it only ran from behind the ISA because you allowed it too. I'm sure you probably allowed that machine access to any site/destination. That's why it can authorize with WON. Players won't be able to join because packets will be sent the the ISA machine and you must tell the ISA machine to forward ports 27005, 27015, or whatever other ports HalfLife uses to the machine running behind the ISA.
How do I allow the traffic on the ISA server:
"Configuring filtering and routing:
When you enable packet filtering on Microsoft Internet Security and Acceleration (ISA) Server, all packets on the external interface are dropped unless they are explicitly allowed, either statically, by Internet Protocol (IP) packet filters, or dynamically, by access policy or publishing rules.
The opposite scenario is configured when you enable routing on ISA Server without enabling packet filtering. In that case, ISA Server simply routes all traffic between the Internet and your corporate network. In other words, ISA Server acts as a router, a device that connects disjointed networks by forwarding packets between them. This is not a recommended scenario for ISA Server."
personally, I would keep the the filtering on and just add rules when needed.
I'm guessing that this is how you do things, based on what little experience I have with ISA so please correct me whenever guys.
5 computer network (1 win9x, 4 win2k), HPNA 1mb network, cable modem.
don't forget to do security tests
http://www.dslreports.com/secureme (I love this one)