The simplest way would be to disallow IP forwarding between the internal and external interfaces. That way only HTTP/HTTPS traffic passing through the proxy will be allowed. But this simplistic solution cannot be used if non-HTTP(S) traffic must be allowed, for example SMTP, IMAP, POP or DNS. So to make it acceptable, you must set up filtering rules explicitly allowing some ports (or some machines) while forbidding HTTP(S). In medium to large organizations, you would set up mail and DNS systems that would be allowed to use those ports through the external firewall while all client machines would only be allowed to use the HTTP(S) proxy.
The rest is no more than my opinion. Windows 2012 server is an excellent OS to build internal servers, because it offers rich services through AD. But to build secure firewalls exposed to the internet, I would prefer simpler systems like Linux or even better BSD, because they can more easily be stripped down to contain only the applications and services required for that usage: typically no X11 GUI interface but a reliable IP filtering service (iptables, IPF, IPFilter, etc.) and optionally(*) some proxies. The rationale behind that is just: the fewer services open on the bastion host, the fewer potential vulnerabilities. Of course, it highly depends on the size of your network and your knowledge: if you are an expert in securing Windows servers, and know little or nothing about basic Unix configuration, this will not be an option...
(*) as some proxies may be complex from a configuration or code size point of view, it can make sense not to install them on the bastion host itself but on another server.
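
The filtering policy described above, sketched for a Linux firewall as an added example that is not part of the original answer. Interface names and host addresses are constructed placeholders, and the proxy is assumed to run on a separate internal server as in the footnote. The script only prints a ruleset in `iptables-restore` format; it does not change the running firewall.

```shell
#!/bin/sh
# Added example: every name and address below is an assumption for illustration.
INT_IF="eth1"            # internal interface
EXT_IF="eth0"            # external (internet-facing) interface
PROXY_HOST="10.0.0.10"   # internal server running the HTTP(S) proxy
MAIL_HOST="10.0.0.25"    # internal mail relay
DNS_HOST="10.0.0.53"     # internal DNS resolver

# Print FORWARD-chain rules: default drop, then explicit per-server exceptions.
gen_forward_rules() {
    cat <<EOF
*filter
:FORWARD DROP [0:0]
# Replies to connections that were allowed out
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Only the mail relay may speak SMTP to the outside
-A FORWARD -i $INT_IF -o $EXT_IF -s $MAIL_HOST/32 -p tcp --dport 25 -j ACCEPT
# Only the resolver may send DNS queries out (UDP, and TCP for large answers)
-A FORWARD -i $INT_IF -o $EXT_IF -s $DNS_HOST/32 -p udp --dport 53 -j ACCEPT
-A FORWARD -i $INT_IF -o $EXT_IF -s $DNS_HOST/32 -p tcp --dport 53 -j ACCEPT
# Only the proxy server may open HTTP(S) connections to the outside
-A FORWARD -i $INT_IF -o $EXT_IF -s $PROXY_HOST/32 -p tcp -m multiport --dports 80,443 -j ACCEPT
# Anything else from inside is logged, then hits the DROP policy:
# a client trying to bypass the proxy shows up in the kernel log
-A FORWARD -i $INT_IF -o $EXT_IF -j LOG --log-prefix "fw-bypass: "
COMMIT
EOF
}

gen_forward_rules
```

The printed ruleset can be checked for syntax with `iptables-restore --test` before it is loaded on the firewall.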