The Permissions tab in the WinSock Proxy Service Properties dialog box also contains an Enable access control check box, as Screen 3 shows. By default, Proxy Server 2.0 enables this option. I strongly recommend that you do not disable access control. If you do, all WinSock Proxy clients can access the Internet, which is equivalent to giving the clients anonymous access.
At the top of the Protocol list in Screen 3 is Unlimited Access. I recommend that you do not select this option, because it overrides WinSock domain packet filtering. In other words, if you give users or groups unlimited access, they can access all the protocols and all the ports (including any ports that you haven't defined in the protocol configuration) on the server.
Web publishing tips. When you install IIS, IIS automatically starts three services: WWW, FTP, and Gopher. If you plan to publish to the Web, you need to disable the FTP and Gopher services on IIS for maximum security. Clients can continue to FTP through the browser, but they will not be able to use dedicated FTP client software. You don't need to disable the WWW service because Proxy Server 2.0, by default, prevents publishing to the Internet through the WWW service.
Before you enable Web publishing, you need to make sure your network is properly set up. I recommend that you install IIS on a second machine for Web publishing. Therefore, don't use the machine on which you installed Proxy Server 2.0 and IIS for Web publishing. (You don't need to install Proxy Server 2.0 on the second machine.) I also recommend that you install these two machines on a domain (e.g., WebPub) separate from your internal domains and create a one-way trust relationship in which the WebPub domain trusts all other corporate domains, as Figure 1 shows. You can restrict access to your LAN with this configuration, securing access to the Web servers for both intranet and Internet users. Plus, if you need to add proxy servers in the future, you can simply add them to the WebPub domain.
Alerting and logging tips. By default, Proxy Server 2.0 logs events in the System Log but doesn't send alert emails to administrators. You must manually configure the mail notification option. You can enable alerting only when you enable packet filtering. You can enable packet filtering only when you have a second network interface (such as a NIC) available. If you are using RAS on your proxy server, you can also use a dial-up adapter as the second network interface.
By default, Proxy Server 2.0 uses the Regular logging option, which means it logs events to a file or database on a daily basis. I recommend that you change the frequency to Verbose, which means Proxy Server 2.0 records all available information in real time. That way, you can view logs to confirm that you don't have any security loopholes. For example, suppose you just finished configuring Proxy Server 2.0 to stop users from accessing a certain site. If you have chosen Verbose, you can immediately check the log to see whether users are still accessing that site. If they are, you know that you need to correct your configuration parameters.
By default, Proxy Server 2.0 enables the Stop all services if disk full logging option. When the disk is full, the Web Proxy, WinSock Proxy, and SOCKS Proxy services stop as a security precaution. So if you don't want to miss any unauthorized accesses to your network, leave this option enabled. If you selected the Verbose logging option, be sure to check your free disk space frequently because the log fills up quickly.
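The two checks described above (confirming from the verbose log that a site you meant to block is really blocked, and watching how fast the log eats free disk space) are easy to automate. The script below is an added example, not code from the article or from Microsoft; the space-separated log layout it parses (client, user, date, time, protocol, destination host, destination port, result code, bytes) is a constructed stand-in for the real Proxy Server 2.0 log format, and the sample lines are constructed. Adapt `parse_log` to the field order your own log file uses.

```python
"""Check a proxy verbose log for accesses to a supposedly blocked site and
estimate how long the log can keep growing before the log volume fills up.

Added example. The log layout and sample lines below are constructed and are
NOT the real Proxy Server 2.0 log format; change parse_log() to match yours.
"""
from collections import Counter
from datetime import datetime

# Constructed sample log: client, user, date, time, protocol, host, port,
# result code, bytes. A 403 means the proxy refused the request; a 200 means
# the request went through, which is what we are looking for on a blocked site.
SAMPLE_LOG = """\
10.0.0.15 CORP\\jsmith 1998-03-04 09:12:01 http www.example.net 80 200 5120
10.0.0.22 CORP\\aperez 1998-03-04 09:12:44 http www.blocked.example 80 403 0
10.0.0.15 CORP\\jsmith 1998-03-04 09:13:10 http www.blocked.example 80 200 8844
10.0.0.31 CORP\\tlee 1998-03-04 09:14:02 ftp ftp.example.org 21 200 1024
10.0.0.22 CORP\\aperez 1998-03-04 09:15:30 http www.blocked.example 80 200 2048
"""


def parse_log(text):
    """Parse the assumed log layout into a list of dicts, skipping bad lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 9:
            continue  # malformed line: skip it rather than abort the whole check
        client, user, date, time_, proto, host, port, status, nbytes = fields
        records.append({
            "client": client,
            "user": user,
            "when": datetime.strptime(f"{date} {time_}", "%Y-%m-%d %H:%M:%S"),
            "protocol": proto,
            "host": host.lower(),
            "port": int(port),
            "status": int(status),
            "bytes": int(nbytes),
        })
    return records


def successful_hits(records, blocked_host):
    """Requests to blocked_host that the proxy let through (result code < 400)."""
    wanted = blocked_host.lower()
    return [r for r in records if r["host"] == wanted and r["status"] < 400]


def summarize(records, blocked_host):
    """Who still reached the blocked site, how often, and how many bytes moved."""
    hits = successful_hits(records, blocked_host)
    return {
        "hits": len(hits),
        "users": Counter(r["user"] for r in hits),
        "bytes": sum(r["bytes"] for r in hits),
    }


def seconds_spanned(records):
    """Wall-clock seconds between the first and last parsed entry."""
    if len(records) < 2:
        return 0
    times = [r["when"] for r in records]
    return int((max(times) - min(times)).total_seconds())


def seconds_until_full(records, log_size_bytes, free_bytes):
    """Rough time until free_bytes is consumed, assuming the log keeps growing
    at the average rate observed over the parsed entries."""
    span = seconds_spanned(records)
    if span == 0 or log_size_bytes == 0:
        return None  # not enough data to estimate a rate
    rate = log_size_bytes / span  # bytes per second
    return free_bytes / rate


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    report = summarize(recs, "www.blocked.example")
    print(f"Allowed hits on blocked site: {report['hits']} ({report['bytes']} bytes)")
    for user, count in report["users"].items():
        print(f"  {user}: {count}")
    eta = seconds_until_full(recs, len(SAMPLE_LOG.encode()), free_bytes=50_000_000)
    print(f"Estimated seconds until a 50 MB log volume fills: {eta:.0f}")
```

Run it against a log you copied off the proxy; a non-zero hit count after you added a site restriction means the configuration change did not take effect (for example, a WinSock or SOCKS path that bypasses the Web Proxy rule). The growth estimate is deliberately crude: verbose logging on a busy proxy is bursty, so treat the figure as a reason to check free space more often, not as a schedule.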
An Extensible Solution
Proxy Server 2.0's many security and performance capabilities make it an important addition to Microsoft's BackOffice suite and possibly to your network. After you become familiar with Proxy Server 2.0's capabilities, you will discover new applications in various environments and appreciate its usefulness as a firewall solution and as a Web cache server. Because Proxy Server 2.0 is an extensible solution, you can even develop custom products or use third-party products to further enhance its usefulness.