Apparatus and method for firewall traversal

US 20060085548A1
Filed: 10/18/2004
Published: 04/20/2006
Est. Priority Date: 10/18/2004
Status: Active Grant

First Claim

Patent Images

1. A method for traversing a firewall device to maintain a registration between a first device and a second device separated by the firewall device, the method comprising:

intercepting a registration message from the first device to the second device;

determining whether it is time to renew the first device'"'"'s registration, wherein the determination is based on a first timeout period defined by the second device;

forwarding the registration message to the second device if it is time to renew the first device'"'"'s registration;

intercepting a response message from the second device to the first device, wherein the response message includes the first timeout period; and

replacing the first timeout period in the response message with a second timeout period based on a binding lifetime of the firewall device before forwarding the response message to the first device.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An apparatus and method for traversing a network address translation/firewall device to maintain a registration between first and second devices separated by the firewall device are provided. In one example, the method includes intercepting a registration message from the first device to the second device. A determination is made based on a first timeout period defined by the second device as to whether it is time to renew the first device'"'"'s registration. If it is time to renew the first device'"'"'s registration, the registration message is forwarded to the second device. A response message that includes the first timeout period is intercepted, and the first timeout period is replaced with a second timeout period based on a binding lifetime of the firewall device before forwarding the response message to the first device.

53 Citations

View as Search Results

25 Claims

1. A method for traversing a firewall device to maintain a registration between a first device and a second device separated by the firewall device, the method comprising:
- intercepting a registration message from the first device to the second device;
  
  determining whether it is time to renew the first device'"'"'s registration, wherein the determination is based on a first timeout period defined by the second device;
  
  forwarding the registration message to the second device if it is time to renew the first device'"'"'s registration;
  
  intercepting a response message from the second device to the first device, wherein the response message includes the first timeout period; and
  
  replacing the first timeout period in the response message with a second timeout period based on a binding lifetime of the firewall device before forwarding the response message to the first device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1 further comprising sending a substitute response to the first device without forwarding the registration message to the second device if it is not time to renew the first device'"'"'s registration, wherein the substitute response includes the second timeout period.
  - 3. The method of claim 1 further comprising modifying a source address of the registration message before forwarding the registration message to the second device.
  - 4. The method of claim 3 further comprising modifying a destination address of the response message prior to forwarding the response message to the first device.
  - 5. The method of claim 1 further comprising establishing an anchor between the first device and a third device positioned between the firewall device and the second device, wherein the anchor forms a communication channel for the first and third devices through the firewall device.
  - 6. The method of claim 5 wherein establishing an anchor comprises:
    - sending an encapsulated request message from the third device to the first device;
      
      decapsulating the request message by the first device; and
      
      sending the decapsulated request message to the third device via the firewall device, wherein the firewall device opens a channel based on the request message from the first device.
  - 7. The method of claim 1 further comprising discovering the second timeout period, wherein the discovering includes:
    - sending a register request from a first socket associated with the first device to a third device positioned between the firewall device and the second device;
      
      waiting for a predefined period of time;
      
      sending a binding request to the third device from a second socket associated with the first device after the predefined period of time expires; and
      
      if a response is received on the first socket, setting the second timeout period to the predefined period of time.
  - 8. The method of claim 7 further comprising reducing the predefined period of time if no response is received and sending a new register request from the first socket to the third device.
  - 9. The method of claim 1 further comprising sending ping requests to the first device from a third device positioned between the firewall device and the second device.
  - 10. The method of claim 1 further comprising determining a packet delay by sending a time stamped packet to the first device from a third device positioned between the firewall device and the second device, and calculating the packet delay as a difference between the timestamp and the time the packet is received back at the third device from the first device.
  - 11. The method of claim 1 further comprising obtaining status and alarm information from the first device by sending messages to the first device from a third device positioned between the firewall device and the second device
  - 12. The method of claim 1 further comprising:
    - periodically sending a synthetic packet from the first device to a third device positioned between the firewall device and the second device; and
      
      filtering the synthetic packet by the third device to prevent the packet from reaching the second device, wherein the synthetic packet prevents an active channel from being terminated due to lack of outbound traffic.

13. A system providing for firewall traversal, the system comprising:
- a first device positioned in a private network;
  
  a firewall device accessible to the private network and a public network;
  
  a second device in the public network configured to register the first device; and
  
  a session controller positioned in the public network between the firewall device and the second device, the session controller comprising a plurality of software executable instructions including;
  
  instructions for intercepting a registration response message from the second device to the first device, wherein the response message includes the first timeout period; and
  
  instructions for replacing the first timeout period in the response message with a second timeout period before forwarding the response message to the first device.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The system of claim 13 wherein the session controller further comprises:
    - instructions for intercepting a registration message from the first device to the second device;
      
      instructions for determining whether it is time to renew the first device'"'"'s registration based on a first timeout period defined by the second device; and
      
      instructions for forwarding the registration message to the second device if it is time to renew the first device'"'"'s registration.
  - 15. The system of claim 14 wherein the session controller further comprises:
    - instructions for learning a first port of the firewall device that has been assigned to a signaling channel established between the first device and the session controller, wherein the first port is learned from the registration message sent from the first device to the second device; and
      
      instructions for learning a second port of the firewall device that has been assigned to a transport channel established between the first device and the session controller.
  - 16. The system of claim 13 wherein the first device is an IP telephone.
  - 17. The system of claim 13 wherein the first device is an analog telephone adapter.
  - 18. The system of claim 13 wherein the registration message is a session initiation protocol (SIP) REGISTER message.

19. An apparatus for enabling a network edge device to maintain a registration between a first device and a second device separated by the edge device, the apparatus comprising:
- an interface accessible to the edge device and the second device; and
  
  means for intercepting a registration message from the first device to the second device;
  
  means for determining whether it is time to renew the first device'"'"'s registration, wherein the determination is based on a first timeout period defined by the second device;
  
  means for forwarding the registration message to the second device if it is time to renew the first device'"'"'s registration;
  
  means for intercepting a response message from the second device to the first device, wherein the response message includes the first timeout period; and
  
  means for replacing the first timeout period in the response message with a second timeout period based on a binding lifetime of the edge device before forwarding the response message to the first device.
- View Dependent Claims (20)
- - 20. The apparatus of claim 19 further comprising means for establishing an anchor between the first device and a third device positioned between the edge device and the second device, wherein the anchor forms a communication channel for the first and third devices through the edge device.

21. A method for traversing a firewall device to maintain a registration between a first device and a second device separated by the firewall device, wherein the first device is protected by the firewall device and the second device is outside the firewall device'"'"'s protection, the method comprising:
- establishing a signaling channel between the first device and the second device;
  
  sending a request to the first device from the second device via the signaling channel, wherein the request is sent at a time that is less than a binding lifetime of the firewall device; and
  
  receiving a response from the first device at the second device via the signaling channel, wherein the response indicates to the firewall device that the signaling channel is active.
- View Dependent Claims (22, 23, 24, 25)
- - 22. The method of claim 21 wherein the request is a session initiation protocol NOTIFY request.
  - 23. The method of claim 21 wherein the response is a “
    - 200 OK”
      
      message.
  - 24. The method of claim 21 wherein the second device learns a port and address of the firewall assigned for the signaling channel in order to establish the signaling channel.
  - 25. The method of claim 24 wherein the second device learns the port and address based on a registration message sent by the first device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
AudioCodes, Inc. (Audiocodes Limited)
Original Assignee
Netrake Corp. (Audiocodes Limited)
Inventors
Maher, Robert Daniel III, Lie, Milton Andre, Rana, Aswinkumar Vishanji, Deerman, James Robert

Granted Patent

US 8,090,845 B2
Time in Patent Office

Days
Field of Search
US Class Current

709/227
CPC Class Codes

H04L 63/029   Firewall traversal, e.g. tu...

H04L 65/1101   Session protocols

H04L 65/1104   Session initiation protocol...

Apparatus and method for firewall traversal

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

53 Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Apparatus and method for firewall traversal

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

53 Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links