Yep - this is what I thought you were talking about.

The problem is, most people don't own their own external routing structure and that's about the only way you'll get anycast routing configured.

By "DNS redirection", I mean you'll have to use incredibly short DNS record TTL for your published names and use the "ISP Link is unavailable", "ISP Link is available" and "ISP Link is online" alert set with custom scripts to change your public DNS records to reflect the change in ISP connectivity state.

...of course, this assumes that you can reach your public DNS server through the active ISP (or perhaps hoist it yourself).

JimmyJoeBob Alooba Office 2007 on Win7 Beta

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jerry Young
Sent: Thursday, March 05, 2009 8:47 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Two external interface on isa

Ah... oh-oh. Did I make a point? I thought I just asked a couple of questions. :)

And about to which did you think I was making a point? IP Anycast?

Some decent documentation about IP Anycast already exists. The following is the link at which I first learned about it (and not long ago!!); it's used at a DNS hosting company which I ended up recommending to my current client when they started looking to outsource their DNS hosting, and has allowed the hosting vendor to maintain a 100% uptime SLA.

https://www.dnsmadeeasy.com/s0306/res/ipanycast.html

A more technical - but still high level enough for a networking neophyte like myself to understand - can be found in the following PDF.

http://www.pch.net/resources/papers/ipv4-anycast/ipv4-anycast.pdf

Now, with regards to the *question* I raised - it really wasn't a point - it looks like it may be possible to set up the TMG Server interfaces to appear to be separate server "instances", providing each external interface is hung off of different routers (see page 7 of the PDF file). That was really what I was alluding to by getting "creative".
The real question is whether or not an interface in Windows (only 2008 and later??) can be configured with a loopback address and TMG (or the server OS itself) can speak an IGP routing protocol to the BGP-speaking border router to which it is connected.

It was really just a thought and why I asked the question. :)

By the way, the answer to "DNS redirection" was...? :)

On Thu, Mar 5, 2009 at 9:18 AM, Jim Harrison <Jim@xxxxxxxxxxxx> wrote:

Unfortunately, most people don't have that option.

Speaking of which, where's that article you were supposed to write on this point? Huh? Huh?!? :)

JimmyJoeBob Alooba Office 2007 on Win7 Beta

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jerry Young
Sent: Wednesday, March 04, 2009 8:04 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Two external interface on isa

Jim,

Can you explain further by what you mean when saying "DNS redirection"?

While moving away from a purely Microsoft implementation, would it be possible to make creative use of IP Anycast (which is usually implemented across multiple hosts in multiple geographic locations, not interfaces on the same host as far as I am aware) to provide the desired assumed behavior?

On Wed, Mar 4, 2009 at 10:02 AM, Jim Harrison <Jim@xxxxxxxxxxxx> wrote:

..and how would you provide inbound LB across ISP connections?

DNS redirection is the only way to accommodate this.

JimmyJoeBob Alooba Office 2007 on Win7 Beta

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Steve Moffat
Sent: Wednesday, March 04, 2009 4:48 AM
To: ISA Mailing List
Subject: [isalist] Re: Two external interface on isa

Indeed.
Only outgoing LB at the moment tho'

S

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jerry Young
Sent: Wednesday, March 04, 2009 8:45 AM
To: ISA Mailing List
Subject: [isalist] Re: Two external interface on isa

So the solution (assuming a Microsoft-based solution) would be to drop ISA Server and pick up Forefront Threat Management Gateway?

On Wed, Mar 4, 2009 at 7:38 AM, Steve Moffat <steve@xxxxxxxxxx> wrote:

Not without rainwall or some other 3rd party app. Can only have 1 gateway in ISA.

TMG does it natively.

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jerry Young
Sent: Wednesday, March 04, 2009 8:36 AM
To: ISA Mailing List
Subject: [isalist] Re: Two external interface on isa

You're only allowed a single default route in a generic setting. By having two avenues to the Internet, you're essentially indicating that you need two, which you won't be able to do.

Now, you may be able to leverage RRAS and configure the box as an OSPF router but I don't know if you can run ISA on top of such a configuration and if you can I don't know what might be able to be done to get ISA to play nicely with OSPF in the way you want it.

On Wed, Mar 4, 2009 at 7:26 AM, Vineet Tripathi <vineetktripathi@xxxxxxxxx> wrote:

I want to setup ISA Server with 3 network cards. One will be connected to the internal network, where all client workstations and corporate file/mail servers are. Two other network cards will be connected to two independent external networks; each external network has its own connection to the Internet (to different ISP).

I want ISA server to route packets between those two external networks. How can I do this?

--
Cordially yours,
Jerry G. Young II
Microsoft Certified Systems Engineer