This is a bit of a common issue, but it's not normally noticed as the tests are normally carried out on IE, so it uses the ActiveX components, which aren't an issue.
The fix (found here: http://forums.forefrontsecurity.org/?g=posts&m=553):
The default rule set blocking the java-client, so make the following changes to the URL list:
_helperagent_mac_helperagent_lin_helper)\.jar) change Parameters value Reject to: Ignore
Duplicate rule 29: Change URL value of new rule to: /internalsite/com/whale/sslvpnclient/whalesslvpnclient/class.class
It worked for my Firefox users, but didn't impact me using ActiveX clients on IE8.