This page contains answers to common questions that you'll come
across while using Microsoft Proxy Server 2.0, along with some
tips and tricks that are useful and presented here as questions.
All material found here has been culled from the following newsgroups:
news://msnews.microsoft.com/microsoft.public.proxy and
news://msnews.microsoft.com/microsoft.public.proxybeta
- How do I set up Exchange Server behind Proxy 2.0?
- How do I set up Telnet Server behind Proxy 2.0?
- How do I set up Server Proxy for other applications?
- Why do I get this ERROR "Proxy Reports: Software caused connection to abort when trying to access web site on proxy server"?
- When I try to connect to an SSL page, I get three password prompts followed by "Access Denied".
- "An unexpected error has occurred, please restart Internet explorer and try again"
- Default web page from proxy server is returned for most Web Proxy HTTP requests!
- How can I make my PPTP client connect through Proxy 2.0 to a PPTP server?
- DNS issues when using Server Proxy with Exchange

In the following example, we will set up an Exchange 5.0
server behind a proxy server. POP clients and SMTP servers
on the Internet will need to contact the proxy server on the
appropriate port to communicate with the Exchange server.
1. Install and configure proxy server
2. Install and test the Winsock Proxy Client (WSP
Client) on the Exchange server.
3. Once the WSP client is working, additional
settings are required for server proxy. The settings
will have to be added to the MSPCLNT.INI or a
WSPCFG.INI file will have to be created. The
preferred method is to create a WSPCFG.INI file since
the settings in this file will not be global to all
WSP Client users.
4. The WSPCFG.INI needs to be placed in the directory
where the application .EXE file is installed. Since
Exchange has more than one .EXE that needs to be
bound to the proxy, more than 1 WSPCFG.INI file will
be needed.
5. The first wspcfg.ini will contain the information
needed for the Exchange SMTP service. Add the
information below to wspcfg.ini and place this file
in the directory where MSEXCIMC.EXE is located. The
SMTP port (25) will be bound to the proxy server's
port 25.
[MSEXCIMC]
ServerBindTcpPorts=25
Persistent=1
KillOldSession=1
6. The second wspcfg.ini is for the Exchange store
(STORE.EXE). Notice that additional ports can be
listed, since STORE.EXE provides NNTP on port 119 and
POP mail on port 110. Place this file in the
directory where STORE.EXE resides.
[STORE]
ServerBindTcpPorts=110,119,143
Persistent=1
KillOldSession=1
7. If dynamic packet filtering is enabled
(recommended), the proxy server will dynamically open
all necessary ports when they are requested. No
special filter configuration is needed.
8. Stop and start the Exchange services or reboot the
Exchange server for the new settings to take effect.
9. You should now be able to contact the Exchange
server by connecting to the proxy server's Internet
IP address using SMTP, NNTP or POP.
10. Verify that your DNS MX records refer to the
proxy server not the SMTP server itself.

For Telnetd, create a WSPCFG.INI file with the following
settings and place it in the directory where TELNETD.EXE
resides:
[TELNETD]
ServerBindTcpPorts=23
KillOldSession=1
Persistent=1

Remoting the Windows NT Simple TCP Services: If you
are NOT using access control, simply create a
WSPCFG.INI file with the following settings, place
it in the %Windir%\system32 directory, and reboot your
NT client:
[tcpsvcs]
ServerBindTcpPorts=7,9,13,17,19
RemoteBindUdpPorts=7,9,13,17,19
KillOldSession=1
Persistent=1
If you ARE using access control create a WSPCFG.INI
file with the following settings and place it in the
%Windir%\system32 directory and follow the additional
instructions:
[tcpsvcs]
ServerBindTcpPorts=7,9,13,17,19
RemoteBindUdpPorts=7,9,13,17,19
KillOldSession=1
Persistent=1
UseApplicationCredentials=1
(Note that the name of the flag
UseApplicationCredentials will be changed in the
release to ForceCredentials).
Create a local user account on the proxy server
(PROXY1). In this example, the name of the user is
'SimpleTcp' and the password 'some'.
On the server that is running the Simple TCP/IP
Services, store the credentials of this user account
in the Local Security Storage, using CREDTOOL :
CREDTOOL -w -n tcpsvcs -c SimpleTcp PROXY1 some
Note that tcpsvcs.exe is the name of the binary.
Finally, configure the protocols that the service is
using (see cut and paste from the configuration file
below):
[Chargen server TCP]
PrimaryPort=19,IN,TCP
User0=<PROXY1\SimpleTcp>
[Chargen server UDP]
PrimaryPort=19,IN,UDP
SecondaryPorts=1025-5000,OUT,UDP;
User0=<PROXY1\SimpleTcp>
[Daytime server TCP]
PrimaryPort=13,IN,TCP
User0=<PROXY1\SimpleTcp>
[Daytime server UDP]
PrimaryPort=13,IN,UDP
SecondaryPorts=1025-5000,OUT,UDP;
User0=<PROXY1\SimpleTcp>
[Discard server TCP]
PrimaryPort=9,IN,TCP
User0=<PROXY1\SimpleTcp>
[Discard server UDP]
PrimaryPort=9,IN,UDP
SecondaryPorts=1025-5000,OUT,UDP;
User0=<PROXY1\SimpleTcp>
[Echo server TCP]
PrimaryPort=7,IN,TCP
User0=<PROXY1\SimpleTcp>
[Echo server UDP]
PrimaryPort=7,IN,UDP
SecondaryPorts=1025-5000,OUT,UDP;
User0=<PROXY1\SimpleTcp>
[Quotd server TCP]
PrimaryPort=17,IN,TCP
User0=<PROXY1\SimpleTcp>
[Quotd server UDP]
PrimaryPort=17,IN,UDP
SecondaryPorts=1025-5000,OUT,UDP;
User0=<PROXY1\SimpleTcp>

Most Winsock applications should be able to take advantage
of server proxy. Some additional advanced settings may
be required depending on your setup:
ProxyBindIp=[IP Address] - Use this if you have more
than one IP address on the proxy server's external
NIC. It also allows you to bind more than 1 instance
of a port to the proxy. For example, if you have 5
FTP servers that you want to bind to port 21 on the
proxy, you will need 5 IP addresses on the internet
card on the proxy server. Each FTP server will use
ProxyBindIp to bind to a single address. Example:
If you have 2 IP addresses: 123.123.123.123 and
123.123.123.124, you can use one of them for your
services (POP and SMTP in this example):
ProxyBindIp=110:123.123.123.123, 25:123.123.123.123
The other address can be used by a second POP/SMTP
server if needed!
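Because each external address can carry only one binding per port, it helps to check the planned ProxyBindIp values of all internal servers together. The following Python check is an added example, not part of the original FAQ or of Proxy Server; the server names, the EXTERNAL_IPS set and the third server's entries are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: ProxyBindIp values collected from three internal servers.
# Host names are hypothetical; .123 and .124 are the page's example addresses.
EXTERNAL_IPS = {"123.123.123.123", "123.123.123.124"}
BINDINGS = {
    "mail1": "110:123.123.123.123, 25:123.123.123.123",
    "mail2": "110:123.123.123.124, 25:123.123.123.124",
    "mail3": "25:123.123.123.123, 110:123.123.123.125",
}

def parse_proxy_bind_ip(value):
    """Split 'port:ip, port:ip' into [(port, ip), ...], validating both parts."""
    pairs = []
    for item in value.split(","):
        port, sep, ip = item.strip().partition(":")
        if not sep or not port.isdigit() or not 0 < int(port) < 65536:
            raise ValueError(f"bad ProxyBindIp entry: {item!r}")
        # IPv4Address raises ValueError on a malformed address
        pairs.append((int(port), str(ipaddress.IPv4Address(ip.strip()))))
    return pairs

def check_bindings(bindings, external_ips):
    """Return sorted problems: duplicate (port, ip) claims and unknown addresses."""
    claims = defaultdict(list)
    problems = []
    for server, value in bindings.items():
        for port, ip in parse_proxy_bind_ip(value):
            if ip not in external_ips:
                problems.append(f"{server}: {ip} is not on the proxy's external NIC")
            claims[(port, ip)].append(server)
    for (port, ip), servers in claims.items():
        if len(servers) > 1:
            problems.append(f"port {port} on {ip} claimed by " + ", ".join(servers))
    return sorted(problems)
```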
ForceProxy=x - If you have a WSP array, you will probably
want the same proxy server to be used for the same
service, because the outside world will always look
for the same IP address, that of the proxy server. Use
the ForceProxy configuration option to force remoting
via the same proxy server.
Example:
By name: ForceProxy=n:Myproxy
By IP: ForceProxy=i:152.51.18.2
For IPX: ForceProxy=x:00000077-000000000001
* If you want to configure a service behind the
proxy, it is recommended to make it dependent on NtLmSsp.
NtLmSsp is the NTLM Security Provider. This service is
used by the WinSock proxy client. If that service
isn't running, remoting will be disabled. You can
make the service you are remoting dependent on
NtLmSsp using the SC.EXE utility from the NT
resource kit.
**** The following settings apply to proxy servers
that have Access Control enabled ****
* Services like Exchange can use a USER account,
unlike most services, which use the local SYSTEM
account. This user account should be used in protocol
permissions for the inbound connection on the proxy
server.
UseApplicationCredentials=1 - Some services can run
only in the system account. In this case the
configuration file should use the
UseApplicationCredentials flag (1=On 0=Off) and
alternate credentials should be stored in the local
security storage using CREDTOOL.EXE on
the client.
* A protocol must be defined for inbound traffic in
the WSP protocol list. Give access to the user
account that is used with the service. E.g. for SMTP
you should define the SMTP server protocol (TCP 25
IN). Other protocols might be more complicated. E.g.
FTP server protocol should look like TCP 21 IN, TCP
1025-5000 OUT.
* If you have an array of MSP proxies, don't use the
local user account. The permissions are replicated to
all the servers in the array. For arrays, use user
accounts in the domain. It is best to add special
accounts for server applications.
* The user account (local to the proxy or a domain
account) should be configured with a password that
never expires. If the password expires, the service
will stop working through the proxy with no visible
reason.
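Added example (not from the original FAQ or from Microsoft): with access control enabled, every port in ServerBindTcpPorts needs an inbound protocol definition with an account granted, so this Python check cross-checks a WSPCFG.INI against a protocol list in the format shown earlier on this page. It assumes both are available as text and covers TCP only; the sample protocol list is constructed, with two deliberate gaps.

```python
import configparser

# Constructed sample: the [tcpsvcs] file from this page, plus a cut-down protocol
# list in the page's format (Quotd is missing and Discard has no user, on purpose).
WSPCFG = """
[tcpsvcs]
ServerBindTcpPorts=7,9,13,17,19
RemoteBindUdpPorts=7,9,13,17,19
KillOldSession=1
Persistent=1
UseApplicationCredentials=1
"""
PROTOCOLS = r"""
[Chargen server TCP]
PrimaryPort=19,IN,TCP
User0=<PROXY1\SimpleTcp>
[Daytime server TCP]
PrimaryPort=13,IN,TCP
User0=<PROXY1\SimpleTcp>
[Discard server TCP]
PrimaryPort=9,IN,TCP
[Echo server TCP]
PrimaryPort=7,IN,TCP
User0=<PROXY1\SimpleTcp>
"""

def _parse(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp

def audit_inbound(wspcfg_text, protocols_text):
    """Map each TCP port a service binds on the proxy to its permission status."""
    granted = {}  # inbound TCP port -> accounts granted that protocol
    for sec in _parse(protocols_text).values():
        fields = [f.strip().upper() for f in sec.get("PrimaryPort", "").split(",")]
        if fields[1:] == ["IN", "TCP"]:
            users = [v for k, v in sec.items() if k.startswith("user")]
            granted.setdefault(int(fields[0]), []).extend(users)
    report = {}
    for sec in _parse(wspcfg_text).values():
        for port in filter(None, sec.get("ServerBindTcpPorts", "").split(",")):
            users = granted.get(int(port))
            if users is None:
                report[int(port)] = "no inbound protocol defined"
            else:
                report[int(port)] = ", ".join(users) or "no user granted"
    return report
```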

By default, Proxy 1.0 and Proxy 2.0 disable web
publishing on the server on which the proxy is installed.
This is done to minimize the number of services that
are available for a hacker to attempt to exploit.
You can enable web publishing by opening the
"publishing" tab in the Web Proxy service
properties. Select "enable publishing" and
"sent to local web server".
If you are trying to
connect to a secure SSL site through Web Proxy (using
HTTPS://) you may be prompted for a password three
times and receive an access denied message. This
should only occur when using Microsoft Internet
Explorer version 2.x and later in conjunction with
Windows NT Challenge/Response authentication on the
Proxy server.
More information as well as some workarounds can be
found in the Knowledge Base article below:
http://www.microsoft.com/kb/articles/q170/6/66.htm
(Article # Q170666)
This error may occur
when you open explorer or attempt to connect to a web
site with IE.
Cause: The Proxy auto configuration option is enabled
in IE (View/Options/Advanced/Automatic configuration)
and the proxy server is unreachable, or down.
Solution: Check client/server connectivity and verify
that the web proxy service is configured and running
correctly. Verify the LAT table includes all client
addresses. You can also disable the proxy
autoconfiguration by blanking out the URL box in the
autoconfiguration dialog.
Cause: The Proxy auto
configuration option is enabled in your web browser
(in IE, these settings can be found in
View/Options/Advanced/Automatic configuration) and
the proxy server has access control enabled with no
user permissions assigned.
Solution: Check the permissions tab in the Web Proxy
service and make sure the appropriate users have
access. Also, make sure the users have the 'log on
locally' user right on the proxy server. Or
simply disable access control.
PPTP clients behind a
proxy server will not pass through winsock proxy. To
work around this, you can install PPTP client on the
proxy server and connect (this is because you will
bypass the proxy services). Note, if you are using
packet filtering, you will have to enable the
predefined filter for PPTP Client.
REASON: Proxy proxies Winsock applications that use
TCP and UDP. The PPTP client is a Winsock application
that uses TCP to connect, but it also uses RPC, which
is at a different layer in the client stack. Proxy
will not recognize the RPC calls, and this is what
causes it to fail.

We found problems with Exchange resolving DNS MX
records for servers on the Internet. Here is the
solution, which can be added to the above instructions
and the new instructions in the latest docs,
"Configuring Server Proxy Parameters":
1. On the Exchange server, in control panel network,
configure TCPIP to use DNS. Note, winsock proxy will
automatically proxy the DNS MX request. Unlike other
WSP clients, you must configure this machine to use
DNS. This is because the MX record is different than
a regular GetHostByName.
2. If you have an internal DNS server for local name
resolution, use DHCP to configure the internal
server in addition to step 1. This will allow you to
use two DNS servers, one internal and one external, to
resolve names in both name spaces.