I've had quite a bit of experience with MS Proxy Server, plus five weeks'
worth of Microsoft's support time!

MS Proxy Server does NOT act as a gateway, nil, non, zilch, nyet. Though
the blurb talks about packet filtering, it is not a packet filter as I
understand the term. To quote MS, the packet filtering "is only applied to
the external interface". Go figure what that means.

Put simply, you cannot route normal IP through the Proxy Server machine,
assuming IP forwarding is turned off, otherwise there's little point in
loading the Proxy Server software anyway. You have to configure your hosts
as clients to the Proxy Server.

For web access (http and ftp download) this can be done easily in the
configuration options of major web browsers such as MSIE and Netscape
Navigator. When the user requests "www.something.com" the browser
transparently sends the request to the Proxy, which looks in its cache or
fetches the page as necessary, then returns it to the browser. This works
OK, and can be quicker than direct fetches. The important thing to note is
that the browser only talks to the Proxy; it never reaches beyond it.

For other Internet applications, such as Telnet and the FTP program, or
mail systems, on a Windows-based system you need to configure the host as a
Winsock Proxy client. Winsock is fairly simple to configure. Again, it
intercepts IP system calls, and directs them at the Proxy Server, which
does the actual work, so the host never goes beyond the Proxy.

Unix-based hosts need to use the SOCKS client. This works in much the same
way as Winsock. However, I have found it more difficult because
documentation is sparse. Applications need to be "socksified", written in
such a way that the normal calls are replaced by calls on the Proxy.
Socksified applications are fairly freely available, but I am unaware of
any method for establishing whether what you already have is socksified or
not, other than using a sniffer, and I am always loath to change something
unless I really need to. However, the point is that the application only
ever talks to the Proxy Server.

MS Proxy Server has various security mechanisms which control who can use
which protocol, and to/from which machine. Their implementation of packet
filtering is part of this; you can allow DNS (UDP on port 53) only to
machine X, but that machine still has to be a SOCKS or Winsock proxy
client. It is NOT like Linux's controllable IP forwarding.

I have not followed this thread, so I do not know what the original
question was, but if you are having problems with MS Proxy Server, it is
highly likely because you misunderstood what it does, as I did, and as did
several of Microsoft's support experts. That's why it has taken five weeks
to get MS Exchange X.400 email working through the Proxy Server!

Neil

On Thursday, October 08, 1998 9:44 AM, Joao Campos
[SMTP:jcampos@icat137.icat.fc.ul.pt] wrote:
> Glynn Clements wrote:
>
> > > I'm running Linux on a 100mb network, isolated from the exterior by a
> > > gateway (MS, I think).
> >
> > A gateway, or a proxy?
>
> It's MS Proxy Server.
>
> > > I've set the default route to the IP of the gateway.
> >
> > This is sufficient if the `gateway' is a gateway, but not if it's a
> > proxy.
>
> I think MS Proxy server acts like both of them, because when I boot up my
> machine in NT I can ssh, telnet and *JDBC* outside. With ftp and http there
> is no problem, because the browser is configured, but everything else
> fails.
>
> Should I point out some specific port on the gateway, or giving the IP
> address is just enough?
>
> What else should I do?
>
>
> Thank you very much
>
>
> Joao Campos
>
> -
> To unsubscribe from this list: send the line "unsubscribe linux-net" in
> the body of a message to majordomo@vger.rutgers.edu
>
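
Added example, not part of the original thread: a sketch of the sniffer check mentioned above, deciding from the first bytes of a captured TCP flow whether a client is speaking SOCKS to the proxy or trying to reach the remote host directly. It assumes SOCKS version 4 framing (the thread does not say which version is in use); the addresses, the port 1080 and the sample payloads are constructed.

```python
import socket
import struct

REPLIES = {90: "granted", 91: "rejected or failed",
           92: "identd unreachable", 93: "identd user mismatch"}

def build_connect(dst_ip, dst_port, user=b""):
    """Bytes a SOCKS4 client sends to the proxy instead of dialing dst itself."""
    header = struct.pack("!BBH4s", 4, 1, dst_port, socket.inet_aton(dst_ip))
    return header + user + b"\x00"

def parse_request(payload):
    """Return (command, ip, port, user) for a SOCKS4 request, else None."""
    if len(payload) < 9:
        return None
    vn, cd, port, ip = struct.unpack("!BBH4s", payload[:8])
    end = payload.find(b"\x00", 8)
    if vn != 4 or cd not in (1, 2) or end == -1:
        return None
    command = "CONNECT" if cd == 1 else "BIND"
    return command, socket.inet_ntoa(ip), port, payload[8:end]

def parse_reply(payload):
    """Return the proxy's verdict for a SOCKS4 reply, else None."""
    if len(payload) < 8 or payload[0] != 0:
        return None
    return REPLIES.get(payload[1], "unknown code %d" % payload[1])

def looks_socksified(flow_dst, first_payload, proxy):
    """Sniffer check: flow goes to the proxy and opens with a SOCKS4 request."""
    return flow_dst == proxy and parse_request(first_payload) is not None

# Constructed sample data (documentation-range addresses, assumed port 1080).
PROXY = ("192.0.2.1", 1080)
SOCKS_FLOW = (PROXY, build_connect("198.51.100.7", 23, b"user"))
# A non-socksified telnet client: flow aimed at the remote host, telnet options first.
DIRECT_FLOW = (("198.51.100.7", 23), b"\xff\xfd\x18\xff\xfd\x20\xff\xfd\x23")

if __name__ == "__main__":
    for name, (dst, data) in (("socks", SOCKS_FLOW), ("direct", DIRECT_FLOW)):
        print(name, dst, looks_socksified(dst, data, PROXY), parse_request(data))
    print(parse_reply(b"\x00\x5a\x00\x17\xc6\x33\x64\x07"))
```

A flow that fails this check and is aimed past the proxy is the case described in the thread: with IP forwarding off, it goes nowhere.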