I was really trying to work an Animal Farm joke in here, but I can’t make it work.
Susan brings up a couple of really good points (IMNSHO) – first, I’ll tackle the NIC question: I always tend to come back to the two (plus)-NIC variant for any given ISA Server. From an ISA perspective, there are clear benefits (and a lack of limitations) to using multiple NICs.
In discussing how you need to get to know your firewall, Susan also touches upon something that one of my customers told me about ISA 2004 a while back:
“Tristan”, he said, “If you’re going to be giving feedback to the product team anytime soon, the live logging is a win.”
I’d forgotten that this was something new at the time he told me, but it offers a couple of huge benefits when troubleshooting: directly, you get to look at why a certain piece of traffic is being handled in a way you didn’t expect; indirectly, it helps you easily get a better understanding of the workings of the firewall.
This customer had a really good handle on protocols, publishing and general ISA operation, but some of the junior people he worked with didn’t (at least at first), and he said that this helped them see the traffic patterns and learn how the protocols themselves worked, without requiring a capture-and-analyze approach (as, say, Network Monitor/Ethereal or log analysis after the fact would).
If you’re not already using Live Logging in ISA 2004, quickly go check it out – it’s in the Monitoring area, on the Logging tab – just set the Log Time field to Live, and hit Start (optionally filtering on some useful criteria), then, um, do stuff, and watch how ISA reacts.
So, my advice: you can use Live Logging to get to know your firewall a little better.
(And if that doesn’t work, you can always try to buy it dinner and a movie; I find ISA just eats romantic comedies.)