Apparatus and method for firewall traversal

US 8,090,845 B2
Filed: 10/18/2004
Issued: 01/03/2012
Est. Priority Date: 10/18/2004
Status: Active Grant

First Claim

Patent Images

1. A method for traversing a firewall device to maintain a registration between a first device and a second device separated by the firewall device, the method comprising:

intercepting a registration message from the first device to the second device;

determining, after intercepting the registration message, whether it is time to renew the first device'"'"'s registration by determining whether another registration message from the first device will be intercepted prior to an expiration of a first timeout period defined by the second device;

forwarding the registration message to the second device if it is time to renew the first device'"'"'s registration;

sending a substitute response to the first device without forwarding the registration message to the second device if it is not time to renew the first device'"'"'s registration, wherein the substitute response includes the second timeout period;

intercepting a response message from the second device to the first device, wherein the response message includes the first timeout period; and

replacing the first timeout period in the intercepted response message with a second timeout period based on a binding lifetime of the firewall device before forwarding the response message to the first device.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An apparatus and method for traversing a network address translation/firewall device to maintain a registration between first and second devices separated by the firewall device are provided. In one example, the method includes intercepting a registration message from the first device to the second device. A determination is made based on a first timeout period defined by the second device as to whether it is time to renew the first device'"'"'s registration. If it is time to renew the first device'"'"'s registration, the registration message is forwarded to the second device. A response message that includes the first timeout period is intercepted, and the first timeout period is replaced with a second timeout period based on a binding lifetime of the firewall device before forwarding the response message to the first device.

Citations

18 Claims

1. A method for traversing a firewall device to maintain a registration between a first device and a second device separated by the firewall device, the method comprising:
- intercepting a registration message from the first device to the second device;
  
  determining, after intercepting the registration message, whether it is time to renew the first device'"'"'s registration by determining whether another registration message from the first device will be intercepted prior to an expiration of a first timeout period defined by the second device;
  
  forwarding the registration message to the second device if it is time to renew the first device'"'"'s registration;
  
  sending a substitute response to the first device without forwarding the registration message to the second device if it is not time to renew the first device'"'"'s registration, wherein the substitute response includes the second timeout period;
  
  intercepting a response message from the second device to the first device, wherein the response message includes the first timeout period; and
  
  replacing the first timeout period in the intercepted response message with a second timeout period based on a binding lifetime of the firewall device before forwarding the response message to the first device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1 further comprising modifying a source address of the registration message before forwarding the registration message to the second device.
  - 3. The method of claim 2 further comprising modifying a destination address of the response message prior to forwarding the response message to the first device.
  - 4. The method of claim 1 further comprising establishing an anchor between the first device and a third device positioned between the firewall device and the second device, wherein the anchor forms a communication channel for the first and third devices through the firewall device.
  - 5. The method of claim 4 wherein establishing an anchor comprises:
    - sending an encapsulated request message from the third device to the first device;
      
      decapsulating the request message by the first device; and
      
      sending the decapsulated request message to the third device via the firewall device, wherein the firewall device opens a channel based on the request message from the first device.
  - 6. The method of claim 1 further comprising discovering the second timeout period, wherein the discovering includes:
    - sending a register request from a first socket associated with the first device to a third device positioned between the firewall device and the second device;
      
      waiting for a predefined period of time;
      
      sending a binding request to the third device from a second socket associated with the first device after the predefined period of time expires; and
      
      if a response is received on the first socket, setting the second timeout period to the predefined period of time.
  - 7. The method of claim 6 further comprising reducing the predefined period of time if no response is received and sending a new register request from the first socket to the third device.
  - 8. The method of claim 1 further comprising sending ping requests to the first device from a third device positioned between the firewall device and the second device.
  - 9. The method of claim 1 further comprising determining a packet delay by sending a time stamped packet to the first device from a third device positioned between the firewall device and the second device, and calculating the packet delay as a difference between the timestamp and the time the packet is received back at the third device from the first device.
  - 10. The method of claim 1 further comprising obtaining status and alarm information from the first device by sending messages to the first device from a third device positioned between the firewall device and the second device.
  - 11. The method of claim 1 further comprising:
    - periodically sending a synthetic packet from the first device to a third device positioned between the firewall device and the second device; and
      
      filtering the synthetic packet by the third device to prevent the packet from reaching the second device, wherein the synthetic packet prevents an active channel from being terminated due to lack of outbound traffic.

12. A system providing for firewall traversal, the system comprising:
- a first device positioned in a private network;
  
  a firewall device accessible to the private network and a public network;
  
  a second device in the public network configured to register the first device; and
  
  a session controller positioned in the public network between the firewall device and the second device, the session controller comprising a plurality of software executable instructions including;
  
  instructions for intercepting a registration message from the first device to the second device;
  
  instructions for determining, after intercepting the registration message, whether to renew the first device'"'"'s registration by determining whether another registration message from the first device will be intercepted prior to an expiration of a first timeout period defined by the second device;
  
  instructions for forwarding the registration message to the second device if it is time to renew the first device'"'"'s registration,instructions for sending a substitute response to the first device without forwarding the registration message to the second device if it is not time to renew the first device'"'"'s registration, wherein the substitute response includes the second timeout period;
  
  instructions for intercepting a registration response message from the second device to the first device, wherein the response message includes the first timeout period defined by the second device; and
  
  instructions for replacing the first timeout period in the response message with the second timeout period before forwarding the response message to the first device.
- View Dependent Claims (13, 14, 15, 16)
- - 13. The system of claim 12 wherein the session controller further comprises:
    - instructions for learning a first port of the firewall device that has been assigned to a signaling channel established between the first device and the session controller, wherein the first port is learned from the registration message sent from the first device to the second device; and
      
      instructions for learning a second port of the firewall device that has been assigned to a transport channel established between the first device and the session controller.
  - 14. The system of claim 12 wherein the first device is an IP telephone.
  - 15. The system of claim 12 wherein the first device is an analog telephone adapter.
  - 16. The system of claim 12 wherein the registration message is a session initiation protocol (SIP) REGISTER message.

17. An apparatus for enabling a network edge device to maintain a registration between a first device and a second device separated by the edge device, the apparatus comprising:
- an interface accessible to the edge device and the second device; and
  
  means for intercepting a registration message from the first device to the second device;
  
  means for determining, after intercepting the registration message, whether it is time to renew the first device'"'"'s registration by determining whether another registration message from the first device will be intercepted prior to an expiration of a first timeout period defined by the second device;
  
  means for forwarding the registration message to the second device if it is time to renew the first device'"'"'s registration;
  
  means for sending a substitute response to the first device without forwarding the registration message to the second device if it is not time to renew the first device'"'"'s registration, wherein the substitute response includes the second timeout period;
  
  means for intercepting a response message from the second device to the first device, wherein the response message includes the first timeout period; and
  
  means for replacing the first timeout period in the response message with a second timeout period based on a binding lifetime of the edge device before forwarding the response message to the first device.
- View Dependent Claims (18)
- - 18. The apparatus of claim 17 further comprising means for establishing an anchor between the first device and a third device positioned between the edge device and the second device, wherein the anchor forms a communication channel for the first and third devices through the edge device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
AudioCodes, Inc. (Audiocodes Limited)
Original Assignee
AudioCodes, Inc. (Audiocodes Limited)
Inventors
Maher, Robert Daniel III, Rana, Aswinkumar Vishanji, Lie, Milton Andre, Deerman, James Robert
Primary Examiner(s)
Patel, Chirag

Application Number

US10/967,470
Publication Number

US 20060085548A1
Time in Patent Office

2,633 Days
Field of Search

726/11, 709/229, 709/228
US Class Current

709/228
CPC Class Codes

H04L 63/029   Firewall traversal, e.g. tu...

H04L 65/1101   Session protocols

H04L 65/1104   Session initiation protocol...

Apparatus and method for firewall traversal

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Apparatus and method for firewall traversal

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links