From Mark Kaynor (mkaynor@daa.com)
I recently spent an inordinate amount of time setting up server proxying on MS Proxy Server 2.0 such that a Domino server or Notes client outside the proxy (the "external server") could replicate w/ and route Notes email to a Domino server inside the proxy (the "internal server"). Information was sparse and I had to glean bits and pieces from several, sometimes conflicting, sources of
information. I could have saved myself hours of frustration had I been able to find a document similar to this. No guarantees, but this should get one pointed in the right direction.
If problems occur, don't forget to check the event log on the internal server - the proxy client writes messages to the event log which can be very helpful during configuration and troubleshooting. BTW - both Domino servers are running v4.6.4 on NT 4.0, SP5., the proxy server in running on NT 4.0, SP3 w/ roll-up hotfix and Option Pack 4.
1) Obtain and install the Proxy Server hotfix - make sure to compare installed files date and size w/ those listed in the supplied "readme.txt" file after installation. MS tech support told me that setting up server proxying was pretty much futile w/o the hotfix. The file emailed to me was:
prxyfixpacki.zip 308,819 bytes 6/28/99 11:45a
2) To simplify the initial setup, temporarily disable Winsock Proxy Access Control if enabled. Clear the WinSock Proxy | Properties | Permissions | "Enable access control" checkbox.
3) Also temporarily disable Packet Filtering if enabled. Clear the WinSock Proxy | Properties | Service | Security | "Enable packet
filtering on external interface" checkbox.
4) Set proxy client configuration to connect to proxy via IP address. Select WinSock Proxy | Properties | Service | Client Configuration | Clients connect to Microsoft WinSock Proxy Server by | "IP Address" checkbox.
5) On the proxy server, disable default gateway and IP forwarding on internal NIC. Clear Control Panel | Network | Protocols | TCP/IP Protocol | IP Address | "Default Gateway" entry. Clear Control Panel | Network | Protocols | TCP/IP Protocol | Routing |
"Enable IP forwarding" checkbox.
6) Add port 1352 to the SSLPortListMembers list in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3Proxy\Parameters (see Microsoft Knowledgebase article Q184028 <http://support.microsoft.com/support/kb/articles/q184/0/28.asp>. Run REGEDT32. Go to
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3Proxy\Parameters. Open "SSLPortListMembers". Add 1352 twice to the list - it should end up looking something like:
443 443 563 563 1352 1352
7) Reboot the proxy server
8) Reinstall proxy client on internal server. Reboot internal server
9) Test client installation on internal server by running "chkwsp /f", located in the MS Proxy Client install directory (default is "c:\mspclnt"). Success = "Client control protocol version MATCHES the server control protocol."
10) Create and save WSPCFG.INI file on internal server in same directory as NSERVER.EXE ("C:\Notes", for example) as follows:
[Common Configuration] ServerBindTCPPorts=1352 Persistent=1 KillOldSession=0
11) Reboot internal server - proxy client on internal server should now bind to port 1352 on proxy server
12) Open CMD prompt, test proxy client connection using "ftp ftp.microsoft.com". Success = ability to logon anonymously to ftp.microsoft.com and do a directory listing
13) From the Internet <preferably from an entirely separate connection> try to telnet to port 1352 on the proxy server's external IP, eg.:
Start | Run | "telnet.exe"
Select "Connect"
Select "Remote system"
Port: 1352 <Windows Telnet defaults to Port: Telnet>
Address: <proxy server's external NIC IP address>
Success = after connecting, the "Disconnect" selection is available under main menu "Connect"
Disconnect, close Telnet
14) Create a "Local Area Network" TCPIP connection document on the external server (or client) that points to the internal Domino server name using the proxy server's external NIC IP address.
15) Remove all entries in "Web Proxy" section of current location document on external server (or client)
16) Open Notes client on external server and trace a connection to the internal server. "File | Tools | Preferences | Ports | Trace Connection", select internal server. If successful, go to step 20.
17) Stop external server Domino services <"quit" at Domino terminal> (we had an active dialup modem connection that was screwing up the ability of the internal server to bind to proxy server port 1352 - stopping the outside Domino service removed that conflict so we could test)
18) Reboot internal server - client should now successfully bind internal server to proxy server port 1352
19) Still having problems? Use "netstat -an" to review port bindings on proxy server, internal and external servers. Proxy server should show port 1352 bound to internal server's IP address. You can't continue past here until you can "see" the internal server from the external server via the proxy server's external IP address.
20) Restart external server Domino service and make sure everything works correctly.
To enable access control:
21) Create new user in "User manager for domains", as a member of the "Domain Users" group
22) Grant this user "Policy | User Rights| Log on locally", also in User Manager for Domains
23) Re-enable Access control on proxy server
24) Add new user to "Unlimited access" (for security reasons you should change this to a custom protocol later)
25) Open command prompt on internal server
26) Make "c:\mspclnt" your current directory (assumes default proxy client installation location)
27) Create credentials for nserver.exe, nrouter.exe, and nreplica.exe as follows:
credtool -w -n nserver -c NewProxyUser Domain Password credtool -w -n nrouter -c NewProxyUser Domain Password credtool -w -n nreplica -c NewProxyUser Domain Password
where NewProxyUser is the new user created in step 21, Domain is the NT domain to which the proxy server belongs, and Password is the password assigned to NewProxyUser. The credentials for each service can be checked by replacing the "-w" <write> in the above commands with "-r" <read>
28) Add the line "ForceCredentials=1" to the WSPCFG.INI file you created in step 9. e.g.:
[Common Configuration] ServerBindTCPPorts=1352 Persistent=1 KillOldSession=0 ForceCredentials=1
29) Reboot the internal server
30) Test that the outside and internal servers can still communicate correctly
To enable packet filtering
31) In WinSock Proxy Security, select "Enable packet filtering"
32) Add two custom filters as follows:
Protocol: TCP Direction: In Local port: Fixed, 1352 Remote port: Any Local host: Default Proxy Server external IP addresses Remote host: Single host, <external server IP>
Protocol: TCP Direction: Out Local port: Any Remote port: Fixed, 1352 Local host: Default Proxy Server external IP addresses Remote host: Single host, <external server IP>
33) Test that the external and internal servers can still communicate correctly