Microsoft Internet Security and Acceleration Server 2000

Filter Requirements for SecureNAT Clients

Application filters can work with Firewall clients and SecureNAT clients. This section describes specific design considerations for filters that must work with SecureNAT clients. For information on designing filters to work with Firewall clients, see Filter Requirements for Firewall Clients.

To handle SecureNAT client connect requests for outbound primary connections, the filter must register for events originating from a SecureNAT client. Use the fwxSourceNAT value of the FwxFirewallEventSource enumerated type when registering for SecureNAT client events. To handle both Firewall client and SecureNAT client requests, use the macro FWX_ALL_SOURCES.

If a filter handles inbound connections to SecureNAT clients, including primary connections, it must register a specific protocol and associate that protocol with the Connection object. Use IFWXFilterAdmin::RegisterProtocolForFilter to register the protocol, and IFWXConnection::SetProtocol to associate the protocol with the Connection object.

Inbound primary connections can be directed to the SecureNAT client by using the IFWXFirewall::CreatePrivateSession or IFWXFirewall::GetNATSession method. Use IFWXFirewall::CreatePrivateSession when the inbound connection has been requested by an application, the SecureNAT client is not known by the Firewall service, and no session object has been created. Use IFWXFirewall::GetNATSession only if the filter can assert that the client is configured to be a SecureNAT client of that server.

Use the IFWXSession::BindForClient method to permit SecureNAT clients to receive secondary inbound connections. Data filters that call IFWXSession::BindForClient and then edit addresses passed on a connection should use the fwx_dfpc_NAT value of the FwxDataFilterPriorityClass enumerated type. This value places the filter as close to the client as possible; that is, it is the first data filter to receive data from the client. This ordering matters because the first filter to handle SecureNAT data must be one that is capable of handling it. For more information, see Setting Filter Priorities.

Note: In a publishing scenario, the internal SecureNAT addresses of your publishing server are mapped to external IP addresses by using ISA Management or the FPCServerPublishingRule object.