WO2002067540A1 - Method and device for data communication through a firewall - Google Patents


Info

Publication number
WO2002067540A1
Authority
WO
WIPO (PCT)
Prior art keywords
unit
connection
firewall
intermediate unit
unique
Application number
PCT/SE2002/000278
Other languages
French (fr)
Inventor
Anders Eriksson
Jeremiah Bassett
Original Assignee
Gatespace Ab

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L 63/029 Firewall traversal, e.g. tunnelling or creating pinholes

Definitions

  • In Fig. 4, a first unit 61 is located behind a first firewall 63. Outside the first firewall 63 a first intermediate unit 65 is located. This first intermediate unit 65 is connectable to a third unit 67. The third unit 67 and the first intermediate unit 65 are shielded by a second firewall 69. Outside this second firewall 69 a second intermediate unit 71 and a second unit 73, which is connectable to the second intermediate unit 71, are located.
  • The process when the second unit 73 requests a connection to the first unit 61 is similar to the process described for the first embodiment. The difference is that the third unit 67 forwards the request coming from the second intermediate unit to the first intermediate unit 65, since the dns-name does not correspond to the third unit 67. The first intermediate unit 65 in turn forwards the request to the first unit 61, which corresponds to the dns-name requested by the second unit, and the connection process is performed in the same way as described above.

Abstract

An intermediate unit used for establishing a connection to a first unit (1) located inside a firewall (3), said connection being desired from a second unit (7) located outside the firewall (3), said intermediate unit being reachable from said second unit (7). Said intermediate unit comprises connection means (81) adapted to receive a control channel and a data channel from the first unit (1), said channels being used for communication between the intermediate unit and the first unit (1), said intermediate unit further comprising receiving means (87) adapted to receive a request from the second unit (7) for a connection to the first unit (1) and forwarding means (89), connected to the receiving means (87) and to the connection means (81), adapted to forward the request to the first unit (1).

Description

METHOD AND DEVICE FOR DATA COMMUNICATION THROUGH A FIREWALL
TECHNICAL FIELD OF THE INVENTION
The present invention relates to a method for establishing a connection to a first unit located inside a firewall, wherein the connection is desired from a second unit located outside said firewall.
It also relates to a system used for establishing a connection to a first unit located behind a firewall, wherein the connection is desired from a second unit located outside said firewall.
Furthermore it relates to an intermediate unit used for establishing a connection to a first unit located inside a firewall, said connection being desired from a second unit located outside the firewall, said intermediate unit being reachable from said second unit.
RELATED ART
Firewalls are used for protecting terminals or a network of terminals from insight and influences from other terminals. However, a problem arises when a terminal outside this firewall wants to connect to a terminal inside the firewall. As defined in this document, firewalls are usually constructed to allow a unit located inside the firewall to connect to a unit located outside the firewall but not the other way around.
Different examples of how to contact a terminal inside a firewall are present today. For example, mail can be used as an information carrier towards the terminal. The problem with mail is that it does not provide any delivery guarantees and it is datagram oriented. Most applications today want stream oriented communication and timely delivery. Another possible way to contact a terminal inside a firewall today is to use socks. However, there are drawbacks with this method. For example, the applications in the terminals located inside the firewall have to be converted to use the socks protocol and the application has to have knowledge of the location of the socks server. This cannot be achieved transparently to the application.
US 60 1797 discloses a method for establishing connections from outside and in through a firewall. However this method requires that the firewall is manipulated or configured in a particular way and furthermore it is only certain trusted terminals outside the firewall that are given a port number to connect to and thus have the possibility to connect to a terminal inside the firewall.
One problem with all these methods is that they need some kind of configurations to be done to the clients. For example, the client in the US-patent mentioned above needs to know which port number to connect to. Another problem is that in most of these existing methods the firewall has to be affected or configured in some way.
SUMMARY
One object of the invention is to provide a method and a system for connecting to a terminal inside a firewall easily and transparently to the applications used.
Another object of the invention is to provide a method for connecting to a terminal inside a firewall where no configurations need to be done to the applications.
A further object of the invention is to provide such a method and system where the firewall does not need to be affected in any way.
These objects are achieved in a method as initially described where the method comprises the steps described below, not necessarily performed in the mentioned order, whereby step iii) could be performed anywhere between step i) and step iv) and step vi) could be performed anywhere between step i) and step vii) but after step iii):
i) providing an intermediate unit outside the firewall, reachable from at least the second unit;
ii) making a unique ID, which is associated with the first unit and with the intermediate unit, available to the second unit and other units located outside the firewall;
iii) establishing a first connection, being a control channel, from the first unit to the intermediate unit, said intermediate unit being reachable from at least the second unit;
iv) requesting, from the second unit, a connection to said unique ID;
v) forwarding this connection request from the intermediate unit to the first unit through the first connection;
vi) establishing a data channel from the first unit to the intermediate unit;
vii) transferring data between the second unit and the first unit.
The objects are also achieved by a system, as initially described, which comprises an intermediate unit, which is located outside the firewall and which is reachable from at least the second unit, said intermediate unit being adapted to mediate connections required from the second unit to the first unit, whereby a unique ID corresponding to the first unit points out a low level address of the intermediate unit to units located outside the firewall.
The objects are further achieved by an intermediate unit as initially described comprising connection means adapted to receive a control channel and a data channel from the first unit, said channels being used for communication between the intermediate unit and the first unit, said intermediate unit further comprising receiving means adapted to receive a request from the second unit for a connection to the first unit and forwarding means adapted to forward the request to the first unit. Hereby a method for connecting to a terminal inside a firewall from a terminal outside the firewall is achieved where no configurations or manipulations need to be done to either the firewall or the applications used in the communicating units.
Preferably the requesting of a connection from the second unit further comprises the steps of:
- resolving, from the second unit, a low level address corresponding to the requested unique ID, the corresponding low level address being the low level address of the intermediate unit since connections to the first unit have to go through the intermediate unit;
- establishing, from the second unit, a connection to the retrieved low level address;
- initiating a http-dialogue from the second unit;
- forwarding, from the intermediate unit to the first unit, the connection request made by the second unit since the first unit corresponds to the requested unique ID.
Suitably the method further comprises enclosing the unique ID, being a dns-name, together with the low level address, being an IP-address, in the connection request sent to the intermediate unit from the second unit. Hereby the intermediate unit knows which unit the second unit wants to connect to.
The data channel could be a new separate second connection between the first unit and the intermediate unit adapted for transferring data.
Otherwise the establishing of a data channel includes multiplexing the traffic on the first connection, whereby the data channel is included in the first connection. The method could further comprise communicating the unique ID corresponding to the first unit from the first unit to the intermediate unit after the initial establishment of the first connection.
Alternatively the method comprises assigning a unique ID to the first unit in the intermediate unit.
Suitably the method comprises making the unique ID, which corresponds to the first unit, available outside the firewall by including the unique ID in an external dns. Hereby other units, which are located outside the firewall and can reach the intermediate unit, can resolve the unique ID of the first unit.
Http (hypertext transfer protocol) could be used as the communication protocol.
Alternatively https (hypertext transfer protocol security) could be used as the communication protocol.
Preferably a public key infrastructure (PKI) is used. This will further increase the security.
Suitably tcp (transmission control protocol) connections are used.
One or more of the units could be gateways in computer networks. Furthermore one or more of the units could be servers in computer networks.
Suitably the first unit and the intermediate units are provided with software necessary for the communication between these two units.
Advantageously the first unit and the intermediate unit are http-proxies.
BRIEF DESCRIPTION OF THE DRAWINGS
Fig. 1 is a schematic view of a first embodiment of a system according to the invention.
Fig. 2 is a flow chart of a method according to the invention.
Fig. 3 is a schematic view of an intermediate unit according to the invention.
Fig. 4 is a schematic view of a second embodiment of a system according to the invention.
DETAILED DESCRIPTION OF EMBODIMENTS
Fig. 1 is a schematic view of a first embodiment of a system according to the invention. The system comprises a first unit 1 hidden by a firewall 3. Outside the firewall 3 an intermediate unit 5 is located, which is reachable from a second unit 7. The intermediate unit 5 and the second unit 7 could for example be connected to the same network. This could for example be the Internet.
In Fig. 2 the different steps of a method according to the invention are shown. The steps are divided into blocks, which are described in order below:
B25: A first connection 9 (Fig. 1) is established from the first unit 1 to the intermediate unit 5. This first connection 9 is established by the first unit 1 when the first unit 1 wants units located outside the firewall to be able to connect to it. This first connection 9 is a control channel. The control channel could in one embodiment be set up through a socks server. The intermediate unit 5 needs to know a unique ID corresponding to the first unit 1. This is in this embodiment a dns-(domain name system)-name. There are different possibilities for the intermediate unit 5 to obtain a dns-name corresponding to the first unit 1. Two of these possibilities are illustrated in Fig. 2 by two parallel blocks, block B27 and B29.
B27: The first unit 1 communicates its dns-name over the first connection 9 to the intermediate unit 5.
B29: The other, here described, possibility is that the intermediate unit 5 assigns a dns-name to the first unit 1. This could be done when the first unit 1 does not already have a dns-name.
B31: The dns-name is in this embodiment made available to other units, which can reach the intermediate unit. This is performed from the intermediate unit 5 by including the dns-name in an external domain name system. For example it is registered in the dns-information in the intermediate unit 5. Hereby all the units which can reach the intermediate unit will reach this name when they are searching for it. It is also possible that the dns-name has been made available in the network outside the firewall sometime before the first connection was established. The first unit 1 may have connected to another unit outside the firewall just to let it announce its dns-name. The dns-name should always be connected to a low level address, for example the IP-address, of the intermediate unit 5 since a connection to the first unit 1 always has to go through the intermediate unit 5.
B32: A unit, which can reach the intermediate unit 5, for example the second unit 7, resolves the dns-name of the first unit 1. The dns-name is found since it is registered in the external dns. The IP-address given to the second unit 7 is the IP-address of the intermediate unit 5 since all connections to the first unit 1 have to go through the intermediate unit 5.
B35: The second unit 7 connects to the retrieved IP-address and believes that this is the unit corresponding to the wanted dns-name. In fact the second unit 7 is connecting to the intermediate unit 5. The connection is made to the IP-address but the dns-name is always enclosed in the request. This is an important feature of the invention since it makes it possible to forward the connection request to the correct destination. The second unit 7 initiates in one embodiment an http-(hypertext transfer protocol)-dialogue.
B37: The intermediate unit 5 forwards the connection request to the first unit 1, which corresponds to the requested dns-name. The connection request is transferred to the first unit 1 through the first connection 9. To enable the communication between the first unit 1 and the second unit 7, the first unit 1 now establishes a data channel from the first unit 1 to the intermediate unit 5. It is also possible that the data channel had already been established when the second unit 7 requests a connection to the first unit 1. The data channel between the first unit 1 and the intermediate unit 5 can in fact be established at any time. The data channel establishment could be done in different ways. Two ways are described in the two parallel blocks B39 and B41.
B39: One possibility is to establish a new separate second connection 13 (Fig. 1) from the first unit 1 to the intermediate unit 5. This second connection 13 is used for data communication.
B41: The other possibility is that the first connection 9 is utilised also for the data channel. Then, multiplexing of all the traffic on the first connection 9 is needed.
B43: Once the data channel is established the transfer of data between the second unit 7 and the first unit 1 is started and the data is transferred through the data channel, the intermediate unit 5 and through the connection between the second unit 7 and the intermediate unit 5.
In one described embodiment, http is used as the communication protocol and any port(s) may be used. A big advantage is that the applications in neither the first nor the second unit need to be configured or manipulated in any way to be able to perform the communication through the firewall. The applications need not even be aware of the firewall and the method to get through the firewall. The second unit 7 only needs to communicate using, for example, the usual http protocol. It is also possible to use https (hypertext transfer protocol security) as the communication protocol. If https is used, a PKI (Public Key Infrastructure) could also be integrated. A PKI would, for example, ensure that the communication layer between the first unit 1 and the intermediate unit 5 is authenticated.
It is also preferred to use tcp-(transmission control protocol)-connections since tcp, for example, has its own flow control and no further flow control needs to be added.
The first unit 1, the intermediate unit 5, and the second unit 7 can all be gateways or servers in networks. For example, if the first unit 1 is a server connected to a plurality of computers, the first unit 1 can transfer the connection request to a third unit in this network if the second unit 7 requests a connection to the third unit. This is possible thanks to the addressing system used according to this invention, where, even though the connection required from the second unit is established to the retrieved IP-address, the wanted dns-name is always enclosed in the request. Thus, when the first unit 1 receives a connection request from the intermediate unit 5, it can forward this connection request to the unit with the requested dns-name. The first unit needs to find the IP-address corresponding to the dns-name. This is done using dns.
As mentioned above, no configurations need to be done to the applications in either the first unit 1 or the second unit 7. Furthermore the user of the second unit 7 does not have to know anything more than the dns-name of the first unit 1. The firewall also need not be configured to enable communication initiated from outside the firewall. However, the first unit 1 has to be provided with software enabling the communication with the intermediate unit 5. The first unit 1 should be able to initiate the first connection 9 with the intermediate unit 5, possibly transfer the dns-name, maintain the dialogue and initiate a second data connection 13 or multiplex the traffic on the first connection 9. The software in the first unit needs to take care of this. Also, the intermediate unit 5 needs software of the same kind, being able to communicate with the first unit 1. Possibly these functions could be implemented in the hardware of the first unit and the intermediate unit.
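The relay procedure of blocks B25 to B43, together with the third-unit forwarding described just above, modelled in Python as an added example; this is not code from the patent or from Gatespace. The control channel is simulated in-process as one multiplexed connection (the B41 variant), and the class names, the frame layout, the sample dns-names and the 203.0.113.10 address are this example's own assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple


@dataclass
class Frame:
    """Frame multiplexed on the control channel (B41): kind is REGISTER (B27),
    CONNECT (B37, a forwarded request) or DATA (B43, a reply); stream identifies
    the outside connection the payload belongs to."""
    kind: str
    stream: int
    payload: bytes = b""


class FirstUnit:
    """Unit inside the firewall. It only ever initiates connections (B25)."""

    def __init__(self, apps: Dict[str, Callable[[bytes], bytes]]):
        # dns-name -> local application. Several names model the case where the
        # first unit is a server in front of other machines (the 'third unit').
        self.apps = apps
        self.relay: Optional["IntermediateUnit"] = None

    def connect(self, relay: "IntermediateUnit") -> None:
        self.relay = relay                                     # B25: outbound only
        for name in self.apps:                                 # B27: announce names
            relay.on_control_frame(self, Frame("REGISTER", 0, name.encode()))

    def on_control_frame(self, frame: Frame) -> None:
        assert self.relay is not None
        if frame.kind == "CONNECT":                            # B37: forwarded request
            # The wanted dns-name is inside the request, so local dispatch works too.
            app = self.apps.get(host_header(frame.payload) or "")
            reply = app(frame.payload) if app else b"HTTP/1.1 404 Not Found\r\n\r\n"
            self.relay.on_control_frame(self, Frame("DATA", frame.stream, reply))


class IntermediateUnit:
    """Unit outside the firewall, reachable by everyone (B31, B35, B37)."""

    def __init__(self, ip: str):
        self.ip = ip
        self.by_name: Dict[str, FirstUnit] = {}   # dns-name -> owning control channel
        self.external_dns: Dict[str, str] = {}    # dns-name -> the relay's own IP
        self.replies: Dict[int, bytes] = {}       # stream id -> reply from inside
        self.next_stream = 1

    def on_control_frame(self, first: FirstUnit, frame: Frame) -> None:
        if frame.kind == "REGISTER":
            name = frame.payload.decode()
            self.by_name[name] = first
            self.external_dns[name] = self.ip              # B31: name -> relay IP
        elif frame.kind == "DATA":
            self.replies[frame.stream] = frame.payload     # B43: reply for a stream

    def on_outside_request(self, raw_http: bytes) -> bytes:
        # B35: the client connected to our IP; the dns-name it really wanted is
        # only in the request (HTTP Host header). Without it nothing can be routed.
        host = host_header(raw_http)
        first = self.by_name.get(host) if host else None
        if first is None:
            return b"HTTP/1.1 502 Bad Gateway\r\n\r\n"
        stream, self.next_stream = self.next_stream, self.next_stream + 1
        first.on_control_frame(Frame("CONNECT", stream, raw_http))   # B37
        return self.replies.pop(stream, b"HTTP/1.1 504 Gateway Timeout\r\n\r\n")


def host_header(raw_http: bytes) -> Optional[str]:
    """Return the Host header (lower-cased, port stripped) or None if absent."""
    head = raw_http.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            return value.strip().decode("ascii", "replace").split(":")[0].lower()
    return None


class SecondUnit:
    """Plain HTTP client outside the firewall; it knows nothing but the dns-name."""

    def __init__(self, dns: Dict[str, str], relays: Dict[str, IntermediateUnit]):
        self.dns, self.relays = dns, relays

    def get(self, dns_name: str, path: str = "/") -> Optional[bytes]:
        ip = self.dns.get(dns_name)                    # B32: resolves to the relay
        if ip is None or ip not in self.relays:
            return None                                # name never published
        request = f"GET {path} HTTP/1.1\r\nHost: {dns_name}\r\n\r\n".encode()
        return self.relays[ip].on_outside_request(request)     # B35


def demo() -> Tuple[Optional[bytes], Optional[bytes], bytes, bytes]:
    """Constructed scenario: one relay, one first unit serving itself and a third unit."""
    relay = IntermediateUnit("203.0.113.10")     # documentation-range IP, constructed
    inner = FirstUnit({"inner.example": lambda req: b"HTTP/1.1 200 OK\r\n\r\nfirst unit",
                       "third.example": lambda req: b"HTTP/1.1 200 OK\r\n\r\nthird unit"})
    inner.connect(relay)
    client = SecondUnit(relay.external_dns, {relay.ip: relay})
    return (client.get("third.example"),          # relayed, then dispatched inside
            client.get("nobody.example"),         # never published: nothing to connect to
            relay.on_outside_request(b"GET / HTTP/1.1\r\nHost: other.example\r\n\r\n"),
            relay.on_outside_request(b"GET / HTTP/1.1\r\n\r\n"))   # no Host: 502
```

Note what each party observes: the firewall sees only the outbound control connection from the first unit, and the relay can route on nothing but the Host header, which is why a request that lacks one, or names an unregistered unit, is refused rather than forwarded.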
Fig. 3 is a schematic view of an intermediate unit according to the invention. Said intermediate unit comprises software defining a connection means 81 adapted to receive the first connection 9 and also possibly the second connection 13 from the first unit. In this embodiment the software also defines an assigning means 83 adapted to assign a dns-name to the first unit 1. The assigning means 83 is connected to the connection means 81. Furthermore the intermediate unit comprises a receiving means 87 adapted to receive a connection request from the second unit 7 and a forwarding means 89 connected to the receiving means 87 and to the connection means 81 adapted to forward this request through the first connection 9 to the first unit 1. All these described functions comprised in the intermediate unit are defined by the integrated software.
The intermediate unit according to the invention can serve more than one unit located inside a firewall. It can serve more units inside the same firewall and also units inside different firewalls. Thus it is in accordance with the invention possible to establish a connection from one unit inside a first firewall to another unit inside a second firewall.
Fig. 4 is a schematic view of a second embodiment of a system according to the invention. In this embodiment it is shown that it is possible to penetrate more than one firewall with the method according to the invention, thanks to the addressing system where the dns-name is enclosed in the request. Here a first unit 61 is located behind a first firewall 63. Outside the first firewall 63 a first intermediate unit 65 is located. This first intermediate unit 65 is connectable to a third unit 67. The third unit 67 and the first intermediate unit 65 are shielded by a second firewall 69. Outside this second firewall 69 a second intermediate unit 71 and a second unit 73, which is connectable to the second intermediate unit 71, are located. The process when the second unit 73 requests a connection to the first unit 61 is similar to the process described for the first embodiment. The difference is that the third unit 67 forwards the request coming from the second intermediate unit to the first intermediate unit 65, since the dns-name does not correspond to the third unit 67. The first intermediate unit 65 in turn forwards the request to the first unit 61, which corresponds to the dns-name requested by the second unit, and the connection process is performed in the same way as described above.
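The relay described above, as an added example that is not part of the patent: an in-memory Python model of a unit that serves requests for its own dns-name and forwards requests whose Host header names a unit that announced itself over a control channel. It generalises the single-hop case to the forwarding case of the first unit within its own network; the Node class, the function names and the host names (first.example, third.example, im.example) are this example's assumptions, as is the ability to announce more than one dns-name over a control channel.

```python
from typing import Callable, Dict, Optional, Tuple

def parse_http_request(raw: bytes) -> Tuple[str, str, Dict[str, str], bytes]:
    """Split a minimal HTTP/1.1 request into method, path, headers and body.
    The Host header carries the requested dns-name even though the TCP
    connection itself was made to the intermediate unit's IP address."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("ascii").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body

class Node:
    """Any unit of Fig. 1 (hypothetical class): it serves its own dns-name
    or relays a request to the unit that announced that dns-name to it."""

    def __init__(self, dns_name: str, app: Optional[Callable] = None) -> None:
        self.dns_name = dns_name.lower()
        self.app = app                       # local application: (method, path, body) -> response
        self.routes: Dict[str, "Node"] = {}  # dns-name -> next hop

    def open_control_channel(self, outer: "Node", names=()) -> None:
        """Step iii) and claim 6: connect outbound to the outer unit and announce
        which dns-name(s) are reachable through this channel (announcing more
        than the unit's own name is this example's assumption)."""
        for name in (self.dns_name, *names):
            outer.routes[name.lower()] = self

    def handle(self, raw: bytes) -> bytes:
        method, path, headers, body = parse_http_request(raw)
        host = headers.get("host", "").split(":")[0].lower()
        if host == self.dns_name and self.app is not None:
            return self.app(method, path, body)
        if host in self.routes:
            # Step v): forward the request unchanged; the reply travels back
            # over the data channel, modelled here by the return value.
            return self.routes[host].handle(raw)
        # A name with no live control channel is refused, so the intermediate
        # unit never acts as an open relay towards arbitrary hosts.
        return b"HTTP/1.1 502 Bad Gateway\r\nContent-Length: 0\r\n\r\n"

def ok(text: str) -> bytes:
    body = text.encode()
    return b"HTTP/1.1 200 OK\r\nContent-Length: %d\r\n\r\n%s" % (len(body), body)

def build_topology() -> Node:
    """Constructed topology (all names made up): the first unit and a third unit
    of its network sit behind the firewall, the intermediate unit is outside.
    Returns the intermediate unit, the only one reachable from outside."""
    first = Node("first.example", lambda m, p, b: ok(f"first handled {m} {p}"))
    third = Node("third.example", lambda m, p, b: ok(f"third handled {m} {p}"))
    first.routes["third.example"] = third   # inner dns lookup made by the first unit
    intermediate = Node("im.example")
    first.open_control_channel(intermediate, names=["third.example"])
    return intermediate
```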

Claims

1. A method for establishing a connection to a first unit (1) located inside a firewall (3), wherein the connection is desired from a second unit (7) located outside said firewall (3), characterised in that the method comprises the steps described below but not necessarily performed in the mentioned order, whereby step iii) could be performed anywhere between step i) and step iv) and step vi) could be performed anywhere between step i) and vii) but after step iii): i) providing an intermediate unit (5) outside the firewall (3), reachable from at least the second unit (7); ii) making (B31) a unique ID, which is associated with the first unit (1) and with the intermediate unit (5), available to the second unit (7) and other units located outside the firewall (3); iii) establishing (B25) a first connection (9), being a control channel, from the first unit (1) to the intermediate unit (5), said intermediate unit (5) being reachable from at least the second unit (7); iv) requesting, from the second unit (7), a connection to said unique ID; v) forwarding (B37) this connection request from the intermediate unit (5) to the first unit (1) through the first connection (9); vi) establishing (B39; B41) a data channel from the first unit (1) to the intermediate unit (5); vii) transferring (B43) data between the second unit (7) and the first unit (1).
2. A method according to claim 1, wherein the requesting of a connection from the second unit (7) further comprises the steps of:
- resolving, from the second unit (7), a low level address corresponding to the requested unique ID, the corresponding low level address being the low level address of the intermediate unit (5) since connections to the first unit (1) have to go through the intermediate unit (5);
- establishing (B35), from the second unit (7), a connection to the retrieved low level address;
- initiating a http-dialogue from the second unit (7);
- forwarding (B37), from the intermediate unit (5) to the first unit (1), the connection request made by the second unit (7) since the first unit (1) corresponds to the requested unique ID.
3. A method according to claim 1 or 2, further comprising enclosing the unique ID, being a dns-name, together with the low level address, being an IP-address, in the connection request sent to the intermediate unit (5) from the second unit (7).
4. A method according to any one of the claims 1-3, wherein the data channel is a new separate second connection (13) between the first unit (1) and the intermediate unit (5) adapted for transferring data.
5. A method according to any one of the claims 1-3, wherein the establishing of a data channel includes multiplexing (B41) of the traffic on the first connection (9) and wherein the data channel thus is included in the first connection (9).
6. A method according to any one of the claims 1-5, further comprising communicating (B27) the unique ID corresponding to the first unit (1) from the first unit (1) to the intermediate unit (5) after the initial establishment (B25) of the first connection (9).
7. A method according to any one of the claims 1-5, further comprising assigning (B29) a unique ID to the first unit (1) in the intermediate unit (5).
8. A method according to any one of the preceding claims, comprising making the unique ID, which corresponds to the first unit (1), available outside the firewall (3) by including the unique ID in an external dns.
9. A method according to any one of the preceding claims, further comprising using http (= hypertext transfer protocol) as the communication protocol.
10. A method according to any one of the claims 1-8, further comprising using https (= hypertext transfer protocol security) as the communication protocol.
11. A method according to claim 9, further comprising using a public key infrastructure (PKI).
12. A method according to any one of the preceding claims, further comprising utilising tcp (= transmission control protocol) connections.
13. A method according to any one of the preceding claims, wherein one or more of the units (1 ,5,7) could be gateways in computer networks.
14. A method according to any one of the preceding claims, wherein one or more of the units (1 ,5,7) could be servers in computer networks.
15. A method according to any one of the preceding claims, further comprising providing the first unit (1) with a software necessary for the communication with the intermediate unit (5).
16. A system used for establishing a connection to a first unit (1) located behind a firewall (3), wherein the connection is desired from a second unit (7) located outside said firewall (3), characterised in that said system comprises an intermediate unit (5), which is located outside the firewall (3) and which is reachable from at least the second unit (7), said intermediate unit (5) being adapted to mediate connections required from the second unit (7) to the first unit (1), whereby a unique ID corresponding to the first unit (1) points out a low level address of the intermediate unit to units located outside the firewall (3).
17. A system according to claim 16, wherein the first unit (1) and the intermediate unit (5) comprise software necessary for the communication between these two units (1,5).
18. A system according to claim 16 or 17, wherein the first unit (1) and the intermediate unit (5) are http-(hypertext transfer protocol)-proxies.
19. An intermediate unit used for establishing a connection to a first unit (1) located inside a firewall (3), said connection being desired from a second unit (7) located outside the firewall (3), said intermediate unit being reachable from said second unit (7), characterised in that said intermediate unit comprises connection means (81) adapted to receive a control channel and a data channel from the first unit (1), said channels being used for communication between the intermediate unit and the first unit (1), said intermediate unit comprising further receiving means (87) adapted to receive a request from the second unit (7) for a connection to the first unit (1) and forwarding means (89) connected to the receiving means (87) and to the connection means (81) adapted to forward the request to the first unit (1).
20. An intermediate unit according to claim 19, wherein the intermediate unit acts as a http-proxy.
21. An intermediate unit according to claim 19 or 20, comprising software necessary for the communication with the first and second units (1,7).
22. An intermediate unit according to any one of the claims 19-21, comprising assigning means (83) adapted for assigning to the first unit (1) a unique ID.
23. An intermediate unit according to any one of the claims 19-22, wherein the intermediate unit is a gateway.
PCT/SE2002/000278 2001-02-19 2002-01-18 Method and device for data communication through a firewall WO2002067540A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
SE0100545-3 2001-02-19
SE0100545A SE0100545D0 (en) 2001-02-19 2001-02-19 Method and device for data communication

Publications (1)

Publication Number Publication Date
WO2002067540A1 true WO2002067540A1 (en) 2002-08-29

Family

ID=20283035

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/SE2002/000278 WO2002067540A1 (en) 2001-02-19 2002-01-18 Method and device for data communication through a firewall

Country Status (2)

Country Link
SE (1) SE0100545D0 (en)
WO (1) WO2002067540A1 (en)

Also Published As

Publication number Publication date
SE0100545D0 (en) 2001-02-19

Legal Events

Date Code Title Description
AK Designated states (Kind code of ref document: A1)
AL Designated countries for regional patents (Kind code of ref document: A1)
121 Ep: the epo has been informed by wipo that ep was designated in this application
DFPE Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101)
REG Reference to national code (Ref country code: DE; Ref legal event code: 8642)
122 Ep: pct application non-entry in european phase
NENP Non-entry into the national phase (Ref country code: JP)
WWW Wipo information: withdrawn in national office (Country of ref document: JP)