Configuring SecureNAT clients
Published: November 15, 2009
Updated: February 1, 2011
Applies To: Forefront Threat Management Gateway (TMG)
The Forefront TMG SecureNAT client is a computer running any operating system that uses TCP/IP networking. Forefront TMG has no knowledge of SecureNAT clients, except in the context of the IP address and protocol used in client requests. SecureNAT clients display the following characteristics:
In a simple network scenario (with no routers between the client and Forefront TMG), the client's default gateway points to the IP address of the Forefront TMG network in which the client is located (usually the Internal network). In a complex network with routers bridging subnets between the client and Forefront TMG, the default gateway settings on the last router in the chain should point to Forefront TMG. Optimally, the router should use a default gateway that routes along the shortest path to the Forefront TMG server.
SecureNAT clients can use any simple protocol defined in Forefront TMG. SecureNAT clients can use complex protocols requiring secondary connections if there is a Forefront TMG application filter for the protocol.
SecureNAT clients cannot authenticate to Forefront TMG. If authentication is required for a request, the client either receives an authentication pop-up window, or the request is denied.
Web proxy applications running on SecureNAT client computers can use automatic detection of proxy settings. For more information, see Configuring automatic detection.
To configure SecureNAT clients, specify the default gateway to point to Forefront TMG or to a router. Ensure that the Forefront TMG server is the default route to the Internet for the client.
Configuring name resolution
SecureNAT clients can request objects from computers in the local network and from the Internet, and they must be able to resolve names for both external and internal computers. Forefront TMG does not perform name resolution on behalf of SecureNAT clients. The following is recommended:
For Internet access only, configure the client's TCP/IP settings to use Domain Name System (DNS) servers on the Internet. Create an access rule to allow SecureNAT clients to use the DNS protocol, and configure the DNS filter for the SecureNAT clients.
If SecureNAT clients request data from both the Internet and internal resources, clients should use a DNS server located on the Internal network. You should configure the DNS server to resolve both internal addresses and Internet addresses.
Avoid looping back through Forefront TMG for SecureNAT client requests to internal resources. For example, if the client requests an internal resource that Forefront TMG publishes on the External network, name resolution should not return the public IP address on the External network. If it does, the SecureNAT client sends the request to that external address, and the request traverses Forefront TMG, which replaces the client's source IP address with the IP address of its internal network adapter. The published server recognizes that address as internal and may therefore respond directly to the SecureNAT client, so packets in one direction pass through Forefront TMG while packets in the other direction take a route that does not involve Forefront TMG. As a result, Forefront TMG drops the response as invalid.
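The three checks this section asks for (default gateway, DNS servers, and the loopback case), as an added Windows PowerShell script to run on a SecureNAT client; it is not part of the Forefront TMG documentation. The TMG Internal address, DNS servers, published host names and Internal-network ranges in the parameters are assumed sample values for an example network.

```powershell
# Added check script, not part of the Forefront TMG documentation. Run in Windows PowerShell on a
# SecureNAT client. The default parameter values are assumptions for an example network; replace them.
param(
    [string]$TmgInternalIp = '10.0.0.1',                    # assumed TMG Internal-network adapter address
    [string[]]$ExpectedDnsServers = @('10.0.0.10'),         # assumed DNS servers the clients should use
    [string[]]$PublishedHosts = @('intranet.corp.example'), # assumed hosts published by TMG on the External network
    [string[]]$InternalSubnets = @('10.0.0.0/8')            # assumed address ranges of the TMG Internal network
)

function ConvertTo-UInt32([System.Net.IPAddress]$Ip) {
    $b = $Ip.GetAddressBytes(); [array]::Reverse($b)   # network byte order -> little-endian host order
    [BitConverter]::ToUInt32($b, 0)
}
function Test-InSubnet([System.Net.IPAddress]$Address, [string]$Cidr) {
    # True when an IPv4 address lies inside a CIDR block, e.g. 10.0.0.5 in 10.0.0.0/8.
    $net, $bits = $Cidr.Split('/')
    $mask = [uint32]((0xFFFFFFFF -shl (32 - [int]$bits)) -band 0xFFFFFFFF)
    ((ConvertTo-UInt32 $Address) -band $mask) -eq ((ConvertTo-UInt32 $net) -band $mask)
}

$findings = @()

# 1. Default gateway and DNS servers on every IP-enabled adapter (WMI also works on older clients).
foreach ($nic in Get-WmiObject Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled }) {
    $gw = @($nic.DefaultIPGateway)
    if ($gw.Count -eq 0) {
        $findings += "$($nic.Description): no default gateway. SecureNAT needs one pointing at TMG or at the last router before TMG."
    } elseif ($gw -notcontains $TmgInternalIp) {
        $findings += "$($nic.Description): default gateway $($gw -join ', ') is not TMG ($TmgInternalIp); acceptable only if it is a router whose default route leads to TMG."
    }
    $unexpected = @($nic.DNSServerSearchOrder) | Where-Object { $ExpectedDnsServers -notcontains $_ }
    if ($unexpected) { $findings += "$($nic.Description): unexpected DNS server(s) $($unexpected -join ', ')" }
}

# 2. Loopback check: a host TMG publishes must resolve to an Internal-network address for this client;
#    a public address means the request goes to the External listener and the reply is dropped.
foreach ($h in $PublishedHosts) {
    try { $addrs = [System.Net.Dns]::GetHostAddresses($h) | Where-Object { $_.AddressFamily -eq 'InterNetwork' } }
    catch { $findings += "$h does not resolve; check the DNS server configured for SecureNAT clients."; continue }
    foreach ($a in $addrs) {
        $internal = $InternalSubnets | Where-Object { Test-InSubnet $a $_ }
        if (-not $internal) { $findings += "$h resolves to $a, outside $($InternalSubnets -join ', '): the request would loop back through TMG." }
    }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } } else { 'SecureNAT client settings match the guidance.' }
```

Each finding maps to one recommendation above, so a clean run on a representative client confirms the default gateway, the DNS choice for the deployment, and that published names resolve internally rather than via the External network.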