We have ISA 2006 installed in single NIC mode behind another firewall. It uses integrated authentication to allow our clients to surf the 'net.
When we go to www.bissell.com via HTTP (the vacuum cleaner company), our firewall drops an incoming IKE (UDP 500) connection from www.bissell.com. Yes, the simple act of browsing to www.bissell.com automatically causes their web server to initiate a VPN connection back to us.
Their explanation is that they set up IPSec from the web server to their backend servers, a very common practice, and their web server is set up to "request secure communications." They said that if our clients and their server are both set up to "request secure communications", then the IKE connection occurs. (Microsoft network client: Digitally sign communications (if server agrees))
If I bypass our ISA proxy, then the automatic IKE connection attempt does not occur.
Sooo, it seems that ISA 2006 is embedding something in the HTTP request (and it is only an HTTP request from us) that is tripping something on their server. In all of the years that we've used ISA, this is the only web site that this has happened with.
That kind of tells me that they have something configured incorrectly, but it also tells me that we may have something configured incorrectly since bypassing ISA causes this behavior to stop.
If anyone can shed any light on what the heck is going on, I'd sure like to hear it.
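To confirm from the perimeter firewall's logs that the dropped IKE packets really follow the outbound HTTP requests, the two event types can be correlated by remote IP and time. The script below is an added example, not part of the original post; the log format, the IP addresses (documentation ranges), the function name and the 30-second window are all constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in a made-up format; adapt LINE to your firewall's log layout.
SAMPLE_LOG = """\
2009-03-02T14:01:07 ALLOW TCP 192.0.2.10:51514 -> 203.0.113.80:80
2009-03-02T14:01:08 DROP UDP 203.0.113.80:500 -> 192.0.2.10:500
2009-03-02T14:03:30 ALLOW TCP 192.0.2.10:51620 -> 198.51.100.7:80
2009-03-02T14:09:45 DROP UDP 198.51.100.99:500 -> 192.0.2.10:500
2009-03-02T14:20:00 DROP UDP 203.0.113.80:500 -> 192.0.2.10:500
"""

LINE = re.compile(
    r"(?P<ts>\S+) (?P<action>ALLOW|DROP) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def correlate_ike_callbacks(log_text, window_seconds=30):
    """Return (web_server_ip, http_time, ike_time) for each dropped inbound
    IKE packet whose source we opened an HTTP connection to shortly before."""
    window = timedelta(seconds=window_seconds)
    last_http = {}  # destination IP -> time of most recent outbound HTTP connection
    hits = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip lines that do not fit the assumed format
        ts = datetime.fromisoformat(m["ts"])
        if m["action"] == "ALLOW" and m["proto"] == "TCP" and m["dport"] == "80":
            last_http[m["dst"]] = ts
        elif m["action"] == "DROP" and m["proto"] == "UDP" and m["dport"] == "500":
            seen = last_http.get(m["src"])
            # Only count IKE that arrives after, and close to, our own HTTP request.
            if seen is not None and timedelta(0) <= ts - seen <= window:
                hits.append((m["src"], seen, ts))
    return hits

if __name__ == "__main__":
    for ip, http_ts, ike_ts in correlate_ike_callbacks(SAMPLE_LOG):
        delay = int((ike_ts - http_ts).total_seconds())
        print(f"{ip}: HTTP at {http_ts}, IKE drop at {ike_ts} (+{delay}s)")
```

Running the same correlation once with traffic going through the proxy and once with it bypassed shows whether the IKE attempts track only the proxied requests.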