One of the major improvements introduced with the ISA 2004 firewall was its enhanced multinetworking support. Think of the ISA firewall’s multinetworking support as similar to the “multiple virtual firewalls” you get with other firewalls, where you assign firewall policies that apply to specific NICs. With ISA 2004, and subsequently with the ISA 2006 firewall, you can install a virtually unlimited number of NICs, each defining its own ISA firewall Network, to create multiple DMZ, perimeter and internal networks.
Multiple internal networks have been problematic because, to get full autoconfiguration support for Firewall and Web proxy clients, you need to use the autoconfiguration script generated by the ISA firewall. The best way for Firewall and Web proxy clients to obtain this script is WPAD-based autodiscovery, which lets the Web proxy and Firewall clients automatically obtain their configuration information from the ISA firewall and so gives you the best combination of performance and security.
The problem is that the autoconfiguration script embeds IP addresses or names in the script. Clients need to connect to the NIC on the ISA firewall Network from which they connect, but the ISA firewall is not aware of which ISA firewall Network the autodiscovery request comes from, so it delivers the same script to all hosts, regardless of their location.
Stefaan Pouseele has a great blog post showing how to solve this problem with DNS netmask ordering. Check out Stefaan’s solution here: http://blogs.isaserver.org/pouseele/2006/06/30/multi-networking-wpad-support-in-isa-2004/
You can use this method to close the loop in the Wireless Internal Network design that Jim Harrison and Chris Gregory presented in their TechEd session on securing wireless DMZs with ISA firewalls. You can get information on this presentation at: http://blogs.isaserver.org/shinder/2006/06/15/teched-notes-jim-harrison-and-chris-gregory-present-securing-wireless-dmzs-with-isa-firewalls/
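To make the netmask-ordering idea concrete, here is an added example of the Windows DNS server side, written for this page; it is not code from the original post and is not Stefaan’s article itself, so check his post for the details of his configuration. The zone name example.local, the DNS server name DNS1, the ISA firewall interface addresses (10.0.1.1 on the Internal Network, 10.0.2.1 on a Wireless Internal Network, 10.0.3.1 on a second wired internal Network, all /24) and the assumption that the ISA firewall is configured to hand out its own FQDN rather than an IP address in the script are all mine. The idea is one “wpad” A record per ISA internal NIC, with netmask ordering turned on so the DNS server puts the record that shares the querying client’s subnet first.

```batch
@echo off
REM Added example, not from the original post: per-Network WPAD records with
REM Windows DNS netmask ordering. Assumed values: zone example.local, DNS server
REM DNS1, ISA firewall internal NICs 10.0.1.1 (Internal), 10.0.2.1 (Wireless
REM Internal) and 10.0.3.1 (second wired internal Network), all /24 subnets.
set DNSSERVER=DNS1
set ZONE=example.local

REM 1. Netmask ordering: A records whose address shares the querying client's
REM    subnet are placed first in the answer. LocalNetPriorityNetMask is an
REM    inverted mask: 0x000000FF means /24 (the default); use 0x0000FFFF for /16
REM    if the ISA firewall Networks are larger than /24.
dnscmd %DNSSERVER% /Config /LocalNetPriority 1
dnscmd %DNSSERVER% /Config /LocalNetPriorityNetMask 0x000000FF

REM 2. One A record named exactly "wpad" per ISA firewall internal NIC. Clients
REM    build http://wpad.example.local/wpad.dat from their DNS suffix, so with
REM    ordering on, a 10.0.2.x wireless client is handed 10.0.2.1 first.
for %%I in (10.0.1.1 10.0.2.1 10.0.3.1) do dnscmd %DNSSERVER% /RecordAdd %ZONE% wpad A %%I

REM 3. Assumption: the ISA firewall hands out its own FQDN (isa.example.local),
REM    not an IP address, in the script and Firewall client settings, so the
REM    same netmask-ordered records resolve that name per Network as well.
for %%I in (10.0.1.1 10.0.2.1 10.0.3.1) do dnscmd %DNSSERVER% /RecordAdd %ZONE% isa A %%I

REM 4. Caveat for Windows Server 2008 and later DNS servers: "wpad" is on the
REM    global query block list by default and is never answered. Leave only
REM    isatap on the list so the records above are actually returned.
dnscmd %DNSSERVER% /Config /GlobalQueryBlockList isatap

REM 5. Check: run this on a client on each Network. The first A record in the
REM    answer must be the ISA firewall NIC on that client's own Network.
nslookup wpad.%ZONE% %DNSSERVER%
```

Two things to verify alongside the DNS change: autodiscovery must be published (Network properties, Auto Discovery tab) on every ISA firewall Network whose clients should use it, on the same port, and the clients must actually query the Windows DNS server on which ordering is enabled, because an answer cached by some other resolver is handed back in whatever order that resolver stored it.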
Thomas W Shinder, M.D.
MVP — ISA Firewalls