Firewall Wizards mailing list archives

Re: MS Proxy 2.0 is enough ?


From: Robert Graham <robert_david_graham () yahoo com>
Date: Wed, 24 Feb 1999 15:20:42 -0800 (PST)

I use MS-Proxy. Here are my experiences:

1. I use it on a 486/66 on a 416-Kbps Internet link with about 40
machines behind it. I've never seen it exceed 30% CPU utilization,
even when the link is maxed out by several concurrent people. In
theory, you can cluster them to support larger installations, but I
have no experience with that.

2. I've installed the SMTP gateway from the Option Pack. This gateway
forwards only (to a Linux SMTP/POP server). BTW, I chose RedHat Linux
over Exchange/NT because it was easier to get up and running for my
installation (in particular, with Microsoft, everything is an
operating system upgrade rather than an add-on, which gets tiresome
after a while). It was extraordinarily simple to set up the MS SMTP
gateway to perform exactly as I wanted it to (namely, act as a pure
proxy to/from the Internet and not allow spammers to relay e-mail
through my machine).

3. The SOCKS support sucks. I don't know if this is a problem with the
SOCKS specification, or just MS's implementation. But I have put a
Sniffer on the wire and localized my difficulties to SOCKS.

4. There is no FTP proxy that I can find. I've found lots of useful
FTP clients that support numerous types of FTP proxies, but the SOCKS
doesn't work as it should (see above).

5. Caching works correctly, but does not work as well as it could. The
problem is that many sites do not set up their servers to cache well.
Thus, every time you visit a site, if your proxy server follows the
rules, it must re-download the content and graphics. Again, I've used
a Sniffer to verify the problem is on the servers. Maybe other proxies
will allow you to override the correct behavior (I've heard that squid
does).

6. I use the MS DNS server on the machine. You can't use the GUI to
configure reverse lookups on CIDR addresses, but you can get them to
work by editing the config files directly. They are in BIND format
anyway, so that's not a problem. (And, yes, you need reverse lookups
working correctly. I spent about two weeks talking to my ISP to
convince them that they needed to do something on their end to support
reverse lookups.)

7. MS Proxy comes with packet filters. In fact, you can set up any NT
machine as a router with packet filters. As is usual with Win vs.
UNIX, the GUI makes it really easy to configure the things that
Microsoft expects you to do, but almost impossible to do exactly what
you want to do. I.e. if you use a source port of 53, you can port scan
the proxy machine easily, but otherwise it will look like a blackhole.

8. Logging is OK. The packet filter, web proxy, and SMTP logs are all
in roughly the same format, and you can often set other common
formats. But I've installed a network intrusion detection system on
the same box (again, even though it's a 486, it's only a 416-kbps
line), so I don't look at the log files as often as I should.

9. Microsoft's Web server, IIS 4.0, is not an add-on. It's an
operating system in its own right. It has its own registry separate
from the WinNT registry. Everything is written as an ISAPI subsystem
within IIS. As is typical (Win vs. UNIX), whereas you can easily get
going with the GUI, you don't have all the visibility into the
internals that you might want.

10. I haven't set up any VPN yet. I'm hoping to patch for the latest
PPTP and allow home users with cable modems to connect to the internal
network. It should work without too much hassle, but we'll see.

CONCLUSION: I'm happy with MS Proxy, which is to say that I'm no more
frustrated with it than with the alternatives. Its performance and
features are just fine, and will probably satisfy most people. Maybe
WinGate would be an easier-to-use solution; maybe an open source
solution would be cheaper and give me the increased visibility into
the internals that I want. But I work for a startup, and my job is
coding, not setting up computers, and I feel this solution matched my
needs pretty well. YMMV.

---David LeBlanc <dleblanc () mindspring com> wrote:

At 09:19 PM 2/18/99 -0700, dreamwvr wrote:
Hi,
  Have you considered Squid? It is far better than m$ proxy by
a long shot and will get you there more co$t effectively as well.
It is worth considering...

I hope that no one will turn this into a flamewar, and I know some of
the answer already, but just what are the areas that the denizens of
this list feel are the areas where other solutions are better than MS
Proxy? Please do not get into open vs. closed source religious issues,
or pricing. I'm interested in purely technical reasons. I have a need
to use MS Proxy for some things, so I'd like to make sure I understand
all the tradeoffs.


David LeBlanc
dleblanc () mindspring com



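The source-port-53 hole mentioned in point 7 above, as an added example (this is not code from the original post or from MS Proxy; it is a toy model of a stateless packet filter next to a connection-tracking one). A stateless filter that admits any packet whose source port is 53, so that DNS replies can get back in, also admits a SYN from source port 53 to every port on the filtering host, which is exactly what lets the proxy be port-scanned. The hosts 192.0.2.10, 198.51.100.7 and 203.0.113.53, the port list and the rule set are all constructed for the illustration.

```python
"""Stateless-versus-stateful packet filtering (added example, not from the
original post). Shows why an 'allow anything from source port 53' rule lets
an attacker port-scan the filtering host, and how a filter that remembers
outbound flows admits the real DNS reply but not the scan."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP SYN without ACK == new connection attempt
    ack: bool = False


PROXY = "192.0.2.10"        # hypothetical proxy/firewall host (TEST-NET-1)
ATTACKER = "198.51.100.7"   # hypothetical scanner (TEST-NET-2)
PORTS = [22, 25, 80, 135, 139, 445]   # constructed list of ports to probe

# Stateless inbound rule set: (proto, src port, dst port, action); None
# matches anything; first match wins. The source-port-53 rules are the usual
# way to admit DNS replies when the filter cannot remember what went out,
# and they are the hole.
STATELESS_RULES = [
    ("udp", 53, None, "allow"),
    ("tcp", 53, None, "allow"),
    ("tcp", None, 25, "allow"),   # published SMTP gateway
    ("tcp", None, 80, "allow"),   # published web server
    (None, None, None, "drop"),   # everything else looks like a black hole
]


def stateless_decide(pkt):
    """First-match evaluation of STATELESS_RULES against one packet."""
    for proto, sport, dport, action in STATELESS_RULES:
        if (proto in (None, pkt.proto) and sport in (None, pkt.sport)
                and dport in (None, pkt.dport)):
            return action
    return "drop"


class StatefulFilter:
    """Admits inbound packets only if they answer a flow the inside host
    opened, or are a fresh SYN to an explicitly published TCP port."""

    def __init__(self, published_tcp_ports):
        self.published = set(published_tcp_ports)
        self.flows = set()

    def outbound(self, pkt):
        # Remember the 5-tuple so the reply can be matched on the way back.
        self.flows.add((pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport))
        return "allow"

    def inbound(self, pkt):
        if (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport) in self.flows:
            return "allow"
        if (pkt.proto == "tcp" and pkt.syn and not pkt.ack
                and pkt.dport in self.published):
            return "allow"
        return "drop"


def scan(decide, attacker, target, ports, sport):
    """Ports on `target` that a SYN from source port `sport` reaches, as
    seen through the filter decision function `decide`."""
    return [p for p in ports
            if decide(Packet("tcp", attacker, sport, target, p, syn=True)) == "allow"]


if __name__ == "__main__":
    print("stateless, sport 40000:", scan(stateless_decide, ATTACKER, PROXY, PORTS, 40000))
    print("stateless, sport 53:   ", scan(stateless_decide, ATTACKER, PROXY, PORTS, 53))
    fw = StatefulFilter({25, 80})
    print("stateful,  sport 53:   ", scan(fw.inbound, ATTACKER, PROXY, PORTS, 53))
    # A genuine DNS reply is still admitted because the query was recorded.
    fw.outbound(Packet("udp", PROXY, 3211, "203.0.113.53", 53))
    print("dns reply:", fw.inbound(Packet("udp", "203.0.113.53", 53, PROXY, 3211)))
```

Against the stateless rules, a scan from an ordinary source port sees only the two published services, while the same scan from source port 53 sees every port; the stateful filter shows the published ports regardless of source port and still passes the DNS reply to the query it recorded.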



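The caching behaviour described in point 5 above, as an added example (not code from the original post, MS Proxy or squid): a minimal HTTP freshness check of the kind a rule-following cache applies. It takes freshness from Cache-Control max-age, Expires, or a heuristic fraction of the time since Last-Modified, and a response carrying none of these gets no lifetime at all, so it is re-fetched on every visit. The `override_min` parameter is an assumed stand-in for the kind of minimum-lifetime override the post attributes to squid, not a real squid option, and the 10% heuristic fraction and all sample responses are constructed for the illustration.

```python
"""HTTP freshness check (added example, not from the original post).

A cache that follows the HTTP/1.1 rules may serve a stored response without
going back to the origin only while it is "fresh". A response with no
Cache-Control, Expires or Last-Modified header has no freshness lifetime and
is re-fetched every time. `override_min` is an assumed minimum lifetime a
cache administrator might impose; it is not a real squid setting."""

from email.utils import formatdate, mktime_tz, parsedate_tz


def parse_cache_control(value):
    """'max-age=600, no-cache' -> {'max-age': '600', 'no-cache': True}"""
    directives = {}
    for part in value.split(","):
        part = part.strip().lower()
        if part:
            name, _, arg = part.partition("=")
            directives[name.strip()] = arg.strip().strip('"') if arg else True
    return directives


def _http_date(value):
    """RFC 1123 date string -> epoch seconds, or None if unparsable."""
    parsed = parsedate_tz(value)
    return mktime_tz(parsed) if parsed else None


def freshness_lifetime(headers, fetched_at, heuristic_fraction=0.1, override_min=0):
    """Seconds the response may be served from cache without revalidation.

    Returns None when the headers carry no freshness information at all and
    no override applies: such a response is re-fetched on every request.
    """
    h = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control", ""))
    if "no-store" in cc or "no-cache" in cc:
        return 0                       # never reuse without revalidating
    if "max-age" in cc and str(cc["max-age"]).isdigit():
        return int(cc["max-age"])
    expires = _http_date(h["expires"]) if "expires" in h else None
    if expires is not None:
        return max(0, expires - fetched_at)
    last_modified = _http_date(h["last-modified"]) if "last-modified" in h else None
    if last_modified is not None:
        # Heuristic freshness: a fraction of the time since the last change.
        return max(override_min, int((fetched_at - last_modified) * heuristic_fraction))
    return override_min or None


def is_fresh(headers, fetched_at, now, **kwargs):
    """True if a response fetched at `fetched_at` may still be served at `now`."""
    lifetime = freshness_lifetime(headers, fetched_at, **kwargs)
    return lifetime is not None and (now - fetched_at) < lifetime


# Constructed sample responses, "fetched" at a fixed instant (Feb 1999).
T = 919900000
NO_HINTS = {"Content-Type": "image/gif"}          # the badly configured origin
MAX_AGE = {"Cache-Control": "max-age=3600"}
EXPIRES = {"Expires": formatdate(T + 600, usegmt=True)}
LAST_MOD = {"Last-Modified": formatdate(T - 10 * 86400, usegmt=True)}
NO_STORE = {"Cache-Control": "private, no-store"}

if __name__ == "__main__":
    for name, hdrs in [("no hints", NO_HINTS), ("max-age", MAX_AGE),
                       ("expires", EXPIRES), ("last-modified", LAST_MOD),
                       ("no-store", NO_STORE)]:
        print(f"{name:14s} lifetime={freshness_lifetime(hdrs, T)} "
              f"fresh_after_5min={is_fresh(hdrs, T, T + 300)}")
    print("no hints with override:", freshness_lifetime(NO_HINTS, T, override_min=1800))
```

The image with no headers never counts as fresh, so a correct proxy fetches it again on every visit even though its bytes never change; the same image with a Last-Modified header from ten days ago earns a day of heuristic freshness, and an origin that sends max-age or Expires gets exactly what it asks for.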