Welcome to ISAserver.org


3 External NIC each IP from different ISP

3 External NIC each IP from different ISP - 28.Feb.2001 6:45:00 PM   
george

 

Posts: 74
Joined: 28.Feb.2001
From: Toronto
Status: offline
Is this possible? I'd like to set up ISA with 3 NICs, each NIC has an IP from each of our ISPs (yes, we have 3 different ISPs). I understand that I have to set up the IP settings that are specific to each ISP, like the IP address, default gateway, and DNS. Do I have to have 3 NICs for my DMZ as well? We're going to deploy the back-to-back as taken from the Microsoft ISA deployment guide. We have 3 different ISPs for fault tolerance, so if one of the ISPs ever goes down, the other 2 will still service relay requests for HTTP, FTP or email. Is this even possible?
Post #: 1
RE: 3 External NIC each IP from different ISP - 28.Feb.2001 7:12:00 PM   
rapidrick

 

Posts: 11
Joined: 22.Feb.2001
From: Brookhaven,PA,US
Status: offline
Wow.... To give you the simple answer...


Yes, you can do it. However, you will not be doing (or shouldn't do) it with ISA alone.
I can see using two ISPs, but three?!?! WHY?!

Also, this setup is pretty complex, so I will only cover it at 60,000 feet. Also, I assume you do it the standard way, two ISPs. However it can be done with three, just more complex...

Also, you do NOT need, nor want, three IP ranges from three ISPs. A single transportable block would be fine. The preference is for you to own them. Second preference is for an ISP to rent them to you (a single block as big as you require).

With that assumed....

The firewall/s should connect to a router/s that have the connection to the ISPs. You then need an Autonomous System number assigned to your company to do BGP routing.

Two ISPs must agree to route that single block over both ISP networks. So, let's say you have the following:

24.24.24.0/24 or mask 255.255.255.0

Both ISPs MUST announce this route is available from their network to get it routed down your pipes. There are other ways to kludge this, but they are kludges....

So, for the sake of redundancy...

Assume you will have 2 Cisco 3660 routers, loaded to the teeth with RAM, 256 Megs (I believe the max on a 3660). This should be more than enough. Any less might be too light to pull a full BGP table though...


Hmmmm... On second thought... Why bother with redundancy when ISA as a firewall isn't redundant... OK, make that a single 3660.

Via BGP the traffic will go over both links.... I've never done a third, but it shouldn't be that much of a big deal. Except if you don't own your IP addresses.....

If you need more info I could point you in the right direction...

I'd still like to know why you want three Interfaces, each with Internet legal and from three ISPs. Sounds like something isn't right... Also, what about your private network addresses??


(in reply to george)
Post #: 2
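
A sketch of the single-router BGP multihoming arrangement described in post #2, added here as an example and not part of any poster's message or router. The AS numbers (64512 local, 64496 and 64497 for the ISPs) and the neighbor addresses are placeholders from private and documentation ranges; 24.24.24.0/24 is the example block used in the post. The outbound prefix-list is the part that keeps the site from re-advertising one ISP's routes to the other.

```cisco
! Constructed example: placeholder AS numbers and neighbor addresses.
! 24.24.24.0/24 is the sample block from the post above.
!
! Anchor route so the "network" statement has an exact match in the
! routing table and the block is announced even if an inside link flaps.
ip route 24.24.24.0 255.255.255.0 Null0
!
! Outbound: announce only our own block, nothing learned from an ISP.
ip prefix-list OUR-BLOCK seq 5 permit 24.24.24.0/24
!
! Inbound: never accept our own block (or pieces of it) from outside,
! accept everything else (full table from each ISP).
ip prefix-list NOT-OURS seq 5 deny 24.24.24.0/24 le 32
ip prefix-list NOT-OURS seq 10 permit 0.0.0.0/0 le 32
!
router bgp 64512
 no synchronization
 no auto-summary
 bgp log-neighbor-changes
 network 24.24.24.0 mask 255.255.255.0
 !
 ! ISP A (placeholder peer address and AS)
 neighbor 192.0.2.1 remote-as 64496
 neighbor 192.0.2.1 description ISP-A
 neighbor 192.0.2.1 prefix-list OUR-BLOCK out
 neighbor 192.0.2.1 prefix-list NOT-OURS in
 !
 ! ISP B (placeholder peer address and AS)
 neighbor 198.51.100.1 remote-as 64497
 neighbor 198.51.100.1 description ISP-B
 neighbor 198.51.100.1 prefix-list OUR-BLOCK out
 neighbor 198.51.100.1 prefix-list NOT-OURS in
```

A third ISP would be one more neighbor stanza with the same two prefix-lists applied.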
RE: 3 External NIC each IP from different ISP - 1.Mar.2001 6:15:00 PM   
george

 

Posts: 74
Joined: 28.Feb.2001
From: Toronto
Status: offline
Thanks for the reply, but that doesn't answer my question. I understand what you're saying, but we've decided to implement ISA over Cisco routers. We have all the routers from these 3 ISPs, we're using them now. All I'm asking is how exactly do I set up the ISA Server: do I need 3 NICs to point to each ISP? And what about the internal NICs, do I need 3 of them to be bound individually to each external NIC? I hope this is clear, I know it's very confusing.



(in reply to george)
Post #: 3
RE: 3 External NIC each IP from different ISP - 2.Mar.2001 1:29:00 AM   
tshinder

 

Posts: 47659
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi George,

Rick gave a very elegant explanation of the options, and it's not something I can improve on. When it comes to ISA Server, I tend to take a more lunkheaded approach.

If I have three Internet connections, I would deploy three ISA Servers, and forget kludging around with multiple interfaces on a single server. From what I can tell, MS really would prefer that you don't do this. They're happy with you having multiple internal interfaces, a single external interface, and a DMZ interface, but outside of that, you start getting into areas they don't want to deal with.

I would use three ISA Servers and connect each one to the Internet. Then I would use CARP for outbound fault tolerance and load balancing. As we've all ascertained, fault tolerance for Winsock requests is a lot trickier, because if you use WLBS (NLB) you are limited to using it on the external or internal network, but not both. Also, as Rick has commented on in another post, the ISA Servers do not share a session state table, which can create problems.

HTH,
Tom

------------------
Tom Shinder
http://www.isaserver.org/shinder/


(in reply to george)
Post #: 4
