Article: Q256145
Product(s): Microsoft Windows NT
Version(s): NT:4.5; winnt:2.0,4.0,4.5
Operating System(s):
Keyword(s): kbenv kbtool
Last Modified: 18-JUL-2002
-------------------------------------------------------------------------------
The information in this article applies to:
- Microsoft BackOffice Server 4.5
- Microsoft BackOffice Small Business Server version 4.5
- Microsoft Proxy Server version 2.0
- Microsoft Windows NT Server version 4.0
-------------------------------------------------------------------------------
SUMMARY
=======
This article describes how to use the Microsoft Network Monitor Tools and agent
provided with Windows NT and Small Business Server to determine how to configure
protocol definitions and custom packet filters for Proxy Server.
MORE INFORMATION
================
Protocol definitions are necessary for some client applications to function
properly through Proxy Server. Custom static packet filters are necessary for
applications that must run on the server. Network Monitor is useful when the
application does not provide documentation containing port numbers and
configuration information.
To determine the necessary custom configuration for an application to communicate
through Proxy Server, you need to do the followng five procedures in this order
(these procedures are explained in detail later in this article):
1. Determine whether the application uses Winsock or Web Proxy.
2. Install Network Monitor on the Proxy Server.
3. Capture and analyze the network traffic to determine the needs of the
application.
4. Configure the necessary protocol definitions or static custom packet filters.
5. Test the application.
Determine Whether the Application Uses Winsock or Web Proxy
-----------------------------------------------------------
Many applications provide support for use with a Proxy Server. A good example of
this is Microsoft Internet Explorer. Internet Explorer can be configured to use
a Proxy Server through the connection settings in Internet Options. Applications
that are configured to use a proxy server use the Web Proxy to communicate
through the Proxy. These applications should require only that the proper Proxy
Server information be entered in order for the Web Proxy to handle the
application's requests.
Applications that have no feature to use a Proxy Server may also be able to
communicate through Proxy Server. These applications use the Proxy Server's
Winsock Proxy. In order for this to work properly, the application must use
Winsock for communication and the client computer hosting the application must
have the Winsock Proxy Client properly installed. To install the Winsock Proxy
Client on a Proxy Server's client computer, follow these steps:
1. Run Setup.exe from the \\<servername>\mspclnt share, or use the browser
to go to http://<servername>/msproxy.
2. After the Winsock Proxy Client installation is complete, open a command
prompt.
3. Change directories to the \mspclnt folder, usually at c:\mspclnt.
4. Type the following command
chkwsp32 /f
and then press ENTER.
If the Winsock Proxy Client is installed and communicating properly with the
Proxy Server, you receive the following message:
Client control protocol version MATCHES the server Control protocol
For applications that run on the Server, see the "Custom Packet Filters" section
later in this article.
Install the Network Monitor Tools and Agent on the Proxy Server
---------------------------------------------------------------
1. Right-Click Network Neighborhood, and then click Properties.
2. On the Services tab, click Add.
3. Click "Network Monitor Tools and Agent", and then click OK.
4. Close the Network Properties dialog box, and restart the computer when
prompted.
NOTE: The full version of Network Monitor ships with Microsoft Systems Management
Server (SMS). SMS is included with Microsoft BackOffice. For additional
information about Network Monitor, click the article number below to view the
article in the Microsoft Knowledge Base:
Q148942 How to Capture Network Traffic with Network Monitor
Capture Network Traffic from the Client Computer
------------------------------------------------
1. Click Start, point to Programs, point to Administrative Tools, and then click
Network Monitor.
NOTE: If you use the version of Network Monitor that is included in SMS,
start Network Monitor this way: click Start, point to Programs, point to
Network Analysis Tools, and then click Network Monitor.
2. On the Capture menu, click Networks.
3. Double-click the server's internal network interface.
4. To start the capture, click the Play button on the toolbar, or click Start on
the Capture menu.
5. Attempt to connect to the Internet using the Client application from the
Client computer.
6. Once the attempt fails from the Client computer, stop the capture: click the
Stop button on the toolbar, click Stop on the Capture menu.
7. To view the capture, click the "eyeglasses" button on the toolbar, or click
Display Captured Data on the Capture menu.
NOTE: On exceptionally busy networks, you may have to click Buffer Settings
on the Capture menu, and increase the amount of memory used for the buffer to
make sure you do not lose any packets.
Analyze Network Traffic
-----------------------
The following is an example of a Network Monitor trace that was used to determine
Protocol Definitions for a Winsock Application. Network Monitor interprets the
TCP header information and displays it as follows:
TCP: ....S., len: 0, seq: 28201-298201, ack: 0, win: 8192, src: 1124 dst: 443
The following is a brief description of each header component:
TCP = Type of Frame
S = SYN flag, used at the beginning of the connection setup to establish sequence and acknowledgement numbers.
len = Header length, Data offset
seq = Sequence number, used to indicate the sequence number corresponding to the first octet in this segment or frame.
ack = acknowledgement number, significant only if the Ack flag is set
win = TCP Window size
src = Source Port
dst = Destination Port
Configure Protocol Definition
-----------------------------
Because the sample frame above shows the application making a request to the
Destination, TCP port 443, from the Source, TCP port 1124, the Protocol
Definition would be configured as follows:
Protocol Name: CustomApp
Initial Connection: Port 443
Type: TCP
Direction: Outbound
Port Ranges for subsequent connections:
Port: 0
Type: TCP
Direction Inbound
In this case, because the request was made to port 443, the reply would be sent
back from port 443 to the originating port of 1124. The resulting configuration
includes Port Ranges for subsequent connections to allow reply traffic from the
external server. To configure the Protocol Definition described in the example
above, follow these steps:
1. Click the Protocols tab in the Winsock Proxy Service Properties dialog box.
2. Click the Add button.
3. Type the protocol name.
4. Choose the port type and direction.
5. Under port ranges for subsequent connections, click Add.
6. Fill in the Port Range fields, and then select the type and direction.
7. Click OK until you return to the Microsoft Management Console, and then stop
and restart the Winsock Proxy.
NOTE: A port range setting of 0 for inbound connections indicates Port_Any, which
allows the server to select the port from the range 1024-5000.
Configure Custom Static Packet Filters
--------------------------------------
Custom static packet filters are only required if the application resides on the
server. A static packet filter is one that has been manually configured. Once a
Static Packet Filter is enabled for a particular port, that port is open to
anyone on the External Interface. The fewer ports and services open on the
External Interface, the fewer the chances of external attacks. For more
information about Security, see the following Web site:
http://www.microsoft.com/security
If a Network Monitor trace is necessary to determine port numbers for an
application running from the server, use the method described in the "Capture
Network Traffic from the Client Computer" section earlier in this article. Be
sure to select the external interface for the Proxy Server in step 3.
If an application must be run on the Proxy Server, configure a custom static
packet filter:
1. In the Winsock Proxy Server Properties dialog box, click the Security button.
2. In the Security dialog box, on the Packet Filters tab, click Add.
3. Click Custom Filter and define the custom filter.
a. Select the protocol to use.
b. Select the direction of packets that this filter will apply to.
c. Select the port on the Proxy Server that the application will use.
d. Select the port on the remote host that the application will use.
NOTE: If the application uses a fixed port for outbound packets, and a dynamic
port for inbound packets, it may be necessary to define two filters, one for
each direction.
4. To select the local host computer that will exchange packets with a remote
host computer, under Local host, do one of the following:
- To allow the default IP address for each external interface of the Proxy
Server computer to exchange packets, click "Default Proxy external IP
addresses".
- To allow a specific IP address for an external interface of the Proxy
Server computer to exchange packets, click Specific Proxy IP, and type a
valid IP address.
- To allow a specific internal computer behind Proxy Server to exchange
packets, click Internal computer, and type a valid IP address.
5. To allow a specific Internet (remote) host computer to exchange packets,
under "Remote host", click "Single host" and type a valid IP address. Or, to
allow any Internet (remote) host computer to exchange packets, click "Any
host".
6. Click OK.
Additional information can be found in Requests for Comments (RFCs) at the
following Web site:
http://www.rfc-editor.org
The RFCs form a series of notes about the Internet, and discuss many aspects of
computer communication, networking protocols, procedures, programs, and
concepts.
The Internet Assigned Numbers Authority documents protocol numbers and assignment
services at the following Web site:
http://www.iana.org
Microsoft provides third-party contact information to help you find technical
support. This contact information may change without notice. Microsoft does not
guarantee the accuracy of this third-party contact information.
Additional query words: netmon SBS Internet firewall
======================================================================
Keywords : kbenv kbtool
Technology : kbWinNTsearch kbWinNT400search kbWinNTSsearch kbWinNTS400search kbWinNTS400 kbAudDeveloper kbBackOfficeSearch kbProxyServSearch kbSBServSearch kbBackOfficeServ450 kbSBServ450 kbProxyServ200
Version : NT:4.5; winnt:2.0,4.0,4.5
Issue type : kbinfo
=============================================================================