From: Volker Tanger [mailto:[EMAIL PROTECTED]]
>
> Greetings!
>
> I always was told (by the official proxy experts of MS Germany) that one can
> only restrict the access to the proxy server itself.
This is true, because Proxy server actually does what its name implies - it
proxies all traffic from the internal network. In that sense, all traffic
is generated by the proxy server and so packet filtering only applies to the
proxy server itself.
The thing you are missing is the 'Winsock Proxy' component which is a hack
installed on the clients which turns all your socket APIs into RPCs onto the
Proxy Server itself. This is very different to the way a normal firewall
behaves and means it is a Windows-only client solution.
> But I checked back with MS KB - and it seems that there is some "normal"
> packet filtering. Some questions here:
>
> * Has IP forwarding/routing to be enabled?
No - this should be disabled, or you are subverting the whole point of Proxy
Server.
> * Is that filtering standard packet filtering - using the machine only as
> router?
> Or does that work only as filter for the HTTP or Socks proxy?
The machine is not a router. The packet filtering works for all traffic to
the Proxy Server, including HTTP, Socks and Winsock proxies.
> * The filter is configured in HTTP proxy menus - but is dependent on which
> part(s) of the proxy running? IIS? Socks?
It is dependent on Proxy Server being installed. The packet filtering is
implemented as a layered device driver which sits underneath the TCP stack.
If you shut down the services then the external ethernet card effectively
goes dead.
> * How to configure more than 2 NICs? You only can configure the directions
> "IN", "OUT" and "BOTH" which indicates, that not.
You can't. This is a big failing of Proxy Server - no DMZ. A NIC is
classed as either inside the firewall or outside the firewall.
> * What happens if the HTTP and/or socks proxy stops? Will the rules stop to
> filter (letting all through), stop to forward (blocking connection) or work
> on normally?
The packet filter is independent of the above two services. I believe it is
dependent on the 'Microsoft Proxy Server Administration' service running and
will stop allowing packets through if this service is stopped.
Regards,
John Wiltshire