Method and system for transmitting information across a firewall
First Claim
1. A method of transmitting information across a firewall among a plurality of computers, at least one first of the computers being at a first side of the firewall and at least one second of the computers being at a second side of the firewall, wherein at least one first proxy at the first side of the firewall and at least one second proxy at the second side of the firewall are associated respectively with the at least one first computer and with the at least one second computer, including the steps of:
generating a plurality of firewall-incompatible messages that enable a server that is connected to the at least one second of the computers at the second side of the firewall to manage resources of the at least one first computer at the first side of the firewall;
establishing a pass-through communication tunnel that directly connects each first and second proxy, the communication tunnel being secured by mutual authentication of the corresponding first and second proxies;
causing a transmitting one of the computers to send a firewall-incompatible message, of the plurality of firewall-incompatible messages, for a receiving one of the computers at the other side of the firewall to a transmitting one of the associated at least one proxy;
sending the firewall-incompatible message from the transmitting proxy to a receiving one of the at least one proxy at the other side of the firewall through the corresponding tunnel;
associating the firewall-incompatible message with the receiving computer; and
forwarding the firewall-incompatible message from the receiving proxy to the receiving computer, wherein each first computer consists of an endpoint in a demilitarized zone and each second computer consists of a gateway in a private network, further including the steps under the control of the second proxy of:
receiving a message of an initial login type encrypted with a shared static key from the first proxy, the initial login message being indicative of a request for an initial login from a first computer and being associated with an indication of a first address and a first logical connection of the first computer,
deciphering the initial login message using the static key,
allocating a corresponding listening logical connection to the second proxy,
storing a memory structure associating the listening logical connection with the first address and the first logical connection,
updating the initial login message by replacing the first logical connection with the listening logical connection, and
encrypting the initial login message using the static key;
wherein the at least one first computer and the at least one first proxy consist of a plurality of first computers and a plurality of first proxies, respectively, an identifier of the first proxies being stored in a further memory structure on the second proxy, and further including the steps under the control of the second proxy of:
associating the identifier of a current first proxy from which the initial login message is received with the corresponding first address and first logical connection in the memory structure,
determining the current proxy corresponding to each message received from each second computer using the memory structure, and
transmitting the message to the current first proxy when available or to a different one of the associated first proxies in the further memory structure otherwise.
Abstract
A method (300;400) and system (100) for transmitting information across a firewall (130b) between multiple endpoints (120) and gateways (135), in a resource management environment (such as the TME) having characteristics that are firewall-incompatible. A gateway proxy (125g) and an endpoint proxy (125e) are associated with the endpoints and the gateways, respectively. The two proxies are connected to each other by means of a pass-through communication tunnel crossing the firewall, which tunnel is secured by mutual authentication of the gateway proxy and the endpoint proxy at its ends. Each endpoint and each gateway is tricked into communication only with the respective proxy. Particularly, a listening port is allocated on the endpoint proxy on behalf of each endpoint, so that the corresponding gateway will open a connection back to the endpoint proxy on the listening port for transmitting any packet to the endpoint. A table (230) stored on the endpoint proxy associates each listening port with the corresponding endpoint for managing the routing of the packets.
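As an added illustration (not code from the patent or from any implementation of it), the following Python models the login rewrite and return-path routing that claim 1 and the abstract describe: the private-side proxy (the claims' second proxy, the abstract's endpoint proxy) deciphers the login message with the static key, allocates a listening port, records it in a table against the endpoint's address and port and the identifier of the DMZ-side proxy that relayed the login, rewrites the port in the message and re-seals it for the gateway, and later routes traffic the gateway sends to that listening port back to the relaying proxy, or to a fallback proxy from the second table when the relaying one is unavailable. The cipher (a SHA-256 counter keystream plus an HMAC tag), the message layout (a JSON object with type, addr and port fields), the proxy identifiers, the port range and the rejection of logins relayed by unregistered proxies are all assumptions of this example; the page does not specify any of them.

```python
"""Model of the login rewrite and return-path routing described in the claims.

Constructed example. The endpoint proxy here is the claims' "second proxy";
"logical connection" is read as a TCP port, as the abstract's "listening port"
suggests. The cipher, message fields and proxy ids are assumptions.
"""
import hashlib
import hmac
import json
import os
import struct

NONCE_LEN = 16
TAG_LEN = 32  # HMAC-SHA256 tag appended to every sealed message


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream from SHA-256: a stand-in for whatever cipher the
    # patent's static-key encryption uses, which the page does not name.
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + struct.pack(">I", counter)).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, message: dict) -> bytes:
    """Encrypt-then-MAC a JSON message under the shared static key."""
    plaintext = json.dumps(message, sort_keys=True).encode()
    nonce = os.urandom(NONCE_LEN)
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def unseal(key: bytes, blob: bytes) -> dict:
    """Verify the tag, then decrypt; a bad tag means forgery or wrong key."""
    nonce, body, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("bad tag: message forged or wrong static key")
    plaintext = bytes(c ^ k for c, k in zip(body, _keystream(key, nonce, len(body))))
    return json.loads(plaintext)


class EndpointProxy:
    """The claims' second proxy, sitting with the gateways in the private network."""

    def __init__(self, static_key: bytes, first_port: int = 9400):
        self.static_key = static_key
        self._next_port = first_port  # assumed allocation policy: sequential ports
        # The claims' "memory structure":
        # listening port -> (endpoint addr, endpoint port, id of relaying DMZ-side proxy)
        self.routes: dict[int, tuple[str, int, str]] = {}
        # The claims' "further memory structure": ids of every known DMZ-side proxy
        self.known_proxies: set[str] = set()

    def register_proxy(self, proxy_id: str) -> None:
        self.known_proxies.add(proxy_id)

    def handle_login(self, blob: bytes, from_proxy: str) -> tuple[bytes, int]:
        """Decipher, allocate a listening port, record the route, rewrite, re-seal."""
        # Added check (not in the claims): only proxies we know may relay logins.
        if from_proxy not in self.known_proxies:
            raise PermissionError(f"login relayed by unknown proxy {from_proxy!r}")
        msg = unseal(self.static_key, blob)
        if msg.get("type") != "login":
            raise ValueError("only initial login messages are rewritten")
        listening_port = self._next_port
        self._next_port += 1
        self.routes[listening_port] = (msg["addr"], msg["port"], from_proxy)
        rewritten = dict(msg, port=listening_port)  # gateway will connect back here
        return seal(self.static_key, rewritten), listening_port

    def route_from_gateway(self, listening_port: int, available: set[str]) -> tuple[str, str, int]:
        """Pick the DMZ-side proxy and endpoint for a packet the gateway sent to listening_port."""
        if listening_port not in self.routes:
            raise LookupError(f"no endpoint registered on listening port {listening_port}")
        addr, port, current = self.routes[listening_port]
        if current in available:
            return current, addr, port
        # Fail over to any other registered DMZ-side proxy that is reachable.
        fallbacks = sorted(self.known_proxies & available)
        if not fallbacks:
            raise ConnectionError("no DMZ-side proxy reachable for this endpoint")
        return fallbacks[0], addr, port


if __name__ == "__main__":
    key = os.urandom(32)
    proxy = EndpointProxy(key)
    proxy.register_proxy("gp-a")
    proxy.register_proxy("gp-b")
    login = seal(key, {"type": "login", "addr": "10.0.0.5", "port": 9494})  # constructed
    out, lp = proxy.handle_login(login, "gp-a")
    print("rewritten login:", unseal(key, out), "listening port:", lp)
    print("route while gp-a up:", proxy.route_from_gateway(lp, {"gp-a", "gp-b"}))
    print("route with gp-a down:", proxy.route_from_gateway(lp, {"gp-b"}))
```

What the model leaves out is the mutually authenticated tunnel, which is where the claims place the security of the channel itself. It also makes a limitation of the claimed design visible: a static shared key gives the login message confidentiality and, here, integrity, but no freshness. A captured login blob unseals and rewrites identically on replay, so a deployment would want a nonce or timestamp inside the message, checked against a replay window, and would treat compromise of any one proxy as compromise of the key for all of them.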
3 Claims
2. A system for transmitting information across a firewall among a plurality of computers, at least one first of the computers being at a first side of the firewall and at least one second of the computers being at a second side of the firewall, wherein at least one first proxy at the first side of the firewall and at least one second proxy at the second side of the firewall are associated respectively with the at least one first computer and with the at least one second computer, the system comprising:
means for generating a plurality of firewall-incompatible messages that enable a server that is connected to the at least one second of the computers at the second side of the firewall to manage resources of the at least one first computer at the first side of the firewall; a pass-through communication tunnel that directly connects each first and second proxy, the communication tunnel being secured by mutual authentication of the corresponding first and second proxies; means for causing a transmitting one of the computers to send a firewall-incompatible message, of the plurality of firewall-incompatible messages, for a receiving one of the computers at the other side of the firewall to a transmitting one of the associated at least one proxy; means for sending the firewall-incompatible message from the transmitting proxy to a receiving one of the at least one proxy at the other side of the firewall through the corresponding tunnel; means for associating the firewall-incompatible message with the receiving computer; and means for forwarding the firewall-incompatible message from the receiving proxy to the receiving computer, wherein each first computer consists of an endpoint in a demilitarized zone and each second computer consists of a gateway in a private network, the system further comprising, under the control of the second proxy: means for receiving a message of an initial login type encrypted with a shared static key from the first proxy, the initial login message being indicative of a request for an initial login from a first computer and being associated with an indication of a first address and a first logical connection of the first computer, means for deciphering the initial login message using the static key, means for allocating a corresponding listening logical connection to the second proxy, means for storing a memory structure associating the listening logical connection with the first address and the first logical connection, means for updating the initial login message by replacing the first logical connection with the listening logical connection, and means for encrypting the initial login message using the static key; wherein the at least one first computer and the at least one first proxy consist of a plurality of first computers and a plurality of first proxies, respectively, an identifier of the first proxies being stored in a further memory structure on the second proxy, and further including, under the control of the second proxy: means for associating the identifier of a current first proxy from which the initial login message is received with the corresponding first address and first logical connection in the memory structure, means for determining the current proxy corresponding to each message received from each second computer using the memory structure, and means for transmitting the message to the current first proxy when available or to a different one of the associated first proxies in the further memory structure otherwise.
3. A computer program product in a tangible computer readable medium for transmitting information across a firewall among a plurality of computers, at least one first of the computers being at a first side of the firewall and at least one second of the computers being at a second side of the firewall, wherein at least one first proxy at the first side of the firewall and at least one second proxy at the second side of the firewall are associated respectively with the at least one first computer and with the at least one second computer, the computer program product comprising:
instructions for generating a plurality of firewall-incompatible messages that enable a server that is connected to the at least one second of the computers at the second side of the firewall to manage resources of the at least one first computer at the first side of the firewall; instructions for establishing a pass-through communication tunnel that directly connects each first and second proxy, the communication tunnel being secured by mutual authentication of the corresponding first and second proxies; instructions for causing a transmitting one of the computers to send a firewall-incompatible message, of the plurality of firewall-incompatible messages, for a receiving one of the computers at the other side of the firewall to a transmitting one of the associated at least one proxy; instructions for sending the firewall-incompatible message from the transmitting proxy to a receiving one of the at least one proxy at the other side of the firewall through the corresponding tunnel; instructions for associating the firewall-incompatible message with the receiving computer; and instructions for forwarding the firewall-incompatible message from the receiving proxy to the receiving computer, wherein each first computer consists of an endpoint in a demilitarized zone and each second computer consists of a gateway in a private network, further including, under the control of the second proxy: instructions for receiving a message of an initial login type encrypted with a shared static key from the first proxy, the initial login message being indicative of a request for an initial login from a first computer and being associated with an indication of a first address and a first logical connection of the first computer, instructions for deciphering the initial login message using the static key, instructions for allocating a corresponding listening logical connection to the second proxy, instructions for storing a memory structure associating the listening logical connection with the first address and the first logical connection, instructions for updating the initial login message by replacing the first logical connection with the listening logical connection, and instructions for encrypting the initial login message using the static key; wherein the at least one first computer and the at least one first proxy consist of a plurality of first computers and a plurality of first proxies, respectively, an identifier of the first proxies being stored in a further memory structure on the second proxy, and further including, under the control of the second proxy: instructions for associating the identifier of a current first proxy from which the initial login message is received with the corresponding first address and first logical connection in the memory structure, instructions for determining the current proxy corresponding to each message received from each second computer using the memory structure, and instructions for transmitting the message to the current first proxy when available or to a different one of the associated first proxies in the further memory structure otherwise.