Configuring Proxy Server - Editions ENI

iQsystem Support Document: Proxy Server Configuration

Below is a list of the critical items that must be considered when configuring a proxy server or firewall:

o The domain certiport.com needs to be accessible.

o The following IP addresses need full access through ports 80 (HTTP) and 443 (HTTPS): 192.41.91.75, 192.41.91.73, and 206.81.137.18.

o HTTP redirects need to be permitted (they are all completed within the certiport.com domain).

The information below is for your convenience and knowledge.
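As an added example (not code from the Certiport document), the Python check below encodes the three critical items above as a deny-by-default egress policy and evaluates a few constructed request and redirect events against it. The policy constants are the values listed above; the host names, addresses and redirect targets in the sample traffic are constructed. It goes slightly beyond the list in one respect: certiport.com is matched on a dot boundary, so look-alike names such as certiport.com.example or notcertiport.com are not treated as in-domain.

```python
"""Egress-policy check for the Certiport proxy/firewall requirements.

Added example, not code from the Certiport/iQsystem document. The policy
constants come from the requirement list; the sample traffic is constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

REQUIRED_DOMAIN = "certiport.com"
REQUIRED_ADDRESSES = {
    ipaddress.ip_address(a) for a in ("192.41.91.75", "192.41.91.73", "206.81.137.18")
}
ALLOWED_PORTS = {80, 443}  # HTTP and HTTPS


def in_domain(host: str, domain: str = REQUIRED_DOMAIN) -> bool:
    """True for the domain itself and its subdomains only.

    A bare endswith() would also accept "notcertiport.com"; a substring test
    would accept "certiport.com.example". Matching on a dot boundary avoids both.
    """
    host = host.rstrip(".").lower()
    return host == domain or host.endswith("." + domain)


@dataclass
class Request:
    """One proxied request as a rule engine would see it (constructed shape)."""
    host: str                          # URL host the client asked for
    ip: str                            # address it resolved to
    port: int
    redirect_to: Optional[str] = None  # host from a 3xx Location header, if any


def evaluate(req: Request) -> Tuple[bool, str]:
    """Allow/deny one request under the three critical items."""
    if req.port not in ALLOWED_PORTS:
        return False, f"port {req.port} is not 80 or 443"
    # Items 1 and 2: the certiport.com domain, or the listed addresses, must be reachable.
    if not in_domain(req.host) and ipaddress.ip_address(req.ip) not in REQUIRED_ADDRESSES:
        return False, f"{req.host} ({req.ip}) is neither in {REQUIRED_DOMAIN} nor a listed address"
    # Item 3: redirects are permitted, and they are expected to stay inside certiport.com.
    if req.redirect_to is not None and not in_domain(req.redirect_to):
        return False, f"redirect to {req.redirect_to} leaves {REQUIRED_DOMAIN}"
    return True, "allowed"


# Constructed sample traffic: the wrong-port request, the off-domain redirect
# and the unrelated site are the cases a mis-configured proxy gets wrong.
SAMPLE_TRAFFIC: List[Request] = [
    Request("www.certiport.com", "192.41.91.75", 443),
    Request("www.certiport.com", "192.41.91.75", 80, redirect_to="login.certiport.com"),
    Request("206.81.137.18", "206.81.137.18", 80),       # direct-by-address, listed
    Request("www.certiport.com", "192.41.91.73", 8080),  # wrong port
    Request("www.certiport.com", "192.41.91.75", 80, redirect_to="certiport.com.example"),
    Request("updates.example.org", "203.0.113.9", 443),  # unrelated site
]


def audit(traffic: List[Request] = SAMPLE_TRAFFIC) -> List[Tuple[str, bool, str]]:
    """Evaluate each request; returns (host, allowed, reason) triples."""
    return [(r.host, *evaluate(r)) for r in traffic]


if __name__ == "__main__":
    for host, allowed, reason in audit():
        print(f"{'ALLOW' if allowed else 'DENY ':5} {host:24} {reason}")
```

Run it as a script to see the verdict for each sample request; the `redirect_to` field is where a redirect that leaves certiport.com, which the requirement list does not permit, is caught.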

Recommended Proxy Configuration for iQsystem Compatibility

This section is not a HOWTO or a "recipe" for installing and configuring a proxy server. It presents the information that informed and experienced administrators need in order to understand Certiport's requirements, and the environments in which Certiport systems have proven to work, so that they can change their own systems intelligently while maintaining their site requirements.

This recommendation is derived from the Coopers & Lybrand security evaluation of Microsoft Proxy Server (available via MSDN). It offers a connection secure enough to satisfy all but the most paranoid customer while retaining the flexibility to work with a variety of networks, and it is independent of any further upstream or downstream security measures. The results have been reproduced and are duplicable.

The recommendations below are laid out for non-MMC-integrated versions of IIS Administration; administrators familiar with IIS will be able to adapt them to the MMC-integrated versions. They work with IIS 2.0, 3.0 and 4.0, and supersede the standards currently available in the MOUS documentation.

Configuration:

Required Materials (Proxy Server):

o Windows NT Server, installed as a STAND-ALONE SERVER
o IIS 4.0
o NT Service Pack 6a, High Encryption
o IE 5.5
o RIP, RAS or RRAS for dial-up and/or dynamic connections, as needed
o TCP/IP stack
o NTFS file system

Required Materials (Local Client Hosts):

o MS Proxy Client (recommended)
o IE 5.5
o IE security settings set to High with cookies enabled (optional)
o IE security settings set to Medium (recommended, and the default)

Assumed: NT Server installed, with IIS 4.0, hardware, protocols, services, file system and MS Proxy in place.

Points of Interest:

o The Synchronizer opens a high port (1040 or above) on the client for communication.
o HTTP must be open for communication to port 80 destinations (certiport.com).
o HTTPS must be open for communication to port 443 destinations (certiport.com).
o Upstream security measures must reflect the above requirements.
o Upstream security devices must not require re-authentication of the local host of origin (i.e. upstream devices accept the credentials of the authenticating downstream device).
o If using anonymous authentication, it is recommended that you use the default username and password as listed in the WWW Proxy Service tab.
o Transparent proxy: uncheck the "Use Proxy Server" setting in the Synchronizer. Please consult pages 28 and 29 of the User Manual for more client-side details.
o Do not place any packet-filtering restrictions on packets to or from www.certiport.com/* (logging is acceptable).

WinSock Service

o Enable access control: grant access to selected users/groups for each protocol.
o Configure logging as verbose, creating a new log file each day.

Web Proxy Service

o Internet publishing not enabled.
o Enable access control: grant access to selected users/groups for each protocol.

WWW Service/Authentication

o Configure the authentication realm as dictated by your security requirements.
o MOUS software will work with the transparent, anonymous, Basic and NTCR (NT Challenge/Response) authentication methods.

Basic Security

o Disable IP forwarding (it is enabled by RAS and RRAS; uncheck "Enable IP Forwarding").
o Only internal IP ranges are listed in the Local Address Table (LAT).
o Use NTFS volumes.
o Disable caching (or at least disable caching for www.certiport.com/*).
o Run only the services you need.
o Unbind unnecessary services from your internal adapters.
o Check permissions on network shares.
o Enable auditing.
o Limit Administrators and Power Users group membership.
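Microsoft Proxy Server uses the Local Address Table to decide which addresses are internal, so an external range that slips into the LAT is treated as part of the private network. As an added example (not from the Certiport document or from Microsoft Proxy Server itself), the Python audit below checks an exported LAT against an internal baseline. It assumes the LAT has been exported as one "first-address last-address" pair per line; the sample export, and the baseline of RFC 1918 space plus loopback, are constructed assumptions to adapt to your own site.

```python
"""Local Address Table (LAT) audit: every LAT range must lie inside internal space.

Added example, not from the Certiport document or from Microsoft Proxy Server.
It assumes the LAT was exported as one "first-address last-address" pair per
line (constructed sample below); adapt load_lat() to your own export format.
"""
import ipaddress
from typing import List, Tuple

IPRange = Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]

# Assumed baseline for "internal": RFC 1918 space plus loopback. Add any
# internal public ranges your site legitimately uses.
INTERNAL_BASE = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
]

# Constructed sample export; the last entry straddles the RFC 1918 boundary.
SAMPLE_LAT = """\
# first-address last-address
10.0.0.0 10.255.255.255
192.168.1.0 192.168.1.255
172.31.0.0 172.32.0.255
"""


def load_lat(text: str) -> List[IPRange]:
    """Parse 'first last' pairs, ignoring blank lines and # comments."""
    ranges: List[IPRange] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        first, last = line.split()
        ranges.append((ipaddress.ip_address(first), ipaddress.ip_address(last)))
    return ranges


def external_parts(ranges: List[IPRange], internal=INTERNAL_BASE) -> List[Tuple[str, List[str]]]:
    """Return (range, leaked networks) for every LAT entry reaching outside internal space.

    Each range is split into CIDR blocks first, so an entry that straddles the
    internal boundary is reported with only the part that actually leaks.
    """
    findings = []
    for first, last in ranges:
        label = f"{first}-{last}"
        if last < first:
            findings.append((label, ["reversed range"]))
            continue
        leaked = [
            str(net)
            for net in ipaddress.summarize_address_range(first, last)
            if not any(net.subnet_of(base) for base in internal)
        ]
        if leaked:
            findings.append((label, leaked))
    return findings


if __name__ == "__main__":
    for label, leaked in external_parts(load_lat(SAMPLE_LAT)):
        print(f"LAT entry {label} includes external space: {', '.join(leaked)}")
```

On the sample, the entry 172.31.0.0-172.32.0.255 is reported with only 172.32.0.0/24, the part outside 172.16.0.0/12; the two entries that sit wholly inside the baseline produce no finding.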

Advanced Security

As the title suggests, these are advanced requirements. They are not needed for our software to run; they demonstrate the ends to which we tested it. Borrowing from the HP Bastion NT hardening scheme, these recommendations secure external ports and services. They will not impede MOUS synchronization, but they may impede operation if upstream authentication devices use SMB, NetBIOS or other services and adapters bound to the settings modified below; it is assumed that the proxy is the external machine. These recommendations work with Microsoft's HTTP publishing feature of MS Proxy (not to be confused with the *nix HTTP publishing nomenclature).

Step 1. Disable listening on ports 137, 138 and 139 (NetBIOS) on the external interface:

Step 2. Navigate to Network Properties.

Step 3. Select Bindings, showing all adapters.

Step 4. Disable the WINS Client (TCP/IP) binding for the external network interface. NetBIOS will then not be reachable via the external NIC.

Step 5. Secure RPC on the external network interface:

Step 6. As Administrator, run the regedt32 tool.

Step 7. Select the HKEY_LOCAL_MACHINE window.

Step 8. Navigate to SYSTEM\CurrentControlSet\Services.

Step 9. Find the entry for your INTERNAL NIC and record its key name.

Step 10. Create a new key named RPC and expand it.

Step 11. Under it, create a subkey named Linkage and expand it.

Step 12. Under Linkage, create a value named Bind of type REG_MULTI_SZ.

Step 13. Enter the key name of your INTERNAL NIC (recorded in Step 9) as the data of Bind. RPC binds only to the adapters listed in Bind, which as configured is your INTERNAL NIC; this secures the RPC ports on the external interface.

Step 14. Secure port 47, which the proxy leaves unsecured:

Step 15. As Administrator, run the regedt32 tool.

Step 16. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3Proxy\Parameters.

Step 17. Select the RpcBindings value and change it from 7 to 6.

Step 18. Close the registry editor.

Step 19. Restart the server.

Potential Issues:

The administrative workstation will not authenticate through a proxy using the NT Challenge/Response authentication procedure.

As per Software Development: Our software is currently not designed to use high levels of authentication security. We only support transparent, anonymous and BASIC authentication realms. Workaround: we can open a security hole into a network through the proxy by adding an unsecured authentication realm as well as NTCR to the configuration requirements. This, however, will exclude many academic sites.

As per Software Development: Our software has been made compatible with the NT/CR authentication scheme. This allows us to offer the highest realm of security available under IIS 4.0.
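The registry changes in Steps 5 through 17 above are easy to get subtly wrong (an extra adapter left in Bind, RpcBindings never changed), and they can be checked offline from a regedit export without touching the live machine. The Python script below is an added example, not part of the Certiport document: export the Rpc\Linkage and W3Proxy\Parameters keys with regedit (File > Export, or `regedit /e`) and run it over the file. It assumes the two regedit export dialects (REGEDIT4 with ANSI strings, "Windows Registry Editor Version 5.00" with UTF-16LE strings in hex(7) data) and that a Bind entry names the internal NIC either exactly or as the last path component; the two sample exports and the NIC names IntNic and ExtNic are constructed.

```python
"""Offline check of the Advanced Security registry changes against a .reg export.

Added example, not part of the Certiport document. Assumptions: REGEDIT4
exports carry ANSI strings and version 5.00 exports carry UTF-16LE strings in
hex(7) data; Bind entries match the internal NIC by exact name or by trailing
path component. Sample exports and NIC names (IntNic, ExtNic) are constructed.
"""
import re
from typing import Any, Dict, List

RegDump = Dict[str, Dict[str, Any]]  # lower-cased key path -> {value name: data}

RPC_LINKAGE = r"hkey_local_machine\system\currentcontrolset\services\rpc\linkage"
W3PROXY_PARAMS = r"hkey_local_machine\system\currentcontrolset\services\w3proxy\parameters"

_HEX = re.compile(r"hex(?:\(([0-9a-fA-F]+)\))?:(.*)$")


def _decode(data: str, encoding: str) -> Any:
    """Decode one .reg value literal: "string", dword:, or hex[(type)]: bytes."""
    if data.startswith('"') and data.endswith('"'):
        return data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if data.startswith("dword:"):
        return int(data[len("dword:"):], 16)
    m = _HEX.match(data)
    if not m:
        raise ValueError(f"unsupported value syntax: {data!r}")
    kind = int(m.group(1) or "3", 16)  # bare hex: is REG_BINARY (type 3)
    raw = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
    if kind == 7:  # REG_MULTI_SZ: NUL-separated strings, double-NUL terminated
        return [s for s in raw.decode(encoding).split("\x00") if s]
    if kind in (1, 2):  # REG_SZ / REG_EXPAND_SZ written out as hex
        return raw.decode(encoding).rstrip("\x00")
    return raw


def parse_reg(text: str) -> RegDump:
    """Parse a regedit export into {key: {name: data}}; key paths are lower-cased."""
    lines = text.strip().splitlines()
    header, body = lines[0].strip(), lines[1:]
    encoding = "latin-1" if header.upper() == "REGEDIT4" else "utf-16-le"
    joined: List[str] = []  # hex data wraps with a trailing backslash; rejoin it
    for line in body:
        if joined and joined[-1].endswith("\\"):
            joined[-1] = joined[-1][:-1] + line.strip()
        else:
            joined.append(line.strip())
    dump: RegDump = {}
    key = None
    for line in joined:
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            dump.setdefault(key, {})
            continue
        if key is None:
            raise ValueError(f"value outside any key: {line!r}")
        name, _, data = line.partition("=")
        dump[key][name.strip().strip('"')] = _decode(data.strip(), encoding)
    return dump


def _matches_nic(entry: str, nic: str) -> bool:
    """Bind data may be the bare key name or a \\Device\\<name> style path (assumed)."""
    return entry.lower() == nic.lower() or entry.lower().endswith("\\" + nic.lower())


def check_hardening(dump: RegDump, internal_nic: str) -> List[str]:
    """Findings for Steps 5-13 (RPC bound only to the internal NIC) and 14-17 (RpcBindings = 6)."""
    findings: List[str] = []
    bind = dump.get(RPC_LINKAGE, {}).get("Bind")
    if not isinstance(bind, list):
        findings.append("Rpc\\Linkage\\Bind missing or not REG_MULTI_SZ: RPC still binds to every adapter")
    else:
        extra = [e for e in bind if not _matches_nic(e, internal_nic)]
        if extra:
            findings.append(f"Rpc\\Linkage\\Bind also lists {extra}; expected only {internal_nic}")
        if not any(_matches_nic(e, internal_nic) for e in bind):
            findings.append(f"Rpc\\Linkage\\Bind does not list the internal NIC {internal_nic}")
    rpc_bindings = dump.get(W3PROXY_PARAMS, {}).get("RpcBindings")
    if rpc_bindings is None:
        findings.append("W3Proxy\\Parameters\\RpcBindings not set (Step 17 not applied)")
    elif rpc_bindings != 6:
        findings.append(f"W3Proxy\\Parameters\\RpcBindings is {rpc_bindings}, expected 6")
    return findings


# Constructed exports: Bind = "IntNic\0ExtNic\0\0" (UTF-16LE) with the default 7, then the hardened state.
SAMPLE_WEAK = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Rpc\Linkage]
"Bind"=hex(7):49,00,6e,00,74,00,4e,00,69,00,63,00,00,00,45,00,78,00,74,00,4e,\
  00,69,00,63,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3Proxy\Parameters]
"RpcBindings"=dword:00000007
"""
SAMPLE_HARDENED = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Rpc\Linkage]
"Bind"=hex(7):49,00,6e,00,74,00,4e,00,69,00,63,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3Proxy\Parameters]
"RpcBindings"=dword:00000006
"""

if __name__ == "__main__":
    for name, sample in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        print(name, check_hardening(parse_reg(sample), "IntNic") or "OK")
```

Run as a script, the weak export yields two findings (ExtNic still in Bind, RpcBindings still 7) and the hardened export yields none; to check a real machine, replace the sample text with the contents of your own export and pass the key name you recorded in Step 9.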
