Solved

iptables, isa 2004 and error 502

Posted on 2010-11-18
677 Views
Last Modified: 2012-05-10
Hi all - I would like to force our remote sites through our ISA 2004 proxy.  We are not using any VPN.  The remote sites use SOHO routers running DD-WRT so I can use iptables to do this. The ISA proxy is in anonymous mode right now.

My iptables rules (public IP is not valid):

#!/bin/sh
# Placeholder public address of the ISA proxy (not the real one)
PROXY_IP=71.91.31.91
PROXY_PORT=9090
LAN_IP=192.168.1.1
LAN_NET=$LAN_IP/24

# Leave LAN-to-LAN web traffic alone
iptables -t nat -A PREROUTING -i br0 -s $LAN_NET -d $LAN_NET -p tcp --dport 80 -j ACCEPT
# Redirect every other port-80 connection arriving from the LAN to the proxy
# ("! -s" is the current negation syntax; "-s !" is the deprecated form)
iptables -t nat -A PREROUTING -i br0 ! -s $PROXY_IP -p tcp --dport 80 -j DNAT --to $PROXY_IP:$PROXY_PORT
# Rewrite the source so replies return via the router; "-o br0" only matches
# when the proxy is reached through the LAN bridge
iptables -t nat -I POSTROUTING -o br0 -s $LAN_NET -d $PROXY_IP -p tcp -j SNAT --to $LAN_IP
# Allow the redirected connections through the FORWARD chain
iptables -I FORWARD -i br0 -o br0 -s $LAN_NET -d $PROXY_IP -p tcp --dport $PROXY_PORT -j ACCEPT


However I'm getting an "error code: 502 proxy error.  The URL does not use a recognized protocol..."  on the client end.  The same thing is logged on the ISA server with the status 12006.

I would greatly appreciate any assistance with this.  What am I missing?
Question by:sunxtzu
6 Comments
Author Comment

by:sunxtzu
ID: 34166615
Also, can ISA 2004 or 2006 even be used in this scenario?  Or do I need to move to SQUID which can do transparent proxying?
Expert Comment

by:Keith Alabaster
ID: 34172699
The default proxy port on ISA is 8080 - have you amended this to reflect the proxy port used by the remote sites?
Author Comment

by:sunxtzu
ID: 34172841
yes - ISA and remote clients all know and use 9090

Accepted Solution

by:pwindell earned 500 total points
ID: 34181938
ISA has no "anonymous mode".

ISA is not a "transparent proxy".  A transparent proxy is a specific type of technology,..and ISA does not use it.  People confuse running a client through the SecureNAT Service as being transparent, but it is not.  Yes, it is anonymous and without any client side configuration,...but it is not "transparent" which is a specific thing.
Author Comment

by:sunxtzu
ID: 34199181
Right, that's the problem I'm having.  However I have users external to the network the ISA server resides on that I would like to pass through the ISA proxy, quickly and easily.

Does anyone know a way around this limitation by MS ISA server?  What about a small transparent proxy front end to the ISA server?   Has anyone experience with this?

Thanks much.

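The 502 "does not use a recognized protocol" in the question and the "transparent front end" idea in this comment, illustrated with an added example that is not part of the thread: after a DNAT redirect a browser still sends an origin-form request (`GET /path`), while an explicit proxy expects absolute-form (`GET http://host/path`), so a front end would have to rewrite the request line from the Host header. The sample requests are constructed; the classifier and rewrite follow RFC 7230 section 5.3 and are not ISA's or DD-WRT's own code.

```python
import re

# Added example, not from the thread. Sample requests are constructed.
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) (HTTP/\d\.\d)\r\n")


def request_target_form(raw: bytes) -> str:
    """Classify the request-target of an HTTP/1.x request (RFC 7230 s5.3)."""
    m = REQUEST_LINE.match(raw)
    if not m:
        raise ValueError("not an HTTP/1.x request line")
    method, target, _ = m.groups()
    if method == b"CONNECT":
        return "authority"      # host:port, how a browser tunnels HTTPS via a proxy
    if target == b"*":
        return "asterisk"
    if target.startswith(b"/"):
        return "origin"         # what a browser sends to the origin server
    if re.match(rb"[a-z][a-z0-9+.-]*://", target, re.I):
        return "absolute"       # what a browser sends to an explicit proxy
    return "unknown"


def to_absolute_form(raw: bytes) -> bytes:
    """Rewrite an origin-form request to absolute-form using its Host header.

    After DNAT the browser still believes it talks to the origin server and
    sends "GET /path"; an explicit proxy expects "GET http://host/path" and
    otherwise rejects the request. A transparent front end must do this
    rewrite before forwarding to such a proxy.
    """
    if request_target_form(raw) != "origin":
        return raw              # already proxy-ready, or CONNECT / "*"
    head = raw.split(b"\r\n\r\n", 1)[0]
    host = None
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            host = value.strip()
            break
    if not host:
        # HTTP/1.0 clients may omit Host; the original destination was lost
        # in the DNAT, so the request cannot be reconstructed.
        raise ValueError("origin-form request without Host header")
    m = REQUEST_LINE.match(raw)
    method, target, version = m.groups()
    new_line = b"%s http://%s%s %s\r\n" % (method, host, target, version)
    return new_line + raw[m.end():]
```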
Expert Comment

by:pwindell
ID: 34205557
It isn't a limitation,..it isn't supposed to be a transparent proxy,..by design.   In fact it is really a Firewall,...being a "proxy" is only a secondary role.

If you want users to operate through the ISA Firewall without any client-side config,... the ISA needs to be in the "routing path" to the Internet the same way you would any other traditional "hardware" firewall.  Then the ISA must have an Access Rule that "fits" the users in question and is anonymous,...that is the Users Tab in the properties of the Rule is set to "All Users".  In ISA/TMG "All Users" = anonymous.

This also implies that the ISA/TMG operates with an Internal and an external interface,...just like any other firewall.  You cannot use it with one nic,...running with one nic cripples the product causing it to only be able to be used as a simple "web caching proxy" which is pretty much a waste of time and a waste of the money required to buy the product and the hardware to run it on.