Posts: 3
Joined: 8.Jul.2004
From: Australia
Status: offline
We are migrating to ISA 2004 from ISA 2000 which is in a front-end/back-end scenario behind a Cisco Pix.
We currently publish one OWA server & Fileway using SSL and one web server not using SSL.
Part of the reason for migrating is multiple networks (ie secure wireless) but the other is to publish 2 OWA servers (in 2 different forests with one way external trust - ISA is in the down level forest) and 2 Sharepoint sites.
We would like to use forms-based authentication for the OWA sites, which doesn't live nicely with other authentication methods, so we want one listener each for the OWA servers and one listener for all other web publishing (using host headers).
I was assuming three separate NICs in 3 different subnets talking to 3 interfaces on the Pix (if these are going through a switch instead of directly connected to the Pix, what happens about gateways?), but the Pix engineer doesn't want to 'use up' the six interfaces available just in case(?), so he asked if one listener can have multiple IPs, either in the same subnet (all using the same gateway - the PIX) or in different subnets, still all talking to the PIX (not sure what to do about gateways in that case), which then sends the request to ISA depending upon the URL of the originating request.
The PIX's external interface has the public IPs (we have a couple to play with), and currently ISA's 'external' interface has a 172.x.x.x address with the DG of the PIX, and the internal interface has a 192.168.x.x address with no gateway.
I have to provide the PIX gentleman with some facts within the next two days and am not having much luck finding information about a similar installation. Any ideas would be greatly appreciated.
You can bind multiple addresses to a single interface on the ISA firewall, but each network ID must be on a different interface.
So, if you have three different network IDs, then you'll need three NICs, and define three ISA firewall Networks representing the addresses reachable by each interface.
I assume the PIX is in front of one of the interfaces?
Hello, Tom,
Many thanks for the quick reply.
I reread some more of the ISAServer.org articles yesterday and now with your reply I think I have got it! (I hope)
As the PIX is indeed on the interface ISA will have as the 'external' network and for that network what we want to do is have different listeners for different published servers with different forms of authentication then what we must do is have three IPs in same subnet on that one NIC with one gateway and use each individually in each listener.
I will use the other NICs in ISA when I have a different network (ie a different subnet entirely, like a wireless subnet) to configure. We have installed a few for future expansion of networks.
Have I understood this correctly now? On the external interface I will assign three IPs all in the same subnet with one DG and I will create three different listeners, one for each IP with a different form of authentication on each and use each in a different publishing rule.
Many thanks for all your time and effort and the great articles and books.
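As an added check (not from the thread or from ISA itself), the script below encodes the two rules the thread settles on: every address on one NIC must share one network ID (otherwise another NIC is needed), and each web listener gets its own IP on that NIC. The addresses, interface and listener names are constructed assumptions standing in for the poster's real ones.

```python
from ipaddress import ip_address, ip_interface

# Constructed plan mirroring the thread: three listener IPs on the
# 'External' NIC, all in one subnet with the PIX as the only gateway.
PLAN = {
    "interfaces": {
        "External": {"gateway": "172.16.0.1",
                     "addresses": ["172.16.0.10/24", "172.16.0.11/24", "172.16.0.12/24"]},
        "Internal": {"gateway": None, "addresses": ["192.168.1.1/24"]},
    },
    "listeners": {
        "OWA-ForestA": {"ip": "172.16.0.10", "auth": "forms"},
        "OWA-ForestB": {"ip": "172.16.0.11", "auth": "forms"},
        "Other-Web":   {"ip": "172.16.0.12", "auth": "basic"},
    },
}


def check_plan(plan):
    """Return a list of problems; an empty list means the plan follows the rules."""
    problems = []
    ip_to_iface = {}
    for name, iface in plan["interfaces"].items():
        # Rule 1: one network ID per NIC (several addresses in it are fine).
        nets = {ip_interface(a).network for a in iface["addresses"]}
        if len(nets) > 1:
            problems.append(f"{name}: {len(nets)} network IDs on one NIC; use one NIC per network ID")
        gw = iface["gateway"]
        if gw is not None and not any(ip_address(gw) in n for n in nets):
            problems.append(f"{name}: gateway {gw} is not in the NIC's subnet")
        for a in iface["addresses"]:
            ip_to_iface[str(ip_interface(a).ip)] = name
    # Rule 2: each listener binds an address that exists, and no two listeners share one.
    owner = {}
    for lname, lst in plan["listeners"].items():
        ip = lst["ip"]
        if ip not in ip_to_iface:
            problems.append(f"listener {lname}: {ip} is not assigned to any NIC")
        if ip in owner:
            problems.append(f"listener {lname}: shares {ip} with {owner[ip]}; give each listener its own IP")
        owner.setdefault(ip, lname)
    return problems


def nics_required(plan):
    """Number of NICs the plan needs: one per distinct network ID."""
    nets = {ip_interface(a).network
            for iface in plan["interfaces"].values() for a in iface["addresses"]}
    return len(nets)


if __name__ == "__main__":
    print(check_plan(PLAN) or "plan OK", "| NICs required:", nics_required(PLAN))
```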