
Protocols handled by sat – Amer Networks E5Web GUI User Manual


7.4.8. Protocols Handled by SAT

Generally, SAT can handle all protocols that allow address translation to take place. However,
there are protocols that can only be translated in special cases, and other protocols that cannot
be translated at all.

Protocols that are impossible to translate using SAT are most likely also impossible to translate
using NAT. Reasons for this include:

• The protocol cryptographically requires that the addresses are unaltered; this applies to
many VPN protocols.

• The protocol embeds its IP addresses inside the TCP or UDP level data, and subsequently
requires that, in some way or another, the addresses visible on IP level are the same as those
embedded in the data. Examples of this include FTP and logons to NT domains via NetBIOS.

• Either party is attempting to open new dynamic connections to the addresses visible to that
party. In some cases, this can be resolved by modifying the application or the security
gateway configuration.

There is no definitive list of which protocols can or cannot be address translated. A general rule is
that VPN protocols usually cannot be translated. In addition, protocols that open secondary
connections in addition to the initial connection can be difficult to translate.

Some protocols that are difficult to address translate may be handled by specially written
algorithms designed to read and/or alter application data. These are commonly referred to as
Application Layer Gateways or Application Layer Filters. cOS Core supports a number of such
Application Layer Gateways; for more information, see Section 6.2, “ALGs”.
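
The FTP case described above, as an added example (not cOS Core code and not from this manual): it parses the endpoint that FTP embeds in a PORT command or 227 reply, checks it against the address seen at IP level, and rewrites it the way an ALG must. The mapping SAT_MAP, the sample lines and all function names are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed SAT mapping for illustration: private server -> public address.
SAT_MAP = {"192.168.1.10": "203.0.113.5"}

# FTP encodes an endpoint as six decimal bytes: h1,h2,h3,h4,p1,p2 (RFC 959).
_ENDPOINT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_endpoint(line):
    """Return (ip, port) embedded in a PORT command or 227 reply, else None."""
    if not (line.upper().startswith("PORT ") or line.startswith("227 ")):
        return None
    m = _ENDPOINT.search(line)
    if m is None:
        return None
    octets = [int(g) for g in m.groups()]
    if any(o > 255 for o in octets):
        return None
    ip = str(ipaddress.IPv4Address(bytes(octets[:4])))
    return ip, octets[4] * 256 + octets[5]


def matches_ip_level(line, ip_level_addr):
    """True when the embedded address equals the address seen at IP level."""
    ep = parse_endpoint(line)
    return ep is not None and ep[0] == ip_level_addr


def rewrite_endpoint(line, sat_map=SAT_MAP):
    """Replace the embedded address with its translated form, as an ALG would."""
    ep = parse_endpoint(line)
    if ep is None or ep[0] not in sat_map:
        return line  # nothing embedded, or address not subject to translation
    ip, port = ep
    new = sat_map[ip].replace(".", ",") + f",{port >> 8},{port & 0xFF}"
    return _ENDPOINT.sub(new, line, count=1)


if __name__ == "__main__":
    reply = "227 Entering Passive Mode (192,168,1,10,195,80)"  # constructed sample
    print(matches_ip_level(reply, "203.0.113.5"))  # IP header translated, payload not
    fixed = rewrite_endpoint(reply)
    print(fixed, len(fixed) - len(reply))  # rewritten line and its change in length
```

The rewritten line differs in length from the original, which is why translating only the IP header is not enough for such protocols: the gateway has to alter the application data and account for the changed payload size.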

Chapter 7: Address Translation

