Default Gateway
If your proxy server is configured for more than one default gateway, your clients might see the following error:
Connection timed out.
To correct this problem, ensure that your proxy server is configured to use only one default gateway and that it is configured only on the external network adapter. You should not configure more than one default gateway on the external adapter. Any internal network adapters of the proxy server should not be configured for a default gateway at all. If any one of these configurations is incorrect, your clients could receive the error above.
Requested Header Not Found
Your clients may receive the following error when connecting to a resource through the Microsoft Proxy Server:
Requested Header Not Found
-or-
401 Object Not Found
These errors could be the result of the following situations:
The object requested is not available on the server from which it was requested.
An authentication method on the Web server is not available.
The virtual memory on the proxy server is set too low.
If the object is truly not available, then the Web site administrator must add it in order for clients to access it. If there’s no authentication method set on the Web server, one must be configured in the WWW Service Properties dialog box. Finally, if the virtual memory is set too low on the proxy server, it must be increased. You should increase the minimum virtual memory setting to 20 MB above the recommended configuration.
For more information about the virtual memory problem, see Microsoft TechNet article Q164051 “Proxy Server Fails if Virtual Memory is Set Below Recommended Size.”
IPX-Clients
When you’re running an IPX-to-IP gateway on your internal LAN, several configuration problems may occur. Any of these problems could prevent your internal clients from properly accessing the proxy server and/or external network. Verify the following settings to ensure that your IPX clients will be able to connect to your proxy server:
Client internal network number is set to 00000000
Ensure that the proxy server and proxy clients are using the same frame type. If there are NetWare servers on the internal network, you can also set the proxy server and clients to Auto.
Ensure that IPX is disabled on the external adapter. If you disable IPX after installing proxy server, reinstall proxy server.
If there are no NetWare servers on the internal network, ensure that the proxy server has an internal network number (I.E. 44444444) and Frame Type (I.E. 802.2) set.
If there are no NetWare servers on the internal network, ensure that the proxy server has no internal network number set (I.E. 00000000).
For proxy clients that require both TCP/IP and IPX installed, click Force IPX via the WSP icon in the proxy client’s Control Panel. Otherwise, remove or disable TCP/IP on the proxy client machine.
Tip: Microsoft Proxy Server does NOT support 16-bit IPX clients. This includes all Windows 3.x and Windows for Workgroups IPX implementations, and any Windows 95 16-bit IPX clients.
Failure to Download Mspclnt.ini File
When clients are unable to refresh or download their Mspclnt.ini file, there’s some type of connection problem. This can be either a software access problem or a hardware connection problem. Verify physical network connectivity between the client and server. Then ensure that the client computer can connect to the Mspclnt share on the proxy server. You must also ensure that the proper access has been assigned to the Mspclnt shared directory. By default, the access is set for Everyone to have Read permission. You may also need to allow Guest access to your domain, if the Proxy Server and its clients aren’t part of the same domain.
Direct Connection to the Internet
Clients connecting directly to the Internet must disable the WinSock Proxy Client application. This can be done via the WSP icon in the Control Panel. Otherwise, they will have problems connecting to the Internet through direct connections. In addition, the clients Web browser must be configured not to use the proxy server when a direct connection is established.
Dual-boot WSP Proxy Configurations
If you are using a dual-boot configuration, you must install the WinSock Proxy client on all operating systems for which you require Internet access. Be sure that you specify a different client directory for each installation of the WSP client software for each operating system. If you do not, and the WSP client software installs over another operating systems WSP client files, you will most likely have connectivity problems when using the other operating system.
Domain Name for WFW
Windows for Workgroups (WFW) clients must have a domain name configured for the client logon. Otherwise, a user credentials dialog box appears whenever the WSP client application redirects an application call. For more information, see the Microsoft Proxy Server Documentation (Administration/Administering Clients/Configuring WinSock Proxy Client Applications).
Microsoft Outlook or Exchange Clients
If you have Microsoft Outlook or Exchange clients on your network that connect to an Internet Mail server client using IPX/SPX, you may need to change the MSPCLNT.INI. By default, the master copy of the MSPCLNT.INI file is located on the proxy server \Msp\client directory. Ensure that the settings for [Mapisp32] and [Exchange32] are set to Disable=0 and not Disable=1.
WSP Clients that Provide Services
As previously explained, if you have computers on your internal network that must provide services to the Internet or external network, you must configure a Wspcfg.ini file on those systems. The Wspcfg.ini file must be specially configured and placed in the directory where the executable for the service resides.
Stale Cache Data
Because the Web proxy service caches data, clients can get outdated information. This is especially important to remember when you’re troubleshooting client access. For example, if a client gets an access denied message via an HTTP error message displayed on their Web browser, the error page may still be cached on the proxy server when the client attempts to reconnect to the Web site. It’s also possible for the error page to be cached on their local Web browser. To test the connection, ensure that the client attempts to connect to a different Web page on the server in question. You may decide to turn off caching on the proxy server when you’re troubleshooting complex or time-consuming problems.
Disk Space
All four of the proxy server logs have the ability to stop the proxy server services when the disk is full. The individual proxy server services (Web, WinSock, Socks) can stop themselves when they run out of room to log additional information. The Packet Filter log can shutdown all of the proxy server services when it fills up.
Authentication Type
If your Web server requires Windows NT Challenge/Response authentication, you can only use Internet Explorer clients. Netscape Navigator and other Web browsers don’t support Windows NT Challenge/Response authentication. Access attempts by other browsers fail when Windows NT Challenge/Response is the only available authentication type. For maximum compatibility, allow Anonymous and/or Basic Authentication to your Web site.
Slow Performance
The WinSock Proxy service redirects all calls to the proxy server for any address that’s not listed in the Msplat.txt file or the client’s locallat.txt file. If you find that it takes a long time for a client to connect to an internal network address, check the Msplat.txt file on the proxy server to ensure that all internal IP addresses are listed. Ensure that the client has a recent copy of the Msplat.txt from the proxy server. If there are any internal network addresses that shouldn’t be listed in the master LAT (on the proxy server), but must be used by the local client, configure a locallat.txt file.
SECURITY ISSUES
Previously, we have covered several different items that concerned securing your internal network and proxy server. One of the most significant items mentioned was to disable IP forwarding on the proxy server. When IP forwarding is enabled, clients can bypass all of the proxy server security measures.
Another significant security mechanism is the Alerting feature. You can set alerts to warn you about the following events:
Rejected Packets
Protocol Violations
Disk Full
By default, Alerts are posted to the System Log in the Event Viewer. You can also configure the alert warnings to be emailed to you. When there’s a security violation on your network, you can also use all of the proxy server service logs to see if you can determine what type of connections occurred around the time of violation.
UNABLE TO CREATE PACKET FILTER
When attempting to configure a packet filter, you may receive a message that packet filtering cannot be configured because the computer does not have an external adapter. If you have two network cards in your system, chances are that they’re both configured for the same IP subnet. The proxy server immediately identifies this and determines that you have no external adapter. Before you can configure a packet filter, you must configure one of the network cards to operate on a different segment. If you decide to use a Dial-Up adapter as your second network card, you must install RAS before you’ll be able to configure a packet filter.
RAS AND RRAS ISSUES
You should be aware of a few issues when using or installing RAS and RRAS on your proxy server computer. This section examines Event Viewer messages that concern RAS and RRAS; also, we revisit some RRAS installation issues that were mentioned earlier.
RAS Events
There are two errors concerning RAS that you might find in the Event Viewer:
136 — Proxy dialout connection failed
142 — A dialout to the Internet failed
Obviously, both errors indicate that there was a failure when the proxy server attempted to dial out. The first error (136) indicates a potential problem with the Auto Dial and/or RAS settings. The second error (142) indicates that the ISP is unavailable, or if you have a Proxy chain, it can mean that there’s a failure with an upstream server.
Disable IP Forwarding
When you install the Routing and Remote Access Service, IP forwarding is automatically enabled. If IP forwarding is enabled on the proxy server, clients can bypass the security measures on the proxy server. Therefore, you should disable IP forwarding on the proxy server computer after installing RRAS. Check Microsoft TechNet or the support site (http://www.microsoft.com/support) article “Using Proxy Server with Routing and Remote Access,” Q169548, for more information.
RRAS HotFix
You will need the RRAS HotFix if you want to use proxy server and RRAS on the same computer. This Hotfix is included in Windows NT Service Pack 4.
SUMMARY
When you encounter problems, it’s best to troubleshoot them using a structured approach. You should first be sure to gather all of the symptoms of any problem you encounter. Then, appropriately define the problem and generate potential solutions. Test your potential solutions until you find the best solution for the problem. Document the problem and solution when you’re finished.
There are several installation errors that you may encounter. Mspdiag.exe can help you determine and predict many of these installation and configuration errors. Many of the installation errors can be avoided if you are sure to log on with administrative access before attempting to install the product. Also, ensure that your computer meets all of the software and hardware requirements necessary to properly install the Microsoft Proxy Server. One major item is to ensure that you have plenty of hard disk space and an NTFS partition available for the Web cache.
Client installation usually only fails when there’s a network connectivity problem or if standard files or paths aren’t available. For example, if the client installation program can’t download the LAT or Mspclnt.ini file, the installation will produce errors. Additionally, errors occur if the proxy client installation program is unable to configure your Web browser. Luckily, the Web browser can be configured manually after the installation of the WinSock Proxy client.
Many of the errors that occur because of configuration errors with the Microsoft Proxy Server will be logged in the Event Viewer. You can check the Event Viewer to get additional information on several configuration errors, including those that occur with any of the proxy server services, logs, RAS, and packet filtering. When a security violation occurs you can also check the proxy service logs and the Packet Filter log to see what was happening during the time of the violation. Remember, any of the proxy server service logs and the packet filtering log have the ability to shutdown proxy server services when they run out of disk space.
Array and chain synchronization errors are often indicative of account authentication errors. The array and chain members must have identical authentication methods configured to properly transfer their synchronization information.
Client access errors could be caused by many different situations. Both the proxy server and the service provider can restrict client access. Clients can be denied access based on IP address, domain name, user identification, protocol, packet filter, domain filter, or permission restrictions (for example, NTFS security) placed on the file system or object requested.
When troubleshooting it’s important to remember which requests are redirected and which are not. For example, name resolution requests are redirected if the name resolution provider IP addresses do not appear in the LAT. However, tracert and ping utilities don’t get redirected because they operate below the application layer.
Shortcut Guide to SQL Server Infrastructure Optimization With right tools and techniques, you can have a top-performing SQL Server infrastructure without having to cram your data centers so that they're overflowing. Download this eBook to learn how.
WinConnections Conference Fall 2008 Don’t miss the premier event for Microsoft IT Professionals in Las Vegas, November 10-13. Register and book your room by August 25 and receive a FREE room night (based on a three night minimum stay).
Continuous Data Protection and Recovery for Exchange Read this white paper to learn about Continuous Data Protection (CDP), Exchange 2007's local continuous replication and cluster continuous replication features.
Rev Up Your IT Know-How with Our Recharged Magazine! The improved Windows IT Pro provides trusted IT content with an enhanced new look and functionality! Get comprehensive coverage of industry topics, expert advice, and real-world solutions—PLUS access to over 10,000 articles online. Order today!
Tips to Managing Messaging Discover three fundamental mail and messaging management services - security, availability and control services - and how you can implement them in a Microsoft-centric mail and messaging environment.
Get It All with Windows IT Pro VIP Stock your IT toolbox with every solution ever printed in Windows IT Pro and SQL Server Magazine plus bonus Web-exclusive content on hot topics. Subscribe to receive the VIP CD and a subscription to your choice of Windows IT Pro or SQL Server Magazine!
Solving PST Management Problems In this white paper, read about the top PST issues and how to administer local/network PST files.
Are You Litigation Ready? Collecting and processing electronic data for e-discovery can be time-consuming and expose a business to significant legal risks. Get prepared with this free white paper
Order Your Fundamentals CD Today! Gain an introduction to Exchange, learn server security requirements, and understand how unified communications can play a role in your messaging strategies with this free Exchange CD.
KVM over IP Solutions Learn about a KVM over IP solution that is specifically designed to meet the needs of the distributed IT environment.
Windows IT Pro
Register
