Dr. Tom Shinder's ISA Server and Beyond: Real World Security Solutions for Microsoft Enterprise Networks

Chapter 4: Defense Plan 3: The Internal "Pseudo" DMZ

Introduction

In the last two chapters, we covered how to create DMZ segments using untrusted networks. In the trihomed DMZ configuration, the untrusted segment is a public address segment directly connected to the ISA server and is a subnet of your public address block. In the back-to-back DMZ configuration, you had the choice of using public or private addresses. In all cases, the DMZ segment was an untrusted network segment, and untrusted network segments are not in the LAT (Local Address Table).

Many organizations have only a small number of public IP addresses at their disposal. Creating a public address DMZ is out of the question for these organizations because they need their few public IP addresses to support Web and server publishing rules. Even if you have a large number of public IP addresses at your disposal, you might not want to buy another Windows 2000 or Windows .Net Server machine and a second copy of ISA Server in order to build either the public or private address back-to-back DMZ configuration.

There is a way to create what could be considered a "pseudo-DMZ" out of a trusted network segment. A trusted internal network segment is contained in the LAT, and you can install multiple internal interfaces on the ISA Server computer. ISA Server is limited to a single external interface, but there is no limit on the number of internal or DMZ interfaces.

You can place two or more network adapters on the ISA server that are dedicated to LAT network segments (Figure 4.1).
