Perhaps I was being a little irrational when I said that ISA server is unnecessarily complicated - rather it just doesn't tell you a lot of the things that it does. For example, I don't think it allows you to route packets from the external to the internal interface (the interface that has an address that is within the LAT) even if you explicitly set up packet filters to allow it. I think iptables is far superior.