A Forefront TMG SecureNAT client is any computer, running any operating system, that uses TCP/IP networking and has no Forefront TMG client software installed. Forefront TMG knows nothing about a SecureNAT client beyond the source IP address and protocol of each request; it cannot identify the user or the application behind the request, so rules that require user authentication do not apply to SecureNAT traffic. SecureNAT clients display the following characteristics:

To configure a SecureNAT client, set its default gateway to point either directly at the Forefront TMG Internal network adapter or at a router that in turn routes Internet-bound traffic to Forefront TMG. In either case, ensure that Forefront TMG lies on the client's default route to the Internet; traffic that reaches the Internet by any other path is neither filtered nor logged by Forefront TMG.

Configuring name resolution

SecureNAT clients request objects both from computers on the local network and from the Internet, so they must be able to resolve names for both internal and external computers. Forefront TMG does not perform name resolution on behalf of SecureNAT clients; the client's own TCP/IP settings determine which DNS server it queries. The following is recommended:

  • For Internet access only, configure the client's TCP/IP settings to use Domain Name System (DNS) servers on the Internet. Create an access rule that allows SecureNAT clients to use the DNS protocol to those servers, and configure the DNS filter for the SecureNAT clients.

  • If SecureNAT clients request data from both the Internet and internal resources, configure the clients to use a DNS server located on the Internal network, and configure that DNS server to resolve both internal names and Internet names (for example, by forwarding queries it is not authoritative for to an Internet DNS server). For names of internal servers that Forefront TMG also publishes externally, the internal DNS server must return the server's internal address rather than its public address (split DNS); see the loopback caveat below.

Avoid looping back through Forefront TMG for SecureNAT client requests to internal resources. For example, if a SecureNAT client requests an internal resource that Forefront TMG publishes on the External network, name resolution on the client should return the server's internal address, not the public IP address on the External network. If the name resolves to the public address, the client sends its request to that address, Forefront TMG receives it as the client's default gateway, applies the publishing rule, and forwards the request to the published server on the Internal network. Unless the publishing rule is configured so that requests appear to come from the Forefront TMG computer, the forwarded request keeps the client's original source IP address, which the published server recognizes as local; the server therefore replies directly to the SecureNAT client rather than back through Forefront TMG. Packets in one direction then pass through Forefront TMG while packets in the other direction bypass it, the reply arrives from an address the client never sent to, and the response is dropped as invalid, so the connection fails.
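The loopback problem above is ultimately a name-resolution problem, so it can be checked from the client side before users hit it. The following script is an added example, not part of the original Forefront TMG documentation: given the DNS answers a SecureNAT client receives (here a constructed sample), the address ranges that make up the Internal network, and the set of internal hosts that are published externally (both assumed values for this example), it flags every published name that would send the client to a public address and therefore loop back through Forefront TMG.

```python
"""Check whether a SecureNAT client's name resolution would loop back
through Forefront TMG for internal resources that TMG also publishes.

Added example; not part of the original Forefront TMG documentation.
The address ranges, host names and DNS answers below are constructed.
"""
import ipaddress
from typing import Dict, Iterable, List

# Address ranges that make up the Internal network in this example deployment (assumed).
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

# Internal servers that Forefront TMG publishes on the External network (assumed names).
PUBLISHED_HOSTS = {"mail.contoso.com", "www.contoso.com", "portal.contoso.com"}

# Constructed DNS answers, as a SecureNAT client would receive them from its configured DNS server.
SAMPLE_ANSWERS: Dict[str, List[str]] = {
    "mail.contoso.com": ["10.0.1.25"],                   # split DNS done right
    "www.contoso.com": ["203.0.113.10"],                 # public address only: loops back
    "portal.contoso.com": ["10.0.2.5", "203.0.113.11"],  # mixed: client may pick either
    "files.contoso.local": ["10.0.3.7"],                 # not published, plain internal host
    "update.example.net": ["198.51.100.20"],             # genuine Internet host
    "nonexistent.contoso.com": [],                       # NXDOMAIN / no answer
}


def is_internal(address: str, internal_ranges: Iterable = INTERNAL_RANGES) -> bool:
    """True if the address falls inside one of the Internal network ranges."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in internal_ranges)


def classify(hostname: str, answers: List[str],
             published: Iterable[str] = PUBLISHED_HOSTS,
             internal_ranges: Iterable = INTERNAL_RANGES) -> str:
    """Classify one name's answers from the SecureNAT client's point of view.

    ok         - resolves only to Internal addresses; the client reaches it directly
    external   - not published internally and resolves only to non-Internal addresses
    loopback   - a published internal resource resolves only to its public address
    mixed      - answers contain both Internal and public addresses; behaviour depends
                 on which address the client's resolver hands to the application
    unresolved - no answer at all
    """
    if not answers:
        return "unresolved"
    internal = [a for a in answers if is_internal(a, internal_ranges)]
    public = [a for a in answers if not is_internal(a, internal_ranges)]
    if internal and public:
        return "mixed"
    if not public:
        return "ok"
    return "loopback" if hostname in published else "external"


def audit(dns_answers: Dict[str, List[str]],
          published: Iterable[str] = PUBLISHED_HOSTS,
          internal_ranges: Iterable = INTERNAL_RANGES) -> Dict[str, str]:
    """Classify every name and return a mapping of hostname -> status."""
    return {host: classify(host, addrs, published, internal_ranges)
            for host, addrs in dns_answers.items()}


def loopback_risks(dns_answers: Dict[str, List[str]],
                   published: Iterable[str] = PUBLISHED_HOSTS,
                   internal_ranges: Iterable = INTERNAL_RANGES) -> List[str]:
    """Names for which a SecureNAT client may send traffic to a published server's public address."""
    results = audit(dns_answers, published, internal_ranges)
    return sorted(h for h, s in results.items() if s in ("loopback", "mixed"))


if __name__ == "__main__":
    for host, status in audit(SAMPLE_ANSWERS).items():
        print(f"{host:26} {status:10} {', '.join(SAMPLE_ANSWERS[host]) or '-'}")
    print("needs split DNS:", ", ".join(loopback_risks(SAMPLE_ANSWERS)))
```

To use it against a real deployment, replace SAMPLE_ANSWERS with answers gathered on an actual SecureNAT client (for example from nslookup or Resolve-DnsName run on that client, since it is the client's configured DNS server that matters, not the one on the Forefront TMG computer), set INTERNAL_RANGES to the address ranges of the Forefront TMG Internal network, and list the published hosts. Every name reported as loopback or mixed needs an internal DNS record pointing at the server's internal address; the alternative of setting the publishing rule so that requests appear to come from the Forefront TMG computer does keep the reply path symmetric, but at the cost of the published server no longer seeing the real client address in its logs.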
