Microsoft Internet Security and Acceleration Server 2004 SDK

Secure Network Address Translation

Secure network address translation (SecureNAT) is an extension of the Microsoft® Windows® Server 2003 and Windows 2000 network address translation (NAT) driver.

NAT substitutes a global IP address, valid on the Internet, for an internal IP address. This substitution allows multiple hosts with private IP addresses to share a single external (public) IP address, yet remain protected by the Microsoft Firewall service.

The ISA Server SecureNAT feature provides a degree of address transparency for networked clients. NAT is based on an Internet Engineering Task Force (IETF) standard. ISA Server enhances the underlying NAT functionality of Windows Server 2003 and Windows 2000 by enabling access control for FTP, ICMP, H.323, and PPTP. NAT also enables rerouting HTTP requests, which can then frequently be satisfied by a local cache, as is the case for CERN proxy.

SecureNAT provides Internet connectivity for multiple computers that share a single modem and Internet service provider account. SecureNAT lets multiple hosts connect through a single gateway computer to the public Internet. The SecureNAT feature allows a single dial-up or other connection to the public network to serve the entire network, which then allows access to both the Internet and corporate networks for telecommuting and other purposes. Every host on the private network shares one or more global addresses.

If network settings are configured so that the default gateway is the IP address of an ISA Server computer, NAT substitutes the globally valid source IP address for the private IP address of a client that originates an outgoing request. NAT substitutes the source address of the ISA Server computer in the data packet, because responses must return to the global ISA Server host IP address.

Although the transparency of SecureNAT eliminates the need for any client settings other than the default gateway, SecureNAT does not work for all protocols. It does not work for certain gaming protocols, or for new protocols for which no protocol editors exist.

SecureNAT can be used with the Microsoft Firewall service in the case of applications with Windows Sockets (Winsock) capabilities. There is no need to perform manual configuration of this functionality, because configuration occurs automatically. Because SecureNAT works with the Firewall service, application filters can work as NAT editors, and NAT clients can be managed by the administrator as Firewall service clients. This means that ISA Server rules and policies can apply to NAT clients.

SecureNAT Considerations

Although SecureNAT provides transparency without special client configuration or installation of software on the client, and provides automatic setting of default gateways, NAT has the following limitations:

Note to Developers

With SecureNAT, ISA Server extends the underlying NAT functionality of Windows Server 2003 and Windows 2000 up to the level of the firewall, and thus into user mode. An application filter that enables secondary connections for a NAT client takes the place of a NAT editor. Enabling secondary connections for NAT clients through SecureNAT is therefore simpler, and you have access to user-mode debugging tools during development.

You can develop an application filter that enables secondary connections for a NAT client and adds functionality that is equally efficient for Firewall clients and NAT clients. Alternatively, you can develop an application filter to specifically address the secondary connection needs of NAT clients, enabling them to work with other application filters, such as those that perform content filtering.
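The following Python model is an added illustration and is not code from the ISA Server SDK. It simulates the two behaviours described above: the source-address substitution that SecureNAT performs for a NAT client, and an FTP application filter standing in for a NAT editor, which rewrites an active-mode PORT command so that the server's secondary (data) connection can be translated back to the private client. The public address, private addresses and port range are constructed sample values.

```python
import re

class SecureNatModel:
    """Toy model of an outbound NAT table plus an FTP application filter."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip          # constructed: the ISA Server external address
        self.next_port = first_port
        self.table = {}                     # (private_ip, private_port) -> public_port
        self.reverse = {}                   # public_port -> (private_ip, private_port)

    def _map(self, priv_ip, priv_port):
        key = (priv_ip, priv_port)
        if key not in self.table:
            self.table[key] = self.next_port
            self.reverse[self.next_port] = key
            self.next_port += 1
        return self.table[key]

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Primary connection: substitute the public address for the private source."""
        return (self.public_ip, self._map(src_ip, src_port), dst_ip, dst_port)

    def inbound(self, dst_port):
        """Reply or secondary connection: translate back, or None if no mapping exists."""
        return self.reverse.get(dst_port)

    def ftp_filter(self, src_ip, payload):
        """Rewrite an active-mode PORT command (h1,h2,h3,h4,p1,p2) so the server's
        data connection is addressed to the public IP and a pre-allocated port."""
        m = re.fullmatch(r"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n", payload)
        if not m:
            return payload
        a, b, c, d, hi, lo = (int(x) for x in m.groups())
        priv_ip = f"{a}.{b}.{c}.{d}"
        if priv_ip != src_ip:               # announced address must match the packet source
            return payload
        pub_port = self._map(priv_ip, hi * 256 + lo)
        h, l = divmod(pub_port, 256)
        return "PORT " + ",".join(self.public_ip.split(".")) + f",{h},{l}\r\n"

if __name__ == "__main__":
    nat = SecureNatModel("203.0.113.10")
    print(nat.outbound("192.168.1.20", 51000, "198.51.100.5", 21))
    print(nat.ftp_filter("192.168.1.20", "PORT 192,168,1,20,200,10\r\n"))
```

Without the filter step, the server's connection to the address announced in PORT would arrive at the public IP with no mapping and be dropped, which is the secondary-connection problem an application filter solves.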

If you create an application that uses a proprietary protocol, you can create an application filter that enables SecureNAT clients to use that application.

Because SecureNAT functions in user mode and is an integral part of ISA Server, ISA Server policy can be applied to NAT clients. With SecureNAT, you can control access to FTP, streaming media protocols, and Windows NetMeeting® for H.323. The ISA Server SecureNAT feature also permits you to reroute HTTP requests, which can then frequently be fulfilled by a local cache. This enhancement boosts HTTP performance and lowers bandwidth requirements.