H3C Technologies H3C SecPath F1000-E User Manual
Page 465
2
•
Trivial File Transfer Protocol (TFTP)
•
Skinny Client Control Protocol (SCCP)
•
X Display Manager Control Protocol (XDMCP)
The following describes the operation of an ALG-enabled device, taking FTP as an example. As shown
in
, the host in the outside network accesses the FTP server in the inside network in passive
mode through the ALG-enabled device.
Figure 1 Network diagram for ALG-enabled FTP application in PASV mode
The communication process includes the following stages:
1.
Establishing a control connection
The host sends a TCP connection request to the server. If a TCP connection is established, the server and
the host enter the user authentication stage.
2.
Authenticating the user
The host sends to the server an authentication request, which contains the FTP commands (user and
password) and the contents.
When the request passes through the ALG-enabled device, the commands in the payload of the packet
will be resolved and used to check whether the state machine transition is going on correctly. If not, the
request will be dropped. In this way, ALG protects the server against clients that send packets with state
machine errors or log into the server with illegal user accounts.
An authentication request with a correct state is forwarded by the ALG-enabled device to the server,
which authenticates the host according to the information in the packet.
3.
Establishing a data connection
If the host passes the authentication, a data connection is established between it and the server. Note
that if the host is accessing the server in passive mode, the data connection process is different. In
passive mode, the server sends to the host a PASV response using its private network address and port
number (IP1, Port1). When the response arrives at the ALG-enabled device, the device resolves the
packet and translates the server’s private network address and port number into the server’s public