Ports Required by Proxy Server 2.0 Located in a DMZ (285082)
The information in this article applies to:

  • Microsoft Proxy Server 2.0

This article was previously published under Q285082

SUMMARY

This article describes which TCP and UDP ports must be accessible when you use Proxy Server 2.0 inside a perimeter network (also known as a DMZ, demilitarized zone, or screened subnet) to perform Web publishing.

MORE INFORMATION

Proxy Server 2.0 can be used inside a perimeter network to publish data (using server proxying) from Web sites that are physically located behind the internal firewall on the perimeter network that protects a corporate network. When you configure Proxy Server to do this, User Datagram Protocol (UDP) ports between 1025 and 5000 must be open on the internal firewall of the perimeter network. If these ports are not open, external client computers are not able to access the Web sites.

You can create a perimeter network by using two firewalls. A server that is running Proxy Server can be located inside the perimeter network (between the two firewalls). For additional information, click the article number below to view the article in the Microsoft Knowledge Base:

191146 How to Create a DMZ Network with Proxy Server 2.0

You can use Proxy Server to publish Web sites using the server proxying functionality. This method is recommended when Secure Sockets Layer (SSL) is involved. The Web servers on which the Web sites reside can be located behind the internal firewall of the perimeter network. In this case, traffic flows from the Internet, through the external firewall, through the Proxy Server-based server, through the internal firewall, and finally to the Web server. For additional information, click the article number below to view the article in the Microsoft Knowledge Base:

184030 Using Server Proxy with SSL in Proxy Server 2.0

Typically, when you use server proxying, you must install the Winsock Proxy (WSP) client on the internal Web server. External Internet clients access the Web sites that are located on the internal Web server by using Proxy Server. This configuration provides an extra tier of protection for the Web server, because external clients cannot access the Web server directly.

If you are the administrator of a firewall, you may want to configure the internal firewall of the perimeter network to restrict the range of ports that it allows incoming traffic through. If this firewall does not allow traffic through UDP ports 1025 to 5000, external Internet clients may no longer be able to access the Web sites that are located behind the firewall.

To use server proxying, you must install the WSP client on the internal Web server. The WSP client on the Web server communicates with the proxy server that is server proxying it. When you start the Web server, the WSP client is initialized. The Mspclnt.ini file is used to determine the behavior of the WSP client.

For additional information, click the article number below to view the article in the Microsoft Knowledge Base:

231878 Location of Winsock Proxy Client Configuration Information

The WSP client on the Web server chooses an ephemeral UDP port to communicate with the proxy server (by default, between 1025 and 5000). This ephemeral range can be increased, but not reduced. By default, the proxy server listens on UDP port 1745 for WSP client communication. Because the WSP client on the Web server needs to reach UDP port 1745 on the proxy server, the internal firewall of the perimeter network must allow outbound connections to UDP port 1745.

The proxy server must be able to communicate with the internal Web server on whatever ephemeral port that the WSP client on the Web server binds to. Because this port can be any number between 1025 and 5000, the internal firewall of the perimeter network should not be configured to filter any incoming traffic that is destined to ports in this range.

You must configure bi-directional communication between the proxy server and the WSP client on the Web server. When an external Internet client sends a request to the proxy server that is destined for an internal Web server, the proxy server performs a port mapping procedure.

For example, an external Internet client uses source ports 1426 and 1427 to connect to port 443 on a server that is running Internet Information Services (IIS) and that is located behind the internal firewall of a perimeter network. In this example, the proxy server maps port 1426 to port 1205 and maps port 1427 to port 1208. The proxy server then sends a port mapping announcement to the internal IIS server to inform it about each port mapping. It sends this announcement to UDP port 1041 on the IIS server; in this case, port 1041 is the ephemeral port that the WSP client chose when it initialized on the IIS server. The IIS server responds to the port mapping announcement and reports to the proxy server whether the mapping was accepted. The IIS server sends this response back to UDP port 1745 on the proxy server. When the proxy server receives a successful response, it connects to port 443 on the IIS server by using the mapped source port. The IIS server responds to the mapped source port, and the proxy server then sends the response back to the client on its original source port.

If the inbound UDP ports 1025 to 5000 are blocked on the perimeter network's internal firewall, the proxy server still tries to send the port mapping announcement to UDP port 1041 on the IIS server. Because the firewall is blocking incoming traffic on this port, the mapping announcement does not reach the IIS server. The proxy server continues to send the mapping announcement every two seconds, but it does not get a response from the IIS server, because the announcement never reaches it. Because the proxy server does not get a response from the IIS server that indicates that the mapping was accepted, it does not try to connect to port 443 on the IIS server and the client's original request is not fulfilled.

To tighten the security on the internal firewall of the perimeter network when you restrict UDP ports, restrict incoming traffic on the internal firewall by Internet Protocol (IP) address instead of by port. For example, create a filter that only allows traffic from the proxy server through the perimeter network's internal firewall on any port in the 1025 to 5000 range. This filter allows incoming traffic on any port in that range whose source address matches the proxy server's address, and blocks all other traffic to that range.
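The following is an added model of the port-mapping exchange and of the two internal-firewall policies described above; it is not Microsoft's code and does not reproduce the WSP wire format. The addresses are constructed, the port numbers follow the article's walkthrough, and the retry loop counts announcements instead of waiting two seconds between them.

```python
"""Model of Proxy Server 2.0 server proxying behind an internal firewall.

Constructed example: IP addresses are made up, port numbers mirror the
article's walkthrough (client 1426 -> mapped 1205, WSP client on UDP 1041).
"""
from dataclasses import dataclass, field

PROXY_IP, IIS_IP, OTHER_DMZ_IP = "10.0.1.10", "10.0.2.20", "10.0.1.99"
WSP_PROXY_PORT = 1745            # proxy listens here for WSP client replies
EPHEMERAL = range(1025, 5001)    # default WSP client ephemeral UDP range
PORT_MAP = {1426: 1205, 1427: 1208}   # proxy's mapping from the article


@dataclass
class InternalFirewall:
    """Inbound (perimeter network -> internal) policy for UDP 1025-5000."""
    block_ephemeral: bool = False                      # drop the whole range
    allowed_sources: set = field(default_factory=set)  # IP-based filter

    def allows_inbound(self, src_ip: str, dst_port: int) -> bool:
        if dst_port not in EPHEMERAL:
            return True                 # other ports are outside this model
        if self.block_ephemeral:
            return False                # port-based restriction: nothing in
        if self.allowed_sources:
            return src_ip in self.allowed_sources   # IP-based restriction
        return True                     # range fully open


def server_proxy_request(fw, client_src_port, wsp_port=1041, attempts=3):
    """Run the exchange; return (accepted, announcements_sent, mapped_port).

    The proxy re-sends the mapping announcement until the IIS server's
    acceptance arrives on UDP 1745; if the firewall drops every announcement
    the proxy never connects to port 443 and the client request fails.
    """
    mapped_port = PORT_MAP[client_src_port]
    sent = 0
    for _ in range(attempts):
        sent += 1
        if fw.allows_inbound(PROXY_IP, wsp_port):
            # IIS replies to UDP 1745 on the proxy (outbound, allowed);
            # the proxy now connects to 443 from mapped_port.
            return True, sent, mapped_port
    return False, sent, None
```

The IP-based filter keeps the exchange working while still rejecting other hosts in the perimeter network that try to reach the ephemeral range.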

Modification Type: Minor
Last Reviewed: 1/18/2006
Keywords: kbenv kbinfo KB285082