The New NAT-Friendly Microsoft

March 8, 2008 – 2:14 PM

VPN just got easier. Windows 2000 and XP clients can do IPSec out of the box, but when you attempt to VPN to an external resource from behind a NAT router/firewall, challenges ensue. To date, Microsoft has not gotten along well with NAT, but in a brand new update made available for Win2K and XP clients via Windows Update, Microsoft has added NAT-T functionality, which allows the creation of IPSec tunnels when banished to a NAT environment. The description bothers me a bit, as it only notes that the tunnels can be created between Win2K/XP clients and Windows Server 2003 servers. I haven’t yet had the opportunity to setup a test of the new toy, but you can count on hearing more about how it works once I hook up with my buddy Warren for some play time.

There are IPSec management features packed into the update as well, bringing much needed administrative ability down to the client level, and now Windows XP clients are able to take advantage of all of the new IPSec functionality built into Windows Server 2003. Windows 2000 is left out in the cold in many respects, but at least the main NAT-T stuff is available at the very least. One additional note here regarding compatibility. ISA Server environments are warned not to expect compatibility with the latest client updates at this point. My guess is that a patch or service pack will address those issues in time.

MS Article