Internet Security Professional Reference: Windows NT Internet Security


Proxy Server Features

The Proxy Server works by acting on behalf of internal users, hiding those users and the network they are on from the Internet. Large internal networks can run multiple proxy servers to handle the traffic of many users. Each proxy server can provide a path to the Internet for specific users or for specific services.

The hardware configuration for Microsoft Proxy Server was outlined earlier in the section “Proxy Server Connections.” The dual-homed server configuration pictured in figure 12.8 creates a virtual air gap between the Internet and the internal network, so hackers cannot subvert lower-layer systems and find a way through. Most important, IP routing must not be enabled between the two network interface cards in the system; this ensures that any traffic passing between the two networks is handled by the Proxy Server rather than forwarded by the operating system.

Proxy Server must be installed on a server that already has Microsoft Internet Information Server (IIS) installed. You cannot use IIS in this case to provide web services on the Internet but only as a foundation for the Proxy Server. The Proxy Server reconfigures IIS so that it does not listen to requests from the Internet but only from internal network clients. Microsoft does not recommend trying to configure the IIS/Proxy Server combination to publish information on the Internet. It should only be used to manage internal user access to the Internet.

Users can access the Proxy Server (and thus the Internet) through anonymous requests. For more security, user authentication similar to that available in IIS can be used. Once users are logged into an account, their access to Internet services can be controlled by permissions. Each Internet protocol, such as HTTP and FTP, is represented in the Proxy Server as an object, so permissions for each protocol can be granted to user accounts. The best way to do this is to create groups and then grant the groups access to protocols.

Filtering provides a way to restrict which Internet sites internal users can access, based on an IP address, an IP subnet, or a domain name. Filtering is configured in one of two ways:

  Grant access to all except for those specified.
  Deny access to all except for those specified.

The method you choose depends on whether the majority of sites are to be denied or granted and on the number of sites in the exception list. Once the list is created, it applies to all requests made by internal users to the Proxy Server. User-level filtering is not yet available, but Microsoft recommends setting up different Proxy Servers with different access levels to the Internet, and then granting eligible users access to those servers as appropriate.

Microsoft Proxy Server makes use of a LAT (Local Address Table) to define the systems on the internal network. The LAT is copied to client computers. When an application on the client attempts to establish a connection to an IP address, the LAT is referenced to determine whether the address is on the local network. If it is, a direct connection is made. If it is not, the request is forwarded to the Proxy Server. For security reasons, no external IP addresses should be included in the LAT.
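The three decisions described above (the client's LAT lookup, the per-protocol permission granted to groups, and the site filter in its "grant all except" or "deny all except" mode) fit together as one request path. The following Python is an added example written for this page, not Microsoft's code and not taken from the book; the LAT entries, group memberships, protocol permissions, and filter list are all constructed, and the audit check that flags LAT entries outside RFC 1918 space rests on the assumption that the internal network uses private addressing.

```python
import ipaddress

# All data below is constructed for this example; none of it comes from the book.
LAT = ["10.0.0.0/8", "192.168.0.0/16"]          # internal ranges, as a LAT would list them
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

GROUP_MEMBERS = {"WebUsers": {"alice", "bob"}, "FtpUsers": {"alice"}}
# Each protocol is an object; access is granted to groups rather than to individual users.
PROTOCOL_PERMISSIONS = {"HTTP": {"WebUsers"}, "FTP": {"FtpUsers"}}


def external_lat_entries(lat_entries):
    """Audit check (assumption: the internal network uses RFC 1918 space). Any LAT
    entry outside that space is suspect, because clients connect to LAT addresses
    directly and such traffic would bypass the proxy entirely."""
    flagged = []
    for entry in lat_entries:
        net = ipaddress.ip_network(entry, strict=False)
        if not any(net.subnet_of(r) for r in RFC1918):
            flagged.append(entry)
    return flagged


def is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def is_local(address, lat=LAT):
    """Client-side LAT lookup: is this address on the internal network?"""
    addr = ipaddress.ip_address(address)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in lat)


def route_decision(address):
    """Local addresses get a direct connection; everything else goes to the proxy."""
    return "direct" if is_local(address) else "proxy"


def protocol_allowed(user, protocol):
    """Permission check on the proxy: the user must be in a group granted the protocol."""
    groups = {g for g, members in GROUP_MEMBERS.items() if user in members}
    return bool(groups & PROTOCOL_PERMISSIONS.get(protocol, set()))


class SiteFilter:
    """The two filter modes from the text: grant all except the listed sites, or
    deny all except the listed sites. Entries may be an IP address, a subnet in
    CIDR form, or a domain name (which also matches its subdomains)."""

    def __init__(self, mode, entries):
        if mode not in ("grant_except", "deny_except"):
            raise ValueError("mode must be grant_except or deny_except")
        self.mode = mode
        self.networks, self.domains = [], []
        for entry in entries:
            try:
                self.networks.append(ipaddress.ip_network(entry, strict=False))
            except ValueError:            # not an address or subnet, so treat as a domain
                self.domains.append(entry.lower().strip("."))

    def listed(self, target):
        if is_ip(target):
            addr = ipaddress.ip_address(target)
            return any(addr in net for net in self.networks)
        host = target.lower().strip(".")
        return any(host == d or host.endswith("." + d) for d in self.domains)

    def allows(self, target):
        on_list = self.listed(target)
        return (not on_list) if self.mode == "grant_except" else on_list


def decide(user, protocol, target, site_filter):
    """One request end to end: LAT on the client, then protocol permission and the
    site filter on the proxy. Returns a short verdict string."""
    if is_ip(target) and is_local(target):
        return "direct"                   # never reaches the proxy
    if not protocol_allowed(user, protocol):
        return "denied: protocol"
    if not site_filter.allows(target):
        return "denied: site"
    return "allowed via proxy"


# Example policy: allow everything except one subnet and one domain.
EXAMPLE_FILTER = SiteFilter("grant_except", ["198.51.100.0/24", "example.net"])

if __name__ == "__main__":
    print("suspect LAT entries:", external_lat_entries(["10.0.0.0/8", "203.0.113.0/24"]))
    for req in [("alice", "HTTP", "10.2.3.4"), ("bob", "FTP", "ftp.example.org"),
                ("alice", "HTTP", "www.example.net"), ("bob", "HTTP", "www.example.org")]:
        print(req, "->", decide(*req, EXAMPLE_FILTER))
```

Note that the LAT check happens on the client before any proxy policy is consulted, which is exactly why the text insists that no external address appear in the LAT: a request to an address the LAT calls local is never seen by the proxy's permissions or filter.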

In general, Microsoft Proxy Server provides an excellent tool for controlling internal user access to the Internet while preventing attacks from the Internet. It also provides a caching feature that can improve performance for users. For more information about Proxy Server and to download a trial copy, visit Microsoft’s web site at http://www.microsoft.com.

The New Windows NT Directory Services Model

A directory service provides a way to store information about users, accounts, computers, and other resources in a hierarchical name space that includes containers. Readers familiar with X.500 naming systems or Novell Directory Services (NDS) will recognize these concepts. Windows NT Server Directory Service is Microsoft’s new technology for providing these advanced services in the Windows NT Server environment.

A typical hierarchical directory tree is pictured in figure 12.13. Here you can see that the divisions and departments of a company are broken up into organizational units (OU) in the tree’s hierarchy. An OU is a container that holds other OUs, user accounts, or representations of physical objects such as servers and printers.


Figure 12.13  Windows NT Directory Services organizes networks into hierarchical tree structures to make management easier.

In contrast, the older Windows NT domain system is a two-level structure that provides little flexibility for managing global organizations that are constantly changing. Account and security information is stored in a secure portion of the Registry with a flat, non-hierarchical structure. Compared to this older domain model, the new directory services model can be thought of as a “hierarchical tree of domains” with each OU representing a domain. At the same time, Windows NT Directory Services is backward-compatible with the traditional Windows NT domain model.

Hierarchical directory structures are ideal for tracking all the people and resources within an organization, no matter how large or global its operations. This structure makes it easy to group user accounts and resources even if those users and resources are spread out over large geographic areas. Geography is no longer a factor in network management.

Because of the hierarchical structure, administrators can be delegated to manage various branches of the directory tree. In other words, an administrator can be granted rights to create and manage users or groups within an OU. At the same time, administrators higher up in the directory tree can “watch over” all the lower level branches to ensure that administration is handled correctly.
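The delegation model just described, in which rights granted on an OU apply to the whole branch beneath it and an administrator higher in the tree can still oversee lower branches, can be shown with a small tree walk. The Python below is an added example for this page, not Microsoft's implementation and not from the book; the OU names, objects, and delegations are constructed, and the rule that an administrator may delegate only within a branch they already manage is an assumption added for least privilege rather than something the text states.

```python
# Constructed directory tree for this example (not from the book): each OU maps to
# its parent, every object lives in one OU, and administrators are delegated whole OUs.
OU_PARENT = {"Corp": None, "Engineering": "Corp", "Servers": "Engineering", "Sales": "Corp"}
OBJECT_OU = {"user:alice": "Engineering", "printer:eng-laser": "Servers", "user:carol": "Sales"}
DELEGATIONS = {"rootadmin": {"Corp"}, "engadmin": {"Engineering"}, "salesadmin": {"Sales"}}


def ancestors(ou):
    """The OU itself followed by every container above it, up to the root."""
    chain = []
    while ou is not None:
        chain.append(ou)
        ou = OU_PARENT[ou]
    return chain


def can_manage(admin, obj, delegations=DELEGATIONS):
    """Rights granted on an OU flow down to everything beneath it, so an administrator
    manages an object if any OU on the object's path to the root is delegated to them."""
    return any(ou in delegations.get(admin, set()) for ou in ancestors(OBJECT_OU[obj]))


def managed_objects(admin, delegations=DELEGATIONS):
    """Everything a given administrator can see and manage, sorted for stable output."""
    return sorted(obj for obj in OBJECT_OU if can_manage(admin, obj, delegations))


def delegate(grantor, grantee, ou, delegations=DELEGATIONS):
    """Assumption (least privilege, not stated in the text): an administrator may only
    hand out rights inside a branch they already manage. Returns an updated table and
    leaves the original untouched."""
    if ou not in OU_PARENT:
        raise KeyError(ou)
    if not any(a in delegations.get(grantor, set()) for a in ancestors(ou)):
        raise PermissionError(f"{grantor} does not manage {ou}")
    updated = {k: set(v) for k, v in delegations.items()}
    updated.setdefault(grantee, set()).add(ou)
    return updated


if __name__ == "__main__":
    for admin in DELEGATIONS:
        print(admin, "manages", managed_objects(admin))
    after = delegate("engadmin", "dave", "Servers")
    print("dave manages", managed_objects("dave", after))
```

Because `can_manage` walks the object's path to the root, the root administrator's single grant on Corp covers every object, while the engineering administrator sees only the Engineering subtree, which is the "watch over" relationship the text describes.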

Windows NT Directory Services can be viewed as a service provider as shown in figure 12.14. Note that each of the services shown accesses Directory Services for information related to users or processes on the network.


Figure 12.14  Windows NT Directory Services can provide naming, security, accounting, and other services to a variety of applications and services.

