About network relationships and firewall policy

Relationships between networks affect how Microsoft Forefront Threat Management Gateway access rules work. In particular, take this into consideration when you configure internal clients to access resources in other internal networks.

Generally, internal client access to other networks is controlled by using access rules. In some circumstances, however, you may want to use server publishing rules to control this type of access, for example, when allowing clients in the main corporate network to access resources in a perimeter network, and vice versa. Note that for outbound Web proxy requests, the network relationship is not taken into account. The following table summarizes how access rules and server publishing rules behave in NAT and route network relationships.

Perimeter and internal relationship: NAT

Access rules:
  • Forefront TMG listens for requests on the client-facing network adapter on the Forefront TMG computer.
  • Clients should make requests to the client-facing adapter and not directly to the IP address of the published server.
  • The client source IP address is that of the Forefront TMG computer. For example, if a NAT relationship is defined from source network A to destination network B, the IP addresses of client computers on A are replaced with the IP address of the network adapter connected to B on the Forefront TMG computer. Packets from B returned to clients on A are not translated.

Server publishing rules:
  • Forefront TMG listens for requests on the client-facing network adapter on the Forefront TMG computer.
  • Clients should make requests to the client-facing adapter and not directly to the IP address of the published server.
  • The client source IP address is that of the Forefront TMG computer unless you configure the rule to forward the original client source IP address.
  • Note that there is a difference between server publishing (where the default is to pass the client address) and Web publishing (where the default is to use the Forefront TMG internal address).

Perimeter and internal relationship: Route

Access rules:
  • Forefront TMG listens on the IP address of the published server.
  • The published server log shows the original client source IP address.
  • Note that if access rules allow HTTP traffic, this traffic goes through the Web Proxy Filter and is subject to NAT, even in a route relationship. To override this default behavior, disable the filter defined for the default HTTP protocol definition.

Server publishing rules:
  • Forefront TMG listens on the IP address of the published server.
  • Clients should request the actual IP address of the published server.
  • Limit the rule to specific clients by limiting the sources specified in the From property of the server publishing rule.