such as Microsoft Notepad. The database template files are located in: %systemroot%\help\proxy\misc.

2. Start Access and open the database you previously created for Proxy Server logging.

3. On the "Queries" tab, click "New" to create a new query.

4. In the "New Query" dialog box, click "Design View", and then click "OK."

5. Click close on the "Show Table" dialog.

6. Click "SQL View" on the View menu, and then delete any text present in "Query."

7. Copy and paste the entire contents of the file previously opened in Notepad in "Query", click "Save" and then click "OK."

8. Double-click the query you just saved. Click "Yes" in any pop-up message boxes.

Rename the Access table to use it with a particular Proxy Server service.

=
========================================================= ACKNOWLEDGMENTS

=
=========================================================

Information in this document is subject to change without notice. Companies, names, and data used in examples herein are fictitious unless otherwise noted. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Microsoft. Permission to print one copy for personal use is hereby granted if your only means of access is electronic.

Microsoft may have patents or pending patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. The furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property rights except as expressly provided in any written license agreement from Microsoft.

(c)1997 Microsoft Corporation. All rights reserved.

Microsoft, MS, Windows, and Windows NT are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

Other product and company names mentioned herein may be the trademarks of their respective owners.

Additional query words: readme.txt

Keywords: kbreadme KB174922
