Microsoft Internet Security and Acceleration Server 2000

Secure Network Address Translation

Secure network address translation (SecureNAT) is an extension of the Microsoft® Windows® 2000 NAT driver.

NAT substitutes a global IP address, valid on the Internet, for an internal IP address. This substitution allows multiple hosts with private IP addresses to share a single external (public) IP address, yet remain protected by the ISA Server Firewall service.

ISA Server's SecureNAT feature provides a degree of address transparency for networked clients. NAT is based on an Internet Engineering Task Force (IETF) standard, and substitutes a global IP address that is valid on the Internet for an internal IP address. ISA Server enhances the underlying NAT functionality of Windows 2000 by enabling access control for the FTP, ICMP, H.323, and PPTP protocols. NAT also enables HTTP requests to be rerouted so that they can frequently be satisfied from a local cache, as is the case for a CERN proxy.

SecureNAT provides Internet connectivity for multiple computers that share a single modem and Internet service provider account. SecureNAT lets multiple hosts connect through a single gateway computer to the public Internet. The SecureNAT feature allows a single dial-up or other connection to the public network to serve the entire network, which then allows access to both the Internet and corporate networks for telecommuting and other purposes. Every host on the private network shares one or more global addresses.

If a client's network settings specify the IP address of an ISA Server computer as the default gateway, NAT substitutes a globally valid source IP address for the private IP address of the client that originates an outgoing request. NAT places the address of the ISA Server computer in the source address field of the data packet, because responses must return to the global IP address of the ISA Server host.

Although SecureNAT's transparency eliminates the need to configure any setting other than the default gateway, SecureNAT does not work for all protocols. Examples are certain gaming protocols and new protocols for which no protocol editors exist.

SecureNAT can be used in conjunction with the ISA Firewall service in the case of applications with Windows Sockets (Winsock) capabilities. There is no need to perform manual configuration of this functionality, because configuration occurs behind the scenes. Since SecureNAT works with the Firewall service, application filters can work as NAT editors, and NAT clients can be managed by the administrator as Firewall service clients would be. This means that the ISA Server rules and policies can apply to NAT clients.

SecureNAT Considerations

While SecureNAT provides transparency without special client configuration or installation of software on the client and even provides automatic setting of default gateways, NAT has the following limitations:

Note to Developers

With SecureNAT, ISA Server extends the underlying NAT functionality of Windows 2000 to the level of the firewall, and thus to User mode. An application filter that enables secondary connections for a NAT client takes the place of a NAT editor. Enabling secondary connections for NAT clients through SecureNAT is thus simplified, and you have access to user-mode debugging tools during development.
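
The following added example is not Microsoft code and does not use the ISA Server filter API. It sketches in Python why a protocol such as FTP needs an editor: plain NAT rewrites only the source address in the packet header, while the editor also rewrites the address carried inside the PORT command and registers the mapping for the secondary (data) connection. The class name, method names, and all addresses are constructed for illustration.

```python
import re

PORT_RE = re.compile(r"^PORT (\d{1,3}(?:,\d{1,3}){5})\r\n$")

class NatGateway:
    """Toy source NAT plus an FTP editor (hypothetical names, not ISA Server APIs)."""

    def __init__(self, public_ip, first_port=50000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.outbound = {}  # (private_ip, private_port) -> public_port
        self.inbound = {}   # public_port -> (private_ip, private_port)

    def map_endpoint(self, private_ip, private_port):
        """Return the public port for a private endpoint, allocating one if new."""
        key = (private_ip, private_port)
        if key not in self.outbound:
            self.outbound[key] = self.next_port
            self.inbound[self.next_port] = key
            self.next_port += 1
        return self.outbound[key]

    def translate_source(self, src_ip, src_port):
        """Plain NAT: rewrite only the source address and port in the header."""
        return self.public_ip, self.map_endpoint(src_ip, src_port)

    def edit_ftp_port(self, client_ip, payload):
        """Editor: rewrite the address inside an FTP PORT command and
        pre-register the mapping for the secondary (data) connection."""
        m = PORT_RE.match(payload)
        if not m:
            return payload  # not a PORT command, pass through unchanged
        nums = [int(n) for n in m.group(1).split(",")]
        if any(n > 255 for n in nums):
            raise ValueError("malformed PORT argument")
        if ".".join(map(str, nums[:4])) != client_ip:
            # Only map back to the host that owns the control connection.
            raise ValueError("PORT address differs from control-connection client")
        pub_port = self.map_endpoint(client_ip, nums[4] * 256 + nums[5])
        host = self.public_ip.replace(".", ",")
        return f"PORT {host},{pub_port // 256},{pub_port % 256}\r\n"

if __name__ == "__main__":
    gw = NatGateway("203.0.113.5")  # constructed documentation address
    print(gw.translate_source("192.168.0.10", 1025))
    print(repr(gw.edit_ftp_port("192.168.0.10", "PORT 192,168,0,10,19,137\r\n")))
    print(gw.inbound)
```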

You can develop an application filter that enables secondary connections for a NAT client and that adds functionality equally efficiently for Firewall clients and NAT clients. Alternatively, you can develop an application filter to specifically address the secondary connection needs of NAT clients, enabling them to work with other application filters, such as those that perform content filtering.

If you create an application that uses a proprietary protocol, you can create an application filter that will enable SecureNAT clients to use that application.

Because SecureNAT functions in User mode and is an integral part of ISA, ISA policy can be applied to NAT clients. With SecureNAT, you can control access to FTP, Streaming Media protocols, and Windows NetMeeting® for H.323. ISA Server's SecureNAT also permits you to reroute HTTP requests, which can then frequently be fulfilled by a local cache. This enhancement boosts HTTP performance and lowers bandwidth requirements.