Solved

iptables, isa 2004 and error 502

Posted on 2010-11-18
672 Views
Last Modified: 2012-05-10
Hi all - I would like to force our remote sites through our ISA 2004 proxy.  We are not using any VPN.  The remote sites use SOHO routers running DD-WRT so I can use iptables to do this. The ISA proxy is in anonymous mode right now.

My iptable rules (public IP is not valid):

#!/bin/sh
# Redirect LAN web traffic (TCP/80) to the remote ISA proxy.
PROXY_IP=71.91.31.91      # placeholder public IP of the ISA server (not the real one)
PROXY_PORT=9090           # ISA web listener port (changed from the default 8080)
LAN_IP=192.168.1.1        # router's LAN address
LAN_NET=$LAN_IP/24        # LAN subnet

# 1. Leave LAN-to-LAN web traffic alone (no redirect).
iptables -t nat -A PREROUTING -i br0 -s $LAN_NET -d $LAN_NET -p tcp --dport 80 -j ACCEPT
# 2. Redirect every other port-80 flow from the LAN to the proxy, except traffic
#    that originates from the proxy itself.  Note: "-s ! addr" is the legacy
#    negation syntax; iptables 1.4.x and later expect "! -s addr".
iptables -t nat -A PREROUTING -i br0 -s ! $PROXY_IP -p tcp --dport 80 -j DNAT --to $PROXY_IP:$PROXY_PORT
# 3. Rewrite the source to the router address so the proxy's replies come back
#    through the router and get un-NATed.
iptables -t nat -I POSTROUTING -o br0 -s $LAN_NET -d $PROXY_IP -p tcp -j SNAT --to $LAN_IP
# 4. Allow the redirected flows through the FORWARD chain.
iptables -I FORWARD -i br0 -o br0 -s $LAN_NET -d $PROXY_IP -p tcp --dport $PROXY_PORT -j ACCEPT


However I'm getting an "error code: 502 proxy error.  The URL does not use a recognized protocol..."  on the client end.  The same thing is logged on the ISA server with the status 12006.

I would greatly appreciate any assistance with this.  What am I missing?
Question by:sunxtzu
6 Comments

Author Comment

by:sunxtzu
ID: 34166615
Also, can ISA 2004 or 2006 even be used in this scenario?  Or do I need to move to SQUID which can do transparent proxying?
0
LVL 51

Expert Comment

by:Keith Alabaster
ID: 34172699
The default proxy port on ISA is 8080 - have you amended this to reflect the proxy port used by the remote sites?
0

Author Comment

by:sunxtzu
ID: 34172841
Yes - ISA and remote clients all know and use 9090.
0
LVL 29

Accepted Solution

by: pwindell (earned 500 total points)
ID: 34181938
ISA has no "anonymous mode".

ISA is not a "transparent proxy".  A transparent proxy is a specific type of technology,..and ISA does not use it.  People confuse running a client through the SecureNAT Service as being transparent, but it is not.  Yes, it is anonymous and without any client side configuration,...but it is not "transparent" which is a specific thing.
0
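The distinction pwindell draws above is visible on the wire. A browser that talks directly to a web server sends an "origin-form" request line (just the path) plus a Host header; a browser configured to use a proxy sends an "absolute-form" request line (the full URL). DNAT delivers the first shape to a forward proxy that only understands the second, which is the kind of "URL does not use a recognized protocol" failure the question reports. A transparent proxy rebuilds the absolute URL from the Host header before handing the request on. The following Python is an added illustration, not code from the question or from ISA; the sample requests and the proxy model are constructed, and the model's 502 message only mimics the shape of ISA's error, not its exact text or status code.

```python
"""Added example: origin-form vs absolute-form HTTP requests, and the
rewrite a transparent front end performs.  Sample requests are constructed."""
from urllib.parse import urlsplit

# Constructed: what a browser sends to the origin server.  A DNAT rule
# delivers exactly these bytes to the proxy, unchanged.
ORIGIN_FORM = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"

# Constructed: what a browser configured to use a proxy sends.
ABSOLUTE_FORM = (
    b"GET http://www.example.com/index.html HTTP/1.1\r\n"
    b"Host: www.example.com\r\n\r\n"
)


def parse_request(raw: bytes):
    """Split an HTTP/1.x request head into (method, target, version, headers)."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, version, headers


def forward_proxy_accepts(raw: bytes):
    """Model of a non-transparent forward proxy (hypothetical, not ISA's code):
    it can only route a request whose target carries a scheme and a host."""
    method, target, _version, _headers = parse_request(raw)
    parts = urlsplit(target)
    if parts.scheme in ("http", "https") and parts.netloc:
        return True, f"forward {method} to {parts.netloc}"
    # Origin-form target: no scheme, no host, so the proxy cannot route it.
    return False, "502: request target has no recognized protocol"


def to_absolute_form(raw: bytes) -> bytes:
    """The rewrite a transparent front end performs: build the absolute URL
    from the Host header.  Raises ValueError when there is no Host header,
    because then the intended destination is unknown (typical of old
    HTTP/1.0 clients) and the request must be rejected, not guessed."""
    method, target, version, headers = parse_request(raw)
    if urlsplit(target).scheme:
        return raw  # already absolute-form: pass through unchanged
    host = headers.get("host")
    if not host:
        raise ValueError("origin-form request without Host header")
    head, sep, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    lines[0] = f"{method} http://{host}{target} {version}".encode("iso-8859-1")
    return b"\r\n".join(lines) + sep + body


if __name__ == "__main__":
    print("DNAT'd request to forward proxy:", forward_proxy_accepts(ORIGIN_FORM))
    print("Configured-proxy request:       ", forward_proxy_accepts(ABSOLUTE_FORM))
    print("After transparent rewrite:      ",
          forward_proxy_accepts(to_absolute_form(ORIGIN_FORM)))
```

The rewrite is the whole job of the "small transparent proxy front end" idea raised later in the thread: something in the path must turn the Host header back into a URL before a proxy that expects configured clients will accept the request. HTTPS cannot be handled this way at all, since the Host name is inside the encrypted stream.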

Author Comment

by:sunxtzu
ID: 34199181
Right, that's the problem I'm having.  However I have users external to the network the ISA server resides on that I would like to pass through the ISA proxy, quickly and easily.

Does anyone know a way around this limitation of MS ISA server?  What about a small transparent proxy front end to the ISA server?  Has anyone experience with this?

Thanks much.

0
LVL 29

Expert Comment

by:pwindell
ID: 34205557
It isn't a limitation,..it isn't supposed to be a transparent proxy,..by design.   In fact it is really a Firewall,...being a "proxy" is only a secondary role.

If you want users to operate through the ISA Firewall without any client-side config,... the ISA needs to be in the "routing path" to the Internet the same way you would any other traditional "hardware" firewall.  Then the ISA must have an Access Rule that "fits" the users in question and is anonymous,...that is the Users Tab in the properties of the Rule is set to "All Users".  In ISA/TMG "All Users" = anonymous.

This also implies that the ISA/TMG operate with an Internal and an external interface,...just like any other firewall.   You cannot use it with one nic,...running with one nic cripples the product causing it to only be able to be used as a simple "web caching proxy" which is pretty much a waste of time and a waste of the money required to buy the product and the hardware to run it on.
0