About firewall chaining

Firewall chaining specifies how Microsoft Forefront Threat Management Gateway redirects requests from Firewall clients and SecureNAT clients. Requests can be routed directly to the Internet (the default) or to upstream servers located closer to the Internet. The Firewall service on the downstream server acts as a Firewall client of the upstream server, communicating directly with the upstream Firewall service. Upstream servers can be running ISA Server 2000, ISA Server 2004, ISA Server 2006, or Forefront TMG. Firewall chaining routes non-HTTP requests only; it does not route HTTP requests from Firewall and SecureNAT clients. The Web proxy filter transparently handles HTTP requests, which are routed by Web chaining rules instead.

For configuration instructions, see Configuring firewall chaining.

If firewall chaining is configured to send requests to an upstream server, only requests for remote destinations are forwarded. The downstream server handles requests for local destinations itself. The Firewall client considers the following addresses local:

  • All addresses on the network on which the Firewall client is located.
  • All addresses specified in the local routing table on the Firewall client computer.
  • All domain suffixes specified on the Domains tab of the network properties page for the network in which the Firewall client is located.
  • All IP addresses contained in the Locallat.txt file, configured on the Firewall client computer.

For Firewall clients, the user credentials are forwarded with the request to the Firewall service on the upstream server. This makes it possible for you to configure a centralized access policy on an upstream server, such as a main office, as well as a local access policy on the downstream server. SecureNAT clients cannot present user credentials and therefore are denied access if authentication is required on the downstream or upstream server.
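The local-versus-remote decision above, together with the HTTP exclusion and the SecureNAT credential rule, amounts to a small routing policy. The following Python model is an added example, not Microsoft code and not how Forefront TMG is implemented internally; it assumes a Locallat.txt format of one "start end" IPv4 range per line and treats Domains tab entries as DNS suffixes. All network numbers, domains and the configuration object are constructed sample values.

```python
"""Model of how a downstream firewall decides where a client request goes
under firewall chaining (added example, not Forefront TMG code)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

IPRange = Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]


def parse_locallat(text: str) -> List[IPRange]:
    """Parse Locallat.txt-style content. Assumed format: one 'start end'
    IPv4 range per line; blank lines and '#' comments are ignored."""
    ranges: List[IPRange] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        start, end = line.split()
        lo, hi = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
        if lo > hi:
            raise ValueError(f"inverted range in Locallat.txt: {line}")
        ranges.append((lo, hi))
    return ranges


@dataclass
class ClientConfig:
    """The four sources of 'local' addresses listed on the page."""
    network: ipaddress.IPv4Network          # network the Firewall client sits on
    routes: List[ipaddress.IPv4Network]     # local routing table entries
    local_domains: List[str]                # Domains tab suffixes
    locallat: List[IPRange]                 # ranges from Locallat.txt


def is_local_destination(cfg: ClientConfig, dest: str) -> bool:
    """True if the request is handled by the downstream server itself."""
    try:
        ip = ipaddress.IPv4Address(dest)
    except ValueError:
        # Not an IP literal: treat as a host name and match domain suffixes.
        host = dest.lower().rstrip(".")
        for suffix in cfg.local_domains:
            suffix = suffix.lower().lstrip("*").lstrip(".")
            if host == suffix or host.endswith("." + suffix):
                return True
        return False
    if ip in cfg.network:
        return True
    if any(ip in route for route in cfg.routes):
        return True
    return any(lo <= ip <= hi for lo, hi in cfg.locallat)


def route_request(cfg: ClientConfig, client_type: str, protocol: str,
                  dest: str, auth_required: bool) -> str:
    """Return where the downstream server sends the request:
    'web-proxy' (HTTP is handled by the Web proxy filter / Web chaining rules),
    'local', 'upstream', or 'denied'. auth_required models a rule on either
    the downstream or the upstream server that demands user credentials."""
    if protocol.upper() == "HTTP":
        return "web-proxy"
    if is_local_destination(cfg, dest):
        return "local"
    if auth_required and client_type == "SecureNAT":
        # SecureNAT clients cannot present credentials, so they are denied.
        return "denied"
    # Firewall clients forward their credentials with the request.
    return "upstream"


def make_sample_config() -> ClientConfig:
    """Constructed sample configuration for a branch-office client."""
    return ClientConfig(
        network=ipaddress.IPv4Network("10.1.0.0/16"),
        routes=[ipaddress.IPv4Network("192.168.50.0/24")],
        local_domains=["contoso.com"],
        locallat=parse_locallat("# constructed Locallat.txt\n"
                                "172.16.0.0 172.16.255.255\n"),
    )


if __name__ == "__main__":
    cfg = make_sample_config()
    for client, proto, dest in [("Firewall", "FTP", "203.0.113.5"),
                                ("SecureNAT", "FTP", "203.0.113.5"),
                                ("SecureNAT", "HTTP", "203.0.113.5"),
                                ("SecureNAT", "SMB", "fileserver.contoso.com")]:
        print(client, proto, dest, "->", route_request(cfg, client, proto, dest, True))
```

Running the script with authentication required shows the practical consequence for a branch office: the SecureNAT FTP request is denied while the same request from a Firewall client is chained upstream, and the SecureNAT request to the local file server never leaves the downstream server at all.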

The following limitations apply to firewall chaining:

  • Responses to firewall chaining requests are not cached.
  • Setting authentication between the downstream and upstream servers does not work as expected. Use of firewall chaining is not recommended if user authentication is required on the upstream server.
  • Requests from Firewall clients do not work as expected for protocols with secondary connections. For these protocols, we recommend that you do not configure firewall chaining to forward requests from Firewall clients to an upstream server.
  • Firewall chaining does not work as expected if there is a network object defined between the downstream and upstream server locations. We recommend that you do not configure a network between the downstream and upstream firewall.

Even with these limitations, firewall chaining can be useful for the support of SecureNAT clients. Firewall chaining ensures that SecureNAT clients do not rely on a routing infrastructure and default gateway settings. The only requirement is that the downstream Forefront TMG computer has a route to the upstream proxy. For example, in a branch office scenario, firewall chaining lets you chain non-Web requests from SecureNAT clients (who may not be Windows clients) to the main office.