ISA as webproxy and Mikrotik ROS

Hi all
I have installed ISA Server 2006 on Windows Server 2003.
I have only one LAN card and ISA is configured for web proxy on port 8080.
If I specify it manually in the browser settings of the clients, I can browse the sites without any problem. But doing this manually on each and every client is cumbersome,

so in Mikrotik ROS I made a dstnat rule as follows:
chain=dstnat action=dst-nat to-addresses=ip.of.the.proxy to-ports=8080
protocol=tcp dst-port=80
but I get the following error.

Technical Information (for support personnel)
Error Code: 502 Proxy Error. The Uniform Resource Locator
(URL) does not use a recognized protocol. Either the protocol
is not supported or the request was not typed correctly.
Confirm that a valid protocol is in use (for example, HTTP for
a Web request). (12006)
IP Address: xx.yy.zz.mm
Date: 2/2/2009 12:48:35 AM [GMT]

Before ISA I had Squid, and it was working fine.
I'm a bit confused about what is giving me this annoying error.
Any suggestions, clues and hints are greatly appreciated.
Thanks
sanjeev

Hello senior gurus please help…

I was using a Squid box as a web cache, and used the Mikrotik to transparently redirect web traffic to the Squid box.
Now I’m using an ISA Server as web proxy and use the Mikrotik to redirect web traffic to the ISA web proxy,
and I’m getting the following error:

Technical Information (for support personnel)
Error Code: 502 Proxy Error. The Uniform Resource Locator
(URL) does not use a recognized protocol. Either the protocol
is not supported or the request was not typed correctly.
Confirm that a valid protocol is in use (for example, HTTP for
a Web request). (12006)
IP Address: xx.yy.zz.mm
Date: 2/2/2009 12:48:35 AM [GMT]

If I manually specify the proxy and port setting in the browser, it’s working like a charm.
I can’t figure out what might be wrong …
This is the dstnat rule in the Mikrotik router:

chain=dstnat action=dst-nat to-addresses=ip.of.the.proxy to-ports=8080
protocol=tcp dst-port=80

Please, friends experienced with ISA, and Mikrotik gurus, help me.
Thank you very much
sanjeev

It “looks like” the dest NAT is incorrect…

I just set one of these up for a cell modem based AP..

My development net:
Givens:
wireless network = 192.168.0.0/24
gateway (router wireless card IP) 192.168.0.1
DHCP range X.X.X.50 = X.X.X.100

The dest nat should be from any host on the desired net.
(In this case 192.168.0.0/24)
The target should be ANY OTHER device other than the router (this allows for access to the router's web resources via port 80)
IE: !192.168.0.1

Dest port should generally be port 80.

The action should be DST-NAT
The destination should be the router at port 8080

This rule should be ABOVE any masquerade rules or it will not be processed. (The masq rule will occur first and the NAT will have occurred and the matching will fail, and the packet will not be redirected.)

NOTE: if the proxy desired is the ISA then point the dest NAT to it… or use the ISA as a parent proxy and point the dest NAT to your RouterOS box.

Craig

Hi csickles,
sorry, but I can make neither head nor tail of your reply.
Could you please be more specific and post the dstnat rule?
Thank you

Hello, Mikrotik gurus,
please help me.
I’m confused whether it’s a Mikrotik dstnat problem or an ISA problem.
Please, someone with hands-on experience with ISA and Mikrotik, show me the way.
Sanjeev
Thank you

Squid needs some special settings to work as a transparent proxy (NAT redirection), so I guess the same could be true for ISA … but I don’t know anything about Microsoft products.

Thank you very much, normis, for the prompt reply.
So I’ll have a look at the ISA part.
Thanks once again

Well, I got my answer: transparent proxy with ISA is not possible.
After a bit of Googling I found this.

Yes, but it is not a true “transparent proxy”. Such a thing is not possible
with ISA, it was not designed to be that way.
SecureNAT is fine, but it is the least secure of the three possible ways to
use ISA, however it is the only method that does not require any
configuration on the Client and would be the closest thing to “transparent”.
However you can also have “anonymous” access with either the Firewall
Service or the Web Proxy Service.
The term “transparent proxy” should be thrown out and forgotten about. ISA
can do anonymous access just fine with any of its “services” but they are
not the same thing as “transparent proxies”.

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
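
Added example (not from any poster in this thread): a browser with a proxy configured sends the full URL in the request line, while a request that reaches the proxy through dst-nat carries only the path. The Python sketch below classifies both forms and shows the Host-header rebuild an interception-aware proxy performs. The sample requests and `example.com` are constructed, and it is an assumption that this difference is what ISA's 12006 error is objecting to.

```python
from urllib.parse import urlsplit

# Constructed sample requests (not captured traffic); example.com is a placeholder.
# Assumption: the proxy's "unrecognized protocol" error stems from the second form.
PROXY_CONFIGURED = (b"GET http://example.com/index.html HTTP/1.1\r\n"
                    b"Host: example.com\r\n\r\n")
NAT_REDIRECTED = (b"GET /index.html HTTP/1.1\r\n"
                  b"Host: example.com\r\n\r\n")

def parse_request(raw):
    """Return (method, target, headers) from the head of an HTTP/1.x request."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers

def target_form(method, target):
    """Classify the request-target form (RFC 7230 section 5.3)."""
    if method == "CONNECT":
        return "authority-form"
    if target == "*":
        return "asterisk-form"
    if target.startswith("/"):
        return "origin-form"
    parts = urlsplit(target)
    return "absolute-form" if parts.scheme and parts.netloc else "invalid"

def url_for_forward_proxy(raw):
    """URL seen by a proxy that only accepts explicit (absolute-form) requests;
    None when the request line carries no scheme or host."""
    method, target, _ = parse_request(raw)
    return target if target_form(method, target) == "absolute-form" else None

def url_for_intercepting_proxy(raw):
    """URL as an interception-aware proxy rebuilds it: Host header plus path."""
    method, target, headers = parse_request(raw)
    form = target_form(method, target)
    if form == "absolute-form":
        return target
    if form == "origin-form" and headers.get("host"):
        return "http://" + headers["host"] + target
    return None

if __name__ == "__main__":
    for name, raw in (("proxy set in browser", PROXY_CONFIGURED),
                      ("dst-nat redirected", NAT_REDIRECTED)):
        print(name, url_for_forward_proxy(raw), url_for_intercepting_proxy(raw))
```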