如何穿透防火墙

如何穿透防火墙 Firewalls are a fact of life at many companies. Firewalls block access in a number of ways: by blocking ports, by filtering what kind of data can go through some port numbers, by blocking all data except through a "proxy", etc. ASTA 2.6 has a number of techniques that you can use in your ASTA client application to work through a firewall, including the addition of WinINet support. Another feature of ASTA 2.6 is that ASTA servers can now serve TCP/IP and stateless http remote clients with no changes on the server. ASTA Servers require a static IP Address and a "port" to run on. There are 65535 ports available on any machine with port numbers lower than 1024 generally reserved for the operating system. HTTP Servers typically run on port 80, ftp runs on port 23 and SMTP (mail) servers run on port 21. You can run as many as ASTA servers as your hardware allows, on any one machine, as long as each one runs on a different port. Figure 1 shows a typical ASTA server connected to a database, usually over an Ethernet network, with remote clients connected to it via TCP/IP. The only requirement for the remote clients is that they can connect to the ASTA server IP Address and port. The IP Address can be specified either numerically (1.2.3.4) or as a hostname (somecomputer.companyname.com). Figure 1 ASTA provides numerous ways to defeat firewalls. They can be grouped between those that maintain state and use TCP/IP and those that are stateless and use http. State: TCP/IP and HTTP ASTA Servers and traditional clients use TCP/IP, which maintains state. This means that once a client connects to a server, that connection is maintained until the client disconnects, the server disconnects the client or there is a network failure. HTTP on the other hand is said to be Stateless. Browsers make html requests to remote HTTP Servers and the request is completed and the browser is disconnected. Cookies are a way for HTTP Servers to maintain some kind of active user list from remote clients that are not connected to the server. There is usually some kind of time out value so when a request is made to a server a unique valued is added to a server side user list and a "cookie" containing this value is planted on the remote machine. All subsequent requests from that specific remote user will contain the value from the "cookie" so that they can be matched up on the server. Since HTTP does not maintain state, server side HTTP applications like shopping carts needs to maintain that state themselves in order to function. This means that concepts like the AstaServerSocket.UserList and Server "push" with Server initiated messages are not possible when running stateless. After ASTA 2.6 was released, an AstaStatelessUserList was implemented that allows stateless http clients to have access to a server side UserList that implements Cookies and the concept of expiration. Techniques that maintain State Have the Firewall Administrator open the port your ASTA server is ,, running on ,,Run your ASTA server on port 80 or port 8080 ,,Use ASTA SOCKS Support ,,ASTAProxyServer Stateless Techniques ,,Set the AstaClientSocket.WinINet property to true along with ISAPI DLL on a Web Server ,,Use the AstaClientSocket ability to format messages as http through an ISAPI DLL on Web Server ,,Use ASTA Proxy Server support Maintain State Firewall Solution #1: Open a Port Most firewall issues are port restrictions. ASTA clients can connect seamlessly through a firewall if the administrator agrees to open up the port that the ASTA server is running on. For example, if the ASTA server is configured to use port 9000 and administrator opens up the port on the client firewall to allow TCP/IP traffic on port 9000, the firewall issue is resolved. Maintain State Firewall Solution #2: Run the ASTA Server on Port 80 Sometimes the firewall administrator will not open a port up. The next solution is to run your ASTA server on port 80 or port 8080, as firewalls must have port 80 open if clients are allowed to use browsers to access the Internet and remote HTTP servers. They must allow unfiltered TCP/IP traffic on port 80/etc. for this solution to work. Figure 2 shows a network where there is a firewall but only port 80 is opened. Figure 2 Maintain State Firewall Solution #3: SOCKS Support Running ASTA clients stateless doesn't allow you to use such features as Server broadcasts or client-to-client messaging along with provider broadcasts. SOCKS is a technology available to provide Authenticated Firewall Traversal. If you have a SOCKS4 or SOCKS5 Server, ASTA can allow you to connect via the SOCKS server and use TCP/IP as a normal client application. The AstaClientSocket has a method to set it up to connect through a SOCKS5 Server. Procedure SetupForSocks5Server( AstaServerAddress, TheSocks5ServerAddress, TheSocksUserName, TheSocksPassword: String; AstaServerPort, TheSocksServerPort: Word); Figure 3 shows the SOCKS Setup form that allows client applications to configure their SOCKS server settings. Figure 3 Maintain State Firewall Solution #4: ASTA Proxy Server ASTA also provides an ASTA Proxy Server that can be run on the same machine as the firewall that allows ASTA clients to connect to the AstaProxyServer and be re-routed to a remote ASTA server. Figure 4 shows the ASTA proxy server. Figure 4 Stateless Firewall Solution #1: Use WinInet (Highly Recommended) The Microsoft WinInet DLL comes with Internet Explorer and provides client access to HTTP support including SSL, SOCKS and access through Proxy Servers. ASTA 2.6 allows the AstaClientSocket to use WinINet and the AstaHttp.dll to get through any Firewall that Internet Explorer can use the same registry settings for proxy servers and authentication as set by Internet Explorer. To activate WinINet support just set the public AstaClientSocket.WinINet:Boolean property to true. You would still need to setup the address of the remote Web Server and location of AstaHttp.dll as explained below in Firewall Solution #5 HTTP Stateless with IIS running remotely but you would not need to set any proxy server addresses or Proxy Username or Passwords as WinINet handles this transparently. Stateless Firewall Solution #2: HTTP Stateless with IIS running remotely In this scenario a Web Server like IIS (Internet Information Server) receives requests from remote ASTA clients through an ISAPI dll (AstaHttp.dll) and proxies the request to an ASTA server that can be located anywhere. ASTA supplies an ISAPI dll that can be placed in the scripts directory or equivalent of the Web Server and remote clients are configured to format their messages as HTTP messages by calling SetupforIsapiUse. procedure TAstaclientSocket.SetForIsapiUse(WebServerAddress, AstaServerAddress, AstaIsapiDll: String; WebServerPort, AstaServerPort: Word); Clients can call AstaIsapiSetup to input the address and port information for the remote Web Server and ASTA server as well as the location of AstaHttp.dll Figure 4 shows the setup form that appears when the AstaClientSocket. AstaIsapiSetup routine is called. A Kylix built Apache DSO that does the same on Linux will be available in September 2001. ASTA Palm and WinCE clients will also be able to take advantage of this technique. For more information see www.astawireless.com Figure 5 Figure 5 shows how ASTA clients can be configured to appear as normal browsers with HTTP formatted messages and running through an existing HTTP Server like IIS using the ASTAHTTP.DLL Figure 6 This is of course another stateless solution since the client is using real HTTP and communicating through IIS just like a normal browser. Use this technique if your clients don't have WinInet.dll available. Stateless Firewall Solution #3: Through a Proxy Server Sometimes there may be a proxy server like Netscape Proxy Server running on your client application. In this case your ASTA client application must connect to the proxy server rather than the ASTA server. ASTA supports this with the AstaClientSocket Method SetForProxyUse. Note: WinINet is still recommended before this technique. Use this only if WinINet.DLL is not available on your client machines. Procedure SetForProxyUse(AstaServerAddress, ProxyIPAddress: String; AstaServerPort, ProxyPort: Word); Figure 6 shows an ASTA proxy setup form that allows your ASTA client application to be configured to connect through a Proxy Server like Netscape Proxy Server. Note: this call is not required if you use the ASTA WinINet support as WinINet will use the proxy settings as set by Internet Explorer. Figure 7 Figure 8 ASTA provides a variety of methods and techniques that you can use to solve any Firewall problem.