I have an Internal network routing through ISA 2k4sp2 which is physically remote, on a different subnet and separated from my local net via a VPN tunnel. Those users in the remote site cannot pass HTTPS at all as SecureNAT clients (yeah, I'm still chasing that problem) and lately have started having trouble passing HTTP... In both cases, the processing time goes into the six figure range (hundreds of thousands of milliseconds, i.e. hundreds of seconds).
I've got them working via explicit Proxy (for both Secure and HTTP) and this works for a while, but after several days ALL firewall'd traffic starts timing out. Interestingly, I can traceroute through ISA to, for example, one of the IPs of www.google.com but can't load http://www.google.com/. REBOOTING ISA FIXES THIS, but does not fix https.
Could this be related to Internal network conflict? (I just started a different thread in Infrastructure describing my Net-In-Net woes.) It seems as if some buffer is being filled and not cleared. It is noteworthy that local SecureNAT and Proxy clients (in the same building as my ISA firewall) do not seem to suffer any performance or connectivity problems when my remote users suffer.