No, they're not SecureNAT clients. Our network is managed by our corporate parent and we have a packet filtering firewall in place that they manage. We set up ISA mainly to more securely publish web sites to the internet, and it has been doing a great job of it.
Now I'd like to expand that to other protocols, esp. protecting our DNS server.
So basically the architecture I'm shooting for is:
Internet -> External IP -> NAT firewall -> internal IP ISA firewall -> inspect packet -> forward to DNS server (Linux/BIND)
If the servers you're publishing don't point to ISA for the default route, then you'll need to set the option in the rule to make requests appear to come from the ISA Server (I believe it's on the From tab). This is the default for Web Publishing rules, but an option for Server Publishing rules.
I do have it set to have the connection appear to come from the ISA server, and it doesn't work.
I'm thinking something else is amiss though. I turned on monitoring for live traffic on port 53 to see what was happening. The traffic is being denied by the default rule. It's as if the publishing rule doesn't exist.