Is it possible to restrict the port range ISA uses for the virtual connection containing data sent from and to the Firewall Client? We have another firewall between our clients and ISA, and our firewall guys don't want to open all ports.
As I understood it, the FWC uses TCP 1745 for the control connection through which it receives an arbitrary port > 1024 from the server, and then establishes a connection to this high port for the "real data".
The Firewall client connects directly to the Firewall service using 1745 to negotiate protocols and obtain name resolution information. After that, the client connects to the site using the protocols required.
So, you must allow the required traffic through all firewalls. The best plan and the one I always use is put the ISA firewall in front of the users and make the ISA firewall a member of the domain.
Any firewall should be able to perform at least stateful filtering, so the packet filter admins shouldn't have to 'open ports'.