Planning for internal clients

Microsoft Forefront Threat Management Gateway protects three types of clients in internal corporate networks:

  • SecureNAT clients
  • Web proxy clients
  • Firewall clients

Choosing which clients to deploy depends upon the Forefront TMG deployment scenario and existing network infrastructure. The following table summarizes client requirements and details.

Feature SecureNAT client Firewall client Web proxy client

Installation details

No installation required. The client's default gateway must route Internet requests to the Forefront TMG server. For more information, see About SecureNAT clients.

Firewall Client software must be installed on client computers. For more information, see About Firewall clients.

No installation required. CERN-compliant applications such as Web browsers make Web proxy requests to the Forefront TMG server. For more information, see About Web proxy clients.  

Operating system support

Any operating system that supports TCP/IP can be used.

Windows operating systems. For a detailed list of supported operating systems, see About Firewall clients.

Any platform running a CERN-compatible application. SecureNAT and Firewall clients making requests from such applications also act as Web proxy clients.

Protocol support

Supports all simple protocols. Complex protocols requiring multiple primary or secondary connections require a Forefront TMG application filter.

All Winsock applications are supported.

Supports HTTP, HTTPS, and FTP for download requests.

User-level authentication

Cannot present credentials and cannot be authenticated by Forefront TMG.

Automatically sends client credentials with requests to the Forefront TMG server.

Can authenticate if Forefront TMG requests credentials. No credentials are supplied if anonymous access is enabled.


Use for non-Windows clients. Use if support for non-TPC or UDP protocols (such as ICMP or GRE) is required. Configure published non-Web servers as SecureNAT clients if you want to forward the original source IP address of the client to the published server.

Use when support for secondary protocols is required. Use for strong access controls. Records user names in logs.

Use for user-based Web access through a proxy and for chaining Web requests to upstream proxies. Good performance because Web requests are forwarded directly to Web proxy filter.

The way in which Forefront TMG handles a request from a client in its internal networks depends on how the client computer is configured, and the type of request being made. For example:

  • On a Firewall client computer (with Firewall Client software installed and enabled), requests generated by applications that use Winsock application programming interfaces (APIs) are intercepted by the Firewall Client software. If the address requested is local, the connection is made directly. Otherwise, it is sent to the Firewall service on the Forefront TMG computer.
  • On a Firewall client computer or a SecureNAT client computer that does not have Web Proxy client settings configured, Web requests (HTTP, HTTPS, or FTP downloads) are passed transparently to the Web proxy listener for the network on which the request is received. This is known as transparent network address translation (NAT).
  • On any computer that is configured as a Web Proxy client, Web requests are sent directly to the Web proxy listener.