Configure Network Load Balancing (NLB) based cluster of VPN Servers

How network load balancing cluster enhances scalability of vpn server?

To create a NLB VPN cluster each host runs Remote Access (VPN) Service & NLB Service. NLB allows all of the computers in the cluster to be addressed by the same cluster IP address. NLB distributes incoming client requests across the vpn servers in the cluster. The load weight to be handled by each vpn server can be configured as necessary. You can also add a vpn server dynamically to the cluster to handle increased load. In addition, NLB can direct all traffic to a designated single vpn server, which is called the default host.

How network load balancing cluster ensures high availability of vpn server?

When a vpn server fails or goes offline, active connection to the failed or offline server are lost. But new connection request is automatically redistributed among the vpn servers that are still operating. However, if you bring a host down intentionally, you can use “drainstop” command to service all active connection prior to bringing the computer offline. Drainstop allows the host to continue surviving active connections but disables all new traffic to that host.

How to configure a NLB cluster?

To configure the Network Load Balancing (NLB) cluster, you must configure three types of the parameters:

• Host parameters, which are specific to each host in a NLB cluster.
• Cluster parameters, which apply to an NLB cluster as a whole.
• Port rules, which control how the cluster functions. By default, a port rule equally balances all TCP/IP traffic across all servers.

In the following section we will describe step by step guide to deploy an nlb cluster of vpn servers for test lab.

Verification step to make sure vpn server is configured properly before installing nlb:

1. Assign satic ip to vpn-server1 (say 201.0.0.1), vpn-server2 (say 201.0.0.2) [Note: NLB does not support DHCP. NLB disables DHCP on each interface that it configures, so the IP addresses must be static]

2. Ensure client is able to make vpn connection to both the servers for different tunnel types (PPTP, L2TP, SSTP or IKEv2).

Install & Configure NLB in vpn-servers:

3. Install NLB in vpn-server1 & vpn-server2.

4. Create a new cluster using the NLB manager [Open nlbmgr.msc (in Administrative tools)] of vpn-server1 according the steps mentioned below. Add host to the cluster, choose priority of the host & assign cluster IP (say 201.0.0.11).

a) Add new host to the cluster:

Give host name or ip address and select the interface of the host for configuring cluster.

Select cluster operation mode as unicast to specify that a unicast media access control (MAC) address should be used for cluster operation. In this mode, the MAC address of the cluster is assigned to the network adapter of the computer, and the built-in MAC address of the network adapter is not used. Unicast is the default setting for Cluster operation mode.

 5) Configuring Port Rules:

· Select Affinity Single or Network to ensure that all network traffic from a particular client is directed to the same host.

· Select Filtering mode to Multiple hosts or Single host considering the following:

 The Multiple hosts parameter specifies that multiple hosts in the cluster will handle network traffic for the associated port rule. This filtering mode provides scaled performance and fault tolerance by distributing the network load among multiple hosts. You can specify that the load be equally distributed among the hosts or that each host will handle a specified load weight.

 The Single host parameter specifies that network traffic for the associated port rule be handled by a single host in the cluster according to the specified handling priority. This filtering mode provides port specific fault tolerance for handling network traffic.

6. Ensure both the server got same MAC Address for that interface & Cluster IP. [Note: NLB automatically instructs the driver that belongs to the cluster adapter to override the adapter’s unique, built-in network address and to change its MAC address to the cluster’s MAC address. This is the address used on all cluster hosts.]

Verification after configuring nlb cluster for vpn server:

7. Make Connection from the client using Cluster IP. Connection should succeed & it should be connected to high priority server (vpn-sever1 in this case).

8. Give nlb drainstop on vpn-server1.

9. Drainstop allows the host to continue surviving active connections but disables all new traffic to that host. All new connections should go to vpn-server2.

10. Give nlb drainstop on the vpn-server2.

11. Now all new connections should fail since both the servers are in “drainstop” mode.

12. Give nlb start.

13. Client should be able to connect to vpn-server1.

VPN configurations for Firewall

When designing a virtual private network (VPN) remote access solution that involves network firewalls, you typically choose between the following two options for server placement. Each option has different design requirements.

• VPN server behind a firewall.The firewall is attached to the Internet, with the VPN server between the firewall and the intranet. This is the placement used in a typical perimeter network configuration, in which one firewall is positioned between the VPN server and the intranet and another firewall is positioned between the VPN server and the Internet.
  
  
• VPN server in front of a firewall. The VPN server is connected directly to the Internet, with the firewall between the VPN server and the intranet.

VPN server behind a firewall

In the configuration shown in the following figure, the firewall is connected to the Internet and the VPN server is an intranet resource on the perimeter network. The perimeter network is an IP network segment that typically contains resources available to Internet users, such as Web servers and FTP servers. The VPN server has an interface on both the perimeter network and on the private intranet.

In this approach, the firewall must be configured with input and output filters on its Internet and perimeter network interfaces to allow the passing of tunnel maintenance traffic and tunneled data to the VPN server. Additional filters can allow the passing of traffic to Web servers, FTP servers, and other types of servers on the perimeter network. As an added layer of security, the VPN server should also be configured with Point-to-Point Tunneling Protocol (PPTP), Secure Socket Tunneling Protocol (SSTP), or Layer Two Tunneling Protocol (L2TP)/Internet Protocol security (IPsec) packet filters on its perimeter network interface as described in “VPN server in front of a firewall” in this topic.

Because the firewall does not have the encryption keys for each VPN connection, it can only filter on the plaintext headers of the tunneled data, meaning that all tunneled data passes through the firewall. However, this is not a security concern because the VPN connection requires an authentication process that prevents unauthorized access beyond the VPN server.

Packet filters for a VPN server behind a firewall

If the VPN server is behind a firewall, packet filters must be configured for both an Internet interface and a perimeter network interface. In this scenario, the firewall is connected to the Internet and the VPN server is an intranet resource that is connected to the perimeter network. The VPN server has an interface on both the perimeter network and the Internet.

VPN server in front of a firewall.

With the VPN server in front of the firewall and connected to the Internet, as shown in the following figure, administrators need to add packet filters to the Internet interface that allow only VPN traffic to and from the IP address of the VPN server’s interface on the Internet.

For inbound traffic, when the tunneled data is decrypted by the VPN server, it is forwarded to the firewall, which uses its filters to allow the traffic to be forwarded to intranet resources. Because the only traffic that is crossing the VPN server is traffic generated by authenticated VPN clients, firewall filtering in this scenario can be used to prevent VPN users from accessing specified intranet resources.

Because the only Internet traffic allowed on the intranet must go through the VPN server, this approach also prevents the sharing of intranet resources with non-VPN Internet users.

Packet filters for a VPN server in front of a firewall

When a VPN server is in front of a firewall and connected to the Internet, inbound and outbound packet filters on the VPN server must be configured to allow only VPN traffic to and from the IP address of the VPN server’s Internet interface. Use this configuration if the VPN server is in a perimeter network, with one firewall positioned between the VPN server and the intranet and another between the VPN server and the Internet.

Which VPNs Are The Best?

Which VPNs Are The Best?

When we ran our recent Hive Five on VPN service providers, we heard from VPN providers begging to be included, angry CEOs who claimed their company was maliciously left out, and others accusing some of the contenders of illegal or unethical behavior. We took at look at the poll and the claims, and while there's no definitive proof the poll was gamed, we decided to come up with our own top five, based on our own research rather than reader feedback, that are great whether you're the privacy advocate, the student, or the downloader.

Private Internet Access

Supports: Windows, OS X, Linux, iOS, Android
Protocols: SSL, PPTP, IPSec, and L2TP. You can also configure Private Internet Access to work on your DD-WRT or Tomato router (via SSL/OpenVPN) for constant security.
Home Country: United States, and has exit servers in the US, Canada, the UK, Switzerland, Romania, and the Netherlands.
Logging Policies: The service keeps no logs of your activity whatsoever (in fact, the only things they do keep are your email address and payment information,) uses shared IPs, and has committed to keeping your data private.

proXPN

Supports: Windows, OS X, iOS
Protocols: SSL, PPTP.
Home Country: United States, with exit servers in the US, The Netherlands, Singapore, and the UK.
Logging Policies: proXPN keeps minimal logs of your activity. proXPN collects your email address, payment information (if you're a premium user,) bandwidth usage, connection duration, and login/logout times. They've committed to only keeping those logs for 14 days or less, and promise to never share their logs with anyone, period.

TorVPN

Supports: Windows, OS X, Linux, iOS, Android
Protocols: SSL (they often refer to it as OpenVPN), PPTP, and full SSH tunneling.
Home Country: Hungary, with exit servers in Hungary.
Logging Policies: The service doesn't log your connection aside from bandwidth usage to compare against your quota, and your payment details. They also are committed to your privacy, and specifically say they won't surrender their data without a Hungarian court order.

TorGuard

Supports: Windows, OS X, Linux, and iOS and Android via built-in VPN
Protocols: SSL (OpenVPN), PPTP, and L2TP, (with 256 bit security)
Home Country: Panama, with exit servers in The Netherlands, Romania, Ukraine and Panama.
Logging Policies: TorGuard wholeheartedly supports privacy, so you can feel a bit more secure that your connection is secure and anonymous. They purge their logs daily, and only keep payment information and registration info. They don't even keep login/logout times.

WiTopia

Supports: Windows, OS X, Linux, iOS, Android, webOS, Chromebooks.
Protocols: SSL, PPTP, IPSec, and L2TP (with 256 bit security)
Home Country: United States, with exit servers in 10 US cities, and countries in Latin and South America, Asia, Australia, Europe, Africa, and the Middle East—way too many to list here.
Logging Policies: WiTopia does not log information that can be attributable to individual users, purges logs weekly, and only saves registration information and payment details when you sign up.

Alternatively, Roll Your Own VPN

We've shown you how to roll your own VPN using Hamachi, and even how to set up Privoxy to secure your web browsing once you have your personal VPN set up. Hamachi isn't the only option: you can also download and configure OpenVPN (a free SSL VPN) on your own home server,, or if you have a router that supports it, enable OpenVPN on your home router so you can connect back to it when you're abroad. Combined with Privoxy, you get the privacy and anonymity benefits of a VPN without spending a dime.

Both of these options put control in your hands, and while they're not quite as anonymous as subscription methods or offer international exit locations, they do give you the the most important benefits of a VPN: security, privacy, and anonymity while you're away from home.

What Makes for a Good VPN?

What Makes for a Good VPN?

The best VPNs offer a solid balance of features, server location, connectivity protocols, and price. Some are great for occasional use, others are geared towards getting around the location restrictions companies put on their apps and services, and others are targeted at people who do heavy downloading and want a little privacy while they do it. Here's what you should look for.

Protocol: When you're researching a VPN, you'll see terms like SSL/TLS (sometimes referred to as OpenVPN support,) PPTP, IPSec, L2TP, and other VPN types. We asked Samara Lynn, Lead Analyst for Networking and Small Business at PCMag, whether or not a user shopping for a VPN should shop for one over another. "SSL is what is commonly used these days. All of these protocols will provide a secure connection," she explained, and pointed out that most solutions are invisible to the end-user anyway. Strictly, each protocol has its benefits and drawbacks, and if you're concerned about this  you're probably already aware of them. Most users don't need to be concerned about this—corporate users on the other hand, are probably all using IPSec or SSL clients anyway.

Corporate and Exit Locations: Depending on what you'reusing a VPN for, your service's location—and the exit locations you can choose—are important to consider. If you want to get around a location restriction and watch live TV in the UK, for example, you want to make sure your VPN service provider has servers in the UK. If you're concerned about privacy or state-sponsored snooping, you may want to pick a service operated outside of your home country. Similarly, if the service is based on the US, they're subject to US laws, and may be forced to turn over usage data to the authorities upon request. Many people make more of this than they should (we've seen overseas services turn over their data to friendly governments without any hesitation repeatedly), but it's important to make sure a VPN has servers in multiple locations—or at least the location you're interested in—when shopping.

Logging: When you connect to a VPN, you're trusting the VPN service provider with your data. Your communications may be secure from eavesdropping, but other systems on the same VPN—especially the operator—can log your data if they choose. If this bothers you (e.g., you're the privacy/security advocate or the downloader), make absolutely sure you know your provider's logging policies before signing up. This applies to location as well—if your company doesn't keep logs, it may not matter as much where it's located. (There's a popular rumor that US-based VPN providers are required to log, in case the government wants them. This isn't true, but the government can always request whatever data they have if they do log.) For a good list of VPN providers that don't log your activities when connected

Anti-Malware/Anti-Spyware Features: Using a VPN doesn't mean you're invulnerable. You should still make sure you're using HTTPS whenever possible, and you should still be careful about what you download. Some VPN service providers especially mobile ones—bundle their clients with anti-malware scanners to make sure you're not downloading viruses or trojans. When you're shopping, see if the providers you're interested in offer anti-malware protection while you're connected. For example, previously mentioned Hotspot Shield offers malware protection to its premium users. It may not be a dealbreaker for you, but it's always good to have someone watching your back.

Mobile Apps: If you're going to spend money on a VPN service provider (or even if you use a free one, frankly), you should be able to get a consistent experience across all of your devices. Most prominent providers offer desktop and mobile solutions for individual users, and while corporate and school networks may be a bit behind the curve here, they're catching up too. Make sure you don't have to use two different VPNs with two different policies and agreements just because you want to secure your phone along with your laptop.

Price: Finally, go into your user agreement with both eyes open. You should read the privacy policy for the service you're interested in, and be very aware of the differences between free and paid services.

 For example:

Free VPN Providers are more likely to log your activities and serve contextual ads while you're connected. They're also more likely to use your usage habits to tailor future ads to you, have fewer exit locations, and weak commitments to privacy. They may offer great features, but if logging and privacy are important to you, you may want to avoid them. However, if you just need quick, painless security while traveling on a budget, they're a great option.

Subscription VPN Providers usually take your privacy a bit more seriously, since you're paying for the service. It's unusual for them to show ads, although whether they do logging or store data about your usage varies from company to company. They usually offer free trials so you can give the service a shot first, but remember: just because you're paying for a service doesn't mean you shouldn't do your homework.

A mix of features and price make a good VPN, but plenty of bad VPNs masquerade as good ones. Look for articles written by trustworthy sources that discuss the merits of each service based on its features, versus simple rundowns and user testimonials, which are almost always polluted by a combination of fanatical users and corporate bootstrapping in attempt to get their names out to potential customers.
• 
  

Why and when you should use VPN??

What Is a VPN?

Put simply, a Virtual Private Network, or VPN, is a group of computers (or discrete networks) networked together over a public network—namely, the internet. Businesses use VPNs to connect remote datacenters, and individuals can use VPNs to get access to network resources when they're not physically on the same LAN (local area network), or as a method for securing and encrypting their communications when they're using an untrusted public network.

When you connect to a VPN, you usually launch a VPN client on your computer (or click a link on a special website), log in with your credentials, and your computer exchanges trusted keys with a far away server. Once both computers have verified each other as authentic, all of your internet communication is encrypted and secured from eavesdropping.

The most important thing you need to know about a VPN: It secures your computer's internet connection to guarantee that all of the data you're sending and receiving is encrypted and secured from prying eyes.

Whether the VPNs you're familiar with are the ones offered by your school or business to help you work or stay connected when you're traveling or the ones you pay to get you watch your favorite shows in another country as they air, they're all doing the same thing.

Why You Need a VPN, or How You Can Benefit from Using One ?

A VPN alone is just a way to bolster your security and access resources on a network you're not physically connected to. What you choose to do with a VPN is a different story. Usually, VPN users fall into a few separate categories:

The student/worker. This person has responsibilities to attend to, and uses a VPN provided by their school or company to access resources on their network when they're at home or traveling. In most cases, this person already has a free VPN service provided to them, so they're not exactly shopping around. Also, if they're worried about security, they can always fire up their VPN when using airport or cafe WI-Fi to ensure no one's snooping on their connection.

The downloader. Whether they're downloading legally or illegally, this person doesn't want on some company's witch-hunt list just because they have a torrenting app installed on their computer. VPNs are the only way to stay safe when using something like BitTorrent.
The privacy minded and security advocate. Whether they're a in a strictly monitored environment or a completely free and open one, this person uses VPN services to keep their communications secure and encrypted and away from prying eyes whether they're at home or abroad. To them, unsecured connections mean someone's reading what you say.

Even if none of the above really sound right to you, you can still benefit from using a VPN. You should definitely use one when you travel or work on an untrusted network (read: a network you don't own, manage, or trust who manages.) That means opening your laptop at the coffee shop and logging in to Facebook or using your phone's Wi-Fi to check your email at the airport can all potentially put you at risk.

Proxy and Its functioning

PROXY

If you work remotely, or have to handle corporate files on the road, then chances are you've used a specific type of proxy and may not even be aware of it. In fact, proxies are used by workers all over the world in the form of a VPN. A virtual private network is one specific type of proxy which provides you with the ability to work remotely and securely. But what is a proxy exactly, how does it work, and what are some of the advantages it can give not only a remote worker, but anyone who wants an extra layer of privacy? Here's a look at the various types of proxies and a review of one particular service which provides you with proxies on steroids.

How proxies work

Basically, a proxy is a point to point connection between you and a remote location on the Internet. If you're in a hotel in Seattle and you work for a large corporation down in Dallas, then opening a VPN to your corporate office means your computer will create a permanent connection between your own system and a dedicated device at the corporate office called the VPN server. This connection provides you with a tunnel through which all further communication will pass. This is the first and most well known quality of a VPN. All of your traffic, whatever it is, will be encrypted inside that tunnel, going from your current location to the VPN server, and then be resent on your behalf to the wider Internet. What this means is that anyone listening nearby, or trying to see the packets going from your own system, will see nothing but static. In fact, they won't even know which websites you visit, because everything is encrypted. This is an even stronger security mechanism than SSL, since with SSL people can still see the headers and know which sites you surf to.

But a VPN, or any other type of proxy, provides quite a few more benefits. Whether you use a VPN, which relies on a protocol like PPTP to encapsulate your packets securely, an SSL proxy, a Socks proxy, or even a simple web gateway (which doesn't actually provide you with any encryption) they all have a couple of features  that are similar. The basic principle is that the server is relaying those packets for you, and stripping the originating address. Instead of your own IP address, they only see the proxy server's

Criminals also make heavy use of proxies to obscure their actual locations. They can even chain proxy servers together to increase the difficulty of being tracked. But proxies are used for a lot more than just to watch the latest Family Guy, or commit crimes. A lot of people use them simply for safety. If you have a slow Internet connection, you could use a proxy server with a lot of bandwidth, and malware threats roaming the net trying to find unpatched systems, or launch potential denial of service attacks, would find only the proxy. Security researchers also love proxies. When you're trying to infiltrate the criminal underground, the last thing you want is to give them your home address.

One such service: HMA

As you can see, proxies provide security and anonymity that can be very handy. If you don't have a corporate VPN you can use, there are a lot of services that offer some alternatives. One of the most popular right now, and the one I've used, is called hide my ass. One of the things I like about it is that, first, it provides a very easy-to-use client software. Instead of having to configure the proxy settings manually, you simply install the client, and it keeps track of your connection status, allowing you to set preferences. Then, it also has a massive amount of 36,000+ IP addresses all over the world. This means you can connect to any of those servers and appear to be from that location.

Proxies still require trust

Finally, there are some things you need to keep in mind when using proxies. First, remember that while a proxy server will provide you with security and anonymity, the proxy itself has to decode your traffic to send it through. This means it can see everything you're doing, unless you use SSL connections. So you need to trust it. A lot of people use TOR, which is a free anonymity network run by volunteers, or some go to underground channels to get so-called "private"proxies, but the problem is you never know if you can trust those servers. It may end up being worse than not using a proxy at all. Popular commercial services like Hide My Ass base their business on providing this service, so personally I have more faith in them. Don't think of using them for criminal acts however, since they do state clearly that they cooperate with law enforcement. Because again, the proxy server is the one party that knows what your real IP address is. Also, using proxies will typically slow your connection down, since you're basically transferring all your data to another location around the world before it goes out to the Internet. As you attempt to connect to various proxy servers, you may find very big differences in speed, so it's a good idea to try them out. Whether you want security, anonymity, or both, proxies provide a good way to surf the net.

Different types of Proxy Server and Its types

What is a Proxy Server?

A proxy server is a computer that offers a computer network service to allow clients to make indirect network connections to other network services. A client connects to the proxy server, then requests a connection, file, or other resource available on a different server. The proxy provides the resource either by connecting to the specified server or by serving it from a cache. In some cases, the proxy may alter the client's request or the server's response for various purposes.

Web proxies

A common proxy application is a caching Web proxy. This provides a nearby cache of Web pages and files available on remote Web servers, allowing local network clients to access them more quickly or reliably.

When it receives a request for a Web resource (specified by a URL), a caching proxy looks for the resulting URL in its local cache. If found, it returns the document immediately. Otherwise it fetches it from the remote server, returns it to the requester and saves a copy in the cache. The cache usually uses an expiry algorithm to remove documents from the cache, according to their age, size, and access history. Two simple cache algorithms are Least Recently Used (LRU) and Least Frequently Used (LFU). LRU removes the least-recently used documents, and LFU removes the least-frequently used documents.

Web proxies can also filter the content of Web pages served. Some censorware applications - which attempt to block offensive Web content - are implemented as Web proxies. Other web proxies reformat web pages for a specific purpose or audience; for example, Skweezer reformats web pages for cell phones and PDAs. Network operators can also deploy proxies to intercept computer viruses and other hostile content served from remote Web pages.

A special case of web proxies are "CGI proxies." These are web sites which allow a user to access a site through them. They generally use PHP or CGI to implement the proxying functionality. CGI proxies are frequently used to gain access to web sites blocked by corporate or school proxies. Since they also hide the user's own IP address from the web sites they access through the proxy, they are sometimes also used to gain a degree of anonymity.

You may see references to four different types of proxy servers:

• Transparent Proxy

  

  This type of proxy server identifies itself as a proxy server and also makes the original IP address available through the http headers. These are generally used for their ability to cache websites and do not effectively provide any anonymity to those who use them. However, the use of a transparent proxy will get you around simple IP bans. They are transparent in the terms that your IP address is exposed, not transparent in the terms that you do not know that you are using it (your system is not specifically configured to use it.)

• Anonymous Proxy

  

  This type of proxy server identifies itself as a proxy server, but does not make the original IP address available. This type of proxy server is detectable, but provides reasonable anonymity for most users.

• Distorting Proxy

  This type of proxy server identifies itself as a proxy server, but make an incorrect original IP address available through the http headers.

• High Anonymity Proxy

  This type of proxy server does not identify itself as a proxy server and does not make available the original IP address
• Socks 4 and 5 proxies provide proxy service for UDP data and DNS look up operations in addition to Web traffic. Some proxy servers offer both Socks protocols.
• DNS proxies forward domain name service (DNS) requests from LANs to Internet DNS servers while caching for enhanced speed.
  
• Proxy hacking

In proxy hacking, an attacker attempts to steal hits from an authentic web page in a search engine's index and search results pages. The proxy hacker would have a either a fraudulent site emulating the original or whatever they felt like showing the clients requesting the page.

Here's how it works: The attacker creates a copy of the targeted web page on a proxy server and uses methods such as keyword stuffing and linking to the copied page from external sites to artificially raise its search engine ranking. The authentic page will rank lower and may be seen as duplicated content, in which case a search engine may remove it from its index.

This form of hacking can be also be used to deliver pages with malicious intent. Proxy hacking can direct users to fake banking site, for example, to steal account info which can then be sold or used to steal funds from the account. The attacker can also use the hack to direct users to a malware-infected site to compromise their machines for a variety of nefarious purposes.

Some means have been developed to compromise proxy abilities. Specially crafted Flash and Java apps, Javascript,Active X and some other browser plugins can be used to reveal a proxy user’s identity, so proxies should not be used on untrusted sites or anywhere that anonymity is important.

Website owners who suspect they have been the victim of a proxy hack can test the theory by searching for a phrase that would be almost uniquely identifying to the site. Their site should be prominent on the search engine results page (SERP). If a second site with the same content shows up, it may be a proxy page.

Proxy Server

What is a Proxy Server?

A proxy server is a computer that offers a computer network service to allow clients to make indirect network connections to other network services. A client connects to the proxy server, then requests a connection, file, or other resource available on a different server. The proxy provides the resource either by connecting to the specified server or by serving it from a cache. In some cases, the proxy may alter the client's request or the server's response for various purposes.

A proxy server is a dedicated computer or a software system running on a computer that acts as an intermediary between an endpoint device, such as a computer, and another server from which a user or client is requesting a service. The proxy server may exist in the same machine as a firewall server or it may be on a separate server, which forwards requests through the firewall.

An advantage of a proxy server is that its cache can serve all users. If one or more Internet sites are frequently requested, these are likely to be in the proxy's cache, which will improve user response time. A proxy can also log its interactions, which can be helpful for troubleshooting. 

Here’s a simple example of how proxy servers work:

When a proxy server receives a request for an Internet resource (such as a Web page), it looks in its local cache of previously pages. If it finds the page, it returns it to the user without needing to forward the request to the Internet. If the page is not in the cache, the proxy server, acting as a client on behalf of the user, uses one of its own IP addresses to request the page from the server out on the Internet. When the page is returned, the proxy server relates it to the original request and forwards it on to the user.

Proxy servers are used for both legal and illegal purposes. In the enterprise, a proxy server is used to facilitate security, administrative control or caching services, among other purposes. In a personal computing context, proxy servers are used to enable user privacy and anonymous surfing. Proxy servers can also be used for the opposite purpose: To monitor traffic and undermine user privacy.

To the user, the proxy server is invisible; all Internet requests and returned responses appear to be directly with the addressed Internet server. (The proxy is not actually invisible; its IP address has to be specified as a configuration option to the browser or other protocol program.)

Users can access web proxies online or configure web browsers to constantly use a proxy server. Browser settings include automatically detected and manual options for HTTP,SSL, FTP, and SOCKS proxies. Proxy servers may serve many users or just one per server. These options are called shared and dedicated proxies, respectively. There are a number of reasons for proxies and thus a number of types of proxy servers, often in overlapping categories.

Forward and reverse proxy servers

Forward proxies send the requests of a client onward to a web server. Users access forward proxies by directly surfing to a web proxy address or by configuring their Internet settings. Forward proxies allow circumvention of firewalls and increase the privacy and security for a user but may sometimes be used to download illegal materials such as copyrighted materials or child pornography.

Reverse proxies transparently handle all requests for resources on destination servers without requiring any action on the part of the requester.

Reverse proxies are used:

• To enable indirect access when a website disallows direct connections as a security measure.
• To allow for load balancing between severs.
• To stream internal content to Internet users.
• To disable access to a site, for example when an ISP or government wishes to block a website.
  

Sites might be blocked for more or less legitimate reasons. Reverse proxies may be used to prevent access to immoral, illegal or copyrighted content. Sometimes these reasons are justifiable but sometimes justification is dubious. Reverse proxies sometimes prevent access news sites where users could view leaked information. They can also prevent users from accessing sites where they can disclose information about government or industry actions. Blocking access to such websites may violate free speech rights.