About SecureNAT clients

You do not have to install any software to configure internal clients as SecureNAT clients. SecureNAT clients depend upon the organizational routing structure in order to forward requests to Microsoft Forefront Threat Management Gateway. You route all Internet traffic through Forefront TMG, as follows:

  • In a simple network scenario without routers between the client and the Forefront TMG server, you should set the client's default gateway to the IP address of the Forefront TMG network in which the client is located (usually the Internal network).
  • In a complex network with routers bridging subnets between the SecureNAT client and the Forefront TMG server, the default gateway settings on the last router in the chain should point to Forefront TMG. Optimally, the router should use a default gateway that routes along the shortest path to the Forefront TMG computer. The router should not be configured to discard packets destined for addresses outside the corporate network. Forefront TMG determines how to route the packets.

Forefront TMG has no knowledge of SecureNAT clients except in the context of the IP address and protocol used in requests. Requests are handled as follows:

  1. A request is directed to the network address translation (NAT) driver, which substitutes a global IP address that is valid on the Internet for the internal IP address of the client.
  2. The request is then directed to the Microsoft Firewall service in order to determine if access is allowed. The Firewall service may cache the requested object or deliver the object from the cache.

SecureNAT client requests benefit from the Firewall service security features. All Forefront TMG rules can be applied to SecureNAT clients, and policies regarding protocol usage, destination, and content type are also applied to SecureNAT clients. Also, application filters and other extensions may filter the request.

Forefront TMG application filters modify the protocol stream so that complex protocols (those requiring multiple primary or secondary connections) can be handled. Note the following limitations:

  • SecureNAT clients can use complex protocols to access resources if an application filter is available on the Forefront TMG computer.
  • SecureNAT clients can only use protocols that have a protocol definition in Forefront TMG.

Name resolution

SecureNAT clients can request objects both from computers in the local network and from the Internet, and they must be able to resolve names for both. We recommend the following:

  • For Internet access only, you should configure the client's TCP/IP settings to use DNS servers on the Internet. Create an access rule that allows SecureNAT clients to use the DNS protocol.
  • For access to both the Internet and internal resources, the clients should use a DNS server located on the Internal network. You should configure the DNS server to resolve both internal addresses and Internet addresses.

It is important to avoid looping back through Forefront TMG for SecureNAT client requests to internal resources. For example, if a SecureNAT client requests an internal resource that Forefront TMG publishes on the External network, name resolution should not resolve the name to a public IP address on the External network. If it does and the SecureNAT client sends the request to the external IP address, the publishing server may respond directly to the SecureNAT client, and the response is dropped: the source IP address of the client is replaced with the IP address of the Forefront TMG internal network adapter, which the published server recognizes as internal, so it may respond directly to the SecureNAT client. Packets in one direction therefore travel along a route that does not involve Forefront TMG, while packets in the other direction pass through Forefront TMG, and Forefront TMG drops the response as invalid.
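A small check for the two configuration points above (default gateway placement for the router-free case, and split-DNS answers that would cause a loopback through Forefront TMG), written as an added example rather than anything from the TechNet page or the TMG product: the Internal network ranges, host names and addresses are constructed, and the default resolver is a lookup table so the script runs offline; pass `socket.gethostbyname` as `resolve` to test a real client.

```python
import ipaddress
from typing import Callable, Dict, Iterable, List, Tuple

# Ranges that stand in for the Forefront TMG Internal network definition
# (constructed for this example; substitute your own network definition).
INTERNAL_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                     ipaddress.ip_network("192.168.0.0/16")]

# Constructed sample of what the internal DNS server answers for each name.
# "intranet" resolves correctly to an internal address; "portal" is a server
# published on the External network whose name wrongly resolves to the
# public listener address (a TEST-NET address here).
SAMPLE_ANSWERS: Dict[str, str] = {
    "intranet.corp.example": "10.1.2.3",
    "portal.corp.example": "203.0.113.10",
}

def is_internal(address: str, internal_nets=INTERNAL_NETWORKS) -> bool:
    """True if the address lies inside one of the Internal network ranges."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in internal_nets)

def find_loopback_risks(internal_names: Iterable[str],
                        resolve: Callable[[str], str] = SAMPLE_ANSWERS.__getitem__,
                        internal_nets=INTERNAL_NETWORKS) -> List[Tuple[str, str]]:
    """Return (name, address) pairs for internal resources whose name resolves
    to a non-internal address. A SecureNAT client using such an answer would
    send the request to the published External address, and the server's
    direct reply would be dropped by Forefront TMG."""
    risks = []
    for name in internal_names:
        addr = resolve(name)
        if not is_internal(addr, internal_nets):
            risks.append((name, addr))
    return risks

def gateway_points_at_tmg(gateway: str, tmg_internal_ip: str,
                          client_ip: str, client_prefixlen: int) -> bool:
    """Router-free case: the client's default gateway must be the TMG Internal
    adapter address and must lie in the client's own subnet."""
    client_net = ipaddress.ip_network(f"{client_ip}/{client_prefixlen}", strict=False)
    return gateway == tmg_internal_ip and ipaddress.ip_address(gateway) in client_net

if __name__ == "__main__":
    for name, addr in find_loopback_risks(["intranet.corp.example", "portal.corp.example"]):
        print(f"split-DNS problem: {name} -> {addr} (external address; fix the internal zone)")
    print("gateway ok:", gateway_points_at_tmg("10.1.0.1", "10.1.0.1", "10.1.5.20", 16))
```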


SecureNAT clients cannot send credentials to Forefront TMG. The only control available for authenticating outgoing requests from SecureNAT clients is based on IP addresses. If an access rule requires authentication, or the client network has the Require all users to authenticate setting enabled, SecureNAT clients may see an authentication message or a failure message.