My situation is this...I have a good deal of resources I need to publish that are on NAT'd machines, some of them are web which I know the listeners will simplify but some simply need a dedicated IP. I also have one application, Office Communication Server, that requires a dedicated PUBLIC IP for one of its services accessible via the edge server role. My ISP has issued me a 28-bit CIDR block. They have also assigned me a single IP and gateway that I need to use on my Internet facing adapter. This IP and gateway ARE NOT within the 28-bit CIDR block. Here are some of the scenarios I considered...
1. Use a 3-leg perimeter template and bind all addresses to the Perimeter network. I suppose this would be ok but can I "publish" NAT'd resources from the perimeter as I would the external?
2. Use a 3-leg perimeter template and further subnet my block into two 29-bit networks. Assign one of those networks to the perimeter network and configure the range on that network accordingly. This would probably be ok but what do I do with the other subnet...the one I would like to "publish" NAT'd resources with?
Well, here is what I did do and here is where I am stuck...
I considered option #2 above and created a 4th network with an MS loopback adapter to bind the other 29-bit subnet to. After all, I really don't need a "physical" network for that subnet...I simply need ISA aware that the addresses exist and are usable to publish resources. The perimeter network houses the other 29-bit network.
Here is where I am stuck. The solution I used in the aforementioned paragraph works fairly well with a couple of exceptions. Oddly enough the part I thought would not work, the loopback adapter scenario, works flawlessly. I have all usable addresses in the first 29-bit subnet bound to the adapter and the addresses show up when creating publishing rules as "external" addresses that I can select for the listener/publishing rule without any trouble and the rules work flawlessly. This includes the complexities of publishing OWA, Outlook Anywhere and ActiveSync to a NAT'd server as well with SSL. Mind you I created no additional "network" within the ISA server to accomplish this but I did need the loopback for ISA to know about the addresses.
The second 29-bit subnet is configured as a "perimeter" network. The first usable address in that subnet is bound to an adapter that is connected to a switch for hosts on that network since I have one physical machine on that network. The machine on that network has 3 IPs bound to the adapter and lists the IP of the ISA server physical interface facing that network as the default gateway. I cannot access the perimeter network...period. I can ping the interface of the adapter connected to that network on the ISA server but cannot reach the perimeter network. I can get on the DMZ machine and browse the web just fine so I'm not sure what gives as the route table must be working to some extent to allow me to browse the web from that perimeter network. I'm sure it is an access rule or a configuration issue based on the behavior I'm seeing however I'd like to know if I'm taking the right approach or if there is a more practical way to meet the objective.
I've been at this for a couple of weeks...opinions would be most appreciated.
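An added example (not from the post above) that checks the address plan it describes in Python, using placeholder addresses from the RFC 5737 documentation ranges in place of the real ISP assignment: it splits the /28 into the two /29s, confirms the ISA external IP and gateway lie outside the block, lists the loopback publishing pool and the perimeter addresses, and flags a DMZ host whose gateway or addresses do not match the perimeter /29.

```python
# Added example: sanity-check the two-/29 address plan from the post.
# All addresses are constructed placeholders (RFC 5737 ranges), not the
# poster's real ISP assignment.
import ipaddress

ISP_BLOCK = ipaddress.ip_network("203.0.113.0/28")   # the 28-bit CIDR block
EXTERNAL_IP = ipaddress.ip_address("198.51.100.10")  # ISA external adapter IP
EXTERNAL_GW = ipaddress.ip_address("198.51.100.1")   # ISP-assigned gateway


def split_block(block):
    """Split the /28 into two /29s: the first is bound to the loopback
    adapter as the publishing pool, the second is the perimeter (DMZ) net."""
    publish_net, perimeter_net = list(block.subnets(prefixlen_diff=1))
    return publish_net, perimeter_net


def plan(block, external_ip, external_gw):
    """Describe the address plan and confirm the external IP/gateway sit
    outside the routed block, as the ISP set it up in the post."""
    publish_net, perimeter_net = split_block(block)
    perimeter_hosts = list(perimeter_net.hosts())
    return {
        "external_outside_block": external_ip not in block and external_gw not in block,
        "publish_pool": [str(a) for a in publish_net.hosts()],  # bound to loopback
        "isa_perimeter_if": str(perimeter_hosts[0]),            # first usable address
        "dmz_usable": [str(a) for a in perimeter_hosts[1:]],
    }


def check_dmz_host(block, host_ips, host_gateway):
    """Return a list of addressing problems for a host on the perimeter net:
    wrong default gateway, address in the loopback pool, address outside
    the perimeter /29, or collision with the ISA perimeter interface."""
    publish_net, perimeter_net = split_block(block)
    isa_if = next(perimeter_net.hosts())
    problems = []
    gw = ipaddress.ip_address(host_gateway)
    if gw != isa_if:
        problems.append(f"gateway {gw} is not the ISA perimeter interface {isa_if}")
    for ip in map(ipaddress.ip_address, host_ips):
        if ip in publish_net:
            problems.append(f"{ip} belongs to the loopback publishing pool")
        elif ip not in perimeter_net:
            problems.append(f"{ip} is outside the perimeter subnet {perimeter_net}")
        elif ip == isa_if:
            problems.append(f"{ip} collides with the ISA perimeter interface")
    return problems


if __name__ == "__main__":
    print(plan(ISP_BLOCK, EXTERNAL_IP, EXTERNAL_GW))
    # DMZ host with three addresses, one of which was taken from the wrong /29
    print(check_dmz_host(ISP_BLOCK, ["203.0.113.10", "203.0.113.11", "203.0.113.3"], "203.0.113.9"))
```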