From: Manchester, UK
I have recently built (and torn apart again) a similar scenario to the one you are describing, except I was using a three-homed perimeter network configuration.
You could do it two ways:
1. Use packet filtering (static firewall) instead of dynamic (server publishing) - then the ISA server would only have one public / internet IP address. Configure the router that is upstream of the ISA server so that it has a default route to the subnet that is in the DMZ, through the ISA server. Configure Packet Filters on the ISA server to allow the protocols through that are used by the servers in the DMZ. In this configuration the ISA server is acting as a kind of router, and all the servers in the DMZ must have public addresses.
2. Use server publishing rules, or dynamic filtering. You can use private addresses in the DMZ (they are never actually made visible to the internet) - configure server publishing rules (as per Tom S's article) - and yes, you will need to add enough addresses to the ISA server's internet-side interface to support the different servers in the DMZ. You only need one IP address per service that you are offering though - so if you've got two SMTP servers in there, you'll need two IP addresses registered, but if you then want to offer HTTP, you can use one of the existing ones, as you are listening for a different port, and can use that to make the mapping, instead of the IP address.
I hope that all makes sense? One last thing, I did mention that I tore the DMZ config down again - reason: if you want to use MS Exchange in the DMZ, or you need NT / AD authentication on the webservers, you'll come up with two options, both of which are VERY insecure:
* Punch holes in the firewall with packet filters to support NT / Win2k authentication / RPC / LDAP / NBT / etc... between the servers in the DMZ and your Domain Controllers (inside the LAN) -- Why is this bad? You need to open so many ports through your LAN firewall, it may as well not be there.
* If you are using Win2K - put a DC in the DMZ that is in a different site to the rest of the organisation, and use SMTP intersite communication. Then add a packet filter through your LAN side firewall to allow communication through port 25 through.
-- Why is this bad? Having a DC in your DMZ seems like a really bad idea. Although, if you were using server publishing rules and private addresses to publish your server like this, it might not be too bad, as the only services visible are the ones that are explicitly defined in the publishing rules.
Does this answer any questions, or just raise more!
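An added example (not part of the post above) of the listener arithmetic from option 2: each publishing rule binds one (public IP, port) listener on the ISA external interface to one private DMZ server, so a second SMTP server needs a second public address while HTTP can share an address already in use. The addresses and service list are constructed sample values; the "pool exhausted" case is handled explicitly.

```python
# Constructed example: planning ISA-style server publishing listeners.
# A listener is the (public IP, TCP port) pair the external interface
# listens on; each listener forwards to exactly one private DMZ server.

PUBLIC_POOL = ["203.0.113.10", "203.0.113.11", "203.0.113.12"]  # constructed

# (service name, external port, private DMZ address) -- constructed sample
SERVICES = [
    ("smtp-1", 25, "192.168.50.10"),
    ("smtp-2", 25, "192.168.50.11"),
    ("http", 80, "192.168.50.12"),
    ("https", 443, "192.168.50.12"),
]


def plan_publishing_rules(services, pool):
    """Greedy allocation: reuse a public IP whenever the port is still free
    on it, and take a new address only when every address already in use
    has that port bound. Returns (rules, public_ips_used)."""
    in_use = {}  # public ip -> set of ports already bound (insertion ordered)
    rules = []
    for name, port, private_ip in services:
        target = next((ip for ip in in_use if port not in in_use[ip]), None)
        if target is None:
            unused = [ip for ip in pool if ip not in in_use]
            if not unused:
                raise ValueError(f"no free public address left for {name}:{port}")
            target = unused[0]
            in_use[target] = set()
        in_use[target].add(port)
        rules.append({"name": name, "listener": (target, port),
                      "server": (private_ip, port)})
    return rules, list(in_use)


def exposed_ports(rules):
    """Only ports named in a publishing rule are reachable from outside;
    everything else on the DMZ hosts stays private."""
    return sorted({rule["listener"][1] for rule in rules})


if __name__ == "__main__":
    plan, addresses = plan_publishing_rules(SERVICES, PUBLIC_POOL)
    for rule in plan:
        print(f"{rule['name']:7} {rule['listener']} -> {rule['server']}")
    print("public addresses needed:", len(addresses), "exposed ports:", exposed_ports(plan))
```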