Introduction to the three ISA/TMG client modes (iii): the SecureNAT client

Source: Internet
Author: User

The SecureNAT client can be said to be the simplest of the three ISA/TMG client types: such clients need no special software and no proxy configuration, but rely on the organisation's routing structure to carry requests to the ISA/TMG server. You must therefore configure a default gateway on the client computer so that all traffic bound for the Internet reaches the ISA server, either directly or indirectly through a router.

In short, before a SecureNAT client is configured you need to determine your current network environment. The two cases are set out below:

1. Simple network. In a simple network there is no router between the SecureNAT client and the ISA Server computer, and the default gateway of the SecureNAT client should be set to the IP address of the ISA server on the network where the client resides (typically the internal network). You can set it manually in the TCP/IP settings on the client (reached through the Network icon in Control Panel).

2. Complex network. In a complex network, one or more routers configured to bridge multiple subnets sit between the SecureNAT client and the ISA Server computer. The default gateway setting on the last router in this chain should point to ISA Server. Ideally, the routers should use default gateways that route along the shortest path to the ISA Server computer. In addition, the routers must not be configured to discard packets destined for addresses outside the corporate network; ISA Server determines how those packets are routed.
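As an added illustration of the two cases above (example code written for this article, not code from the original page or from Microsoft), the following Python walks the chain of default gateways from a client's configured gateway to the ISA server and flags the misconfigurations the text warns about: a chain that ends somewhere other than ISA, a routing loop, or a router that discards packets for addresses outside the corporate network. The topology, the addresses and the `drops_external` flag are constructed assumptions, not real ISA configuration.

```python
from ipaddress import ip_address

# Constructed topology (not from the article): three internal subnets chained by two routers.
# 10.0.2.1 is assumed to be the ISA Server internal adapter; every correct default-route
# chain must end there.
ISA_INTERNAL = ip_address("10.0.2.1")

# Each router: its own default gateway and whether it is (mis)configured to discard
# packets for addresses outside the corporate network.
ROUTERS = {
    "10.0.0.254": {"default_gw": "10.0.1.254", "drops_external": False},
    "10.0.1.254": {"default_gw": "10.0.2.1",   "drops_external": False},
}


def check_default_route(client_gateway, routers=ROUTERS, isa=ISA_INTERNAL, max_hops=8):
    """Follow default gateways from the client's configured gateway until ISA is reached.

    Returns (ok, detail). ok is True only when the chain ends at the ISA internal
    adapter without loops, dead ends, or a router that filters Internet-bound traffic.
    """
    hop = ip_address(client_gateway)
    path = [str(hop)]
    seen = set()
    while hop != isa:
        if hop in seen:
            return False, "routing loop: " + " -> ".join(path)
        if len(path) > max_hops:
            return False, "chain longer than %d hops: %s" % (max_hops, " -> ".join(path))
        seen.add(hop)
        router = routers.get(str(hop))
        if router is None:
            # Simple-network case fails here: the gateway is neither ISA nor a known router.
            return False, f"{hop} is not ISA and is not a known router (wrong default gateway?)"
        if router["drops_external"]:
            return False, f"router {hop} discards packets for non-corporate addresses"
        hop = ip_address(router["default_gw"])
        path.append(str(hop))
    return True, " -> ".join(path)


if __name__ == "__main__":
    # Simple network: the client's gateway is ISA itself.
    print(check_default_route("10.0.2.1"))
    # Complex network: two routers, the last one pointing at ISA.
    print(check_default_route("10.0.0.254"))
    # Broken: the last router's default gateway points somewhere other than ISA.
    broken = {**ROUTERS, "10.0.1.254": {"default_gw": "10.0.1.1", "drops_external": False}}
    print(check_default_route("10.0.0.254", routers=broken))
```

The check reproduces the rule from the text: it is not enough for the client's own gateway to be correct; each router in the chain must forward Internet-bound packets onward, and the last one must hand them to ISA.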

Of the three ISA/TMG client modes, only the SecureNAT client sends no credentials to ISA Server, so the only control that can be used to verify outgoing requests from a SecureNAT client is control by IP address. If an ISA Server access rule requires authentication, the user may see an authentication prompt or a failure message.

Internal servers published through the server publishing feature of ISA Server are typically configured as SecureNAT clients.

In a server publishing scenario, ISA Server listens for requests to internal servers on specific IP addresses and ports. When a request is received, ISA Server forwards it to the published server according to the server publishing rule. If ISA Server is configured to forward requests to the published server with the original source IP address of the external client that generated the packet, the published server must be configured as a SecureNAT client: the internal server needs a default route to the Internet that passes through ISA Server, so that the reply packets are translated by ISA Server and returned to the source IP address. Configuring the published server as a SecureNAT client ensures that its default gateway to the Internet is the ISA Server computer (the server that publishes it). If you cannot configure a published server as a SecureNAT client (it has no default route to the Internet), make sure that the "Make requests from ISA server computer" setting is selected in the server publishing rule.

Name resolution for SecureNAT clients also deserves a brief note:

SecureNAT clients can request objects on computers on the local network or on the Internet. A SecureNAT client therefore needs a DNS server that can resolve the names of both external and internal computers. We recommend the following:

1. If you want to allow access to the Internet only, configure the TCP/IP settings on the client to use a DNS server on the Internet. Create access rules that allow SecureNAT clients to use the DNS protocol, and configure the DNS filter for SecureNAT clients.

2. If SecureNAT clients will request data from both the Internet and internal resources, they should use a DNS server located on the internal network, and that DNS server should be configured to resolve both internal and Internet addresses. In particular, when configuring name resolution for SecureNAT clients, avoid looping requests for internal resources back through the ISA Server computer. For example, if a SecureNAT client requests an internal resource that ISA Server publishes to an external network, name resolution should not resolve the request to the public IP address on the external network. Otherwise, when the SecureNAT client sends the request to the external IP address, the published server may respond directly to the SecureNAT client and the response is discarded. This happens because ISA Server does not replace the client's source IP address with the IP address of its internal network adapter; the published server sees the address as an internal address and therefore responds directly to the SecureNAT client. The result is that packets in one direction travel along a route that does not pass through ISA Server, while packets in the other direction pass through ISA Server, and ISA Server discards them because they are invalid.
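The publishing behaviour described in the server publishing section (original client source address versus the "Make requests from ISA server computer" setting) and the loop-back through the public address in point 2 can be traced with a small model. The following Python is an added example, not code from the original page or from ISA Server; the addresses, the `simulate` function and the one-entry connection table standing in for ISA's state are constructed assumptions. The point it shows is that a stateful firewall only passes a flow whose request and reply both cross it, so any path where one direction bypasses ISA fails.

```python
from ipaddress import ip_address, ip_network

# Constructed addresses (documentation ranges), not from the article.
INTERNAL_NET = ip_network("10.0.0.0/24")
ISA_INTERNAL = ip_address("10.0.0.1")       # ISA internal adapter = SecureNAT default gateway
ISA_EXTERNAL = ip_address("203.0.113.10")   # ISA external adapter, server publishing listener
PUBLISHED_SERVER = ip_address("10.0.0.20")  # internal server behind a server publishing rule
OTHER_ROUTER = ip_address("10.0.0.254")     # hypothetical non-ISA router on the internal net


def simulate(client, resolved, server_gateway, preserve_source):
    """Trace request and reply for one connection to the published server.

    client          address the request originates from
    resolved        what name resolution returned for the published server's name
    server_gateway  default gateway configured on the published server
    preserve_source True  = rule forwards the original client address;
                    False = "Make requests from ISA server computer" is selected
    Returns (outcome, hops): 'direct' (ISA never involved), 'via_isa' (both
    directions cross ISA, NAT state matches) or 'asymmetric' (one direction
    bypasses ISA, so the stateful firewall sees half a flow and drops it).
    """
    client, resolved, server_gateway = map(ip_address, (client, resolved, server_gateway))
    hops = []

    # --- request path ---
    if resolved == PUBLISHED_SERVER:
        if client not in INTERNAL_NET:
            raise ValueError("internal address is not reachable from the Internet")
        hops.append(f"{client} -> {resolved} (same subnet, ISA not involved)")
        hops.append(f"{resolved} -> {client} (reply direct)")
        return "direct", hops
    if resolved != ISA_EXTERNAL:
        raise ValueError("name resolved to an address ISA does not publish")

    # Request to the public listener: an internal client hairpins via its default gateway.
    entry = "ISA internal adapter" if client in INTERNAL_NET else "Internet"
    hops.append(f"{client} -> {ISA_EXTERNAL} via {entry}")
    forwarded_src = client if preserve_source else ISA_INTERNAL
    isa_state = {(forwarded_src, PUBLISHED_SERVER): client}   # ISA's connection table (simplified)
    hops.append(f"ISA -> {PUBLISHED_SERVER} with source {forwarded_src}")

    # --- reply path: the published server answers whatever source address it saw ---
    reply_to = forwarded_src
    if reply_to in INTERNAL_NET:
        reply_next_hop = reply_to            # on-link delivery, no router consulted
    else:
        reply_next_hop = server_gateway      # off-subnet address: use the default gateway
    hops.append(f"{PUBLISHED_SERVER} -> {reply_to}, next hop {reply_next_hop}")

    if reply_next_hop != ISA_INTERNAL:
        hops.append("reply never crosses ISA: stateful inspection sees half a flow and drops it")
        return "asymmetric", hops

    # ISA matches the reply against its table and undoes the translation.
    original_client = isa_state[(reply_to, PUBLISHED_SERVER)]
    hops.append(f"ISA -> {original_client} from {ISA_EXTERNAL} (translated reply)")
    return "via_isa", hops


if __name__ == "__main__":
    cases = [
        ("internal client, internal DNS answer",      "10.0.0.5",     "10.0.0.20",    "10.0.0.1",   True),
        ("internal client, public DNS answer",        "10.0.0.5",     "203.0.113.10", "10.0.0.1",   True),
        ("same, but requests made from ISA",          "10.0.0.5",     "203.0.113.10", "10.0.0.1",   False),
        ("Internet client, server is SecureNAT",      "198.51.100.7", "203.0.113.10", "10.0.0.1",   True),
        ("Internet client, server gateway not ISA",   "198.51.100.7", "203.0.113.10", "10.0.0.254", True),
        ("same, but requests made from ISA",          "198.51.100.7", "203.0.113.10", "10.0.0.254", False),
    ]
    for label, *args in cases:
        outcome, hops = simulate(*args)
        print(f"{label}: {outcome}")
        for h in hops:
            print("   ", h)
```

Reading the outcomes against the text: an internal client that resolves the published name to the internal address never touches ISA; the same client resolving to the public address gets an asymmetric path, which is the loop-back the text says to avoid; a published server whose default gateway is not ISA breaks when the original client address is preserved, and the "Make requests from ISA server computer" setting repairs it because the server then replies to ISA's own internal address.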
