Question integrating Cisco ASA and ISA 2006
#1 (permalink)
Fixed Error!
Posts: 1,497
Join Date: Mar 2007
Rep Power: 3
My issue is that I have multiple SSL websites running and I can't set up ISA Server in Proxy/Single NIC mode when running multiple SSL sites because it needs (in my understanding) to use multiple IP addresses (one for each SSL site). Otherwise it can't understand which site the external user is requesting. I can't use a wildcard SSL certificate (which seems like the only way) because the sites are two different domain names. Virtual IP addresses don't work in Single NIC mode in ISA apparently; at least when I set up the listener nodes it will only list the primary IP address of the interface, whereas in dual NIC mode it lists them all.

So, at this point it looks like I have to run dual interfaces so I can use virtual IPs, but I'm confused as to how to set this up since I don't particularly want the firewall aspects of ISA, and also I'm having issues with gateway problems since there are two interfaces that are basically going to be both plugged directly into the ASA. I guess I just want to know if anyone has done this and basically how they configured it.

If there is a way to run multiple different domain SSL sites through the ISA in a single NIC mode, that would probably be the best option, but I've searched all over and can't find a way to do it. This is confusing to explain so I'm sure it's confusing to read as well. Let me know if you have any questions.
#2 (permalink)
Fixed Error!
Posts: 1,497
Join Date: Mar 2007
Rep Power: 3
Let's take a scenario that I use for my home setup:

                        Internet
                           |
                    external router
                           |
                        switch
                           |
          ----------------------------------------
          |                                      |
     217.x.y.118                            217.x.y.117
     ISA external                           PIX 501 (Runs my VPN)
     ISA Perimeter 10.10.10.2 ------------- 10.10.10.1
     ISA internal 192.168.100.1
          |
          ----------------------------------------
          |             |            |           |
          |             |            |           www (with SSL Certificate for different DNS Domain)
          |             |            Sharepoint (with SSL Certificate)
          |             www (with SSL Certificate)
          Exchange OWA (with SSL Certificate)

The separate domain is actually a failover for my wife's company web site.

The ISA external domain is on a different subnet to the ISA perimeter subnet.

Using the ISA publishing capabilities I don't need to put the servers in the DMZ; the publishing/listeners provide all of the reverse proxy capabilities I need.

I could do away with the PIX but I like Cisco's VPN better, plus I like having the facilities on different boxes; never been a fan of 'jack of all trades' devices.

For you, I assume your ASA will front the ISA and just pass all required traffic through?