Troubleshooting Microsoft Proxy Server

Windows IT Pro

- Advertise

Troubleshooting Microsoft Proxy Server

Author:	Kurt Hudson
Published:	September 2000
Copyright:	2000
Publisher:	Windows IT Library

Abstract
This chapter explores some of the problems you may run into when working with Microsoft Proxy Server. Several troubleshooting topics are covered, including installation, configuration, error messages, security issues, and client access problems.

TROUBLESHOOTING THEORY

Various problems can arise on a computer network. Solving these problems can be as simple as locating an incorrectly configured component, or as complex as monitoring a network for weeks to locate and isolate an intermittent problem.

In general, the steps for troubleshooting a technical problem are

Monitor the problem or gather symptoms
Define the problem
Generate solutions
Test solutions
Document the problem and the solution

In a well-organized network and under ideal circumstances, the first step, monitoring, takes place long before problems arise. Monitoring your network when no known problem exists is often called establishing a baseline. Baselines are important because they represent the “normal” state of your network. It’s much easier to solve a problem if you know how your network should be behaving.

When you identify a problem (or a symptom of a problem), you should attempt to define it. You can define the problem as a simple statement initially, but that can grow quickly in scope. For example, if a user tells you that she cannot log on to the Web server, you might initially define the problem as “Susan cannot log on to the Web server.” If you attempt to solve the problem at this point, you might take a troubleshooting path that leads you to examine Susan’s computer and the connection between her computer and the Web server. However, if you later find that several other people cannot log on to the Web server, your troubleshooting approach may be quite different. It’s important, therefore, to define the problem as thoroughly as possible in the beginning.

When defining the problem, gather additional information from the following:

User observations
Windows NT Event Viewer
Proxy Server logs (Web, WinSock, Socks, and Packet Filter) for additional information when applicable
Historical data from past troubleshooting

Try to determine the following:

What are the observed problems?
What is the scope of the problem? Does it affect a single user/computer, a group of users/computers, or everyone?
How does the situation vary from normal conditions?
Is there any other problem/event occurring?

Such questions can help you define the problem, and once you have a problem statement, you can start investigating possible solutions. Try to locate the source of the problem, then test possible solutions. For instance, if several users cannot log on, you may first look at the server to ensure that there are no configuration errors and that its hardware is powered on and properly connected. However, if only a single user cannot log on, you may check the server to determine whether the user has been denied access or has been limited in some other way. You should also focus on the user’s hardware and his or her connection to the Internet Information Server.

Once you have found a solution for the problem be sure to document the problem and its solution for reference, which could be useful if you have to troubleshoot a similar problem in the future.

MSPDIAG.EXE

Microsoft Proxy Server 2.0 ships with a diagnostics utility that checks and verifies the following information:

Proxy Server version
Windows NT Server version 4.0 is installed
Internet Information Server (IIS) 3.0 or later is installed
Windows NT Service Pack 3 or later is installed
Valid IP addresses are assigned in the LAT
WWW Publishing Service is running
WinSock Proxy Service is running
Administrator privileges on the server computer
IP forwarding is disabled
Only default gateway specified
Mspclnt.ini file against the server computer’s configuration settings
DNS configuration
IPX configuration
SAP agent is installed when IPX/SPX is configured

On the Windows NT Option Pack CD-ROM, the Microsoft Proxy Server diagnostic (mspdiag.exe) utility is located in either the \MSP\Alpha or \MSP\I386 directory (choose the correct one for your processor platform). After installation, the mspdiag.exe is located in the \MSP directory. To run the utility, open a command prompt, change to the directory in which the executable is located, and type mspdiag.

INSTALLATION AND CONFIGURATION ISSUES

When you install Microsoft Proxy Server or a Proxy Client, a setup log is created. Both logs are placed on the C: drive of the computer on which they were installed. The Proxy Server log is named Mspsetup.log and the Proxy Client log is named Mpcsetup.log. You can open these logs with any text editor to determine what happened during the setup process. Additionally, if you call Microsoft or another support provider for Microsoft Proxy Server installation assistance, they may ask you to open the installation log. Figure 1 illustrates the Mpcsetup.log of a successful Proxy Client installation open in Notepad.exe.

Hardware Issues
You may see one of several hardware error messages during Microsoft Proxy Server installation. Table 1 describes messages and resolutions for hardware problems encountered during installation.

Software Issues
There are a variety of reasons that your Microsoft Proxy Server 2.0 software might not be able to install. Sometimes it’s missing files, directories, or pathnames that cause errors. For example, if you see the following error message:

Load of dynamic-link Library <filename> failed returning value.

You may have a missing file or the media you are using to install the software could be damaged. Essentially, the message is telling you that the setup program is unable to access a required file. Ensure that the file is available in the path from which you are installing and attempt to install again. If this doesn’t work, check to see if the installation media is bad. If so, contact your software vendor to obtain new installation media.

Another message you might see is:

Setup could not find the IIS virtual root Scripts directory

Ensure that the Scripts virtual directory is available. The default location is C:\InetPub\Scripts and it should be available as a virtual directory through the WWW Publishing Service. If not, create and share a Scripts virtual directory through the WWW Publishing Service and attempt to reinstall the Proxy Server.

Some of the more common errors arise from not logging on as an administrator or not meeting the software prerequisites. These errors are addressed in the following sections.

Software Requirement Violations
To install Microsoft Proxy Server 2.0, you must have the following software:

Windows NT 4.0 Server
Windows NT Service Pack 3.0 or later
Internet Information Server 3.0 or later

If you do not meet these requirements, you may see a variety of installation errors explaining that you have failed to meet the specific requirement. If you see this error:

WSAStartup failed. Error=errornumber.

You have a TCP/IP service error. You should check your TCP/IP configuration settings, and correct them if necessary. Then try reinstalling the proxy server. If that doesn’t work, try reinstalling TCP/IP, IIS, Service Pack 3.0, and proxy server.

Administrative Rights
You must have administrative access to install Microsoft Proxy Server on your Windows NT Server 4.0. You may see any of the following errors if you don’t have full administrative access to the server:

Proxy Server Setup requires administrative privileges
Either the logged on account is not permitted to modify the system file <filename>, or the file is locked by another application <Error number>
Setup cannot load protocols to the Registry <Error number>
Setup cannot delete the Registry entry <name>
Setup cannot open or create the Registry entry <name>
Setup cannot set the Registry value <name>

If you are logged on as an administrator, try stopping all Internet Information Server services manually. If you’re attempting to install from a network share, ensure that the installation file Proto.bin exists on the installation directory. If it’s not there, copy the file from the installation CD-ROM to your installation directory, then attempt to reinstall the server.

If you previously attempted to install Microsoft Proxy Server, you must ensure that all remaining files and Registry keys have been removed. You may also attempt to restore or repair the Registry from a previous backup. Once that’s been done, attempt to reinstall.

Client Installation Errors
You might encounter any of several installation errors when installing Microsoft Proxy Clients. Table 2 lists client installation error messages and recommended courses of action.

ERROR LOGGING

Windows NT Server and its related services send error messages to the System log in the Event Viewer when there’s a problem. Additionally, system error messages can appear as pop-up dialog boxes. In either case, the error messages have a format similar to the following:

Message error-number

The error number is a Windows NT error code number and the message is an explanation of the error number. Many of these errors are logged in the System log of the Event Viewer (Start, Programs, Administrative Tools, Event Viewer). Ensure that you’re checking the System log when looking for proxy server errors (on the Log menu, click System). Double-click errors to see the detailed explanations.

You can find Event Viewer message errors for the following Microsoft Proxy Server related components:

Web Proxy service
WinSock Proxy service
Socks Proxy service
Web Proxy log
WinSock Proxy log
Socks Proxy log
Packet Filter log
Web cache
RAS

The Microsoft Proxy Server Documentation has a list of Event Viewer error codes and descriptions concerning the preceding topics. To see the list, open the Microsoft Proxy Server Documentation (Start, Programs, Microsoft Proxy Server), then open the book Troubleshooting the Server, which is subordinate to the Administration book.

Web Proxy HTTP Errors
The Web proxy service can register errors in two ways. It can send them as HTTP messages to the Web browser or drop them into the Event Viewer. The HTTP messages that the Web proxy service produces are listed and described in Table 3.

Authentication Synchronization
The authentication types in the Web Proxy Service and the WWW Publishing Service between chained proxy servers and proxy arrays must match. If not, you may see the following error message:

Error 12201. A chained proxy server or array member requires proxy-to-proxy
authentication. Please contact your server administrator.

You must ensure that the authentication type in the Web proxy service (Routing tab) of the downstream server is identical to the authentication type in the upstream proxy server’s WWW Publishing Service.

IUSR_computername Account Synchronization
The IUSR_computername account that is used for anonymous access to the WWW service doesn’t replicate correctly between array and chain members. If you see an error message stating that the IIS authentication settings do not match, this could indicate such a problem. To correct it, configure Access Control to allow Everyone access to the supported protocols of the Web proxy service. This is necessary when you’re attempting to provide access to a Web proxy array, plan to allow “anonymous” access to the local IIS computer, or wish to authenticate users for client requests through the Web proxy server.

CLIENT ACCESS ISSUES

Clients might not be able to connect to certain resources for a variety of reasons. Some restrictions on users are intentionally applied; for example, Access Control measures such as Domain Filtering are intentional user access restrictions. However, sometimes users are unintentionally restricted from accessing certain resources due to configuration problems or accidental exclusion from a permission list.

In general, when a client cannot access a resource (and the restriction was not intentional), check the items listed and described in Table 4. The last column describes the type of client that can be affected by the problem: External means that only external client access is affected; Internal means that only internal client access is affected; Both means that both internal clients and external clients can be affected by the error.

Tracert and Ping
Since Ping and Tracert operate at the network and transport layers of the TCP/IP protocol stack, they aren’t redirected by the WinSock Proxy service. This means that these utilities don’t provide reliable connection troubleshooting information when working with a proxy server. Therefore, when troubleshooting connectivity to the proxy server, try Universal Naming Convention (UNC) connections to the Microsoft Proxy server (I.E. \\proxy2\mspclnt) or HTTP connections (http://proxy2/msproxy).

DNS Name Resolution
DNS lookups are redirected by the WinSock Proxy service to the proxy server. If you have an internal DNS server, you must be sure that its IP address is in the LAT file. Additionally, if you enter a domain name that doesn’t have any periods (.), it is considered internal by the proxy server.

FQDN Resolution Problems on Internal Network
If your proxy clients are unable to connect to Fully Qualified Domain Names (FQDN) on the local network (I.E. www.local.com), the WSP client settings may be misconfigured. To correct this problem, ensure that the Mspclnt.ini has all of the local domains listed. Open the Mspclnt.ini on the proxy server (C:\MSP\mspclnt.ini) and edit the [Common] section. Set LocalDomains equal to the names of the domains on your internal network. For example:

[Common]
LocalDomains=Local.com, test.com, servers.test.com

Secure Web Pages
Both the HTTP and HTTPS protocols are used to contact a Secure Sockets Layer (SSL) secure Web page. If you have set user access limitations, you must ensure that the user who must access secure Web pages has both HTTP and HTTPS access permissions. In addition, both the proxy server and application that the user is using must be configured to use the same ports to communicate with the secure Web site.

Page: 1, 2

ADS BY GOOGLE