We are running ISA Server 2004 on a 2003 SP1 machine. We have set up PPTP VPN access with a quarantine. The only way to get out of the quarantine currently is by being in an exempted group. We have been having an intermittent issue where a user connects to the VPN server and is issued a DHCP address for our network. After that point, they cannot use any of the resources that should be available to a quarantined user (i.e. RDP, HTTP, etc.). They can ping internal devices, and they can do nslookups, but no other traffic seems to get through. This has happened to both quarantined and non-quarantined users.
Sometimes just disconnecting, waiting a few minutes and then reconnecting will solve this problem. Other times it is persistent for the user. At the same time, we will have other users not experiencing the problem (both quarantined and non-quarantined). It seems to be more common on some users' machines than others (mostly running Windows XP SP2).
We applied ISA service pack 2 and several hotfixes to see if the issue would resolve, but have had no success. Any ideas?
We have found the problem to be the Firewall Client. This has mostly happened to laptop users. They use the Firewall Client when they are on our network to authenticate and get out to the Internet. Then they take their laptop home and try to connect. If the Firewall Client is running, then as soon as it finds the ISA server, they cannot get any TCP traffic to go out. If they disable it, then they can do anything their group is allowed to do.
To explain the intermittent part: when running the Firewall Client and connecting to the VPN, it takes a few seconds for the VPN client to find the ISA server. During this time, the user can establish TCP connections to various resources (e.g. Terminal Services). If they have an established connection, even after the client finds the ISA server, their connection continues. If they disconnect from their Terminal Services session, they cannot reconnect to it without disconnecting and reconnecting their VPN session (or disabling the Firewall Client, of course).
It seems like Microsoft would have had the foresight to allow the Firewall Client to work through a VPN session, or at least not cause a problem like this.