Network connection through NAT routers and firewall devices

US 20060053485A1
Filed: 09/08/2004
Published: 03/09/2006
Est. Priority Date: 09/08/2004
Status: Abandoned Application

First Claim

Patent Images

1. A system for exchanging communication, comprising:

a first computing entity located in a first private network;

a second computing entity located in a second private network;

a first firewall device protecting the first private network, the first firewall device being configured to perform network address translation;

a second firewall device protecting the second private network, the second firewall device being configured to perform network address translation; and

a proxy server, the proxy server being a part of neither the first private network nor the second private network;

wherein the first computing entity and the second computing entity are enabled to essentially directly exchange communication packets, the first computing entity being configured to transmit communication packets through the first firewall device to the second computing entity behind the second firewall device and to receive communication packets from the second computing entity transmitted through the second firewall device and the first firewall device, the second computing entity being configured to transmit communication packets through the second firewall device to the first computing entity behind the first firewall device and to receive communication packets from the first computing entity transmitted through the first firewall device and the second firewall device.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for communication and data exchange between two or more systems located in separate, private networks with each network behind a firewall device includes establishing communication with a proxy server. A first system and a second system establish a TCP connection with the proxy server. A TCP probing packet is transmitted to expose the port and address mapping of each firewall device for the systems in the network, and the mapping is provided to the systems. The proxy server commands each system to transmit a SYN packet to the other system, and then to transmit a SYN+ACK packet. The proxy server is used to facilitate the systems establishing essentially direct communication, and enables continued TCP data packet exchange without continued involvement of the proxy server.

53 Citations

View as Search Results

25 Claims

1. A system for exchanging communication, comprising:
- a first computing entity located in a first private network;
  
  a second computing entity located in a second private network;
  
  a first firewall device protecting the first private network, the first firewall device being configured to perform network address translation;
  
  a second firewall device protecting the second private network, the second firewall device being configured to perform network address translation; and
  
  a proxy server, the proxy server being a part of neither the first private network nor the second private network;
  
  wherein the first computing entity and the second computing entity are enabled to essentially directly exchange communication packets, the first computing entity being configured to transmit communication packets through the first firewall device to the second computing entity behind the second firewall device and to receive communication packets from the second computing entity transmitted through the second firewall device and the first firewall device, the second computing entity being configured to transmit communication packets through the second firewall device to the first computing entity behind the first firewall device and to receive communication packets from the first computing entity transmitted through the first firewall device and the second firewall device.
- View Dependent Claims (2, 3, 4)
- - 2. The system of claim 1, wherein the proxy server is configured to expose the IP and port address mapping of the first computing entity and first firewall device to the second computing entity, and the proxy server is further configured to expose the IP and port address mapping of the second computing entity and second firewall device to the first computing entity.
  - 3. The system of claim 2, wherein the proxy server is further configured to enable each of the first computing entity and the second computing entity to establish an essentially direct communication exchange, the essentially direct communication exchange being without a routing of communication packets of the essentially direct communication exchange through the proxy server.
  - 4. The system of claim 3, wherein the enabling of each of the first computing entity and the second computing entity to establish an essentially direct communication exchange includes, establishing a TCP connection between the first computing entity and the proxy server;
    - establishing a TCP connection between the second computing entity and the proxy server;
      
      directing the first computing entity to transmit a SYN packet to the second computing entity;
      
      directing the second computing entity to transmit a SYN packet to the first computing entity;
      
      directing the first computing entity to transmit a SYN+ACK packet to the second computing entity;
      
      directing the second computing entity to transmit a SYN+ACK packet to the first computing entity;
      
      receiving the SYN+ACK packet at the second computing entity;
      
      transitioning to a TCP Connection Established state by the second computing entity;
      
      directing the first computing entity to transmit an ACK packet to finish the connection establishment;
      
      receiving the SYN+ACK packet at the first computing entity;
      
      transitioning to the TCP Connection Established state by the first computing entity; and
      
      directing the second computing entity to transmit an ACK packet to finish establishing the essentially direct communication between the first computing entity and the second computing entity.

5. A method for communication between two or more computers on at least two private networks, a first computer behind a first firewall device and a second computer behind a second firewall device, the method comprising:
- establishing communication with a proxy server, the first computer and the second computer establishing a TCP connection with the proxy server;
  
  transmitting an TCP SYN probing packet, the first computer and the second computer each transmitting a TCP SYN probing packet to the proxy server;
  
  transitioning the first computer and the second computer to a connection established state according to TCP protocol; and
  
  exchanging TCP data packets between the first computer behind the first firewall device and the second computer behind the second firewall device, the exchanging being essentially direct communication between the first computer behind the first firewall device and the second computer behind the second firewall device.
- View Dependent Claims (6, 7, 8, 9)
- - 6. The method according to claim 5, wherein the transitioning the first computer and the second computer to a connection established state according to TCP protocol comprises:
    - transmitting a SYN packet, the proxy server commanding the first computer behind the first firewall device to transmit a SYN packet to the second computer and the proxy server commanding the second computer behind the second firewall device to transmit a SYN packet to the first computer; and
      
      transmitting a SYN+ACK packet, the proxy server commanding the first computer behind the first firewall device to transmit a SYN+ACK packet to the second computer and the proxy server commanding the second computer behind the second firewall device to transmit a SYN+ACK packet to the first computer.
  - 7. The method according to claim 5, wherein the transmitting of the TCP SYN probing packets exposes port and IP mapping to the proxy server.
  - 8. The method of claim 7, further comprising:
    - exposing the port and IP mapping of the first computer behind the first firewall device to the second computer; and
      
      exposing the port and IP mapping of the second computer behind the second firewall device to the first computer.
  - 9. The method of claim 5, wherein the establishing of communication with the proxy server defines a command channel between the proxy server and the first computer and between the proxy server and the second computer.

10. A method of conducting a communication exchange between systems located in separate private networks, each separate private network having a firewall device, the method comprising:
- establishing a TCP connection between a proxy server and a first system behind a first firewall device;
  
  establishing a TCP connection between a proxy server and a second system behind a second firewall device;
  
  transmitting a SYN packet from the first system to the second system;
  
  transmitting a SYN packet from the second system to the first system;
  
  transmitting a SYN+ACK packet from the first system to the second system;
  
  transmitting a SYN+ACK packet from the second system to the first system; and
  
  exchanging TCP packets between the first system behind the first firewall device and the second system behind the second firewall device.
- View Dependent Claims (11, 12, 13, 14, 15, 16)
- - 11. The method of claim 10, wherein the transmitting of the SYN packet from the first system to the second system includes the proxy server commanding the first system behind the first firewall device to transmit the SYN packet to the second system, the SYN packet being blocked by the second firewall device and yet the firewall state transitions to SYN_SENT state
  - 12. The method of claim 10, wherein the transmitting of the SYN packet from the second system to the first system includes the proxy server commanding the second system behind the second firewall device to transmit the SYN packet to the first system, the SYN packet being blocked by the first firewall device and yet the firewall state transitions to SYN_SENT state.
  - 13. The method of claim 10, wherein the transmitting of the SYN+ACK packet from the first system to the second system includes the proxy server commanding the first system behind the first firewall device to transmit the SYN+ACK packet to the second system, the SYN+ACK packet being allowed to pass through the second firewall device and the firewall state transitions to ESTABLISHED state.
  - 14. The method of claim 10, wherein the transmitting of the SYN+ACK packet from the second system to the first system includes the proxy server commanding the second system behind the second firewall device to transmit the SYN+ACK packet to the first system, the SYN+ACK packet being allowed to pass through the first firewall device and the firewall state transitions to ESTABLISHED state.
  - 15. The method of claim 10, wherein when the second system receives the SYN+ACK packet transmitted from the first system to the second system, the second system transitions to a TCP Connection Established state.
  - 16. The method of claim 10, wherein when the first system receives the SYN+ACK packet transmitted from the second system to the first system, the first system transitions to a TCP Connection Established state.

17. A method for establishing a communication link between two or more computers located in separate private networks, each separate private network having a firewall device, the method comprising:
- establishing a TCP connection between a first computer and a proxy server;
  
  establishing a TCP connection between a second computer and a proxy server;
  
  directing the first computer to transmit a SYN packet to the second computer;
  
  directing the second computer to transmit a SYN packet to the first computer;
  
  directing the first computer to transmit a SYN+ACK packet to the second computer;
  
  directing the second computer to transmit a SYN+ACK packet to the first computer;
  
  receiving the SYN+ACK packet at the second computer;
  
  transitioning to a TCP Connection Established state by the second computer;
  
  directing the first computer to transmit a ACK packet to finish the connection establishment;
  
  receiving the SYN+ACK packet at the first computer;
  
  transitioning to the TCP Connection Established state by the first computer; and
  
  directing the second computer to transmit a ACK packet to finish the connection establishment.
- View Dependent Claims (18, 19, 20, 21, 22, 23)
- - 18. The method of claim 17, wherein the directing of the first computer to transmit a SYN packet to the second computer and the directing of the first computer to transmit a SYN+ACK packet to the second computer is by the proxy server to the first computer.
  - 19. The method of claim 17, wherein the directing of the second computer to transmit a SYN packet to the first computer and the directing of the first computer to transmit a SYN+ACK packet to the second computer is by the proxy server to the second computer.
  - 20. The method of claim 17, wherein the SYN packet transmitted by the first computer to the second computer is blocked at a second firewall device, the second computer being behind the second firewall device and yet the firewall state transitions to SYN_SENT state.
  - 21. The method of claim 17, wherein the SYN packet transmitted by the second computer to the first computer is blocked at a first firewall device, the first computer being behind the first firewall device and yet the firewall state transitions to SYN_SENT state.
  - 22. The method of claim 17, wherein the SYN+ACK packet transmitted by the first computer to the second computer is allowed to pass through a second firewall device, the second computer being behind the second firewall device and the firewall state transitions to ESTABLISHED state.
  - 23. The method of claim 17, wherein the SYN+ACK packet transmitted by the second computer to the first computer is allowed to pass through a first firewall device, the first computer being behind the first firewall device and the firewall state transitions to ESTABLISHED state.

24. An integrated circuit chip for establishing data exchange between systems located in separate private networks, each separate private network having a firewall device, the integrated circuit chip comprising:
- logic for establishing a TCP connection between a first computer and a proxy server;
  
  logic for establishing a TCP connection between a second computer and a proxy server;
  
  logic for directing the first computer to transmit a SYN packet to the second computer;
  
  logic for directing the second computer to transmit a SYN packet to the first computer;
  
  logic for directing the first computer to transmit a SYN+ACK packet to the second computer;
  
  logic for directing the second computer to transmit a SYN+ACK packet to the first computer;
  
  logic for directing the first computer to transmit a ACK packet to finish the connection establishment; and
  
  logic for directing the second computer to transmit a ACK packet to finish the connection establishment, wherein when the second computer receives the SYN+ACK packet transmitted by the first computer, the second computer transitions to a TCP Connection Established state, and when the first computer receives the SYN+ACK packet transmitted by the second computer, the first computer transitions to the TCP Connection Established state.

25. A computer readable media having program instructions for establishing a communication link between two or more computers located in separate private networks, each separate private network having a firewall device, the computer readable media comprising:
- program instructions for establishing a TCP connection between a first computer and a proxy server;
  
  program instructions for establishing a TCP connection between a second computer and a proxy server;
  
  program instructions for directing the first computer to transmit a SYN packet to the second computer;
  
  program instructions for directing the second computer to transmit a SYN packet to the first computer;
  
  program instructions for directing the first computer to transmit a SYN+ACK packet to the second computer;
  
  program instructions for directing the second computer to transmit a SYN+ACK packet to the first computer;
  
  program instructions for directing the first computer to transmit a ACK packet to finish the connection establishment; and
  
  program instructions for directing the second computer to transmit a ACK packet to finish the connection establishment, wherein when the second computer receives the SYN+ACK packet transmitted by the first computer, the second computer transitions to a TCP Connection Established state, and when the first computer receives the SYN+ACK packet transmitted by the second computer, the first computer transitions to the TCP Connection Established state.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Seiko Epson Corporation (Seiko Group)
Original Assignee
Seiko Epson Corporation (Seiko Group)
Inventors
Li, Chia-Hsin

Application Number

US10/935,980
Publication Number

US 20060053485A1
Time in Patent Office

Days
Field of Search
US Class Current

726/11
CPC Class Codes

H04L 61/00   Network arrangements, proto...

H04L 61/50   Address allocation

H04L 63/029   Firewall traversal, e.g. tu...

H04L 69/16   Implementation or adaptatio...

H04L 69/163   In-band adaptation of TCP d...

Network connection through NAT routers and firewall devices

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

53 Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Network connection through NAT routers and firewall devices

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

53 Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links