Am new to this group (and ISA), so hopefully this is clear. We have ISA 2006 and recently deployed the FWC to our users. This breaks some user connections to a VPN via PIX. We have network routes (in router) in place to point the destination VPN nets directly to the PIX, which worked OK before installing FWC. FWC appears to send this traffic to ISA as expected. However, I tried adding the VPN networks to the 'Internal' network properties Web browser 'direct access' section and the Addresses section to no avail. I also tried adding the addresses to the local host file on ISA and gave it an address1.testdomain.com entry. Then added this domain to the domains tab (as this is the only tab that refers to exceptions for the FWC instead of the browser). Still no good. ISA client logging still shows traffic being denied at ISA.
So bottom line ... is there a way to bypass ISA for certain network destinations for an XP user with the FWC installed?
After a brief review that looks like where we would want to get to, but was looking for a quick fix around ISA. The PIX rule for the VPN is pointed to an interface not connected to ISA. So to implement via that article, I would need to engage the vendor at the other end of the VPN and interrupt our connection to work through it. Was hoping for some setting to get ISA to ignore this traffic and let the router handle it internally like the Web Proxy allows for.
So to implement via that article, I would need to engage the vendor at the other end of the VPN and interrupt our connection to work through it.
Where is that suggested?
If it works before installing the FWC, then you need only configure those destinations for direct access, that means in the Web Proxy *and* the Firewall client.
This did work before installing the FWC, and does work if you disable it. I did try your suggestion as best I could find it. In the ISA mgmt tool under Configuration > Networks, I selected Internal > properties. On the Web Browser tab I added the addresses to the box under 'directly access these servers or domains'. The 'Firewall Client' tab does not have any place to add addresses. I found under the 'Domains' tab, it says 'Firewall Clients will not use ISA Server when connecting to these domains'. It does not allow addresses, and the server IPs are not in external DNS. So I added entries in our DNS server (that ISA queries) as Server1.ourdomain.com and server2.ourdomain.com. In this 'Domains' tab we already had an entry for *.ourdomain.com so I was hoping this would work. When logging for my client IP, I still get a deny message for one of the server#.ourdomain.com IPs. I would expect this as I have no rule to allow it through, but my current goal was to avoid ISA altogether for the time being.
I suggest you re-read that section in my article very carefully!
For the Web Proxy client you have to configure direct access for the domains/IPs reachable through the VPN. You can do this centrally on the ISA server in the Web Browser tab.
For the Firewall client you have to configure direct access for the IPs reachable through the VPN. There are two ways you can do that. If it involves only a small number of workstations, I would use a 'locallat.txt' file on the workstation itself. However, if it involves all workstations you could tell ISA that those IPs belong to the internal network. The result is nearly the same.
BTW --- use the fwctool command to verify what the Firewall client considers as LAT.
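As an added illustration (my own example, not code from anyone in this thread or from the ISA product), the following Python models the decision the Firewall client makes from its local address table: a destination inside a LAT range is sent directly (bypassing ISA), anything else goes to ISA. The locallat.txt layout assumed here, one "start end" IPv4 pair per line with ";" comments, is from my recollection of the Firewall Client documentation, and the address ranges are constructed. The useful part for a defender is the audit function: every LAT range is a firewall bypass, so listing which of your destinations would go direct (the same thing fwctool lets you check on a real client) is worth doing before trusting a locallat.txt or a change to the Internal network's addresses tab.

```python
import ipaddress

# Constructed sample locallat.txt content (not from the thread). Assumed format:
# one "start_ip end_ip" range per line; blank lines and ';' comments ignored.
SAMPLE_LOCALLAT = """\
; constructed example: local LAN plus a remote VPN subnet reached via the PIX
192.168.1.0 192.168.1.255
10.50.0.0 10.50.255.255
"""


def parse_locallat(text):
    """Parse locallat.txt-style text into a list of (start, end) IPv4Address pairs.

    Malformed lines raise ValueError rather than being skipped, because a
    silently dropped or mis-parsed range changes what bypasses the firewall.
    """
    ranges = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split()
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected 'start end', got {raw!r}")
        start, end = (ipaddress.IPv4Address(p) for p in parts)
        if end < start:
            raise ValueError(f"line {lineno}: range end {end} precedes start {start}")
        ranges.append((start, end))
    return ranges


def in_lat(ranges, ip):
    """True if the destination falls inside any LAT range."""
    addr = ipaddress.IPv4Address(ip)
    return any(start <= addr <= end for start, end in ranges)


def route_decision(ranges, ip):
    """'direct' if the client would bypass ISA for this destination, else 'isa'."""
    return "direct" if in_lat(ranges, ip) else "isa"


def audit(ranges, destinations):
    """Map each destination to its routing decision, e.g. for the VPN hosts in question."""
    return {ip: route_decision(ranges, ip) for ip in destinations}


if __name__ == "__main__":
    lat = parse_locallat(SAMPLE_LOCALLAT)
    # Constructed destinations: a VPN host, a LAN host and an Internet host.
    for ip, decision in audit(lat, ["10.50.3.7", "192.168.1.20", "203.0.113.5"]).items():
        print(f"{ip:>15} -> {decision}")
```

Run it as-is to see the three constructed destinations classified; to check a real client, paste the ranges fwctool reports into SAMPLE_LOCALLAT and pass the VPN server addresses to audit().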
Thanks for the info on the fwctool. This really helped me. I had put the VPN networks in the 'addresses' tab for my Internal network. Using the fwctool, I found they were not making it to the client. After a little digging, I found an article that states after making such a change in ISA, the firewall client only updates itself on reboot, 6 hour interval, or a 'manual refresh is activated on the firewall client computer' (they did not elaborate on how to do this ... a disable/enable of the client didn't seem to do it). So, I had the modification correct, but I did not know the update needed 'forcing' or wait 6 hours to become effective on the FWC computer. This seems to have worked. Thanks again for your help, it has been very much appreciated.