Microsoft Proxy Server v2.0

Questions:

1) My Navigator Browser is not loading anything and the status bar is flashing rapidly.
2) I changed the IP address of the proxy server, and now nothing I do will allow browsers out.
3) I am getting timeouts while downloading large files.
4) My proxy is really slow and crashes a lot.
5) How do I get client autoconfig to work with custom JavaScript?
6) I keep getting errors when using the web interface to the Index Server.
7) Netscape refuses to authenticate against users in domains other than the proxy server's.
8) How can users change their own passwords?


Answers:

1) My Navigator Browser is not loading anything and the status bar is flashing rapidly.
    The proxy server is only allowing NT challenge-response and Netscape cannot do that.  You must allow basic authentication at the proxy server.

2) I changed the IP address of the proxy server, and now nothing I do will allow browsers out.
    The proxy server is tied into all the other IIS services, including the WWW server and the Winsock Proxy (firewall?).  The Winsock Proxy Server is configured with a LAT (Local Address Table) which defines internal addresses.  If you renumber your internal interface to a number that is not in the LAT, the firewall? will assume you are external and not allow you access.  Add your new internal IP network to the LAT.

3) I am getting timeouts while downloading large files.
    If your Proxy Server is chained to an upstream virus scanner like VirusWall, you just may not be waiting long enough.  The scanner spools the entire file, scans it, and then sends it on to you.  Thus, you must wait.  If the proxy server is timing out, increase the timeouts:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3proxy\parameters
    requesttimeout: change from 60s (0x3c) to 300s (0x12c)
    sockettimeout: change from 120s to 900s or 1800s

4) My proxy is really slow and crashes a lot.
    We have clients with 1000 users, NT 4.0, IIS 4.0, Proxy 2.0. The system crashes about once every 3 weeks. These are options.
    If you are running IIS4.0, go back to 3.0 for now. Microsoft acknowledges that IIS4.0 is a major problem for proxy 2.0.
    Also, we have noticed that if you don't reboot and it's under a heavy load, NT maxes out on CPU. So reboot often and the load will go down.

5) How do I get client autoconfig to work with custom JavaScript?
a) In IIS configuration under "Web Proxy", choose "use custom script" and define the path to the autoconfig file (e.g., http://www.company.com/auto/proxy.pac).   PS: I don't think this step is strictly necessary.
b) Place the script on your web server.  The file should end with an extension (.pac is a good one) that is defined under MIME types as "application/x-ns-proxy-autoconfig" (CurrentControlSet\Services\InetInfo... look for Mimemap folder for IIS3. IIS4 is in the GUI).  If you do not do this, Netscape will not work.
c) On the client (IE 3+ or Navigator 4+ I know will work), configure the autoconfig URL as "http://www.company.com/auto/proxy.pac".
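
A sample proxy.pac for the steps above (an added example, not a script from the original page). The proxy host and port, the direct-access host name and the internal address ranges are assumptions: the ranges should mirror your LAT, and the direct-access host stands in for a server such as the IIS box in answer 8 that must not be proxied.

```javascript
// Constructed example values: replace with your own hosts and networks.
var PROXY = "PROXY proxy.company.com:80";      // hypothetical proxy host:port
var NO_PROXY_HOSTS = ["intranet.company.com"]; // hypothetical IIS server reached directly
var INTERNAL_NETS = [                          // assumed ranges, should mirror the LAT
  ["10.0.0.0", "255.0.0.0"],
  ["192.168.0.0", "255.255.0.0"]
];

// Convert a dotted-quad string to a number; return -1 if it is not an IPv4 literal.
function ipToNumber(s) {
  var parts = s.split(".");
  if (parts.length !== 4) return -1;
  var n = 0;
  for (var i = 0; i < 4; i++) {
    if (!/^\d{1,3}$/.test(parts[i]) || Number(parts[i]) > 255) return -1;
    n = n * 256 + Number(parts[i]);
  }
  return n;
}

// True when the host is an IPv4 literal inside one of INTERNAL_NETS.
function isInternalAddress(host) {
  var ip = ipToNumber(host);
  if (ip < 0) return false;
  for (var i = 0; i < INTERNAL_NETS.length; i++) {
    var net = ipToNumber(INTERNAL_NETS[i][0]);
    var mask = ipToNumber(INTERNAL_NETS[i][1]);
    // >>> 0 keeps the 32-bit result unsigned before comparing
    if (((ip & mask) >>> 0) === ((net & mask) >>> 0)) return true;
  }
  return false;
}

// Entry point the browser calls for every request.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  if (host.indexOf(".") === -1) return "DIRECT";   // plain intranet name
  for (var i = 0; i < NO_PROXY_HOSTS.length; i++) {
    if (host === NO_PROXY_HOSTS[i]) return "DIRECT";
  }
  if (isInternalAddress(host)) return "DIRECT";    // internal IP literal
  return PROXY;                                    // everything else via the proxy
}
```

The script uses only plain JavaScript, so it does not rely on PAC helper functions such as isInNet() and does no DNS lookups; host names that resolve to internal addresses but are not listed still go to the proxy.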

6) I keep getting errors when using the web interface to the Index Server.
Might be a permissions problem.  A message like "template file can not be found in the location specified" means either there is no .htx file associated with the query file (.idq) or else you do not have correct access to the .htx file.  The .htx file is in the directory you are searching (let's call it /folder) in a subfolder called _derived.  The _derived folder must have full access by the Index Server (usually IUSR_<servername>), and the search directory /folder and all its subfolders must be readable by the user.  If you are putting username-password on the directory, edit the /folder properties in MMC IIS 4.0 manager so that basic authentication is enabled and anonymous authentication is disabled.  Note: someone could log in as IUSR_<servername>.

7) Netscape refuses to authenticate against users in domains other than the proxy server's.
Netscape Navigator/Communicator is authenticating users via basic authentication (cleartext).  That works straight to the proxy server (its own domain), but authentication requests to remote domains require NT-Challenge Response.  Create a local group and add the remote domain users/groups to it.  Then, give the local group "log on locally" privileges.   Don't forget, you still must set up trust relationships between the domains.

8) How can users change their own passwords?
Users can do one of several things:
a) Change their NT passwords in Control Panel/Passwords. This only works if the user is logged into the NT domain that the IIS server uses.
b) Get a third party product, such as Password Manager.
c) If you have IIS 4.0, you can configure it to change passwords through the browser.
   i) You MUST specify to NOT proxy the IIS server itself. The reason is that if you proxy everything, the authentication change is proxied as well (you are essentially authenticating 2x, and things become confused). That's what I get out of it, anyway.
   ii) If that doesn't work, and you are still getting https: request errors (meaning you need SSL but don't have it), you can do one of 2 things:
       1. Get SSL (either make up a key with a certificate server, or go through VeriSign, etc.).
       2. Edit c:/winnt/system32/inetsrv/iisadmpwd/aexp.htr (might want to make a backup). There is a single occurrence of https: in the file; change it to http:. Passwords will be changed in the clear, but hey, it is the internal network. I am not real sure if you can toggle SSL in other ways. This seems to work.

DISCLAIMER: This support site is provided as a FREE service to our customers. Every effort is made to ensure it is complete and accurate. However, due to changing versions, typos, different environments, etc., information may be inaccurate for your site. Note that we do not assume responsibility for any problems you might encounter using information provided in these pages. Please inform us of any problems you encounter, and we will make every effort to correct this information. Thank you.



Copyright 2006, Security Evolution, Inc.