Firewall Wizards mailing list archives
Re: MS Proxy 2.0 is enough ?
From: Robert Graham <robert_david_graham () yahoo com>
Date: Wed, 24 Feb 1999 15:20:42 -0800 (PST)
I use MS-Proxy. Here are my experiences:

1. I use it on a 486/66 on a 416-Kbps Internet link with about 40 machines behind it. I've never seen it exceed 30% CPU utilization, even when the link is maxed out by several concurrent people. In theory, you can cluster them to support larger installations but I have no experience with that.

2. I've installed the SMTP gateway from the Option Pack. This gateway forwards-only (to a Linux SMTP/POP server). BTW, I chose RedHat Linux over Exchange/NT because it was easier to get up and running for my installation (in particular, with Microsoft, everything is an operating system upgrade rather than an add-on, which gets tiresome after a while). It was extraordinarily simple to set up the MS SMTP gateway to perform exactly as I wanted it to (namely, act as a pure proxy to/from Internet and not allow spammers to relay e-mail through my machine).

3. The SOCKS support sucks. I don't know if this is a problem with the SOCKS specification, or just MS's implementation. But I have put a Sniffer on the wire and localized my difficulties to SOCKS.

4. There is no FTP proxy that I can find. I've found lots of useful FTP clients that support numerous types of FTP proxies, but the SOCKS doesn't work as it should (see above).

5. Caching works correctly, but does not work as well as it could. The problem is that many sites do not set up their servers to cache well. Thus, every time you visit a site, if your proxy server follows the rules, it must re-download the content and graphics. Again, I've used a Sniffer to verify the problem is on the servers. Maybe other proxies will allow you to override the correct behavior (I've heard that squid does).

6. I use the MS DNS server on the machine. You can't use the GUI to configure reverse lookups on CIDR addresses, but you can get them to work by editing the config files directly. They are in BIND format anyway, so that's not a problem. (And, yes, you need reverse lookups working correctly. I spent about two weeks talking to my ISP to convince them that they needed to do something on their end to support reverse lookups).

7. MS Proxy comes with packet filters. In fact, you can set up any NT machine as a router with packet filters. As is usual with Win vs. UNIX, the GUI configuration is really easy to configure things that Microsoft expects you to do, but almost impossible to do exactly what you want to do. I.e. if you use a source port of 53, you can port scan the proxy machine easily, but otherwise it will look like a blackhole.

8. Logging is OK. The packet filter, web proxy, and SMTP logs are all in roughly the same format, and you can often set other common formats. But I've installed a network intrusion detection system on the same box (again, even though it's a 486, it's only a 416-kbps line), so I don't look at the log files as often as I should.

9. Microsoft's Web-server, IIS 4.0, is not an add-on. It's an operating system in its own right. It has its own registry separate from the WinNT registry. Everything is written as an ISAPI subsystem within IIS. As is typical (Win vs. UNIX), whereas you can easily get going with the GUI, you don't have all the visibility to the internals that you might want.

10. I haven't set up any VPN yet. I'm hoping to patch for the latest PPTP and allow home users with cable modems to connect to the internal network. It should work without too much hassle, but we'll see.

CONCLUSION: I'm happy with MS Proxy, which is to say that I'm no more frustrated with it than the alternatives. Its performance and features are just fine, and will probably satisfy most people. Maybe WinGate would be an easier-to-use solution, maybe an open source solution would be cheaper and give me the increased visibility into the internals that I want. But I work for a startup, and my job is coding, not setting up computers, and I feel this solution matched my needs pretty well. YMMV.

---David LeBlanc <dleblanc () mindspring com> wrote:
At 09:19 PM 2/18/99 -0700, dreamwvr wrote:

hi, have you considered squid it is far better than m$ proxy by a long shot and will get you there more co$t effectively as well. it is worth considering ...

I hope that no one will turn this into a flamewar, and I know some of the answer already, but just what are the areas that the denizens of this list feel are the areas where other solutions are better than MS Proxy? Please do not get into open vs. closed source religious issues, or pricing. I'm interested in purely technical reasons. I have a need to use MS Proxy for some things, so I'd like to make sure I understand all the tradeoffs.

David LeBlanc
dleblanc () mindspring com
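Point 7 of the message above, as an added example that is not part of the original post and is not MS Proxy code: a constructed model of a stateless filter that admits inbound packets by source port 53 (assumed here to be the rule that lets DNS replies through), beside a filter that only admits a reply matching an outbound query it has seen. All addresses, names and rule logic are hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    direction: str  # "in" or "out", relative to the proxy host
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

# Constructed addresses from the documentation ranges (RFC 5737).
PROXY, RESOLVER, OTHER = "192.0.2.10", "198.51.100.53", "203.0.113.7"

def stateless_allow(pkt):
    """Assumed weak rule: any inbound packet with source port 53 passes."""
    return pkt.direction == "out" or pkt.src_port == 53

class StatefulFilter:
    """Admits an inbound packet only as the reply to a recorded DNS query."""
    def __init__(self):
        self.pending = set()

    def allow(self, pkt):
        if pkt.direction == "out":
            if pkt.dst_port == 53:
                # Remember the reply we expect: peer:53 -> our ip:port.
                self.pending.add((pkt.proto, pkt.dst_ip, pkt.dst_port,
                                  pkt.src_ip, pkt.src_port))
            return True
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key in self.pending:
            self.pending.discard(key)  # one reply per query
            return True
        return False

# Constructed traffic: a query, its reply, then two unsolicited packets.
SAMPLE = [
    Packet("out", "udp", PROXY, 1025, RESOLVER, 53),
    Packet("in", "udp", RESOLVER, 53, PROXY, 1025),
    Packet("in", "tcp", OTHER, 53, PROXY, 139),     # source port 53, unsolicited
    Packet("in", "tcp", OTHER, 40000, PROXY, 139),  # ordinary source port
]

def compare(packets):
    """Return (stateless, stateful) verdicts for each packet in order."""
    stateful = StatefulFilter()
    return [(stateless_allow(p), stateful.allow(p)) for p in packets]

if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE, compare(SAMPLE)):
        print(pkt, verdict)
```

The third packet is the case the post describes: the source-port rule passes it, while the filter that tracks outbound queries drops it.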