Solved

iptables, isa 2004 and error 502

Posted on 2010-11-18
675 Views
Last Modified: 2012-05-10
Hi all - I would like to force our remote sites through our ISA 2004 proxy.  We are not using any VPN.  The remote sites use SOHO routers running DD-WRT so I can use iptables to do this. The ISA proxy is in anonymous mode right now.

My iptables rules (public IP is not valid):

#!/bin/sh
# Redirect outbound HTTP from the LAN to the remote ISA proxy (DD-WRT / iptables).
# The public IP below is a placeholder, not the real proxy address.
PROXY_IP=71.91.31.91
PROXY_PORT=9090
LAN_IP=192.168.1.1
LAN_NET=$LAN_IP/24

# Leave LAN-to-LAN web traffic alone so local web servers are not redirected.
iptables -t nat -A PREROUTING -i br0 -s $LAN_NET -d $LAN_NET -p tcp --dport 80 -j ACCEPT
# Send every other port-80 connection to the proxy. "-s ! addr" is the older
# inversion syntax found on DD-WRT builds of this era; current iptables expects "! -s addr".
iptables -t nat -A PREROUTING -i br0 -s ! $PROXY_IP -p tcp --dport 80 -j DNAT --to $PROXY_IP:$PROXY_PORT
# Rewrite the source so replies from the proxy come back through this router.
# Note: "-o br0" only matches packets leaving on the LAN bridge; packets bound for a
# proxy on the Internet leave via the WAN interface, so this rule will not match them.
iptables -t nat -I POSTROUTING -o br0 -s $LAN_NET -d $PROXY_IP -p tcp -j SNAT --to $LAN_IP
# Allow the redirected connections to be forwarded (same "-o br0" caveat as above).
iptables -I FORWARD -i br0 -o br0 -s $LAN_NET -d $PROXY_IP -p tcp --dport $PROXY_PORT -j ACCEPT


However, I'm getting an "error code: 502 proxy error.  The URL does not use a recognized protocol..." on the client end.  The same thing is logged on the ISA server with the status 12006.

I would greatly appreciate any assistance with this.  What am I missing?
Question by: sunxtzu

Author Comment

by:sunxtzu
ID: 34166615
Also, can ISA 2004 or 2006 even be used in this scenario?  Or do I need to move to SQUID which can do transparent proxying?
LVL 51

Expert Comment

by:Keith Alabaster
ID: 34172699
The default proxy port on ISA is 8080 - have you amended this to reflect the proxy port used by the remote sites?

Author Comment

by:sunxtzu
ID: 34172841
Yes - ISA and remote clients all know and use 9090.
LVL 29

Accepted Solution

by: pwindell (earned 500 total points)
ID: 34181938
ISA has no "anonymous mode".

ISA is not a "transparent proxy".  A transparent proxy is a specific type of technology,..and ISA does not use it.  People confuse running a client through the SecureNAT Service as being transparent, but it is not.  Yes, it is anonymous and without any client side configuration,...but it is not "transparent" which is a specific thing.
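Added illustration of the point above at the HTTP level (example code written for this page, not code from the thread or from any of the posters). A browser that believes it is talking to the web server directly sends an origin-form request line (`GET /path HTTP/1.1` plus a Host header), which is exactly what the DD-WRT DNAT rule delivers to the ISA listener; a forward proxy that is not doing transparent interception expects an absolute URL (or CONNECT) in the request line, because that is the only thing telling it where to connect. The functions below classify the two forms, model the proxy's accept/reject decision, and show the rewrite a genuinely transparent front end has to perform before it can hand the request to a plain forward proxy. The sample requests and all function names are constructed for this illustration.

```python
# Added example: why a DNAT-redirected browser request is rejected by a forward
# proxy that does not implement transparent interception, and what a transparent
# front end must do about it. Sample requests and function names are constructed.
from typing import Optional


def parse_request_line(raw: bytes):
    """Return (method, request-target, version) from the first line of a request."""
    first_line = raw.split(b"\r\n", 1)[0]
    method, target, version = first_line.split(b" ", 2)
    return method.decode(), target.decode(), version.decode()


def request_form(raw: bytes) -> str:
    """Classify the request-target.

    'origin'   : path only, what a browser sends straight to a web server
                 (and therefore what arrives at the proxy after iptables DNAT)
    'absolute' : full URL, what a browser sends when configured to use a proxy
    'authority': host:port, as used by CONNECT for HTTPS through a proxy
    """
    method, target, _ = parse_request_line(raw)
    if method == "CONNECT":
        return "authority"
    if target.startswith("http://") or target.startswith("https://"):
        return "absolute"
    if target.startswith("/"):
        return "origin"
    return "other"


def forward_proxy_accepts(raw: bytes) -> bool:
    """Model of a plain forward proxy (ISA/TMG, or Squid without transparent mode):
    it can only route a request whose target tells it where to connect."""
    return request_form(raw) in ("absolute", "authority")


def host_header(raw: bytes) -> Optional[str]:
    """Extract the Host header value, or None if the client sent none."""
    for line in raw.split(b"\r\n")[1:]:
        if not line:
            break  # blank line ends the header block
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            return value.strip().decode()
    return None


def to_proxy_form(raw: bytes) -> bytes:
    """The fix-up a real transparent front end performs: rebuild an origin-form
    request into absolute-form from the Host header so a forward proxy behind it
    can route it. Requests already in proxy form are returned unchanged."""
    if request_form(raw) != "origin":
        return raw
    host = host_header(raw)
    if host is None:
        # HTTP/1.0 clients may omit Host; then nobody can tell where it was going.
        raise ValueError("origin-form request without Host header cannot be routed")
    method, target, version = parse_request_line(raw)
    new_first_line = f"{method} http://{host}{target} {version}".encode()
    return new_first_line + b"\r\n" + raw.split(b"\r\n", 1)[1]


# Constructed sample traffic.
# What the browser emits when it thinks it is talking to www.example.com directly
# (this is what the DNAT rule hands to the proxy listener on port 9090):
DNAT_REQUEST = (b"GET /index.html HTTP/1.1\r\n"
                b"Host: www.example.com\r\n"
                b"User-Agent: constructed-sample\r\n\r\n")

# What the same browser emits when it is explicitly configured to use the proxy:
PROXY_CONFIGURED_REQUEST = (b"GET http://www.example.com/index.html HTTP/1.1\r\n"
                            b"Host: www.example.com\r\n\r\n")

if __name__ == "__main__":
    for label, req in (("DNAT-redirected", DNAT_REQUEST),
                       ("proxy-configured", PROXY_CONFIGURED_REQUEST)):
        print(f"{label:16} form={request_form(req):9} accepted={forward_proxy_accepts(req)}")
    print("after front-end rewrite:", to_proxy_form(DNAT_REQUEST).split(b"\r\n", 1)[0])
```

Running the block shows the DNAT-redirected request classified as origin-form and refused, while the proxy-configured request (and the rewritten one) is accepted; that refusal is the 502 the poster sees on the client and the matching entry on the ISA server. Note that the rewrite only helps for plain HTTP: the port-80 DNAT never sees HTTPS, and a transparent front end cannot turn an intercepted TLS connection into a CONNECT request without the browser's cooperation.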

Author Comment

by:sunxtzu
ID: 34199181
Right, that's the problem I'm having.  However, I have users external to the network the ISA server resides on that I would like to pass through the ISA proxy, quickly and easily.

Does anyone know a way around this limitation of MS ISA server?  What about a small transparent proxy front end to the ISA server?  Does anyone have experience with this?

Thanks much.

 
LVL 29

Expert Comment

by:pwindell
ID: 34205557
It isn't a limitation,..it isn't supposed to be a transparent proxy,..by design.   In fact it is really a Firewall,...being a "proxy" is only a secondary role.

If you want users to operate through the ISA Firewall without any client-side config,... the ISA needs to be in the "routing path" to the Internet the same way you would any other traditional "hardware" firewall.  Then the ISA must have an Access Rule that "fits" the users in question and is anonymous,...that is, the Users Tab in the properties of the Rule is set to "All Users".  In ISA/TMG "All Users" = anonymous.

This also implies that the ISA/TMG operates with an Internal and an external interface,...just like any other firewall.  You cannot use it with one NIC,...running with one NIC cripples the product, causing it to only be able to be used as a simple "web caching proxy", which is pretty much a waste of time and a waste of the money required to buy the product and the hardware to run it on.