The concept behind this is: the external interface of an ISA "program" is considered as one. You can definitely have multiple interfaces bound to the same external interface... where we just define the IP and subnet mask, but the gateway is the same...
Now, of course, we can have multiple ISA servers bound to different IP addresses - like you have one WAN IP and you have 5 LAN IPs in your T1 line. You can definitely put 2 ISA servers on those LAN addresses behind a straight router,
and you can connect the LAN cables to the same gigabit switch... Now, the only issue we have to remember is that we should not overlap the IPs and subnet masks in these two areas...
Your users behind the ISA LAN can point to either of the ISA servers as gateway... you may need to add routing manually to get each to talk to the other...
Multiple gateways is technically not allowed in Windows... a pitfall of code derived from the NT world, or earlier.
Let me try to clarify.
Any router, and ISA+RRAS+TCP/IP is basically just one big fat complicated router (among other things), can have interfaces to multiple networks, and generally speaking these interfaces have IP subnets associated with them. The router sends traffic out a particular interface because it has some understanding of what IP addresses are reached via that interface.
Most routers have another concept: the "default" route; i.e., where it will send traffic that is addressed to an IP address which is not otherwise listed on any of its interfaces (i.e., is not in its routing table).
For example, most simple routers like a Linksys box know about only three routes: 1) the "inside" network (192.x), 2) a tiny subnet facing the ISP that reaches a default gateway (usually set up by DHCP or PPPoE and numbered by a temporary routable IP address), and 3) "other"; i.e., the place where all "other" traffic is sent.
The problem starts here. If there is only one "other", then when that route fails "most" traffic routing will stop. As soon as you have two ISP connections things get complicated. Somebody has to decide when one connection will be used and when the other will be used. Each will probably get the packet to its destination. If you just want to leave one connection idle, and fail over to it when the primary connection dies, that would be simple (and there are simple products like the Linksys RV08 that will do that). As soon as you want to use both connections at the same time, sending some traffic out one and some out the other, you have to do two things: 1) decide which to use; and 2) keep track of NAT-like bookkeeping, because once you establish a particular TCP connection out one interface it is very hard (e.g., nearly impossible) to switch it to the other.
All of this is "too complicated" for your average TCP/IP stack, which is why we have to resort to some add-on product to get this functionality; given the complexity of the VPN and RRAS engine inside Windows, and what is going on inside ISA, that of course is an absurd statement. This stuff should be built into ISA; but it isn't. So there you have it.
All of the above has to do with outbound traffic sharing two (or more, in the case of RainConnect) connections. On the inbound side, things are complicated in different ways. Most inbound traffic arrives at just one IP address through DNS. Most of the products in this "inbound load balancing" category implement some type of DNS server that is set up to answer queries that are targeted to two or more IP addresses. These DNS "A records" have very short TTL values, so that endpoints out on the Internet are constantly asking the DNS server for the right IP address to use. The load balancer answers differently for each query, depending on load and the health of back-end servers, and the health of each Internet connection. In this way, traffic can be routed around a bad connection quickly and automatically. Again, all this functionality is really just a DNS server that is connected to something that is watching the health of the links, and you'd think Microsoft might be able to do that part too, but nooooo.
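The two requirements the post above lays out for using both links at once (choose a link per flow, then keep NAT-like bookkeeping so an established flow never moves) and the short-TTL, health-aware DNS answering it describes for the inbound side can be shown with a small simulation. The code below is an added example, not code from the thread, from ISA Server or from any of the products named; the network numbers, the round-robin policy and the function names are all constructed for illustration.

```python
import ipaddress

class Link:
    """One WAN connection: name, next-hop gateway, public address, health flag.
    All values here are constructed examples (RFC 5737 documentation ranges)."""
    def __init__(self, name, gateway, public_ip, up=True):
        self.name, self.gateway, self.public_ip, self.up = name, gateway, public_ip, up

class DualWanRouter:
    """Toy policy router: longest-prefix match over static routes, and for the
    'default' (everything else) case a per-flow choice between healthy WAN links.
    The flow table is the NAT-like bookkeeping the post mentions: once a flow has
    gone out one link it stays there, because the peer only knows that link's IP."""
    def __init__(self, routes, links):
        # routes: (cidr, interface) pairs, sorted so the most specific match wins
        self.routes = sorted(((ipaddress.ip_network(n), i) for n, i in routes),
                             key=lambda r: r[0].prefixlen, reverse=True)
        self.links = links
        self.flows = {}      # (src, sport, dst, dport) -> link name
        self._next = 0       # round-robin cursor for new flows

    def lookup(self, dst):
        """Static routing-table lookup; 'default' means 'other' in the post's terms."""
        addr = ipaddress.ip_address(dst)
        for net, iface in self.routes:
            if addr in net:
                return iface
        return "default"

    def _pick_link(self):
        healthy = [l for l in self.links if l.up]
        if not healthy:
            return None                      # every 'other' route failed: traffic stops
        link = healthy[self._next % len(healthy)]
        self._next += 1
        return link.name

    def route(self, src, sport, dst, dport):
        """Return the interface/link a packet of this flow leaves on, or None."""
        iface = self.lookup(dst)
        if iface != "default":
            return iface                     # directly connected or static route
        key = (src, sport, dst, dport)
        if key in self.flows:
            return self.flows[key]           # established: pinned to its original link
        link = self._pick_link()
        if link is not None:
            self.flows[key] = link
        return link

    def link_down(self, name):
        """Mark a link failed and drop the flows pinned to it; they cannot be moved,
        so the client must reconnect, and only *new* flows fail over. Returns the
        number of flows lost."""
        for l in self.links:
            if l.name == name:
                l.up = False
        lost = [k for k, v in self.flows.items() if v == name]
        for k in lost:
            del self.flows[k]
        return len(lost)

def dns_answer(links, query_no, ttl=30):
    """Inbound side: answer each A-record query with the public IP of a healthy
    link, rotating between them, with a short TTL so clients re-ask quickly.
    Returns (ip, ttl) or (None, ttl) when no link is healthy."""
    healthy = [l for l in links if l.up]
    if not healthy:
        return None, ttl
    return healthy[query_no % len(healthy)].public_ip, ttl

def demo():
    """Constructed scenario: two WAN links, one LAN, one link failing mid-way."""
    links = [Link("wan1", "203.0.113.1", "203.0.113.10"),
             Link("wan2", "198.51.100.1", "198.51.100.10")]
    r = DualWanRouter([("192.168.1.0/24", "lan"),
                       ("203.0.113.0/30", "wan1"),
                       ("198.51.100.0/30", "wan2")], links)
    out = []
    out.append(r.route("192.168.1.20", 40000, "192.168.1.5", 445))   # lan
    out.append(r.route("192.168.1.20", 40001, "93.184.216.34", 443)) # new flow -> wan1
    out.append(r.route("192.168.1.21", 40002, "93.184.216.34", 443)) # new flow -> wan2
    out.append(r.route("192.168.1.20", 40001, "93.184.216.34", 443)) # same flow -> wan1
    out.append(dns_answer(links, 0)[0])                               # 203.0.113.10
    lost = r.link_down("wan1")                                        # 1 flow lost
    out.append(r.route("192.168.1.20", 40001, "93.184.216.34", 443)) # re-established -> wan2
    out.append(dns_answer(links, 5)[0])                               # only wan2 answers
    return out, lost

if __name__ == "__main__":
    print(demo())
```

The point to take from running it: after `wan1` fails, the DNS side heals within one TTL because every fresh query is answered with the surviving address, while the outbound side can only protect new flows; the pinned flow through the dead link is lost and has to be re-established, which is exactly why a plain stack with one default route cannot paper over this without the extra bookkeeping.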
MS could do it, but then they would have to charge more for the core ISA firewall software. Price out something like a SonicWall with equal specs to an ISA firewall. It's over 10,000 US! Even if you buy the ISA firewall with RainConnect, you still beat the competition by miles.
We're not talking about shops that just want a cheapo NAT router, or a crummy PIX 501; we're talking about real firewall protection, and you have to pay a premium. Or, you can put a 600 US hardware device in front of the ISA firewall and get multiple Internet links.
Our shop is doing as Tom suggested, with load balancing by using a Fortinet FortiGate 200 appliance in front of the ISA server. That takes care of the load balancing. Fortinet has a FortiGate 60 model that also provides redundant ISP connections, as do a couple of models from Symantec. There are probably many more out there too.