ISA Server 2006: How to configure two Web Listeners to listen to same Protocol and same Port

I have a 1 NIC ISA 2006 configuration that primarily serves as a reverse proxy and listens for HTTP/HTTPS requests on ports 80/443 for site1.company.com and then forwards that traffic to SharePoint Server. OK, the problem is I also want to listen for site2.company.com on both HTTP/HTTPS on ports 80/447, and ISA flips an ERROR and states:
The Web listeners used in the rule site2.company.com and in the rule site1.company.com specify identical IP addresses and ports. Web listener IP addresses and ports used by different rules cannot overlap.

Actually the IPs don't overlap, just the HTTP/HTTPS protocol; currently site1.company.com and site2.company.com are on 2 different web servers.
kvigor Asked:
pwindell Commented:
"Actually the IPs don't overlap, just the HTTP/HTTPS protocol; currently site1.company.com and site2.company.com are on 2 different web servers."
It isn't about the IP# of the web server; it is about the fact that both listeners are using the same protocol on the same external IP on the ISA.
Your mistake is thinking that you even need two listeners to begin with. You're supposed to use the same listener for both Publishing Rules. You then use Host Headers to distinguish the sites. Host headers are the same thing as the Common Name and the Public Name.
0
kvigor Author Commented:
Thanks windell,

You've just added a little bit of complexity to what I was planning on doing, because when I roll this out into production both of my sites will be on the same server (same IP) and I'll need each site to use its own certificate. As far as I can see you can only assign one certificate to an IP. So how would I add both pub rules to one listener using 2 different certs? Is this even possible? I really don't want to have to purchase a wildcard cert if I don't have to... you know.
0
pwindell Commented:
Yes, you need a wildcard cert.
If you don't have that then you need to have two or more IP#s for the External side of the ISA. The same listener can use multiple IP#s; you then assign a Cert to each IP# within the same listener. ISA 2004 could not do this; ISA 2006 can.
0
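The exchange above turns on whether one certificate can match both public names when the listener has a single IP. As an added example (not part of the original thread or of ISA Server), this sketch applies the common wildcard rule that `*` is the whole left-most label and matches exactly one label; the hostnames other than site1/site2.company.com are constructed.

```javascript
// Added example: which published names does a given certificate name cover?
// Assumed rule: "*" is valid only as the entire left-most label and
// matches exactly one label (the usual client behaviour).

function certNameMatches(certName, host) {
  const c = certName.toLowerCase().replace(/\.$/, "").split(".");
  const h = host.toLowerCase().replace(/\.$/, "").split(".");
  if (c.length !== h.length) return false;       // "*" never spans labels
  if (h.some((label) => label.length === 0)) return false;
  return c.every((label, i) => {
    if (label === "*") return i === 0 && c.length >= 3; // rejects "*.com"
    return label === h[i];
  });
}

// For each published name, list the certificate names that cover it.
function coverage(certNames, publicNames) {
  const result = {};
  for (const host of publicNames) {
    result[host] = certNames.filter((n) => certNameMatches(n, host));
  }
  return result;
}

// Names no certificate in the set covers: a client connecting to one of
// these would see a certificate name mismatch.
function uncovered(certNames, publicNames) {
  const cov = coverage(certNames, publicNames);
  return publicNames.filter((h) => cov[h].length === 0);
}

// Constructed sample: the two sites from the thread plus two edge cases.
const published = [
  "site1.company.com",
  "site2.company.com",
  "company.com",           // bare domain, one label short of the wildcard
  "a.site1.company.com",   // two labels deep, one label too many
];

console.log("single-name cert leaves:", uncovered(["site1.company.com"], published));
console.log("wildcard cert leaves:   ", uncovered(["*.company.com"], published));
```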
kvigor Author Commented:
Yes, however I'm listening to the predefined External Network for web requests. Could I add another NIC and assign that to then listen for site2.company.com?
0
pwindell Commented:
I just saw that you were using a single NIC ISA. I just don't get involved with single NIC ISAs. They present a horrible situation; they are a waste of time in my opinion.
All I can say is that you need multiple IP#s on the NIC (there is only one NIC). The Listener needs to be tied to those. The difference with 2004 vs. 2006 is that 2004 would use a unique Listener for each Site/Cert/IP combo, while 2006 can do it on one Listener, but beyond that point they work the same way.
The features and limitations of a single-homed ISA Server 2004 computer
http://support.microsoft.com/kb/838364/en-us
http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/single_adapter.mspx
0
kvigor Author Commented:
My apologies for the above post; I was thinking out loud, incorrectly I might add. So, I'm stuck with either putting each site on different servers or buying a wildcard cert?
0
kvigor Author Commented:
If I do add addt'l NICs to my ISA, what does that buy me for my existing situation?
0
pwindell Commented:
It would no longer be your existing situation :-)
Adding a NIC constitutes a redesign in topology.
Two NICs give you all of ISA's abilities; a single NIC gives you what the article I gave describes. I don't have a simple answer for that.
0
kvigor Author Commented:
I'll research on TechNet/MSDN whether I can solve my problem by adding an addt'l NIC, after which I'll award points.
0
pwindell Commented:
These links may speed up your research.
TechNet Library: ISA 2006
http://technet.microsoft.com/en-us/library/bb898433(TechNet.10).aspx
Internal Client Concepts in ISA Server 2006
http://technet.microsoft.com/en-us/library/bb794762.aspx
ISA Firewall Dirty Dozen (FAQ)
http://www.isaserver.org/tutorials/ISA-Firewall-Dirty-Dozen-FAQ.html
0
kvigor Author Commented:
Thanks
0
NicolasQuenard Commented:
You are configuring an SSL port that is non-standard.
Creating a Web Listener for 447 for the HTTPS protocol won't work. Because you still need to use the HTTPS Web Proxy Filter, you need to create a new tunneling port 447.

To add a non-standard tunnel port, use the ISA script http://www.isatools.org/tools/isa_tpr.js (cscript isa_tpr.js portSSL447 447)

Once the tunneling port is added, you won't be able to see it in the ISA console, but you will be able to see it with the script above or with the following one: http://www.isatools.org/tools/isainfo.zip

Cheers
0
kvigor Author Commented:
I've added another NIC to the ISA Server (2 total now). I also added another NIC to my Web Server (just in case).
My web listener is currently listening to the following Networks: External, Local Host, Internal 1 (for site1.company.com), and Internal 2 (for site2.company.com). Both sites are now on the same Web Server.
I was able to tell ISA Server to associate ISA NIC 1 (Internal 1) for site1.company.com with SSL_Cert1 and associate ISA NIC 2 (Internal 2) for site2.company.com with SSL_Cert2. The problem is that for each Network I'm listening to, ISA wants an IP (View Image Below), and I can't use the same NIC IP to associate with the other networks, so I'm wondering what I am doing wrong. I have to listen to the External and localhost for Web Requests when publishing SharePoint Sites, right? I have not yet changed my ISA Network Configuration from a Single Network Adapter.
ISA2006-ListenterProperties.jpg
0
kvigor Author Commented:
In addition, in order to get the IIS Server to respond to multiple SSL sites, you have to add an addt'l NIC on the IIS Web Server as well, responding to requests for the other SSL-enabled site.
0
kvigor Author Commented:
Figured it out... needed the 3-Leg Network Template to accomplish what pwindell suggested in Post 24871345.
0
kvigor Author Commented:
OK, had to go with the Edge Template instead.
0