SecureNAT clients

Client computers that do not have Firewall client software are SecureNAT clients. SecureNAT clients can benefit from many of the features of ISA Server. This includes most access control features, with the exception of high-level protocol support and user-level authentication.

Although SecureNAT clients do not require special software, you must configure the default gateway so that all traffic destined to the Internet is sent by way of ISA Server, either directly or indirectly, through a router. You can configure clients either by using the Dynamic Host Configuration Protocol (DHCP) service or manually.

Because requests from SecureNAT clients are essentially handled by the Firewall service, SecureNAT clients benefit from the following security feature: application filters can modify the protocol stream to allow handling of complex protocols. In Microsoft® Windows® network address translation (NAT), this is accomplished through NAT editors, which are written as kernel-mode NAT editor drivers.

Note that ISA Server application filters replace the functionality generally available through Windows-based NAT editors. That is, an application filter must be available in order for SecureNAT clients to use specific applications or protocols. For more information, see Application filters.

SecureNAT and network address translation

ISA Server extends the network address translation (NAT) functionality by enforcing ISA Server policy for SecureNAT clients. That is, all ISA Server rules can be applied to SecureNAT clients, despite the fact that NAT does not have an inherent authentication mechanism. Policies regarding protocol usage, destination, and content type are also applied to SecureNAT clients.

SecureNAT clients and server publishing

As with Firewall clients, SecureNAT clients can themselves be servers, such as mail servers, that publish information to the Internet. You configure server publishing rules to publish servers as SecureNAT clients.

Configuring SecureNAT clients

Although SecureNAT clients do not require specific software to be deployed on the client computers, you must configure the network appropriately. This section details network considerations for SecureNAT clients.

Setting up the default gateway for SecureNAT clients

SecureNAT clients do not require specific software to be deployed on the client computers. However, you must configure your network topology for the ISA Server computer to protect the SecureNAT clients and ensure that their requests are serviced.

Specifically, the default gateway for the SecureNAT clients must be properly configured. When setting the default gateway property, identify which type of network topology you are configuring:

Simple network.
A simple network topology does not have any routers configured between the SecureNAT client and the ISA Server computer.
Complex network.
A complex network topology has one or more routers bridging multiple subnets that are configured between a SecureNAT client and the ISA Server computer.

Configuring SecureNAT clients on a simple network

To configure SecureNAT clients on a simple network, you should set the SecureNAT client's IP default gateway settings to the IP address of the ISA Server computer's internal network adapter card. You can set this manually, using the TCP/IP settings on the client. (These settings can be made by clicking the Network icon in Control Panel.) Alternatively, you can configure these settings automatically for the client using the DHCP service.

Configuring SecureNAT clients on a complex network

To configure SecureNAT clients on a complex network, you should set the default gateway settings to the last router in the chain between the SecureNAT client and the ISA Server computer. In this case, you do not have to change the default gateway settings for the SecureNAT clients.

Optimally, the router should use a default gateway that routes along the shortest path to the ISA Server computer. Also, the router should not be configured to discard packets destined for addresses outside the corporate network; ISA Server will determine how to route the packets.
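The check below is an added example, not part of the original documentation: it follows each client's default-gateway chain, for both the simple and the complex topology, and reports whether Internet-bound traffic actually reaches the ISA Server internal address. All addresses, the DEFAULT_GATEWAYS table and the function names are constructed assumptions.

```python
# Added example: audit default-gateway chains for SecureNAT clients.
# All addresses below are constructed sample data, not taken from the page.
ISA_INTERNAL = "10.0.0.1"  # assumed internal adapter address of the ISA Server

# Default gateway configured on each client or router (node -> next hop).
# Simplification: a router is keyed by the address its downstream hosts use.
DEFAULT_GATEWAYS = {
    "10.0.0.50": "10.0.0.1",    # simple network: client points straight at ISA
    "10.0.2.25": "10.0.2.1",    # complex network: client points at its router
    "10.0.2.1": "10.0.1.1",     # inner router -> next router
    "10.0.1.1": "10.0.0.1",     # last router in the chain -> ISA
    "10.0.3.7": "10.0.3.1",     # client behind a router that skips ISA
    "10.0.3.1": "192.0.2.254",  # router forwards to a non-ISA edge device
    "10.0.4.9": "10.0.4.1",     # client behind two routers that point
    "10.0.4.1": "10.0.4.2",     # at each other (routing loop)
    "10.0.4.2": "10.0.4.1",
}
CLIENTS = ["10.0.0.50", "10.0.2.25", "10.0.3.7", "10.0.4.9", "10.0.5.5"]


def trace_to_isa(client, gateways, isa_internal, max_hops=16):
    """Follow default gateways from client; return (status, path)."""
    path, seen = [client], {client}
    while len(path) <= max_hops:
        nxt = gateways.get(path[-1])
        if nxt is None:
            # Either the client has no gateway at all, or the chain stops at
            # a device that is not ISA Server, so ISA policy is never applied.
            return ("NO_GATEWAY" if len(path) == 1 else "BYPASSES_ISA"), path
        path.append(nxt)
        if nxt == isa_internal:
            return "OK", path
        if nxt in seen:
            return "LOOP", path
        seen.add(nxt)
    return "TOO_MANY_HOPS", path


def audit(clients, gateways, isa_internal):
    """Map each client to the (status, path) of its gateway chain."""
    return {c: trace_to_isa(c, gateways, isa_internal) for c in clients}


if __name__ == "__main__":
    results = audit(CLIENTS, DEFAULT_GATEWAYS, ISA_INTERNAL)
    for client, (status, path) in results.items():
        print(f"{status:13} {' -> '.join(path)}")
```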

Resolving names for SecureNAT clients

SecureNAT clients will probably request objects both from computers in the local network and from the Internet. Thus, SecureNAT clients will require DNS servers that can resolve names both for external and internal computers.

Internet access only

For Internet access only, configure the Transmission Control Protocol/Internet Protocol (TCP/IP) settings on the SecureNAT clients to use the DNS servers on the Internet. You should create an access rule that allows the SecureNAT clients to use the DNS protocol and configure the DNS filter for the SecureNAT clients.

Internal network and Internet access

If the SecureNAT clients will request data both from the Internet and from the Internal network servers, the clients should use a DNS server located on the Internal network. You should configure the DNS server to resolve both internal addresses and Internet addresses.
