Application programming interface and generalized network address translator for intelligent transparent application gateway processes
Abstract
An intelligent transparent gateway is provided having the advantages of both a proxy and a network address translator, without the necessity of client application compatibility with a proxy. The intelligent transparent gateway is facilitated by a generalized network address translator (gNAT) at the kernel level that is under user-mode proxy control through a proxy application programming interface (API). Initially, the proxy binds to a local socket and commands the API to generate a dynamic port-redirect in the gNAT for all connection requests for a given port to itself (at the local port to which it is bound). The proxy also commands the API to retrieve the address information of the server to which the client has attempted to connect so that a proper translation mapping may be made. The proxy may then service the request itself, establish a session on the client's behalf with the requested server, establish a session on the client's behalf with a different server, etc. The proxy may also request that the API command an address translation in the gNAT so that further messages between the client and the server need not pass up to the user-mode, but may be dynamically redirected within the kernel-mode.
20 Claims

1. A method of providing an intelligent transparent application gateway between a private and a public network, the private network serving at least one client and the public network including at least one server, comprising the steps of:

binding a proxy application to a local socket;
commanding, by the proxy application, a generalized network address translator (gNAT) to generate a dynamic port-redirect from a destination port number to the local socket;
receiving, by the gNAT, a request from a client to connect to the destination port number;
redirecting the request to the local socket; and
servicing the request by the proxy application.

2. The method of claim 1, wherein the step of commanding the gNAT to generate the dynamic port-redirect comprises the steps of:

invoking a transparent proxy application programming interface (API) to create the dynamic port-redirect; and
instructing a generalized network address translation module (gNAT), by the API, to perform the dynamic port-redirect at a kernel-mode.

3. The method of claim 2, wherein the step of redirecting the request to the local socket comprises the steps of:

changing, by the gNAT, a destination address of the connection request to a local address of the local socket;
recording the change made in a translation mapping; and
forwarding the connection request to the proxy application.

4. The method of claim 3, wherein the step of servicing the request in the proxy application comprises the steps of:

invoking the API to determine the address of the server to which the request was originally sent;
establishing a session on the client's behalf with the server; and
forwarding the request to the server.

5. The method of claim 4, further comprising the step performed by the proxy application of establishing a data session for responses from the server to the client.

6. The method of claim 5, wherein the step of establishing a data session comprises the steps of:

commanding a dynamic address translation for message packets received from the server to the client;
receiving a message packet from the server at the kernel-mode gNAT;
translating a destination address of the message packet to the client in the kernel-mode gNAT; and
forwarding the message packet directly to the client, thereby bypassing the proxy application.

7. The method of claim 4, further comprising the step performed by the proxy application of establishing a session for communication between the client and the server.

8. The method of claim 7, wherein the step of establishing a session for communication between the client and the server comprises the steps of:

commanding a dynamic source address translation for client message packets addressed to the server from the client;
commanding a dynamic destination address translation for server message packets from the server;
translating a source address of the client message packet from the client to the server in the kernel-mode gNAT;
forwarding the client message packet directly to the server, thereby bypassing the proxy application;
translating a destination address of the server message packet from the server to the client in the kernel-mode gNAT; and
forwarding the server message packet directly to the client, thereby bypassing the proxy application.

9. The method of claim 4, further comprising the step performed by the proxy application of establishing a data session for client message packets from the client to the server.

10. The method of claim 9, wherein the step of establishing a data session for client message packets comprises the steps of:

commanding a dynamic address translation for client message packets received from the client to the server;
receiving a client message packet from the client at the kernel-mode gNAT;
translating a source address of the client message packet to the server in the kernel-mode gNAT; and
forwarding the message packet directly to the server, thereby bypassing the proxy application.

11. The method of claim 3, wherein the step of servicing the request in the proxy application comprises the steps of:

invoking the API to determine the address of the server to which the request was originally sent;
commanding the API to establish an address translation of the address of the server to which the request was originally sent to an alternate address of another server;
establishing a session on the client's behalf with the other server; and
forwarding the request to the other server.

12. The method of claim 11, further comprising the steps of:

mapping the commanded address translation in the gNAT;
receiving a message packet from the client at the kernel-mode gNAT addressed to the server;
translating the destination address of the message packet in accordance with the commanded address translation;
passing the message packet with the translated destination address to a kernel-mode driver; and
forwarding the message packet to the other server.

13. The method of claim 1, further comprising the step of reserving a plurality of port numbers.

14. The method of claim 13, wherein the request includes therein advertised port numbers, further comprising the step of replacing the port numbers advertised by the client within the request with at least one of the plurality of port numbers reserved.

15. A method of communicating between a client and a server through a gateway, comprising the steps of:

commanding, by a proxy application, that a generalized network address translator (gNAT) generate a dynamic port-redirect within the gateway from a specified first port to a specified second port, the second port being bound to the proxy application;
receiving, by the gNAT, a connection request directed to the first port;
performing a kernel-mode dynamic address translation in accordance with the commanded dynamic port-redirect to direct the connection request to the proxy application;
invoking, by the proxy application, an application programming interface to determine an address of the server to which the request was originally sent; and
servicing the connection request by the proxy application.

16. The method of claim 15, wherein the step of servicing the connection request comprises the steps of:

establishing a session with the server to which the request was originally sent;
commanding a dynamic address redirect associated with the server at a kernel-level within the gateway; and
dynamically redirecting messages at the kernel-level in accordance with the commanded dynamic address redirect, thereby bypassing the proxy.

17. The method of claim 15, wherein the step of servicing the connection request comprises the steps of:

establishing a session with an alternate server other than that to which the request was originally sent;
commanding a dynamic address redirect associated with the alternate server at a kernel-level within the gateway; and
dynamically redirecting messages in the kernel-mode in accordance with the proxy-commanded dynamic address redirect, thereby bypassing the proxy.

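The abstract and claims 1 to 12 and 15 to 17 all describe one control loop: the user-mode proxy binds a local socket, commands the kernel-mode gNAT to redirect a destination port to that socket, learns the original destination through the API, and then commands per-flow translations so the rest of the stream (to the original server, or to an alternate one) is rewritten in the kernel and never passes through the proxy again. The Python below is an added example written for this page, not code from the patent or from any implementation of it: the gNAT is modelled as a translation table keyed on the packet's protocol, source and destination, the "proxy API" as methods on that table, and the addresses, the `Packet` fields, the method names, the fixed gateway-side port and the deny-list policy in the proxy are all assumptions made for the illustration.

```python
from dataclasses import dataclass, replace

GATEWAY_IP = "10.0.0.1"     # assumed: gateway address on the private network
PUBLIC_IP = "203.0.113.1"   # assumed: gateway address on the public network
PROXY_PORT = 8080           # assumed: local socket the proxy binds to
PROXIED_PORT = 80           # assumed: destination port the proxy intercepts


@dataclass(frozen=True)
class Packet:
    proto: str
    src: tuple          # (ip, port)
    dst: tuple          # (ip, port)
    syn: bool = False   # True for a connection request


class GNAT:
    """Kernel-mode gNAT model: a port-redirect table plus per-flow translations."""

    def __init__(self):
        self.port_redirects = {}  # (proto, dst_port) -> local port        (claim 1)
        self.flows = {}           # (proto, src, dst) -> (new_src, new_dst)
        self.original_dst = {}    # (proto, client) -> server the client asked for

    # ---- proxy API: the commands a user-mode proxy may issue ----
    def add_port_redirect(self, proto, dst_port, local_port):
        self.port_redirects[(proto, dst_port)] = local_port

    def get_original_dst(self, proto, client):               # claim 4
        return self.original_dst[(proto, client)]

    def add_flow(self, proto, src, dst, new_src, new_dst):   # claims 6, 8, 10, 12
        self.flows[(proto, src, dst)] = (new_src, new_dst)

    def remove_flow(self, proto, src, dst):
        self.flows.pop((proto, src, dst), None)

    # ---- kernel datapath ----
    def process(self, pkt):
        """Return (disposition, packet): 'proxy', 'forward' or 'drop'."""
        flow = self.flows.get((pkt.proto, pkt.src, pkt.dst))
        if flow is not None:   # known flow: rewrite in the kernel, no user-mode hop
            out = replace(pkt, src=flow[0], dst=flow[1])
            return ("proxy" if out.dst[0] == GATEWAY_IP else "forward"), out
        local_port = self.port_redirects.get((pkt.proto, pkt.dst[1]))
        if local_port is None:
            return "forward", pkt   # not a proxied port: ordinary routing
        if not pkt.syn:
            return "drop", pkt      # mid-stream packet with no mapping
        # Claim 3: rewrite the destination, record the mapping in both
        # directions, and remember where the client was really going.
        local = (GATEWAY_IP, local_port)
        self.original_dst[(pkt.proto, pkt.src)] = pkt.dst
        self.flows[(pkt.proto, pkt.src, pkt.dst)] = (pkt.src, local)
        self.flows[(pkt.proto, local, pkt.src)] = (pkt.dst, pkt.src)
        return "proxy", replace(pkt, dst=local)


class TransparentProxy:
    """User-mode proxy that drives the gNAT through its API."""

    def __init__(self, gnat, alternates=None, denied_hosts=()):
        self.gnat = gnat
        self.alternates = alternates or {}     # original server -> alternate (claim 11)
        self.denied_hosts = set(denied_hosts)  # assumed policy: hosts never relayed to
        gnat.add_port_redirect("tcp", PROXIED_PORT, PROXY_PORT)

    def accept(self, pkt):
        """Service a redirected connection request; return the server used, or None."""
        client = pkt.src
        server = self.gnat.get_original_dst("tcp", client)
        if server[0] in self.denied_hosts:
            # The destination is client-chosen, so check it before connecting anywhere,
            # and tear the mapping down so the rest of the stream is dropped, not relayed.
            self.gnat.remove_flow("tcp", client, server)
            self.gnat.remove_flow("tcp", (GATEWAY_IP, PROXY_PORT), client)
            return None
        target = self.alternates.get(server, server)
        gw = (PUBLIC_IP, 40001)   # assumed gateway-side port for this session
        # Client packets still addressed to `server` leave as gw -> target, and
        # target's replies come back as server -> client, both rewritten in the kernel.
        self.gnat.add_flow("tcp", client, server, gw, target)
        self.gnat.add_flow("tcp", target, gw, server, client)
        return target


def run_session(alternates=None, denied_hosts=()):
    """Drive one constructed connection through the model; return
    (server actually used, trace of (disposition, src, dst))."""
    gnat = GNAT()
    proxy = TransparentProxy(gnat, alternates, denied_hosts)
    client = ("10.0.0.20", 51000)             # constructed private-side client
    server = ("198.51.100.7", PROXIED_PORT)   # constructed public-side server
    trace = []
    where, pkt = gnat.process(Packet("tcp", client, server, syn=True))
    trace.append((where, pkt.src, pkt.dst))
    target = proxy.accept(pkt) if where == "proxy" else None
    where, pkt = gnat.process(Packet("tcp", client, server))   # first data packet
    trace.append((where, pkt.src, pkt.dst))
    if target is not None:
        where, pkt = gnat.process(Packet("tcp", target, pkt.src))   # server's reply
        trace.append((where, pkt.src, pkt.dst))
    return target, trace
```

`run_session()` shows the three dispositions the claims distinguish: the connection request is redirected to the local socket, the first data packet leaves translated without touching user mode, and the server's reply is rewritten so the client sees the server it asked for even when `alternates` sent the session elsewhere. Two things a real gateway must add that the model leaves out: the original-destination lookup has to be keyed on the accepted connection's full tuple so one client cannot retrieve another's destination, and once the proxy has completed the client-side handshake with its own sequence numbers, splicing the stream in the kernel also requires sequence and acknowledgement fixups on every translated segment. The deny list stands in for the policy check a proxy needs before honouring a client-chosen destination, since a transparent proxy that connects wherever the recovered address points is a relay into any network the gateway can reach.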
18. The method of claim 15, further comprising the step of reserving a plurality of TCP and UDP port numbers.

19. The method of claim 18, wherein the client transmits messages bound for the server, the messages including therein advertised port numbers, further comprising the step of replacing the advertised port numbers from the client within the request with at least one of the plurality of TCP and UDP port numbers reserved.

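Claims 13 and 14, and 18 and 19 for TCP and UDP, cover a proxy that reserves a pool of gateway port numbers and replaces the port a client advertises inside a request with one of them, so that the peer connects back to the reserved gateway port and the gNAT translates that connection to the client. The Python below is an added example, not the patent's code: it assumes an FTP-style `PORT h1,h2,h3,h4,p1,p2` line as the request format (the patent names no protocol), an assumed gateway address and port pool, and it returns the translation the proxy would then command in the gNAT rather than installing it.

```python
import re

PUBLIC_IP = "203.0.113.1"            # assumed: the gateway's public address
RESERVED_POOL = range(50000, 50010)  # assumed: ports reserved for rewrites (claim 13)

# Assumed request format: a line advertising a return address and port in the
# style of FTP's PORT h1,h2,h3,h4,p1,p2 (the patent names no protocol).
PORT_RE = re.compile(
    rb"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r\n$")


class PortReserver:
    """Hands out reserved gateway ports and records the client endpoint each stands for."""

    def __init__(self, pool):
        self.free = list(pool)
        self.in_use = {}   # reserved gateway port -> (client ip, client port)

    def reserve(self, client_endpoint):
        if not self.free:
            raise RuntimeError("reserved port pool exhausted")
        port = self.free.pop(0)
        self.in_use[port] = client_endpoint
        return port

    def release(self, port):
        self.in_use.pop(port, None)
        self.free.append(port)


def rewrite_advertised_port(request, client_ip, reserver):
    """Replace the port a client advertises with a reserved gateway port.

    Returns (rewritten_request, translation): translation is the rule the proxy
    would command in the gNAT, redirecting connections that arrive at the
    reserved gateway port to the client's advertised endpoint. A request that
    advertises nothing comes back unchanged with translation None.
    """
    m = PORT_RE.match(request)
    if m is None:
        return request, None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("malformed PORT command")
    advertised_ip = ".".join(str(f) for f in fields[:4])
    advertised_port = fields[4] * 256 + fields[5]
    # A client may only ask the gateway to open a path back to itself: any other
    # address would make the gateway a relay toward arbitrary hosts, and a
    # privileged port is refused outright.
    if advertised_ip != client_ip:
        raise ValueError("advertised address is not the client's own")
    if advertised_port < 1024:
        raise ValueError("refusing to map a privileged port")
    reserved = reserver.reserve((advertised_ip, advertised_port))
    rewritten = b"PORT %s,%d,%d\r\n" % (
        PUBLIC_IP.replace(".", ",").encode(), reserved // 256, reserved % 256)
    translation = {"listen": (PUBLIC_IP, reserved),
                   "redirect_to": (advertised_ip, advertised_port)}
    return rewritten, translation
```

The rewritten line is longer or shorter than the original whenever the address digits differ, so a proxy that rewrites in-stream rather than terminating the connection must also adjust TCP sequence and acknowledgement numbers for the remainder of the session; and each reserved port has to be released when the corresponding data connection closes, or the pool in claim 13 is exhausted by a client that keeps advertising new ports.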
20. A computer-readable medium having stored thereon modules for transparently proxying communications between a client and a server, comprising:

a proxy application module existing at a user-mode level for servicing client and server communications;
a proxy application programming interface module called by said proxy application module; and
a generalized network address translation module existing at a kernel-mode for performing dynamic address translation;
wherein said proxy application module commands said proxy application programming interface module to command a dynamic address translation between specified addresses by said generalized network address translation module in the kernel-mode; and
wherein said generalized network address translation module translates source and destination addresses of messages at the kernel-mode in accordance with the proxy application module commanded translation.

Specification