ISA 2006 stopped working


I have an ISA 2006 array NLB between 2 ISA servers. The servers hold both a configuration server and ISA server roles.
Servers have 2 NICs, one to my workstation VLAN and one to my internet segment. DNS is set for the workstations to resolve the ISAs by their workstation interface.
I use ISA to proxy my web clients, to block them from going to sites that are not configured in my allowed URL set. I then made a rule to deny all web traffic unless the site requested was part of said URL set.
I configured this rule to apply to a group called ‘restricted internet’ and added my users to this group.
I have a group policy that configures all systems within an OU to set their Internet Explorers to use my ISA proxy virtual name on 8080. I placed the users' workstations in this OU.
This worked fine for 50 days with no one touching it. Then I got reports that users were not being blocked from visiting prohibited sites any longer.
I confirmed this report and checked my ISA servers. Logs were clean of any items that made me think may be related.
I have moved my restricted internet rule up to #1 in the order and still users are able to view any site they want.
I am watching logging on one client and I am seeing the ISA allow the connection, but it is not displaying what rule is allowing it.
The only thing I see that strikes me as abnormal is the SQL icon in the system tray says ‘Not connected \\’. I checked the SQL services on the ISAs and they are running. I also found that in DNS both interfaces, workstation VLAN and internet, had registered their IPs under the ISA servers' names. I removed the DNS entries for the internet interface IPs, and set those interfaces not to register with DNS.
I also rebooted the ISAs.
The only thing that I see of interest in my logs is this:
Source WBLS
Event 55
NLB Cluster <<WORKSTATION VLAN IP>> : Inconsistent bi-directional affinity (BDA) teaming configuration detected on host 3.  The team in which this cluster participates will be marked inactive and this cluster will remain in the converging state until consistent teaming configuration is detected.  

I am not using teaming, and to be safe I uninstalled the Broadcom teaming app. Other than that, logs are clean.


NIC teaming is not the problem. I suggest you:

1) check if DHCPMediaSense is disabled on all NICs
2) read the

JFTechAuthor Commented:
I have come to find that the IP assigned to my internal interfaces is too close to the IP that is assigned to the external interface. Hence ISA cannot tell the difference between internal and external, so it routes all internet requests. Note that the IPs are the same class but different sub-nets. However, ISA does not care about sub-net differences in IP ranges; it only looks at the IP ranges.
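
A check for the condition described in the last comment, as an added example that is not part of the original thread: given the address ranges entered for the firewall's Internal network and the address on each adapter, it flags an external adapter whose IP or subnet falls inside an Internal range. The function names, adapter names and all addresses are constructed for illustration; the ranges would be copied by hand from the network definition.

```python
import ipaddress

def parse_range(text):
    """Parse 'start-end' into (IPv4Address, IPv4Address); reject reversed ranges."""
    start_s, end_s = (part.strip() for part in text.split("-", 1))
    start, end = ipaddress.IPv4Address(start_s), ipaddress.IPv4Address(end_s)
    if start > end:
        raise ValueError(f"range start is after range end: {text}")
    return start, end

def audit(internal_ranges, nics):
    """internal_ranges: list of 'start-end' strings defining the Internal network.
    nics: list of (name, role, 'ip/prefix') with role 'internal' or 'external'.
    Returns a list of (nic_name, finding) tuples; empty means consistent."""
    ranges = [parse_range(r) for r in internal_ranges]
    findings = []
    for name, role, cidr in nics:
        iface = ipaddress.IPv4Interface(cidr)
        inside = any(lo <= iface.ip <= hi for lo, hi in ranges)
        if role == "internal" and not inside:
            findings.append((name, "internal NIC address not covered by Internal ranges"))
        elif role == "external" and inside:
            findings.append((name, "external NIC address lies inside an Internal range"))
        elif role == "external":
            # The NIC address is outside, but a range may still take in part of its subnet.
            net = iface.network
            if any(lo <= net.broadcast_address and hi >= net.network_address
                   for lo, hi in ranges):
                findings.append((name, "Internal range overlaps the external subnet"))
    return findings

# Constructed sample: same class, different subnets, as in the comment above.
NICS = [
    ("Workstation VLAN", "internal", "10.10.20.5/24"),
    ("Internet", "external", "10.10.30.5/24"),
]
TOO_BROAD = ["10.10.0.0-10.10.255.255"]    # range swallows the external subnet
PARTIAL = ["10.10.20.0-10.10.30.3"]        # range runs into the external subnet
CORRECTED = ["10.10.20.0-10.10.20.255"]    # workstation subnet only

if __name__ == "__main__":
    for label, ranges in (("too broad", TOO_BROAD), ("partial", PARTIAL),
                          ("corrected", CORRECTED)):
        print(label, audit(ranges, NICS) or "consistent")
```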
