More than you'll need

Talk about shooting a fly with an elephant gun. That's the type of thing Microsoft Corp. and Netscape Communications Corp. equip you to do with new versions of their Web proxy servers.

Both Netscape Proxy Server 3.5 and Microsoft Proxy Server 2.0 adequately perform the basic function of acting as a Web server that delivers copies of frequently accessed content from cache faster than it can be downloaded across the Internet. They also authenticate Internet access and filter out some forms of unwanted content such as Java applets.

However, the products go beyond satisfying basic proxy server requirements with a number of extra features. While it isn't necessarily bad to have feature-rich products, many of the extra features in these proxy servers add little or no benefit and make them harder to configure and manage.

Microsoft went further than Netscape in this endeavor and becomes a prime candidate for the most misnamed product of the year award by bundling in a number of firewall features, including advanced packet filters and IPX-to-IP gateways. Microsoft would have been better off simplifying its proxy server management, improving documentation and providing more detailed reports that can help you improve performance.

In Netscape's case, the new release gives you predictive and distributed caching techniques that could add more to your administrative overhead and network cost than what they're worth. Putting the feature creep aside, though, Netscape is the more solid, mature and easily managed of the two.

Basic differences

Microsoft's product has to run on the same machine as the firm's Internet Information Server (IIS). This limits Proxy Server 2.0 to running under Windows NT Server 4.0, and means it inherits all the bugs and security problems in NT Server and IIS. Netscape's product can run on a standalone server under a wider array of operating systems, making it more flexible.

Moreover, Microsoft's offering ties you into the authentication database in NT Server, while Netscape's can use its own flat file database or a new Lightweight Directory Access Protocol (LDAP) link to an enterprise directory. Netscape gets the edge here when you consider that NT Server's authentication system doesn't scale very well and the LDAP link enables you to hook Netscape's product into multiple directories.

The vendors even take different approaches in how they offer their excess features. With Microsoft's heavily touted active Web caching feature, Proxy Server 2.0 examines historical usage trends, predicts which Web pages people are most likely going to request on which days and downloads them beforehand. Netscape's on-command caching attempts to meet the same goal of having pages in cache before they're needed but forces you to manually load the URLs for those pages.

In our view, both features offer little benefit in a production environment. For all the time it takes to set up the features and download the pages, you'd be just as well off to let the proxy server cache them on its own. After all, the only person who benefits from having a page prefetched is the one who initially requests it, and even then you're only saving a few seconds if you have T-1 or higher speed Internet access.

Both vendors also tout their ability to support a large array of proxy servers that can check each other's caches for pages before submitting requests to the Internet. For instance, if a server does not have a requested page in cache, it will check to see if the page is on any of the others in the array before retrieving it across the Internet.

Again, our review indicates that implementing these proxy server arrays is too much work for the benefit and adds to your ongoing management head aches. The pain of keeping all those caches in synch just to retrieve a few pages across your internal network as opposed to the Internet won't be worth it in the vast majority of cases.

Netscape pulls ahead

The proxy server generates a URL for that file. You then have to manually enter the URL in all your browsers. Every time a browser is launched, it uses the URL to check the file on the proxy server and update itself.

While both vendors' proxy servers built their own autoconfiguration files and gave them a URL, Microsoft's never delivered its file to the browsers. This was due to a communications problem between Microsoft's proxy server and IIS. The proxy relies on IIS to deliver the file _ and any cached files for that matter _ to the browser.

We contacted Microsoft technical support about the problem but couldn't get an answer before press deadline. So, we had to manually configure our browsers to use Microsoft's proxy.

Netscape's autoconfiguration feature worked the first time and didn't have a complicated and overly long URL, as did Microsoft's. All we had to do was type the short autoconfiguration file URL in the browsers and we were done. The proxy server handled the rest.

When it comes to security, Microsoft offers features you'd find in a firewall but oddly is missing some of what you'd expect in a proxy server. At a minimum, you want a proxy server to require authentication before permitting users to surf the Internet. The proxy also should enable you to restrict or block access to specific sites, filter out certain types of content such as Java applets and scan for viruses.

Both Microsoft and Netscape offer authentication options with approximately the same level of granularity. However, Netscape's access restriction features are more flexible. For example, we were able to grant specific users access to certain Web sites and block access to the rest. Netscape also enables you to build your own Access Control List (ACL) file, which is a chore but at least enables you to block access to specific sites.

Microsoft does not support ACL files, opting instead for loading in lists of sites found in third party access restriction products, such as Microsystems Software, Inc.'s Cyber Patrol. While Netscape also will read in restricted site lists from third party products, neither vendor supports time-of-day restrictions that would enable you to open restricted sites for after hours access.

Netscape includes what is needed to filter out specific parts of Multi-purpose Internet Mail Extensions e-mail messages and HTML objects such as Java applets, ActiveX pages or JavaScript routines. Proxy Server 3.5 also can filter outgoing traffic based on packet header information and will pass incoming files off to a preinstalled third party plug-in for virus scanning.

On the other hand, Microsoft requires installation of third party products to filter MIME parts, Java applets and ActiveX pages. It also defers virus scanning to an extra cost plug-in. However, Microsoft makes it easy for users of a plug-in subscription service to download those third party products via hot links built into Proxy Server 2.0.

While it's true that Microsoft leaves Netscape at the gate when it comes to firewall features, we question whether you want to mix proxy server and firewall functionality in one product, especially one from Microsoft. For one thing, building a complex firewall on top of NT is no day at the beach, given the problems in NT's TCP/IP stack. Just as important, putting firewall and proxy server functionality on the same server forces you to implement internal and external access policies that can be at odds with each other on one machine. For instance, in steeling your network against external intruders, you may be unable to deliver the type of performance that internal users want.

Still, as a dual-homed host that has separate interfaces to your local network and the Internet, Microsoft Proxy Server 2.0 will handle Web caching, plus do some smart packet filtering, application-level proxying, act as a SOCKS 4 or WinSock proxy, and provide a gateway for getting IPX traffic onto the Internet.

Microsoft loses points for generally weak documentation. While Microsoft matches Netscape in providing step-by-step instructions to get things rolling, Netscape gives additional depth at every stage. For example, one of the key issues you face in configuring a proxy server is how large the cache should be. Netscape provides a tutorial on caching, cache performance and cache sizing to help you make that decision. Microsoft leaves you high and dry with nary a word on cache optimization.

Netscape also provides a more stable browser-based management interface that enables you to easily retrieve cache hit rates, response time measurements, traffic patterns and usage levels. Couple that with easy-to-find help and you'll be better able to intelligently tune your Netscape proxy server than you will Microsoft's.

The applications to manage Microsoft's product had their problems too. We had to fight crashes when Internet Explorer was reading help files, lockups when we then tried to restart the Windows NT-based Microsoft Management Console, and confusion in trying to tap into NT's Performance Monitor to look at performance numbers. When the applications were working, things weren't much better. For example, we couldn't easily find out what our cache hit rates were or what kind of data was being cached.

So, if you want the more solid and easily managed product, get Netscape Proxy Server 3.5. However, understand that both offerings may have much more than you'll ever need, and that is going to make your management of either one more complex and expensive. It seems that providing simple Web caching isn't sexy enough to keep either Netscape's or Microsoft's interest.