Before installing Microsoft Catapult Server, please review this entire chapter. It contains important information about installation requirements.
Microsoft Catapult Server has the same hardware requirements as Microsoft Windows NT Server version 4.0. For more information, see the documentation for Windows NT Server version 4.0.
The following must already be installed on the server computer before Microsoft Catapult Server can be installed:
The server computer can be configured as a member server, a primary domain controller (PDC), or a backup domain controller (BDC). However, for best performance it is recommended you install Catapult Server on a computer configured as a member server. For more information about member servers, PDCs, and BDCs, see your documentation for Windows NT.
Before you install, ensure that:
Note that you can choose to implement Catapult Server on a server that has only one network adapter card. This is useful when you are primarily interested in using the caching component of the Proxy service to support internal clients connecting to web servers on the internal network. For more information, see Appendix C, "Proxy Cache Configuration."
To remove a previous beta release
To configure the software for additional cards
If the server will be running the Proxy service, the network adapter card connected to the private network must be bound to TCP/IP. If the server will be running the RWS service, the network adapter card connected to the private network can be bound to TCP/IP, IPX/SPX, or both.
Connecting computers to the Internet provides for some very powerful and useful scenarios. It becomes possible to communicate with millions of people and computers worldwide using the TCP/IP protocols. This broad flexibility imposes a degree of risk: Not only can you communicate with people and systems using the protocols that you choose, it is also possible for users to attempt to initiate communication with your systems.
Review the following list to learn how to take steps to reduce security risks.
Clearing the Enable IP Routing check box prevents unauthorized IP packets from infiltrating your network. The Enable IP Routing check box is located in the Advanced Microsoft TCP/IP Configuration dialog box. Access this through the Network application in Control Panel.
The Windows NT File System (NTFS) provides security and access control for your data files. You can limit access to portions of your file system for specific users and services by using NTFS. In particular, it is a good idea to apply Access Control Lists (ACLs) to your data files for any Internet publishing service.
The fewer services you are running on your system, the less likely a mistake will be made in administration that could be exploited. Use the Services application in Control Panel to disable any services not absolutely necessary on your system.
Use the Bindings feature in the Network application in Control Panel to unbind any unnecessary services from any cards connected to the Internet. For example, you might use the Server service to upload new images and documents from computers in your internal network, but you might not want users to have direct access to the Server service from the Internet. If you need to use the Server service on your private network, the Server service binding to any network adapter cards connected to the Internet should be disabled. The FTP Server service included with Windows NT should also be disabled or configured to ensure adequate security.
You can use the Windows NT Server service over the Internet; however, you should fully understand the security implications and comply with Windows NT Server licensing requirements. When you are using the Windows NT Server service you are using Microsoft networking — that is, the Server Message Block (SMB) protocol rather than the HTTP protocol — and all Windows NT Server licensing requirements still apply. HTTP connections are not subject to Windows NT Server licensing requirements.
If you are running the Server service on your Internet adapter cards, be sure to double-check the permissions set on the shares you have created on the system. It is also wise to double-check the permissions set on the files contained in the shares’ directories to ensure that you have set them appropriately.
You can enable auditing of NTFS files and directories on Windows NT Server by using the Windows Explorer. This is a useful mechanism to ensure that you have set the appropriate permissions on your shares.
By limiting the members of the Administrator group, you limit the number of users who might choose bad passwords.
User Manager for Domains provides a way for the system administrator to specify how quickly account passwords expire (forcing users to regularly change passwords), and other policies such as how many bad logon attempts will be tolerated before locking a user out. Use these policies to manage your accounts, particularly those with administrative access, to defend against exhaustive or random password attacks.
Although this may seem obvious, a stolen or easily guessed password is the best opportunity for someone to gain access to your system. Make sure that all accounts on the system, especially those with administrative rights, have difficult-to-guess passwords. In particular, make sure to select a good administrator password (a long, mixed-case, alphanumeric password) and set the appropriate account policies. Passwords can be set by using Windows NT User Manager for Domains.
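An added example (not part of the original Microsoft documentation) that models how the lockout and expiry policies described above bound online password guessing against one account. The policy values, the unthrottled guess rate, and the size of the candidate list are assumptions chosen for illustration.

```python
from dataclasses import dataclass

MINUTES_PER_DAY = 24 * 60

@dataclass
class AccountPolicy:
    lockout_threshold: int      # bad logon attempts before lockout; 0 = never lock out
    lockout_minutes: int        # lockout duration; 0 = locked until an administrator unlocks
    reset_minutes: int          # bad-attempt counter resets after this many minutes
    max_password_age_days: int  # password expires after this many days

def guesses_per_day(policy, unthrottled_per_sec=10.0):
    """Upper bound on online guesses against one account in 24 hours."""
    if policy.lockout_threshold == 0:
        # No lockout: only server and network speed limit the guesser (assumed rate).
        return unthrottled_per_sec * 86400
    # Strategy A: stay one attempt below the threshold in every reset window.
    quiet = (policy.lockout_threshold - 1) * MINUTES_PER_DAY / policy.reset_minutes
    if policy.lockout_minutes == 0:
        return quiet  # tripping the lockout stops guessing until an admin acts
    # Strategy B: trip the lockout, wait for it to clear, repeat.
    noisy = policy.lockout_threshold * MINUTES_PER_DAY / policy.lockout_minutes
    return max(quiet, noisy)

def coverage_before_expiry(policy, candidates, unthrottled_per_sec=10.0):
    """Fraction of a candidate-password space that can be tried before expiry."""
    tried = guesses_per_day(policy, unthrottled_per_sec) * policy.max_password_age_days
    return min(1.0, tried / candidates)

# Constructed sample policies and password spaces (illustrative values only).
NO_LOCKOUT = AccountPolicy(0, 0, 30, 42)
WITH_LOCKOUT = AccountPolicy(5, 30, 30, 42)
ADMIN_UNLOCK = AccountPolicy(5, 0, 30, 42)
WORDLIST = 50_000   # easily guessed password: one of 50,000 common candidates
STRONG = 62 ** 8    # 8 characters, mixed-case letters and digits, chosen at random

if __name__ == "__main__":
    for name, pol in [("no lockout", NO_LOCKOUT),
                      ("lockout 5 per 30 min", WITH_LOCKOUT),
                      ("lockout until admin unlocks", ADMIN_UNLOCK)]:
        print(f"{name:28s} guesses/day={guesses_per_day(pol):>9.0f} "
              f"wordlist={coverage_before_expiry(pol, WORDLIST):.4f} "
              f"strong={coverage_before_expiry(pol, STRONG):.2e}")
```

With these assumed values, lockout cuts the guess rate by more than three orders of magnitude, yet a password drawn from the small candidate list is still partly exposed within one expiry period; only the long, mixed-case, alphanumeric password makes the covered fraction negligible.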
You need to select the hardware with which you will establish your connection to the Internet. Your options include:
Catapult Server can operate over an analog phone line with a high-speed 28.8 Kbps modem. This type of modem is generally connected to a serial port interface or installed within the computer running Catapult Server. Windows NT 4.0's RAS controls the connection to the Internet provider. This connection can use SLIP/PPP (Serial Line Interface Protocol/Point to Point Protocol) to connect to the Internet.
Proposed as a standard for switched high bandwidth telecommunications, ISDN has become a reality in more and more cities and communities. ISDN is the transport system that is used within the telephone network. If you have an ISDN line, you connect to the phone system with the same protocol that the phone system uses internally. There are two ISDN standards: ISDN BRI (Basic Rate Interface) and ISDN PRI (Primary Rate Interface). ISDN BRI service gives a choice of 64 Kbps (kilobits per second) or 128 Kbps digital service. ISDN PRI service gives a choice of service up to 1.544 Mbps (megabits per second).
As opposed to a standard phone line, which allows only one direct connection at a time, ISDN can run several voice and data channels simultaneously. ISDN is digital, so it can operate at much higher speeds with greater accuracy than analog phone lines. Microsoft promotes the use of ISDN through its Web pages, which can direct you to an ISDN provider in your area, or you can call your local phone company for more information. Generally, ISDN lines come with installation and usage fees. An ISDN line can be a choice for a small or mid-sized company. It can also be of value to a single user who wants a faster Internet connection.
A T1 line is another standard for high bandwidth transmission. T1 is a standard connection used by large organizations or high-volume network users to connect networks at very high speeds. A T1 line is similar to an ISDN line in that it allows multiple simultaneous channels, each one running a session. The difference is scale. A T1 line can run at 10 times the speed of an ISDN BRI line. A T1 is generally expensive, but costs are coming down. T1 technology is typically used by large organizations that do high-bandwidth data communications between remote sites. A variant of T1 called 64 Kbps Dedicated Digital Line service is available. This is sometimes called fractional T1 service because a 64 Kbps dedicated digital line is equal to one-twenty-fourth of a full T1 line.
Note that the caching capability of Catapult Server reduces connection bandwidth demands.
A typical analog modem runs at 14.4 or 28.8 Kbps. These speeds are adequate for a single user connecting to the Internet from a workstation, and they may serve a networked server gateway, but you should pay close attention to your users.
As ISDN network service becomes more affordable, ISDN modems are becoming more prevalent and less costly. An ISDN modem dials the ISDN access number and maintains that connection. Microsoft Windows NT and Windows 95 are fully compatible with ISDN modems for which there are Windows standard drivers.
A router is a hardware device that connects one network to another. The router usually functions on the network as a peer to other networked devices such as workstations and servers. Under TCP, the router can have its own network IP address, or under IPX/SPX, its own network name. The router then becomes responsible for maintaining the dial-out connection to the ISP — typically an ISDN or T1 connection. If you want to create a site with multiple gateways on your LAN, you can establish a router connection, then network the router to a LAN multiplexer.
A computer running Windows NT Server, or another computer, connects to the Internet by using the Serial Line Interface Protocol (SLIP) or Point to Point Protocol (PPP). The important thing to understand if you are new to the Internet but familiar with dialing into remote computers is that this type of connection is a network connection similar to your LAN, but with lower speeds. With a network connection you can run simultaneous transactions from one client and have multiple clients moving data at the same time. You can, for instance, have a World Wide Web browser move through several objects on the Web while an FTP application retrieves a shareware file.
The two metrics that impact the cost of your Internet connection are bandwidth and the persistence of connection.
You select bandwidth based on the peak level demand of your users and the type of Internet objects they want to download. Users who browse graphics intensive sites will consume bandwidth. However, note that the caching capabilities of the Catapult Server Proxy service can be used to reduce bandwidth (and therefore costs) consumed by users browsing the WWW. For more information about caching, see Chapter 5, “Server Configuration,” Appendix A, “Architecture,” and Appendix C, “Proxy Cache Configuration.”
ISPs provide access that is available at an hourly rate or on a 24-hours-a-day, 7-days-a-week basis. Consider whether your users need full-time or part-time access to the Internet.
© 1996 by Microsoft Corporation. All rights reserved.