# Configuring NAT Settings

## Introduction

NAT (Network Address Translation) is the method by which the Central Server can be made available for managed devices to communicate with it. For any deployment to be carried out on a managed device, the Central Server and the respective agent installed device must be in contact, irrespective of the network they reside in.

![nat settings](https://www.manageengine.com/products/desktop-central/images/configure-nat-sett.png)

To configure NAT Settings in the product console, navigate to **Admin > Server Settings > NAT Settings**, where the communication network can be selected either as:

- LAN (Local Area Network)
- WAN (Wide Area Network)

NAT Settings can be configured for both LAN and WAN setups depending on business needs. To manage devices that connect via VPN, the LAN method can be selected. The NAT Settings can be secured by importing SSL certificates, such as a third-party certificate.

## NAT Settings for LAN Setup

- When managed devices reside in a LAN, the IT admin can configure NAT with a private IP address or FQDN (Fully Qualified Domain Name), which will be used by managed devices to reach the Central Server.
- The same NAT can be used by devices that connect to the business network using a VPN.

## NAT Settings for WAN Setup

- To manage devices over the internet, configure the NAT Settings with a public IP address or FQDN (Fully Qualified Domain Name), which is required by WAN devices to contact the Central Server.

**Note:** It is recommended to configure NAT Settings with an FQDN rather than an IP address. This is because an FQDN will be used to check the integrity of secured communication when using certificates. Also, an FQDN can be easily resolved in DNS irrespective of whether the IP address is static or dynamic.

## Modify Your NAT Settings

Once configured, NAT Settings can be modified by navigating to the same page. When NAT Settings are modified:

- Previously managed devices will try to contact the previous FQDN/IP address.
- Devices added to Endpoint Central's scope after the modification will contact the updated FQDN/IP address.

To eliminate communication breaks for previously managed devices, the former FQDN/IP address should be mapped to the newly added one.

For scenarios involving certificate import and NAT FQDN changes, refer to this [KB on avoiding agent communication failure due to SAN mismatch](https://www.manageengine.com/products/desktop-central/kb/error-while-updating-nat-settings-or-import-certificate.html).

## Secure Management of Over-the-Internet Devices

Secure Gateway Server is used to secure communication between the Central Server and managed devices over the internet. This provides an additional layer of security for device management.

To configure Secure Gateway Server, the public FQDN/IP address of the Central Server is mapped to the Secure Gateway Server.

For further understanding of the importance and working of Secure Gateway Server, visit this [page](https://www.manageengine.com/products/desktop-central/secure-communication-of-mobile-users-using-forwarding-server.html).