Frank J. Derfler, Jr

How would you like to get faster access to Web pages, save money, and add security to your network simply by running some software? Web caching proxy servers can do all of those things for networks of any size. Briefly, a Web caching proxy server cruises the Web and examines pages that you and other users on your LAN have previously visited and that have been cached on the server. If a page has been modified, it stores the new version on a local drive. It can also use certain guidelines to hit links on that page to pull down related pages. This prevents your users from having to access the Internet for often-used resources, saving time.

The proxy server has great persistence and patience. It can examine and store thousands of Web pages, and when any local user on the LAN asks for a specific stored page, the page flies out of a local drive or cache without Internet transmission delays. The proxy server makes efficient use of any Internet connection, so you can save money by sharing one connection among many users and squeeze the maximum benefit from the links. Although a proxy server doesn't have the sophisticated flexibility of a firewall, it is an impermeable barrier between your network and the outside. Proxy servers are a perfect way to share new cable modem Internet connections among users, because they use only the single IP address the cable modem provides.

In this roundup, we examine four products: Microsoft Proxy Server 1.0, Netscape Proxy Server 2.5, WinGate 2.0 Pro, and WinProxy 1.1. The products from Microsoft and Netscape are powerful, flexible, sophisticated, and relatively complex. Microsoft's server requires Windows NT Server, while Netscape's can use Windows NT and many flavors of Unix. WinGate and WinProxy are less powerful and less expensive, and they run on Windows NT or Windows 95.

For our tests, we loaded Microsoft Proxy Server and Netscape Proxy Server on a Hewlett-Packard 100-MHz Pentium PC with 64MB of RAM. The PC was equipped with two 3Com 10Base-T network cards. One was attached to our test LAN, and the other to a Motorola Cyber SURFR cable modem and a Cisco 1604 router--both of which were connected to the Internet. As for WinGate Pro and WinProxy, we tested them on a Compaq 200-MHz PC that was set up like the Hewlett-Packard.

Web caching proxy servers are one category in a group of similar products, such as network firewalls and IP/IPX gateways. They're also closely related to the Internet access management products we reviewed in the May 6, 1997, Network Edition. Proxy servers probably won't exist as a separate product category in 18 months, but right now they're important and independent products. An example of the new breed of do-everything products is Novell's Border Manager, due out in the third quarter.

The table below compares Web caching proxy servers, firewalls, and IP/IPX gateways. Each type of product is unique in the definition of its primary job and in how well it does its secondary jobs. Like the IP/IPX gateways, the proxy servers offer a variety of Winsock and Socks capabilities (see "Caching Your Socks Off").

Proxy servers offer fast service and security, but they're also a good investment. You can recapture the initial cost of these products in a few months simply by reducing the number of ISP accounts you need. The initial cost hits the high end in the $500 to $900 range and the low end with WinProxy's $299 price, but there are other cost-of-ownership factors you should consider. If you can set up Windows 95 on a TCP/IP LAN, then you probably have the skills to set up the WinProxy product. If you're going to rely on the other products and you're not familiar with Windows NT Server and IP, you might need some training or help from outside consultants. Microsoft's Authorized Technical Education Centers offer a two-day course on Microsoft Proxy Server for less than $800, but the course has several prerequisites.

These products scale well. One Pentium 166, with 64MB of RAM running Windows NT, can cache for thousands of clients if you have the LAN infrastructure. Given infrastructure capacity considerations, administrators of segmented networks will cascade proxy servers so that only one corporate server hits the real Internet while the other proxy servers efficiently copy its files. Microsoft Proxy Server is the only product that doesn't allow cascading.

You'll also have to factor in a small initial effort spent on configuring each client browser to use a proxy server. It takes about 30 seconds per user, and individuals can do it with guidance from an e-mail message, but if you have a lot of clients, this is a consideration.

These proxy servers differ primarily in how many functions they provide and in their flexibility. For example, Netscape Proxy Server doesn't pass POP3 or SMTP messages, so you can't hide your e-mail server behind it. You're forced to set up a separate e-mail system with its own protected Internet gateway. Moreover, Netscape Proxy Server doesn't handle some of the special protocols from services such as AOL or RealAudio. But Netscape's product does come with a built-in virus protection feature. Both Microsoft and Netscape offer compatibility with some plug-in third-party lists of URLs such as Cyber Patrol and SurfWatch.

Networks never stand still, and management flexibility is key to using these products successfully. Both the Microsoft and Netscape products generate reports that provide useful information about the system's use. WinGate Pro and WinProxy log information, but it's more difficult to extract. Netscape Proxy Server offers auto-configuration for Netscape servers and browsers that works well if you make changes or have failures in a large network of cascaded proxy servers. Microsoft's excellent management capabilities are closely integrated with its BackOffice line.

These products give great value for little investment. They can add performance and security to networks of all sizes.

===================================

Steve Rigney

Though Web caching proxy servers have many benefits, they lose some of their appeal if you still have to load IP on every networked PC to get at the cached Web pages. But there is a way to use only IPX on the clients so you keep the security and administrative hassles of IP off your LAN. The IPX-transport technique involves using a software shim, which typically comes with an IPX-to-IP gateway and sits between the application and the network protocol software. Winsock shims are available for Windows, but what if you have Macintosh-, Unix-, or OS/2-equipped computers and don't want to run IP across the LAN? A cross-platform alternative to Winsock, called Socks, runs on many operating systems and allows you to connect clients to your proxy server without using IP or Winsock.

Socks is a circuit-level gateway that was developed in 1990 by David Koblas and has since been made available as an open standard in an Internet RFC. Socks runs at the TCP layer of the stack and, unlike Winsock, isn't dependent on the application conforming to specifics such as Windows. Socks proxies are different from application- or HTTP-layer proxies, because they simply pass packets through without knowing about the application (such as FTP, HTTP, and NNTP requests). This makes Socks proxy servers much faster than their application-layer counterparts. Microsoft Proxy Server and the Windows NT Server version of Netscape Proxy Server don't work with any version of Socks, but WinGate Pro and WinProxy 1.1 include Socks, Version 5.

Socks actually comes in two versions--Versions 4 and 5. Version 5 has the same capabilities as Version 4, plus added security and some other added features. Version 5 provides authentication using user names and passwords, plus higher security methods, such as Kerberos and SSL. Version 5 also acts as a proxy for UDP connections in addition to TCP. In addition, Socks, Version 5, lets you use DNS naming conventions and the new addressing format of IP, Version 6.

Though fairly easy to implement on your network, Socks does require you to make some basic configuration changes to your Internet software. For example, to use Socks with your Web browser, you must change the connection method from the application-layer HTTP to Socks. If you have lots of client PCs and don't want to spend days reconfiguring the TCP applications, you may want to consider AutoSocks, from Aventail (www.aventail.com). AutoSocks allows your existing Winsock applications and the Socks transport to talk to each other. AutoSocks intercepts Winsock communication requests issued from the application and processes those requests based on a set of rules. The rules decide whether a Winsock request is redirected to a Socks server out to the Internet or kept on the local intranet. With AutoSocks, you don't have to change the configuration of all your Internet applications.

===================================

Les Freed

A flexible multiprotocol proxy server for Windows 95, Windows NT Workstation, and Windows NT Server, WinGate 2.0 Pro provides a caching proxy service for HTTP clients and Socks Version 4 and Version 5 HTTP requests, as well as FTP, IRC, NNTP, POP3, Real- Audio, and telnet protocols. In addition, WinGate Pro has a Socks 5 proxy service for Socks-compatible applications, and it supports dial-up modem, ISDN, and direct LAN Internet connections. It can operate with static or dynamic IP addresses, so you don't need an ISP account with a fixed IP address. As with Microsoft Proxy Server and WinProxy, this feature lets you use WinGate Pro to share a normal dial-up ISP account among users on your LAN.

The product comes in two versions--Wingate Lite and WinGate Pro. WinGate Lite lacks the accounting, auditing, and user control features of WinGate Pro. It also doesn't support remote management or as many protocols as the Pro version. The price is on a scale ranging from a free one-user version up to a $700 unlimited-user version. We tested the full-featured, unlimited-user model running under Windows 95. You can download a free 30-day trial version on the Web from Deerfield Communications Co., WinGate's distributor.

Installing WinGate 2.0 Pro takes only a few minutes, though it's slightly more complicated to configure than the other products we tested. The documentation provided with the downloaded package isn't very detailed, but an excellent built-in help system more than makes up for the lack of printed documentation. The help system includes detailed information on configuring Internet applications for use with WinGate, and an included client configuration utility automatically configures popular Web browsers and e-mail programs as well.

The WinGate server runs as a service on Windows NT, Windows NT Workstation, and Windows 95 and is essentially invisible when running. GateKeeper, the user interface portion of WinGate Pro for configuration and management, runs as a separate program. The GateKeeper user interface has an Explorer-like tree structure, with a list of services in the right pane and a list of active connections in the left. The connections list changes dynamically as users access resources through the proxy server. This display quickly confirms that the server is working properly, and it also shows who is using the proxy server at any given moment. Once you've completed the initial installation, you can use GateKeeper's remote configuration feature to configure and monitor WinGate Pro from any PC on your LAN or even over the Internet.

The product includes a comprehensive suite of access control features. You can restrict a user's access by client IP address, protocol type, time of day, traffic counts, or time spent online. Extensive user-activity logging is provided, so you can monitor Internet usage for any or all users. Unlike the products from Microsoft and Netscape, however, it doesn't have preformatted reports.

We tested WinGate Pro with various Internet connections, including dial-up ISDN and modem connections, a cable modem, and an ISDN connection using an Ascend ISDN router. The caching HTTP server provided nearly instant retrieval of cached pages, and all of our test applications performed without a hitch.

WinGate 2.0 Pro. List price: 5 users, $250; 10 users, $450; unlimited users, $700. Deerfield Communications Co., Gaylord, MI; 800-599-8856, 517-732-8856; fax, 517-731-2642; www.deerfield.com.

===================================

Les Freed

At $299 (list), WinProxy, Version 1.1, is the least expensive product in our roundup. It runs on Windows 95, Windows NT Server, or Windows NT Workstation. And in case you want to go even cheaper, Ositis Software offers WinProxy Lite for $49.95 (list). The Lite version provides nearly identical functionality, but it is limited to only three simultaneous users.

Of the products we reviewed, WinProxy was one of the most flexible as well as the easiest to install and configure. Installation from the single floppy disk takes only a few minutes, and a configuration wizard walks you through each step of the process. In case your computers aren't already connected to the Internet, you'll need to install TCP/IP on each system, and you'll also need to assign each machine a unique IP address. In case you don't have any, WinProxy's manual provides a list of acceptable network addresses you can use. Once you've installed WinProxy, the program provides a detailed client configuration checklist.

WinProxy can use permanent or dial-up Internet connections and can operate with either a fixed or a dynamic IP address on the Internet gateway. We tested WinProxy both ways, first setting it up to share a Motorola cable modem on our test LAN. The cable modem provides a single, fixed IP address connection to the cable modem service provider. With WinProxy, we were able to use the cable modem connection from any workstation on our LAN at full cable modem speeds.

We also used WinProxy to share a dial-up ISDN connection to our ISP. Most dial-up ISP accounts assign a different IP address each time you connect; this posed no problem for WinProxy. Like Microsoft Proxy Server and WinGate Pro, WinProxy automatically dials the ISP as needed, and it then disconnects after a user-defined period of inactivity.

WinProxy's protocol support was the most complete of all the products we tested. It provides proxy services for DNS, FTP, HTTP, IMAP4, NNTP, POP3, and RealAudio, as well as Socks, Version 4. The HTTP proxy service can support incoming as well as outgoing HTTP requests, allowing you to use WinProxy as an incoming firewall to a Web server located on your own LAN.

As for other security measures, WinProxy lets you restrict Internet access to specific client PCs by IP address. You can further fine-tune your users' Internet access by restricting users to specific protocols. This allows you to provide just the protocols a user needs--Web and mail services, for example--while restricting FTP and Usenet access.

Similarly, WinProxy keeps a blacklist of forbidden IP addresses, domains, and networks. If a user attempts to access a host whose IP addresses are on the blacklist, WinProxy displays the error message Forbidden HTML in the user's browser. WinProxy doesn't have any built-in features to manage the blacklist, so you must add new entries to the blacklist file, using Notepad or a similar text editor. WinProxy also works with Solid Oak Software's CyberSitter.

As we went to press, Ositis announced Version 2.0 of WinProxy. This new version reportedly adds HTML caching, improved performance, and an improved Web-based administration interface as well. This means that you can now download a trial copy of WinProxy 2.0 from the Ositis Web site.

WinProxy, Version 1.1. List price: $299; with 1-year update subscription, $399; Lite (3-user) version, $49. 95. Ositis Software, Castro Valley, CA; 510-537-6676; fax, 510-537-6626; www.ositis.com. INSTALLATION AND CONFIGURATION are a painless experience with WinProxy.

-----------------------------------

===================================

===================================

===================================

What You Need to Get Started One computer with a working dial-up connection to an Internet Service Provider At least one other computer to connect to the first machine A network adapter for each machine Properly terminated network cable connecting each machine Proxy Server Software, such as WinGate from Qbik Software or WinProxy from Ositis Software. Both products are available on our Windows Shareware Collection.

The Proxy Server Concept Using special software, you can configure your Windows 95 machine with a dial-up connection as a proxy server (or gateway machine) that allows other Windows 95 machines that are connected via a LAN to access the Internet through the same phone connection. This will not work with a serial port connection. You must have network cards and an operating LAN in order to make this work.

A proxy server establishes the actual Internet connection, and the other machines on the LAN make requests for Internet resources of the proxy server. The proxy server then passes along the request to the Internet, receives the information requested, and then passes back this information to the machine on the LAN that requested it. You can still use the proxy server itself to access the Internet - it just doesn't need to pass the requested information back to anybody else!

About WinGate WinGate, developed by Adrien de Croy, is a cool little shareware program that allows you to set up a regular Windows 95 machine with an Internet connection as a proxy server. When the program was first developed (back in 1995), WinFiles.com used to have in-depth setup and configuration instructions for WinGate, because the instructions that came with the package were rather hard for many users to understand.

Since 1995, Qbik has continued development on WinGate, making it more powerful and much easier to install and configure. Therefore, rather than replicate the instructions provided by Qbik here, we've decided to provide a link to a distributor of WinGate. They have excellent instructions, support options, and download links available. You can access the WinGate pages here. ... http://www.deerfield.com/wingate/

About WinProxy WinProxy, developed by Ositis Software, is another great shareware proxy server that allows you to set up a regular Windows 95 machine with an Internet connection as a proxy server. WinProxy includes lots of great features, as well as an easy-to-use setup wizard to get you going quickly. It even has a tray icon for quick access to configuration options (which we happen to think is cool). You can access the WinProxy pages here. ... http://www.winproxy.com/

===================================

The long-awaited WinGate 3.0 release is now available! The latest in industry-leading proxy server firewall technology, WinGate 3.0 is a more powerful and easy to use Internet sharing solution. Check out a list of the new features and download a copy today!

WinGate 3.0: The Standard for Internet Sharing Home Users: be sure to check out the new WinGate Home version, specifically designed for the home user and home networking!

Home Users Two or more computers at home? Designed specifically for the home user, WinGate Home is so simple, anyone can use it!

Small Business WinGate is the standard Internet access sharing solution for small businesses. WinGate Standard and WinGate Pro provide a powerful and secure way to bring Internet access to your staff without the expense of dedicated Internet connections

Enterprise Even if your business already has shared Internet access, WinGate can help you get the most from your Internet connection. With advanced user management and firewall components, WinGate Pro lets you manage and protect your Internet conection for maximum productivity and security.

-----------------------

-----------------------

-----------------------