Thanks everybody for the valuable feedback and suggestions.
Lex, I agree that a search on TCP_NOT_SYN gives some interesting hits, but as stated earlier I don't see that this problem has anything to do with SMB or whether NETBIOS is enabled or not. I mean, if I try to make an FTP connection from a LINUX prompt the ISA2004 still gives this error, so then for sure I am not using SMB or Netbios.
I will try to fix some kind of Linux box that can act as a router in the middle of my network, but I can't help the feeling of doing something really wrong. It's as if I were the captain of the Titanic, I just crashed into an iceberg, and you guys are patting my back, saying "Don't worry, these boats are designed to crash into icebergs and go down, you have done the right thing..."
What I mean is that I would really love the ISA2004 to be able to accept all defined protocols from INTERNAL to INTERNAL; that's almost how it works now, with the exception of RPC, FTP and PPTP. So LDAP, RDP, DNS and so on work fine right now. And the beauty of it all is that the virus-infested computers in our global network don't even get a chance to bother us, because most viruses use non-standard ports that I can easily see in the live monitoring tool as DENIED, and that's just a fantastic improvement over ISA2000.
Isn't there a workaround to achieve this? If I define all my internal networks as subnets and remove them from INTERNAL (even if that's just what they are), and then make separate access rules for every one of them, stating that all defined protocols should be allowed between INTERNAL and these subnets, will that work? Or will I still get FWX_E_TCP_NOT_SYN_PACKET_DROPPED if I keep the ISA2004 as the default gateway?
You have to understand that I am talking about going to 3-4 branch offices with maybe 20-30 computers locally, and trying to convince their bosses that I need to "complicate" their network by putting in a router (be it a Linux machine or whatever) to get the internal networking to work. Since they have an ISA2K in place it will be a bit strange to explain that ISA2004 is not capable of doing things the same way - even if I of course agree with Bill Stewart that this is a new beast, not just an "ISA2K V2".
I am also thinking about Bill's suggestion to add static routes to the servers, so that the traffic doesn't touch the ISA2004. This should be OK for the servers, even if I see some problems in that I have to keep track of every new network added in Timbuktu and Shangri-La that needs to be reached, but for the clients it sounds impossible. Laptops get bought, get stolen, have coffee spilled over them - you know how it is. And all of them would then require routes for datacenters, support tools, intranet websites, SharePoint portals, customer networks.
It just doesn't work.
Maybe I should go back to ISA2000, where I had no problems at all, but I just can't do that! ISA2004 is potentially the best firewall I have ever seen, and I have used NAI Gauntlet on BSD and NT4, then Firewall-1 and then Cisco PIX, but they do not even come close to the features and ease of use of the ISA2004.
Any more suggestions and advice would be most welcome, while I wait for Dr. Shinder's book to reveal the Truth and the Light to me about ISA2004.