Tcp proxy working mechanism, Unidirectional proxy – H3C Technologies H3C SecPath F1000-E User Manual

Page 40

Figure 35 Network diagram for unidirectional proxy

Figure 36 Network diagram for unidirectional/bidirectional proxy

TCP proxy working mechanism

Unidirectional proxy

Figure 37 Data exchange process in unidirectional proxy mode

After receiving a SYN message from a client to the protected server (such a message matches a protected
IP address entry), the TCP proxy sends back a SYN ACK message with a wrong sequence number on

behalf of the server, that is, using the IP address and port number of the server. If the client is legitimate,

the TCP proxy will receive an RST message, and will receive a SYN message again from the client. The

TCP proxy then directly forwards the SYN, SYN ACK, and ACK messages to establish a TCP connection
between the client and the server.
After the TCP connection is established, the TCP proxy forwards the subsequent packets of the connection

without additional processing.

This manual is related to the following products:

H3C SecPath F5000-A5 Firewall H3C SecPath F1000-A-EI H3C SecPath F1000-E-SI H3C SecPath F1000-S-AI H3C SecPath F5000-S Firewall H3C SecPath F5000-C Firewall H3C SecPath F100-C-SI H3C SecPath F1000-C-SI H3C SecPath F100-A-SI H3C SecBlade FW Cards H3C SecBlade FW Enhanced Cards H3C SecPath U200-A U200-M U200-S H3C SecPath U200-CA U200-CM U200-CS