Solved

iptables, isa 2004 and error 502

Posted on 2010-11-18
6
679 Views
Last Modified: 2012-05-10
Hi all - I would like to force our remote sites through our ISA 2004 proxy.  We are not using any VPN.  The remote sites use SOHO routers running DD-WRT so I can use iptables to do this. The ISA proxy is in anonymous mode right now.

My iptables rules (public IP is not valid):

#!/bin/sh
# Force LAN web traffic out through the remote ISA proxy (DD-WRT, iptables).
PROXY_IP=71.91.31.91      # public IP of the ISA server (placeholder, not a valid address)
PROXY_PORT=9090           # ISA web proxy listener port (changed from the default 8080)
LAN_IP=192.168.1.1
LAN_NET=$LAN_IP/24

# Leave LAN-to-LAN HTTP alone.
iptables -t nat -A PREROUTING -i br0 -s $LAN_NET -d $LAN_NET -p tcp --dport 80 -j ACCEPT
# Redirect every other port-80 connection from the LAN to the proxy.
# ("! -s" is the current negation syntax; "-s !" is the deprecated form.)
iptables -t nat -A PREROUTING -i br0 ! -s $PROXY_IP -p tcp --dport 80 -j DNAT --to-destination $PROXY_IP:$PROXY_PORT
# Note: the two rules below only match if the proxy is reached via br0 (i.e. sits on the LAN).
# With a proxy behind a public IP the traffic leaves via the WAN interface and these never fire.
iptables -t nat -I POSTROUTING -o br0 -s $LAN_NET -d $PROXY_IP -p tcp -j SNAT --to-source $LAN_IP
iptables -I FORWARD -i br0 -o br0 -s $LAN_NET -d $PROXY_IP -p tcp --dport $PROXY_PORT -j ACCEPT


However I'm getting an "error code: 502 proxy error.  The URL does not use a recognized protocol..."  on the client end.  The same thing is logged on the ISA server with the status 12006.

I would greatly appreciate any assistance with this.  What am I missing?
0
Comment
Question by:sunxtzu
6 Comments
 

Author Comment

by:sunxtzu
ID: 34166615
Also, can ISA 2004 or 2006 even be used in this scenario?  Or do I need to move to SQUID which can do transparent proxying?
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 34172699
The default proxy port on ISA is 8080 - have you amended this to reflect the proxy port used by the remote sites?
0
 

Author Comment

by:sunxtzu
ID: 34172841
yes - ISA and remote clients all know and use 9090
0
 
LVL 29

Accepted Solution

by:
pwindell earned 500 total points
ID: 34181938
ISA has no "anonymous mode".

ISA is not a "transparent proxy". A transparent proxy is a specific type of technology, and ISA does not use it. People confuse running a client through the SecureNAT Service as being transparent, but it is not. Yes, it is anonymous and without any client-side configuration, but it is not "transparent", which is a specific thing.
0
 

Author Comment

by:sunxtzu
ID: 34199181
Right, that's the problem I'm having.  However, I have users external to the network the ISA server resides on that I would like to pass through the ISA proxy, quickly and easily.

Does anyone know a way around this limitation of MS ISA Server?  What about a small transparent proxy front end to the ISA server?  Does anyone have experience with this?

Thanks much.

 
0
 
LVL 29

Expert Comment

by:pwindell
ID: 34205557
It isn't a limitation; it isn't supposed to be a transparent proxy, by design. In fact it is really a firewall; being a "proxy" is only a secondary role.

If you want users to operate through the ISA firewall without any client-side config, the ISA needs to be in the "routing path" to the Internet the same way you would place any other traditional "hardware" firewall. Then the ISA must have an Access Rule that "fits" the users in question and is anonymous, that is, the Users tab in the properties of the rule is set to "All Users". In ISA/TMG, "All Users" = anonymous.

This also implies that the ISA/TMG operates with an internal and an external interface, just like any other firewall. You cannot use it with one NIC; running with one NIC cripples the product, causing it to only be usable as a simple "web caching proxy", which is pretty much a waste of time and a waste of the money required to buy the product and the hardware to run it on.
0
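Added example (not part of the thread, and not code from the asker or from Microsoft): a small Python illustration of why the DNAT approach above fails against a proxy that is not transparent-aware, and of the one transformation the "small transparent proxy front end" asked about earlier would have to perform. A browser that believes it is talking to the origin server sends an origin-form request line ("GET /index.html HTTP/1.1") with the host in a Host header; a browser configured to use a proxy sends an absolute-form line ("GET http://host/index.html HTTP/1.1"). DNAT changes only the TCP destination, so the ISA listener receives the origin-form line and finds no scheme in the URL, which is consistent with the "URL does not use a recognized protocol" text quoted in the question. The sample requests and the Host allow-list below are constructed for the example; the assumption being illustrated is that rebuilding the absolute URI from the Host header is what a front end must do before relaying to the proxy.

```python
import re

# Constructed sample: what the router hands to the proxy after a plain DNAT.
# The browser thinks it is talking to the origin server, so the request line
# carries only the path (origin-form) and the host lives in a header.
DNAT_REQUEST = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"User-Agent: constructed-sample/1.0\r\n"
    b"\r\n"
)

# Constructed sample: what a browser configured to use the proxy sends.
# The request line carries the full URL (absolute-form), which is what a
# forward proxy listener expects.
PROXY_REQUEST = (
    b"GET http://www.example.com/index.html HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"\r\n"
)

REQUEST_LINE = re.compile(rb"([A-Z]+) (\S+) (HTTP/1\.[01])")
# Conservative allow-list for a Host value (assumption for this example):
# hostname or IPv4 literal, optional port. Anything else is refused.
HOST_VALUE = re.compile(rb"[A-Za-z0-9.\-]+(?::\d{1,5})?")


def parse_request_line(raw: bytes):
    """Return (method, target, version) from the first line of a request."""
    first = raw.split(b"\r\n", 1)[0]
    m = REQUEST_LINE.fullmatch(first)
    if m is None:
        raise ValueError("not an HTTP/1.x request line: %r" % first)
    return m.groups()


def is_proxy_form(raw: bytes) -> bool:
    """True if the request-target is an absolute URI, i.e. proxy-style."""
    _, target, _ = parse_request_line(raw)
    return target.lower().startswith((b"http://", b"https://"))


def to_proxy_form(raw: bytes) -> bytes:
    """Rewrite an origin-form request into absolute-form using the Host header.

    This is the single transformation a transparent front end has to perform
    on each request before relaying a DNATed connection to a proxy that does
    not understand origin-form requests.
    """
    if is_proxy_form(raw):
        return raw  # already what the proxy wants
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request header")
    lines = head.split(b"\r\n")
    method, target, version = parse_request_line(raw)
    if not target.startswith(b"/"):
        raise ValueError("unsupported request-target: %r" % target)
    host = None
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            host = value.strip()
            break
    if host is None:
        # HTTP/1.0 clients may omit Host; without it the URL cannot be rebuilt.
        raise ValueError("no Host header, cannot rebuild absolute URI")
    if HOST_VALUE.fullmatch(host) is None:
        # Host is client-controlled: refuse anything that could smuggle a
        # path, scheme or extra header into the rebuilt request line.
        raise ValueError("rejecting suspicious Host value: %r" % host)
    lines[0] = b"%s http://%s%s %s" % (method, host, target, version)
    return b"\r\n".join(lines) + sep + body


if __name__ == "__main__":
    print("DNATed request is proxy-form:", is_proxy_form(DNAT_REQUEST))
    print(to_proxy_form(DNAT_REQUEST).decode())
```

Two caveats for anyone actually building such a front end: the rebuilt URL is taken entirely from the client-supplied Host header, so the front end must only accept connections from the LAN it serves, and it only covers plain HTTP on port 80; HTTPS cannot be rewritten this way because the request line is inside the TLS session.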
