MCSE STUDY GUIDE_ Proxy Server 2.0 Exam 70-88

Shared by: Tran Nhu | Date: | File type: PDF | Pages: 25



Document description

A Proxy Server has one network card for the private internal network and it has another network adapter with which to connect to the Internet. This adapter may be another network card or it may be an ISDN adapter. The Proxy Server is the only computer in the network attached to both internal and external networks.


Text content: MCSE STUDY GUIDE_ Proxy Server 2.0 Exam 70-88

Troy Technologies USA
MCSE STUDY GUIDE
Proxy Server 2.0
Exam 70-88
Congratulations!! You have purchased one of the Troy Technologies USA MCSE Study Guides. This study guide consists of a selection of questions and answers very, very similar to the ones you will find on the official MCSE exam. All you need to do is study and memorize the following questions and answers... and you will be ready to take the exam. Remember, we guarantee it! Average study time is 10 to 12 hours. Then you are ready. GOOD LUCK!

Guarantee

Should you use this study guide and still fail the appropriate MCSE exam, then send your original of the official score notice, along with your mailing address, to:

Troy Technologies USA
11134 Hunter Oaks
San Antonio, TX 78233

We will gladly refund the full cost of this study guide. However, you are not going to need this guarantee if you follow the above instructions.

© Copyright 1998 Troy Technologies USA. All Rights Reserved.
Further Suggested Reading for Microsoft Certified System Engineer

• Exam Cram, MCSE Windows 2000 Network: Exam 70-216 (Exam Cram) by Hank Carbeck, et al. Paperback (September 28, 2000)
• MCSE Windows 2000 Accelerated Study Guide (Exam 70-240) (Book/CD-ROM package) by Tom Shinder (Editor), et al. Hardcover (October 6, 2000)
• MCSE 2000 JumpStart: Computer and Network Basics by Lisa Donald, et al. Paperback (April 2000)
• MCSE: Windows 2000 Network Infrastructure Administration Exam Notes by John William Jenkins, et al. Paperback (September 19, 2000)
• Public Key Infrastructure Essentials: A Wiley Tech Brief - Tom Austin, et al; Paperback
• Planning for PKI: Best Practices Guide for Deploying Public Key Infrastructure - Russ Housley, Tim Polk; Hardcover
• Digital Certificates: Applied Internet Security - Jalal Feghhi, et al; Paperback
• IPsec: The New Security Standard for the Internet, Intranets, and Virtual Private Networks - Naganand Doraswamy, Dan Harkins; Hardcover
• A Technical Guide to IPsec Virtual Private Networks - Jim S. Tiller, James S. Tiller; Hardcover
• Big Book of IPsec RFCs: Internet Security Architecture - Pete Loshin (Compiler); Paperback
• MCSE Windows 2000 Core 4 for Dummies: Exam 70-210, Exam 70-215, Exam 70-216, Exam 70-217
Proxy Server Concepts

The primary function of Microsoft Proxy Server is to act as a gateway to and from the Internet. Clients connect to Proxy Server when they make a request for resources located on the Internet. Proxy Server gets the resource and returns it to the client. The Server can also allow selected computers or protocols to access the internal network. Since you are only presenting one IP address to the Internet, Proxy Server effectively hides your internal network.

A Proxy Server has one network card for the private internal network and another network adapter with which to connect to the Internet. This adapter may be another network card or it may be an ISDN adapter. The Proxy Server is the only computer in the network attached to both internal and external networks.

Microsoft Proxy Server consists of three different services: Web Proxy, WinSock Proxy, and SOCKS Proxy.

Web Proxy Service

The Web Proxy service runs as a service on a Windows NT Server. It runs as an extension to IIS 3.0 or higher. You must have IIS installed on your NT server in order for the Web Proxy service to run. Clients contact the Web Proxy service, and it contacts other Web servers on behalf of the client and then relays the information back. The Web Proxy service supports Hypertext Transfer Protocol (HTTP) and File Transfer Protocol (FTP) for computers on the local LAN.

Caching

The Web Proxy service maintains a local copy of HTTP and FTP objects on a local hard disk. This is called caching. Not all objects are cached. Some objects change frequently, even each time they are accessed, so caching them is a waste of processing time. Some objects have a security context and are not cached for security reasons. The Proxy Server performs two types of caching: passive caching and active caching.

Passive Caching

Passive caching is the method used most. It is also known as on-demand caching because it is available on demand when the client makes the request.

In a network that does not have a Proxy Server, the client contacts the Web server on the Internet. The Web server responds to the request and sends the requested objects directly back to the client. Proxy Server sits in the middle of this process. The Proxy client contacts Proxy Server with the request. Proxy Server goes to the Internet with the request and retrieves the requested object. It caches that object. If you, or any other client, requests the object again, Proxy Server gets the object from the local cache rather than from the Web server on the Internet.

In order to ensure that the cached information is still current, several techniques are used. One technique is to set an expiration time on the object. This expiration time is known as the time to live (TTL). When a client requests an object that is cached, Proxy Server checks the TTL to determine if the requested object is still valid. If the TTL has not expired, then the object is returned to the client. If the TTL has expired, then Proxy Server goes out to the Internet and retrieves the object, and the TTL process begins again.
In order to manage disk space, Proxy Server deletes older cached objects to make room for new ones when the disk becomes too full.

Active Caching

Active caching supplements passive caching. The intent of active caching is to maximize the probability that an object will be in the local cache when the client requests the object from Proxy Server. To accomplish this, Proxy Server will automatically retrieve objects from the Internet. It chooses objects by considering such factors as:

Frequency of request - Objects that are more frequently requested are kept in the cache. If the TTL on one of these objects expires, a new object is requested.
Time-To-Live - Objects having a greater TTL are better to cache than objects with shorter TTLs. In other words, if an object has a short TTL and is seldom requested, it is not advantageous to cache it because the TTL will have expired by the time the next request arrives.
Server Activity - Proxy Server seeks to cache more objects during times of low activity than it does during periods of high activity.

WinSock Proxy Service

The WinSock Proxy service works with Windows-based client computers. The WinSock Proxy service allows WinSock applications to run remotely. This service is a client/server process that runs only on a Windows NT 4.0 Server running Proxy Server. It allows client applications to run as if they are directly connected to the Internet.

Local Address Table (LAT)

The function of the LAT is to define the IP addresses on the internal network. Network addresses not contained in the LAT are considered external addresses. The LAT entries are pairs of IP addresses. Each pair defines an address range. This address range can be an entire network ID or a single IP address. The LAT is built when you install Proxy Server. The LAT is generated from the Windows NT Server routing table. This method may not record all the addresses of the internal networks. You may have subnets that need to be added. There may also be external network addresses that need to be removed. It is important to remove external network addresses from the LAT.

When you install the Proxy client, the Setup program installs a file named msplat.txt. This file is installed in the \mspclnt folder. The file contains the LAT. The contents of this file are identical to the LAT on the server. To keep this file consistent, the server regularly updates the msplat.txt file on the client. When a WinSock application needs to establish a connection using an IP address, the msplat.txt file is consulted to determine if the requested IP address is internal or external. If the address is listed in the msplat.txt file, then it is considered to be on the internal network and the connection with the resource is made directly. If the address is not listed, then it is considered to be on an external network and the connection is made through the Proxy Server.

If the LAT at the server does not contain all of the internal network addresses, you can modify the msplat.txt at the client to include the other internal network addresses. However, these address modifications are lost when the server periodically sends the LAT update to the client. To overcome this, you can create a custom LAT for the client using a text editor. You add the additional address pairs that are on the internal network so that the client recognizes them as part of the internal network. You then save the file in the \mspclnt folder. The file must be named Locallat.txt. The WinSock client checks both files, if they are present, for local IP addresses.

TCP/IP and IPX/SPX

There are several important points you need to know about using the TCP/IP or IPX/SPX protocols and the WinSock Proxy service. When you are using TCP/IP on your LAN and an application wants to communicate with a server, that server may be local or remote to the application. Based on the addresses contained in the LAT, the application can tell if the requested server is local or remote. If the address is local, the client forwards the request directly. If the address is not local, then the WinSock Proxy service is involved.

If your LAN is running the IPX/SPX protocol, the scenario changes. In this case, the WinSock Proxy service is also acting as a protocol gateway. It converts the IPX/SPX protocol to the TCP/IP protocol and back again. Since you are not running TCP/IP, there is no LAT table to be downloaded to the WinSock Proxy client at installation time. Since there are no TCP/IP hosts on the local network, all attempts to connect to a TCP/IP host are considered requests for a remote host and are processed according to those rules.

SOCKS Proxy Service

The SOCKS Proxy service is a cross-platform mechanism used to establish secure communications between the server and non-Windows based clients like UNIX and Macintosh. This service allows for transparent access to the Internet using Proxy Server. This service does not support applications that use UDP, nor does it support the IPX/SPX protocol.

Implementation

Microsoft lists three environments to consider when implementing Proxy Server: Small, Medium, and Large networks.

Network   Clients served per Proxy Server
Small     1 - 200
Medium    201 - 2000
Large     2001 and higher

Multiple Proxy Servers

You configure multiple Proxy Servers in your organization to support two objectives: redundancy and load sharing. Having more than one Proxy Server allows you to have multiple gateways to the Internet. Designing a plan to share the load among the gateway computers is an important issue. You can configure this load sharing in several ways:

Load sharing using DNS
Load sharing using WINS
Load sharing using multiple Proxy Servers

For clients using the Web Proxy service, you can configure the clients to use a specific Proxy Server or you can configure them to use all Proxy Servers. For clients using the WinSock Proxy service, you must configure them to use a specific Proxy Server.
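The LAT lookup described above (msplat.txt plus an optional Locallat.txt), as an added example that is not from the study guide or from Microsoft's client software. It assumes each LAT line is a whitespace-separated pair of dotted-quad addresses giving the low and high end of an inclusive range, and, for the "no external addresses in the LAT" check, that the internal network uses only private (RFC 1918) address space.

```javascript
// Added example: how a WinSock Proxy client decides "internal or external"
// from the LAT. Not Microsoft's code; the file syntax (one low/high pair
// per line) is an assumption beyond the guide's "pairs of IP addresses".

// Constructed msplat.txt as pushed down from the server.
const MSPLAT_TXT = [
  "10.0.0.0\t10.255.255.255",     // a whole network ID
  "192.168.10.50\t192.168.10.50", // a single host
].join("\n");

// Constructed Locallat.txt written by an administrator for a subnet the
// server-side LAT missed; it survives LAT refreshes because it is a separate file.
const LOCALLAT_TXT = "172.16.4.0\t172.16.4.255\n";

// Dotted quad -> unsigned 32-bit integer, rejecting malformed input.
function ipToInt(ip) {
  const parts = ip.trim().split(".");
  if (parts.length !== 4) throw new Error("bad IPv4 address: " + ip);
  return parts.reduce((acc, p) => {
    const n = Number(p);
    if (!Number.isInteger(n) || n < 0 || n > 255) throw new Error("bad octet in " + ip);
    return acc * 256 + n;
  }, 0);
}

// Parse a LAT file into [low, high] integer ranges, ignoring blank/comment lines.
function parseLat(text) {
  const ranges = [];
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith(";") || line.startsWith("#")) continue;
    const [lo, hi] = line.split(/\s+/);
    if (hi === undefined) throw new Error("LAT line is not an address pair: " + line);
    const a = ipToInt(lo), b = ipToInt(hi);
    ranges.push(a <= b ? [a, b] : [b, a]);
  }
  return ranges;
}

// The client consults msplat.txt and, if present, Locallat.txt; an address in
// either file is internal (direct connection), anything else goes via the proxy.
function buildLat(msplat, locallat) {
  return parseLat(msplat).concat(locallat ? parseLat(locallat) : []);
}

function isInternal(lat, ip) {
  const n = ipToInt(ip);
  return lat.some(([lo, hi]) => n >= lo && n <= hi);
}

function routeFor(lat, ip) {
  return isInternal(lat, ip) ? "DIRECT" : "WINSOCK_PROXY";
}

// Defender's check: the guide warns never to put external addresses in the LAT.
// Assumption for this check only: internal addressing is RFC 1918 space.
const PRIVATE_BLOCKS = [
  [ipToInt("10.0.0.0"), ipToInt("10.255.255.255")],
  [ipToInt("172.16.0.0"), ipToInt("172.31.255.255")],
  [ipToInt("192.168.0.0"), ipToInt("192.168.255.255")],
];

// Returns every LAT range that is not wholly inside a private block.
function latEntriesOutsidePrivateSpace(lat) {
  return lat.filter(([lo, hi]) =>
    !PRIVATE_BLOCKS.some(([plo, phi]) => lo >= plo && hi <= phi));
}

// Demonstration when run stand-alone.
const lat = buildLat(MSPLAT_TXT, LOCALLAT_TXT);
console.log(routeFor(lat, "10.20.30.40"));              // DIRECT
console.log(routeFor(lat, "172.16.4.9"));               // DIRECT (from Locallat.txt)
console.log(routeFor(lat, "172.16.5.9"));               // WINSOCK_PROXY
console.log(latEntriesOutsidePrivateSpace(lat).length); // 0
```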
Load Sharing Using DNS

DNS servers are responsible for providing host name-to-IP address resolution. Before the Web browser can establish the session with the Web server, it must have its IP address. If you are using multiple Proxy Servers, you can configure DNS so that it distributes the workload of the servers by supplying a different IP address for each successive request.

Suppose you have information that is accessed heavily by users and that information is on three different Web servers. Clients access that information using the URL, but since the URL contains the host name and each of the three servers has a different host name, each client needs to specify a different URL. This is undesirable because you want all clients to specify a single URL. This process needs to be transparent to the user.

The Microsoft DNS server supports a process known as round robin. This process balances the workload of the servers, in this case the three Web servers. To do this, you must create an alias that points to multiple IP addresses. This alias record is a CNAME record entry in your DNS server file. DNS gives the client the IP address of the first host in the list. DNS then moves that host to the bottom of the list. When the next request arrives, DNS gives the IP address of the second server, now at the top of the list, and moves that server name to the bottom of the list, and so on. In this manner, each host receives an equal share of client requests and the process is transparent to the user.

Load Sharing Using WINS

If you are using Windows and the TCP/IP protocol, then you should have at least one WINS server deployed. WINS is Microsoft's implementation of an RFC NetBIOS Name Server. WINS serves a similar but different function than DNS. DNS resolves FQDNs (Fully Qualified Domain Names) to IP addresses. WINS resolves NetBIOS names to IP addresses. All Microsoft operating systems rely on NetBIOS for their networking.

You can use WINS in the same manner as you use DNS to share the load of your Proxy Servers. You create a static entry in your WINS server table for the Proxy Server alias and map it to multiple IP addresses.

Load Sharing Using WinSock Proxy

You install the WinSock Proxy client from a Proxy Server. The client then attaches to and uses the WinSock Proxy service of the Proxy Server from which the client was installed. To balance the workload of the WinSock Proxy services, configure each client from a different Proxy Server. This distributes the load among the Proxy Servers in the organization.

Distributed Caching

You can configure caching to be distributed among multiple Proxy Servers in the organization. This improves both active and passive caching. You distribute the cached objects and provide for fault tolerance if one Proxy Server fails or becomes unavailable. Distributed caching is implemented by one of two methods, or by combining both: chaining or arrays.

Chaining

Using Proxy Server to route to another proxy server is a technique that involves a process called upstream routing. By configuring upstream routing, a Web Proxy client request can be routed to an upstream Proxy
Server, to a Proxy Server array, or directly to the Internet. The term "upstream," from a data-flow point of view, refers to being closer to the Internet. This technique is also known as chaining. You can also specify a backup route to use in the event that the upstream proxy server is unavailable. The backup route is fully functional and provides for automatic transfer transparently. From time to time, the primary-route Proxy Server is queried to see if it is available. When the primary Proxy Server is available, the primary route is re-established automatically.

Proxy Server Array

An array is a group of Proxy Servers bound together by an array name. Proxy Servers in an array are administered as a single unit. Configuring an array provides for load sharing, fault tolerance, and easier administration. Arrays can be useful in branch offices, in networks that are too large to be serviced by a single Proxy Server, and for consolidating multiple Internet connections. You must create an array. You do this from the Internet Service Manager (ISM). An array is common to all Proxy services. Each Proxy Server maintains a list of which members of the array are available and which members are not available. Each individual member in the array uses a hash to make routing decisions. A hash is a mathematical algorithm used for routing decisions. The configuration for a single array member may be propagated and synchronized to all members of the array. The following parameters are propagated when auto-synchronization is enabled:

Advanced caching options
Client configuration files
Domain filters
LAT
Logging information
Publishing information
Upstream routing options
Web Proxy user permissions
WinSock protocol definitions

Cache Array Routing Protocol (CARP)

Proxy Server 2.0 supports the Cache Array Routing Protocol (CARP). This is an enhancement of the Internet Cache Protocol (ICP). The purpose of this protocol is to allow a proxy server to query other proxy servers to see if those servers have cached copies of requested objects before the proxy server goes to the Internet for the object. CARP expands on the ICP protocol in several ways. CARP uses a "queryless" hash-based algorithm. The hash-based routing results in the URL being resolved to the same Proxy Server. This means there is single-hop resolution for the requested object. CARP becomes faster the more Proxy Servers are added. This is because the location of each cached object is known within the array, unlike ICP, which must query for each requested object. CARP prevents multiple servers from caching the same object. This makes the CARP array much more efficient than an ICP array.

Client Installation

When you install Proxy Server, the Setup Wizard creates the \msp\clients folder. Client software utilities are installed in their respective folders. For example, the Alpha folder contains Alpha-specific files and
the I386 folder contains the Intel-specific files. The Setup Wizard also shares \msp\clients as a share called mspclnt. You have to install the WinSock client software on the client computers. The client setup program configures the computer to be a client of the WinSock Proxy service on the server where the setup was initiated. Also, as part of the installation, the Web browser is configured as a client of the Web Proxy service.

You can start the client setup program using one of two techniques. You can connect to the UNC \\server_name\mspclnt and run the client setup program. Or, you can use a browser, such as Internet Explorer, point it to http://computer_name/msproxy, and click Install WinSock Proxy 2.0 client. If you are installing the client on a Web server, the setup program stops the Web service while the installation is in progress.

The Mspclnt.ini file contains configuration information about the client. This is a text file and can be edited with any text editor. By default, the client configuration file is downloaded to the client each time a client computer is restarted and is updated every six hours after an initial refresh. When a refresh occurs, the order of server share paths listed in the [Master Config] section of Mspclnt.ini is used to determine the location of updated configuration files. At least one entry must be present. Entries are tried in the order listed. Additional path listings are tried only in the event that preceding paths are not available. For Mspclnt.ini changes made on the server to be reflected on a client, you either have to manually update the WinSock Proxy client or wait for the client to be automatically updated. Keep in mind that if you change the client's Mspclnt.ini file and want the changes to remain, you should also modify the file on the server as well.

Using JavaScript

When a Web browser client is started, you can specify that a client configuration script be downloaded to the client computer. This configuration script is written in JavaScript and is located on the Proxy Server computer for that client computer. Remember, every client contacts a specific Proxy Server. The script is downloaded to the browser on the client computer and is executed against every URL that the browser requests. The output of the script is an ordered list of Proxy Servers that is used by the browser to retrieve the object specified by the URL. This can reduce some of the routing work performed by the Proxy Server array.

Access Control

Outbound Access

You can allow your clients complete access to the Internet or you can control what they access. Microsoft Proxy Server provides several methods for controlling outbound access. These methods allow you to configure as granular a level of control as you require in order to determine what your clients can and cannot access on the Internet. There are three primary methods for configuring outbound access: controlling access by Internet service, controlling access by IP parameters, and controlling access by TCP port.

Internet Service

One of the keys of security is to allow access to resources and services only by those who need them. In the context of Proxy Server, you limit specific services to only those users who need to use the service. You can set the access control permissions individually for the Web Proxy, WinSock Proxy, and SOCKS Proxy services. You set the permissions from inside the ISM using the property sheet of the specific service.

Web Proxy Service - Use the Permissions tab to “Enable Access Control”. You can then specify who can have access to the following protocols:

WWW - This is for access to the HTTP protocol.
FTP Read - This is for access to FTP services.
Gopher - Gopher is a menu-based system used to supplement FTP.
Secure - This is the SSL service. If you have access granted, then you can use SSL security.

WinSock Proxy Service - Use the Permissions tab to “Enable Access Control”. You can specify “Unlimited Access” or you can specify who can have access to the following protocols: AlphaWorld, AOL, Archie, Echo, Enliven, IMAP4, IRC, Microsoft NetShow, MSN, NNTP, POP3, RealAudio, SMTP, Telnet, and VDOLive. Other protocols can be added with the WinSock Proxy service.

SOCKS Proxy Service - You use the same procedure to set the permissions for using the SOCKS service. You get a dialog box you use to configure this service. The “Source” specifies the origin of the request. You do this either by IP address and subnet, for a particular Internet domain, or for all computers. The “Destination” side is where you allow (or deny) the destination of the permitted entry.

IP Parameters

Proxy Server allows you to control access by specific IP parameters such as IP address, IP subnet, and Internet domain name. This is done by enabling filtering and then specifying the appropriate IP address, subnet, or domain. When configuring this security, there are two methods you can use. You can grant access to everyone and then restrict access by denying certain IP addresses, subnets, or domains. Or, you can deny access to everyone and then grant access by exception by specifying the IP address, subnet, or domain. Just as with configuring access by Internet service, you can set these parameters for each individual Proxy Server.
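The queryless hash-based CARP routing and the client configuration script described above, combined in one added example that is neither the study guide's nor Microsoft's code. It assumes the script knows the array members and their availability, uses an illustrative FNV-1a hash in place of the real CARP hash functions, and returns the browser's usual "PROXY host:port; ...; DIRECT" ordered list.

```javascript
// Added example: a CARP-style routing decision written in the form of a Web
// Proxy client configuration script. The hash is an illustrative FNV-1a, not
// the real CARP hash; the member list below is constructed for the example.

// Constructed array membership. "available" mirrors the per-member
// availability list the guide says each array member maintains.
const ARRAY_MEMBERS = [
  { name: "proxy1.example.test", port: 80, available: true },
  { name: "proxy2.example.test", port: 80, available: true },
  { name: "proxy3.example.test", port: 80, available: false },
];

// 32-bit FNV-1a over a string; stand-in for the CARP hash functions.
function fnv1a(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h >>> 0;
}

// Hash-based routing: combine the URL hash with each member's own hash and
// rank members by the result. The same URL always ranks the same member first
// on every client and every array member, so no query is needed (single hop)
// and each object is cached on one member instead of on all of them. Removing
// a member leaves the relative order of the others unchanged.
function rankMembers(url, members) {
  const urlHash = fnv1a(url);
  return members
    .map(m => ({ m, score: fnv1a(m.name) ^ urlHash })) // XOR combine, illustrative
    .sort((a, b) => b.score - a.score || a.m.name.localeCompare(b.m.name))
    .map(x => x.m);
}

// The configuration script entry point, as a browser calls it for every URL.
// Unavailable members are skipped so the browser fails over to the next one,
// and DIRECT is appended as the last resort.
function FindProxyForURL(url, host) {
  const ordered = rankMembers(url, ARRAY_MEMBERS).filter(m => m.available);
  const proxies = ordered.map(m => "PROXY " + m.name + ":" + m.port);
  proxies.push("DIRECT");
  return proxies.join("; ");
}

// Name of the member that will serve (and cache) a given URL.
function firstHop(url) {
  return rankMembers(url, ARRAY_MEMBERS).filter(m => m.available)[0].name;
}

// Demonstration when run stand-alone.
console.log(FindProxyForURL("http://www.example.test/index.html", "www.example.test"));
console.log(firstHop("http://www.example.test/index.html"));
```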
Port

You can configure which port is used by the TCP and UDP protocols and thus control access to the WinSock Proxy service. Proxy Server comes with a default set of protocol definitions. You can add your own protocol definitions or modify the definitions of the default protocols to suit your requirements. Proxy Server uses application service ports for the WinSock Proxy and SOCKS Proxy services. WinSock-based applications work through a network connection. Ports are used in combination with IP addressing to form socket connections. A socket is an endpoint in the communication process. The WinSock Proxy service can also redirect a listen() call. The implication of this is that Proxy Server can listen to Internet requests on behalf of your application. It then redirects the request from the Internet to your application. There is also a special setting called “Unlimited Access”.

You can also enable access to inbound and outbound service ports selectively for users on your network. You do this through the ISM by selecting the WinSock property sheet and then selecting the Protocols tab. You can create definitions and modify existing protocol definitions. You can save these definitions and load them at a later date. You can save this file from one Proxy Server and load it at another Proxy Server. You may use any legal filename, including an extension. Proxy Server does not append the filename with an extension. It is saved as a text file. You can also create new protocol definitions in the WinSock Proxy service properties for the purpose of controlling access.

The following table summarizes the port parameters for the default protocols. You can modify the initial connection, specify TCP or UDP, and specify whether it is inbound or outbound. You can also set the parameters for subsequent connections, which do not have to be the same as the initial connection.

Protocol Name   Initial Outbound Connection (port)   Type
Alpha World     5670    TCP
AOL             5190    TCP
Archie          1525    UDP
DNS             53      UDP
Echo (TCP)      7       TCP
Echo (UDP)      7       UDP
Enliven         537     TCP
Finger          79      TCP
FTP             21      TCP
Gopher          70      TCP
HTTP            80      TCP
HTTP-S          443     TCP
ICQ             4000    UDP
IMAP4           143     TCP
IRC             6667    TCP
LDAP            389     TCP
NetShow         1755    TCP
MSN             569     TCP
Net2Phone       6801    UDP
NNTP            119     TCP
POP3            110     TCP
Real Audio      7070    TCP
Real Audio      7075    TCP
SMTP            25      TCP
Telnet          23      TCP
Time (TCP)      37      TCP
VDOLive         7000    TCP
Vxtreme         12468   TCP
Whois           43      TCP

Inbound Access

There are some good site design and implementation guidelines that you can use to lessen the security risks when using Microsoft Proxy Server. Consider some of the following:

Disable IP forwarding - Setting this parameter disables the forwarding of IP packets.
Enable Access Control - This is the default during installation. Without access control enabled, you will not be able to set password authentication. This is considered unsecured.

Local Address Table - The LAT details what addresses Proxy Server considers internal network addresses. This point is critical. Internal addresses have access to the internal network. Never put external addresses in the LAT.

Disable Server Service - Consider disabling the Windows NT Server service on the Proxy Server system. This service provides file and print services to network clients. These services are not necessary for the Proxy Server or its clients to function adequately. If you choose not to disable the service, then make sure that any shares that you created have the proper permissions assigned to them. You should also use the NTFS file system because it greatly enhances security for this situation.

Drive Mappings - Do not use drive mappings to connect to remote resources if you are running Proxy Server and IIS on the same server and you are publishing content. The issue with mapped drives is that the drive letter designator could change and the resource will not be available. If you use the UNC syntax, this cannot happen. In addition, you are limited in the number of drive mappings you can have, based on the letters of the alphabet.

Configuring the Client - Remove gateway references and DNS references from the IP parameters of the client computers. This prevents clients from bypassing Proxy Server to access the Internet. Don't forget to remove these parameters from your DHCP scope properties as well.

Disable RPC ports - Ports 1024 through 1029 are used by TCP/IP services for remote procedure call (RPC) listening. You can disable all ports used for RPC listening on the external network interface. Then these ports are no longer visible to the Internet. You make these changes through the registry.

The default installation configuration of Microsoft Proxy Server has the network fully secure from outside access by Internet users. Interestingly enough, if, during installation, you accept the defaults that enable access control, internal access to the Internet is also prevented. In other words, users inside cannot access the Internet and users outside cannot access the internal network. Access control is enabled at installation, but no users or groups are specified yet. The administrator must explicitly do this. This is true for both the Web Proxy and WinSock Proxy services.

Controlling by Packet Type

You can use Proxy Server to control access to the internal network using a technique known as packet filtering. With packet filtering enabled, Proxy Server accepts or denies packets based on packet type. You can also block packets originating from specific Internet hosts. Proxy Server supports both dynamic and static packet filtering. With dynamic packet filtering, designated ports are automatically opened for outgoing and inbound traffic. The ports are automatically closed after the session has been terminated. This minimizes the number of ports that are open at any time and minimizes the length of time a particular port is open. Dynamic packet filtering is automatic and requires no work on your part. Static packet filtering involves manually configuring the filter. You do this using ISM and the property sheet for the service.

Encryption

Proxy Server takes advantage of authentication and the security architecture of IIS. The Web Proxy service uses the same password authentication methods for client requests as those configured in the
WWW service of IIS. These authentication methods include: Anonymous logon, Basic authentication, and Windows NT challenge/response authentication. Using challenge/response authentication with any Web browser other than Internet Explorer (IE) 4.0 might result in rejection of client configuration scripts (JScripts) or incorrect display of HTTP pages that use the Secure Sockets Layer (SSL). You should use basic authentication if you are using a Web browser other than IE 4.0. Basic authentication is sent in clear text. If you use basic authentication along with SSL, then the user's name and password are encrypted. SSL supports data encryption and authentication. Data sent to and from a client using SSL is encrypted both ways.

Proxy Server Dial-Up

Proxy Server has a feature called AutoDial. This feature allows you to configure Proxy Server to automatically dial to your ISP, or dial back to your central location. Proxy Server uses RAS to establish the dial-up connection. AutoDial is event driven and makes the connection only when needed. Proxy Server autodials:

When Web Proxy cannot find a requested object in cache
For all client requests of WinSock
For all client requests of SOCKS

To support Proxy Server AutoDial, you must do the following:

Install RAS.
Make a phonebook entry.
Configure the RAS service.
Configure the AutoDial credentials.
Set the AutoDial dialing hours.
Stop and start the Proxy Server services.

Installing Remote Access Service (RAS)

In order to use Proxy Server AutoDial, you must install RAS and configure the services. You must also set up at least one phonebook entry. RAS can be installed during the Windows NT Server installation. RAS can also be installed at any time after the installation. After you have RAS installed, you need to do the following:

Stop the Remote Access AutoDial Manager service.
Disable the AutoDial Manager service.
Stop and start the Remote Access Connection Manager service.
Make sure that the Connection Manager is set to automatic startup mode.

You use Dial-Up Networking (DUN) to connect as a client through RAS. A phonebook entry is used to store the parameters necessary to connect to a remote network.

Tools

You can also administer Proxy Server using the command line. This is useful if you need to configure many Proxy Server computers identically using the same script. Two command-line utilities are installed during Proxy Server setup.

RemotMsp - This utility helps you configure and administer a remote Proxy Server computer.
WspProto - This utility adds, edits, and deletes the WinSock Proxy service protocol definitions.

Web Administration Tool (WAT) - allows you to administer Proxy Server from your Web browser. WAT provides the same functions as ISM. To use WAT, you need a Web browser that supports JavaScript. You should be running at least Microsoft Internet Explorer (IE) 3.02, Netscape Navigator 3.0, or Netscape Communicator 4.04. In addition, your browser should be configured to enable cookies. You must install the WAT on a computer running Proxy Server.

Web Publishing

Publishing refers to placing objects (documents, images, etc.) on a Web server so they can be reached by anyone with access to the Web server. Of course, the concept of publishing applies to Intranet users as well as Internet users. Even if you are only publishing to employees on your internal network, there may be reasons why you do not want everyone to be able to connect to any server. One such reason could be that the server is located in an unsecured area of the building where potentially anyone could have access to it. So the techniques for securing your Web content against external forces can apply to internal forces as well. Proxy Server implements both reverse proxy and reverse hosting as a means of helping you publish to the Internet while not compromising network security.

Reverse Proxy

Reverse proxy is Proxy Server's ability to process incoming requests to an internal HTTP server and to respond on its behalf. This is the reverse of the normal process where the proxy takes a request from the internal network and passes the request to the Internet. With reverse proxy, Proxy Server takes the request from the Internet and responds to it in place of the internal Web server.

Reverse Hosting

Reverse hosting takes publishing to the next logical step. In reverse hosting, Proxy Server maintains a list of servers on the internal network that have permission to publish to the Internet.
This enables Proxy Server to listen and respond on behalf of multiple servers that are located behind it. To the Internet client, this process is transparent. There is no evidence that the request passes through Proxy Server before being forwarded to the applicable Web server. Proxy Server merely redirects the incoming URL to the appropriate server.

Packet Filtering

Packet filtering occurs when Proxy Server intercepts incoming packets. Proxy Server evaluates packets before they are passed to higher levels in the protocol layers or to an application. Proxy Server gives you the ability to automatically apply predefined dynamic filters. Sometimes this is referred to as stateful filtering. Dynamic filtering occurs when Proxy Server evaluates which TCP/IP packet types are accessible to specific internal network services. With dynamic filtering enabled, Proxy Server is acting as a firewall. A firewall is a hardware/software product that acts as a barrier. Its purpose is to prevent entry into a network by unauthorized users, processes, or data. The security features of Proxy Server allow you to control the flow of traffic to and from the network, in addition to authenticating client requests. With packet filtering, you can:
· Intercept packets destined to specific services on your Proxy Server computer. You can then either allow those packets through or block them.
· Send an alert when dropped packets or suspicious events occur. You can either forward a record of alerts to a log file or send alerts through e-mail.

You can configure packet filters to reject any type of packet and thereby prevent them from being processed through the Proxy Server. This provides a high level of security for your network. Packet filtering can block packets originating from specific Internet hosts. Packet filtering only applies to the external network adapter. The internal network adapter is not affected.

Alerts

Events that can compromise your system should be monitored. If such an event occurs, the server can be configured so that an alert is generated. Events for which you can generate alerts include:
· Rejected packets - Watches the external network interface for dropped IP packets.
· Protocol violations - Watches for packets that do not follow the allowed protocol structure.
· Disk full - Watches for failures caused by a full disk.

If any of these events occurs, Proxy Server writes the event in the system log. Use the Windows NT Event Viewer to view the log file. An alert can also be sent as an e-mail message to a designated recipient. You must enable packet filtering first for alerting to be operational. Packet filter alerts may be stored in the dedicated log file used by Proxy Server. They may also be stored in an Open Database Connectivity (ODBC) database such as SQL Server.

Monitoring Performance

Proxy Server provides counters that you can use to monitor its performance and monitor how users are connecting. You can use Performance Monitor to view Proxy Server activity. Windows NT Server uses Performance Monitor for tracking computer performance and processes. When you use Performance Monitor, you actually monitor the behavior of its components. These components are known as objects.
Examples of objects are the processor, memory, cache, hard disk, services, and other components. Each object has a set of counters that are unique to it. When Proxy Server is installed, several counter objects are installed into Performance Monitor. These objects contain all the performance counters that are used to monitor Proxy Server.

Performance Monitor

Performance Monitor can help determine where bottlenecks exist. A bottleneck is any place there is a system shortage or a resource shortage. All computer systems will have resource shortages. Alleviating one resource shortage may cause another area to show up as the bottleneck. You may then try to add more resources to shore up that area. You should monitor four categories of objects when monitoring the system and attempting to identify bottlenecks: CPU, Memory, Disk, and Network.
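The authentication section earlier on this page makes the point that Basic authentication travels in clear text and is only protected when SSL is in use. The following added example (written for this edition, not code from the study guide or from Microsoft) shows why that matters from the defender's side: it parses captured requests, decodes the Basic credential the way any observer on the wire could, and reports which users sent a password without SSL. The sample requests, host names, user names and passwords are constructed for the example; the "NTLM placeholder-token" value stands in for a real challenge/response token and is not decoded.

```python
import base64
from typing import Dict, List, Optional, Tuple

# Constructed sample of requests as a monitoring point might record them:
# (transport, raw HTTP request). Hosts, users and passwords are made up.
SAMPLE_REQUESTS: List[Tuple[str, str]] = [
    ("http",
     "GET /reports/ HTTP/1.0\r\nHost: intranet.example.test\r\n"
     "Authorization: Basic YWxpY2U6czNjcjN0\r\n\r\n"),
    ("https",
     "GET /reports/ HTTP/1.0\r\nHost: intranet.example.test\r\n"
     "Authorization: Basic Ym9iOmh1bnRlcjI=\r\n\r\n"),
    ("http",
     "GET /public/ HTTP/1.0\r\nHost: intranet.example.test\r\n\r\n"),
    ("http",   # challenge/response: the header carries a token, not the password
     "GET /reports/ HTTP/1.0\r\nHost: intranet.example.test\r\n"
     "Authorization: NTLM placeholder-token\r\n\r\n"),
]


def parse_headers(raw_request: str) -> Dict[str, str]:
    """Return the request headers as a dict keyed by lower-cased header name."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def decode_basic_credentials(auth_value: str) -> Optional[Tuple[str, str]]:
    """Decode 'Basic <base64(user:password)>'; None for other schemes or bad tokens."""
    scheme, _, token = auth_value.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("latin-1")
    except (ValueError, UnicodeDecodeError):     # binascii.Error is a ValueError
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def audit_basic_auth(records) -> List[Dict[str, object]]:
    """List every Basic-authenticated request and whether SSL protected it.

    Only the user name is kept: the password is decoded to prove it is
    recoverable, then discarded so the audit output is not a credential store.
    """
    findings: List[Dict[str, object]] = []
    for transport, raw in records:
        headers = parse_headers(raw)
        creds = decode_basic_credentials(headers.get("authorization", ""))
        if creds is None:
            continue
        user, _password = creds
        findings.append({"host": headers.get("host", "?"), "user": user,
                         "protected": transport == "https"})
    return findings


def exposed_users(records) -> List[str]:
    """User names whose password travelled in clear text (Basic without SSL)."""
    return [str(f["user"]) for f in audit_basic_auth(records) if not f["protected"]]


if __name__ == "__main__":
    for finding in audit_basic_auth(SAMPLE_REQUESTS):
        print(finding)
    print("exposed:", exposed_users(SAMPLE_REQUESTS))
```

Run against the constructed sample, the audit reports two Basic logons and flags only alice, whose request went over plain HTTP; bob's identical header is covered by SSL, and the challenge/response request is skipped because its header never contained the password.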
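The packet filtering and alerts sections above describe dynamic (stateful) filtering on the external adapter and the "rejected packets" alert. The following added example is a small Python model of that behaviour, written for this edition and not code from the study guide or from Proxy Server: outbound flows leaving the proxy are remembered, an inbound packet is passed only when it is the reply to a remembered flow or targets a deliberately published service (here TCP 80, as a reverse-proxy listener would be), and everything else is dropped and counted towards an alert. The proxy address, remote addresses, ports and the alert threshold of three drops are constructed values for the example.

```python
from collections import namedtuple
from dataclasses import dataclass, field
from typing import List, Set, Tuple

# One packet as seen on the proxy's external interface. "direction" is "in"
# (arriving from the Internet) or "out" (leaving the proxy for the Internet).
Packet = namedtuple("Packet", "direction proto src_ip src_port dst_ip dst_port")

# Hypothetical external address of the proxy; every address below is a
# constructed documentation-range value, not captured traffic.
PROXY_EXTERNAL_IP = "198.51.100.2"


@dataclass
class DynamicFilter:
    """Toy stateful packet filter for the external interface.

    Outbound flows are recorded. An inbound packet is admitted only if it is
    the reply to a recorded flow or it targets a statically published service;
    everything else is dropped and counted towards a 'rejected packets' alert.
    """
    published_ports: Set[Tuple[str, int]]
    alert_threshold: int = 3
    sessions: Set[Tuple] = field(default_factory=set)
    rejected: List[Packet] = field(default_factory=list)
    alerts: List[str] = field(default_factory=list)

    def process(self, pkt: Packet) -> bool:
        """Return True if the packet is passed up the stack, False if dropped."""
        if pkt.direction == "out":
            # Remember the 5-tuple so the remote host's reply is accepted.
            self.sessions.add((pkt.proto, pkt.src_ip, pkt.src_port,
                               pkt.dst_ip, pkt.dst_port))
            return True
        # Inbound: is this the reverse direction of a flow we opened?
        reply_of = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if reply_of in self.sessions:
            return True
        # Inbound: is this a service deliberately exposed on the external NIC?
        if (pkt.proto, pkt.dst_port) in self.published_ports:
            return True
        self._reject(pkt)
        return False

    def _reject(self, pkt: Packet) -> None:
        self.rejected.append(pkt)
        # Raise an alert each time the drop count reaches a multiple of the threshold.
        if len(self.rejected) % self.alert_threshold == 0:
            self.alerts.append(
                f"Rejected packets: {len(self.rejected)} dropped on the external "
                f"interface; latest {pkt.proto}/{pkt.dst_port} from {pkt.src_ip}")


# Constructed traffic sample: a Web Proxy fetch and its reply, then unsolicited
# inbound probes, and one request to the published HTTP port.
SAMPLE_TRAFFIC = [
    Packet("out", "tcp", PROXY_EXTERNAL_IP, 1040, "203.0.113.10", 80),
    Packet("in", "tcp", "203.0.113.10", 80, PROXY_EXTERNAL_IP, 1040),
    Packet("in", "tcp", "203.0.113.77", 40001, PROXY_EXTERNAL_IP, 23),
    Packet("in", "tcp", "203.0.113.78", 40002, PROXY_EXTERNAL_IP, 80),
    Packet("in", "udp", "203.0.113.79", 53, PROXY_EXTERNAL_IP, 1050),
    Packet("in", "tcp", "203.0.113.80", 40003, PROXY_EXTERNAL_IP, 139),
]


def run_filter(traffic=SAMPLE_TRAFFIC, published=frozenset({("tcp", 80)})):
    """Run the sample through the filter; return (decisions, filter instance)."""
    flt = DynamicFilter(published_ports=set(published))
    decisions = [flt.process(p) for p in traffic]
    return decisions, flt


if __name__ == "__main__":
    decisions, flt = run_filter()
    for pkt, ok in zip(SAMPLE_TRAFFIC, decisions):
        print("PASS" if ok else "DROP", pkt)
    for alert in flt.alerts:
        print("ALERT:", alert)
```

The reply from 203.0.113.10:80 is passed only because the proxy itself opened that flow a moment earlier; the telnet, NetBIOS and unsolicited DNS packets have no matching state and no published rule, so they are dropped, and the third drop produces the alert. Real Proxy Server writes that alert to the system log or sends it by e-mail, as the section above says.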
When you install Proxy Server, an icon for Monitor Microsoft Proxy Server Performance is added. Clicking on this icon starts Performance Monitor with Msp.pmc. This file is a preconfigured Performance Monitor workspace. It already has the objects and counters installed so you do not need to configure Performance Monitor each time you want to monitor the same set of conditions. These counters are listed below:

% Processor Time - These counters monitor the time used by these two processes. They help you identify problem areas and indicate processor usage by the service. If they are increasing, install a faster processor. When these get to 100%, the system is at maximum capacity.
Active Sessions - This counter tells you how many people are using the server at one time.
Cache Hit Ratio (%) - This counter indicates what percent of requests the cache is serving by telling you how effective the caching is. The goal should be to increase this number.
Requests/Second - This counter displays the rate of incoming requests that have been made to the Web Proxy Server.
Total Users - This is a cumulative counter of the total number of users that have ever used the server.
Current Users - This counter indicates the number of users currently using the server. This helps to determine when it is convenient to stop the server.
Maximum Users - This is a cumulative counter that indicates the maximum number of users simultaneously connected to the server.

Transaction Log Files

Your log files let you know how your equipment is doing and how the organization uses the Internet. Log files are located in the subfolder specified in the Logging tab. The log files are ASCII text files. Logging to a text file is the default. However, if you prefer to save logs in a database, you can configure the Web Proxy and WinSock Proxy services to log information to a database instead. Proxy Server supports ODBC for logging service information to databases. Logging to any ODBC database is possible.
It does not need to be a Microsoft database. Database logging increases the amount of time and resources needed by Proxy Server. You may want to consider logging to a text file and then importing the text file into the database as a means of enhancing performance. Writing log data to a database enhances data querying and reporting. Log files are stored in one table. Each transaction generates one record in the table. The database can exist on a Proxy Server computer or on any other computer on your network. You must supply the following information to log to a database:

ODBC Data Source Name (DSN) - This is the ODBC Data Source Name (DSN) for the database to which Proxy Server logs data. You configure this through the ODBC applet in Control Panel.
Table - This is the name of a table in the database to which Proxy Server logs information.
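The transaction log section above says the text logs show how the organization uses the Internet, and the questions that follow ask how to list the most frequently accessed sites for Windows clients (Web Proxy plus WinSock Proxy logs) and for non-Windows clients (Web Proxy plus SOCKS logs). The following added example, written for this edition and not code from the study guide, is the kind of report a practitioner would run over those text files before importing them into a database: it parses the log, ranks sites per service set, and computes a cache hit percentage in the spirit of the Cache Hit Ratio counter. The log layout, the field order and every record in it are constructed for the example; it is not Proxy Server's actual log field order, so adjust FIELDS to match a real file.

```python
from collections import Counter
from typing import Dict, List, Optional, Set, Tuple
from urllib.parse import urlsplit

# Constructed, simplified transaction-log format (one record per line, space
# separated): client_ip user timestamp service cache_result url bytes.
# Illustrative layout only, not Proxy Server's own field order; cache_result
# is "-" for services that do not cache.
SAMPLE_LOG = """\
10.0.0.11 alice 1998-11-02T09:01:12 WebProxy HIT http://www.example.com/index.html 2048
10.0.0.12 bob 1998-11-02T09:01:40 WebProxy MISS http://www.example.com/news/today.html 10240
10.0.0.11 alice 1998-11-02T09:02:05 WebProxy HIT http://www.example.com/logo.gif 512
10.0.0.13 carol 1998-11-02T09:02:30 WinSockProxy - ftp://ftp.example.org/pub/readme.txt 4096
10.0.0.12 bob 1998-11-02T09:03:00 WebProxy MISS http://intranet.example.test/reports/ 8192
10.0.0.14 dave 1998-11-02T09:03:15 SOCKS - irc://irc.example.net:6667 0
10.0.0.11 alice 1998-11-02T09:04:00 WebProxy HIT http://www.example.com/index.html 2048
10.0.0.13 carol 1998-11-02T09:04:20 WebProxy MISS http://www.example.org/ 3072
"""

FIELDS = ("client_ip", "user", "timestamp", "service", "cache_result", "url", "bytes")

# Service sets matching the two "most frequently accessed sites" questions.
WINDOWS_CLIENT_SERVICES = {"WebProxy", "WinSockProxy"}
NON_WINDOWS_CLIENT_SERVICES = {"WebProxy", "SOCKS"}


def parse_log(text: str) -> List[Dict[str, str]]:
    """Turn the text log into a list of field dicts, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue          # do not abort the whole report on one bad line
        records.append(dict(zip(FIELDS, parts)))
    return records


def site_of(url: str) -> str:
    """Host part of a URL, lower-cased; empty string if the URL has none."""
    return (urlsplit(url).hostname or "").lower()


def top_sites(records, n: int = 5,
              services: Optional[Set[str]] = None) -> List[Tuple[str, int]]:
    """Most frequently accessed sites, optionally limited to a set of services."""
    counts = Counter(site_of(r["url"]) for r in records
                     if services is None or r["service"] in services)
    # Count descending, then name ascending so ties come out in a stable order.
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def cache_hit_ratio(records) -> float:
    """Percentage of Web Proxy requests served from cache."""
    web = [r for r in records if r["service"] == "WebProxy"]
    if not web:
        return 0.0
    hits = sum(1 for r in web if r["cache_result"] == "HIT")
    return 100.0 * hits / len(web)


def bytes_per_user(records) -> Dict[str, int]:
    """Total bytes transferred per user name."""
    totals: Counter = Counter()
    for r in records:
        totals[r["user"]] += int(r["bytes"])
    return dict(totals)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("Windows clients:", top_sites(recs, 3, WINDOWS_CLIENT_SERVICES))
    print("Non-Windows clients:", top_sites(recs, 3, NON_WINDOWS_CLIENT_SERVICES))
    print("Cache hit ratio: %.1f%%" % cache_hit_ratio(recs))
    print("Bytes per user:", bytes_per_user(recs))
```

On the constructed sample the Windows-client view ranks www.example.com first and includes the FTP site seen through WinSock Proxy, while the non-Windows view replaces it with the IRC host that came through SOCKS; the Web Proxy cache hit ratio comes out at 50%.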
Questions Exam 70-88

1: Can you use wildcards like "*" in domain filtering?
A: No

2: The users in your internetwork complain that they have very slow, or no cache response. What might you do to improve response time?
A: You should require them to use the WEB PROXY in order to take advantage of the content caching.

3: If you have a client using a browser that cannot be automatically configured, how many (maximum) hops will a client have to a proxy array of 6 computers?
A: two

4: Users complain that the only way to reach a site on the Internet is by entering its IP address. What could be wrong?
A: There is no DNS server configured in the TCP/IP properties.

5: You have 3 locations SiteA, SiteB and SiteC and the connection between them is a T1 line. SiteA has a T1 connection and Proxy Array to the Internet, SiteB has a single proxy server and T1 connection to the Internet. You want to implement a Proxy server at location SiteC. How are you going to configure it?
A: Primary route to SiteA, Backup route to SiteB

6: You have two Proxies, Proxy1 and Proxy2. Proxy1 is configured to have an upstream route to Proxy2. How can you configure it to work if Proxy2 fails?
A: In Web Service Properties, select Routing Tab, Enable Backup Route, select use Direct Connection.
7: Suppose you have a LAN running an old version of Proxy Server and you'd like to implement Proxy version 2.0. However, you want the same configuration. What should you do? (Choose 2)
A: Use the Server Backup, on the Service tab. Use the Server Restore, on the Service tab.

8: You have a LAT, IP addresses for an external NIC, an internal NIC, and a gateway. Which source IP address will be redirected to the Internet?
A: IP address of the external NIC

9: You have a network which consists of a proxy, a router, and your LAN. Your router is between your proxy and your LAN. The router is configured to allow only HTTP (port 80) to pass. If you use the web browser, which protocols can you use? (Choose 3)
A: HTTP, HTTPS and FTP.

10: Which admin utility would you use for remote administration of the proxy server?
A: REMOTMSP

11: Which application would you use to administer the Proxy Server if you are logged on locally to the server itself?
A: ISM

12: You have installed Netscape Navigator or IE 3.02 on a Unix machine. How can you enable Netscape to use the Web Proxy Service?
A: Go to the Netscape, Options, Network Preferences, Proxies Tab, Manual Configuration button and find the SOCKS proxy line. Then specify the DNS name and specify the port number.

13: How would you make a list of the most frequently accessed sites by Windows clients?
A: Enable logging on Web Proxy Service and WinSock Proxy Service

14: How would you make a list of the most frequently accessed sites by non-Windows clients?
A: Enable logging on Web Proxy Service and SOCKS Proxy Service.

15: In your LAN you have 2 subnetworks. The first one is in the main office configured in an array with a T1 line to the ISP. The 2nd one is a single stand-alone proxy at the branch that uses a T1 to the ISP. You need to implement a new proxy. How will you achieve the best performance?
A: Make the Primary connection to the main office and the backup connection to the branch.
16: What can you implement to prevent users from accessing certain Web sites?
A: Domain Filtering.

18: You have UNIX, Win95, WinNT clients in your network. You want to prevent UNIX clients from accessing IRC. What's the best way to do it?
A: In SOCKS Service Properties, deny access to TCP port 6667.
19: When monitoring your Proxy Server, what utility would you use to determine where the SMTP traffic is coming from?
A: Network Monitor.

20: Suppose you have multiple proxy servers in your LAN. What must you do in order to collect information about all servers in one location?
A: Configure the proxy to log to SQL server, and share it among all servers.

21: You have IE 3.02 installed on your Clients. It is configured with an automatic client configuration script. How would you disable it?
A: Under the View, Options, Advanced tab on IE.

22: Suppose you have CARP servers in your LAN. On your clients you configure Internet Explorer to use Automatic Configuration. How many hops will there be to find the URL for Web browser requests?
A: one

22: Your users frequently access a certain Web Page. What should you do to optimize the response time when internal users request this page?
A: Create Cache Filter for this site and set the filter status to always cache.

23: What object counters would you check in Performance Monitor to determine whether you need to add more proxy servers to your array?
A: Maximum Users, Total Users

24: What should you do in order to retrieve the most recent version of a URL requested from the Internet?
A: Disable cache.

25: The Administrator of your network attempted to view the hard disk counters in the performance monitor, but he can't see any counters although the disk is being accessed constantly. What should you do to solve the problem? (Choose 2)
A: Run DISKPERF command. Restart the Proxy Server.

26: You have a problem in your LAN because users cannot access remote URLs but they can access local ones. What is the best way to solve it?
A: Specify DNS Server address on the Proxy Server.
27: How can you prevent external users from viewing NetBIOS names, in a case where a WINS server is installed on your LAN?
A: Enable Packet Filtering. Unbind all NetBIOS services from the external NIC for the proxy. Disable unnecessary services such as RAS.

28: How much cache will be needed on your Proxy Server for 500 users?
A: 350 MB (( 100 + ( 500*.5 )= 100 + 250 = 350 ))

29: If you enable Automatic Configuration on the Clients' browsers, what kind of files will be downloaded?
A: Javascript.

30: What's the minimum amount of RAM required for 2000 clients?
A: 64 MB

31: What object would you use to see if the content of the cache is optimally configured?
A: Cache Hit Ratio

32: How would you update cache objects during less busy hours?
A: Enable active caching.

33: Which proxy services are used on UNIX-based and Macintosh machines?
A: Web Service, SOCKS Service

34: In your network you have Exchange servers on several computers in the internal network, and you have Internet Mail Service (IMS) in the Exchange services. How should you configure the proxy server to enable internal users to send and receive emails from the Internet? (Choose 2)
A: On each Exchange client, add the external IP of the proxy server. On each DNS server, add a DNS Internet MX resource record and specify Proxy server as mail server.

35: When you look at the Performance Monitor, you have 0 in the disk queue, 1 in network queue and 40% CPU load. What action would you take?
A: Increase the disk cache

36: A user modifies their local proxy client configuration file, which works until the next morning and then it is back to the original configuration. Why?
A: It gets overwritten at specified intervals with the server's copy

37: You have 3 different proxies in your LAN. There is only one DNS name ( pointing to the 3 IPs of the Proxy servers. How are you going to distribute the clients evenly among the proxies?