I'm having a bit of trouble figuring this out, so I thought I'd check with everyone here, who, through their posts and tutorials, has already answered a lot of my questions.
We run a single ISA server, which is part of our domain, and publish a few websites and email servers through it (a mix of web publishing and server publishing), and initially set everyone as a secure NAT client, just to make the rollout easier, as we are a mix of 2000/98 machines. Now, I'd like to move to the firewall client, which will streamline authentication to the Web Proxy client, which I'd like to require authorization for (and thus keep track of users internet access.)
My trouble is this. We've configured a few extra protocol rules so that specific destination sets (defined by IP, currently) can access a few things outside the Allow Internet Access rule, such as Terminal Services or POP3. When the client is a secure NAT client, everything works fine. But if you install the firewall client, you're still able to get the basic internet access rules, but none of the extra protocols are working. Right click and disable the FWC, and you can use the extra protocols again.
I'm not sure if this is related, but just to be complete -- VPN is activated on the ISA server.
This situation indicates to me that the DNS configuration on the ISA Server is incorrect. Also, if VPN connections break your Internet connections for internal network clients, that indicates your ISA Server is also a DC.
Thanks for the reply. I read your book by the way -- very well done.
ISA is not a DC, although it is a member of the domain. ISA has two cards, one internal, one external. The internal card resolves DNS queries on our internal DNS servers. Those internal DNS servers are configured to resolve anything they don't have by means of forwarders, to external DNS servers provided by our ISP. Looking at the cache on our internal DNS servers, I'm pretty confident all DNS requests are being resolved on our internal servers.
Just for redundancy, ISA also has external DNS servers configured on its external card. In network connections /advanced options, the internal connection is given priority over the external connection.
As to the VPN, it's only allowed for Domain Admins, of which all 3 of us are in the building, and aren't using VPN during the day.
I would check the Protocol Rules and make sure the users have permissions to use the Protocols. Also, check the Firewall service log and check the error codes on the client requests. Make sure you also log Rule#1 and Rule#2 in the log files.
If your ISA external interface is multihomed, secure NAT traffic will always go out the default IP of the ISA server. Meanwhile, Firewall Client traffic will attempt to use the least-used IP.
This can really confuse you if you have a back-to-back firewall configuration, and are very restrictive about what protocols are allowed from what IPs.
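The log-triage step suggested above (check the Firewall service log for the error codes on the client requests, with Rule#1 and Rule#2 logged) can be done over a whole log file rather than by eye. The following is an added example, not code from anyone in this thread: a small Python parser for a W3C-style firewall log that first checks whether the status and rule fields are being logged at all, then tallies failed requests by client, protocol, rule and result code. The `#Fields` header names, the sample lines and the treatment of status `0` as success are constructed assumptions; the parser keys rows by whatever header the real log carries.

```python
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# CONSTRUCTED sample: tab-delimited W3C-style lines under an ISA-like #Fields
# header. The field names are assumptions, not a statement of the real format.
SAMPLE_LOG = (
    "#Software: Microsoft(R) Internet Security and Acceleration Server\n"
    "#Fields: c-ip\tcs-username\tr-host\tr-port\tcs-protocol\tsc-status\trule#1\trule#2\n"
    "192.0.2.10\tDOMAIN\\alice\tmail.example.net\t110\tPOP3\t0\tAllow Internet Access\t-\n"
    "192.0.2.11\tDOMAIN\\bob\tts.example.net\t3389\tRDP\t13\tTerminal Services out\t-\n"
    "192.0.2.11\tDOMAIN\\bob\tts.example.net\t3389\tRDP\t13\tTerminal Services out\t-\n"
    "192.0.2.12\tanonymous\tmail.example.net\t110\tPOP3\t12\tExtra POP3\t-\n"
)


def parse_w3c(text: str) -> Tuple[List[str], List[Dict[str, str]]]:
    """Return (header fields, rows) from W3C extended log text; rows are keyed by the header."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # header is whitespace separated
        elif line and not line.startswith("#"):
            values = line.split("\t") if "\t" in line else line.split()
            if len(values) == len(fields):     # skip truncated or foreign lines
                rows.append(dict(zip(fields, values)))
    return fields, rows


def unlogged_fields(fields: Iterable[str],
                    wanted: Tuple[str, ...] = ("sc-status", "rule#1", "rule#2")) -> List[str]:
    """Fields we need for triage that the log header does not carry (i.e. are not being logged)."""
    present = set(fields)
    return [f for f in wanted if f not in present]


def failed_requests(rows: Iterable[Dict[str, str]]) -> Counter:
    """Count requests with a non-zero result code, grouped by client, protocol, matched rule and code."""
    tally: Counter = Counter()
    for r in rows:
        if r.get("sc-status", "0") != "0":     # assumption: 0 means the request succeeded
            tally[(r["c-ip"], r["cs-protocol"], r["rule#1"], r["sc-status"])] += 1
    return tally


if __name__ == "__main__":
    fields, rows = parse_w3c(SAMPLE_LOG)
    print("not logged:", unlogged_fields(fields) or "nothing missing")
    for key, n in sorted(failed_requests(rows).items()):
        print(f"{n}x  client={key[0]} proto={key[1]} rule={key[2]!r} code={key[3]}")
```

A client whose failures all sit under one of the extra protocol rules, as the RDP lines do here, points at that rule's permissions rather than at the general Internet access rule.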