So, in the world of SSL/https you can just bind a new static public IP address to the firewall internet interface and use one SSL service (like an https://site, Outlook Anywhere or something like RDP over RPC over HTTPS) per public IP address - as using more than one per IP address like you can with HTTP using host headers/aliasing isn't normally possible...

...however, in this lab of mine I only get dynamic public IP addresses. Enabling more than one SSL service is a bit of a problem but I would certainly like to try ^^

I see two possibilities (if any):

  1. Somehow get the firewall interface (which runs Windows 2003 and ISA 2006 right now) to request and bind more than 1 public IP address using DHCP. Some kind of cheating with bridging, MAC spoofing or something to get more than one address assigned to the same logical firewall interface? Just adding another NIC is sadly not supported as an ISA won't have more than one external logical interface (but it can have any number of (normally static) IP addresses).

  2. Use some neat trick with the ISA (which has a wildcard certificate) to splice incoming SSL requests for different host names to different internal SSL services. This I recall was some new internet feature which isn't widely supported, using host header-like inspection of SSL traffic. But as the ISA should be able to terminate any SSL connections locally and then bridge them to internal services - shouldn't it be able to inspect a host header even with the old-school standard and do something useful?

So far I've had no luck thinking of a good solution involving either of these other than trying to convince the ISP to sell some static leases or just give up and set up another separate ISA for each SSL service. At production sites this is not a problem and one simply adds the number of given static IP addresses to the external firewall interface as needed.

I'm all ears for good ideas - perhaps I just overlooked something really obvious ^^

Oskar Duveborn

1 Answer

Something simple and obvious: Use different ports for each service!

Christian
  • Doh, I forgot to put that into my question ;) fair enough, +1 - but that means changing port on the client-side which is not pretty enough (or even possible most times) ^^ – Oskar Duveborn Nov 03 '09 at 15:07