Proxy Functionality

Proxy Overview
The Sambar Server proxy functionality allows many computers on a local network to connect to the Internet from a single (dynamic) IP address. The Sambar Server proxy also provides limited firewalling of the local network systems from the Internet. Note: Attacks based on IP spoofing can penetrate the Sambar Server proxy (in a limited fashion). Packet routing must be used in addition to the Sambar Server to prevent access through the IP network layer.

The Sambar Server proxy functionality includes the following:

  • Proxy server for HTTP, HTTPS, FTP (via HTTP)
  • Native FTP proxy
  • Gateway for SMTP, POP3 and IMAP4
  • IP address security filtering of connections
  • Remote-proxy utilization (ISP caching proxy)

If your ISP provides a high-performance caching proxy which you wish to take advantage of, the Sambar Server proxy can be configured to utilize your ISP's proxy for HTTP and HTTPS requests. The Remote Proxy configuration entry can be used to direct Sambar Server proxy requests via your ISP's proxy. In addition to the Remote Proxy configuration parameter, the Remote Proxy Port and Remote Proxy Authorization can be configured for forwarding requests. The Remote Proxy Authorization allows you to specify the username:password that should be forwarded for proxy Basic authentication. The Remote Proxy must be left blank if you are not using your ISP's proxy. The Remote Proxy feature is not available for FTP at this time.

Lastly, the Sambar Server proxy provides no caching. All HTTP requests are passed through without interpretation or modification. There are presently no plans to implement a caching engine; I believe the benefits of "sophisticated" cache engines will diminish as web content becomes more dynamic and Secure Sockets Layer sessions become more prevalent. Lastly, I believe web site operators have valid concerns about copyright violations (since caching requires copying the content) and the ability to accurately monitor hit rates when caching proxies are placed between the user and site.

Warning! The Sambar Server proxy does not function well on Windows 95. Due to bugs in the TCP/IP stack on this platform the server becomes unstable and stops responding to requests or crashes. It is recommended you upgrade to Windows 98 or NT.

TCP/IP Configuration
To use the Sambar Server proxy functionality, all hosts must be configured with TCP/IP. In addition, DNS and network routing must be properly configured among machines. Contact your System Administrator or network consultant with questions on network setup.

The Sambar HTTP Server and HTTP Proxy share the same port, so if the HTTP server is changed to run on a port other than 80, the HTTP Proxy will also run on this new port.

Client/Browser Configuration

Important: <your machine> refers to the machine on which the Sambar Server is installed.

Netscape Version 4

  1. Open the Netscape Communicator Web Browser.
  2. Select the Edit menu.
  3. Select the Preferences menu item.
  4. Click on the plus (+) in front of the Advanced tree control.
  5. Click the Proxies item.
  6. Select Manual Proxy Configuration radio button and click the view button.
  7. Type <your machine> in the HTTP Proxy: field and 80 in the port field.
  8. Type <your machine> in the Security Proxy: field and 80 in the port field.
  9. Type <your machine> in the FTP Proxy: field and 80 in the port field.
  10. Type <your machine:80> in the No Proxies for: field.
  11. Click the OK button to close the dialog box

Netscape Version 2 & 3

  1. Open the Netscape Navigator Web Browser.
  2. Select the Options menu.
  3. Select the Network Preferences menu item.
  4. Click the Proxies tab.
  5. Select Manual Proxy Configuration radio button and click the view button.
  6. Type <your machine> in the HTTP Proxy: field and 80 in the port field.
  7. Type <your machine> in the Security Proxy: field and 80 in the port field.
  8. Type <your machine> in the FTP Proxy: field and 80 in the port field.
  9. Type <your machine:80> in the No Proxies for: field.
  10. Click the OK button to close the dialog box

For Netscape Version 2 only:

  1. Open the Options menu.
  2. Select the Save Options menu item.

Microsoft Internet Explorer Version 3

  1. Open the Microsoft Internet Explorer Web Browser.
  2. Open the View menu.
  3. Select the Options menu item.
  4. Click on the Connection tab.
  5. Select Connect through a proxy server.
  6. Click on the Settings button.
  7. Type the following settings in the Servers section:
    HTTP:   <your machine> 	Port:	80

    Leave all other fields blank.

  8. Click the OK button to close the Proxy Settings dialog box.
  9. Click the OK button to close the Options dialog box.

Important: Many users have reported problems using Microsoft Internet Explorer Version 4 with the Sambar Server proxy. Problems include "Bad Gateway" error messages and missing graphics. These problems are being debugged, but appear to be specific to IE4.X browsers.

Lastly, if your clients are using the Sambar Proxy Server as well as the Sambar HTTP Server, they must configure the No Proxy for: field of their browser to the Sambar HTTP Server, port 80. For Internet Explorer, the "bypass proxy server for local internet addresses" option should be turned on.

Proxy Filtering

If enabled via the Proxy Word Filter entry in config/config.ini, the HTTP Proxy can be used to block inappropriate sites via either the config/wordlist.ini word filter or the config/urllist.ini URL filter list. These lists are loaded at server startup and are used to examine all HTTP proxy activity. The URL list may contain wild-card characters to match a broader range of URLs, e.g. http://www.playboy.com/*. In addition, the config/whitelist.ini can be used to allow access to sites that otherwise might match against the config/wordlist.ini.

One side-effect of enabling HTTP proxy filtering is that all HTTP requests sent through the proxy have the header Accept-Encoding stripped. As a result, servers that can send compressed content (currently, the Sambar Server and IIS) will not do so, allowing the resulting content to be word-scanned for inappropriate content.
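The following added example (not Sambar Server code) models the filter decision described above and shows why Accept-Encoding is stripped: a word scan over a gzip-compressed body sees only compressed bytes. The list contents, the precedence order and all function names are assumptions made for illustration.

```python
import fnmatch
import gzip

# Constructed stand-ins for urllist.ini, wordlist.ini and whitelist.ini;
# the real file syntax is not shown on this page.
URL_LIST = ["http://blocked.example/*"]
WORD_LIST = ["forbiddenword"]
WHITE_LIST = ["http://clinic.example/*"]


def strip_accept_encoding(headers):
    """Drop Accept-Encoding so the origin server replies uncompressed."""
    return {k: v for k, v in headers.items() if k.lower() != "accept-encoding"}


def matches(url, patterns):
    """Wild-card match of a URL against a pattern list, case-insensitive."""
    return any(fnmatch.fnmatchcase(url.lower(), p.lower()) for p in patterns)


def decide(url, body):
    """Return 'block' or 'allow' for one proxied response body (bytes).

    Assumed precedence: URL list, then whitelist, then word scan.
    """
    if matches(url, URL_LIST):
        return "block"
    if matches(url, WHITE_LIST):
        return "allow"  # whitelist exempts the site from the word scan
    text = body.decode("latin-1").lower()
    return "block" if any(w in text for w in WORD_LIST) else "allow"


# Constructed response body containing a listed word.
PAGE = b"<html><body>" + b"forbiddenword " * 20 + b"</body></html>"

if __name__ == "__main__":
    url = "http://news.example/story.html"
    print(decide(url, PAGE))                 # scanner sees the plain text
    print(decide(url, gzip.compress(PAGE)))  # scanner sees only gzip bytes
    print(strip_accept_encoding({"Host": "news.example",
                                 "Accept-Encoding": "gzip"}))
```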

Mail

SMTP, POP3 and IMAP4 messages can be forwarded to their respective servers via the Sambar Server. The Sambar Server must first be configured with the appropriate Internet servers (via the browser-based administration interface). Once configured, your mail client must be configured to contact the Sambar Server for SMTP, POP3 and/or IMAP4 requests. In essence, your client mailer believes that the Sambar Server is its mail server, while mail is transparently forwarded via the Internet to the real server (typically on your ISP's machine).

The Sambar Server can act as a native SMTP server, but SMTP is not suitable for dial-up lines because computers working as SMTP servers must have a permanent/full-time connection to the Internet to receive e-mail (dynamic IP addresses are not appropriate), and SMTP servers are responsible for message delivery, including store and forward should the destination be unreachable for some period.

POP3 Proxy Options

The POP3 Enhanced mode allows users to over-ride the default POP3 proxy configured in the Sambar Server with one of their own choosing. When enhanced mode is enabled, users can modify their POP3 username to append the # symbol followed by the POP3 server to which their mail request should be forwarded.

So by default, if the Sambar Server POP3 Proxy Server is set to smtp.ix.netcom.com, then a proxy user with an email username of billy-bob would be directed to the smtp.ix.netcom.com mail server. If, however, you wished to override the mail server and connect to an alternate server (i.e. mail.meer.net), you would configure your mail client with the following username:

billy-bob#mail.meer.net

With the above configuration, when the POP3 Proxy receives the mail request from billy-bob, it will direct the request to the mail.meer.net server rather than the default POP3 server. In addition to over-riding the mail server, you can use the POP3 Enhanced functionality to over-ride the port number as well. This feature can be used with products such as Norton AntiVirus 2000 which must run on port 110. To use the Sambar Proxy Server with a product that runs on port 110, you would run the POP3 proxy on another port (POP3 Port) and use the POP3 enhanced to connect to the remote server on port 110.

billy-bob#mail.meer.net:110

Important: In the above example, billy-bob#mail.meer.net will be used as the default return address unless you specify the correct one in your mail client. Make sure to configure your return address as your actual e-mail address.

Note: The enhanced POP3 proxy does not support the AUTH feature of POP3 or IMAP4. So mail authentication mechanisms will be rejected (relatively few mail servers use AUTH-based authentication).
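Because the enhanced username lets the client choose the upstream host and port, a front end to such a proxy would normally parse the suffix strictly and check it against an allowed set. The sketch below is an added example, not Sambar Server code; the allowlist, the default port of 110 when none is given, and all function names are assumptions.

```python
# Default upstream taken from the example above.
DEFAULT_UPSTREAM = ("smtp.ix.netcom.com", 110)
# Hypothetical operator policy (not a Sambar setting): upstreams users may pick.
ALLOWED_UPSTREAMS = {("smtp.ix.netcom.com", 110), ("mail.meer.net", 110)}


def parse_enhanced_user(login):
    """Split 'user#host[:port]' into (user, host, port)."""
    # Reject spaces and control characters (CR/LF) so the value cannot
    # carry a second command when relayed upstream as 'USER <user>'.
    if not login.isprintable() or " " in login:
        raise ValueError("illegal character in login")
    user, sep, target = login.partition("#")
    if not sep:
        return (user,) + DEFAULT_UPSTREAM
    host, sep, port_text = target.partition(":")
    port = 110  # assumed default when the suffix carries no port
    if sep:
        if not (port_text.isascii() and port_text.isdigit()):
            raise ValueError("port is not a number")
        port = int(port_text)
        if not 0 < port < 65536:
            raise ValueError("port out of range")
    if not user or not host:
        raise ValueError("empty user or host")
    return user, host.lower(), port


def route(login):
    """Return (user, host, port) only if the upstream is allowed."""
    user, host, port = parse_enhanced_user(login)
    if (host, port) not in ALLOWED_UPSTREAMS:
        raise PermissionError("upstream %s:%d not permitted" % (host, port))
    return user, host, port


if __name__ == "__main__":
    # Constructed logins: the page's two examples, the default case,
    # and one pointing at an upstream outside the allowed set.
    for login in ("billy-bob#mail.meer.net", "billy-bob#mail.meer.net:110",
                  "billy-bob", "billy-bob#internal.example:25"):
        try:
            print(login, "->", route(login))
        except (ValueError, PermissionError) as err:
            print(login, "-> rejected:", err)
```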

Dial-on-Demand
The Sambar Server can establish dial-up connections to your ISP via the Dial-on-Demand feature. If configured, the server attempts to connect to your ISP when an outbound connection is attempted from the Sambar Server (typically during proxy use).

The dial-on-demand configuration allows the user to configure the RAS entry, username, and password to use when connecting via the RAS interface. In addition, a timeout period is defined allowing the dial-up connection to be dropped after a fixed period of inactivity. Note: This feature has only been tested to work with PPP connections.

Important! When using both the WWW server and the proxy server, make sure to configure your browser (using the browser's Manual Proxy Settings) to not use the proxy server when accessing local servers. This will prevent the server from auto-dialing out to the internet when only local pages are accessed.

security.ini

The HTTP proxy server includes IP security filtering. By default, this security filtering restricts HTTP proxy access to IP addresses in the range 140.175.165.0 to 140.175.165.255. You will receive a FORBIDDEN message if you attempt to connect via the HTTP proxy server from a machine other than one in this range. You should change the [proxyaccept] filter to one appropriate for the machines that will be accessing it.

FTP Proxy

The Sambar Server has three FTP features (which can be a bit confusing):

  • FTP browser-based proxy. This is for WWW browsers so that you can type: ftp://www.asite.com/. When configuring your client browser, the FTP browser proxy should be configured to the same port as the HTTP Proxy (port 80 by default).
  • FTP Server. This is off by default but can be used to upload files to the server (on port 21).
  • Native FTP Proxy. This is also off by default and also runs on port 21. Native (as opposed to browser-based) FTP Clients like CuteFTP can be configured to use the Sambar Server FTP Native Proxy to connect to sites on the internet (details below) using the username#remote-site proxy format. When the Sambar Server Native FTP Proxy sees a user request in this format, the request is directed to "remote-site" rather than the local FTP Server.

When a browser is told to use a server/port for FTP proxy, it bundles its FTP request in an HTTP stream and forwards it on to the proxy. The browser expects all communication with the proxy to take place in HTTP/HTML. The proxy then translates the request into FTP commands. So the communication looks like:

browser --> [http + ftp header] PROXY --> [ftp] FTP-Server

When no proxy is specified, the browser issues FTP commands directly to the server:

browser --> [ftp] FTP-Server

This differs from the HTTP proxy stream which is a "simple" passthrough mechanism:

browser --> [http + proxy header] PROXY --> [http] HTTP-Server

In the HTTP proxy case, only the initial proxy header directive is manipulated and then a virtual circuit is formed between the browser and the server for all subsequent communication. The stream ends when either side fails to communicate within the Network Read Timeout duration configured in the server.

In the FTP proxy case, the server must translate HTML requests into FTP requests (effectively writing an FTP client for the middle tier). This is considerably more complex code and more error prone.

Native FTP Proxy

The Sambar server can proxy for FTP clients in addition to browser clients (as outlined in the section above). The native FTP proxy supports FTP clients that can proxy using the USER user@host proxy capability.

The native FTP proxy operates by stripping the host from the USER login field and then connecting to the FTP server at that host site and acting as a proxy between the client and server. The FTP Host being connected to must run on port 21 and can use either standard or PASV transfers.

Bridge Proxy

The Bridge Proxy included with the Sambar Server is a relatively simple mechanism to map TCP traffic from one network to another. The Bridge proxy can be configured to listen to traffic destined for a specified TCP port (i.e. 8080) and then forward all requests to the same TCP port of the Bridge Server specified in the config.ini file. For example, to telnet from a machine on one side of the Sambar Server to a remote machine on the other side of the "firewall", you could use the Bridge Proxy to connect the session:

Bridge Port = 23
Act As Bridge Proxy = true
Bridge Server = www.remotehost.com

With the above configuration, you would telnet to the machine on which your Sambar Server is running and it would automatically forward your request to www.remotehost.com.

telnet sambarserver <--> Sambar Server <--> Telnet Daemon
localhost                sambarserver       www.remotehost.com

In fact, the NNTP, SMTP, POP3 and IMAP4 proxies operate exactly as the Bridge Proxy does -- for ease of installation and configuration, these three bridge proxies are set aside for various mail protocols. (Note: The FTP proxy does not operate in this manner; it must interpret the FTP protocol).

The Bridge Proxy can be used to trace client/server connections by configuring the Trace Bridge property in the config.ini file to true. See the Bridge Proxy Debugging documentation for details on using the Bridge Proxy for debugging.

To over-ride the port used by the Bridge Proxy when connecting to the bridge server, you can append a colon (:) followed by the new port to the Bridge Server definition (i.e. localhost:80).

TCP & UDP Proxies
For Pro Server users who need additional TCP or UDP port forwarding, the TCP Proxy and UDP Proxy directives can be used. The values of the TCP Proxy and UDP Proxy operate just as the Bridge Proxy does, except that the source and destination port must be the same.

TCP Proxy = www.test.com:9000
UDP Proxy = 999 www.test.com:69

The first directive above causes the Sambar Server to establish a TCP listener on port 9000 and forward all TCP requests to port 9000 of the host www.test.com. The second directive results in the server establishing a UDP listener on port 999 and forwarding all UDP requests to port 69 of the host www.test.com.

© 1998-2000 Sambar Technologies. All rights reserved. Terms of Use.