We have 2 ISA 2006 Enterprise Servers with 2 NICs each on our LAN behind hardware firewalls. Both are on the same subnet. The only reason we have two is so any one of the two ISA servers can be rebooted or fail/crash without anyone losing Internet access.
I would like to set ISA rules for a mix of computers on our network.
1. Firewall Clients: Our domain-joined XP and Windows 7 desktop workstations get the firewall client and proxy settings set by GPO.
2. Authenticated Web Proxy Clients: Our laptops, plus other computers on our employee LAN that aren't joined to our domain would be web proxy clients with browsers set to automatically detect proxy settings. WPAD settings would be configured in DNS and DHCP.
3. SecureNat clients: Other computers on the network that cannot have the firewall client installed and have applications that need to get out to the local network and Internet without having to know proxy settings need to work as SecureNat clients. . We would rather not have any of these groups bypass the proxy completely, but instead default to SecureNat.
4. Anonymous web proxy clients. Wireless network for visitors to use to get access the Internet.
5. Exceptions. Servers or workstations that have some process or application that cannot be made to work through any proxy configuration including Securenat. These will need to bypass the proxy on a case by case basis either as a temporary workaround while a fix is found or else permanently.
How would array firewall access rules be set for this and in what order to make them all work correctly?