
Tech51 (技术无忧网) - one-stop Chinese IT technology site - www.tech51.net

The Three Types of Clients in ISA 2006 (Part 3)

Posted: 2009-01-05 14:52  Source:  Author:  Views:
The next sections provide information about SecureNAT clients, including request handling, configuring SecureNAT clients, name resolution, authentication, and server publishing.

Request Handling


ISA Server has no knowledge of SecureNAT clients except in the context of the IP address and protocol used in requests. Requests from SecureNAT clients are directed first to the network address translation (NAT) driver, which substitutes a global IP address that is valid on the Internet for the internal IP address of the SecureNAT client. The client request is then directed to the Microsoft Firewall service to determine if access is allowed. The Firewall service may also cache the requested object or deliver the object from the ISA Server cache. Because requests from SecureNAT clients are handled by the Firewall service, SecureNAT clients benefit from the Firewall service security features. All ISA Server rules can be applied to SecureNAT clients, and policies regarding protocol usage, destination, and content type are also applied to SecureNAT clients. Also, the request may be filtered by application filters and other extensions.

To allow handling of complex protocols (those requiring multiple primary or secondary connections), Microsoft Windows NAT uses NAT editors, which are written as kernel-mode NAT editor drivers. ISA Server application filters replace the functionality generally available through Windows-based NAT editors, and can modify the protocol stream to allow handling of complex protocols. Note the following limitations:

  • SecureNAT clients can only use protocols that have a protocol definition in ISA Server.
  • SecureNAT clients can access resources through ISA Server using complex protocols with secondary connections if an application filter is available on the ISA Server computer.


Configuring SecureNAT Clients


SecureNAT clients do not require special software, but are dependent on the organizational routing structure to forward requests to ISA Server. You must configure the default gateway of the client computer so that all traffic destined to the Internet is sent by way of ISA Server, either directly or indirectly, through a router. When setting the default gateway property, identify which type of network topology you are configuring:

  • Simple network. In a simple network scenario, without routers between the SecureNAT client and the ISA Server computer, you should set the SecureNAT client's default gateway to the IP address of the ISA Server network in which the client is located (usually the Internal network). You can set this manually, using the TCP/IP settings on the client. (These settings can be accessed by clicking the Network icon in Control Panel.)
  • Complex network. In a complex network, one or more routers bridge multiple subnets between the SecureNAT client and the ISA Server computer. The default gateway settings on the last router in the chain should point to ISA Server. Optimally, the router should use a default gateway that routes along the shortest path to the ISA Server computer. Also, the router should not be configured to discard packets destined for addresses outside the corporate network. ISA Server determines how to route the packets.


Name Resolution


SecureNAT clients can request objects both from computers in the local network and from the Internet. Thus, SecureNAT clients require DNS servers that can resolve names both for external and internal computers. The following is recommended:

  • For Internet access only, you should configure TCP/IP settings on the client to use DNS servers on the Internet. You should create an access rule that allows SecureNAT clients to use the DNS protocol and configure the DNS filter for the SecureNAT clients.
  • If SecureNAT clients request data both from the Internet and internal resources, the clients should use a DNS server located on the Internal network. You should configure the DNS server to resolve both internal addresses and Internet addresses.
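As an added illustration (not part of the original article or of Microsoft's documentation), the following Python script parses a constructed `ipconfig /all` listing from a SecureNAT client and checks the two requirements described above: that the default gateway is the expected next hop toward ISA Server (the ISA internal adapter in a simple network, the last router in the chain in a complex network), and that, when the client needs internal resources, its DNS servers sit on the Internal network. The host name, adapter name and all addresses are constructed; the `ipconfig /all` layout is the one Windows prints.

```python
import ipaddress
import re

# Constructed sample of "ipconfig /all" output from a SecureNAT client.
# Addresses are RFC 5737 / private lab values, not real systems.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : client01
   Primary Dns Suffix  . . . . . . . : corp.example
   IP Routing Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : corp.example
   Description . . . . . . . . . . . : Example Gigabit Adapter
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 10.0.0.20
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.0.0.1
   DNS Servers . . . . . . . . . . . : 198.51.100.53
                                       10.0.0.5
"""

# "Label . . . . : value" lines; the label is everything before the dot leader.
_FIELD = re.compile(r"^\s+([A-Za-z][^:]*?)[ .]*:\s*(.*)$")


def parse_ipconfig(text):
    """Return {adapter_name: {field: [values]}} from ipconfig /all text.
    Unlabelled continuation lines (a second DNS server, for example)
    are appended to the field that precedes them."""
    adapters = {}
    current, last_field = None, None
    for line in text.splitlines():
        if not line.strip():
            continue
        # Adapter headers start in column 0 and end with a colon.
        if not line[0].isspace() and line.rstrip().endswith(":"):
            current = line.rstrip()[:-1]
            adapters[current] = {}
            last_field = None
            continue
        if current is None:
            continue  # global "Windows IP Configuration" block
        m = _FIELD.match(line)
        if m:
            last_field = m.group(1).strip()
            value = m.group(2).strip()
            adapters[current].setdefault(last_field, [])
            if value:
                adapters[current][last_field].append(value)
        elif last_field is not None:
            adapters[current][last_field].append(line.strip())
    return adapters


def check_securenat_client(adapters, expected_gateway, internal_nets,
                           needs_internal_resources=True):
    """Apply the SecureNAT client requirements to a parsed adapter table.
    expected_gateway: ISA's internal adapter (simple network) or the last
    router toward ISA (complex network). internal_nets: ranges of the ISA
    Internal network. Returns a list of findings; empty means the client passes."""
    findings = []
    expected = ipaddress.ip_address(expected_gateway)
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    for name, fields in adapters.items():
        gateways = fields.get("Default Gateway", [])
        if str(expected) not in gateways:
            shown = ", ".join(gateways) or "not set"
            findings.append(f"{name}: default gateway {shown} does not point "
                            f"toward ISA Server ({expected})")
        if not needs_internal_resources:
            continue  # Internet-only clients may use DNS servers on the Internet
        for dns in fields.get("DNS Servers", []):
            try:
                addr = ipaddress.ip_address(dns)
            except ValueError:
                continue  # e.g. an IPv6 literal with a zone index
            if not any(addr in n for n in nets):
                findings.append(f"{name}: DNS server {addr} is outside the Internal "
                                "network, so internal names cannot be resolved there")
    return findings


if __name__ == "__main__":
    parsed = parse_ipconfig(SAMPLE_IPCONFIG)
    for finding in check_securenat_client(parsed, "10.0.0.1", ["10.0.0.0/24"]):
        print(finding)
```

Run against the sample, the gateway check passes but the first DNS server (198.51.100.53) is flagged, which is exactly the mixed configuration the second bullet warns against: the client can reach the Internet, but lookups for internal names go to a server that cannot answer them. For an Internet-only client pass `needs_internal_resources=False`, and for a complex network pass the last router's address as `expected_gateway`.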

In particular, when configuring name resolution for SecureNAT clients, it is important to avoid looping requests for internal resources back through the ISA Server computer. For example, if a SecureNAT client makes a request to an internal resource published by ISA Server on the External network, name resolution should not resolve the request to a public IP address on the External network. If it does, and the SecureNAT client sends a request to the external IP address, the publishing server may respond directly to the SecureNAT client, and the response is dropped. The source IP address of the client is replaced with the IP address of the ISA Server internal network adapter, which is recognized as internal by the published server, which may therefore respond directly to the SecureNAT client. This creates a scenario in which packets in one direction take a route that does not involve ISA Server while packets in the other direction go through ISA Server, and ISA Server drops the response as invalid.


Authentication


SecureNAT clients cannot send credentials to ISA Server. The only control available for authenticating outgoing requests for SecureNAT clients is based on IP addresses. If an ISA Server access rule requires authentication, the user may see an authentication message or a failure message.


SecureNAT Clients and Server Publishing


Internal servers published using ISA Server server publishing are usually configured as SecureNAT clients.

In a server publishing scenario, ISA Server listens on a specific IP address and port for requests for the internal server. When a request arrives, ISA Server forwards it to the published server in accordance with the server publishing rule. If ISA Server is configured to forward the request to the published server with the original source IP address of the external client from which the packet originated, the published server must be configured as a SecureNAT client. The internal server requires a default route to the Internet through ISA Server, so that reply packets can be translated by ISA Server and returned to the source IP address. Configure a published server as a SecureNAT client to ensure that it has a default gateway to the Internet through the ISA Server computer that publishes it. If the published server cannot be configured as a SecureNAT client (it has no default route to the Internet), ensure that the server publishing rule has the setting "Requests appear to come from the ISA Server computer" selected.
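The two reply-path failures described on this page, the name-resolution loop-back under "Name Resolution" and the published server without a default route under "SecureNAT Clients and Server Publishing", share one cause: the reply does not travel back through the ISA Server computer that saw the request. The following Python model, added here and not part of the original article or of any Microsoft tooling, traces a request and its reply through a small constructed lab (RFC 5737 and private addresses; the ISA addresses, host names and subnets are all assumptions) and reports whether the exchange succeeds. ISA's handling is reduced to what the page states: the publishing listener forwards to the published server with either the original source address or ISA's internal adapter address, and a reply that bypasses ISA is dropped.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Union

# Constructed lab addressing; none of these values come from the page.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/24")
ISA_INTERNAL = ipaddress.ip_address("10.0.0.1")       # ISA internal adapter
ISA_EXTERNAL = ipaddress.ip_address("203.0.113.10")   # server publishing listener


@dataclass
class Host:
    name: str
    ip: ipaddress.IPv4Address
    net: ipaddress.IPv4Network
    gateway: Optional[ipaddress.IPv4Address] = None   # None = no default route

    def next_hop(self, dst) -> Union[str, ipaddress.IPv4Address, None]:
        """'direct' for an on-link destination, the default gateway
        otherwise, None when the host has no route at all."""
        if dst in self.net:
            return "direct"
        return self.gateway


def reply_path(client: Host, server: Host, request_dst, requests_appear_from_isa: bool) -> str:
    """Trace one request and its reply for a server published through ISA.
    request_dst is the address name resolution handed the client for the
    published host; requests_appear_from_isa mirrors the publishing rule
    setting of that name. Returns 'OK' or a 'FAIL: ...' verdict."""
    if client.next_hop(request_dst) is None:
        return "FAIL: client has no route to the requested address"
    if request_dst == server.ip:
        # Name resolution gave the internal address: only on-link clients
        # can use it, and the exchange never touches ISA Server.
        if client.next_hop(server.ip) != "direct":
            return "FAIL: internal address of the published server is unreachable from here"
        src_seen, request_via_isa = client.ip, False
    elif request_dst == ISA_EXTERNAL:
        # Publishing listener: ISA forwards to the server and either keeps the
        # client's source address or substitutes its own internal adapter.
        src_seen = ISA_INTERNAL if requests_appear_from_isa else client.ip
        request_via_isa = True
    else:
        return "FAIL: request is not addressed to the published server or the ISA listener"

    # Reply: the published server routes toward the source address it saw.
    hop = server.next_hop(src_seen)
    if hop is None:
        return "FAIL: reply unroutable, published server has no default route"
    reply_via_isa = hop == ISA_INTERNAL or src_seen == ISA_INTERNAL
    if request_via_isa and not reply_via_isa:
        return "FAIL: asymmetric route, reply bypasses ISA Server and is dropped"
    return "OK"


def run_scenarios():
    """The cases discussed on the page, keyed by a short description."""
    published = Host("published", ipaddress.ip_address("10.0.0.50"), INTERNAL_NET, ISA_INTERNAL)
    isolated = Host("published-no-gw", ipaddress.ip_address("10.0.0.50"), INTERNAL_NET, None)
    internal_client = Host("client", ipaddress.ip_address("10.0.0.20"), INTERNAL_NET, ISA_INTERNAL)
    external_client = Host("internet-client", ipaddress.ip_address("198.51.100.7"),
                           ipaddress.ip_network("198.51.100.0/24"),
                           ipaddress.ip_address("198.51.100.1"))
    return {
        # Name Resolution: internal client resolved the published host to the public IP.
        "internal client, public IP, original source kept":
            reply_path(internal_client, published, ISA_EXTERNAL, False),
        "internal client, internal IP":
            reply_path(internal_client, published, published.ip, False),
        # Server publishing: reply routing for a client on the Internet.
        "external client, server is SecureNAT client":
            reply_path(external_client, published, ISA_EXTERNAL, False),
        "external client, server has no default route":
            reply_path(external_client, isolated, ISA_EXTERNAL, False),
        "external client, no default route, requests appear from ISA":
            reply_path(external_client, isolated, ISA_EXTERNAL, True),
    }


if __name__ == "__main__":
    for scenario, verdict in run_scenarios().items():
        print(f"{scenario}: {verdict}")
```

The first scenario reproduces the loop-back problem: the request enters through ISA's listener, but the published server sees an on-link source address and answers directly, so the reply never passes ISA. The fourth reproduces the publishing case: with the original client address preserved and no default route, the server cannot answer an Internet address at all, and the fifth shows why selecting "Requests appear to come from the ISA Server computer" repairs it without giving the server a default route.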

(Editor: admin)
