Multi-WAN in front of ISA server 2006

  • Looking for some advice using pfSense as a multi-WAN router in front of an ISA 2006 server. I have been using pfSense for about a year as a multi-WAN router/firewall, first with 3 DSL connections, and now with 2 DS3 connections. Each DS3 connection has its own /25 IP block. I am now getting ready to deploy an ISA server to segregate my users, internal servers, and public servers.

    I've included a basic diagram of what I am envisioning. I'm trying to figure out where to NAT, where to route, where to bridge. I'll have 6-10 publicly accessible web servers in the DMZ. I'd like to maximize the functionality of the ISA server, including web proxy for users, and application filters for my web servers. I want to minimize the use of the pfSense box, using it primarily as a packet filtering router. It seems like using pfSense in bridge mode would be ideal, but my understanding is that it is not possible when using multi-WAN.

    So, how do I make my web servers accessible? Where do I NAT, where do I port-forward, where do I route? I just can't seem to get my head around how to set it up.

    If I NAT on the ISA box for all internal clients and servers, doesn't my ISA box need a public IP on the WAN interface? If I NAT on the pfSense box, will that reduce my filter/proxy functionality on the ISA? Do I set up VIPs for the public address of the web servers, and NAT them to the private addresses of the web servers?

    It seems like I have to do NATing on the pfSense box, if I'm going to have a private network between it and the ISA. Or can I use some of my public IP block for that segment?

    I'm still learning both of these products, and don't have a lot of time for training. So I thank you for any advice.

    ![Network Layout Basic.png](/public/imported_attachments/1/Network Layout Basic.png)