The Forefront TMG SecureNAT client is a computer running any operating system that uses TCP/IP networking. Forefront TMG has no knowledge of SecureNAT clients, except in the context of the IP address and protocol used in client requests. SecureNAT clients display the following characteristics:
- In a simple network scenario (with no routers between the client and Forefront TMG), the client's default gateway points to the IP address of the Forefront TMG network in which the client is located (usually the Internal network). In a complex network with routers bridging subnets between the client and Forefront TMG, the default gateway settings on the last router in the chain should point to Forefront TMG. Optimally, the router should use a default gateway that routes along the shortest path to the Forefront TMG server.
- SecureNAT clients can use any simple protocol defined in Forefront TMG. SecureNAT clients can use complex protocols requiring secondary connections if there is a Forefront TMG application filter for the protocol.
- SecureNAT clients cannot authenticate to Forefront TMG. If authentication is required for a request, the client either receives an authentication pop-up window, or the request is denied.
- Web proxy applications running on SecureNAT client computers can use automatic detection of proxy settings. For more information, see Configuring automatic
To configure SecureNAT clients, specify the default gateway to point to Forefront TMG or to a router. Ensure that the Forefront TMG server is the default route to the Internet for the client.
Configuring name resolution
SecureNAT clients can request objects from computers in the local network and from the Internet, and they must be able to resolve names for both external and internal computers. Forefront TMG does not perform name resolution on behalf of SecureNAT clients. The following is recommended:
- For Internet access only, configure the client's TCP/IP settings to use Domain Name System (DNS) servers on the Internet. Create an access rule to allow SecureNAT clients to use the DNS protocol, and configure the DNS filter for the
- If SecureNAT clients request data from both the Internet and internal resources, clients should use a DNS server located on the Internal network. You should configure the DNS server to resolve both internal addresses and Internet
Avoid looping back through Forefront TMG for SecureNAT client requests to internal resources. For example, if the client makes a request to an internal resource published by Forefront TMG on the External network, name resolution should not resolve the request to a public IP address on the External network. If it does, and the SecureNAT client sends the request to the external IP address, the publishing server may respond directly to the SecureNAT client, and the response is dropped. The reason is that the source IP address of the client is replaced with the IP address of the Forefront TMG internal network adapter, which the published server recognizes as internal. The server may therefore respond directly to the SecureNAT client, so that packets in one direction take a route that does not involve Forefront TMG while packets in the other direction pass through Forefront TMG. As a result, Forefront TMG drops the response as invalid.
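The two configuration requirements above (the default-gateway chain ending at Forefront TMG, and internal names never resolving to External-network addresses that would loop back through TMG) can be sanity-checked offline before a SecureNAT rollout. The script below is an added example, not code from the documentation or from Microsoft; the network ranges, the TMG Internal address and the DNS answers are constructed sample values, and the function names are the example's own.

```python
"""Offline sanity checks for SecureNAT client configuration (added example).

Models two requirements from the SecureNAT documentation:
1. the client's default gateway, or the default gateway of the last router in
   the chain, must be the Forefront TMG address on the Internal network;
2. names of internal resources must not resolve to an address on the External
   network, otherwise the request loops back through TMG and the asymmetric
   reply is dropped as invalid.
All addresses below are constructed sample values, not a real deployment.
"""
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List, Tuple

# Constructed sample TMG network layout (assumed for the example).
INTERNAL_NETS = [ip_network("10.0.0.0/16")]
EXTERNAL_NETS = [ip_network("203.0.113.0/24")]   # documentation range TEST-NET-3
TMG_INTERNAL_IP = ip_address("10.0.0.1")          # TMG adapter on the Internal network


def gateway_chain_reaches_tmg(hops: Iterable[str],
                              tmg_internal_ip=TMG_INTERNAL_IP) -> bool:
    """hops: the client's default gateway followed by the default gateway of
    each router in turn. In the simple scenario this is a single hop.
    Returns True only when the last default gateway in the chain is the
    Forefront TMG Internal-network address."""
    chain = [ip_address(h) for h in hops]
    if not chain:
        return False
    return chain[-1] == tmg_internal_ip


def classify_answer(addr: str) -> str:
    """Classify a resolved address as 'internal', 'external' or 'other'
    relative to the TMG network definitions."""
    a = ip_address(addr)
    if any(a in net for net in INTERNAL_NETS):
        return "internal"
    if any(a in net for net in EXTERNAL_NETS):
        return "external"
    return "other"


def find_loopback_answers(dns_answers: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """dns_answers maps an internal resource name to the A records a SecureNAT
    client receives for it. Returns (name, address) pairs that resolve to an
    External-network address: these requests would be sent to the published
    (external) address and loop back through TMG."""
    hits: List[Tuple[str, str]] = []
    for name, addrs in dns_answers.items():
        for addr in addrs:
            if classify_answer(addr) == "external":
                hits.append((name, addr))
    return hits


# Constructed DNS answers for internal resources as seen by a SecureNAT client.
SAMPLE_ANSWERS = {
    "intranet.corp.example": ["10.0.5.20"],    # correct: Internal-network address
    "mail.corp.example": ["203.0.113.10"],     # wrong: published External address
}

if __name__ == "__main__":
    # Simple scenario: the client's default gateway is the TMG Internal address.
    print("simple chain ok:", gateway_chain_reaches_tmg(["10.0.0.1"]))
    # Complex scenario: client -> router 10.0.7.254 -> TMG 10.0.0.1.
    print("routed chain ok:", gateway_chain_reaches_tmg(["10.0.7.254", "10.0.0.1"]))
    for name, addr in find_loopback_answers(SAMPLE_ANSWERS):
        print(f"loopback risk: {name} resolves to External address {addr}")
```

Run the script against the DNS answers and gateway chain of a real client: any `loopback risk` line means the internal DNS server (or the client's external resolver) is handing out the published address and should be corrected to the Internal-network address, and a `False` chain result means the last router's default gateway does not lead to Forefront TMG.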