08 February 2011

TMG and ISA VPN and additional networks NAT differences


Both Microsoft Threat Management Gateway 2010 (TMG) and Internet Security and Acceleration Server 2006 (ISA) provide VPN capability. When the VPN is enabled you have an additional network available. This network's interaction with the other attached networks is governed by the network rules. A network rule can be defined to either route or NAT (network address translation) between the networks.

With routing, the IP addresses do not change; the routers are aware of the address ranges and can route traffic between the networks.

With NAT, the addresses are changed so that all communication happens through a common IP address or addresses.

With ISA 2006 you only had the ability to choose between route and NAT.


In TMG 2010 this has been extended for better NAT configuration. You can still choose to route or NAT, but now you can also choose the NAT IPs instead of being limited to the destination network's default addresses. This is available from the additional NAT address selection tab.

Since these settings apply to all network rules, they greatly enhance your configuration options when deploying TMG in a multi-network environment, even when configuring basic internet access. You can now NAT all the servers in an array behind a common NLB IP instead of having to allow an IP for each member of the array. This makes a big difference if you have to configure a primary or third-party firewall to line up with your TMG deployment.
