ISA server does NOT support two default gateways. Therefore, as said before numerous times, do NOT configure a default gateway on the perimeter or DMZ interface. You should instead define persistent static routes for the destinations reachable through the perimeter/DMZ interface.
OK, I read the articles, and that was clear before.
When ISA was originally set up for the two connections, it had only ONE default gateway, on the 192.168... NIC. On the perimeter NIC (195.199.55....) there wasn't any default GW entry.
I think the routing was correct, because everyone could surf on the net, no matter whether they get a page from the 195.199 subnet, or from anywhere.
I think there wouldn't be any problems if the default GW were 188.8.131.52, because in this config every session from outside came in on that interface. (Because our DNS name is that!) And nobody wanted to get in on the other interface, because it didn't have a DNS name!
But I can't do that! I can isolate only the 195.199 segment.
Wait a moment... I have the impression you misunderstood the trihomed DMZ configuration for that particular scenario!
You can only use it to access from the internal LAN a limited set of destinations through the DMZ interface. Likewise, you can only publish services through the DMZ interface to the same limited set of destinations.
Can you elaborate in more detail on what you want to achieve *exactly*?
So, to sum up everything... ISA doesn't support the two Internet connections unless you have a DMZ, which is on a particular subnet (no matter whether it has a private or public IP), and you can reach these machines only on the DMZ interface, and they can see only the DMZ interface.
Well, in fact the configuration can be a little bit more complex! Let's draw a little schema:
LAN --- [ISA] --- [RTR1] --- Internet
          !
          !  NetID2
          !
          +--- [RTR2] --- WAN --- [RTR3] --- [Servers]  NetID3
The ISA default gateway is set on the ISA external interface and points to the LAN interface of RTR1. Also, no default gateway is set on the ISA DMZ interface. On ISA you define a persistent static route for NetID3, reachable through the DMZ interface, with the LAN interface of RTR2 as gateway. So, ISA knows 2 routes through its DMZ interface: NetID2 (directly connected) and NetID3.
Now, if an internal host wants to access a destination on NetID3, then the normal outbound policy will be applied (protocol and site&content rules) and ISA will route that traffic to RTR2. The source IP address will be the primary IP address assigned to the ISA DMZ interface.
It should be clear now that the servers on NetID3 should route the responses back through RTR3. In other words, seen from NetID3, NetID2 should only be reachable through RTR3. This is very important. The above means also that any service you publish on the ISA DMZ interface will be reachable from NetID3.
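Added example, not part of the original thread: a small route-table check for the layout described above. It confirms that traffic to NetID3 leaves through the DMZ interface via RTR2, flags a second default gateway on the DMZ NIC, and verifies that a NetID3 server replies through RTR3. All addresses, interface names and function names are constructed assumptions.

```python
import ipaddress

# Constructed addressing (assumptions, not from the thread):
# LAN 192.168.0.0/24, NetID2 10.2.0.0/24 (ISA DMZ segment), NetID3 10.3.0.0/24.
# Each route is (destination, gateway or None if directly connected, interface).
ISA_ROUTES = [
    ("0.0.0.0/0", "203.0.113.1", "external"),   # the single default gateway: RTR1
    ("203.0.113.0/24", None, "external"),
    ("192.168.0.0/24", None, "internal"),
    ("10.2.0.0/24", None, "dmz"),               # NetID2, directly connected
    ("10.3.0.0/24", "10.2.0.254", "dmz"),       # NetID3 via RTR2 (persistent static route)
]
# Route table of a server on NetID3; 10.3.0.1 is a hypothetical other default router.
SERVER_ROUTES = [
    ("10.3.0.0/24", None, "lan"),
    ("0.0.0.0/0", "10.3.0.1", "lan"),
    ("10.2.0.0/24", "10.3.0.254", "lan"),       # NetID2 via RTR3
]

def lookup(routes, dst):
    """Longest-prefix match. Returns (gateway, interface), or None if unroutable."""
    addr, best = ipaddress.ip_address(dst), None
    for net, gw, iface in routes:
        n = ipaddress.ip_network(net)
        if addr in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, gw, iface)
    return best and (best[1], best[2])

def audit_defaults(routes, dmz_iface="dmz"):
    """Flag anything other than exactly one default route, and any on the DMZ NIC."""
    defaults = [(gw, i) for net, gw, i in routes if ipaddress.ip_network(net).prefixlen == 0]
    findings = []
    if len(defaults) != 1:
        findings.append(f"{len(defaults)} default gateways configured, expected 1")
    findings += [f"default gateway {gw} on {i} interface" for gw, i in defaults if i == dmz_iface]
    return findings

def return_path_ok(server_routes, isa_dmz_ip, rtr3_ip):
    """Replies to the ISA DMZ address must leave the server via RTR3."""
    hit = lookup(server_routes, isa_dmz_ip)
    return hit is not None and hit[0] == rtr3_ip

if __name__ == "__main__":
    print(lookup(ISA_ROUTES, "10.3.0.25"))
    print(audit_defaults(ISA_ROUTES + [("0.0.0.0/0", "10.2.0.254", "dmz")]))
    print(return_path_ok(SERVER_ROUTES, "10.2.0.1", "10.3.0.254"))
```
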