SecureNAT Clients

Client computers that do not have Firewall client software are secure network address translation (SecureNAT) clients. SecureNAT clients can benefit from many of the features of ISA Server. This includes most access control features, with the exception of high-level protocol support and user-level authentication.

Although SecureNAT clients do not require special software, you should configure the default gateway so that all traffic destined to the Internet is sent by way of ISA Server, either directly or indirectly, through a router. You can configure clients either by using the DHCP service or manually.

Since requests from SecureNAT clients are essentially handled by the Firewall service, SecureNAT clients benefit from the following security features:

• Application filters can modify the protocol stream to allow handling of complex protocols. In Windows 2000 NAT, this mechanism is accomplished through the use of NAT editors which are written as kernel-mode NAT editor drivers in Windows 2000.
• The Firewall service can pass all Hypertext Transfer Protocol (HTTP) requests to the Web proxy service, which handles caching and ensures that site and content rules are applied appropriately.

SecureNAT and Windows 2000 NAT

ISA Server extends the Windows 2000 network address translation (NAT) functionality by enforcing ISA Server policy for SecureNAT clients. In other words, all ISA Server rules can be applied to SecureNAT clients, despite the fact that Windows 2000 NAT does not have an inherent authentication mechanism. (Policies regarding protocol usage, destination, and content type are also applied to SecureNAT clients.)

SecureNAT Clients and Server Publishing

As with Firewall clients, SecureNAT clients can also actually be servers, such as mail servers, which publish information to the Internet. You configure server publishing rules to publish servers as SecureNAT clients.

SecureNAT clients are not supported in cache mode.