WinProxy 1.3

User's Manual

  version 1.1, October 16, 1996


WinProxy © 1996 Martin Viktora, Martin Rubas. Authentication and cache management use the MD5 algorithm, derived from the RSA Data Security, Inc. MD5 Message-Digest Algorithm.

All product names mentioned herein are the trademarks of their respective owners.



Contents


   1.Introduction

    This document is intended for WinProxy users. It describes WinProxy, its method of operation and configuration details. We will be changing this manual as we add new information; the latest version will always be available on the web. If there are inaccuracies or insufficient information in this manual, please let us know. We welcome your suggestions.
Our address is: winproxy@winproxy.net

Authors


  2.WinProxy :- Method of Operation

    A proxy server allows many computers on a local area network Internet access from a single point. A proxy server also provides a firewall: a computer placed between the local area network and the Internet. Firewalls provide protection from the open nature of the Internet. Commonly firewalls turn off packet routing on the host, so that nothing passes through at the IP network layer; packets addressed to internal hosts, including spoofed ones, are simply not forwarded. Communication through the firewall then requires one of the following:

  Proxy server
  Gateway
  SOCKS server

    These are programs running on the firewall host, which is connected directly to the Internet or intranet. Computers on the local area network access the Internet indirectly through the firewall/proxy host.

    For computer A to connect to computer B, it must connect to computer C first. After this connection is established, A sends C a request to connect to B. Data exchange between A and B is now possible. C can relay data between A and B without any conversion, or provide protocol transformations.

    Computer C can check the authorization of the request using predefined rules. This provides control over user access to Internet services.

    A proxy server introduces other interesting features:


   3.Basic Information

3.1 System requirements

Operating system :

    Windows 95 or Windows NT with the TCP/IP protocol installed (see 5. TCP/IP Configuration).

Hardware :

    WinProxy requires the basic hardware configuration for the given operating system with sufficient disk space for a cache. With larger numbers of users and larger caches, requirements for memory, disk, processor speed and line bandwidth will also increase.

     We recommend the following as a minimum:

3.2 Installation and file descriptions

    Download the WinProxy archive from the Internet and extract the files to a temporary directory. Run SETUP.EXE from this directory. Set the destination directory in which you want to install WinProxy and select Install.

    If you are installing on Windows NT and you have Administrator privileges, you can install WinProxy with service support. WinProxy can then be run both as an ordinary application and as a service. As a service it can be set to start automatically when NT starts, allowing the proxy to be used by other workstations even when no one is logged in on the host. Use the Services icon in the Control Panel to set the WinProxy service to run when the host starts.

    Once the files are copied you will be asked to create a Program Manager group. The group will be named WinProxy and will include the version number. If you installed WinProxy with service support, this group will be common to all users.

    WinProxy installs the following files:

  WinProxy creates a subdirectory called cache and the following files:

Important: If you delete or otherwise damage the status.log file, WinProxy will not operate until you also delete the contents of the cache directory.


   4.Configuration

   For WinProxy to work, the TCP/IP protocol must be installed on all computers. For TCP/IP LAN installation instructions read 5. TCP/IP Configuration before continuing. Please note that this is different from installing TCP/IP for a dial-up adapter.

   WinProxy is configured from web pages using a browser. Open your browser and request http://host:3129/admin as the URL, where host is the TCP/IP name of the computer running WinProxy. You need a browser that can show framed documents. Online help pages are available for the configuration. Anyone who can reach port 3129 on that host can attempt to log in to these pages, so make sure the port is not reachable from the Internet side (see 4.7 Security).

    Winproxy provides the following functions :

  proxy server for the HTTP, HTTPS, FTP and GOPHER protocols
  a shared cache for all these protocols
  gateway for the Telnet, FTP, SMTP, NEWS and POP3 services
  SOCKS server and DNS forwarder
  dial-up connections on demand
  user and group management with access restrictions
  secure local area network access to the Internet

    Each item represents a subsystem within WinProxy. The behavior of these subsystems is controlled by values set on the WinProxy configuration pages.

    Important: For convenience we will call the computer running WinProxy ProxyHost; this stands for the DNS name or IP address of the computer that is running WinProxy. We will also assume that WinProxy is being run on a computer with access to the Internet via either a dial-up line or a second Ethernet interface.

4.1 Proxy Servers

  Setting up WinProxy

    A proxy server provides users on a local area network with Internet access services such as WWW, FTP and GOPHER from their browsers. Normally WinProxy listens for requests on port 3128. This default value can be changed on the Network page, field Proxy Port.
    If your ISP runs a proxy server on a fast machine with a big cache and you have a high-speed connection, you can set it as a parent proxy on the General page. All requests will then be retrieved through this server.
    Your browser will need to be configured for use with WinProxy. Below are some sample configurations for popular browsers:

  Setting up clients

Netscape Navigator

  1. Select the menu items Options->Network Configuration->Proxies
  2. choose Manual Proxy Configuration
  3. push the View button
  4. Enter the proxy host computer name in the HTTP, FTP, GOPHER and Security Proxy fields. The port number to use is 3128.

   Alternatively, use an autoconfiguration file. The location of this file is set on the General page. You can find a template of this file in the directory in which WinProxy was installed. Edit this file and enter the name of the computer that hosts WinProxy. Choose Automatic Proxy Configuration in the Navigator Proxy dialog box and set the field Configuration Location (URL) to http://ProxyHost:3129/autoconfig.
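   The following is an added example of such an autoconfiguration (PAC) script; it is not the template shipped with WinProxy. It assumes ProxyHost is 192.168.1.3 on the 192.168.1.0/24 LAN (the addressing used in section 5). Browsers supply the helper functions isPlainHostName() and isInNet() to PAC scripts; the fallbacks defined here are only used when the script is exercised outside a browser, and the fallback isInNet() handles dotted-quad literals rather than resolving names.

```javascript
// Proxy auto-configuration script for browsers on a LAN behind WinProxy.
// Constructed example for this manual, not the template that ships with WinProxy.
var PROXY_HOST = "192.168.1.3";   // assumed address of ProxyHost
var PROXY_PORT = 3128;            // WinProxy's default proxy port
var LAN_NET = "192.168.1.0";      // assumed LAN used in section 5
var LAN_MASK = "255.255.255.0";

// Fallbacks for the helpers a browser provides to PAC scripts, so the
// script can be tested outside a browser (e.g. with node).
if (typeof isPlainHostName === "undefined") {
  var isPlainHostName = function (host) {
    return host.indexOf(".") === -1;
  };
}
if (typeof isInNet === "undefined") {
  // Accepts dotted-quad literals only; the browser's version also resolves names.
  var isInNet = function (ip, pattern, mask) {
    var a = ip.split("."), p = pattern.split("."), m = mask.split(".");
    if (a.length !== 4) return false;
    for (var i = 0; i < 4; i++) {
      if ((Number(a[i]) & Number(m[i])) !== (Number(p[i]) & Number(m[i]))) return false;
    }
    return true;
  };
}

function FindProxyForURL(url, host) {
  // Names without a dot, localhost and addresses on the LAN are reached
  // directly; they must not be sent through the proxy.
  if (isPlainHostName(host) || host === "localhost" ||
      isInNet(host, LAN_NET, LAN_MASK)) {
    return "DIRECT";
  }
  // Everything else goes through WinProxy. Deliberately no "; DIRECT"
  // fallback: with routing turned off on ProxyHost a direct connection
  // would fail anyway, and a fallback would let a client bypass the
  // proxy's access restrictions whenever the proxy was unreachable.
  return "PROXY " + PROXY_HOST + ":" + PROXY_PORT;
}
```

The script returns a single PROXY entry on purpose: a trailing DIRECT alternative is a common mistake that turns an unreachable proxy into an unfiltered path out of the LAN.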

NCSA Mosaic

  1. Select the menu items Options->Preferences->Proxy
  2. Enter the proxy host computer name in the HTTP, FTP, GOPHER and Security Proxy fields. The port number, 3128, is entered after a colon as part of the name (e.g. ProxyHost:3128).

MS Internet Explorer 3.0

  1. Select the menu items View->Options->Connections
  2. For the Windows 95 version, press the Proxy button
  3. Enable the check box for Use the same proxy for all protocols.
  4. Enter the proxy host computer name and port number in the space provided.

4.2 The Cache

    Data collected by the proxy server from the Internet and passed to browsers on the local area network can be stored in a shared cache. If the same browser, or another browser on the network, requires the same information, it is retrieved from the cache. Since the cache is on a local computer this is far quicker than accessing the Internet.

  Setting up Cache Parameters

    The size of the cache can be set on the Cache page. This value is the maximum size in Megabytes. After reaching this limit garbage collection is performed, with the oldest objects deleted first. Garbage collection reduces the cache to 85 percent of the maximum size.
    The values Max.HTTP Size, Max.FTP Size and Max.GOPHER Size determine the maximum size of objects stored in the cache for these protocols. Larger objects are passed through without being cached. Do not set the value for FTP too high, as a single big archive file will purge many smaller HTTP objects.
    If you do not wish to cache data, turn caching off by unchecking the Enable Caching box.
    The other two check boxes determine what to do when the user breaks a connection by using the browser stop button or by selecting a new page before the current page has been completely loaded. If Continue Aborted is checked, WinProxy will continue loading the page into the cache. With this option enabled it is easy to build up a large number of concurrent connections while skipping between pages. If Keep Aborted is checked, WinProxy will store incomplete objects (pages).

  Time To Live

    Values on the Time-To-Live page determine the number of days that objects (web pages) are kept in the cache. Any request for an object older than this is reloaded from the Internet. TTL can be set for individual protocols and/or for individual URLs. To specify individual URLs use the TTL Advanced section. Each entry is of the form days@url, where url can include asterisks to match a group of related URLs.
   Examples :
12@*www* sets a cache life of 12 days for all objects with a URL containing www (all World Wide Web pages).
2@ftp://*.zip sets a cache life of 2 days for all objects downloaded via FTP with the extension .zip.
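   The following is an added example, not WinProxy's own code, of how a days@url rule list is parsed and applied. It assumes that rules are tested in the order listed and the first match wins, and that a URL matched by no rule falls back to the per-protocol TTL; the per-protocol numbers and the 0@*cgi-bin* rule are made up for the example.

```javascript
// Cache life-time lookup for "TTL Advanced" rules of the form days@url,
// where url may contain * wildcards. Constructed example for this manual.

// Per-protocol defaults in days (assumed values for the example).
var PROTOCOL_TTL = { http: 7, ftp: 14, gopher: 7 };

// Rules as they would be typed on the Time-To-Live page. Order matters:
// the first matching rule wins (assumed semantics), so the most specific
// rules are listed first.
var TTL_RULES = [
  "0@*cgi-bin*",      // never serve dynamic content from the cache
  "2@ftp://*.zip",
  "12@*www*"
];

// Turn "days@pattern" into { days, regex }. Only * is special; every other
// character in the pattern is matched literally, so regex metacharacters
// are escaped before * is translated to .*
function parseRule(rule) {
  var at = rule.indexOf("@");
  if (at < 1) throw new Error("malformed rule: " + rule);
  var days = parseInt(rule.slice(0, at), 10);
  if (isNaN(days) || days < 0) throw new Error("bad day count in rule: " + rule);
  var pattern = rule.slice(at + 1);
  var escaped = pattern.replace(/[.+?^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*");
  return { days: days, regex: new RegExp("^" + escaped + "$", "i") };
}

// Cache life in days for a URL under the given rules (default: TTL_RULES).
function ttlFor(url, rules) {
  var parsed = (rules || TTL_RULES).map(parseRule);
  for (var i = 0; i < parsed.length; i++) {
    if (parsed[i].regex.test(url)) return parsed[i].days;
  }
  var scheme = url.split(":")[0].toLowerCase();
  return PROTOCOL_TTL.hasOwnProperty(scheme) ? PROTOCOL_TTL[scheme] : 0;
}
```

Because *www* matches almost every URL, placing it above a more specific rule such as 0@*cgi-bin* would silently cache the dynamic pages for 12 days; listing the narrow rule first is what gives it effect.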

4.3 Gateways

4.3.1 Telnet gateway

    The Telnet protocol allows users on a local area network to connect to an arbitrary host on the Internet and work with it remotely. It is usually used to connect to UNIX machines, assuming the user has an account on that machine. To use Telnet through WinProxy, turn on the Telnet Gateway check box on the Network page. The Telnet gateway listens on port 23. This value can be changed in the Port field. To use the Telnet gateway, run a telnet client and connect to the computer ProxyHost first. You will then be prompted to enter the name of the host you wish to connect to.

4.3.2 Ftp gateway    

    FTP (File Transfer Protocol) is a protocol used to transfer files between computers. The WinProxy FTP gateway allows users on the local area network to access FTP servers on the Internet. If you plan to use the FTP gateway, activate the Ftp Gateway check box on the Network page. Normally the FTP gateway listens on port 21. This value can be changed in the Port field.
    To use the FTP gateway, run an FTP client and connect to the computer hosting WinProxy first. At the username: prompt type user@host, where host is the machine you want to connect to and user is an account name on that machine (e.g. anonymous@ftp.bestsite.com).
    You can also use WS_FTP. To set up WS_FTP, set the Host Name in the Firewall information to the computer ProxyHost and the Firewall type to USER with no logon. If you directed WinProxy to use a different port for the FTP gateway, set this in the Port field.

4.3.3 SMTP gateway

    SMTP (Simple Mail Transfer Protocol) is the protocol used on the Internet to transfer e-mail. The SMTP gateway allows users to send e-mail from computers on the local area network to the Internet.

  Setting up WinProxy

    On the Network page set the field SMTP Server to the name or IP address of the computer you use as your SMTP server. This name is usually provided by your ISP. All e-mail will be sent to this server for delivery.

  Setting up clients

    There are many client programs for sending and receiving e-mail from the Internet. Generally you have to enter the address of an SMTP server. Set this to the computer ProxyHost.

Pegasus mail for Windows

  1. Select the menu items File->Network Configuration
  2. Change the SMTP host entry

Netscape Navigator

  1. Select the menu items Options->Mail and News Preferences->Servers
  2. Change the Outgoing Mail (SMTP) Server entry

MS Explorer 3.0 - Internet Mail

  1. Select the menu items Mail->Options->Server
  2. Change the Outgoing Mail (SMTP) entry

MS Exchange

  1. Select the menu items Tools -> Services
  2. Choose Internet Mail and push the Properties button
  3. Change the Internet Mail server entry
  4. Enter your Account name and Password

    Note: The Internet Mail Server will be used for both sending and receiving e-mail. If you need to send e-mail through a different server, enter it into the field under Advanced Options.

4.3.4 POP3

    The POP3 protocol is used to transfer e-mail from remote mail-boxes. These boxes are usually located at your ISP. When users connect to their ISP they can download their e-mail via POP3. The POP3 gateway allows users on the local network to receive e-mail via the POP3 protocol.

  Setting up WinProxy

    Usually an ISP places the SMTP server on the same machine as the POP3 server, so WinProxy uses the computer you entered as the SMTP server on the Network page as the default POP3 server. If some users have mail-boxes on different POP3 servers, these can be added on the WinProxy POP Servers configuration page.

  Setting up clients

Note: Your ISP should provide a username and password for your e-mail account. The username is usually the part of your e-mail address before the @.

Pegasus mail for Windows

  1. Select the menu items File->Network Configuration
  2. enter ProxyHost to the field POP3 host
  3. enter your username in the field Username
  4. enter your password in the field Password

Netscape Navigator

  1. Select the menu items Options->Mail and News Preferences->Servers
  2. enter ProxyHost in the field Incoming Mail (POP) Server
  3. enter you username in the field POP user name

MS Explorer 3.0 - Internet Mail

  1. Select the menu items Mail->Options->Server
  2. enter ProxyHost in the field Incoming Mail (POP3)
  3. enter your username in the field POP account
  4. enter your password in the field password

MS Exchange

     See SMTP gateway.

4.3.5 News

    The News gateway provides users on a local area network with access to USENET News services. To enable the News gateway, enter the name or IP address of your News host on the Network page. In the news-reader client program set ProxyHost as the News server.

4.4 SOCKS Server and DNS

   If you wish to use WinProxy as a SOCKS server (version 4), check this box on the Network page. The default SOCKS server port of 1080 can be changed in the SOCKS port field. If you plan to use SOCKS, you will probably need to set the DNS server. Enter the name or IP address of an Internet DNS server; WinProxy will forward DNS requests to this host. Note that a SOCKS version 4 request carries only a user id and no password, so the protocol does not by itself authenticate clients; make sure the SOCKS port is reachable only from the secure interface (see 4.7 Security).
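   The following is an added example, not WinProxy code, of the SOCKS version 4 CONNECT exchange a LAN client performs against a SOCKS server. It opens no socket: buildConnectRequest() produces the bytes the client sends, parseReply() decodes the 8-byte answer, and mockSocksServer() stands in for the server so the round trip runs offline. The server's access rule (only destination ports 80 and 443 are granted) is an assumption made for the example.

```javascript
// SOCKS version 4 CONNECT request and reply. Constructed example for this manual.

var SOCKS_VERSION = 4;
var CMD_CONNECT = 1;
var REPLY_GRANTED = 90;          // request granted
var REPLY_REJECTED = 91;         // request rejected or failed
var REPLY_NO_IDENTD = 92;        // server could not reach the client's identd
var REPLY_IDENTD_MISMATCH = 93;  // identd reported a different user id

function ipToBytes(ip) {
  var parts = ip.split(".").map(Number);
  var bad = parts.length !== 4 || parts.some(function (n) { return !(n >= 0 && n <= 255); });
  if (bad) throw new Error("SOCKS4 needs a dotted-quad IP, got " + ip);
  return parts;
}

// Request layout: VN(1) CD(1) DSTPORT(2, network byte order) DSTIP(4) USERID(n) NUL(1).
// The user id travels in clear and is only checked if the server queries the
// client's identd; it is not a password.
function buildConnectRequest(dstIp, dstPort, userId) {
  var bytes = [SOCKS_VERSION, CMD_CONNECT, (dstPort >> 8) & 0xff, dstPort & 0xff]
    .concat(ipToBytes(dstIp));
  for (var i = 0; i < userId.length; i++) bytes.push(userId.charCodeAt(i) & 0xff);
  bytes.push(0);
  return new Uint8Array(bytes);
}

// Reply layout: VN(1, always 0) CD(1) DSTPORT(2) DSTIP(4).
function parseReply(buf) {
  if (buf.length < 8) throw new Error("short SOCKS4 reply");
  if (buf[0] !== 0) throw new Error("unexpected reply version " + buf[0]);
  return {
    code: buf[1],
    port: (buf[2] << 8) | buf[3],
    ip: Array.prototype.slice.call(buf, 4, 8).join(".")
  };
}

// Stand-in for the server: validates the header, requires the NUL that ends
// the user id, applies the (assumed) port rule and echoes DSTPORT/DSTIP back.
function mockSocksServer(request) {
  var reply = new Uint8Array(8);  // zero-filled, so VN is already 0
  var nul = Array.prototype.indexOf.call(request, 0, 8);
  if (request.length < 9 || request[0] !== SOCKS_VERSION ||
      request[1] !== CMD_CONNECT || nul < 0) {
    reply[1] = REPLY_REJECTED;
    return reply;
  }
  var port = (request[2] << 8) | request[3];
  reply[1] = (port === 80 || port === 443) ? REPLY_GRANTED : REPLY_REJECTED;
  for (var i = 2; i < 8; i++) reply[i] = request[i];
  return reply;
}

// One complete exchange from the client's point of view.
function socksConnect(dstIp, dstPort, userId) {
  var request = buildConnectRequest(dstIp, dstPort, userId);
  var reply = parseReply(mockSocksServer(request));
  return { granted: reply.code === REPLY_GRANTED, code: reply.code, ip: reply.ip, port: reply.port };
}
```

Everything the server learns about the client is in those first nine bytes plus an unverified user id, which is why access control for a SOCKS4 service has to come from where the port is reachable rather than from the protocol.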

4.5 Dial-up connections

    WinProxy can establish dial-up connections to your Internet provider. There are three ways to initiate a connection:

     Note: If Dial On Demand is on and you type a wrong DNS name for a local computer, WinProxy dials up your ISP to look up the name on the Internet. It can then look as if connections were initiated without reason.

    Configuration for a dial-up connection can be set on the WinProxy Dial page. Test the dial-up connection directly before trying it with WinProxy.

  1. choose the desired RAS connection name from the list provided.
  2. enable or disable automatic connection
  3. set the timeout value in the Hang up After field. If no traffic occurs on the line for this period of time, the connection will automatically be closed.
  4. enter your user name and password in the fields Username andPassword for the connection selected in (1) above.

   Note: If your ISP does not support the PAP or CHAP authentication protocols and you have to connect to your ISP through a Terminal window, try the following:

4.6 User management

    WinProxy supports management of users and groups of users. These are used to determine restrictions for selected services. Please refer to the on-line help for more detailed information.

4.7 Security

    If you are concerned about security, the WinProxy firewall will provide peace of mind. Today's trend is not to use direct connectivity where it is not absolutely necessary. With WinProxy you can easily build an effective firewall. You must also turn off packet routing on ProxyHost. On Windows NT make sure that IP forwarding is disabled in the TCP/IP protocol properties of the Network control panel; Windows 95 does not forward IP packets by default, so nothing needs to be done there.

   If packet routing is turned off, the only way into your system from the Internet is through a service running on the firewall host. This includes WinProxy's own services: a proxy, gateway or SOCKS server that accepts connections on the Internet-facing interface can be used from outside. To prevent intruders from accessing your system through WinProxy, set the address of the secure interface. This is the IP address of a network interface (network card) which can be considered secure; usually it is the IP address of your computer in the local area network. The address of the secure interface can be set on the General page in the field Secure Interface. If your host is multihomed, you can enter a list of IP addresses separated by semicolons.


   5.TCP/IP Configuration

    TCP/IP must be correctly configured on the computer ProxyHost and on all computers that will access the Internet through WinProxy.

     ProxyHost must be a computer running Windows NT or Windows 95. The computers that will access the Internet through WinProxy can use any operating system supporting TCP/IP (Windows, Unix, Macintosh, VMS, ...).

     If TCP/IP is not installed, either:

  1. ask your system administrator to install it or
  2. install it yourself according to following directions

     Let's consider a local area network with four computers. The (NetBIOS) names of these computers are Chris, Eric, Jack and Allan. Computer Jack is used to connect to the Internet via a modem. These computers use Windows 95, Windows NT and Windows 3.1.

5.1 IP addresses

     All computers in a TCP/IP network require a unique IP address. An IP address is a 32-bit number. For convenience it is written as four decimal numbers, one per byte, separated by dots, in the format a.b.c.d.

     RFC 1597 (since superseded by RFC 1918) recommends that addresses for LANs be taken from a private address space. The IANA has reserved three blocks of addresses for use in private networks: 10.0.0.0 to 10.255.255.255 (a single class A network), 172.16.0.0 to 172.31.255.255 (16 contiguous class B networks) and 192.168.0.0 to 192.168.255.255 (256 contiguous class C networks).

     These addresses are not routed anywhere on the Internet.

     We will use a class C network for our example (up to 254 computers). Let's select the network address 192.168.1.0. The following table shows the IP addresses of our computers:

Computer name   Operating system   IP address
Chris           Windows 95         192.168.1.1
Eric            Windows 95         192.168.1.2
Jack            Windows NT         192.168.1.3
Allan           Windows 3.1        192.168.1.4

     To set these addresses for each operating systemuse the following instructions:

    Windows 95 and Windows NT 4.0
  1. From the Start button, select Settings -> Control Panel -> Network
  2. Select TCP/IP protocol. If this protocol is not in the list, select Add -> Protocol -> Add. From the list presented, select Microsoft as the vendor and then the network protocol TCP/IP.
  3. Select Properties and the IP Address sheet. Enable the option Specify an IP address.
  4. In the IP Address field enter the address from the table. For the Subnet Mask field enter 255.255.255.0. Press OK to complete the installation. Insert your Windows 95 diskettes or CD on request.
  5. Enter the same IP address for the Default Gateway
  6. Restart the computer

    Windows NT 3.51
  1. From Program Manager, group Main, select Control Panel, then the Network icon
  2. If TCP/IP Protocol is already in the Installed Network Software list, select it, push Configure and skip to step 4.
  3. Press Add Software. From the Network Software list select TCP/IP Protocol and related components and insert the installation disks. After the necessary files have been loaded, press OK in the Network Settings dialog.
  4. In the IP Address field enter the value from the table. For the Subnet Mask field enter 255.255.255.0. Press OK to complete the installation.
  5. Restart the computer

    Windows 3.1

    TCP/IP is not part of this operating system. To run TCP/IP you need an external TCP/IP implementation such as Microsoft TCP/IP or Trumpet Winsock. Configuration details are documented with these packages. The Microsoft TCP/IP drivers are available at the Microsoft anonymous ftp site under the name WFWT32.EXE. The Microsoft ftp site can be reached from www.microsoft.com under the heading free software.

     Now you can use TCP/IP on your local area network. To test it, run the ping utility from a command prompt. You should be able to reach the other computers on the LAN.

Try :
C:\WINDOWS>ping 192.168.1.1
C:\WINDOWS>ping 192.168.1.2
C:\WINDOWS>ping 192.168.1.3
C:\WINDOWS>ping 192.168.1.4

Note: At this point you can only use IP addresses. In all places in this document where you are asked to enter the computer name ProxyHost, you would have to use the IP address of computer Jack: 192.168.1.3. To give the computers names, follow the instructions below.

5.2 DNS

     Because IP addresses are difficult to type or remember, TCP/IP networks provide a means to assign names to IP addresses. Names in TCP/IP networks are organized using the Domain Name System, or DNS. These names can be different from the NetBIOS names (the names you see in Network Neighborhood in Windows 95 or NT 4).
     Each IP address can be assigned one name and, optionally, several aliases. There are two ways for computers to translate DNS names back into IP addresses:

  1. through a DNS server
  2. using static tables located on each computer on the local area network

    DNS servers are used in large networks with dedicated server computers. Because our sample network is small we will use static name tables. We will assign DNS names that are the same as the NetBIOS names.

     The TCP/IP software reads a text file called hosts on the local computer to find DNS names. This file lives in a different directory depending on the operating system: on Windows 95 it is HOSTS in the Windows directory (e.g. C:\WINDOWS\HOSTS); on Windows NT it is HOSTS in system32\drivers\etc under the system root (e.g. C:\WINNT\system32\drivers\etc\HOSTS). For a third-party TCP/IP package on Windows 3.1, see the package's documentation.

    Each line of this file contains a record ofthe form:

IP_address DNS_name [aliases] 

     Lines beginning with # are comments. Edit this file with a text editor such as Notepad.

     Our sample file would look like :

# file hosts
# this file translates DNS names into IP addresses
#
127.0.0.1       localhost
192.168.1.1     chris
192.168.1.2     eric
192.168.1.3     jack      winproxy
192.168.1.4     allan
# end of hosts file

     This file can be copied to the correct directory on all the computers.
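     Before copying the file around, it is worth checking it mechanically. The following is an added example, not part of WinProxy or Windows, of a parser for the hosts file format above that also verifies that every address is in one of the private blocks from 5.1 (or is the loopback address) and that no name is assigned twice. The file contents are embedded so the example runs offline; they follow the sample above, with the winproxy alias on jack.

```javascript
// Parser and sanity check for a hosts file. Constructed example for this manual.

// The sample file from this section, embedded so the example runs offline.
var SAMPLE_HOSTS = [
  "# file hosts",
  "# this file translates DNS names into IP addresses",
  "#",
  "127.0.0.1       localhost",
  "192.168.1.1     chris",
  "192.168.1.2     eric",
  "192.168.1.3     jack      winproxy",
  "192.168.1.4     allan",
  "# end of hosts file"
].join("\n");

// Dotted quad to a 32-bit number, or null if the text is not a valid address.
function ipToInt(ip) {
  var p = ip.split(".");
  if (p.length !== 4) return null;
  var n = 0;
  for (var i = 0; i < 4; i++) {
    if (!/^\d{1,3}$/.test(p[i]) || Number(p[i]) > 255) return null;
    n = n * 256 + Number(p[i]);
  }
  return n;
}

// True if the address lies in network/prefixLen (compares the top prefixLen bits).
function inBlock(ipInt, network, prefixLen) {
  var shift = 32 - prefixLen;
  return (ipInt >>> shift) === (ipToInt(network) >>> shift);
}

// The three private blocks of RFC 1597 / RFC 1918, plus loopback.
function isPrivateOrLoopback(ip) {
  var n = ipToInt(ip);
  if (n === null) return false;
  return inBlock(n, "10.0.0.0", 8) || inBlock(n, "172.16.0.0", 12) ||
         inBlock(n, "192.168.0.0", 16) || inBlock(n, "127.0.0.0", 8);
}

// Returns { map: { name: ip }, problems: [messages] }. DNS names are
// case-insensitive, so keys are lower-cased. A name mapped to two different
// addresses is reported: which one wins would depend on the resolver.
function parseHosts(text) {
  var map = {}, problems = [];
  text.split(/\r?\n/).forEach(function (line, idx) {
    var body = line.replace(/#.*$/, "").trim();   // strip comments
    if (!body) return;
    var fields = body.split(/\s+/);
    var ip = fields[0], names = fields.slice(1), where = "line " + (idx + 1) + ": ";
    if (ipToInt(ip) === null) { problems.push(where + "bad address " + ip); return; }
    if (names.length === 0) { problems.push(where + "no name for " + ip); return; }
    if (!isPrivateOrLoopback(ip)) problems.push(where + ip + " is not a private LAN address");
    names.forEach(function (name) {
      var key = name.toLowerCase();
      if (map.hasOwnProperty(key) && map[key] !== ip) {
        problems.push(where + name + " already maps to " + map[key]);
      }
      map[key] = ip;
    });
  });
  return { map: map, problems: problems };
}

// Look a name up the way the resolver would, against the sample file by default.
function resolve(name, text) {
  return parseHosts(text || SAMPLE_HOSTS).map[name.toLowerCase()] || null;
}
```

A public address in the file is not a syntax error, but on this LAN it means a typo or a machine that should not be there, which is why the check flags it.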

     Now you can use DNS names for the computers on the local area network. You should be able to ping the other computers using their names.

Try :
C:\WINDOWS>ping chris
C:\WINDOWS>ping eric
C:\WINDOWS>ping jack
C:\WINDOWS>ping allan


     Now you can use jack (or its alias winproxy) everywhere you were asked for ProxyHost.


   A.Multisegment networks

    This appendix explains a problem which often appears on multisegment networks when used with a dial-up connection. For convenience, consider the following picture:

   There are two networks; the first network has address 192.168.1.0, the second 192.168.2.0. The networks are interconnected by a router with the IP addresses 192.168.1.1 and 192.168.2.1. Computer 192.168.1.3 is used to connect to the Internet.
     In this example we will refer to the computers by their IP addresses. ProxyHost is 192.168.1.3.
     The problem is that the computers use a default route to reach the other network. The default route points to the appropriate router interface. At the moment computer 192.168.1.3 connects to the Internet, the default route is overwritten and points to the Internet gateway. Now computer 192.168.1.3 can't "see" computers on the 192.168.2.0 network and, as a consequence, computers on the 192.168.2.0 network can't connect to computer 192.168.1.3.

    To overcome this, add an explicit route for the other network to the routing table, so that reaching it no longer depends on the default route. On computer 192.168.1.3 type the following command at a command prompt:

c:\>route ADD 192.168.2.0 MASK 255.255.255.0 192.168.1.1 

   A packet destined for the 192.168.2.0 network with netmask 255.255.255.0 is now sent through the router with IP address 192.168.1.1, regardless of where the default route points. Use the switch -p under Windows NT to make this route persistent across reboots. For Windows 95, add this command to your AUTOEXEC.BAT file.

   After this command computer 192.168.1.3 will "see" the computers on network 192.168.2.0.
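   The following is an added example, not WinProxy or Windows code, that models the route lookup on 192.168.1.3 in the three states this appendix describes: before dialling, after RAS has replaced the default route, and after the route ADD command. The ISP gateway address 10.0.0.1 and the interface labels are assumptions, and dialUp() is a model of what RAS does rather than an implementation of it.

```javascript
// Longest-prefix route lookup before and after a dial-up connection.
// Constructed example for this manual.

function ipNum(ip) {
  return ip.split(".").reduce(function (n, b) { return n * 256 + Number(b); }, 0);
}

// Among routes whose network contains dst, the one with the longest
// (numerically largest) mask wins. The default route has mask 0.0.0.0 and
// so only applies when nothing more specific matches.
function lookup(table, dst) {
  var d = ipNum(dst), best = null;
  table.forEach(function (r) {
    var m = ipNum(r.mask);
    var matches = ((d & m) >>> 0) === ((ipNum(r.dest) & m) >>> 0);
    if (matches && (best === null || (m >>> 0) > (ipNum(best.mask) >>> 0))) best = r;
  });
  return best;
}

function nextHop(table, dst) {
  var r = lookup(table, dst);
  return r ? r.gateway : null;
}

// Equivalent of "route ADD dest MASK mask gateway".
function routeAdd(table, dest, mask, gateway, iface) {
  return table.concat([{ dest: dest, mask: mask, gateway: gateway, iface: iface }]);
}

// Model of the RAS link coming up: the default route is replaced by one
// through the ISP (gateway address assumed).
function dialUp(table) {
  return table.filter(function (r) { return r.mask !== "0.0.0.0"; })
    .concat([{ dest: "0.0.0.0", mask: "0.0.0.0", gateway: "10.0.0.1", iface: "Dial-up" }]);
}

// Routing table of 192.168.1.3 while the modem is idle.
var LAN_TABLE = [
  { dest: "192.168.1.0", mask: "255.255.255.0", gateway: "192.168.1.3", iface: "LAN" },  // directly attached
  { dest: "0.0.0.0",     mask: "0.0.0.0",       gateway: "192.168.1.1", iface: "LAN" }   // default via the router
];

// Walk through the three states the appendix describes.
function demonstrate() {
  var idle = nextHop(LAN_TABLE, "192.168.2.5");                   // via the router
  var connected = dialUp(LAN_TABLE);
  var broken = nextHop(connected, "192.168.2.5");                 // via the ISP: other segment unreachable
  var repaired = routeAdd(connected, "192.168.2.0", "255.255.255.0", "192.168.1.1", "LAN");
  var fixed = nextHop(repaired, "192.168.2.5");                   // via the router again
  var internet = nextHop(repaired, "198.51.100.7");               // still via the ISP
  return { idle: idle, broken: broken, fixed: fixed, internet: internet };
}
```

The explicit /24 route outranks whichever default route is current, which is why it survives the dial-up and why Internet traffic is unaffected by it.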