If the Firewall client machine sends to a destination that is not part of the defintion of the ISA Firewall Network on which the client is located, the Firewall client will remote the connection to the ISA Firewall to send to another ISA Firewall Network (such as the default External Network if there is no defined route on the ISA Firewall for the destination Network). Thomas W Shinder, M.D. Site: www.isaserver.org <http://www.isaserver.org/> Blog: http://blogs.isaserver.org/shinder/ Book: http://tinyurl.com/3xqb7 <http://tinyurl.com/3xqb7> MVP -- Microsoft Firewalls (ISA) ________________________________ From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of D PIETRUSZKA USWRN INTERLINK INFRA ASST MGR Sent: Friday, May 18, 2007 9:51 AM To: isalist@xxxxxxxxxxxxx Subject: [isalist] Re: Exclusions Ok, open my original email go to Edit/replace and replace "ISA client" for "Microsoft Firewall client for ISA server 2004" J Regards Diego R. Pietruszka MSC (USA) - Interlink Transport Technologies From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder Sent: Friday, May 18, 2007 10:44 AM To: isalist@xxxxxxxxxxxxx Subject: [isalist] Re: Exclusions What is the "ISA client" There is a FIREWALL client, SecureNAT (SecureNET) client, and a Web proxy client. THERE IS NO "ISA CLIENT". HTH, Tom Thomas W Shinder, M.D. Site: www.isaserver.org <http://www.isaserver.org/> Blog: http://blogs.isaserver.org/shinder/ Book: http://tinyurl.com/3xqb7 MVP -- Microsoft Firewalls (ISA) ________________________________ From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of D PIETRUSZKA USWRN INTERLINK INFRA ASST MGR Sent: Friday, May 18, 2007 9:27 AM To: isalist@xxxxxxxxxxxxx Subject: [isalist] Exclusions Good morning everybody (well, for most of you ;-) ) I have the following scenario: Subnet 10.200.*.*(NY) and subnet 193.138.73.* (Geneva) both are internals and connected with a router no ISA in the middle. For the NY users the Internet proxy (ISA 2004 array) is on the 10.200.*.* subnet and they have the ISA 2004 client installed configuring IE automatically. The NY guys are trying to access a citrix server in Geneva with IE, the Geneva range was included on the NY proxy array as part of the internal network, also on the Web Browse TAB (internal network properties) so the proxy is bypassed when accessing that subnet and the subnet was also included on the routing table of both servers members of the array. The point is citrix failed to open a desktop session. They can reach the login page and even login, but session failed to open. Now, if I disable the ISA client and manually add on IE the Geneva subnet between the exclusions, everything works fine. Any idea of what can be happening? Regards Diego R. Pietruszka MSC (USA) - Interlink Transport Technologies