How’s your network laid out, where are the two devices in relation to each other and any other routing/forwarding devices? Your clients should be sending their data to the router directly for access to resources on the 172.30 network as their gateway, not the ISA Server, assuming you mean non internet-based resources like user data, Windows services etc. Have you restricted access to specific IPs/hosts for the VPN tunnel on the firewall? Can you ping each end of the tunnel from a client? If you perform a tracert on this ping, what route is it following?