SecureNAT Clients

Client computers that do not have Firewall Client software installed and enabled are automatically clients of secure network address translation (SecureNAT).

Although SecureNAT clients do not require special software, you must configure their default gateway so that all traffic destined to the Internet is sent by way of a Forefront TMG computer either directly or indirectly, through a router. The default gateway of SecureNAT clients can be set to the IP address of the network adapter of a Forefront TMG computer in the network in which they reside, or SecureNAT clients can be configured to use a router (or chain of routers) whose default gateway is an IP address of a Forefront TMG computer. You can configure clients either by using the DHCP service or manually.

Requests from SecureNAT clients are processed by the Microsoft Firewall service, which checks the policy rules to determine whether each request may be sent from the source to the destination host using the protocol specified. During this check, the Firewall service performs any required reverse DNS name resolution to determine whether a rule applies to the request.

Because requests from SecureNAT clients are handled by the Firewall service, SecureNAT clients can benefit from many of the features of Forefront TMG. These include most access control features, with the exception of high-level protocol support and user-level authentication. In particular, SecureNAT clients benefit from the following security features:

• Application filters can modify the protocol stream to allow handling of complex protocols. In network address translation (NAT), introduced in Windows 2000, this mechanism is accomplished through the use of NAT editors, which are written as kernel-mode extensions of the NAT driver.
• The Firewall service can pass all Web requests to the Web proxy, which handles caching and ensures that policy rules are applied appropriately.

SecureNAT and Windows NAT

In Forefront TMG, SecureNAT extends the Windows NAT functionality by enforcing Forefront TMG policy for SecureNAT clients. All Forefront TMG rules can be applied to SecureNAT clients, despite the fact that Windows NAT does not have an inherent authentication mechanism. Policies regarding protocol usage, destination, and content type are also applied to SecureNAT clients.

SecureNAT Clients and Server Publishing

As with Firewall clients, SecureNAT clients can also actually be servers, such as mail servers, which publish information to the Internet. You configure server publishing rules to publish servers as SecureNAT clients.

A server publishing rule uses SecureNAT to allow requests that are sent to an IP address that is valid on the source network to reach an IP address on a protected network behind the Forefront TMG computer. The server publishing rule maps a port number and an IP address (or IP addresses) on the network adapter of the Forefront TMG computer that listens for requests from the clients to a port number and an IP address on the published server. Requests that meet the conditions specified by the rule are then redirected to the IP address of the published server. However, only requests that are identified as part of the designated protocol are processed by the server publishing rule and redirected to the published server. Note that the published server (the SecureNAT client) must be configured to use the Forefront TMG computer as its default gateway.

Send comments about this topic to Microsoft

Build date: 11/30/2009