Can anyone explain the comment in the ISA Server help file:
"Server publishing rules and Internet Protocol (IP) packet filters both open specific ports for communication between the local network and the Internet. In most situations, you will use server publishing rules to make internal servers accessible to external clients. Indeed, it is recommended that you use server publishing rules, because application filters can further process requests destined for the server. For more information on application filters, see Application filters.
"In some cases, IP packet filters must be used:
"* When you are publishing servers that are situated on a perimeter network (also known as a DMZ, demilitarized zone, and screened subnet), you must use IP packet filters to make them accessible to external clients."
Why can't you use publishing rules for servers inside a DMZ?
Good question. The reason why you can use Server Publishing rules is that routed communications are not processed through the ISA Server rules engine. Only requests moving between the internal and external network (as defined by the LAT) are.
Since packets are routed between the Internet and the DMZ, the only way to allow access into and out of the DMZ is by creating packet filters.