Concepts


The purpose of Proxy Server is fairly simple: to isolate your internal, private network from the outside, public Internet while still providing full access and functionality to your users who need to connect to the Internet. Sort of like a one-way glass mirror that lets you see out but doesn't let anyone see in.

Proxy Server maintains control of connectivity and isolates your internal network by having two (or more) completely separate physical connections—one to the Internet and one to your internal network. Each network is connected to a different network card on the proxy server, and all packets must pass through the Proxy Server software to get from one connection to the other.

The mechanisms that Proxy Server uses to achieve these aims are fairly straightforward. The following three basic techniques are used:

  • Network address translation
  • Packet filtering
  • Caching

Let's briefly look at each technique and then learn how to install and implement Proxy Server in a Windows 2000 environment.

Network Address Translation

Network address translation (NAT) hides your actual IP address from machines beyond the device doing the translation. Using Proxy Server isn't the only possible way to perform NAT. Windows 2000 Server also performs basic NAT, as do many routers or other network devices. If all you need is address translation, you might do fine with the ability already built into Windows 2000 Server, but Proxy Server provides a full package that goes beyond simple translation. When you run Proxy Server or use another method to perform NAT, the IP addresses assigned to your internal workstations and servers don't need to be "real," official IP addresses but can be any IP addresses you want.

REAL WORLD: IP Addresses for Internal Networks
While in theory you could use any internal IP addresses you want to, you definitely should not use ones that belong to someone else. So how can you take advantage of NAT so that you don't need to have official IP addresses for every machine on your network? Simple—use the addresses specially assigned for this purpose.

Way back when folks were first deciding how to parcel out IP addresses (and long before anyone figured out how to do NAT), they decided that there would be a need for addresses that could be used for test networks or other situations that didn't require using the official addresses. So they created a special set of IP addresses called private network addresses, defined in RFC 1918, to provide class A, class B, and class C networks for test or other networks that will not be physically connected to the Internet.

These private network addresses give you a much larger address space than would be possible if you had to stick to officially assigned addresses, while at the same time protecting the integrity of the Internet. If a machine with one of these addresses were to inadvertently connect to the Internet, it wouldn't conflict with another machine on the Internet, because Internet routers do not forward traffic for these addresses.

The following addresses are designated for private networks that won't be directly connected to the Internet. They can, of course, be connected to the Internet via Proxy Server or another method that performs NAT.

  • 10.0.0.0 through 10.255.255.255 (a single Class A network)
  • 172.16.0.0 through 172.31.255.255 (16 contiguous Class B networks)
  • 192.168.0.0 through 192.168.255.255 (256 contiguous Class C networks)

Proxy Server automatically includes these addresses in its local address table (LAT) when you initially install the program.

Another byproduct of using Proxy Server for address translation is that all the machines on your network appear to have the same single address to the outside world: the outside address of the proxy server itself. This is the only address that needs to have an official public IP address assigned to it, except for your router if that's how your connection is managed.
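The translation described above, as an added illustration that is not code from the book or from Proxy Server itself: a LAT built from the three RFC 1918 blocks, and a small port-address translator that sends every internal host out through the proxy's single public address and only maps replies back to a flow it opened. The class and function names, the starting port, and the 198.51.100.x/203.0.113.x addresses (documentation ranges) are all constructed for the example.

```python
import ipaddress
from itertools import count

# RFC 1918 ranges; Proxy Server puts the same three blocks in its LAT at install time.
LAT = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def in_lat(addr):
    """True if addr is an internal (RFC 1918) address, i.e. belongs in the LAT."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LAT)

class ProxyNat:
    """Port-address translation: every internal host leaves through one public address."""
    def __init__(self, external_ip, first_port=40000):
        self.external_ip = external_ip
        self.next_port = count(first_port)   # constructed: first public port handed out
        self.mappings = {}   # (int_ip, int_port, ext_ip, ext_port) -> public port
        self.by_port = {}    # public port -> that same 4-tuple

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite an internal->Internet packet; returns the translated 4-tuple."""
        if not in_lat(src_ip):
            raise ValueError(f"{src_ip} is not in the LAT; refusing to translate")
        if in_lat(dst_ip):
            raise ValueError(f"{dst_ip} is internal; traffic should not cross the proxy")
        flow = (src_ip, src_port, dst_ip, dst_port)
        if flow not in self.mappings:          # reuse the mapping for an existing flow
            port = next(self.next_port)
            self.mappings[flow] = port
            self.by_port[port] = flow
        return (self.external_ip, self.mappings[flow], dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_port):
        """Map a reply back to its internal host; None means no matching flow (dropped)."""
        flow = self.by_port.get(dst_port)
        if flow is None or flow[2:] != (src_ip, src_port):
            return None   # unsolicited, or a reply from a host we never talked to
        return (src_ip, src_port, flow[0], flow[1])

def demo():
    # Constructed addresses: 198.51.100.1 is the proxy, 203.0.113.7 a web server.
    nat = ProxyNat("198.51.100.1")
    out = nat.outbound("192.168.1.25", 51000, "203.0.113.7", 80)
    back = nat.inbound("203.0.113.7", 80, out[1])      # genuine reply
    stray = nat.inbound("203.0.113.8", 80, out[1])     # different host, same port
    return out, back, stray
```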

Packet Filtering

Since every packet that passes between the Internet and your internal network must first pass through the proxy server, Proxy Server is in a perfect position to act as a gatekeeper. With Proxy Server 2, Microsoft added the ability to filter packets, giving you many of the capabilities of a firewall. This packet filtering works by inspecting each packet to see which protocol is being used and whether it's a permitted connection.

When packet filtering is enabled, you can also restrict access to specific external sites or enable only certain external sites to be seen. In addition, some third-party Proxy Server plug-ins can add additional controls and functionality.
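The gatekeeper logic of the two paragraphs above, as an added example rather than Proxy Server's own rules: each packet is judged by the interface it arrived on, its protocol and port, a blocked-site list, and whether it answers a connection opened from inside. The policy, the packet layout, and the sample traffic are constructed; the example assumes inbound packets reach the filter after the translator has restored the internal destination address.

```python
import ipaddress

PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed policy, not Proxy Server's defaults: outbound protocol/port pairs users may
# open, and external hosts that are off limits (203.0.113.0/24 is a documentation range).
PERMITTED_OUTBOUND = {("tcp", 80), ("tcp", 443), ("tcp", 21)}
BLOCKED_SITES = {"203.0.113.9"}

def is_private(ip):
    a = ipaddress.ip_address(ip)
    return any(a in n for n in PRIVATE)

def filter_packet(pkt, flows):
    """Decide one packet. pkt: dict(iface, proto, src, sport, dst, dport).
    flows: set of (int_ip, int_port, ext_ip, ext_port) the proxy has already let out."""
    if pkt["iface"] == "internal":
        if not is_private(pkt["src"]):
            return "deny", "public source address on the internal interface"
        if pkt["dst"] in BLOCKED_SITES:
            return "deny", "destination is on the blocked-site list"
        if (pkt["proto"], pkt["dport"]) not in PERMITTED_OUTBOUND:
            return "deny", f"{pkt['proto']}/{pkt['dport']} is not a permitted protocol"
        flows.add((pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"]))
        return "permit", "outbound connection permitted"
    # external interface: only replies to connections opened from inside may enter
    if is_private(pkt["src"]):
        return "deny", "private source address arriving from the Internet"
    if (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"]) in flows:
        return "permit", "reply to a connection opened from inside"
    return "deny", "unsolicited inbound connection"

# Constructed sample traffic, walked through the filter in order.
SAMPLE = [
    dict(iface="internal", proto="tcp", src="192.168.1.25", sport=51000, dst="203.0.113.7", dport=80),
    dict(iface="external", proto="tcp", src="203.0.113.7", sport=80, dst="192.168.1.25", dport=51000),
    dict(iface="external", proto="tcp", src="203.0.113.50", sport=4444, dst="192.168.1.25", dport=51000),
    dict(iface="internal", proto="tcp", src="192.168.1.25", sport=51001, dst="203.0.113.9", dport=80),
    dict(iface="internal", proto="udp", src="192.168.1.25", sport=51002, dst="203.0.113.7", dport=6667),
    dict(iface="external", proto="tcp", src="10.0.0.9", sport=80, dst="192.168.1.25", dport=51000),
]

def run_sample():
    flows = set()
    return [filter_packet(p, flows)[0] for p in SAMPLE]
```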

Caching

Every organization has certain sites that virtually everyone seems to go to regularly. Even sites that are fairly dynamic have a lot of information (like HTML documents, graphics files, and so on) on them that doesn't change often. Proxy Server can cache information from frequently accessed sites so that when users on the network connect to the site, much of the information is actually being delivered from the proxy server, not from the remote site. Caching improves the apparent speed of your connection to the Internet significantly, since it provides the information locally for some of the more popular sites, and—by reducing the traffic required to the Internet for those sites—it increases the available bandwidth for all other sites that users visit.

Proxy Server can use the slack times when few users are connected to the Internet to check frequently accessed sites and make sure that the information it has stored for those sites is still current. This monitoring helps to balance and smooth out the demand on your Internet connection, reducing costs and providing improved throughput during busier times because fewer pages and images will need to be downloaded.


Microsoft Windows 2000 Server Administrator's Companion, Vol. 1
ISBN: 1572318198
Year: 2000
Pages: 366