Filter Requirements for SecureNAT Clients

Application filters can work with Firewall clients and SecureNAT clients. This topic describes specific design considerations for filters that must work with SecureNAT clients. For information about designing filters to work with Firewall clients, see Filter Requirements for Firewall Clients.

To handle connect requests for outbound primary connections from SecureNAT clients, an application filter must register for events originating from SecureNAT clients. Use the fwxSourceNAT value of the FwxFirewallEventSource enumerated type to register for SecureNAT client events. To handle both Firewall client and SecureNAT client requests, use the FWX_ALL_SOURCES macro.

If an application filter will handle inbound connections to SecureNAT clients, including primary connections, a specific protocol must be registered. Use the IFWXFilterAdmin::RegisterProtocol method to register the protocol.

Inbound primary connections can be directed to a SecureNAT client by using the IFWXFirewall::CreatePrivateSession or IFWXFirewall::GetClientSession method. Use IFWXFirewall::CreatePrivateSession when the inbound connection was requested by an application, the SecureNAT client is not known by the Microsoft Firewall service, and no session object has been created. Use IFWXFirewall::GetClientSession only if the filter can assert that the client is configured to be a SecureNAT client of that server.

Use the IFWXSession::BindForClient method to permit SecureNAT clients to receive secondary inbound connections. Data filters that call IFWXSession::BindForClient and then edit addresses passed on a connection should use the fwx_dfpc_NAT value of the FwxDataFilterPriorityClass enumerated type. This places the filter as close as possible to the client in the filter chain, that is, it will be the first data filter to receive data from the client. This is important because you want to ensure that the first filter to handle the SecureNAT data is one that is capable of doing so. For more information, see Setting Filter Priorities.

Note  In a server publishing scenario, mapping internal SecureNAT addresses for your published server to external IP addresses is done by using Forefront TMG Management or the FPCServerPublishingProperties object.

Send comments about this topic to Microsoft

Build date: 11/30/2009

© 2008 Microsoft Corporation. All rights reserved.