LinuxQuestions.org
Old 12-04-2006, 01:13 AM   #1
inaki
Member
 
Registered: Mar 2005
Posts: 94

Rep: Reputation: 15
Bypass proxy


Hi all,
In our infrastructure, we use a proxy to browse the internet and also our intranet system. But we are having a problem where one of the web applications cannot run properly behind the proxy.
Does anybody know how to set the squid and ISA proxy to bypass when the client browses to that server?
 
Old 12-04-2006, 01:54 AM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1985
bypass what? by the time that a proxy has received a request from a client, it's a bit late to not ask the proxy for it, isn't it?? if you mean to stop squid requesting upstream to ISA then check the always_direct option, which will allow certain sites to be directly connected to and not go to a parent proxy.

you may also wish to look into a proxy.pac file which can tell the client not to go to a proxy in the first place for certain URLs.
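A proxy.pac along the lines suggested above, as an added example that is not part of the original post. It uses the intranet host named later in the thread; the proxy address `proxy.example.internal:3128` and the helper `normalizeHost` are assumptions. The match is exact on purpose, so only that one host leaves the proxy's filtering and logging path.

```javascript
// Added example PAC file (not from the thread).
// Hosts that may skip the proxy: keep this list as short as possible.
var DIRECT_HOSTS = ["www.mylocalserver.int"];     // host named in the thread
var PROXY = "PROXY proxy.example.internal:3128";  // assumption: your Squid listener

// Hypothetical helper: lower-case the host and drop a trailing dot so that
// "WWW.MyLocalServer.INT." is treated the same as the configured name.
function normalizeHost(host) {
  host = String(host).toLowerCase();
  if (host.charAt(host.length - 1) === ".") {
    host = host.slice(0, -1);
  }
  return host;
}

// Entry point called by the browser for every request.
function FindProxyForURL(url, host) {
  var h = normalizeHost(host);
  for (var i = 0; i < DIRECT_HOSTS.length; i++) {
    // Exact comparison only. A prefix or substring test would also send
    // "www.mylocalserver.int.example.com" direct, outside the proxy's ACLs.
    if (h === DIRECT_HOSTS[i]) {
      return "DIRECT";
    }
  }
  return PROXY; // everything else still goes through the proxy
}
```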
 
Old 12-04-2006, 06:31 AM   #3
gani
Member
 
Registered: Jun 2004
Location: Metro Manila, Philippines
Distribution: Linuxmint, Slackware
Posts: 356

Rep: Reputation: 34
You may also consult your squid logs to check for a TCP_DENIED message associated with the sites being accessed. It happened to one of my clients that connects to their webmail on port 8443 and I simply added that port in squid.conf's

acl SSL_ports port 443 563 8443

By looking interactively in your squid's access.log, you can pinpoint that while a client is trying to connect to the site in question. Adjust the path according to your distro.

# tail -f /var/squid/logs/access.log |grep a.client.ip.add

Squid has a minimum configuration for this:

#Recommended minimum configuration:
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 445 # I added this one for Windows update
acl CONNECT method CONNECT

I don't know how it is done in ISA.
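The log check described in the post above, as an added example that is not part of the original post: it reads Squid's native access.log format, keeps only TCP_DENIED entries, and tallies them by client, method and destination port, which shows which port an ACL such as SSL_ports or Safe_ports is rejecting. The log lines are constructed samples and the function names are hypothetical.

```javascript
// Constructed sample lines in Squid's native access.log format:
// time elapsed client result/status bytes method URL ident hierarchy/peer type
var SAMPLE_LOG = [
  "1165228401.512    134 192.168.1.25 TCP_MISS/200 5120 GET http://www.example.com/ - DIRECT/192.0.2.10 text/html",
  "1165228405.020      1 192.168.1.25 TCP_DENIED/403 1412 CONNECT webmail.example.com:8443 - NONE/- text/html",
  "1165228409.731      0 192.168.1.25 TCP_DENIED/403 1412 CONNECT webmail.example.com:8443 - NONE/- text/html",
  "1165228412.118      0 192.168.1.30 TCP_DENIED/403 1398 GET http://app.example.com:81/login - NONE/- text/html"
].join("\n");

var DEFAULT_PORTS = { http: 80, https: 443, ftp: 21 };

// Work out the destination port of a logged request (hostnames and IPv4 only).
function targetPort(method, target) {
  if (method === "CONNECT") {
    return parseInt(target.split(":").pop(), 10); // CONNECT logs host:port
  }
  var m = /^([a-z][a-z0-9+.-]*):\/\/[^\/:]+(?::(\d+))?/i.exec(target);
  if (!m) return null;
  return m[2] ? parseInt(m[2], 10) : (DEFAULT_PORTS[m[1].toLowerCase()] || null);
}

// Count TCP_DENIED entries per "client method port"; clientIp is optional.
function deniedByPort(logText, clientIp) {
  var counts = {};
  logText.split("\n").forEach(function (line) {
    var f = line.trim().split(/\s+/);
    if (f.length < 7) return;                          // not a native-format line
    if (clientIp && f[2] !== clientIp) return;         // same role as the grep
    if (f[3].split("/")[0] !== "TCP_DENIED") return;   // result code before "/"
    var key = f[2] + " " + f[5] + " port " + targetPort(f[5], f[6]);
    counts[key] = (counts[key] || 0) + 1;
  });
  return counts;
}

console.log(deniedByPort(SAMPLE_LOG));
```

A denied CONNECT points at SSL_ports and a denied GET at Safe_ports; each port added widens what the proxy will relay for every client, so add only the one the log shows.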
 
Old 12-05-2006, 12:55 AM   #4
inaki
Member
 
Registered: Mar 2005
Posts: 94

Original Poster
Rep: Reputation: 15
What I meant is that in my network I've used the proxy to browse the internet and intranet system, but in some cases I need direct access to one of my intranet servers, www.mylocalserver.int. It is hard to configure the client browser to bypass the proxy, so is there any possibility to configure my proxy to enable direct access for www.mylocalserver.int?
 
Old 12-05-2006, 02:46 AM   #5
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1985
i think you're missing something here... how can you possibly "bypass" a proxy when you're using it??? doesn't make sense mate.
 
Old 12-05-2006, 07:39 AM   #6
sarin
Member
 
Registered: May 2001
Location: India, Kerala, Thrissur
Distribution: FC 7-10
Posts: 354
Blog Entries: 2

Rep: Reputation: 34
My knowledge of such things is very limited and rusty.... However I feel that you may try transparent proxy and iptables.

The rule at your gw should be
1. Allow requests to local servers to pass through
2. Redirect requests to external servers to your squid

Can someone correct me if I am wrong or provide more info?

--Sarin
 
Old 12-05-2006, 09:11 AM   #7
gani
Member
 
Registered: Jun 2004
Location: Metro Manila, Philippines
Distribution: Linuxmint, Slackware
Posts: 356

Rep: Reputation: 34
When we are in trouble, let us not forget to consult the logs; they have the hints to address the problem.

Squid, as far as I know, does not by default block http access unless you have defined something to block certain sites or if your web app is connecting via a port like

http://server.domain.com:PORT#/

and that port was not included in its default configurations of safely allowed ports.

acl Safe_ports port PORT#

If you are also running another layer of proxy behind squid that handles application filtering like a content filter with file extensions blocking, this could cause your problem and you will need to consult its manual.

But if your webapp is still really in trouble when behind any http proxy, this suggestion is not practical and can only become your last option if only very few of your users need frequent access to that webapp.

1. Add another NIC in your firewall box.
2. Don't bind squid on this NIC's IP. Assign to this your next network IP block.
3. Don't port forward outgoing http traffic from this network block to squid port.
4. Give this a separate switch/hub and therefore a separate network. This is almost like a DMZ.
5. If you have good structured cabling installed with patch panels, simply switch your clients' patch plugs to this switch/hub and this would force you to separate your users accessing your webapp.
6. Configure your firewall if possible to allow specific traffic (ports & protocols) to traverse between your separated networks that are needed like SMB/Windows/Netbios and others.
 
Old 05-21-2008, 07:33 AM   #8
bucketheadmjs
LQ Newbie
 
Registered: Dec 2006
Posts: 7

Rep: Reputation: 0
I realize I am a little late to the party here but, why can't you simply put your server in the proxy exceptions list in your browser settings? This will allow your browser to bypass the proxy for connections to that server.

Ex:
*.local.domain.name
or
.local.domain.name
 
Old 05-21-2008, 12:02 PM   #9
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1985
yes, very late. please don't drag up dead threads.
 
  



All times are GMT -5. The time now is 03:29 PM.
