What Is a SecureNAT Client?
Client computers that do not have Firewall Client software are secure network address translation, or SecureNAT, clients. SecureNAT clients do not require any software installation or configuration, but the clients must be able to route requests for Internet resources through the ISA Server computer. To enable this, you must configure the default gateway on the SecureNAT clients and configure network routing, so that all traffic destined to the Internet is sent through the ISA Server computer.
When a SecureNAT client connects to the ISA Server computer, the request is directed first to the NAT driver, which substitutes the external IP address of the ISA Server computer for the internal IP address of the SecureNAT client. The client request is then directed to the Firewall service to determine whether access is allowed. Finally, the request may be filtered by application filters and other extensions. The Firewall service may also cache the requested object or deliver the object from the ISA Server cache.
Because SecureNAT clients require no software deployment and configuration, SecureNAT clients are the easiest to deploy. SecureNAT clients have other advantages:
1- SecureNAT clients also provide almost as much functionality as Firewall clients. For example, because SecureNAT client requests are passed through the Firewall Service, almost all options for filtering Internet requests apply to SecureNAT clients. If you block access to a specific Web site, or enable access for a specific protocol such as DNS, these rules will also be applied to SecureNAT clients.
2- Requests from SecureNAT clients can be passed to application filters, which can modify the requests to enable handling of complex protocols. For example, the FTP application filter in ISA Server manages the secondary connections for SecureNAT clients as well as for Firewall clients.
3- SecureNAT can use the Web Proxy service for Web access filtering and caching.The Firewall service can pass all HTTP requests to the Web Proxy service, which handles caching and ensures that site and content rules are applied appropriately.
4- Any operating system that supports Transmission Control Protocol/Internet Protocol (TCP/IP) can be configured as a SecureNAT client.
SecureNAT clients have two primary limitations:
1- You cannot control access to Internet resources based on users and groups.SecureNAT clients cannot pass authentication credentials to the ISA Server computer, so users cannot be uthenticated. This means that if you configure access rules that require authentication, SecureNAT clients cannot access the resources enabled by the rule.
2- SecureNAT clients may not be able to use all protocols. Some protocols and applications require secondary connections. For example, when you use FTP, by default, the client initiates a primary connection to the server and the server then initiates a secondary connection to the client. ISA Server must use an application filter that edits the data stream to allow SecureNAT clients to use such protocols and applications. ISA Server includes several application filters, such as an FTP filter
and an H.323 filter. If ISA Server does not include the appropriate application filter for a protocol or an application, SecureNAT clients cannot use this protocol or application.
Client computers that do not have Firewall Client software are secure network address translation, or SecureNAT, clients. SecureNAT clients do not require any software installation or configuration, but the clients must be able to route requests for Internet resources through the ISA Server computer. To enable this, you must configure the default gateway on the SecureNAT clients and configure network routing, so that all traffic destined to the Internet is sent through the ISA Server computer.
When a SecureNAT client connects to the ISA Server computer, the request is directed first to the NAT driver, which substitutes the external IP address of the ISA Server computer for the internal IP address of the SecureNAT client. The client request is then directed to the Firewall service to determine whether access is allowed. Finally, the request may be filtered by application filters and other extensions. The Firewall service may also cache the requested object or deliver the object from the ISA Server cache.
Because SecureNAT clients require no software deployment and configuration, SecureNAT clients are the easiest to deploy. SecureNAT clients have other advantages:
1- SecureNAT clients also provide almost as much functionality as Firewall clients. For example, because SecureNAT client requests are passed through the Firewall Service, almost all options for filtering Internet requests apply to SecureNAT clients. If you block access to a specific Web site, or enable access for a specific protocol such as DNS, these rules will also be applied to SecureNAT clients.
2- Requests from SecureNAT clients can be passed to application filters, which can modify the requests to enable handling of complex protocols. For example, the FTP application filter in ISA Server manages the secondary connections for SecureNAT clients as well as for Firewall clients.
3- SecureNAT can use the Web Proxy service for Web access filtering and caching.The Firewall service can pass all HTTP requests to the Web Proxy service, which handles caching and ensures that site and content rules are applied appropriately.
4- Any operating system that supports Transmission Control Protocol/Internet Protocol (TCP/IP) can be configured as a SecureNAT client.
SecureNAT clients have two primary limitations:
1- You cannot control access to Internet resources based on users and groups.SecureNAT clients cannot pass authentication credentials to the ISA Server computer, so users cannot be uthenticated. This means that if you configure access rules that require authentication, SecureNAT clients cannot access the resources enabled by the rule.
2- SecureNAT clients may not be able to use all protocols. Some protocols and applications require secondary connections. For example, when you use FTP, by default, the client initiates a primary connection to the server and the server then initiates a secondary connection to the client. ISA Server must use an application filter that edits the data stream to allow SecureNAT clients to use such protocols and applications. ISA Server includes several application filters, such as an FTP filter
and an H.323 filter. If ISA Server does not include the appropriate application filter for a protocol or an application, SecureNAT clients cannot use this protocol or application.
