Proxy Functionality


Proxy Overview
The Sambar Server proxy functionality allows many computers on a local network to connect to the Internet from a single (dynamic) IP address. The Sambar Server proxy also provides limited firewalling of the local network systems from the Internet. Note: Attacks based on IP spoofing can penetrate the Sambar Server proxy (in a limited fashion). Packet routing must be used in addition to the Sambar Server to prevent access through the IP network layer.

The Sambar Server proxy functionality includes the following:

  • Proxy server for HTTP, HTTPS, FTP (via HTTP)
  • Gateway for SMTP, POP3 and IMAP4
  • IP address security filtering of connections
  • Remote-proxy utilization (ISP caching proxy)

If your ISP provides a high-performance caching proxy which you wish to take advantage of, the Sambar Server proxy can be configured to utilize your ISP's proxy for HTTP and HTTPS requests. The Remote Proxy configuration entry can be used to directy Sambar Server proxy requests via your ISPs proxy. Remote Proxy must be left blank if you are not using your ISPs proxy. The Remote Proxy feature is not available for FTP at this time.

Lastly, the Sambar Server proxy provides no caching. All HTTP requests are passed through without interpretation or modification. There are presently no plans to implement a caching engine; I believe the benefits of "sophisticated" cache engines are overrated. Furthermore, as web content becomes more dynamic and Secure Sockets Layer sessions become more prevalent, the advantage of proxy server caching is correspondingly diminished. Lastly, I believe web site operators have valid concerns about copyright violations (since caching requires copying the content) and the ability to accurately monitor hit rates when caching proxies are placed between the user and site.

TCP/IP Configuration
To use the Sambar Server proxy functionality, all hosts must be configured with TCP/IP. In addition, DNS and network routing must be properly configured among machines. Contact your System Administrator or network consultant with questions on network setup.

Client/Browser Configuration

Netscape Version 4

  1. Open the Netscape Communicator Web Browser.
  2. Select the Edit menu.
  3. Select the Preferences menu item.
  4. Click on the plus (+) in front of the Advancced tree control.
  5. Click the Proxies item.
  6. Select Manual Proxy Configuration radio button and click the view button.
  7. Type <your machine> in the HTTP Proxy: field and 80 in the port field.
  8. Type <your machine> in the Security Proxy: field and 80 in the port field.
  9. Type <your machine> in the FTP Proxy: field and 80 in the port field.
  10. Type <your machine:80> in the No Proxies for: field.
  11. Click the OK button to close the dialog box

Netscape Version 2 & 3

  1. Open the Netscape Navigator Web Browser.
  2. Select the Options menu.
  3. Select the Network Preferences menu item.
  4. Click the Proxies tab.
  5. Select Manual Proxy Configuration radio button and click the view button.
  6. Type <your machine> in the HTTP Proxy: field and 80 in the port field.
  7. Type <your machine> in the Security Proxy: field and 80 in the port field.
  8. Type <your machine> in the FTP Proxy: field and 80 in the port field.
  9. Type <your machine:80> in the No Proxies for: field.
  10. Click the OK button to close the dialog box
For Netscape Version 2 only:

  1. Open the Options menu.
  2. Select the Save Options menu item.

Microsoft Internet Explorer Version 3

  1. Open the Microsoft Internet Explorer Web Browser.
  2. Open the View menu.
  3. Select the Options menu item.
  4. Click on the Connection tab.
  5. Select Connect through a proxy server.
  6. Click on the Settings button.
  7. Type the following settings in the Servers section:
    HTTP:   <your machine> 	Port:	80

    Leave all other field blank.

  8. Click the OK button to close the Proxy Settings dialog box.
  9. Click the OK button to close the Options dialog box.

Lastly, if your clients are using the Sambar Proxy Server as well as the Sambar HTTP Server, they must configure the No Proxy for: field of their browser to the Sambar HTTP Server, port 80.

Mail

SMTP, POP3 and IMAP4 messages can be forwarded to their respective servers via the Sambar Server. The Sambar Server must first be configured with the appropriate Internet servers (via the browser-based administration interface). Once configured, your mail client must be configured to contact the Sambar Server for SMTP, POP3 and/or IMAP4 requests. In essence, your client mailer believes that the Sambar Server is its mail server (while mail is transparently forwarded via the Internet to the real server (typically on your ISPs machine.

The Sambar Server does not act as a native SMTP server. SMTP is not suitable for dial-up lines because computers working as SMTP servers must have a permanent/full-time connection to the Internet to receive e-mail (dynamic IP addresses are not appropriate), and SMTP servers are responsible for message delivery including store and forward should be destination be unreachable for some period. If these obstacles can be overcome, Sambar Technologies hopes to provide SMTP support in a future release.

POP3 Proxy Options

The POP3 Enhanced mode allows users to over-ride the default POP3 proxy configured in the Sambar Server with one of their own choosing. When enhanced mode is enabled, users can modify their POP3 username to append the # symbol followed by the POP3 server to which their mail request should forwarded.

So by default, if the Sambar Server POP3 Proxy Server is set to smtp.ix.netcom.com, then a proxy user with an email username of billybob would be directed to the smtp.ix.netcom.com mail server. If however, you wished to override the mail server and connect to an alternate server (i.e. mail.meer.net), you would configure your mail client with the following username:

billy-bob#mail.meer.net

With the above configuration, when the POP3 Proxy receives the mail request from billy-bob, it will direct the request to the mail.meer.net server rather than the default POP3 server.

Important: In the above example, billy-bob#mail.meer.net will be used as the default return address unless you specify the correct one in your mail client. Make sure to configure your return address as your actual e-mail address>.

Dial-on-Demand
The Sambar Server can establish dial-up connections to your ISP via the Dial-on-Demand feature. If configured, the server attempts to connect to your ISP when an outbound connection is attempted from the Sambar Server (typically during proxy use).

The dial-on-demand configuration allows the user to configure the RAS entry, username, and password to use when connecting via the RAS interface. In addition, a timeout period is defined allowing the dial-up connection to be dropped after a fixed period of inactivity. Note: This feature has only be tested to work with PPP connections.

security.ini

The HTTP proxy server includes IP security filtering. By default, this security filtering restricts HTTP proxy access to IP addresses in the range 140.175.165.0 to 140.175.165.255. You will receive a FORBIDDEN message if you attempt to connect via the HTTP proxy server from a machine other than one in this range. You should change the [proxyaccept] filter to one appropriate for the machines that will be accessing it.

FTP Proxy

When a browser is told to use a server/port for FTP proxy, it bundles its FTP request in an HTTP stream and forwards it on to the proxy. The browser expects all communication with the proxy to take place in HTTP/HTML. The proxy then translates the request into FTP commands. So the communcation looks like:

browser --> [http + ftp header] PROXY --> [ftp] FTP-Server

When no proxy is specified, the browser issues FTP commands directly to the server:

browser --> [ftp] FTP-Server

This differs from the HTTP proxy stream which is a "simple" passthrough mechanism:

browser --> [http + proxy header] PROXY --> [http] HTTP-Server

In the HTTP proxy case, only the initial proxy header directive is manipulated and then a virtual circuit is formed between the browser and the server for all subsequent communication. The stream ends when either side fails to communicate within the Network Read Timeout duration configured in the server.

In the FTP proxy case, the server must translate HTML requests into FTP requests (effectively writting an FTP client for the middle tier). This is considerably more complex code and more error prone.

Bridge Proxy

The Bridge Proxy included with the Sambar Server is a relatively simple mechanism to map TCP traffic from one network to another. The Bridge proxy can be configured to listen to traffic destined for a specified TCP port (i.e. 8080) and then forward all requests to the same TCP port of the Bridge Server specified in the config.ini file. For example, to telnet from a machine on one side of the Sambar Server to a remote machine on the other side of the "firewall", you could use the Bridge Proxy to connect the session:

Bridge Port = 23
Act As Bridge Proxy = true
Bridge Server = www.remotehost.com

With the above configuration, you would telnet to the machine on which your Sambar Server is running and it would automatically forward your request to www.remotehost.com.

telnet sambarserver <--> Sambar Server <--> Telnet Daemon
localhost sambarserver www.remotehost.com

In fact, the NNTP, SMTP, POP3 and IMAP4 proxies operate exactly as the Bridge Proxy does -- for ease of installation and configuration, these three bridge proxies are set aside for various mail protocols. (Note: The FTP proxy does not operate in this manner; it must interpret the FTP protocol).

The Bridge Proxy can be used to trace client/server connections by configuring the Trace Bridge property in the config.ini file to true. See the Bridge Proxy Debugging documentation for details on using the Bridge Proxy for debugging.

© 1998 Sambar Technologies. All rights reserved. Terms of Use.