John, I think MS have a bit of confusion in the release notes. In the Beta SP1 release notes, there is the list of Q article fixes which it says are included in the SP, but there is also another list of NEW fixes just in SP1, which have no separate Q article release (section 9).
In the release notes for the Full SP1, that section appears to be missing, and has been replaced with a sentence saying "see Q313249". However, Q313249 has a very small list of fixes...and excludes the SP1-only fixes.
I.E: Section 9 of the Beta release notes starts:
9.0 ISA Server Bug Fixes
1. A VPN client in the DMZ, using L2TP, was unable to access the Internet server. This occurred because the code excluded this protocol for creating a filter.
2. When server publishing an FTP server on an ISA server with multiple IP addresses on the external interface using any IP other than the primary IP, the response to the client data connection went over the primary IP. This resulted in a connection failure for firewall clients.
3. POST requests did not utilize previously established proxy-server connections.
13. ISA Server dynamically selects a secondary connection port for a FTP server that is published through ISA. This secondary connection, initiated by the server through ISA, does not come from port 20.
Note: Sections 3 and 13 relate to the FTP problem, which my clients were experiencing.
Anyway...just a bit weird, that's all.
The issue is where you server publish out (not web publish) a service (e.g. HTTP Server), and an internal client can't access the site.
E.g., we map out about 80 websites using server publishing rules (need the IPs in the IIS logs, so can't use web publishing). We map our internal 10.3.1.x addresses to our external 194.x.x.x addresses. Internal users who try to connect to 194.x.x.x just get a 404 error. PSS just said to put all the FQDN entries in the local DNS server, so the internal clients resolve the FQDNs to the internal IPs. However, creating a zone for each website is not feasible...anyway, the firewall should be able to map them out.
This is not a blanket problem though, I'm still trying to figure out why it happens. I've seen the same effect when publishing out SMTP and POP3 servers too.
I currently just use routing rules to redirect requests for the FQDNs to the internal IPs (although this then doesn't work with HTTPS).
Oh well...not big problems anyway, I'll make a couple more calls and see what the status of those problems is...will let you know!