Secure Network Address Translation

Secure network address translation (SecureNAT) is an extension of the Microsoft® Windows® Server 2008 network address translation (NAT) driver.

NAT substitutes a global IP address, valid on the Internet, for an internal IP address. This substitution allows multiple hosts with private IP addresses to share a single external (public) IP address, yet remain protected by the Microsoft Firewall service.

The Forefront TMG SecureNAT feature provides a degree of address transparency for networked clients. NAT is based on an Internet Engineering Task Force (IETF) standard. Forefront TMG enhances the underlying NAT functionality of Windows Server 2008 by enabling access control for FTP, ICMP, H.323, and PPTP. NAT also enables rerouting of HTTP requests, which can then frequently be satisfied by a local cache, as is the case for a CERN proxy.

SecureNAT provides Internet connectivity for multiple computers that share a single modem and Internet service provider (ISP) account. It lets multiple internal hosts connect to the public Internet through a single gateway computer, so that one dial-up or other connection to the public network serves the entire network and gives it access to both the Internet and corporate networks for telecommuting and other purposes. All hosts on the private network share one or more global IP addresses.

If internal client computers are configured with the IP address of a Forefront TMG computer as their default gateway, NAT replaces the private source IP address of a client computer that originates an outgoing request with the globally valid IP address of the Forefront TMG computer. The source address in the data packet must be that of the Forefront TMG computer because responses must return to its global IP address.

Although the transparency of SecureNAT eliminates the need for any client settings other than the default gateway, SecureNAT does not work for all protocols. It does not work for certain gaming protocols or for new protocols for which no protocol editors exist.

SecureNAT can be used with the Microsoft Firewall service for applications with Windows Sockets (Winsock) capabilities. No manual configuration of this functionality is needed, because it is configured automatically. Because SecureNAT works with the Firewall service, application filters can take over the role of NAT editors (the extensions of the Windows NAT driver that create secondary connections for specific protocols), and the administrator can manage NAT clients as Firewall service clients. This means that Forefront TMG rules and policies can apply to NAT clients.
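The following added example (not code from the Forefront TMG documentation or product) models the two mechanisms described above: the header-level address substitution of the gateway's global IP for a client's private IP, and the application-filter role of a NAT editor that rewrites an address embedded in the payload and pre-creates the secondary connection mapping. The addresses, the `SecureNatToy` class and the FTP `PORT` handler are all constructed for illustration.

```python
import re

class SecureNatToy:
    """Constructed stand-in for a NAT gateway: one public IP, a port-mapping table."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.by_public_port = {}      # public port -> (private ip, private port)
        self.by_private = {}          # (private ip, private port) -> public port

    def _map(self, priv_ip, priv_port):
        key = (priv_ip, priv_port)
        if key not in self.by_private:
            self.by_private[key] = self.next_port
            self.by_public_port[self.next_port] = key
            self.next_port += 1
        return self.by_private[key]

    def outbound(self, pkt):
        """Client -> Internet: substitute the gateway's global address for the private one."""
        out = dict(pkt, src_ip=self.public_ip,
                   src_port=self._map(pkt["src_ip"], pkt["src_port"]))
        # Plain NAT only rewrites headers. FTP active mode carries the client's
        # private address inside the PORT command, so a protocol editor (here a
        # toy one) must rewrite the payload and pre-create the secondary mapping.
        if pkt.get("payload", "").startswith("PORT "):
            out["payload"] = self._edit_ftp_port(pkt["src_ip"], pkt["payload"])
        return out

    def inbound(self, pkt):
        """Internet -> client: a reply goes to whichever private host owns the mapping."""
        key = self.by_public_port.get(pkt["dst_port"])
        if key is None:
            return None               # unsolicited: no mapping, so the packet is dropped
        return dict(pkt, dst_ip=key[0], dst_port=key[1])

    def _edit_ftp_port(self, priv_ip, payload):
        m = re.fullmatch(r"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n", payload)
        if not m or ".".join(m.groups()[:4]) != priv_ip:
            return payload            # not this client's address; leave untouched
        data_port = int(m.group(5)) * 256 + int(m.group(6))
        pub_port = self._map(priv_ip, data_port)   # secondary (data) connection
        return "PORT %s,%d,%d\r\n" % (self.public_ip.replace(".", ","),
                                        pub_port // 256, pub_port % 256)
```

Without the `PORT` rewrite, the server would try to open the data connection to the client's unroutable private address, which is the class of protocol failure the text attributes to missing protocol editors.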

SecureNAT Considerations

Although SecureNAT provides transparency without special client configuration or installation of software on the client, and provides automatic setting of default gateways, NAT has the following limitations:

Note to Developers

With SecureNAT, Forefront TMG extends the underlying NAT functionality of Windows Server 2008 to the level of the Firewall service, and thus, to user mode. An application filter that enables secondary connections for a NAT client takes the place of a NAT editor. Enabling secondary connections for NAT clients through SecureNAT is simplified, and you have access to user-mode debugging tools for the development process.

You can develop an application filter that enables secondary connections for a NAT client and adds functionality that is equally efficient for Firewall clients and NAT clients. Alternatively, you can develop an application filter to specifically address the secondary connection needs of NAT clients, enabling them to work with other application filters, such as those that perform content filtering.

If you create an application that uses a proprietary protocol, you can create an application filter that enables SecureNAT clients to use that application.

Because SecureNAT functions in user mode and is an integral part of Forefront TMG, Forefront TMG policy can be applied to NAT clients. With SecureNAT, you can control access to FTP, Streaming Media protocols, and Windows NetMeeting® for H.323. The Forefront TMG SecureNAT feature also permits you to reroute HTTP requests, which can then frequently be fulfilled by a local cache. This enhancement boosts HTTP performance and lowers bandwidth requirements.



Build date: 11/30/2009

© 2008 Microsoft Corporation. All rights reserved.