We are trying to implement an array of two ISA servers 2k6 in the DMZ zone, as a Reverse Proxy for our Web Servers in the Intermediate zone. We have decided to set the ISAs as Firewalls because we want to publish not only Web Servers, but we have two other Hardware Firewalls that protect the DMZ from the Internet and the Internal zone. In the perimeter we have Linkproof to balance the Internet links.
Please help to find the strongest and simplest solution.
Now we have some aspects in an ongoing discussion:
- ISAs Load Balancing Method. We have doubts in deciding whether to use the NLB method or some Hardware/External method.
- If we use the NLB method, how will we be able to avoid the broadcast that the NLB will generate in the DMZ zone?
- If we use the Hardware method, our actual standard is to implement load balancing with WSD from Radware. What are we losing with this method?
- Could we use Linkproof instead of WSD to balance the ISAs?
The NLB setup works fine for us. We have a dedicated VLAN for Internal, External and Intra-Array networks; since the broadcasting doesn't go beyond the VLAN, this contains it somewhat. However, the traffic still goes through your switches, and if your switches are all trunked then the traffic is still going through the entire network. Another way to deal with the broadcasting is to put a hub on both sides of ISA.