Troubleshooting Firewall Policy | Microsoft Internet Security and Acceleration (ISA) Server 2004 Administrators Pocket Consultant (Pro-Administrators Pocket Consultant)

Firewall policies are the heart and soul of ISA Server's functionality, and some scenarios can become fairly complex. Be sure to review the Microsoft Knowledge Base (http://support.microsoft.com) for issues that relate to your particular scenario. See http://www.isaserver.org and the ISA Server newsgroups (listed at http://www.microsoft.com/isaserver/community) for tutorials and a great forum where many people share stories of how to set up access rules, publish servers, and overcome environmental and technical challenges.

Here are a few key points to remember and good resources to use when troubleshooting.

When you make changes to firewall policies, current sessions aren't affected. You need to either disconnect the sessions or restart the firewall service for these sessions to enlist the new policies.
Be sure that you understand the difference between system policies, access rules, and publishing rules. Remember that traffic is processed first at the network, then system policies, then access or publishing rules.
For ISA Server 2000 users, don't forget to click Apply after making changes. ISA needs to commit the changes to the register (in Standard Edition) or the CSS (in Enterprise Edition).
Remember that if you have a NAT relationship between networks, access rules can only apply from the source (protected) to destination (untrusted) networks. Publishing rules are necessary to allow traffic in the other direction. When the network relationship is set to Route, access rules can apply both ways.