I'm trying to do the same thing I have it mostly working, but I'm getting some url problems. For example on google.com the groups url becomes groups.ipaddress instead of groups.google.com. I'm not sure if this issue is with ISA or with Squid. I'm actually using DansGuardian on top of Squid. I'll do some more testing.
I'm chaining an ISA server through squid and it works fine setting it as an upstream proxy to redirect requests to. The problem I am having is that the ISA server believes that the squid proxy becomes unavailable and uses the bypass route to go dorect to the internet, even though the squid proxy is never unavailable This appears to be happening as ISA server cant get the array information from the upstream squid proxy. Is there a way to turn this request off and have ISA blindly pass the request to the squid box?
From: Truro, Cornwall, UK
I've got similar issues with chaining an ISA 2004 box to an upstream Squid. We get regular routing/chaining alerts saying that the ISA can not contact the Squid when its definately available and we also get issues with SNAT clients and various URLS such as hotmail.com (same issue as wasserja where urls end up containing IP addresses and not names).
We are using ISA 2004 with web chaining to a Linux server running DansGuardian and Squid. Everything seems to work fine except some clients send the IP address as the URL instead of the dns name which is causing some problems. We've tried clearing the cache on the ISA server and on Squid but the problem seems to lie with the user account in Windows. For example trying to access a site http://my.homepage.com would be sent to the upstream proxy as http://126.96.36.199. This only happens with a few sites so it's difficult to nail down. Other than that this solution is working great and provides inexpensive fast content filtering.
We are still having the same problems with some of our clients, particularly our VPN clients. It is sending the IP address instead of the URL through the ISA server to the upstream proxy server. Does anybody have any suggestions?
From: Paul Welsh
This is a route I'm considering going down. I see that Kaspersky do an anti-virus for Squid proxy servers - http://www.kaspersky.com/anti-virus_linux_proxy_server - and, given Linux and Squid are open source then it doesn't seem a bad route to go down in terms of cost. The main advantage I can see is that it means I wouldn't have to install SurfControl and an anti-virus package like Kaspersky for ISA Server onto the ISA server. I can just envisage performance / reliability problems going down this road.
Currently we use a service that MessageLabs provides for scanning web sites. It's called scansafe and costs over GBP20 per user per year. This involves chaining our ISA 2004 server with MessageLabs's remote proxy. Wonder if their proxies are running Squid?
The squid server could also act as a mail scanning server using www.mailscanner.info plus spamassassin and Clam anti-virus (open source) plus a commercial anti-virus scanner. Now that really would constitute a big saving compared to MessageLabs.
As I see it, we'd just be replacing the scansafe proxy with an in-house proxy server; all that would change on the ISA box is the IP of the server to chain to. The squid / smtp server would sit in the DMZ with a separate public IP to the ISA box. It could even have a separate, relatively inexpensive, high speed ADSL connection.
Does anyone have any experience regarding the ease of use of Squid? Is it something that can be configured and more or less left alone on a day-to-day basis?