Configuring SecureNAT clients

The Microsoft Forefront Threat Management Gateway SecureNAT client is a computer running any operating system that uses TCP/IP networking. Forefront TMG has no knowledge of SecureNAT clients, except in the context of the IP address and protocol used in client requests. SecureNAT clients display the following characteristics:

  • In a simple network scenario (with no routers between the client and Forefront TMG), the client's default gateway points to the IP address of the Forefront TMG network adapter that is connected to the network in which the client is located (usually the Internal network). In a complex network, with routers bridging subnets between the client and Forefront TMG, the default gateway of the last router in the chain should point to Forefront TMG, and each router should use a default gateway that routes along the shortest path to the Forefront TMG server.
  • SecureNAT clients can use any simple protocol defined in Forefront TMG. They can use complex protocols that require secondary connections only if a Forefront TMG application filter exists for the protocol.
  • SecureNAT clients cannot authenticate to Forefront TMG; because Forefront TMG sees only their IP address and protocol, rules that apply to them must match on IP addresses or networks rather than on users or groups. If authentication is required for a request, the client either sees an authentication pop-up or the request is denied.
  • Web proxy applications running on SecureNAT client computers can use automatic detection of proxy settings. For more information, see About automatic discovery.

To configure a SecureNAT client, set its default gateway to the Forefront TMG network adapter for its network, or to a router whose route to the Internet passes through Forefront TMG. Ensure that the Forefront TMG server is the client's default route to the Internet, so that no other path out of the network is available to it.
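The following script is an added example, not part of the Forefront TMG documentation. It checks the two conditions above on a Windows SecureNAT client: that the IPv4 default route points at Forefront TMG (single-subnet case), and, for the routed case, that Forefront TMG still appears on the path to the Internet before the first public hop. The TMG Internal adapter address (10.0.0.1), the trace target and the assumption that intermediate routers use RFC 1918 addresses are all constructed for the example; the cmdlets used require Windows 8 / Windows Server 2012 or later.

```powershell
# Added example; not part of the Forefront TMG documentation. Assumptions: the
# Forefront TMG Internal-network adapter is 10.0.0.1 (constructed), the client runs
# Windows 8 / Server 2012 or later (Get-NetRoute, Test-NetConnection), and routers
# between the client and TMG use RFC 1918 addresses.

function Test-IsPrivateIPv4 {
    # RFC 1918 check, used to spot the first public hop on a trace.
    param([Parameter(Mandatory)][string]$Address)
    $b = ([System.Net.IPAddress]::Parse($Address)).GetAddressBytes()
    return ($b[0] -eq 10) -or
           ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
           ($b[0] -eq 192 -and $b[1] -eq 168)
}

function Test-SecureNatGateway {
    param(
        [Parameter(Mandatory)][string]$TmgAddress,   # IP of the TMG Internal network adapter
        [string]$InternetTarget = '8.8.8.8'          # any reachable public address; only used for the trace
    )
    $r = [ordered]@{ DefaultGateway = $null; TmgIsGateway = $false; TmgOnPath = $false; Problems = @() }

    # 1. SecureNAT relies on the IPv4 default route, so inspect exactly that.
    $routes = @(Get-NetRoute -AddressFamily IPv4 -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
                Sort-Object RouteMetric, InterfaceMetric)
    if ($routes.Count -eq 0) {
        $r.Problems += 'No IPv4 default route: the client cannot reach Forefront TMG.'
        return [pscustomobject]$r
    }
    if ($routes.Count -gt 1) {
        $r.Problems += "Several default routes ($($routes.NextHop -join ', ')); only the lowest-metric one is used."
    }
    $r.DefaultGateway = $routes[0].NextHop
    $r.TmgIsGateway   = ($r.DefaultGateway -eq $TmgAddress)   # simple (single-subnet) case

    # 2. Routed case: the gateway is a router, but TMG must still be on the path before the
    #    first public hop; otherwise the client has another way out to the Internet.
    $trace = (Test-NetConnection -ComputerName $InternetTarget -TraceRoute -WarningAction SilentlyContinue).TraceRoute
    foreach ($hop in @($trace)) {
        if ($hop -eq $TmgAddress) { $r.TmgOnPath = $true; break }
        if ($hop -ne '0.0.0.0' -and -not (Test-IsPrivateIPv4 $hop)) { break }   # public hop reached without passing TMG
    }
    if (-not $r.TmgOnPath) {
        $r.Problems += "Forefront TMG ($TmgAddress) is not on the path to $InternetTarget; a route that bypasses it is in use."
    }
    return [pscustomobject]$r
}

Test-SecureNatGateway -TmgAddress '10.0.0.1' | Format-List
```

The trace relies on Forefront TMG returning ICMP time-exceeded messages; if it does not, TmgOnPath is reported as false even on a correctly configured client, and the DefaultGateway value (or the router chain's own routing tables) is the check to rely on.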

Configuring name resolution

SecureNAT clients can request objects both from computers on the local network and from the Internet, so they must be able to resolve names of both internal and external computers. Forefront TMG does not perform name resolution on behalf of SecureNAT clients: the client resolves the name itself and sends the request to the resulting IP address. We recommend the following:

  • For Internet access only, configure the client's TCP/IP settings to use DNS servers on the Internet. Create an access rule that allows the DNS protocol from the network containing the SecureNAT clients to the External network, and configure the DNS filter for those clients.
  • If SecureNAT clients request data from both the Internet and internal resources, clients should use a DNS server located on the Internal network. Configure that DNS server to resolve both internal names and Internet names (for example, by forwarding queries it is not authoritative for to an Internet DNS server).

Avoid looping back through Forefront TMG for SecureNAT client requests to internal resources. For example, if a client requests an internal resource that Forefront TMG publishes on the External network, name resolution for that client should not return a public IP address on the External network. If it does, the SecureNAT client sends its request to the external address and Forefront TMG forwards it to the published server. Unless the publishing rule is configured so that requests appear to come from the Forefront TMG computer, the forwarded request keeps the client's own source IP address rather than the address of the Forefront TMG internal network adapter. The published server recognizes that address as local and replies to the client directly, bypassing Forefront TMG. Packets in one direction therefore travel through Forefront TMG while packets in the other direction do not; the reply reaches the client from the server's internal address instead of the public address the client contacted, does not match the client's connection, and is dropped, so the request fails. Configure internal name resolution (for example, a split DNS zone for the published names) so that internal clients resolve published names to the server's internal address and connect to it directly.
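The following script is an added example, not part of the Forefront TMG documentation; it covers both the DNS server recommendations and the loopback problem described above. Run on a Windows SecureNAT client, it reports whether the client's DNS servers are inside the Internal network (required for mixed internal/Internet use) and, for each published resource, whether the name resolves to the server's internal address (direct access) or to the public listener address (loopback through Forefront TMG). The published names, their public and internal addresses, and the Internal network range 10.0.0.0/8 are constructed for the example; Resolve-DnsName and Get-DnsClientServerAddress require Windows 8 / Windows Server 2012 or later.

```powershell
# Added example; not part of the Forefront TMG documentation. The published names,
# addresses and the Internal network range below are constructed for illustration.
# Runs on a SecureNAT client with Windows 8 / Server 2012 or later (Resolve-DnsName,
# Get-DnsClientServerAddress, PowerShell 3+).

$Published = @(
    @{ Name = 'owa.example.com'; PublicAddress = '203.0.113.10'; InternalAddress = '10.0.0.25' },
    @{ Name = 'www.example.com'; PublicAddress = '203.0.113.11'; InternalAddress = '10.0.0.26' }
)

function Test-InNetwork {
    # True when $Address lies inside the IPv4 network given in CIDR form, e.g. 10.0.0.0/8.
    param([Parameter(Mandatory)][string]$Address, [Parameter(Mandatory)][string]$Cidr)
    $net, $bits = $Cidr -split '/'
    $toInt = { param($a)
        $b = ([System.Net.IPAddress]::Parse($a)).GetAddressBytes()
        ([long]$b[0] -shl 24) -bor ([long]$b[1] -shl 16) -bor ([long]$b[2] -shl 8) -bor [long]$b[3] }
    $mask = ([long]1 -shl 32) - ([long]1 -shl (32 - [int]$bits))
    return ((& $toInt $Address) -band $mask) -eq ((& $toInt $net) -band $mask)
}

function Test-SecureNatNameResolution {
    param(
        [Parameter(Mandatory)][hashtable[]]$PublishedResources,
        [string[]]$InternalNetworks = @('10.0.0.0/8')   # TMG Internal network ranges (assumed)
    )
    # 1. Which DNS servers does the client query? Internet servers are fine for an
    #    Internet-only client, but then no internal name will resolve.
    $servers = @((Get-DnsClientServerAddress -AddressFamily IPv4).ServerAddresses | Select-Object -Unique)
    $internalServers = @($servers | Where-Object {
        $s = $_; $InternalNetworks | Where-Object { Test-InNetwork -Address $s -Cidr $_ } })
    if ($servers.Count -eq 0) {
        Write-Warning 'No IPv4 DNS servers configured; the client cannot resolve anything.'
    } elseif ($internalServers.Count -eq 0) {
        Write-Warning "All DNS servers ($($servers -join ', ')) are outside the Internal network: suitable for Internet-only clients."
    }

    # 2. For each published resource: does the name resolve to the server's internal address
    #    (direct access) or to the TMG listener (loopback; the reply may bypass TMG)?
    foreach ($res in $PublishedResources) {
        $answers = @(Resolve-DnsName -Name $res.Name -Type A -DnsOnly -ErrorAction SilentlyContinue |
                     Where-Object { $_.Type -eq 'A' } | ForEach-Object IPAddress)
        $verdict = if ($answers.Count -eq 0) {
                       'UNRESOLVED - add the name to the internal DNS zone'
                   } elseif ($answers -contains $res.PublicAddress) {
                       'LOOPBACK - resolves to the TMG listener; add an internal (split-DNS) record for the internal address'
                   } elseif ($answers -contains $res.InternalAddress) {
                       'OK - the client connects directly, not through Forefront TMG'
                   } else {
                       'UNEXPECTED - neither the listener nor the published server'
                   }
        [pscustomobject]@{ Name = $res.Name; Resolved = ($answers -join ', '); Verdict = $verdict }
    }
}

Test-SecureNatNameResolution -PublishedResources $Published | Format-Table -AutoSize
```

A LOOPBACK verdict does not always mean a broken connection: if the publishing rule makes requests appear to come from the Forefront TMG computer, the reply returns through Forefront TMG and the request succeeds, but internal traffic is still needlessly hairpinned through the firewall, so the split-DNS fix is still the right one.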