Since the old days, ISA and now TMG have had several great features that I often want to deploy to my customers because of the enhanced functionality and security, but often the cost of an additional server HW, Windows Server, and TMG license is too much to justify when compared to a $300-500 appliance.
Are there other gateway firewalls that can perform one or more of these application layer features:
- Pre-authenticate incoming HTTP traffic against AD/LDAP before sending packets to internal server (forms auth or basic creds popup)?
- Read host headers of incoming HTTP traffic (even on https) to a public IP and route packets to different internal servers based on that host header?
Well, you could use a combo with Squid and Varnish.
Squid will be used for the authentication on LDAP, and Varnish will redirect to the server depending on the header information.
I think you can even use squid to do both jobs.
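As an added illustration of the "Squid can do both jobs" point (this is not configuration from the answer above; it is an example written here), the following squid.conf fragment runs Squid as a reverse proxy that authenticates every request against Active Directory with the bundled basic_ldap_auth helper and then picks the origin server from the Host header. Squid 3.x syntax is assumed; the listening IP 203.0.113.10, the two backends 10.0.0.11 and 10.0.0.12, the hostnames, the LDAP base/bind DNs, the helper path and the certificate paths are all placeholders to adjust for your environment.

```conf
# Listen on the public IP in accelerator (reverse-proxy) mode.
# "vhost" tells Squid to pick the origin from the Host header;
# "defaultsite" is the fallback for clients that send none.
http_port 203.0.113.10:80 accel vhost defaultsite=www.example.com
https_port 203.0.113.10:443 accel vhost defaultsite=www.example.com \
    cert=/etc/squid/certs/example.com.crt \
    key=/etc/squid/certs/example.com.key

# Basic auth against AD over LDAP. The helper path varies by distribution;
# the bind account and base DN below are placeholders.
auth_param basic program /usr/lib/squid/basic_ldap_auth -R -s sub \
    -b "dc=example,dc=local" \
    -D "cn=squidbind,cn=Users,dc=example,dc=local" \
    -W /etc/squid/ldap_bind_password \
    -f "(sAMAccountName=%s)" \
    -h dc1.example.local
auth_param basic realm Corporate web access
auth_param basic credentialsttl 5 minutes
acl authenticated proxy_auth REQUIRED

# One origin server per public hostname (placeholder addresses).
cache_peer 10.0.0.11 parent 80 0 no-query originserver name=owa
cache_peer 10.0.0.12 parent 80 0 no-query originserver name=intranet

acl site_owa      dstdomain mail.example.com
acl site_intranet dstdomain intranet.example.com

# Route each hostname to its own backend and nowhere else.
cache_peer_access owa      allow site_owa
cache_peer_access owa      deny  all
cache_peer_access intranet allow site_intranet
cache_peer_access intranet deny  all

# Nothing reaches a backend until the client has authenticated,
# and only the two published hostnames are accepted at all.
http_access allow authenticated site_owa
http_access allow authenticated site_intranet
http_access deny all
```

Two practical notes: in accelerator mode Squid challenges the browser with a normal 401/WWW-Authenticate rather than a proxy 407, so the credentials popup works for ordinary clients; and because TLS is terminated before the Host header is visible, the certificate on the https_port has to cover every published hostname (a wildcard or SAN certificate), which is the same constraint any such gateway has. Keep the bind password file readable only by the Squid user, and bind to a domain controller over LDAPS (ldaps:// in -h, with a CA the helper trusts) if the helper will cross an untrusted segment.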
True application/proxy firewalls in appliance form generally run above that range. (Palo Alto and Sidewinder... I mean McAfee Firewall Enterprise come to mind, but are $$).
I would recommend the Fortinet FortiGate 60C. It is a really solid box, and a no-frills system would cover your two requirements at around $500.
If the $300-$500 appliances could do all that, they'd cost more? :)
Application Request Routing, an add-on extension for IIS 7, can do bits of that. It can be configured with fairly extensive rules for forwarding, but doesn't have preauthentication built in. My read is that it would be non-trivial but not hard to do. Likewise, its interface for rule construction might leave a bit to be desired when compared with TMG.
The SSL host headers part can be done by ARR as well, or at least by IIS - it doesn't solve the problem of requiring a SAN or wildcard certificate (and arguably, nothing should), but it does allow/require the SSL session to be established before the host cracking bit happens.
It doesn't do garden-variety port forwarding though, so you'd want RRAS configured underneath it too, as a guess. But the total cost would be close to Windows + hardware, and it could be scaled down to a very small box in many cases, I'd guess.