Outline, Chapter 6, Designing a Microsoft Windows 2000 Network Infrastructure
Chapter 6, Proxy Server in Internet and Intranet Designs
Chapter 6 Overview
A. Designs That Include Proxy Server
   1. Identify the requirements and constraints for creating a Proxy Server design.
   2. Understand the relationship between Proxy Server and Microsoft Windows 2000.
   3. Understand the role of Proxy Server in the Windows 2000 architecture.
   4. Determine when it's appropriate to use Proxy Server in a networking design.
B. Essential Proxy Server Design Concepts
   1. Determine where to place proxy servers in your design.
   2. Configure each proxy server interface.
   3. Set up the LAT for each proxy server and its clients.
   4. Determine the best way to connect each client computer to the proxy servers.
C. Data Protection in Proxy Server Designs
   1. Identify the ways Proxy Server can protect inbound and outbound network traffic.
   2. Use Proxy Server to protect private network resources from inbound Internet traffic.
   3. Use Proxy Server to protect outbound data traffic.
D. Proxy Server Design Optimization
   1. Learn strategies to increase network availability for both inbound and outbound traffic.
   2. Learn strategies to increase the data transmission rate for inbound and outbound traffic.
Chapter 6, Lesson 1
Designs That Include Proxy Server
1. Proxy Server 2.0 and Windows 2000
A. Proxy Server 2.0 provides Internet connectivity for IP- and IPX-based networks.
B. You purchase Proxy Server as a separate product.
C. Proxy Server is a group of services that runs on Windows 2000.
   1. Proxy Server uses IP in Windows 2000 to communicate with the private network and the Internet.
   2. You can use Proxy Server to assign permissions to Active Directory-based groups and users.
   3. Proxy Server uses NTFS partitions to store locally cached Web objects, such as HTML pages or FTP files.
2. Proxy Server Design Requirements and Constraints
A. Collect design requirements and constraints before creating your design.
B. Base design decisions on those requirements and constraints, including
   1. Amount and confidentiality of data transmitted through the proxy server
   2. Private network resources that need to be accessible to Internet-based users
   3. Plans for future network growth
   4. Characteristics of existing proxy servers, including
      a. The protocols that the private network uses
      b. Proxy server placement
      c. Wide area network (WAN) connections used
      d. Response times for applications that access resources through proxy servers
   5. Network availability requirements (uptime)
3. Proxy Server Design Decisions
A. Base design decisions on your organization's requirements and constraints.
B. Decide what technologies and protocols each proxy server will support.
   1. Types of connections (persistent or nonpersistent)
   2. Types of Proxy Server clients
   3. Connection methods
      a. T1
      b. Public Switched Telephone Network (PSTN)
      c. Integrated Services Digital Network (ISDN)
      d. Digital Subscriber Line (DSL)
      e. X.25
C. Decide which dynamic routing protocols or manual routing tables each router will support.
D. Determine how you will use multiple connections and multiple proxy servers to improve availability and performance.
E. Determine how you will filter network traffic.
4. Internet Connectivity Designs
A. Most of the networks you design will include Internet connectivity.
B. Internet connectivity designs provide
   1. Internet access for private network users
   2. Private network access for Internet-based users
C. In Internet connectivity designs, the proxy server takes the place of a firewall, so the proxy server itself must enforce the traffic restrictions described in Lesson 3.
D. You can use Proxy Server features to increase the security of your design by
   1. Preventing unauthorized access to private network resources
   2. Allowing only authorized users to access Internet resources
   3. Automatically performing network address translation between the private network and the Internet
   4. Supporting public and private IP addressing schemes
   5. Caching Web content locally, thus reducing network traffic and improving Internet access performance
   6. Providing Internet connectivity over any network interface that Windows 2000 supports
5. Web Content Caching Designs
A. You can create Web content caching designs to improve performance on networks that have existing firewalls that provide security between the private network and the Internet.
B. A Web content caching design improves Internet access performance but does not provide additional security.
C. With Web caching, the proxy server first checks for the requested URL content in its cache rather than automatically sending each request to the Internet server.
   1. From a client computer, a user types or enters a URL to access a Web page.
   2. The URL request is forwarded to the proxy server.
   3. The proxy server checks the local cache to determine whether the URL content is already cached.
      a. If the URL content is already cached, the proxy server returns it to the client computer, and the process is complete.
      b. If the URL content is not cached, the proxy server requests it from the Internet server.
   4. The Internet server returns the URL content to the proxy server.
   5. The proxy server returns the content to the client computer and places the content in the local cache.
D. Each proxy server in a Web content caching design must
   1. Manage at least one NTFS partition, which must be large enough to store frequently accessed Web content
   2. Include at least one network adapter
   3. Be capable of connecting over the network interfaces used in your design
6. IPX to IP Gateway Designs
A. IPX to IP gateway designs let you provide Internet connectivity or simple IP connectivity to IPX-based private networks.
B. You can use Proxy Server to connect IPX-based private networks to the Internet.
C. Proxy Server's IPX to IP gateway feature translates URL information from IPX packets to IP packets, and vice versa.
   1. From a client computer on the private network, a user types or enters a URL to access an Internet resource (Web page).
   2. IPX forwards the client computer's URL request to the proxy server.
   3. The proxy server receives the request and moves the URL request from the IPX packet to an IP packet.
   4. The proxy server forwards the repackaged URL request to the Internet server.
   5. The Internet server returns the Web content to the proxy server.
   6. The proxy server receives the response from the Internet server and moves the URL response from the IP packet to an IPX packet.
   7. The proxy server forwards the URL response to the client computer.
D. Each proxy server in an IPX to IP design must
   1. Meet all Internet connectivity design requirements
      a. Simple IPX to IP gateway services require only one network interface.
      b. Two network interfaces are required if you also want to provide Internet connectivity security.
   2. Use the appropriate protocol (IPX or IP) to communicate with each network segment
E. In an IPX to IP gateway design, install the Proxy Server client software on each IPX-based computer that accesses Proxy Server.
Chapter 6, Lesson 2
Essential Proxy Server Design Concepts
1. Placing Proxy Servers in the Network Design
A. Place proxy servers according to your organization's requirements.
   1. For Internet connectivity, place the proxy server between your private network and the Internet.
   2. For Web content caching, place the proxy server inside your private network so that it is local to the users who request Web content.
   3. For Internet connectivity and Web content caching, use two proxy servers:
      a. One between your private network and the Internet
      b. One inside your private network so that it is local to the users who request Web content
B. You might want to position the proxy server parallel to the IP routers to
   1. Load balance network traffic
   2. Forward HTTP and FTP traffic through the proxy server, and forward all other IP traffic through the router (traffic that bypasses the proxy server is not subject to its filters)
2. Determining Proxy Server Interface Specifications
A. Each proxy server needs at least one network interface.
   1. To provide Web content caching or IPX to IP gateway services, specify only one network interface.
   2. To provide Internet connectivity, specify at least two network interfaces.
B. Specify the following for each interface in each proxy server in your design:
   1. Connection type (persistent or nonpersistent)
   2. IP configuration information for all interfaces connected to IP network segments
      a. IP address
      b. IP subnet mask
   3. IPX configuration information for all interfaces connected to IPX network segments
      a. IPX network number
      b. IPX frame type
3. Specifying the Proxy Server LAT Information
A. Proxy servers and proxy server clients use the LAT information to determine whether a destination IP address resides in the private network.
B. The LAT must contain a list of all IP address ranges in the private network.
C. You can create and update the LAT automatically or manually.
   1. Automatically create the LAT using local Windows 2000 IP configuration information, including
      a. Windows 2000 IP routing information
      b. IP configuration of local network interface adapters
   2. Manually enter LAT information by specifying an entry for each IP network number that exists in the private network.
D. When Proxy Server clients install the client software, a copy of the LAT is automatically downloaded to the client computer.
   1. On client computers, automatic installation and management of LAT information is available only when the client software is installed.
   2. The Proxy Server client is the only method that allows automatic installation and management of LAT information.
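The LAT decision described above, as an added example (not Microsoft's code and not part of the original outline): a client looks the destination address up in the LAT ranges and goes direct on a hit, through the proxy on a miss. The "[Ranges]" file layout with "first last" address pairs is an assumption modelled on the msplat.txt file; the chapter only says the LAT lists the private ranges. The audit function is the check a practitioner wants before shipping a hand-built LAT: a private subnet that is missing sends internal traffic to the proxy, and an entry that covers public address space lets clients bypass the proxy, and its filters, for those destinations.

```python
"""LAT lookup as a Proxy Server client performs it: a destination inside a
LAT range is reached directly, anything else goes through the proxy.
Added illustration, not Microsoft's code.  The '[Ranges]' layout with
'first last' address pairs is an assumption modelled on msplat.txt."""
import ipaddress

# Constructed sample LAT (assumed msplat.txt-style layout).  Note the
# deliberate gap: only 192.168.1.0/24 is listed, not all of 192.168.0.0/16.
SAMPLE_LAT = """\
[Ranges]
10.0.0.0 10.255.255.255
172.16.0.0 172.31.255.255
192.168.1.0 192.168.1.255
"""


def parse_lat(text):
    """Return a list of (first, last) integer address pairs from LAT text."""
    ranges = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("[") or line.startswith(";"):
            continue  # section header, comment or blank line
        first, last = line.split()
        lo = int(ipaddress.IPv4Address(first))
        hi = int(ipaddress.IPv4Address(last))
        if lo > hi:
            raise ValueError(f"inverted LAT entry: {line}")
        ranges.append((lo, hi))
    return ranges


def is_local(addr, ranges):
    """True if addr lies in any LAT range, i.e. the client talks to it directly."""
    n = int(ipaddress.IPv4Address(addr))
    return any(lo <= n <= hi for lo, hi in ranges)


def route(addr, ranges):
    """Decision a LAT-aware client makes for a destination address."""
    return "direct" if is_local(addr, ranges) else "proxy"


def audit_lat(ranges, private_networks):
    """Design check for a hand-built LAT.

    A private subnet missing from the LAT makes clients send that internal
    traffic to the proxy; a LAT entry covering public address space makes
    clients bypass the proxy, and with it its filters, for those destinations.
    Returns (uncovered_private_subnets, public_lat_entries) as CIDR strings.
    """
    uncovered = []
    for net in map(ipaddress.IPv4Network, private_networks):
        lo, hi = int(net.network_address), int(net.broadcast_address)
        if not any(rlo <= lo and hi <= rhi for rlo, rhi in ranges):
            uncovered.append(str(net))
    public = []
    for lo, hi in ranges:
        for net in ipaddress.summarize_address_range(
                ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi)):
            if not net.is_private:
                public.append(str(net))
    return uncovered, public


if __name__ == "__main__":
    lat = parse_lat(SAMPLE_LAT)
    for dst in ("10.3.4.5", "192.168.1.20", "192.168.2.1", "198.51.100.7"):
        print(dst, "->", route(dst, lat))
    print(audit_lat(lat, ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]))
```

With the sample LAT, 192.168.2.1 is routed to the proxy even though it is a private address, which is exactly the gap the audit reports; the same check run on a LAT containing 8.8.8.0-8.8.8.255 reports that entry as public.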
4. Selecting the Proxy Server Client Support
A. Proxy Server supports a variety of client operating systems.
B. Determine which client operating systems your design will support.
C. Determine the types of Proxy Server client support you will provide:
   1. The Windows Proxy Server client supports Windows 2000 and Microsoft Windows Me as well as IPX to IP gateways. This method redirects all IP traffic through Proxy Server.
   2. Microsoft Internet Explorer 5.0 support works on any operating system that includes Internet Explorer 5.0. This method redirects only HTTP and FTP traffic through Proxy Server.
   3. SOCKS supports UNIX, Macintosh, and other operating systems that use the SOCKS standard.
   4. Default gateway support works with any operating system by configuring the default gateway setting to redirect all nonlocal traffic to the proxy server.
D. Provide Proxy Server support for each client operating system used in your design.
   1. For Windows 2000, select Proxy Server client software, Internet Explorer 5.0, or default gateway support.
   2. For Windows Me, select Proxy Server client software, Internet Explorer 5.0, or default gateway support.
   3. For Macintosh clients, select SOCKS, Internet Explorer 5.0, or default gateway support.
   4. For UNIX systems, select SOCKS, Internet Explorer 5.0 (if your version of UNIX supports it), or default gateway support.
Chapter 6, Lesson 3
Data Protection in Proxy Server Designs
1. Identifying Proxy Server Data Protection Methods
A. If you use Proxy Server to provide Internet connectivity, you need to protect your organization's data.
   1. Protect private network resources from unauthorized users.
   2. Restrict user access from your private network to Internet resources, if necessary.
B. If you use Proxy Server to provide Web content caching only, use firewalls or other security methods to provide network security.
C. Any proxy server that provides security must contain at least two network interface adapters to separate the private network from the Internet.
D. You can use a combination of methods to protect your organization's data.
   1. Packet filters method
      a. Protects inbound and outbound traffic
      b. Uses the criteria you specify for all types of IP traffic to restrict both inbound and outbound traffic
   2. Web publishing method
      a. Protects inbound traffic
      b. Restricts inbound traffic based on the requested URL
   3. Domain filters method
      a. Protects outbound traffic
      b. Restricts outbound traffic by a single IP address, a range of IP addresses, or a fully qualified domain name (FQDN)
   4. User authentication method
      a. Protects outbound traffic
      b. Restricts outbound traffic to authenticated users only
2. Protecting Private Network Resources
A. If you use Proxy Server to provide Internet connectivity, protecting your private network resources is your top security concern.
B. Base design decisions on your organization's security needs.
C. To protect private network resources, restrict inbound traffic using one or both of these methods:
   1. Packet filtering
   2. Web publishing
D. For Proxy Server packet filtering, base traffic restriction criteria on any combination of IP header information.
   1. Direction
      a. Specifies the direction of the IP traffic, relative to the Proxy Server network interface
      b. For maximum security, restrict inbound traffic on the Proxy Server interface connected to the Internet, so that blocked packets are dropped at that interface and never reach the Proxy Server services.
   2. Protocol ID
      a. Specifies the IP protocol number (for example, TCP, UDP, or ICMP) of the traffic
      b. Use the protocol ID to restrict traffic based on applications or specific services.
   3. Local port
      a. Specifies the Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) port number within the private network
      b. For inbound traffic, the local port number is the destination port number.
      c. Allows you to restrict access to a specific port number or range of port numbers
   4. Remote port
      a. Specifies the TCP or UDP port number on the Internet
      b. Allows you to restrict access from a specific port number or range of port numbers
   5. Local host IP address
      a. Specifies the IP address of a computer on the private network (usually the IP address of the Proxy Server interface connected to the Internet)
      b. Allows you to restrict traffic to any IP address within the private network
   6. Remote host IP address
      a. Specifies the IP address of a computer on the Internet
      b. Allows you to restrict inbound traffic to a specific range of IP addresses
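The six criteria above, evaluated as a filter table, as an added example (not Microsoft's code and not part of the original outline). The filters are modelled as an allow list with a default deny, which is the posture the "for maximum security" advice implies; the addresses, the filter table and the sample packets are constructed for this example. The table admits only HTTP to the published site's listener, replies from one resolver to the proxy's own DNS queries, and the proxy's outbound Web fetches; everything else, including an SMB probe, a spoofed DNS reply from another source and a packet aimed at an internal host, is dropped.

```python
"""Packet-filter evaluation over the chapter's six criteria: direction,
protocol ID, local port, remote port, local host, remote host.
Added illustration, not Microsoft's code; allow list with default deny
(an assumption), constructed addresses, filters and packets."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

TCP, UDP, ICMP = 6, 17, 1   # IP protocol IDs
ANY = None                  # wildcard for any criterion


@dataclass(frozen=True)
class Packet:
    direction: str          # "inbound" or "outbound", relative to the Internet interface
    protocol: int
    local_host: str         # address on the private/proxy side
    local_port: Optional[int]
    remote_host: str        # address on the Internet side
    remote_port: Optional[int]


@dataclass(frozen=True)
class Filter:
    """One allow entry; every criterion must match (ANY matches anything)."""
    direction: str
    protocol: Optional[int] = ANY
    local_host: Optional[str] = ANY               # address or CIDR
    local_port: Optional[Tuple[int, int]] = ANY   # inclusive range
    remote_host: Optional[str] = ANY              # address or CIDR
    remote_port: Optional[Tuple[int, int]] = ANY

    def matches(self, p: Packet) -> bool:
        return (self.direction == p.direction
                and (self.protocol is ANY or self.protocol == p.protocol)
                and _host_ok(self.local_host, p.local_host)
                and _port_ok(self.local_port, p.local_port)
                and _host_ok(self.remote_host, p.remote_host)
                and _port_ok(self.remote_port, p.remote_port))


def _host_ok(spec, addr):
    if spec is ANY:
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def _port_ok(spec, port):
    if spec is ANY:
        return True
    return port is not None and spec[0] <= port <= spec[1]


def decide(packet: Packet, filters) -> str:
    """'allow' if any filter matches, otherwise 'deny' (default deny)."""
    return "allow" if any(f.matches(packet) for f in filters) else "deny"


# Constructed filter table for a proxy whose Internet interface is
# 203.0.113.10 (documentation address) and that publishes one Web site.
PROXY_EXT = "203.0.113.10"
FILTERS = [
    # Inbound HTTP to the published site's listener only.
    Filter("inbound", TCP, local_host=PROXY_EXT, local_port=(80, 80)),
    # Replies from the ISP resolver to the proxy's own DNS queries.
    Filter("inbound", UDP, local_host=PROXY_EXT, local_port=(1024, 65535),
           remote_host="198.51.100.53", remote_port=(53, 53)),
    # The proxy's outbound Web fetches on behalf of clients.
    Filter("outbound", TCP, local_host=PROXY_EXT, remote_port=(80, 80)),
    Filter("outbound", TCP, local_host=PROXY_EXT, remote_port=(443, 443)),
]

# Constructed sample packets.
SAMPLE_PACKETS = {
    "web_request":   Packet("inbound", TCP, PROXY_EXT, 80, "198.51.100.7", 40000),
    "smb_probe":     Packet("inbound", TCP, PROXY_EXT, 139, "198.51.100.7", 40001),
    "dns_reply":     Packet("inbound", UDP, PROXY_EXT, 3000, "198.51.100.53", 53),
    "fake_dns":      Packet("inbound", UDP, PROXY_EXT, 3000, "198.51.100.99", 53),
    "ping":          Packet("inbound", ICMP, PROXY_EXT, None, "198.51.100.7", None),
    "proxy_fetch":   Packet("outbound", TCP, PROXY_EXT, 5000, "198.51.100.7", 443),
    "internal_host": Packet("inbound", TCP, "10.0.0.5", 80, "198.51.100.7", 40002),
}


def evaluate_all(packets=SAMPLE_PACKETS, filters=FILTERS):
    """Map each sample packet name to the filter decision."""
    return {name: decide(p, filters) for name, p in packets.items()}


if __name__ == "__main__":
    for name, verdict in evaluate_all().items():
        print(f"{name:14s} {verdict}")
```

Because the remote port is part of the criteria, the "fake_dns" packet is refused on its source address alone even though it arrives on port 53; an inbound rule keyed only on local port would have admitted it.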
E. Use Proxy Server's Web Publishing feature to allow Internet users to access Web and FTP server resources in your private network.
   1. By default, Proxy Server discards all inbound URL requests to access Web and FTP servers in the private network.
   2. Redirect specific URL requests to Web and FTP servers within the private network by adding each URL to the Web Publishing list.
   3. For inbound URL requests not specified in the Web Publishing list, Proxy Server responds in one of the following ways:
      a. Discards the request
      b. Redirects the request to the default Web site on the computer where Proxy Server is installed
      c. Redirects the request to any Web site on the private network
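The Web Publishing decision above, as an added example (not Microsoft's code and not part of the original outline): an inbound URL is forwarded to a private Web or FTP server only if it matches an entry on the publishing list, and unlisted requests get the configured fallback (discard, the proxy's default Web site, or a chosen private site). The list entries, hostnames and fallback names are constructed. Matching is done on normalised, whole path segments, an added precaution so that publishing "/sales" exposes neither "/salesx" nor "/sales/../admin" on the internal server.

```python
"""Web Publishing lookup: match an inbound request URL against a publishing
list and map it to a private server, or apply the fallback for unlisted
requests.  Added illustration, not Microsoft's code; constructed data."""
import posixpath
from urllib.parse import urlsplit

DISCARD = "discard"            # Proxy Server's default for unlisted requests
DEFAULT_SITE = "default-site"  # send to the default Web site on the proxy itself
REDIRECT = "redirect"          # send to a chosen private Web site


def _split(url):
    """Return (scheme, host, normalised path segments) for a URL."""
    u = urlsplit(url)
    path = posixpath.normpath(u.path or "/")   # collapses '.', '..' and '//'
    segs = [s for s in path.split("/") if s]
    host = u.hostname.lower() if u.hostname else ""
    return u.scheme.lower(), host, segs


class WebPublishing:
    def __init__(self, entries, unlisted=DISCARD, redirect_target=None):
        # entries: {public URL: private URL}; the longest public path wins
        self.entries = [(_split(pub), priv.rstrip("/")) for pub, priv in entries.items()]
        self.entries.sort(key=lambda e: -len(e[0][2]))
        self.unlisted = unlisted
        self.redirect_target = redirect_target

    def route(self, request_url):
        """Return (action, target URL or None) for an inbound request."""
        scheme, host, segs = _split(request_url)
        for (e_scheme, e_host, e_segs), private in self.entries:
            # whole-segment prefix match, so '/sales' does not cover '/salesx'
            if (scheme, host) == (e_scheme, e_host) and segs[:len(e_segs)] == e_segs:
                rest = "/".join(segs[len(e_segs):])
                return REDIRECT, private + ("/" + rest if rest else "/")
        if self.unlisted == REDIRECT:
            return REDIRECT, self.redirect_target
        return self.unlisted, None


# Constructed publishing list: two public names, two private servers.
PUBLISHING = {
    "http://www.example.com/sales": "http://intra-web1/sales",
    "ftp://ftp.example.com/":       "ftp://intra-ftp1/",
}

if __name__ == "__main__":
    wp = WebPublishing(PUBLISHING)
    for url in ("http://www.example.com/sales/q1.html",
                "http://www.example.com/salesx/",
                "http://www.example.com/sales/../admin/",
                "ftp://ftp.example.com/pub/tool.zip"):
        print(url, "->", wp.route(url))
```

The traversal case matters because the comparison happens on the proxy before the internal server ever sees the request: if the path were compared as a raw string prefix, "/sales/../admin/" would pass the check and be forwarded to intra-web1, where the server would resolve it to "/admin/".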
3. Restricting Access to Internet Resources
A. If you use Proxy Server, you might also want to restrict private network user access to the Internet.
B. Base design decisions on your organization's security needs.
C. You can restrict outbound traffic to the Internet using one or all of these methods:
   1. Packet filtering
   2. Domain filtering
   3. User account authentication
D. Proxy Server packet filters restrict traffic based on IP header information.
   1. Base traffic restriction criteria on any combination of IP header information.
   2. Use the same process as that for restricting inbound traffic, except that you specify outbound in the Direction criteria for the packet filters.
E. Proxy Server domain filters restrict Internet access to specific IP addresses or FQDNs.
   1. Filter requests based on
      a. An IP address; use to specify a single computer (or a cluster that answers on one IP address)
      b. A range of IP addresses; use for more than one computer
      c. A fully qualified domain name (FQDN); use to specify resources supported by an organization
   2. Build a list of Internet sites in your domain filters.
   3. Specify how domain filters will respond to requests to the listed Internet sites.
      a. Reject all packets to the listed Internet sites, and forward all other packets.
      b. Forward all packets to the listed Internet sites and reject all others.
F. Proxy Server user authentication provides Internet access to authenticated users on the private network.
   1. Assign access to users or groups in the Active Directory directory service, or to any local user or group on a member server.
   2. Allow or disallow selected users or groups to transmit data to the Internet through Proxy Server.
   3. Consider using Proxy Server packet filters or domain filters to restrict the resources that can be accessed.
   4. If you grant Proxy Server access to all users, you also allow anonymous (unauthenticated) users to transmit data through Proxy Server, so per-user restrictions and accountability are lost.
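The outbound methods in E and F combined into one decision, as an added example (not Microsoft's code and not part of the original outline): user authentication is checked first (a user without Proxy Server permission, or an anonymous user when Everyone has not been granted access, is refused), then the domain filter is applied in either reject-listed or forward-listed mode with IP address, address range and FQDN entries. The permissions, groups, filter list and URLs are constructed. Packet filters sit below this layer and are left out. One caveat the example makes visible: an FQDN entry matches only a request that names the host, so a request made by IP address needs an IP or range entry of its own.

```python
"""Outbound access decision: user authentication, then domain filter.
Added illustration, not Microsoft's code; constructed permissions, groups,
filter entries and URLs."""
import ipaddress
from urllib.parse import urlsplit

REJECT_LISTED = "reject-listed"    # forward everything except listed sites
FORWARD_LISTED = "forward-listed"  # forward only listed sites
EVERYONE = "Everyone"              # granting this admits anonymous users


def _as_int(addr):
    return int(ipaddress.IPv4Address(addr))


def site_listed(host, entries):
    """True if host (an FQDN or dotted IP) matches a domain-filter entry.

    entries: ("ip", "203.0.113.5"), ("range", "203.0.113.0", "203.0.113.255")
    or ("fqdn", "example.net"); an FQDN entry also covers its subdomains.
    """
    host = host.lower().rstrip(".")
    try:
        n = _as_int(host)
    except ValueError:
        n = None   # the request names a host rather than an address
    for entry in entries:
        kind = entry[0]
        if kind == "ip" and n is not None and n == _as_int(entry[1]):
            return True
        if kind == "range" and n is not None and _as_int(entry[1]) <= n <= _as_int(entry[2]):
            return True
        if kind == "fqdn" and n is None:
            d = entry[1].lower().rstrip(".")
            if host == d or host.endswith("." + d):
                return True
    return False


class OutboundPolicy:
    def __init__(self, permitted, groups, filter_entries, mode):
        self.permitted = set(permitted)      # users/groups granted Web access
        self.groups = groups                 # {user: set of group names}
        self.filter_entries = list(filter_entries)
        self.mode = mode

    def _authorised(self, user):
        if user is None:                     # anonymous request
            return EVERYONE in self.permitted
        principals = {user, EVERYONE} | self.groups.get(user, set())
        return bool(principals & self.permitted)

    def decide(self, user, url):
        """Return 'forward' or a 'reject: <reason>' string."""
        if not self._authorised(user):
            return "reject: not an authorised user"
        host = urlsplit(url).hostname or ""
        listed = site_listed(host, self.filter_entries)
        if self.mode == REJECT_LISTED and listed:
            return "reject: site is on the domain filter list"
        if self.mode == FORWARD_LISTED and not listed:
            return "reject: site is not on the domain filter list"
        return "forward"


# Constructed policy data.
FILTER_ENTRIES = [("fqdn", "example.net"),
                  ("range", "203.0.113.0", "203.0.113.255"),
                  ("ip", "198.51.100.7")]
GROUPS = {"alice": {"sales"}, "bob": {"engineering"}}


def sample_decisions():
    """Decisions for a strict policy (sales group only) and a lax one (Everyone)."""
    strict = OutboundPolicy({"sales"}, GROUPS, FILTER_ENTRIES, REJECT_LISTED)
    lax = OutboundPolicy({EVERYONE}, GROUPS, FILTER_ENTRIES, REJECT_LISTED)
    allow_only = OutboundPolicy({"sales"}, GROUPS, [("fqdn", "example.net")], FORWARD_LISTED)
    return {
        "alice_unlisted":       strict.decide("alice", "http://news.example.org/"),
        "alice_listed_fqdn":    strict.decide("alice", "http://www.example.net/"),
        "alice_listed_range":   strict.decide("alice", "http://203.0.113.9/"),
        "fqdn_entry_misses_ip": strict.decide("alice", "http://192.0.2.5/"),
        "bob_not_permitted":    strict.decide("bob", "http://news.example.org/"),
        "anonymous_strict":     strict.decide(None, "http://news.example.org/"),
        "anonymous_everyone":   lax.decide(None, "http://news.example.org/"),
        "allow_only_listed":    allow_only.decide("alice", "http://www.example.net/"),
        "allow_only_other":     allow_only.decide("alice", "http://news.example.org/"),
    }


if __name__ == "__main__":
    for name, verdict in sample_decisions().items():
        print(f"{name:22s} {verdict}")
```

The "anonymous_everyone" case is F.4 in action: once Everyone holds the permission, a request carrying no credentials is forwarded, so the domain filter becomes the only remaining control and nothing identifies the user in the logs.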
Chapter 6, Lesson 4
Proxy Server Design Optimization
1. Identifying Proxy Server Optimization Techniques
A. Base optimization decisions on your organization's requirements.
B. The direction of traffic (inbound or outbound) determines the appropriate Proxy Server optimization method.
   1. Web content cache method
      a. Direction: outbound
      b. Improves performance by storing copies of Web content locally
   2. Proxy array method
      a. Direction: outbound
      b. Improves performance and reliability by distributing outbound traffic and the Web content cache across multiple proxy servers
   3. Network Load Balancing method
      a. Direction: inbound
      b. Improves performance and reliability by distributing inbound traffic across multiple proxy servers
   4. Round robin DNS
      a. Direction: inbound
      b. Improves performance by distributing inbound traffic across multiple proxy servers (but, unlike Network Load Balancing, does not detect a failed server)
C. Use any combination of these methods to optimize network performance or reliability.
2. Optimizing Internet Access
A. You can optimize your design to improve the availability and performance of outbound requests and inbound responses.
B. To optimize Internet access traffic, you can use Web content caching and proxy server arrays.
C. Proxy Server supports active and passive Web content caching methods.
D. Active caching retrieves updates to cached Web content when the processor utilization of the proxy server is low.
   1. Active caching is the default caching mode.
   2. You can also specify when to check for updated Web content based on
      a. HTTP header information
      b. URL of the content
      c. Date and time of cached Web content files
   3. Active caching
      a. Reduces processor overhead and Internet traffic during peak periods
      b. Creates activity when client computers are not accessing the Internet, which may increase connection costs
E. Passive caching updates cached Web content only when client computers request the content.
   1. You can specify when to check for updated Web content, but passive caching updates the content only when client computers request it.
   2. Passive caching
      a. Eliminates activity when client computers aren't accessing the Internet
      b. Can increase processor overhead and Internet traffic during peak periods
F. Proxy Server supports proxy arrays.
   1. Cached Web content and network traffic are distributed across all proxy servers in the proxy array.
   2. Using proxy arrays can improve performance by load balancing the following across all proxy servers in the proxy array:
      a. Network traffic
      b. Disk access
      c. Processor use
   3. Using a proxy array can improve reliability. When one proxy server in the array fails for any reason, the remaining proxy servers in the array continue to provide connectivity.
   4. When creating a proxy array
      a. You can assign the same proxy array name to multiple proxy servers
      b. You can add or remove proxy servers without affecting existing proxy servers in the proxy array
      c. You do not need to configure client computers to use a proxy array
      d. If you have only one proxy server, you can still create a proxy array for future use
      e. Proxy servers in the proxy array should have comparable memory, processor, and disk storage capability
G. You can organize proxy servers and proxy arrays in a hierarchy to further improve performance.
   1. The proxy server or proxy array at the top of the hierarchy provides Internet access and connectivity to the network.
      a. Configure the proxy array with an upstream connection to the Internet.
      b. All requests are forwarded to the Internet site.
   2. Other proxy servers and proxy arrays forward requests to the proxy server or proxy array at the top of the hierarchy.
H. You can combine these methods to optimize the performance and reliability of Internet access traffic.
3. Optimizing Private Network Resource Access
A. You can optimize your design to improve the availability and performance of private network resource access.
B. To optimize private network resource access traffic, you can use Network Load Balancing or round robin DNS.
C. Network Load Balancing
   1. Is included only in Microsoft Windows 2000 Advanced Server and Microsoft Windows 2000 Datacenter Server
   2. Doesn't run on proxy servers that run on other operating systems
   3. Balances traffic across all proxy servers in the Network Load Balancing cluster
   4. Must be installed on all proxy servers in the cluster; you must specify an IP address for cluster use.
   5. Load balances all Proxy Server traffic sent to the cluster IP address across all proxy servers in the cluster
   6. If a proxy server in the cluster fails for any reason, the cluster automatically redistributes the traffic to the remaining proxy servers in the cluster.
   7. Requires extra processor and memory resources on each proxy server that runs it
D. Round robin DNS
   1. Statically load balances traffic across multiple proxy servers
   2. Works on all operating system platforms
   3. Create round robin DNS entries by specifying the same FQDN with different IP addresses.
      a. The DNS server responds to the first query for the FQDN with the first IP address in the list.
      b. The DNS server responds to the second query for the FQDN with the second IP address in the list, and so on.
   4. Improves performance, but not availability, because the DNS server keeps handing out the address of a failed proxy server; a client that receives that address gets an error rather than being sent to the next proxy server in the list.
Chapter Summary
A. Proxy Server 2.0 provides Internet connectivity for IP- and IPX-based networks.
   1. Provides Internet access for private network users
   2. Provides private network access for Internet-based users
   3. Can take the place of a firewall
   4. Improves performance through Web content caching
   5. Can connect IPX-based private networks to the Internet
B. Position proxy servers based on the organization's requirements.
   1. Each proxy server needs at least one network interface.
   2. Proxy servers and proxy server clients use the LAT to determine IP address location.
   3. Several methods are available to support proxy server clients.
      a. Windows Proxy Server client
      b. Internet Explorer 5.0
      c. SOCKS
      d. Default gateway
C. Protect the data if Internet connectivity is included.
   1. Packet filters
   2. Web publishing
   3. Domain filters
   4. User authentication
D. Several techniques can optimize Proxy Server performance and availability.
   1. Web content caching
   2. Proxy array
   3. Network Load Balancing
   4. Round robin DNS