SecureNAT Clients
The next sections provide information about SecureNAT clients, including request handling, configuring SecureNAT clients, name resolution, authentication, and server publishing.
Request Handling
ISA Server has no knowledge of SecureNAT clients except in the context of the IP address and protocol used in requests. Requests from SecureNAT clients are directed first to the network address translation (NAT) driver, which substitutes a global IP address that is valid on the Internet for the internal IP address of the SecureNAT client. The client request is then directed to the Microsoft Firewall service to determine whether access is allowed. The Firewall service may also cache the requested object or deliver the object from the ISA Server cache.
Because requests from SecureNAT clients are handled by the Firewall service, SecureNAT clients benefit from the Firewall service security features. All ISA Server rules can be applied to SecureNAT clients, and policies regarding protocol usage, destination, and content type are also applied to them. The request may also be filtered by application filters and other extensions. Note, however, that because ISA Server identifies a SecureNAT client only by IP address, these rules cannot be applied on the basis of user identity.
To allow handling of complex protocols (those requiring multiple primary or secondary connections), Microsoft Windows NAT uses NAT editors, which are written as kernel-mode NAT editor drivers. ISA Server application filters replace the functionality generally available through Windows-based NAT editors, and can modify the protocol stream to allow handling of complex protocols. Note the following limitations:
Configuring SecureNAT Clients
SecureNAT clients do not require special software, but are dependent on the organizational routing structure to forward requests to ISA Server. You must configure the default gateway of the client computer so that all traffic destined to the Internet is sent by way of ISA Server, either directly or indirectly, through a router. When setting the default gateway property, identify which type of network topology you are configuring:
Name Resolution
SecureNAT clients can request objects both from computers in the local network and from the Internet. Thus, SecureNAT clients require DNS servers that can resolve names both for external and internal computers. The following is recommended:
In particular, when configuring name resolution for SecureNAT clients, it is important to avoid looping requests for internal resources back through the ISA Server computer. For example, if a SecureNAT client requests an internal resource that ISA Server publishes on the External network, name resolution should not return the public IP address of the listener on the External network. If it does, the SecureNAT client sends its request to that external IP address, and the published server may respond directly to the SecureNAT client, in which case the response is dropped. The reason is that the source IP address seen by the published server is replaced with the IP address of the ISA Server internal network adapter, which the published server recognizes as internal, so it may respond directly to the SecureNAT client over the internal network. This creates a scenario in which packets in one direction take a route that does not involve ISA Server while packets in the other direction pass through ISA Server, and ISA Server drops the response as invalid. The usual remedy is a split DNS configuration: internal DNS servers answer published names with the internal address of the published server, while external DNS servers answer with the public listener address.
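The loopback problem above can be audited before clients hit it. The following is an added example (not code from the original page or from ISA Server): it takes the answers an internal DNS server currently gives for a set of names, flags any answer that points at an ISA Server external listener rather than at the internal published server, and derives the split DNS zone the internal server should serve instead. The address plan, host names, publishing rules and DNS answers are all constructed for the example.

```python
"""Name-resolution loopback check for SecureNAT clients (added example)."""
import ipaddress

# Assumed address plan (constructed for this example).
INTERNAL_NETWORKS = [ipaddress.ip_network("10.0.0.0/16")]

# Server publishing rules as "public listener on the External network -> internal server".
# Constructed; a real audit would read these from the ISA Server configuration.
PUBLISHING_RULES = {
    "203.0.113.5": "10.0.2.8",   # www listener -> internal web server
    "203.0.113.6": "10.0.2.7",   # mail listener -> internal mail server
}

# Constructed snapshot of what the internal DNS zone currently answers.
INTERNAL_DNS_ANSWERS = {
    "www.example.com": "203.0.113.5",        # public listener: loops back through ISA Server
    "mail.example.com": "10.0.2.7",          # internal address: correct for internal clients
    "intranet.example.com": "10.0.3.4",      # internal only
    "partner.example.net": "198.51.100.20",  # genuinely external name: fine
}


def classify(ip):
    """Classify a DNS answer from the point of view of a SecureNAT client."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in INTERNAL_NETWORKS):
        return "internal"      # reached directly, never passes through ISA Server
    if str(addr) in PUBLISHING_RULES:
        return "loopback"      # an ISA Server external listener: asymmetric path, reply dropped
    return "external"          # ordinary Internet destination, handled by the NAT driver


def audit(answers):
    """Map each name to its classification so loopback answers stand out."""
    return {name: classify(ip) for name, ip in answers.items()}


def loopback_names(answers):
    """Names whose internal answer would loop back through ISA Server."""
    return sorted(name for name, verdict in audit(answers).items() if verdict == "loopback")


def split_dns_zone(answers):
    """Zone data the internal DNS server should serve: published names point at the
    internal server address from the publishing rule instead of the public listener."""
    fixed = {}
    for name, ip in answers.items():
        fixed[name] = PUBLISHING_RULES[ip] if classify(ip) == "loopback" else ip
    return fixed


if __name__ == "__main__":
    for name, verdict in audit(INTERNAL_DNS_ANSWERS).items():
        print(f"{name:24} {INTERNAL_DNS_ANSWERS[name]:16} {verdict}")
    print("corrected internal zone:", split_dns_zone(INTERNAL_DNS_ANSWERS))
```

The check only flags answers that land on a known listener; a name that resolves to some other address on the External network would also be worth a look, but the publishing rules are what tell you which internal address to substitute.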
Authentication
SecureNAT clients cannot send credentials to ISA Server, because ISA Server sees only the source IP address and protocol of their requests. The only control available for outgoing requests from SecureNAT clients is therefore based on IP addresses, not on user identity. If an ISA Server access rule requires authentication, a SecureNAT client cannot satisfy it; depending on the application, the user may see an authentication prompt or a failure message. Rules that must apply to SecureNAT clients should be written in terms of addresses, and rules that depend on user authentication should be expected to block them.
SecureNAT Clients and Server Publishing
Internal servers published using ISA Server server publishing are usually configured as SecureNAT clients. In a server publishing scenario, ISA Server listens on a specific IP address and port for requests for the internal server. When a request arrives, ISA Server forwards it to the published server in accordance with the server publishing rule. If ISA Server is configured to forward the request to the published server with the original source IP address of the external client from which the packet originated, the published server must be configured as a SecureNAT client: it requires a default route to the Internet through ISA Server, so that reply packets addressed to the external client pass back through ISA Server and are translated before being returned to the source IP address. Configure a published server as a SecureNAT client to ensure that it has a default gateway to the Internet through the ISA Server computer that is publishing it. If the published server cannot be configured as a SecureNAT client (it has no default route to the Internet), ensure that the server publishing rule has the setting Requests appear to come from the ISA Server computer selected, so that the published server replies to the ISA Server internal address and the reply path stays symmetric.
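The routing requirement stated under Configuring SecureNAT Clients (Internet-bound traffic must reach ISA Server, either directly or through a router) and the one stated here for published servers (a default route through ISA Server, otherwise the rule must make requests appear to come from ISA Server) are the same check. The following is an added example, not code from the original page or from ISA Server: it models a small internal network as per-host routing tables, follows the next hop host by host, and reports whether a given host's traffic to a given destination reaches the ISA Server internal adapter. The host names, routing tables and addresses are constructed for the example.

```python
"""Next-hop trace for SecureNAT clients and published servers (added example)."""
import ipaddress

# Assumed lab topology (constructed): ISA Server internal adapter at 10.0.0.1,
# an internal router joining 10.0.0.0/24, 10.0.1.0/24 and 10.0.2.0/24,
# and a second, misconfigured router whose default route avoids ISA Server.
ISA_INTERNAL_IP = ipaddress.ip_address("10.0.0.1")

# Routing tables as (destination prefix, gateway); gateway None means on-link.
ROUTING_TABLES = {
    "client-simple":    [("10.0.0.0/24", None), ("0.0.0.0/0", "10.0.0.1")],
    "client-routed":    [("10.0.1.0/24", None), ("0.0.0.0/0", "10.0.1.1")],
    "client-misrouted": [("10.0.1.0/24", None), ("0.0.0.0/0", "10.0.1.254")],
    "router":           [("10.0.0.0/24", None), ("10.0.1.0/24", None),
                         ("10.0.2.0/24", None), ("0.0.0.0/0", "10.0.0.1")],
    "leaky-router":     [("10.0.0.0/24", None), ("10.0.1.0/24", None),
                         ("0.0.0.0/0", "10.0.0.254")],
    "published-server": [("10.0.2.0/24", None), ("0.0.0.0/0", "10.0.2.1")],
    "isolated-server":  [("10.0.2.0/24", None)],   # no default route at all
}

# Interface addresses of the hops we can keep tracing through (constructed).
HOST_BY_IP = {
    "10.0.1.1": "router", "10.0.2.1": "router", "10.0.0.2": "router",
    "10.0.1.254": "leaky-router", "10.0.0.3": "leaky-router",
}


def next_hop(table, dst):
    """Longest-prefix match; returns the gateway address, or None if dst is on-link."""
    best = None
    for prefix, gw in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return None if best[1] is None else ipaddress.ip_address(best[1])


def trace(host, dst, max_hops=8):
    """Follow gateways host by host and return the gateway addresses traversed.
    Stops when dst is on-link, when the hop is the ISA Server internal adapter,
    or when the gateway belongs to no modelled host (traffic leaves elsewhere)."""
    dst = ipaddress.ip_address(dst)
    hops = []
    for _ in range(max_hops):
        gw = next_hop(ROUTING_TABLES[host], dst)
        if gw is None:
            return hops
        hops.append(gw)
        if gw == ISA_INTERNAL_IP:
            return hops
        host = HOST_BY_IP.get(str(gw))
        if host is None:
            return hops
    raise RuntimeError(f"routing loop starting at {host}")


def reaches_isa(host, dst):
    """True if traffic from host to dst passes through the ISA Server internal adapter."""
    return ISA_INTERNAL_IP in trace(host, dst)


def publishing_mode(server, external_client_ip):
    """Which server publishing setting is safe for this published server."""
    try:
        ok = reaches_isa(server, external_client_ip)
    except LookupError:
        ok = False
    return "original client IP" if ok else "requests appear to come from ISA Server"


if __name__ == "__main__":
    for host in ("client-simple", "client-routed", "client-misrouted"):
        print(host, "->", [str(h) for h in trace(host, "198.51.100.7")], reaches_isa(host, "198.51.100.7"))
    for server in ("published-server", "isolated-server"):
        print(server, "->", publishing_mode(server, "203.0.113.10"))
```

Two things the trace makes visible that a single `route print` on the client does not: a client whose default gateway is a router is only a working SecureNAT client if that router's own default route ends at ISA Server, and internal-to-internal traffic (for example from client-routed to 10.0.2.7) should terminate at the router without ever touching ISA Server.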