Proxy Server 2.0 Dynamic Packet Filtering Does Not Interoperate with NAT (245100)


The information in this article applies to:

  • Microsoft Windows 2000 Server
  • Microsoft Proxy Server 2.0
This article was previously published under Q245100

SUMMARY

You can install Proxy 2.0 on a Windows 2000-based server that is running the Windows 2000 Network Address Translation service (NAT). Both Proxy Server and NAT provide techniques for allowing internal network clients that are using private (ambiguous) IP addresses to gain access to program servers on the Internet by replacing the source address of the request with a valid (unambiguous) IP address. Although the end result is similar, the techniques used by Proxy Server and NAT to accomplish address masking are different. You can use a combination of these techniques to provide certain benefits in different scenarios. More information about these services and techniques is available in the Windows 2000 and Proxy 2.0 online documentation.

MORE INFORMATION

Both the Windows 2000 Routing and Remote Access service (RRAS) and Proxy Server 2.0 also include a Packet Filtering feature for security. When you are running Proxy Server, RRAS, and NAT on the same server, use only Proxy Server 2.0 packet filtering on the external network adapters. If packet filtering is required on the internal adapters, use RRAS packet filtering.

Proxy Server includes additional packet filtering configuration capabilities and dynamic packet filtering, which dynamically opens and closes ports so that client requests and responses can traverse the firewall. This requires no port configuration for the packet filter and provides a higher level of security because ports remain closed until a request to open them is made by an internal client.

Note that only Proxy Server clients (Web Proxy, Winsock Proxy, and Socks Proxy clients) can take advantage of the dynamic packet filter. If NAT clients need to gain access through the firewall, you must create static filter exceptions for the TCP and User Datagram Protocol (UDP) ports that the NAT clients need to use. This creates static "holes" in the firewall; use this method sparingly.

For additional information about running Proxy Server 2.0 on Windows 2000, click the article number below to view the article in the Microsoft Knowledge Base:

253131 How to Install Proxy Server 2.0 on Windows 2000

Modification Type:MajorLast Reviewed:10/9/2002
Keywords:kbenv kbinfo kbinterop KB245100
©2002 Microsoft Corporation. All rights reserved.