Network Computing, powered by InformationWeek Business Technology Network
Problem Solving With Web Proxy Servers


By Gregory Yerxa

It probably won't take you long to discover that Web proxy servers can provide answers to complicated network issues like security, bandwidth and browsing. So adding a Web proxy server or two may be a really good option for network managers. If you're considering adding a Web proxy server, you first must determine what the proxy server's primary function will be. Large networks should focus on scalable solutions, with an equal emphasis on security and bandwidth use. Smaller workgroups need to concentrate on low-maintenance solutions with high feature/price ratios while keeping an eye on future growth. And network managers who are looking for a Web proxy solution at the enterprise level should zero in on solutions capable of satisfying multiple policy and departmental needs.

Additional issues to consider should center on the nature of your proxy server. Does it cache content for internal users? Should it assume a dual role and cache your internal Web content for external users? Does your proxy server restrict rich Web content such as Java applets and ActiveX controls? Will it work in conjunction with a firewall? Can it restrict user access to individual Web sites? What extra security features are available for your benefit?

Your Proxy Server's Role

Before purchasing a proxy server, be aware of the role it will play in your network. The size of your network and how you use it often dictate which proxy server solutions are most appropriate for you. Large sites can use proxy servers primarily to limit HTTP bandwidth across their Internet pipes, as well as to concentrate Web client access through a single point. This allows for potential access control and lets accounting data be gathered for future analysis.

Smaller sites can use proxy servers in a slightly different role. Since it concentrates Web clients into a single visible IP address, a Web proxy server can be a poor man's NAT (Network Address Translation). With a small proxy server, a branch office or small workgroup can provide Internet access through a single dial-up ISP account. Products like Microsoft Corp.'s Proxy Server include on-demand autodial capabilities as well as autodial scheduling, enabling administrators to fine-tune dial-up link usage.

Web proxy servers can be used in a variety of other situations, often involving more complicated protocols and traffic types. Finjan Software's SurfinGate, for example, is a Java/ActiveX security solution that scans Web content as it passes through the Web proxy, preventing malicious content from entering your network. Other proxy servers, such as those from Aventail Corp. and Deerfield Communications, are all-in-one solutions for Internet access and can proxy most well-known protocols, including FTP, HTTP, NNTP (Network News Transfer Protocol), SMTP and others.

Still other proxy servers act as tunneling mechanisms, allowing other protocols, such as SSL (Secure Sockets Layer)-based protocols and UDP (User Datagram Protocol)-based stream protocols, to pass through the proxy. Web proxy servers provide tunneling by encapsulating one protocol within another.

Most protocols that pass through a proxy server are handled at the application level--that is, the proxy is aware of the data and the behavior of the protocol itself. This allows the proxy to add another step or way point for network traffic passing through the proxy. In order for this to occur, the proxy server may modify the data being proxied, which may affect communications.

For most protocols this is not a problem, and the proxy server can perform its functions just fine. FTP, Gopher and HTTP are all physically altered by the proxy in order for the traffic to pass through the proxy server. Communication isn't affected in these instances since the proxy server has only acted on behalf of the clients that proxy through it. But a proxy server can't handle some protocols without the assistance of another protocol. Telnet and RealAudio traffic are two of these "problem" protocols and the applications that use them.

Problem protocols can be proxied by the Socks protocol. Proxy servers that support Socks let users route additional traffic over a network's proxy server. Although some installations will benefit from this protocol, others will not. A good approach is to look for proxy servers that support Socks but let you disable it on demand. Other capabilities, such as restrictions by port number, which are potentially useful for limiting which services can be proxied via Socks, also should be on your list of requirements. Restricting or limiting specific port numbers can tighten your control over what is proxied.

You also should consider the scalability of Web proxy servers. Some vendors, such as Microsoft and Netscape Communications Corp., permit the use of a clustering mechanism and share user and network information between multiple Web proxy servers. Others extend this cluster idea to include a hierarchy of proxies employing different functionality at different levels.

When choosing a Web proxy server, it's in your favor to consider its potential uses beyond its initial purpose of proxying Web traffic. A Web proxy server should support the most recent version of HTTP so you'll have the most advanced and refined feature set. Currently, HTTP is in version 1.1, with plans and development focusing on HTTP-NG (HTTP Next Generation).

Cache as Cache Can

While evaluating Web proxy servers, you'll find caching taking center stage. Caching Web content becomes critical when you consider the size of a particular access link and the amount of redundant content running over it. Rather than repeatedly requesting the same content from a particular server, proxies can use caching. Various caching protocols have been developed, while others are waiting in the wings. CARP (Cache Array Routing Protocol) and ICP (Internet Cache Protocol) are the two main caching protocols.

Single Web proxy servers should allow network administrators complete control over all aspects of caching; memory usage and file space should be configurable options as well. Some proxy servers let specific Web sites and URLs be downloaded (into cache) and checked for content changes periodically. If your clients visit many of the same Web sites, this feature can significantly reduce the use of your access link's bandwidth. However, content caching may lead to storage problems for larger networks by potentially requiring gigabytes of disk space. Smaller networks may forgo this feature because it won't produce significant performance increases for their client bases.

Also keep in mind that the two caching protocols, CARP and ICP, were not created equal. The older ICP is a response-based system with a high level of redundancy, while CARP is a flexible, hash-based caching system designed for optimal efficiency. Because ICP is less efficient and seldom implemented, it's rarely an option on Web proxy servers. CARP's hash-based nature eliminates redundancy between many cache servers and the content on them. CARP easily handles downed cache servers and quickly compensates for lost cached content as a result of downed servers. We strongly recommend CARP support when implementing a large network of proxy servers for optimal use of a network's resources.
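The hash-based routing described above can be shown with a short added example (not code from the article or from any proxy product). It uses highest-score hashing over the member name and the URL, with SHA-256 standing in as an assumption for CARP's own hash function; the member names and URLs are constructed.

```python
import hashlib

# Constructed sample data: four cache members and 200 URLs.
MEMBERS = ["proxy-a", "proxy-b", "proxy-c", "proxy-d"]
URLS = [f"http://www.example.com/page{i}.html" for i in range(200)]


def score(member, url):
    """Combined hash of one member and one URL.

    Assumption: SHA-256 replaces CARP's own hash function here; only the
    "hash member and URL together, highest score wins" idea is shown.
    """
    digest = hashlib.sha256(f"{member}\n{url}".encode("utf-8")).digest()
    return int.from_bytes(digest[:8], "big")


def route(url, members):
    """Return the single member responsible for caching this URL."""
    if not members:
        raise ValueError("no proxy members available")
    # Tie-break on the name so the result does not depend on list order.
    return max(members, key=lambda m: (score(m, url), m))


def fail_member(urls, members, failed):
    """Compare URL ownership before and after one member goes down."""
    before = {u: route(u, members) for u in urls}
    survivors = [m for m in members if m != failed]
    after = {u: route(u, survivors) for u in urls}
    moved = sorted(u for u in urls if before[u] != after[u])
    return before, after, moved


if __name__ == "__main__":
    before, after, moved = fail_member(URLS, MEMBERS, "proxy-b")
    owned = sum(1 for u in URLS if before[u] == "proxy-b")
    print(f"proxy-b owned {owned} URLs; {len(moved)} URLs changed owner")
    for member in MEMBERS:
        count = sum(1 for u in URLS if after[u] == member)
        print(f"{member}: {count} URLs after the failure")
```

Every URL has exactly one owner, so no object is cached twice across the array, and only the URLs owned by the failed member are reassigned.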

Caching may prompt you into investing in other Web proxy server features. For example, is a client that requests a cached document guaranteed the document is up to date? Generally, the answer is no. Proxies have a cache sitting time that indicates the longest period any cached document can stay in cache before a new copy must be retrieved. The ability to configure this sitting time is an important feature. Additionally, other related timers, such as time-outs for downed Web sites and for authentication, should be part of a good proxy solution.

Sound Security

Frequently, Web proxy servers deal with sensitive information, and you should be concerned with the way in which a Web proxy server controls access to the content it proxies. User name and password conventions work well, but they're often limited by the operating system on which the proxy runs. They also require constant upkeep when adding and removing users. Proxy servers that let administrators import user credentials from the OS are more convenient, but they still demand an unacceptable amount of upkeep since user information maintained across multiple directories must be updated as information changes.

By far, the most efficient means of providing access control is via directories, such as LDAP directories, Windows NT Domains, NIS (Network Information Services) and NIS+, and NDS directory structures. A central repository of user credentials and information limits the amount of bookkeeping needed to ensure synchronized user information across your network.

More efficient yet less complicated access-control mechanisms utilize static network-configuration data such as IP and MAC (Media Access Control) addresses. Configuring your proxy server with IP addresses lets you configure the proxy server just once, regardless of which user is logged into which machine. Restrictions by IP ranges and domains further simplify the security configuration of a proxy server and should be considered. Regardless of the access-control features provided, we recommend products that use existing user directories rather than provide their own.
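The two static controls discussed in this article, limiting which ports can be proxied via Socks and restricting access by IP range, can be combined in one default-deny check. The following is an added example, not code from the article or any proxy product; the rule set, addresses, port choices and function names are all constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    source: ipaddress.IPv4Network   # client range the rule applies to
    ports: frozenset                # destination ports that range may reach


# Constructed policy: the whole site may reach Web ports, and only the
# admin subnet may use Telnet (port 23) through Socks.
POLICY = (
    Rule("site-web", ipaddress.ip_network("10.1.0.0/16"), frozenset({80, 443})),
    Rule("admin-telnet", ipaddress.ip_network("10.1.20.0/24"), frozenset({23})),
)


def decide(client_ip, dest_port, policy=POLICY, socks_enabled=True):
    """Return (allowed, reason) for one Socks request; anything unmatched is denied."""
    if not socks_enabled:
        return False, "socks disabled"
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False, "malformed client address"
    if not isinstance(dest_port, int) or not 0 < dest_port < 65536:
        return False, "invalid destination port"
    for rule in policy:
        if addr in rule.source and dest_port in rule.ports:
            return True, f"matched {rule.name}"
    return False, "no matching rule"


if __name__ == "__main__":
    # Constructed requests: (client address, destination port).
    requests = [("10.1.20.7", 23), ("10.1.5.9", 23),
                ("10.1.5.9", 443), ("192.0.2.10", 80)]
    for ip, port in requests:
        allowed, reason = decide(ip, port)
        print(f"{ip}:{port} -> {'ALLOW' if allowed else 'DENY'} ({reason})")
```

The returned reason string is the kind of accounting data a proxy can log for each decision.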

Copyright © 2009 United Business Media LLC