Adam: You didn't describe your network architecture. Is this server your gateway to the internet? How are you protecting your client systems? To answer one of your questions, pings are often left open to allow for connectivity debugging. If pings work properly, then your problems are caused by filtering rules. I can't speak to specifics of ISA configuration, but in general, the firewall functions as a static router between the untrusted/external net and the internal net. Most modern firewalls default to allowing clients on the internal net to initiate connections to the outside but prevent external systems from reaching the internal net until you open specific ports/IPs to your public servers. In your case, it almost sounds like this is an ordinary server with a single network connection. If you are using ISA as a "personal firewall" on this server then you will have to open the ports used by each service to the client IPs using these services, e.g. with exchange you will have to open port 25 to the world so you can send/receive emails from the outside and POP or IMAP to your clients depending on what they need. Without knowing more about the architecture, my suggestion would be to put a separate appliance or linux firewall between your net and the ISP. Then you can open just the services you want to make public to the world. This removes much of the confusion I have seen when a server with a built-in firewall has to have different rules for the local net and the internet as a whole. rt

Adam: You didn't describe your network architecture. Is this server your gateway to the internet? How are you protecting your client systems? To answer one of your questions, pings are often left open to allow for connectivity debugging. If pings work properly, then your problems are caused by filtering rules. I can't speak to specifics of ISA configuration, but in general, the firewall functions as a static router between the untrusted/external net and the internal net. Most modern firewalls default to allowing clients on the internal net to initiate connections to the outside but prevent external systems from reaching the internal net until you open specific ports/IPs to your public servers. In your case, it almost sounds like this is an ordinary server with a single network connection. If you are using ISA as a "personal firewall" on this server then you will have to open the ports used by each service to the client IPs using these services, e.g. with exchange you will have to open port 25 to the world so you can send/receive emails from the outside and POP or IMAP to your clients depending on what they need. Without knowing more about the architecture, my suggestion would be to put a separate appliance or linux firewall between your net and the ISP. Then you can open just the services you want to make public to the world. This removes much of the confusion I have seen when a server with a built-in firewall has to have different rules for the local net and the internet as a whole. rt