I have heard that with 1 NIC you can only do HTTP publishing which includes OWA/EAS/OWA. What about if I need to do SMTP Publishing or VPN to the internal network. Do I really need 2 NICs or is this 1 NIC limitation to HTTP only a myth?
From: Lebanese in Kuwait
Configuring ISA Server with a Single Network Adapter Configuration Problem: There are a number of issues associated with the configuration of ISA Server on a computer with a single network adapter. Cause: The causes include:
•Multi-network firewall policy. In single network adapter mode, ISA Server recognizes itself (the Local Host network). Everything else is recognized as the Internal network. There is no concept of an External network. The Microsoft Firewall service and application filters operate only in the context of the Local Host network. (ISA Server protects itself no matter what network template is applied.) Because the Firewall service and application filters operate in the context of the Local Host network, you can use access rules to allow non-Web protocols to the ISA Server computer. This has implications for running applications located on the ISA Server computer.
•Application layer inspection. Application level filtering does not function, except for Web Proxy Filter for Hypertext Transfer Protocol (HTTP), Secure HTTP (HTTPS), and File Transfer Protocol (FTP) over HTTP.
•Server publishing. Server publishing is not supported. Because there is no separation of Internal and External networks, ISA Server cannot provide the NAT functionality required in a server publishing scenario.
•Firewall clients. The Firewall Client application handles requests from Winsock applications that use the Firewall service. In a single network adapter environment, this service is only available in the context of the Local Host network (protecting the ISA Server computer), and Firewall Client requests are not supported.
•SecureNAT clients. SecureNAT clients use ISA Server as a router to the Internet, and SecureNAT client requests are handled by the Firewall service. In a single network adapter environment, this service is only available in the context of the Local Host network (protecting the ISA Server computer), and SecureNAT client requests are not supported.
•Virtual private networking. Site-to-site virtual private networks (VPNs) are not supported in a single network adapter scenario. Remote client VPN access is supported in a single network adapter scenario.
1st question: 2 more questions. My current client doesn't have a DMZ but wants SMTP Publishing. If we use 2 NICs, will it be fine if both NICs are part of the same subnet and we use an Internet IP NAT'd to one of the internal IPs to use that NIC as the public NIC and then the other NIC on the same subnet as the internal NIC?
Will this work?
2nd question: I see the following on the site you linked: ISA Server Does Not Support Multiple External Interfaces Problem: ISA Server does not support multiple external connections to the Internet. Cause: ISA Server does not support configuring multiple connections on the External network adapter. Solution: No workaround. There are a number of third-party products that may provide a solution. For more information, see High Availability and Load Balancing at the Windows Server System Web site.
Does this apply in ISA 2006? On the public interface, I was planning to have 2 IPs and NAT 2 different public IPs to each one of the 2 IPs on the internet facing NIC.
< Message edited by icroyal -- 11.Apr.2008 8:31:18 AM >