Lesson 3: Protocols not supported by NAT
Objective: List the protocols that NAT does not support
Protocols not supported by NAT
When you integrate NAT into existing networks, consider that there are several protocols NAT does not support.
Some of these unsupported protocols can still work behind the NAT server if a NAT editor is available for that protocol.
A NAT editor allows the NAT server to translate protocols that it cannot handle out of the box. However, some protocols, such as IPSec and Kerberos, cannot be supported at all because of the way these services encrypt and protect their packets.
Protocols not supported by NAT
The following is a list of protocols that NAT does not support:
- Lightweight Directory Access Protocol (LDAP)
- Component Object Model (COM) or Distributed Component Object Model (DCOM), as well as any application that uses DCOM to communicate between clients and servers in a multi-tier solution
- Kerberos Version 5.0
- The Active Directory™ directory service, which uses the Kerberos Version 5.0 protocol; domain controllers cannot replicate through NAT
- Microsoft® Remote Procedure Call (RPC)
- Many of the Microsoft® Management Console (MMC) snap-ins, which use RPC to communicate between the client and the server
- Internet Protocol Security (IPSec) packets that use IP header encryption
For any applications that require the protocols not supported by NAT, use Microsoft® Proxy Server 2.0 as the Internet-connectivity solution.
Reasons for incompatibility
Most of these protocols do not work with NAT because the appropriate NAT editor is not available for them.
However, Microsoft® documentation states that certain protocols, such as RPC and LDAP-based ILS registration, are available through NAT via the proxy software included with the NAT service.
IPSec cannot be made compatible with NAT because it encrypts and integrity-protects IP header information. If the NAT server modifies a packet, IPSec treats the change as possible tampering and rejects the packet.
The Kerberos protocol is not supported for similar reasons. NAT is incompatible with the way IKE (Internet Key Exchange) works, and therefore Kerberos authentication fails when attempted across a NAT server.
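The following is an added illustration, not part of the original lesson, of why an integrity-protected IP header cannot survive address translation. It models a simplified AH-style check: an HMAC over the source address, destination address and payload (mutable fields such as TTL are left out, as AH does), then shows that a NAT rewrite of the source address makes verification fail while a TTL decrement alone does not. The key, addresses and payload are constructed sample values, and the packet model is a plain dictionary rather than a real IPsec implementation.

```python
import hmac
import hashlib
import ipaddress

# Constructed demo key; a real IPsec SA would negotiate this via IKE.
SHARED_KEY = b"constructed-demo-key-not-a-real-sa"


def build_packet(src: str, dst: str, payload: bytes) -> dict:
    """Minimal packet model: IPv4 addresses, TTL and payload."""
    return {"src": src, "dst": dst, "ttl": 64, "payload": payload}


def _covered_bytes(pkt: dict) -> bytes:
    # Fields covered by the integrity check. AH zeroes mutable header fields
    # (TTL, checksum) before hashing but keeps both addresses, so the
    # addresses are the part a NAT rewrite breaks.
    return (ipaddress.IPv4Address(pkt["src"]).packed
            + ipaddress.IPv4Address(pkt["dst"]).packed
            + pkt["payload"])


def sign_packet(pkt: dict, key: bytes = SHARED_KEY) -> dict:
    """Attach an integrity check value (ICV) computed over the covered fields."""
    signed = dict(pkt)
    signed["icv"] = hmac.new(key, _covered_bytes(pkt), hashlib.sha256).digest()
    return signed


def verify_packet(pkt: dict, key: bytes = SHARED_KEY) -> bool:
    """Receiver-side check: recompute the ICV and compare in constant time."""
    expected = hmac.new(key, _covered_bytes(pkt), hashlib.sha256).digest()
    return hmac.compare_digest(expected, pkt.get("icv", b""))


def nat_translate(pkt: dict, public_ip: str) -> dict:
    """What a NAT server does on the way out: rewrite the private source
    address to the public one and decrement TTL like any router."""
    out = dict(pkt)
    out["src"] = public_ip
    out["ttl"] = pkt["ttl"] - 1
    return out


def demo() -> tuple:
    """Returns (verified_before_nat, verified_after_nat, verified_after_ttl_only)."""
    original = sign_packet(build_packet("192.168.1.10", "203.0.113.5", b"hello"))
    before = verify_packet(original)                    # untouched: passes

    natted = nat_translate(original, "198.51.100.7")    # source address rewritten
    after = verify_packet(natted)                       # ICV no longer matches

    hop_only = dict(original)
    hop_only["ttl"] -= 1                                # plain router hop
    ttl_only = verify_packet(hop_only)                  # TTL not covered: passes
    return before, after, ttl_only


if __name__ == "__main__":
    print(demo())  # (True, False, True)
```

The receiver has no way to tell a NAT rewrite from an attacker's modification: both change covered bytes, so both are rejected. That is the behaviour the lesson describes, and it is why a NAT editor cannot "fix" IPSec the way it can for protocols that merely embed addresses in their payload.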
In the next lesson, you will learn how to design a functional NAT solution.