Establishing a split-terminated communication connection through a stateful firewall, with network transparency

US 8,255,544 B2
Filed: 06/02/2011
Issued: 08/28/2012
Est. Priority Date: 03/05/2009
Status: Active Grant

First Claim

Patent Images

1. A network intermediary apparatus for facilitating establishment of a network-transparent communication connection between a client and a server, through a stateful firewall, the network intermediary apparatus comprising:

a client communication apparatus adapted to receive from the client a request for the client-server connection;

a connection management apparatus adapted to;

determine whether another network intermediary apparatus capable of establishing optimized communication sessions through the stateful firewall exists in logical proximity to the server; and

if the other network intermediary apparatus exists, establish an optimized communication session with the other network intermediary apparatus; and

an optimization apparatus configured to optimize at least a portion of client-server communications that transit the optimized communication session.

View all claims

21 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus are provided for establishing a split-terminated client-server communication connection through a stateful firewall, with network transparency. In an environment in which a pair of network intermediaries is employed to optimize client-server communications, a first intermediary intercepts a client request for a new connection. The first intermediary probes the network for a counterpart near the server, and opens an optimized communication session with a second intermediary that responds affirmatively. Some or all client-server communications that transit the intermediaries'"'"' session are accelerated or otherwise optimized. The first intermediary'"'"'s probe uses the client'"'"'s source address, but a different port number, while the optimized intermediary session is opened using the client'"'"'s source address and source port. Therefore, a network monitoring tool can monitor the end-to-end connection, and the stateful firewall will not reject the optimized session.

22 Citations

View as Search Results

30 Claims

1. A network intermediary apparatus for facilitating establishment of a network-transparent communication connection between a client and a server, through a stateful firewall, the network intermediary apparatus comprising:
- a client communication apparatus adapted to receive from the client a request for the client-server connection;
  
  a connection management apparatus adapted to;
  
  determine whether another network intermediary apparatus capable of establishing optimized communication sessions through the stateful firewall exists in logical proximity to the server; and
  
  if the other network intermediary apparatus exists, establish an optimized communication session with the other network intermediary apparatus; and
  
  an optimization apparatus configured to optimize at least a portion of client-server communications that transit the optimized communication session.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The network intermediary apparatus of claim 1, wherein said connection management apparatus is further adapted to:
    - determine whether the other network intermediary apparatus exists by sending a test connection request from a source address of the client and a source port different from a client source port; and
      
      establish the optimized communication session from the source address of the client and a source port of the client.
  - 3. The network intermediary apparatus of claim 2, wherein said connection management apparatus is further configured to:
    - configure the test connection request with an initial sequence number out of range of an initial sequence number of the request for the client-server connection; and
      
      configure a request for the optimized communication session with an initial sequence number out of range of the initial sequence number of the request for the client-server connection.
  - 4. The network intermediary apparatus of claim 1, wherein said connection management apparatus determines whether another network intermediary exists in logical proximity to the server by:
    - identifying, in the request for the client-server connection, a source address and a first source port of the client; and
      
      issuing toward the server a replacement request, wherein the replacement comprises the source address of the client and a second source port different from the first source port.
  - 5. The network intermediary apparatus of claim 4, wherein said connection management apparatus establishes an optimized communication session with the other network intermediary apparatus by:
    - issuing toward the server a final request, wherein the final request comprises the source address of the client and the first source port.
  - 6. The network intermediary apparatus of claim 5, wherein:
    - the replacement request comprises a first tag understandable by the other network intermediary apparatus as a probe to determine whether the other network intermediary apparatus is active; and
      
      the final request comprises a second tag understandable by the other network intermediary apparatus as a request for an optimized client-server connection.
  - 7. The network intermediary apparatus of claim 6, wherein said first tag and said second tag comprise different TCP (Transport Control Protocol) options.
  - 8. The network intermediary apparatus of claim 4, wherein:
    - the request for the client-server connection comprises a first initial sequence number; and
      
      the replacement request comprises a second initial sequence number out of range of the first initial sequence number.
  - 9. The network intermediary apparatus of claim 8, wherein the final request comprises a third initial sequence number out of range of the first initial sequence number.
  - 10. The network intermediary apparatus of claim 1, further comprising:
    - a memory for temporarily storing the request for the client-server connection until said connection management apparatus determines whether another network intermediary exists in logical proximity to the server.

11. A method for facilitating establishment of a network transparent communication connection between a client and a server through a stateful firewall, the method comprising:
- in a network intermediary apparatus;
  
  receiving from the client a request for the client-server connection;
  
  determining whether another network intermediary apparatus capable of establishing optimized communication sessions through the stateful firewall exists in logical proximity to the server; and
  
  in response to determining that the other network intermediary apparatus capable of establishing optimized communication sessions through the stateful firewall exists in logical proximity to the server, establishing an optimized communication session with the other network intermediary apparatus; and
  
  optimizing at least a portion of client-server communications that transit the optimized communication session.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The method of claim 11, wherein said determining includes sending a test connection request from a source address of the client and a source port different from a client source port;
    - and wherein said establishing includes establishing the optimized communication session from the source address of the client and a source port of the client.
  - 13. The method of claim 12, wherein said determining includes configuring the test connection request with an initial sequence number out of range of an initial sequence number of the request for the client-server connection;
    - and wherein said establishing includes configuring a request for the optimized communication session with an initial sequence number out of range of the initial sequence number of the request for the client-server connection.
  - 14. The method of claim 11, wherein said determining includes:
    - identifying, in the request for the client-server connection, a source address and a first source port of the client; and
      
      issuing toward the server a replacement request, wherein the replacement comprises the source address of the client and a second source port different from the first source port.
  - 15. The method of claim 14, wherein said establishing includes issuing toward the server a final request, wherein the final request comprises the source address of the client and the first source port.
  - 16. The method of claim 15, wherein:
    - the replacement request comprises a first tag understandable by the other network intermediary apparatus as a probe to determine whether the other network intermediary apparatus is active; and
      
      the final request comprises a second tag understandable by the other network intermediary apparatus as a request for an optimized client-server connection.
  - 17. The method of claim 16, wherein said first tag and said second tag comprise different TCP (Transport Control Protocol) options.
  - 18. The method of claim 14, wherein:
    - the request for the client-server connection comprises a first initial sequence number; and
      
      the replacement request comprises a second initial sequence number out of range of the first initial sequence number.
  - 19. The method of claim 18, wherein the final request comprises a third initial sequence number out of range of the first initial sequence number.
  - 20. The method of claim 11, further comprising temporarily storing the request for the client-server connection until said connection management apparatus determines whether another network intermediary exists in logical proximity to the server.

21. A non-transitory computer-readable storage medium storing instructions that, when executed by a network intermediary apparatus, cause the network intermediary apparatus to perform a method for facilitating establishment of a network-transparent communication connection between a client and a server through a stateful firewall, the method comprising:
- receiving from the client a request for the client-server connection;
  
  determining whether another network intermediary apparatus capable of establishing optimized communication sessions through the stateful firewall exists in logical proximity to the server; and
  
  in response to determining that the other network intermediary apparatus capable of establishing optimized communication sessions through the stateful firewall exists in logical proximity to the server, establishing an optimized communication session with the other network intermediary apparatus; and
  
  optimizing at least a portion of client-server communications that transit the optimized communication session.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29, 30)
- - 22. The non-transitory computer-readable storage medium of claim 21, wherein said determining includes sending a test connection request from a source address of the client and a source port different from a client source port;
    - and wherein said establishing includes establishing the optimized communication session from the source address of the client and a source port of the client.
  - 23. The non-transitory computer-readable storage medium of claim 22, wherein said determining includes configuring the test connection request with an initial sequence number out of range of an initial sequence number of the request for the client-server connection;
    - and wherein said establishing includes configuring a request for the optimized communication session with an initial sequence number out of range of the initial sequence number of the request for the client-server connection.
  - 24. The non-transitory computer-readable storage medium of claim 21, wherein said determining includes:
    - identifying, in the request for the client-server connection, a source address and a first source port of the client; and
      
      issuing toward the server a replacement request, wherein the replacement comprises the source address of the client and a second source port different from the first source port.
  - 25. The non-transitory computer-readable storage medium of claim 24, wherein said establishing includes issuing toward the server a final request, wherein the final request comprises the source address of the client and the first source port.
  - 26. The non-transitory computer-readable storage medium of claim 25, wherein:
    - the replacement request comprises a first tag understandable by the other network intermediary apparatus as a probe to determine whether the other network intermediary apparatus is active; and
      
      the final request comprises a second tag understandable by the other network intermediary apparatus as a request for an optimized client-server connection.
  - 27. The non-transitory computer-readable storage medium of claim 26, wherein said first tag and said second tag comprise different TCP (Transport Control Protocol) options.
  - 28. The non-transitory computer-readable storage medium of claim 24, wherein:
    - the request for the client-server connection comprises a first initial sequence number; and
      
      the replacement request comprises a second initial sequence number out of range of the first initial sequence number.
  - 29. The non-transitory computer-readable storage medium of claim 28, wherein the final request comprises a third initial sequence number out of range of the first initial sequence number.
  - 30. The non-transitory computer-readable storage medium of claim 21, the method further comprising temporarily storing the request for the client-server connection until said connection management apparatus determines whether another network intermediary exists in logical proximity to the server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Riverbed Technology, LLC (Riverbed Technology Incorporated)
Original Assignee
Riverbed Technology Incorporated
Inventors
Lam, Blanco Zee Leung
Primary Examiner(s)
WON, MICHAEL YOUNG

Application Number

US13/152,152
Publication Number

US 20110264810A1
Time in Patent Office

453 Days
Field of Search

709/203, 709/219, 709/227, 709/239, 709/240
US Class Current

709/227
CPC Class Codes

H04L 63/0254   Stateful filtering

H04L 63/029   Firewall traversal, e.g. tu...

H04L 63/164   at the network layer

H04L 67/14   Session management for real...

Establishing a split-terminated communication connection through a stateful firewall, with network transparency

First Claim

21 Assignments

0 Petitions

Accused Products

Abstract

22 Citations

30 Claims

Specification

Use Cases

Quick Links

Others

Establishing a split-terminated communication connection through a stateful firewall, with network transparency

First Claim

21 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

22 Citations

30 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others