Introduction
With the release of Microsoft Forefront Threat Management Gateway (TMG) 2010, advanced capabilities such as URL filtering, malware protection, the Network Inspection System (NIS), HTTPS inspection, and ISP redundancy seem to get most of the attention. Under the hood, however, there are many other improvements, and among the most important and helpful of those, in my opinion, is Enhanced NAT (E-NAT).
Figure 1
Specify the source of the traffic you wish to translate. In this example I have chosen a specific individual server. However, you have the option of selecting networks, network sets, computer sets, address ranges, and subnets as well. This provides maximum flexibility when establishing NAT relationships in TMG.
Figure 2
Specify the destination for which this NAT rule will apply. In this example I have chosen the External network, as I want to translate any outbound traffic from the server using this rule. Here you have the option of selecting networks, network sets, computer sets, address ranges, and subnets as well. Again, this allows granular control for address translation.
Figure 3
Figure 4
Select the Use the specified IP address option and select an IP address from the available list. Note: These IP addresses must be assigned to the network interface prior to creating this network rule, otherwise they will not appear in this list.
Figure 5
You also have the option to select the Use multiple IP addresses option which allows you to choose more than one IP address to use for this network rule. This is useful for enterprise arrays when NLB is not enabled.
Figure 6
Figure 7
It is important to understand that network rules, like firewall policy rules, are processed in order. For proper operation, more specific rules must be placed before less specific rules. In our example, the more specific rule defining a NAT relationship between a particular host and the External network must be placed before the general rule defining a NAT relationship between the entire Internal network (which the host is a member of) and the External network. After the wizard completes and before applying the configuration, make sure that this new network rule is listed before the general Internet Access network rule.
Figure 8
Once configured, any traffic originating from the host mail.celestix.net that is destined for the External network will match rule #3, in which the network relationship is defined as NAT and the NAT address is explicitly defined as 10.0.0.2 in our example.
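The ordering requirement above is easy to get wrong and TMG will not warn you about it. The following Python model, added here as an illustration and not code from the article or from TMG itself, walks an ordered list of network rules with first-match semantics the way the article describes, and adds a small check that reports any rule that can never match because an earlier, broader rule covers all of its sources. The host name mail.celestix.net and the NAT address 10.0.0.2 come from the article; the Internal network 192.168.1.0/24, the host address 192.168.1.10, the primary external address 10.0.0.1 and the sample destination 203.0.113.5 are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed addresses for this model. The article names the host
# mail.celestix.net and the NAT address 10.0.0.2; everything else is assumed.
INTERNAL = ipaddress.ip_network("192.168.1.0/24")           # assumed Internal network
MAIL_HOST = ipaddress.ip_network("192.168.1.10/32")         # assumed address of mail.celestix.net
PRIMARY_EXTERNAL_IP = ipaddress.ip_address("10.0.0.1")      # assumed default NAT address
MAIL_NAT_IP = ipaddress.ip_address("10.0.0.2")              # NAT address chosen in the article
SAMPLE_DESTINATION = ipaddress.ip_address("203.0.113.5")    # constructed Internet destination


@dataclass
class NetworkRule:
    name: str
    sources: List[ipaddress.IPv4Network]   # source networks or hosts (hosts as /32)
    to_external: bool                      # True: destination is the External network
    relationship: str                      # "NAT" or "Route"
    nat_address: Optional[ipaddress.IPv4Address] = None  # None: use the default address

    def matches(self, src: ipaddress.IPv4Address, dst: ipaddress.IPv4Address) -> bool:
        # Anything outside the Internal network is treated as External here.
        dst_external = dst not in INTERNAL
        return any(src in net for net in self.sources) and dst_external == self.to_external


def translate(rules: List[NetworkRule], src: ipaddress.IPv4Address,
              dst: ipaddress.IPv4Address) -> Tuple[Optional[str], Optional[ipaddress.IPv4Address]]:
    """Return (rule name, source address seen by the destination).
    The first matching rule wins, as the article describes for network rules."""
    for rule in rules:
        if rule.matches(src, dst):
            if rule.relationship == "Route":
                return rule.name, src
            return rule.name, rule.nat_address or PRIMARY_EXTERNAL_IP
    return None, None   # no network relationship: the firewall cannot forward the packet


def shadowed_rules(rules: List[NetworkRule]) -> List[str]:
    """Names of rules that can never match because an earlier rule with the same
    destination already covers every source they list (the misordering the article warns about)."""
    shadowed = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if earlier.to_external != later.to_external:
                continue
            if all(any(net.subnet_of(big) for big in earlier.sources) for net in later.sources):
                shadowed.append(later.name)
                break
    return shadowed


# The two rules from the article: a host-specific NAT rule and the general Internet Access rule.
MAIL_RULE = NetworkRule("Mail server NAT", [MAIL_HOST], True, "NAT", MAIL_NAT_IP)
INTERNET_RULE = NetworkRule("Internet Access", [INTERNAL], True, "NAT")

CORRECT_ORDER = [MAIL_RULE, INTERNET_RULE]   # specific before general
WRONG_ORDER = [INTERNET_RULE, MAIL_RULE]     # general first: the mail rule is never reached

if __name__ == "__main__":
    for label, rules in (("correct order", CORRECT_ORDER), ("wrong order", WRONG_ORDER)):
        name, nat = translate(rules, MAIL_HOST[0], SAMPLE_DESTINATION)
        print(f"{label}: mail host leaves via '{name}' as {nat}; shadowed rules: {shadowed_rules(rules)}")
```

With the rules in the correct order the mail host leaves as 10.0.0.2 while every other Internal host leaves as the primary address; with the general rule first, the mail host is translated to the primary address and `shadowed_rules` flags the dead rule. That second case is exactly what breaks an egress ACL on a front firewall that only permits mail traffic from 10.0.0.2.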
Summary
Static many-to-one and one-to-one NAT is a feature that veteran ISA firewall administrators have been requesting for years. Finally, TMG now includes this capability. E-NAT allows fine-grained control over IP address translation, which is especially helpful when configuring the TMG firewall as a back firewall to a front firewall that includes ACLs for egress filtering.