If ease of configuration is your primary goal, SecureNAT clients require only that you configure the gateway on the clients to route to the ISA server. SecureNAT clients support almost any type of browser or OS.
Planning for SecureNAT implementations requires you to understand how the default gateways are configured on your clients. If you're using Dynamic Host Configuration Protocol (DHCP), you can automatically configure the default gateway. A SecureNAT client might also be a Web proxy client.
If you wish to control access to sites and content based on users or groups, you must use either Web proxy or Firewall clients, which support sending user authentication. SecureNAT does not provide user authentication. You can, however, restrict access based on machine IP addresses.
The installation of the SecureNAT client doesn't require you to run an executable; instead, simply configure the default gateway on the local workstation to point to the ISA server's internal IP address (or to the IP address of the local router, which has a route to the internal adapter of the ISA Server). See the following procedures on how to configure the network adapter properties.
To configure the network adapter on a Windows computer with a manually configured IP address, complete the following steps:
1. Open Network And Dial-Up Connections (also known simply as Network Connections). The exact steps to open Network Connections vary according to the client OS, but the interface generally can be found within Control Panel.
2. Select the network adapter installed on the workstation, right-click it, and select Properties.
3. Click Internet Protocol (TCP/IP) and click Properties.
4. In the Default Gateway field, type the IP address of the internal network adapter on the ISA server (or the IP address of the local router, which has a route to the internal adapter of the ISA Server) and click OK twice to close all windows.
In addition to configuring the default gateway, you should also configure the IP address and subnet mask fields. Remember that Steps 1–4 in the preceding procedure are for client workstations with a static IP address defined. The following steps should be used for DHCP-assigned addresses.
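The same static configuration done from Windows PowerShell, as an added example that is not from the book: it drives the Win32_NetworkAdapterConfiguration WMI class that the Network Connections dialog also uses, then reads the gateway back to confirm the change took. The connection name and addresses are constructed sample values placing the client where Client B sits in Figure 4-2.

```powershell
function Set-SecureNatGateway {
    param(
        [Parameter(Mandatory = $true)] [string]$ConnectionName,  # name shown in Network Connections
        [Parameter(Mandatory = $true)] [string]$ClientAddress,
        [Parameter(Mandatory = $true)] [string]$SubnetMask,
        [Parameter(Mandatory = $true)] [string]$Gateway          # ISA internal IP, or the local router
    )
    # Win32_NetworkAdapter.NetConnectionID is the connection name; its Index links to the
    # matching Win32_NetworkAdapterConfiguration instance that holds the IP settings.
    $adapter = Get-WmiObject Win32_NetworkAdapter -Filter "NetConnectionID='$ConnectionName'"
    if (-not $adapter) { throw "No connection named '$ConnectionName'" }
    $cfg = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "Index=$($adapter.Index)"

    # Steps 3 and 4 of the procedure: static address, mask and default gateway.
    # Both methods return 0 on success and 1 when a reboot is needed; anything else is an error.
    $r = $cfg.EnableStatic($ClientAddress, $SubnetMask)
    if ($r.ReturnValue -gt 1) { throw "EnableStatic failed with code $($r.ReturnValue)" }
    $r = $cfg.SetGateways($Gateway, 1)      # gateway metric 1
    if ($r.ReturnValue -gt 1) { throw "SetGateways failed with code $($r.ReturnValue)" }

    # Read the configuration back: the default gateway must now be the ISA (or router) address.
    $cfg = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "Index=$($adapter.Index)"
    if ($cfg.DefaultIPGateway -notcontains $Gateway) {
        throw "Default gateway is '$($cfg.DefaultIPGateway -join ', ')', expected $Gateway"
    }
    "$ConnectionName now uses $Gateway as its default gateway"
}

# Constructed sample: a client on the ISA server's own subnet, so its gateway is
# the ISA internal interface itself (Client B in Figure 4-2).
Set-SecureNatGateway -ConnectionName 'Local Area Connection' `
    -ClientAddress '192.168.1.10' -SubnetMask '255.255.255.0' -Gateway '192.168.1.254'
```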
If all the workstations are dynamically assigned IP addresses from a DHCP server, you can configure each workstation as a SecureNAT client by configuring the scope option 003 Router. To define the router scope option on a Windows-based DHCP server, follow these steps:
1. Open the DHCP console by clicking Start, selecting Programs, then Administrative Tools, and then DHCP.
2. In the left pane, click the plus sign (+) next to the DHCP server name object.
3. Click the plus sign (+) next to the appropriate scope, and then click Scope Options.
4. Right-click Scope Options and select Configure Options.
5. On the General tab, select the 003 Router check box, which activates additional fields within the window.
6. In the IP Address field, type the IP address of the ISA server's internal network adapter (or the IP address of the local router, which has a route to the internal adapter of the ISA server). As an option, you can type the ISA server's server name and click Resolve to have the IP Address field populated automatically. Click Add to add the IP address. Click OK to close.
If each scope uses the same default gateway address, you don't have to add the router option to each scope individually. You can configure a server option to apply the router option once across all scopes configured on the DHCP server. (Configuring server options follows the same procedure as configuring Scope Options, except that, in the left pane, you view the Server Options properties instead of the Scope Options properties.)
If you do provide the server name and click Resolve, ensure that the IP address is correct (that is, the ISA server's internal interface) before clicking Add.
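The DHCP procedure as an added PowerShell example, not from the book: it resolves the ISA server's name the way the Resolve button does, but accepts only an address on the internal subnet before writing option 003 Router, as a scope option or as a server option covering every scope. It assumes the DhcpServer module (Windows Server 2012 or later, a newer tool than the console described above) and rights on the DHCP server; all names and addresses are constructed.

```powershell
function Set-SecureNatRouterOption {
    param(
        [Parameter(Mandatory = $true)] [string]$DhcpServer,      # DHCP server to configure
        [Parameter(Mandatory = $true)] [string]$IsaServerName,   # name you would type before Resolve
        [Parameter(Mandatory = $true)] [string]$InternalSubnet,  # ISA internal network, e.g. 192.168.1.0
        [Parameter(Mandatory = $true)] [string]$InternalMask,    # its mask, e.g. 255.255.255.0
        [string]$ScopeId                                         # omit to set a server option instead
    )
    # Byte order is irrelevant for masking, so a raw UInt32 view of each address is enough.
    function ConvertTo-UInt32 ([System.Net.IPAddress]$Ip) {
        [BitConverter]::ToUInt32($Ip.GetAddressBytes(), 0)
    }
    $mask = ConvertTo-UInt32 $InternalMask
    $net  = (ConvertTo-UInt32 $InternalSubnet) -band $mask

    # Resolve the name as the Resolve button does. A multihomed ISA server may also return
    # its external address, which must never become the clients' default gateway, so only
    # an address on the internal subnet is accepted (the check the text above asks for).
    $candidates = [System.Net.Dns]::GetHostAddresses($IsaServerName) |
        Where-Object { $_.AddressFamily -eq [System.Net.Sockets.AddressFamily]::InterNetwork }
    $router = $candidates |
        Where-Object { ((ConvertTo-UInt32 $_) -band $mask) -eq $net } |
        Select-Object -First 1
    if (-not $router) {
        throw "$IsaServerName resolved to [$($candidates -join ', ')]; none is on $InternalSubnet/$InternalMask"
    }

    # Option 003 Router: a scope option when -ScopeId is given, otherwise a server option.
    $opt = @{ ComputerName = $DhcpServer; Router = $router.ToString() }
    if ($ScopeId) { $opt.ScopeId = $ScopeId }
    Set-DhcpServerv4OptionValue @opt
    $router.ToString()
}

# Constructed sample: the scope for the ISA server's own subnet gets the ISA internal
# interface as its router option.
Set-SecureNatRouterOption -DhcpServer 'dhcp01' -IsaServerName 'isa01' `
    -InternalSubnet '192.168.1.0' -InternalMask '255.255.255.0' -ScopeId '192.168.1.0'
```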
In simple networks (namely, networks in which no routing takes place), clients only need their default gateway configured to point to the ISA server's internal IP address; in complex or routed networks, you need to create a path to the ISA server's internal IP address. The client always needs its default gateway set to the IP address of a router connected to the same local area network. The router then needs to be configured to pass traffic to the ISA server, or to the next closest router to the ISA server, as shown in Figure 4-2. Client A is on a separate subnet from the ISA server, so the client's default gateway must be set to the IP address of the router (10.0.0.254). The router then forwards the client traffic on to the ISA server at 192.168.1.254. Client B, which is on the same subnet as the ISA server, only needs its default gateway set to the internal interface of the ISA server.
Figure 4-2: This diagram shows how complex networks route Secure NAT client traffic.
VPN clients configured as SecureNAT clients use the VPN credentials to authenticate. When clients are configured as Firewall clients, they use the logged-on user credentials instead. By default, when a rule allowing access from the VPN clients' network to the internal network exists, VPN clients access the internal interface of the ISA server (port 8080 for Web proxy clients, and 1745 for Firewall clients).
See Chapter 11, "Securing Virtual Private Network Access," for more information about how VPN clients are configured.
The beauty of SecureNAT clients is that little configuration beyond the default gateway must take place on the client. If, however, the IP address of the ISA server's internal interface changes, be sure to update the default gateway and routes. To check your IP address configuration (including the default gateway), use the IPCONFIG command-line utility. To check your computer's connection to the ISA Server, use the TRACERT or PATHPING command-line utilities.
For more information on the command-line utilities mentioned above, see the Windows Help file.
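An added check script (not from the book) that performs the IPCONFIG and TRACERT checks described above for both cases in Figure 4-2: it confirms that the client's default gateway is the expected address and that the trace ends at the ISA server's internal interface, with the first hop at the local router on a routed network. Windows PowerShell with WMI is assumed; the addresses in the usage lines are those of the figure.

```powershell
function Test-SecureNatPath {
    param(
        [Parameter(Mandatory = $true)] [string]$IsaInternalAddress,  # ISA internal adapter
        [string]$ExpectedGateway                                     # local router on a routed network
    )
    # On the ISA server's own subnet the gateway and the ISA address are the same (Client B).
    if (-not $ExpectedGateway) { $ExpectedGateway = $IsaInternalAddress }

    # What IPCONFIG reports as "Default Gateway", read through WMI for every IP-enabled adapter.
    $gateways = @(Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=TRUE' |
        ForEach-Object { $_.DefaultIPGateway } | Where-Object { $_ })

    # TRACERT with -d: no reverse lookups, so a broken DNS setup cannot stall the trace.
    # Keep the address ending each numbered hop line, or '*' for a hop that timed out.
    $hops = @(tracert -d -h 10 -w 1000 $IsaInternalAddress |
        Where-Object { $_ -match '^\s*\d+\s' } |
        ForEach-Object { if ($_ -match '(\d{1,3}(\.\d{1,3}){3})\s*$') { $Matches[1] } else { '*' } })

    New-Object PSObject -Property @{
        Gateways   = ($gateways -join ', ')
        GatewayOk  = ($gateways -contains $ExpectedGateway)            # IPCONFIG check
        FirstHopOk = ($hops.Count -gt 0 -and $hops[0] -eq $ExpectedGateway)   # router is first hop
        ReachesIsa = ($hops.Count -gt 0 -and $hops[-1] -eq $IsaInternalAddress) # trace ends at ISA
        Hops       = ($hops -join ' > ')
    }
}

# Client A (routed through 10.0.0.254) and Client B (on the ISA subnet), per Figure 4-2.
Test-SecureNatPath -IsaInternalAddress '192.168.1.254' -ExpectedGateway '10.0.0.254'
Test-SecureNatPath -IsaInternalAddress '192.168.1.254'
```

Any result with GatewayOk false points at the client's own configuration (including a stale gateway after the ISA internal address changed), whereas GatewayOk true with ReachesIsa false points at the router or ISA side of the path.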
Customers often find that they are unable to connect to an external resource once ISA Server is in place. Because SecureNAT clients rely on DNS to provide name resolution, if you're having problems with connectivity, check your DNS settings first. A best practice is to configure a split DNS environment, which consists of having a DNS server on an internal or perimeter network, which then forwards resolution to an external DNS server.
For more information about this subject, see Dr. Tom Shinder's excellent article, "You Need to Create a Split DNS!" at http://www.isaserver.org/tutorials/You_Need_to_Create_a_Split_DNS.html.