FAQ

This page contains answers to common questions that you'll come across while using Microsoft Proxy Server 2.0, along with some useful tips and tricks presented here as questions.

All material found here has been culled from the following newsgroups:
news://msnews.microsoft.com/microsoft.public.proxy and
news://msnews.microsoft.com/microsoft.public.proxybeta

  1. How do I set up Exchange Server behind Proxy 2.0?
  2. How do I set up Telnet Server behind Proxy 2.0?
  3. How do I set up Server Proxy for other applications?
  4. Why do I get this ERROR "Proxy Reports: Software caused connection to abort when trying to access web site on proxy server" ?
  5. When I try to connect to an SSL page, I get three password prompts followed by "Access Denied".
  6. "An unexpected error has occurred, please restart Internet explorer and try again"
  7. Default web page from proxy server is returned for most Web Proxy HTTP requests!
  8. How can I make my PPTP client connect through Proxy 2.0 to a PPTP server?
  9. DNS issues when using Server Proxy with Exchange

How do I set up Exchange Server behind Proxy 2.0?
In the following example, we will set up an Exchange 5.0 server behind a proxy server. POP clients and SMTP servers on the Internet will need to contact the proxy server on the appropriate port to communicate with the Exchange server.

1. Install and configure the proxy server.

2. Install and test the Winsock Proxy Client (WSP Client) on the Exchange server.

3. Once the WSP client is working, additional settings are required for server proxy. The settings will have to be added to the MSPCLNT.INI or a WSPCFG.INI file will have to be created. The preferred method is to create a WSPCFG.INI file since the settings in this file will not be global to all WSP Client users.

4. The WSPCFG.INI needs to be placed in the directory where the application .EXE file is installed. Since Exchange has more than one .EXE that needs to be bound to the proxy, more than 1 WSPCFG.INI file will be needed.

5. The first wspcfg.ini will contain the information needed for the Exchange SMTP service. Add the information below to wspcfg.ini and place this file in the directory where MSEXCIMC.EXE is located. The SMTP port (25) will be bound to the proxy server's port 25.

[MSEXCIMC]
ServerBindTcpPorts=25
Persistent=1
KillOldSession=1

6. The second wspcfg.ini is for the Exchange store (STORE.EXE). Notice that additional ports can be listed, since STORE.EXE provides NNTP on port 119 and POP mail on port 110. Place this file in the directory where STORE.EXE resides.

[STORE]
ServerBindTcpPorts=110,119,143
Persistent=1
KillOldSession=1

7. If dynamic packet filtering is enabled (recommended), the proxy server will dynamically open all necessary ports when they are requested. No special filter configuration is needed.

8. Stop and start the Exchange services or reboot the Exchange server for the new settings to take effect.

9. You should now be able to contact the Exchange server by connecting to the proxy server's Internet IP address using SMTP, NNTP or POP.

10. Verify that your DNS MX records refer to the proxy server, not the SMTP server itself.

How do I set up Telnet Server behind Proxy 2.0?
For Telnetd, create a WSPCFG.INI file with the following settings and place it in the directory where TELNETD.EXE resides:

[fingerd]
ServerBindTcpPorts=79
KillOldSession=1
Persistent=1

Remoting the Windows NT Simple TCP Services: If you are NOT using access control, simply create a WSPCFG.INI file with the following settings, place it in the %Windir%\system32 directory, and reboot your NT client:

[tcpsvcs]
ServerBindTcpPorts=7,9,13,17,19
RemoteBindUdpPorts=7,9,13,17,19
KillOldSession=1
Persistent=1


If you ARE using access control, create a WSPCFG.INI file with the following settings, place it in the %Windir%\system32 directory, and follow the additional instructions:

[tcpsvcs]
ServerBindTcpPorts=7,9,13,17,19
RemoteBindUdpPorts=7,9,13,17,19
KillOldSession=1
Persistent=1
UseApplicationCredentials=1

(Note that the name of the flag UseApplicationCredentials will be changed in the release to ForceCredentials).

Create a local user account on the proxy server (PROXY1). In this example, the name of the user is 'SimpleTcp' and the password 'some'.

On the server that is running the Simple TCP/IP Services, store the credentials of this user account in the Local Security Storage, using CREDTOOL:

CREDTOOL -w -n tcpsvcs -c SimpleTcp PROXY1 some
Note that tcpsvcs.exe is the name of the binary.

Finally, configure the protocols that the service is using (see cut and paste from the configuration file below):

[Chargen server TCP]
PrimaryPort=19,IN,TCP
User0=<PROXY1\SimpleTcp>
[Chargen server UDP]
PrimaryPort=19,IN,UDP
SecondaryPorts=1025-5000,OUT,UDP;
User0=<PROXY1\SimpleTcp>
[Daytime server TCP]
PrimaryPort=13,IN,TCP
User0=<PROXY1\SimpleTcp>
[Daytime server UDP]
PrimaryPort=13,IN,UDP
SecondaryPorts=1025-5000,OUT,UDP;
User0=<PROXY1\SimpleTcp>
[Discard server TCP]
PrimaryPort=9,IN,TCP
User0=<PROXY1\SimpleTcp>
[Discard server UDP]
PrimaryPort=9,IN,UDP
SecondaryPorts=1025-5000,OUT,UDP;
User0=<PROXY1\SimpleTcp>
[Echo server TCP]
PrimaryPort=7,IN,TCP
User0=<PROXY1\SimpleTcp>
[Echo server UDP]
PrimaryPort=7,IN,UDP
SecondaryPorts=1025-5000,OUT,UDP;
User0=<PROXY1\SimpleTcp>
[Quotd server TCP]
PrimaryPort=17,IN,TCP
User0=<PROXY1\SimpleTcp>
[Quotd server UDP]
PrimaryPort=17,IN,UDP
SecondaryPorts=1025-5000,OUT,UDP;
User0=<PROXY1\SimpleTcp>

How do I set up Server Proxy for other applications?
Most Winsock applications should be able to take advantage of server proxy. Some additional advanced settings may be required depending on your setup:

ProxyBindIp=[IP Address] - Use this if you have more than one IP address on the proxy server's external NIC. It also allows you to bind more than 1 instance of a port to the proxy. For example, if you have 5 FTP servers that you want to bind to port 21 on the proxy, you will need 5 IP addresses on the internet card on the proxy server. Each FTP server will use ProxyBindIp to bind to a single address. Example:

If you have 2 IP addresses: 123.123.123.123 and 123.123.123.124, you can use one of them for your services (POP and SMTP in this example):

ProxyBindIp=110:123.123.123.123, 25:123.123.123.123

The other address can be used by a second POP/SMTP server if needed!


ForceProxy=x - If you have a WSP array, you will probably want the same proxy server to be used for the same service, because the outside world will always look for the same IP address, which is the IP of that proxy server. Use the ForceProxy configuration option to force remoting via the same proxy server.
Example:

By name: ForceProxy=n:Myproxy
By IP: ForceProxy=i:152.51.18.2
For IPX: ForceProxy=x:00000077-000000000001


* If you want to configure a service behind the proxy, it is recommended to make it dependent on NtLmSsp. NtLmSsp is the NTLM Security Provider. This service is used by the WinSock proxy client. If the service isn't running, remoting will be disabled. You can make the service you are remoting dependent on NtLmSsp using the SC.EXE utility from the NT resource kit.

**** The following settings apply to proxy servers that have Access Control enabled ****
* Services like Exchange can use a USER account unlike most services which use the local SYSTEM account. This user account should be used in protocol permissions for the inbound connection on the proxy server

UseApplicationCredentials=1 - Some services can run only in the system account. In this case the configuration file should use the UseApplicationCredentials flag (1=On, 0=Off), and alternate credentials should be stored in the local security storage using CREDTOOL.EXE on the client.

* A protocol must be defined for inbound traffic in the WSP protocol list. Give access to the user account that is used with the service. E.g. for SMTP you should define the SMTP server protocol (TCP 25 IN). Other protocols might be more complicated. E.g. FTP server protocol should look like TCP 21 IN, TCP 1025-5000 OUT.

* If you have an array of MSP proxies, don't use a local user account. The permissions are replicated to all the servers in the array. For arrays, use user accounts in the domain. It is best to add special accounts for server applications.

* The user account (local to the proxy or a domain account) should be configured with a password that never expires. If the password expires, the service will stop working through the proxy for no visible reason.
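
An added example (not from the original FAQ or from Microsoft): a small Python check for the ProxyBindIp rule described above, where several servers can publish the same port only if each one binds to its own external address. The host labels and the sample files are constructed; the parsing assumes only the key formats shown on this page.

```python
import configparser
from collections import defaultdict

# Constructed sample: two mail servers whose WSPCFG.INI both publish TCP 25.
# MAIL1 pins the port to one external address; MAIL2 has no ProxyBindIp.
MAIL1 = """[MSEXCIMC]
ServerBindTcpPorts=25
ProxyBindIp=25:123.123.123.123
Persistent=1
KillOldSession=1
"""
MAIL2 = """[MSEXCIMC]
ServerBindTcpPorts=25
Persistent=1
KillOldSession=1
"""

def parse_wspcfg(text):
    """Return [(section, tcp_ports, {port: external_ip})] for one WSPCFG.INI."""
    cfg = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cfg.read_string(text)
    result = []
    for name in cfg.sections():
        sec = cfg[name]
        ports = [int(p) for p in sec.get("ServerBindTcpPorts", "").split(",") if p.strip()]
        bind = {}
        # ProxyBindIp is a comma-separated list of port:ip pairs.
        for pair in sec.get("ProxyBindIp", "").split(","):
            port, sep, ip = pair.strip().partition(":")
            if sep:
                bind[int(port)] = ip.strip()
        result.append((name, ports, bind))
    return result

def find_conflicts(files):
    """files maps a host label (hypothetical) to its WSPCFG.INI text.
    Returns {port: [hosts]} for ports published by several hosts where a
    publisher has no ProxyBindIp entry or two share the same address."""
    claims = defaultdict(list)  # port -> [(host, ip or None)]
    for host, text in files.items():
        for _section, ports, bind in parse_wspcfg(text):
            for port in ports:
                claims[port].append((host, bind.get(port)))
    conflicts = {}
    for port, owners in claims.items():
        ips = [ip for _, ip in owners]
        if len(owners) > 1 and (None in ips or len(set(ips)) < len(ips)):
            conflicts[port] = sorted(host for host, _ in owners)
    return conflicts
```

Running `find_conflicts({"mail1": MAIL1, "mail2": MAIL2})` reports port 25 for both hosts; giving MAIL2 its own `ProxyBindIp=25:123.123.123.124` line clears it.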

Why do I get this ERROR "Proxy Reports: Software caused connection to abort when trying to access web site on proxy server" ?
By default, Proxy 1.0 and Proxy 2.0 disable web publishing on the server on which the proxy is installed. This is done to minimize the number of services that are available for a hacker to attempt to exploit.

You can enable web publishing by opening the "publishing" tab in the Web Proxy service properties. Select "enable publishing" and "sent to local web server".

When I try to connect to an SSL page, I get three password prompts followed by "Access Denied".
If you are trying to connect to a secure SSL site through Web Proxy (using HTTPS://) you may be prompted for a password three times and receive an access denied message. This should only occur when using Microsoft Internet Explorer version 2.x and later in conjunction with Windows NT Challenge/Response authentication on the Proxy server.

More information as well as some workarounds can be found in the Knowledge Base article below:

http://www.microsoft.com/kb/articles/q170/6/66.htm
(Article # Q170666)

"An unexpected error has occurred, please restart Internet explorer and try again"
This error may occur when you open explorer or attempt to connect to a web site with IE.

Cause: The Proxy auto configuration option is enabled in IE (View/Options/Advanced/Automatic configuration) and the proxy server is unreachable, or down.

Solution: Check client/server connectivity and verify that the web proxy service is configured and running correctly. Verify the LAT table includes all client addresses. You can also disable the proxy autoconfiguration by blanking out the URL box in the autoconfiguration dialog.

Default web page from proxy server is returned for most Web Proxy HTTP requests!
Cause: The Proxy auto configuration option is enabled in your web browser (in IE, these settings can be found in View/Options/Advanced/Automatic configuration) and the proxy server has access control enabled with no user permissions assigned.

Solution: Check the permissions tab in the Web Proxy service and make sure the appropriate users have access. Also, make sure the users have the "log on locally" user right on the proxy server. Or simply disable access control.

How can I make my PPTP client connect through Proxy 2.0 to a PPTP server?
PPTP clients behind a proxy server will not pass through winsock proxy. To work around this, you can install PPTP client on the proxy server and connect (this is because you will bypass the proxy services). Note, if you are using packet filtering, you will have to enable the predefined filter for PPTP Client.

REASON: Proxy proxies Winsock applications that use TCP and UDP. The PPTP client is a Winsock application that uses TCP to connect, but it also uses RPC, which is at a different layer in the client stack. Proxy will not recognize the RPC calls, and this is what causes it to fail.

DNS issues when using Server Proxy with Exchange
We found problems with Exchange resolving DNS MX records for servers on the Internet. Here is the solution, which can be added to the above instructions and the new instructions in the latest docs, "Configuring Server Proxy Parameters".

1. On the Exchange server, in control panel network, configure TCPIP to use DNS. Note, winsock proxy will automatically proxy the DNS MX request. Unlike other WSP clients, you must configure this machine to use DNS. This is because the MX record is different than a regular GetHostByName.

2. If you have an internal DNS server for local name resolution, use DHCP to configure for the internal server in addition to step 1. This will allow you to use two DNS servers, one internal and one external, to resolve names in both name spaces.

All products mentioned are registered trademarks of Microsoft Corporation.

Questions or problems regarding this web site should be directed to vinod@programmer.net.
Last modified: Saturday August 23, 1997.