iptables, isa 2004 and error 502

Hi all - I would like to force our remote sites through our ISA 2004 proxy. We are not using any VPN. The remote sites use SOHO routers running DD-WRT, so I can use iptables to do this. The ISA proxy is in anonymous mode right now.

My iptables rules (public IP is not valid):

#!/bin/sh
# Transparently redirect LAN web traffic (TCP/80) to the ISA proxy.
PROXY_IP=71.91.31.91      # placeholder, not the real public address
PROXY_PORT=9090
LAN_IP=192.168.1.1
LAN_NET=$LAN_IP/24

# Leave LAN-to-LAN web traffic alone.
iptables -t nat -A PREROUTING -i br0 -s $LAN_NET -d $LAN_NET -p tcp --dport 80 -j ACCEPT
# Redirect all other port-80 traffic to the proxy ("! -s" is the current negation syntax; "-s !" is deprecated).
iptables -t nat -A PREROUTING -i br0 ! -s $PROXY_IP -p tcp --dport 80 -j DNAT --to-destination $PROXY_IP:$PROXY_PORT
# Source-NAT the redirected flows to the router so the proxy's replies come back through it.
iptables -t nat -I POSTROUTING -o br0 -s $LAN_NET -d $PROXY_IP -p tcp -j SNAT --to-source $LAN_IP
# Allow the redirected flows to be forwarded to the proxy port.
iptables -I FORWARD -i br0 -o br0 -s $LAN_NET -d $PROXY_IP -p tcp --dport $PROXY_PORT -j ACCEPT


However, I'm getting an "error code: 502 proxy error. The URL does not use a recognized protocol..." on the client end. The same thing is logged on the ISA server with the status 12006.

I would greatly appreciate any assistance with this.  What am I missing?
sunxtzu asked:

pwindell commented:
ISA has no "anonymous mode".

ISA is not a "transparent proxy". A transparent proxy is a specific type of technology, and ISA does not use it. People confuse running a client through the SecureNAT Service as being transparent, but it is not. Yes, it is anonymous and without any client-side configuration, but it is not "transparent", which is a specific thing.

sunxtzu (author) commented:
Also, can ISA 2004 or 2006 even be used in this scenario? Or do I need to move to Squid, which can do transparent proxying?

Keith Alabaster (Enterprise Architect) commented:
The default proxy port on ISA is 8080 - have you amended this to reflect the proxy port used by the remote sites?

sunxtzu (author) commented:
Yes - ISA and remote clients all know and use 9090.

sunxtzu (author) commented:
Right, that's the problem I'm having. However, I have users external to the network the ISA server resides on that I would like to pass through the ISA proxy, quickly and easily.

Does anyone know a way around this limitation of MS ISA Server? What about a small transparent proxy front end to the ISA server? Does anyone have experience with this?

Thanks much.

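To make concrete what such a front end would have to do, here is an added example (not code from the thread or from ISA): a DNAT'd browser sends an origin-form request line ("GET /index.html HTTP/1.1" plus a Host header), while a forward proxy like ISA expects the absolute-URI form ("GET http://host/index.html HTTP/1.1"), which is the mismatch behind "The URL does not use a recognized protocol". The sample request below is constructed for illustration.

```python
"""Origin-form vs. absolute-form HTTP requests, and the rewrite a transparent
front end would perform before handing traffic to a forward proxy."""

# Constructed sample: what a browser emits once iptables DNATs its port-80 flow.
SAMPLE_REQUEST = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"User-Agent: constructed-sample\r\n"
    b"\r\n"
)


def request_target(request: bytes) -> bytes:
    """Return the request-target from the first line, e.g. b'/index.html'."""
    parts = request.split(b"\r\n", 1)[0].split(b" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    return parts[1]


def is_proxy_form(request: bytes) -> bool:
    """True when the target is an absolute URI (what a forward proxy expects)."""
    target = request_target(request)
    return target.startswith(b"http://") or target.startswith(b"https://")


def to_proxy_form(request: bytes) -> bytes:
    """Rewrite an origin-form request into absolute form using the Host header.

    Everything other than the request line is passed through unchanged. Raises
    ValueError if there is no Host header (e.g. an HTTP/1.0 client), because the
    intended origin server cannot be recovered from the request alone.
    """
    if is_proxy_form(request):
        return request  # already what the proxy wants
    head, sep, body = request.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, target, version = lines[0].split(b" ")
    if not target.startswith(b"/"):
        raise ValueError("only origin-form targets are rewritten")
    host = b""
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            host = value.strip()
            break
    if not host:
        raise ValueError("no Host header: cannot build an absolute URI")
    lines[0] = b" ".join([method, b"http://" + host + target, version])
    return b"\r\n".join(lines) + sep + body
```
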
pwindell commented:
It isn't a limitation; it isn't supposed to be a transparent proxy, by design. In fact it is really a firewall; being a "proxy" is only a secondary role.

If you want users to operate through the ISA firewall without any client-side config, the ISA needs to be in the "routing path" to the Internet, the same way you would place any other traditional "hardware" firewall. Then the ISA must have an Access Rule that "fits" the users in question and is anonymous, that is, the Users tab in the properties of the rule is set to "All Users". In ISA/TMG, "All Users" = anonymous.

This also implies that the ISA/TMG operates with an internal and an external interface, just like any other firewall. You cannot use it with one NIC; running with one NIC cripples the product, causing it to only be usable as a simple "web caching proxy", which is pretty much a waste of time and a waste of the money required to buy the product and the hardware to run it on.