Home | Site Map | Cisco How To Net How To | Wireless | Search | Forums | Services | Donations | Careers | About Us | Contact Us|

Track user web activity with GFI WebMonitor™. Download free trial!


ISA server Error Code: 502 Proxy Error

Whenever an ISA or TMG server throws a 502 Proxy Error your way, you know you are probably in for a real hurdle. But with a little familiarity with what a 502 error means, and how it can be fixed, you will be back in business in little time.

First, let’s take a look at the definition of 502 HTTP response code:
502 Bad Gateway
The server was acting as a gateway or proxy and received an invalid response from the upstream server. Pay close attention to what that is saying. The proxy (meaning your ISA or TMG server) received an invalid response from the upstream server (implying that the internal webserver that you are publishing!).

Unfortunately that is not always the case as ISA and TMG can throw that error when they are unhappy about something that a normal browser would readily accept. They can also throw one of several different kinds of 502 depending on the circumstances. Understanding is critical to a quick resolution. Don’t just stop reading at 502, check the rest of the response. Here is how to determine whether the problem is with your ISA/TMG, or on the internal server:

1. Open a browser on the internal network.
2. Access the URL in question.
3. If you can view the content successfully, the problem is with your ISA/TMG. If not, the problem is with your webserver. Since this post is about ISA and TMG, let’s assume you are able to view the content internally just fine, so we’ll keep discussing ISA/TMG.
4. Go to your log viewer. In ISA that is Monitoring, or in TMG that is in Logs & Reports.
5. Edit the filter to look at live logs and have the user try again, or filter on the time range to see the error. Add the “Filter by” criteria for HTTP Status Code, and set it equal to 502.



6. Run the query, and examine the results.

Some of the frequent causes of ISA/TMG generating 502s are:

• A 502 can be thrown by the ISA/TMG when content filtering is enabled and something in the response is being blocked. Disable content filtering and see if you are then able to access the resource. If you are, look at the header in one of the logged errors (in your log, click the more information link on the error) and see what content type is being returned by the published server. Authorize that in your content filter.
• If you are using ISA/TMG as a client proxy, and the destination server is running on a non-standard port, you can encounter this error. Create an access rule allowing the non-standard ports.
• “502 Proxy Error. No data record is available. (11004)” is generated when the ISA/TMG cannot resolve the internal resource’s name to an IP address. Check your internal DNS, or your ISA/TMG’s DNS client configuration. I have often seen clients configure their systems to use external DNS servers. Editing your ‘hosts’ file is not the solution.
• “502 Proxy Error. The ISA Server denied the specified Uniform Resource Locator (URL). (12202)” happens when the client requests content explicitly blocked, like executables. Don’t link to and/or have clients download EXEs directly; zip them.
• “502 proxy error, the request is not supported (50)” can occur when content is compressed from the published server, but the HTTP compression filter is disabled on the ISA/TMG. Either re-enable it, or disable compression on the internal server.
• “502 Proxy Error. The password was not allowed.” You are doing one of two things here; you are either passing credentials in the clear and not allowing HTTP authentication, or you are trying to use an IE as an FTP client and sending a URL like ftp://user:pass@ftp.example.com. In both cases, don’t be that guy. Credentials should always be encrypted, and web browsers are not FTP clients. Check out Filezilla.
• “502 Proxy Error. The HTTP message includes an unsupported header or an unsupported combination of headers. (12156)” happens when a web server returns a header with a space or tab character. It would be better to fix the header response on the web server, but you can also apply a hot fix or reg hack to your ISA. See http://support.microsoft.com/default.aspx?scid=kb;EN-US;935693.

Those are the most commonly encountered 502 errors where your ISA or TMG is either the cause, or the easiest to fix.

This guest post was provided by Ed Fischer on behalf of GFI Software Ltd. GFI is a leading software developer that provides a single source for network administrators to address their network security, content security and messaging needs. More information: GFI web filtering solution

All product and company names herein may be trademarks of their respective owners.



Post your questions, comments, feedbacks and suggestions

Contact a consultant

Related Topics





  This web is provided "AS IS" with no warranties.
Copyright © 2002-2017 ChicagoTech.net, All rights reserved. Unauthorized reproduction forbidden.