Sender: edge()
Compiled by: reynolds (2001-02-07 12:51:19), on-site mail
Original at http://www.cyberramp.net/~rickbao/70-88note.htm
This is the article I mentioned, the one that even a fool could pass after reading.
Is this your last exam for MCSE+I?
70-88 Proxy 2 Note
SPT/OnlineDoc | Transcender | Exam Cram | BrainDump | Edge Exam | Scenario
SPT and OnlineDoc
3 services: Web Proxy, Winsock Proxy, Socks Proxy.
Filtering at the IP packet layer: block or enable reception of certain packet types through certain ports.
Installation
Hardware req.: Intel 486+ or Alpha; 24 MB RAM (RISC: 32 MB); 10 MB HD, 100 MB + 0.5 MB per client; 2 NICs.
Software req.: NT4, SP3+, IIS3+, TCP/IP
Minimum total size of NTFS partition space on the proxy server → 5 MB.
Minimum RAM size for a low-volume network is 32 MB.
Minimum req. for a proxy server that supports 300~2000 clients → P133, 64 MB, 2~4 GB HD. Each proxy server at P166/64 MB can handle 2000 clients.
32 MB for 1-300 clients, 64 MB for 300-2000 clients.
Min RAM for each proxy server in an array: 64 MB.
1 proxy per 2000 users for a large business; 1 proxy per 1000 users for an ISP with simultaneous dial-up connections.
After server installation
An msp folder is created on the proxy server.
3 proxy services are installed and added to the ISM (Internet Service Manager) window.
A cache drive (default 100 MB) is created on an NTFS partition.
The server's c:\msp\clients is shared as mspclnt. Under it there is a webinst folder.
The on-line documentation is in the proxy server's \\%systemroot%\help\proxy folder.
3 Proxy Server performance monitor counter objects are installed: Web Proxy Server Cache, Web Proxy Server Service, Winsock Proxy Server.
Web-based client installation: http://server_name/msproxy displays the file c:\msp\client\webinst\default.htm.
After client installation
The client's winnt\winsock.dll is replaced by the Remote Winsock from the Winsock Proxy client, and the original is renamed winsock.dlx.
A WSP Client icon is added in Control Panel.
The LAT file msplat.txt is copied to the client's c:\mspclnt\msplat.txt after the c:\mspclnt folder is created.
mspclnt.ini is copied to the client's c:\ (check).
To disable using the proxy server from a client, uncheck "Enable Winsock Proxy client" in the client's Control Panel\WSP Client, then reboot.
To remove the proxy client from a client machine: Start - Programs - Microsoft Proxy Client - Uninstall.
locallat.txt:
Custom LAT file: create locallat.txt, put IP address pairs in it, and save it in the client's c:\mspclnt.
locallat.txt is used by the Winsock Proxy client: it checks msplat.txt, then locallat.txt, to determine which IP addresses are local. The Web Proxy and Socks Proxy services don't use it.
Each time a client's Winsock Proxy app looks up an IP, it checks msplat.txt and locallat.txt. If the address is internal, it connects directly; if external, it goes through the Winsock Proxy service.
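The LAT lookup described above, as an added example that is not from the original note or from Microsoft's client code: it parses msplat.txt/locallat.txt-style files (assumed here to hold one "start end" IP pair per line, which is how the note describes locallat.txt), derives the LAT pair for a NIC from its IP and mask, and applies the direct-versus-Winsock-Proxy decision plus the "external NIC must not be in the LAT" check the note makes later. All LAT contents and addresses are constructed.

```python
"""Winsock Proxy client-style LAT lookup (added illustration, not the
product's code). Assumes one "start end" IPv4 pair per line, with ';'
starting a comment."""
import ipaddress

# Constructed sample LAT contents (not taken from any real proxy server).
MSPLAT_TXT = """\
; constructed msplat.txt: internal ranges pushed from the proxy server
10.0.0.0 10.255.255.255
172.16.10.128 172.16.10.191
"""
LOCALLAT_TXT = """\
; constructed locallat.txt: extra local range kept on this client only
192.168.50.0 192.168.50.255
"""


def parse_lat(text):
    """Return a list of (start, end) IPv4Address pairs, ignoring blank
    lines and ';' comments. Reversed pairs are normalised."""
    ranges = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        start, end = (ipaddress.IPv4Address(p) for p in line.split())
        if start > end:
            start, end = end, start
        ranges.append((start, end))
    return ranges


def lat_pair_for_nic(ip, netmask):
    """The LAT pair covering a NIC's subnet, e.g. the note's question about
    an internal NIC at 172.16.10.169 with mask 255.255.255.192."""
    net = ipaddress.IPv4Network(f"{ip}/{netmask}", strict=False)
    return net.network_address, net.broadcast_address


def is_local(addr, ranges):
    a = ipaddress.IPv4Address(addr)
    return any(start <= a <= end for start, end in ranges)


def route_for(addr, msplat, locallat):
    """Mimic the client's decision: msplat.txt is checked first, then
    locallat.txt; a hit means connect directly, a miss means the
    connection goes through the Winsock Proxy service."""
    if is_local(addr, msplat) or is_local(addr, locallat):
        return "direct"
    return "winsock-proxy"


def check_external_nic(external_ip, msplat):
    """Config check from the note: the external NIC's IP must NOT be in the
    LAT, or Internet users can reach the internal network while internal
    users cannot get out. True means the configuration is sane."""
    return not is_local(external_ip, msplat)


if __name__ == "__main__":
    msplat = parse_lat(MSPLAT_TXT)
    locallat = parse_lat(LOCALLAT_TXT)
    print("LAT pair for internal NIC:",
          lat_pair_for_nic("172.16.10.169", "255.255.255.192"))
    for dst in ("10.1.2.3", "192.168.50.7", "207.46.130.45"):
        print(dst, "->", route_for(dst, msplat, locallat))
    print("external NIC outside LAT:", check_external_nic("172.16.10.2", msplat))
```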
Web Proxy Service
Supports HTTP, FTP, and Gopher; no Telnet.
Supports all OSes and platforms internally.
Supports TCP/IP on the LAN.
Secure IP aggregation: multiple PCs behind a single IP.
Disk caching.
CERN-proxy compliance.
Caches HTTP and FTP objects.
Data encryption using SSL.
Logs info. on client requests.
Winsock Proxy Service
Supports Windows Sockets 1.1 compatible standard apps.
Supports TCP/IP and IPX/SPX on the LAN.
Secure IP aggregation.
NT Challenge/Response authentication between client and server.
Controls in/outbound access by port, protocol, user, group.
Filters access by domain name, IP, and subnet mask.
Blocks intruders.
Logs info. on client requests.
Data encryption using SSL.
Socks Proxy Service
Compatible with Windows, Mac, Unix.
Supports TCP/IP on the LAN.
Supports all OSes and platforms internally.
Can be used for HTTP, FTP, Gopher, Telnet.
Supports the SOCKS 4.3 standard.
Supports the Identification protocol, i.e. Identd simulation service.
Uses IP authentication to establish the comm channel.
Logs info. on client Socks requests.
Internal & External NIC
Do not put a default gateway on the internal NIC.
The internal NIC's IP should be in the LAT; the external NIC's IP should not be in the LAT. To prevent Internet users from accessing your internal network: disable IP forwarding, disable web publishing, and remove the external IP from the LAT.
If the external IP is in the LAT, Internet users can bypass the proxy to get to the internal network, but internal users can't get out.
An external NIC is required to enable packet filtering.
If no default gateway is specified on the external NIC → client Internet access fails, regardless of whether or not the object is in the Web Proxy cache.
The SOCKS protocol defines 2 operations: Connect and Bind.
Proxy properties settings (tabs) per service:
               Service  Permissions  Protocols  Caching  Routing  Publishing  Logging
Web Proxy      x        x                       x        x        x           x
Winsock Proxy  x        x            x                                        x
Socks Proxy    x        x                                                     x
To back up the proxy server: choose Web Proxy, Service, Server Backup, and specify the backup directory (default c:\msp\config); the file name will be mspyyyymmdd.mpc, such as msp19990121.mpc, an ASCII file. To restore, in the same place choose Server Restore, then specify the backup file name.
Transcender
Test A: 6, 11, 19, 20, 41, 44, 49, 50, 53, 56, (62, 63, 64)
Test B: 2, 15, 16, 18, 19, 23, 24, 32, 33, 38, 48, 50, 59, 62, 63, 66
Test C: 8, 10, 11, 19, 31, 32, 34 (mapping)
1 license per proxy server; no license needed for clients.
IIS/Proxy password authentication: 1. Allow Anonymous; 2. Basic (clear text); 3. Windows NT Challenge/Response (NTCR).
If 1 is disabled and the browser does not support NTCR, it automatically uses 2 and asks for login/password.
If 2 is enabled, it always asks for login/password.
If 2 is disabled, it does not display "access denied" even when the access attempt failed.
If access control is enabled and you don't have permission on a protocol, the browser displays a login/password prompt. Access is denied after several (usually 3) attempts with the same account.
If only 3 is enabled and the browser is not NTCR compliant, it attempts to use 2 and asks for login/pwd. If 2 is enabled and the login/pwd is wrong, it denies. If 2 is disabled, no error is displayed even though access failed.
In a pure NT environment, no Socks service is needed. If asked for the most frequently accessed URLs, enable Web Proxy and Winsock Proxy logging.
Well-known TCP/IP ports:
FTP-21 (control), FTP-20 (data transfer), HTTP-80, HTTPS-443
IRC-6667, DNS-53, ICQ-4000, POP3-110
NNTP-119, SMTP-25, Telnet-23, Finger-79
RealAudio-7070/7075, VDOLive-7000, WhoIs-43, Net2Phone-6801
AOL-5190, Echo-7, MS-NetShow-1755, MSN-569
IMAP4-143, LDAP-389, Gopher-70
Only the Winsock Proxy service window has a Protocols tab.
Binding issue:
Bind TCP to the external NIC; TCP plus whatever other protocol (IPX/SPX, NetBEUI, etc.) on the internal NIC of the proxy server.
If the proxy server's TCP port is changed from 80 to 300, the client's browser needs to be changed manually, and clients need to rerun setup.
If 1 T1 serves 1000 clients, each client gets 1.54 kbps. If 1 ISDN BRI serves 100 clients, each client gets 1.28 k = 1280 bps. 750 users with full web access require 7875 kbps.
If IP forwarding is enabled, domain filtering won't work: a client whose TCP/IP has the proxy's internal IP set as default gateway can then access a filtered domain.
Netscape uses the HTTP protocol and the secure protocol from the proxy through Web Proxy. The secure protocol uses TCP port 443, which is used by HTTPS.
To put multiple proxy servers' logs in a central place → SQL Server.
Automatic configuration script in IE: IE 3.02 → View, Options, Advanced. IE 4.x → View, Internet Options, Connection, Configure.
CARP (Cache Array Routing Protocol) is used for making routing decisions within an array. Browsers that are not CARP aware, such as IE 3.02, can be configured to use the client configuration script. The client request is routed to the array, then from one array member to another array member; the total is 2 hops. (Q37)
Installing RAS after Proxy will enable IP forwarding by default; disable it. BTW, configure RAS to dial out only.
Proxy 2.0 does not support Novell NetWare 16-bit clients.
For the best web site response, enable a cache filter for that site and enable active caching.
PerfMon & counters:
To determine if another proxy server needs to be added → PerfMon, Maximum Users; plan for 2000 users per proxy.
Current Average Milliseconds/Request: if it is high, either there are too many users or the proxy computer is slow.
Array Bytes Total/sec: shows the volume of network traffic between a proxy server and the other array members.
To detect an insufficient memory problem → Network Interface: Bytes Total/sec.
Output Queue Length: if more than 2 (and bandwidth is still available), then the NIC is the bottleneck (BT25).
To view local disk objects → run diskperf -y and reboot. The user should be in the local Administrators group.
Proxy server performance baseline → take it during a typical load period.
If the Cache Hit Ratio is too low (say, 40%), increase the content cache size (BT49).
Total Actively Refreshed URLs counter: the number of cached URLs that have been automatically refreshed from the secure Internet sites (BT52).
Which PerfMon counter is used to find how many times URLs have been refreshed → Total Actively Refreshed URLs.
Find out the currently connected users (using Winsock Proxy) in PerfMon → 1. Active Sessions counter; 2. Current Sessions button (User Sessions dialog box) in ISM.
If PerfMon shows everything OK, how to improve performance → increase the content cache size.
To create a notification/alert for dropped packets → Performance Monitor.
Maintain a log of all accessed URLs in SQL Server:
On the proxy server, add the ODBC driver.
Create a system DSN for the database, and specify the system DSN name on the Logging tab of the proxy service.
Create the table in SQL Server. Specify the table name on the Logging tab of the proxy service.
Provide the logon ID and password on the Logging tab of the proxy service.
For other e-mail clients to bypass the proxy server and dial up to the ISP, the Winsock Proxy client should be disabled on the client machine.
A user can access http://www.audlt.com/ because IP forwarding is not disabled: he specifies the ext. NIC's IP in the browser (AT25).
Hierarchical caching: chained proxies. Distributed caching: proxy array.
Packet filtering:
It is recommended to enable both the "Enable dynamic packet filtering" check box and the "Enable filtering of IP fragments" check box.
When packet filtering is enabled, all TCP packets are rejected except those specified in the exception list.
The predefined exceptions (packet filters) are: DNS Lookup, ICMP All Outbound, ICMP Ping Response, ICMP Ping Query, ICMP Source Quench, ICMP Timeout, ICMP Unreachable, PPTP Call, PPTP Receive, SMTP, POP3, Identd, HTTP Server, HTTPS Server, NetBIOS (WINS client only), NetBIOS (All).
Packet filtering does not support user-level permissions, but access control does. Packet filtering: from the Web Proxy Service tab, choose Security, then the Packet Filters tab of the Security window. Access control is on the Permissions tab of the Web Proxy service properties window.
Packet filtering is disabled by default when Proxy is installed; you must first configure auto dial before you enable packet filtering.
A packet filter can be established for a packet type, datagram, or packet fragment.
VPNs are supported in conjunction with the RRAS service update for Windows NT Server. The RRAS PPTP server listens on TCP port 1723. When RRAS is running on a proxy server computer with packet filtering enabled, the admin must enable the predefined PPTP Receive filter.
You have a main and a branch office LAN; in the main office you have packet filtering enabled + RAS, in the branch there is a PPTP client, and both networks use RRAS and PPTP. How to configure packet filtering? (AT27) → enable the predefined PPTP Receive filter; enable the predefined PPTP Call filter.
Proxy security:
Enable access control and assign all users appropriate permissions.
Disable the external ports used for RPC listening, i.e. no RPC from internal hosts → deny listening on inbound service ports.
Disable all unnecessary services, such as the WINS client or Server service, on the external NIC.
Disable IP forwarding → prevents communication between internal hosts and Internet hosts.
Enable dynamic packet filtering → reduces the exposure of the proxy's external ports to the Internet.
*Exchange & Proxy: use Exchange Server internally to handle clients' e-mail, with Proxy.
Enable all branch clients to access the main office's Exchange server: on the branch office's proxy server, edit c:\msp\client\mspclnt.ini; in the [exchng32] and [mapisp32] sections make sure Disable=0.
Disable all branch clients from accessing the Exchange server: Disable=1 (0=no, 1=yes). Example: to prevent Exchange clients from making external connections, change the c:\msp\client\mspclnt.ini file on the proxy server; in the [exchng32] or [mapisp32] section set Disable=1.
Enable only one branch client to access the main office's Exchange server: make a custom wspcfg.ini file on the user's computer (on the Exchange server); the file overrides the Disable=1 setting in mspclnt.ini → wspcfg.ini overrides mspclnt.ini.
To enable a server application running in the internal network to receive requests from the Internet → create a wspcfg.ini file and save it in the app's directory (AT16).
To enable an internal Exchange server to provide internal users with e-mail connectivity through the proxy server (CT62):
1. The Internet Mail Service must be installed on the Exchange server and configured to use DNS for message delivery.
2. The Winsock Proxy client program must be installed on the Exchange server (add the proxy client on the Exchange server computer).
3. Bind the SMTP port on the Exchange server to TCP port 25 (SMTP client port) on the external NIC of the proxy server. To do this, create a wspcfg.ini that contains a ServerBindTcpPorts=25 line and place it in the same directory as the file msexcimc.exe; by default the location is the \exchsrvr\connect\msexcimc\bin directory of the Exchange server.
4. Add the IP of the Exchange server to the LAT.
5. The ISP's DNS server should be configured to point to the proxy server for queries for the Exchange server.
Multiple Exchange servers using IMS in Exchange services; to enable internal users to send/receive mail from the Net → choose 2:
Add the ext. IP of the proxy in each Exchange server.
Add a DNS server for the Internet + an MX resource record + a resource record specifying the proxy server as the mail server.
POP3 (port 110) is only used by clients to retrieve messages from e-mail servers (such as Outlook → cyberramp).
Only one port (either inbound or outbound) can be specified for the initial connection in a protocol definition.
The proxy should be configured to allow only inbound and outbound connections to TCP port 25, to prevent external e-mail clients from connecting to the Exchange server. The SMTP (client) protocol that uses outbound TCP port 25 is predefined on the proxy server.
*Caching:
Cache expiration policy (passive caching):
Updates are more important (more update checks): maintains the most recent cache data and downloads the web page most frequently; more downloads but the latest info. (Fresh)
Equally important: balances the freshest cache data and the best cache performance.
Fewer network accesses are more important (more cache hits): provides the quickest user response and the most cache hits; fewer downloads, faster retrieval. (Fast)
Enable active caching (active caching):
Faster user response is more important (more pre-fetching): performs more Internet retrievals and provides the freshest cache data for users. (Fresh)
Equally important: balances the need for current cache data and the best response rate for users.
Fewer network accesses are more important (less pre-fetching): provides the least Internet traffic and the oldest cache data stored on the server. (Fast)
Passive caching is on-demand and the most popular.
Enabling active caching lets the proxy server request information before it receives a request from the local clients, thus speeding up access for the clients.
Caching → only the Web Proxy service has it.
Minimum cache size = 100 MB + 0.5 MB * number of clients.
To make sure a URL is always the most recent → disable caching. This is not recommended; better to keep caching enabled and set a cache filter with "Never Cache" filtering status for that URL: Web Proxy - Caching - Advanced - Cache Filters - Add - Filtering Status. (If you disable caching, no URL will be cached; with a cache filter you can specify only one URL as "never cache" and still allow caching for the rest of the URLs.)
What tool should you use to gather information that is useful for improving the cache hit ratio on a proxy server? → the Web Proxy service log, not PerfMon.
If you suspect caching errors, such as caching stopping, check the Event Viewer.
Increase web access:
Add more proxy computers to the proxy array.
Allocate more space for caching on the proxy servers.
Upgrade the communication link between the proxy servers and the Internet (ISP).
To provide faster access to a dept., add a proxy server for the dept.'s subnet.
After upgrading IIS 3 to IIS 4 on a Proxy 2 machine, Proxy needs to be reinstalled. No need to uninstall first; just install on top of the existing Proxy.
To remotely monitor proxy servers, you need to have the same version of the client software on your system.
Proxy utilities:
remotmsp.exe utility (in the proxy server's c:\msp folder):
Remotely stop/start proxy services.
Remotely back up/restore the proxy config.
Set the proxy configuration remotely.
With a custom script (AT), it can be scheduled to do remote backup/restore.
wspproto.exe utility:
Used to remotely edit service protocol definitions.
Stop/start proxy services:
net stop|start w3svc - Web Proxy
net stop|start wspsvc - Winsock Proxy
net stop|start spsvc - Socks Proxy
mpklog.exe: the tool included with Proxy Server to create SQL tables for proxy server logging.
Win 3.x clients cannot use the Winsock Proxy service, but can use the Socks and Web services.
Reduce cache space from 600 to 500 MB, then restart the Web Proxy service for it to take effect; no need to reboot.
If a client uses a Win95 FTP app to download stuff from the web, it uses Winsock Proxy; if he uses IE/NN (a CERN-compliant web browser), it uses Web Proxy.
Proxy Server does not support NetBEUI.
A CERN-compliant web browser that uses Web Proxy does not depend on Winsock Proxy information such as the LAT and locallat.txt.
Only internal IP address ranges should be in the LAT → IP addresses in locallat.txt may be outside the internal IP range.
To monitor user actions on the internal web server, enable logging on the internal IIS server.
On the proxy server, the effective permission for a user is the combined permission of every group the user belongs to.
The Winsock Proxy service uses only NTCR authentication; it does not support Basic authentication.
If the LAT does not have either the internal or external IP → the error "none of the server's IP addresses are internal" occurs.
The following DHCP options should be configured to allow internal users to browse the entire internal network (CT64):
1. 44 - WINS/NBNS servers
2. 46 - WINS/NBT node type
3. Router
A firewall between the proxy server and the clients passes only TCP port 80; which protocols can you use for Internet access (BT2) → HTTP, HTTPS, FTP, Gopher only (no POP3, NNTP, SMTP).
Exam Cram
Memorize the role and location of the LATs; the difference between an array and a chain; the type of security supported by each service.
Routing tab, aggressive caching box?
Binary representation of the number 216 → 11011000; use the calculator.
CIDR representation of a class B network is /16; for class C it is /24.
Using the class system, the valid IP address assigned by InterNIC for class A is x.0.0.0; for class B it is x.y.0.0; for class C it is x.y.z.0.
Reverse proxy and reverse hosting, combined with IIS, create a secure web publishing environment.
Array:
An array member contains a script, written in JavaScript, which tells clients how to connect to the array.
To view the effective load factor and the status of a member of an array → http://servername/array.dll?Get.Info.v1
The default URL for clients to get the array routing script: http://servername/Array.dll?Get.Routing.Script
Multiple proxy servers and one T1 line: the best configuration is to put each T1 on one proxy server, with both servers in an array, then configure the upstream route on the other proxy server computers to point to the route.
Proxy arrays update each other; proxy chains don't. Upstream and downstream proxy servers do not update each other in a chained environment.
Chained proxies → hierarchical structure; proxy array → peer-to-peer-type configuration.
Issues for proxy arrays:
Array members not communicating with each other.
The number of arrays is too large.
Multiple administrators making changes.
An array provides better performance, better load balancing and better fault tolerance, but keeps the same bandwidth and security. Example: install a 2nd proxy server and configure an array; what would be increased? (choose 2) - Latency; Reliability; Bandwidth; Performance. (Answer: Reliability and Performance.)
Hashing is the mathematical algorithm used to determine which array member will provide the cache area for an Internet URL when it is retrieved.
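A simplified CARP-style hash routing, added here as an illustration and not Microsoft's implementation or the hash from the CARP specification: every URL is scored against every array member (highest-random-weight hashing, scaled by a constructed load factor), the top score owns the URL's cache area, and remapped_fraction shows the property that makes this hashing suitable for an array, that removing a member moves only the URLs that member owned. Member names, URLs and hash functions are assumptions.

```python
"""CARP-style cache routing within a proxy array (added illustration;
hash construction is simplified and not the CARP draft's)."""
import hashlib

# Constructed sample array and URL set, not from any real deployment.
SAMPLE_ARRAY = {"proxy1": 1.0, "proxy2": 1.0, "proxy3": 1.0}
SAMPLE_URLS = [f"http://www.example.test/page{i}.html" for i in range(300)]


def _hash32(s):
    """Stable 32-bit hash of a string (SHA-256 truncated; a constructed
    choice so results are reproducible across runs and machines)."""
    return int.from_bytes(hashlib.sha256(s.encode()).digest()[:4], "big")


def carp_score(url, member, load_factor=1.0):
    """Combine the URL with the member name into one hash and scale it by
    the member's load factor; the member with the highest score owns the
    URL. A load factor of 0 takes the member out of the running."""
    combined = _hash32(f"{member}|{url}")  # constructed combination
    return (combined / 2 ** 32) * load_factor


def pick_member(url, members):
    """members: dict of member name -> load factor. Returns the array
    member that will cache this URL."""
    return max(members, key=lambda m: carp_score(url, m, members[m]))


def remapped_fraction(urls, before, after):
    """Fraction of URLs whose owning member changes between two array
    configurations. Because each member's score is independent of the
    others, dropping a member only moves the URLs it owned."""
    moved = sum(1 for u in urls if pick_member(u, before) != pick_member(u, after))
    return moved / len(urls)


if __name__ == "__main__":
    for u in SAMPLE_URLS[:3]:
        print(u, "->", pick_member(u, SAMPLE_ARRAY))
    without_proxy3 = {k: v for k, v in SAMPLE_ARRAY.items() if k != "proxy3"}
    print("fraction remapped when proxy3 leaves:",
          remapped_fraction(SAMPLE_URLS, SAMPLE_ARRAY, without_proxy3))
```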
Proxy array replication/synchronization rule: all parameters which are not computer-specific are replicated.
In a proxy server array (CT67):
Information that is replicated to all proxy array members (also domain filters, web caching, LAT):
Web Proxy service access control information (security info)
Winsock Proxy service protocol definitions
SOCKS Proxy service permissions
Information that is not replicated to all proxy array members:
Web Proxy service cache directory location
Packet filters, filter alerts and logging information
You and another admin are changing parameters on different array members; he saves the changes, you don't, and you get a "refresh or overwrite" message. If both of you save, you get a "Synchronizing now or cancel" message.
TCP uses connection-oriented communication, which is stream-oriented communication.
Access control:
Control outbound access → port filtering.
Control outbound access → access control in Winsock Proxy: Permissions, and choose the protocol.
Control inbound access → packet filtering (and install the proxy server in its own domain).
To enable access control, you need to disable anonymous access.
To improve access time for sites that are updated and accessed weekly → set TTL% = 50% on the Web Proxy service properties page, Caching tab, Advanced Cache Policy page.
A socket number is created by combining the computer's IP address with the TCP or UDP port being used.
All proxy server services share domain filtering keys, alerting keys, and logging values. Caching values apply only to the Web Proxy service.
Calculate network capacity → number of users * bandwidth per user * 1.4 (allow 40% growth).
Define a domain filter → by domain name or IP address, not host name or NetBIOS name.
Permissions can be granted on a per-protocol basis to users and groups only for Web Proxy and Winsock Proxy.
Keep-alive packets are used to retain a connection to a remote server so that subsequent requests do not go through the resolution process.
Event Viewer source name for cache events: WebProxyCache
Grant web access to a local group → Web Proxy, Permissions, enable access control, add the group under the WWW protocol.
(?? To evenly distribute clients across all array members on the LAN → make a CNAME resource record with the same name and the IP address of each array member.)
BrainDump
400 users and 2 T1 lines, to balance requests → an array with 2 proxy servers, one T1 on each. Another example: 2 T1s, 2 proxies → connect 1 T1 to each proxy, establish an array.
How to make a list of the most frequently accessed sites: enable logging for either Web + Winsock or Web + Socks.
You can't use wildcards (*) in domain filtering, not even a dot in front of the domain → AT31, BT15. Example: *.moon.com → wrong! moon.com → right.
Prevent Unix clients from accessing IRC → deny access to TCP port 6667 from within the Socks service properties → AT26.
Anything to monitor on the external NIC → Network Monitor; anything related to the internal LAN → Perf. Mon.
CARP servers on the LAN in an array: an IE client using the automatic configuration script to find a URL → 1 hop. If the IE client is not using the automatic configuration script → 2 hops → AT37.
Optimize user access to www.trans.com/* → create a cache filter and set it to Always Cache → AT43 → Web Proxy service, Caching, Advanced, Cache Filters (advanced cache policy), Add.
The content caching feature is only supported by the Web Proxy service.
Retrieve the latest version of the requested URL → disable the cache.
To prevent Internet users from using the nbtstat command to get the NetBIOS cache of your system:
1. Enable packet filtering;
2. Disable/unbind all NetBIOS services from the external NIC;
3. Disable unnecessary services such as RAS, Server, etc.
Alerting:
To get notified of numerous packets being rejected at a high rate → use alerting (Rejected Packets item).
To get alerted when a proxy server running packet filtering is dropping packets → proxy server Security dialog box, Alerting tab, create an alert for rejected packets. The proxy server alerts or notifies on 3 events → from Web Proxy, Security, Alerting tab:
1. HD full;
2. Packets are rejected by the proxy server;
3. A protocol violation occurs.
If automatic configuration is enabled on the clients, the kind of file being downloaded is → JavaScript.
Check to make sure the content of the cache is optimally configured → Cache Hit Ratio; make sure the current cache size is good.
All proxy services can use autodial.
To cache objects during less busy hours → enable active caching.
Winsock supports both TCP and UDP.
Unix and Mac machines use both the Web and Socks services.
*Improve Cache Hit Ratio:
Ensure the most popular objects are cached.
Enable "fewer network accesses are more important" (more cache hits).
Increase the TTL.
Increase the cache size.
Specify the cache limit.
Want to log the packet filtering log and the Web Proxy log to a DB (choose 2):
Create one table for both.
Create a DSN.
2 proxies, A and B. A has an upstream route to B; how to configure in case B fails → configure a backup route to dial up. To enable connection to the web in case the upstream server fails in a chained proxy scenario → Web Proxy service properties, Routing, enable backup route, use direct connection (AT21).
12 LANs connected via a backbone and a proxy array; performance is slow → install 12 proxy servers and configure them with a direct connection to the Net (or point them to the array).
A belongs to groups X and Y; group X allows FTP while group Y does not; can A use FTP? → yes.
A client changed mspclnt.txt but it was not working the next day; why? → the server refreshed the client file and overwrote it.
To get a smaller cache size, increase or reduce the TTL setting for URLs?
The Edge Exam (same as 30% of the real test questions)
How many host IDs must you allow for when you define the subnet mask for the network:
One for each router interface; one for each network adapter installed in each host.
2 Windows Sockets DLLs: winsock.dll and wsock32.dll.
Protocols
Application protocols: Telnet, FTP, SMTP
Transport protocols: TCP/IP, IPX/SPX (not NetBIOS)
Network protocols: RIP, IP, ICMP
Gopher and FTP use TCP; NetShow and RealAudio use UDP.
A network protocol provides addressing and routing functions.
What services can you use if you have Mac, Unix and Windows in your network? → both Web and Socks Proxy, but not Winsock Proxy, because Winsock Proxy is only compatible with the Windows platform.
FTP manager:
FTP manager, default timeout → 15 min (900 sec); default max connections → 1000 (NT 3.51 only supports 20).
Its Advanced tab limits access to the FTP server in 2 ways: source systems, and network utilization.
Its Messages tab offers 3 options: welcome message, exit message, maximum connections message.
By default, the log file is in \winnt\system32\proxylogs, but it could be in \inetpub\proxylogs, \winnt\logs, a SQL DB, or anywhere the admin likes.
Proxy cannot be managed through HTML.
To support SQL (inbound port 1433, outbound ports 5000~32767) → Winsock Proxy service, Protocols, protocol definition, specify ports 5000~32767. Specifying the Winsock Proxy port range between 5000 and 32767 is recommended.
To prevent large files from being stored in the cache, set a size limit on cached objects (only Web Proxy has the Caching tab) → Web Proxy, Caching, Advanced, limit size of cached objects to xx KB.
To find out what sites the users are visiting, enable Web Proxy logging. This can include basic (regular) and detailed (verbose) info. regarding site access. By default, logging files are in c:\winnt\system32\msplogs. There are the following logs:
PFyymmdd.log  Packet filtering log  (Web Proxy, Security, Logging)
W3yymmdd.log  Web Proxy log         (Web Proxy, Logging)
WSyymmdd.log  Winsock Proxy log     (Winsock Proxy service, Logging)
SPyymmdd.log  Socks Proxy log       (Socks Proxy service, Logging)
Default log names: w3yymmdd.log or wsyymmdd.log.
The proxy server will block a site based on either its IP address or its name.
If the proxy server is configured to allow anonymous authentication, you still need to add the IUSR_systemname user account on the Permissions tab of the Web Proxy service properties dialog box, to allow everyone to access the public web.
Which of the following are functions of a proxy (choose 3 out of 4):
Address translation
Web page caching
Security
Line printer daemon (wrong!)
What features would you expect to find in Microsoft Proxy Server? (choose all answers)
Access authority
Event logging
Integration
Gateway services
Protocol translation
The DoD model, unlike the OSI model, comes with four layers:
DoD model             OSI model
process/application   application, presentation, session
host-to-host          transport
internet              network
network access        data link and physical
You want all clients to access the Net through the proxy server by name; you use DHCP to give the WINS address to all clients; what else do you give to the clients? → Option 46: WINS/NBT node type.
Which would you want to cache via the proxy server → text and graphic home page data.
Only Win95 uses both the 16-bit and 32-bit Winsock DLLs.
To install Proxy, run setup.exe, not install.exe.
Proxy server config: internal 172.16.10.169, mask 255.255.255.192; external 172.16.10.2, mask 255.255.255.0; what IP range should be in the LAT → 192.168.10.128 - 192.168.10.191
DNS and Proxy
Using DNS to provide load balancing of multiple proxy servers (round robin fashion):
Your network uses DNS; what to do to allow clients to access the web through the Web Proxy service → specify the DNS server IP on the proxy server. Add the local DNS server IP on the proxy server.
Multiple proxies using DNS → for each array member, create a separate A resource record containing the array's DNS name and the separate IP address of each member (CT4).
If you are running 3 proxy servers, each one should have a separate DNS record created → round robin approach (T87).
Users can't access remote URLs but can access local ones → specify DNS on the proxy server.
Configure web browsers and the Winsock Proxy client to point to the proxy server using its DNS name.
Add an A record in the DNS table to map the DNS name to the IP addresses of the internal NIC of each proxy server.
Assign the same DNS name to all proxy servers; add an A record in the DNS table for each internal IP of each proxy server.
Round robin: each proxy server should have at least one entry. A single DNS name that is serviced by multiple computers, each with its own IP address.
In the Winsock Proxy properties dialog box, to compile a weekly report → select the "Automatically open new log" check box and choose Weekly (T55).
IP forwarding can be enabled and disabled in the TCP/IP configuration, and from the router.
Issues for a multiple proxy server scenario:
Issues: servers do not communicate; security settings are different on the servers; the cache is different between servers.
Not issues: clients are Win95; clients use DNS.
Proxy servers do not communicate with each other unless configured in an upstream/downstream array configuration. Proxy servers communicate with each other using CARP (Cache Array Routing Protocol).
Install a proxy server on each department LAN and configure them to use the proxy server array on the backbone.
When PPTP filtering is enabled, no other packets are processed; this is why PPTP filtering is typically not used. So don't install PPTP on the proxy server machine.
Auto Dial:
Auto dial utility: adialcfg.exe, used to schedule the dialing hours of operation.
Set up proxy autodial to the ISP: 1. Create a DUN phone book entry; 2. Add the whole ISP dial address pool to the LAT.
Configure autodial in the proxy server services and specify the ISP account credentials.
After auto dial is installed, 3 services need to be restarted: WWW, Winsock Proxy, Web Proxy.
Secure a one-NIC-one-modem proxy → 1. disable IP forwarding; 2. disable the WINS client.
All proxy services can use the on-demand dialing service to access the Internet.
5 key components that can bottleneck a proxy server: HD, memory, network, CPU, cache.
With a slow network, or a cache that is too small, the data transmission rate and the number of users that can use the proxy server at a time will be affected.
The proxy server cannot fine-tune itself for internally controlled switches.
To speed up web browsing on work-related sites, create a cache filter for those domains and set Always Cache.
The "more cache hits" setting causes objects in the cache to have the maximum available TTL. This means that a cached object will be available on the proxy server for a longer period of time. The "more pre-fetching" setting causes a larger % of popular cached objects to be updated (T110).
IPX:
Proxy Server does not support IPX clients running Win 3.1 and WfW (only Win95 & NT). It does not support 16-bit IPX client drivers for Win95; you should install either MS drivers (TCP/IP) or Novell 32-bit drivers. Win95 clients need to install the Novell Client 32-bit IPX stack to be able to use IPX through the proxy server.
To allow IPX clients to use the Winsock Proxy service to access the Net, specify the NetBIOS name of the proxy server in the Client Installation/Configuration dialog box during proxy server setup.
The Web Proxy service is the only one that comes with caching capability; the Winsock and Socks services don't support it. Clients running only IPX won't get caching because they use the Winsock Proxy service for web access.
The IPX gateway on the proxy server is enabled by default.
All information delivered through the IPX gateway is converted by the proxy server except the data in the message.
By default, clients check with the server for updated configuration info., including the LAT, every 6 hours.
If NetBEUI is bound to both network adapters in a multi-homed system → error "machine name of proxy server already in use".
Unix computers only use Web Proxy, not Winsock Proxy; that's why they can't get RealAudio (no UDP).
If you add an Internet web server's IP to locallat.txt but don't configure the LAT, a client using a browser will use the Web Proxy service to access the intranet.
Scenario
Requirement → Answer
Make the web site appear to both internal and Internet users → Put the web server on the internal network, enable web publishing, configure mapping to the web server.
Protect the web servers from Internet attack → Enable dynamic packet filtering; add the HTTP (port 80) predefined filter (this is static packet filtering).
Minimize network traffic on the web server → Enable caching; configure content caching to always cache the content of the web site.
Minimize the number of client requests that will be received → Configure the clients' web browsers to use the proxy server for local addresses, to take advantage of the content cache.
Requirement → Answer
Provide internal users with Internet access; the Internet connection must be automatically established as needed → Create a RAS phone book entry; specify the phone book entry with the ISP's phone number; specify logon credentials (on the Credentials tab, not in the phone book entry); enable autodial.
Disable the Remote Access Autodial Manager in Control Panel, Services;
Disable "Enable auto-dial by location" in the user preferences for the phone book entry.
When the connection fails, re-establish it automatically → Enable "Redial on link failure" in the user preferences for the phone book entry.
Specify the appropriate number of redial attempts and the time between redial attempts.
The connection must be terminated after no activity for 10 min → Type 600 seconds in the "Idle seconds before hanging up" field.
※ Source: Moon Soft (月光软件站) http://www.moon-soft.com [FROM: 202.99.33.185]