Whenever an ISA or TMG server throws a 502 Proxy Error
your way, you know you are probably in for a real hurdle. But with a little
familiarity with what a 502 error means, and how it can be fixed, you will
be back in business in little time.
First, let’s take a look at the definition of the 502 HTTP response code:
502 Bad Gateway
The server was acting as a gateway or proxy and received an invalid response
from the upstream server. Pay close attention to what that is saying. The
proxy (meaning your ISA or TMG server) received an invalid response from the
upstream server (implying that the internal webserver that you are
Unfortunately that is not always the case as ISA and TMG can throw that
error when they are unhappy about something that a normal browser would
readily accept. They can also throw one of several different kinds of 502
depending on the circumstances. Understanding which one you are facing is
critical to a quick resolution. Don’t just stop reading at 502; check the
rest of the response.
Here is how to determine whether the problem is with your ISA/TMG, or on the
1. Open a browser on the internal network.
2. Access the URL in question.
3. If you can view the content successfully, the problem is with your
ISA/TMG. If not, the problem is with your webserver. Since this post is
about ISA and TMG, let’s assume you are able to view the content internally
just fine, so we’ll keep discussing ISA/TMG.
4. Go to your log viewer. In ISA that is Monitoring; in TMG it is
Logs & Reports.
5. Edit the filter to look at live logs and have the user try again, or
filter on the time range to see the error. Add the “Filter by” criteria for
HTTP Status Code, and set it equal to 502.
6. Run the query, and examine the results.
Some of the frequent causes of ISA/TMG generating 502s are:
• A 502 can be thrown by the ISA/TMG when content filtering is enabled and
something in the response is being blocked. Disable content filtering and
see if you are then able to access the resource. If you are, look at the
header in one of the logged errors (in your log, click the more information
link on the error) and see what content type is being returned by the
published server. Authorize that in your content filter.
• If you are using ISA/TMG as a client proxy, and the destination server is
running on a non-standard port, you can encounter this error. Create an
access rule allowing the non-standard ports.
• “502 Proxy Error. No data record is available. (11004)” is generated when
the ISA/TMG cannot resolve the internal resource’s name to an IP address.
Check your internal DNS, or your ISA/TMG’s DNS client configuration. I have
often seen clients configure their systems to use external DNS servers.
Editing your ‘hosts’ file is not the solution.
• “502 Proxy Error. The ISA Server denied the specified Uniform Resource
Locator (URL). (12202)” happens when the client requests content explicitly
blocked, like executables. Don’t link to and/or have clients download EXEs
directly; zip them.
• “502 proxy error, the request is not supported (50)” can occur when
content is compressed from the published server, but the HTTP compression
filter is disabled on the ISA/TMG. Either re-enable it, or disable
compression on the internal server.
• “502 Proxy Error. The password was not allowed.” You are doing one of two
things here: you are either passing credentials in the clear and not
allowing HTTP authentication, or you are trying to use IE as an FTP
client and sending a URL like ftp://user:firstname.lastname@example.org. In both
cases, don’t be that guy. Credentials should always be encrypted, and web
browsers are not FTP clients. Check out FileZilla.
• “502 Proxy Error. The HTTP message includes an unsupported header or an
unsupported combination of headers. (12156)” happens when a web server
returns a header with a space or tab character. It would be better to fix
the header response on the web server, but you can also apply a hot fix or
reg hack to your ISA. See
Those are the most commonly encountered 502 errors where your ISA or TMG is
either the cause, or the easiest to fix.
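
As an added example (not from the original post, Microsoft, or GFI), this Python check inspects a response head captured from the internal web server for three conditions named in the list above: a space or tab in a header name (12156), compressed content (50), and the content type you would need to authorize in the content filter. The sample response is constructed, and treating the offending space or tab as sitting inside the header name or before the colon is an assumption about where the character appears.

```python
import re

# Constructed sample: response head as the internal web server might send it.
SAMPLE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: application/x-msdownload\r\n"
    b"Content-Encoding: gzip\r\n"
    b"X-Powered By: ExampleApp\r\n"   # space inside the field name
    b"Cache-Control\t: no-cache\r\n"  # tab before the colon
    b"Content-Length: 1024\r\n"
    b"\r\n"
)

def parse_head(raw):
    """Return (status_line, [(name, value)]) keeping field names byte-for-byte."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    fields = []
    for line in lines[1:]:
        if line[:1] in (" ", "\t") and fields:
            # Obsolete line folding: this line continues the previous value.
            name, value = fields[-1]
            fields[-1] = (name, (value or "") + " " + line.strip())
            continue
        name, sep, value = line.partition(":")
        fields.append((name, value.strip() if sep else None))
    return lines[0], fields

def audit(raw):
    """List (tag, detail) findings that match causes named in the post."""
    _, fields = parse_head(raw)
    findings = []
    for name, value in fields:
        key = name.strip().lower()
        if value is None:
            findings.append(("malformed", f"no colon in header line {name!r}"))
        elif re.search(r"[ \t]", name):
            findings.append(("12156", f"space or tab in header name {name!r}"))
        elif key == "content-encoding" and value.lower() != "identity":
            findings.append(("50", f"response is compressed ({value})"))
        elif key == "content-type":
            findings.append(("content-filter", f"content type returned: {value}"))
    return findings

if __name__ == "__main__":
    for tag, detail in audit(SAMPLE):
        print(f"{tag:15} {detail}")
```

Capture the response head from a machine on the internal network, the same vantage point as step 1 above, so you see what the published server sends before ISA/TMG touches it.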
This guest post was provided by Ed Fischer on behalf of GFI Software Ltd.
GFI is a leading software developer that provides a single source for
network administrators to address their network security, content security
and messaging needs. More information: GFI
web filtering solution