I was recently asked what happens when you select more than one authentication type in your web listener?
In this KB article: 295667, How to Allow Third-Party Internet Application Connections Through ISA Server 2000. It suggests 4 methods. Method 2 suggests checking Basic Authentication under Outgoing Web Requests under Properties of your Server. (For ISA 2004 this would be in the Properties of your Web Listener in Authentication.)
The article doesn't mention unchecking Integrated Authentication so this leaves you with both Basic Authentication and Windows Integrated Authentication selected. What's the ISA Server going to do?
The answer is, it will use which ever authentication method the requesting client sends. If the application, in this case stamps.com, sends only basic authentication, then ISA process it as Basic Authentication. There is no fail over as such. If the data comes as Basic then it'll be processed as Basic. If it comes Integrated, then it'll be processed differently.
ISA doesn't control the authentication method, the client does. It up to us as admins to tell ISA whether it's allowed to process those types of authentication.