1812 results about "Network address translation" patented technology

An approach provides interdomain traversal to support packetized voice transmissions. A request is received from a first endpoint of a first domain for establishing a communication session with a second endpoint of a second domain. Encrypted user credential information is retrieved from a credentials database resident within the first domain, wherein the encrypted user credential includes a password associated with a user associated with the first endpoint. Further, the encrypted user credential information is transmitted to a tunneling server in response to the request, wherein the tunneling server is configured to selectively setup a tunnel to support the communication session based on the encrypted user credential information. The tunnel traverses a first firewall and a first network address translator of the first domain and a second firewall and a second network address translator of the second domain to reach the second endpoint.

A firewall clustering system connects two or more firewalls between an internal network and an external network. The plurality of two or more firewalls are combined to supply high-availability and scaling of processing capacity. Firewalls maintain client-server state information. Flow controllers are connected to the firewalls and placed on both the internal “trusted” side and the external “untrusted” side of the firewalls. Flow controllers are placed on both sides of the firewalls to ensure that traffic for a given client-server session flows through the same firewall in both inbound and outbound directions. The firewalls perform filtering operations and/or network address translation (NAT) services. In both cases, the flow controllers supply high availability, scalability, and traffic distribution for the firewalls in the firewall cluster.

Reduction of administrative overhead in maintaining network information, rapid convergence on an optimal routing path through the data network, and utilization of only required network resources are realized by a novel method for establishing a call path between network users. The method is based upon deployment of a network information server that stores network topology information and that is addressable by each end user. In this method, the network information server receives a request to establish a call path. The request identifies at least the calling party. In response to the request, the network information server determines a network traversal between the calling party and a root network wherein the network traversal includes call path information about the sub-networks between the calling party and the root network. The request for establishing a call path can also identify the called party. Based on the calling and called party identification, the network information server also determines a second network traversal between the called party and the root network. The second network traversal is sent to either the calling party or the called party or to both the calling and called parties. The server can determine an intersection of the traversals and send the intersection information to the parties. The intersection information is known as a merge point and represents an optimal call path between the parties.

Methods and systems for optimized routing of real time media session data between session initiation protocol SIP endpoints. In one embodiment of the invention, first and second SIP endpoints each provide notification of network address translation NAT topology thereof and based on the NAT topologies of the two endpoints an SIP server decides whether to route media between the two endpoints via a direct path or via a media relay.

A network content service apparatus includes a set of compute elements adapted to perform a set of network services; and a switching fabric coupling compute elements in said set of compute elements. The set of network services includes firewall protection, Network Address Translation, Internet Protocol forwarding, bandwidth management, Secure Sockets Layer operations, Web caching, Web switching, and virtual private networking. Code operable on the compute elements enables the network services, and the compute elements are provided on blades which further include at least one input/output port.

Disclosed are systems and methods for peer-to-peer communication over a network between a first node behind a first network address translator (NAT) and a second node behind a second NAT, despite the first NAT and the second NAT intervening between the first and second nodes. The first NAT is a Symmetric NAT. A port prediction is performed wherein the first node constructs a list of predicted transport addresses on the first NAT. A message containing the list of predicted transport addresses is sent from the first node to the second node. A connectivity check is performed with the second node using the predicted transport addresses.

A security gateway provides a secure connection among one or more networks and a protected resource network. One of the local networks may be connected to the remote private network via a VPN IPsec tunnel. The networks may be local networks that share resources without compromising the security of the protected resource network. The local networks may have access to an untrusted network such as the Internet, sharing a single connection through the security gateway. Dynamic source network address translation is used to permit access from the network connected to the protected resource network to other, less trusted networks while concealing the actual IP addresses of hosts within that network.

A method of operating a node of a telecommunications system, the node comprising a plurality of entities each arranged to send and receive IP packets to peer entities, via a Network Address Translation function, using a layer 4 control protocol which facilitates multi-homing by allowing an entity to include more than one IP address in a layer 4 packet chunk. The method comprises maintaining at each of said plurality of entities a table mapping one or more private addresses of the entity to one or more public addresses of the Network Address Translation function, and, for each association initiation message generated by an entity, including in said layer 4 packet chunk of the message the public IP address(es) of the Network Address Translation function obtained from said table for the corresponding private IP address(es).

A network traversal method is provided. A plurality of endpoints in a plurality of network address translators (NATs) is grouped into a plurality of groups, and an on-line server is deployed for managing information related to the groups and information related to connections that have traversed the NATs, wherein the endpoints in the same NAT are grouped into the same group. In addition, when one of the endpoints is about to establish a connection with another one of the endpoints, whether there is a peer-to-peer direct connection between the groups corresponding to the two endpoints is determined. If there is the peer-to-peer direct connection between the groups corresponding to the two endpoints, the connection between the two endpoints is established by using the peer-to-peer direct connection. Thereby, the network traversal method can effectively reduce the time, cost, and complexity for traversing the NATs.

Clients that are connected on a private network and which are assigned a private IP address that is not routable on the Internet can connect to the Internet through a router/server that includes a network address translator (NAT). For outgoing packets, the NAT translates the client's private source IP address and generalized port number (GPN) to the NAT's global IP address and GPN. For incoming packets sent to the NAT's global IP address and GPN, the NAT translates the global destination IP address and GPN to the client's private IP address and GPN. For protocols which cannot be directly supported by the NAT, such as those in the IPSec security protocol suite, the NAT is extended by creating in the NAT's translation table an entry that associates, for a specific unsupported protocol, a client's private IP address and GPN, the NAT's global IP address and GPN, and a foreign address on the Internet, that is valid until a specified or default expiration time. Outgoing packets from the client to that foreign address and incoming packets from that foreign address to the NAT's global IP address and GPN are translated according to the entry until the entry expires. In associations with these translations to outgoing and incoming packets, the client implements any Application Layer Gateway (ALG) that would otherwise be implemented at the NAT. Further, at the client, outgoing packets are modified before being transmitted so as to pre-compensate for the effects of the translations. Incoming packets at the client from the NAT are similarly modified so as to post-compensate for the effects of the translations. For the IPSec protocol, these modification include adjusting the checksum in the TCP or UDP header to account for IP address and TCP or UDP port number translations.

An approach provides interdomain traversal packetized voice transmissions. A request is received from a first endpoint of a first domain for establishing a communication session with a second endpoint of a second domain. A tunnel is established by a TURN (Traversal Using Relay NAT (Network Address Translation)) server to support the communication session. The TURN server is controlled by a service provider as part of a managed communication service. The tunnel traverses a first firewall and a first network address translator of the first domain and a second firewall and a second network address translator of the second domain to reach the second endpoint, wherein the communication session is encrypted and transported via the tunnel.

A system and method controls access to a network. The system and method intercepts communications received from, and responses and other communications to, devices on the network. Communications may be forwarded to their intended destination if the sending device has sufficient privileges to do so, or the communications may be handled by the system and method or forwarded to a different destination (e.g. a printer nearby the access point to which the user is communicating) using network address translation or redirection. Responses are received and stored by the system and method and may be forwarded to the device that sent the original communication, either directly or via a different device that requests the stored communications using a tunnel.

Methods and systems are provided for efficient handover of a media session between heterogeneous Internet Protocol (IP) networks. A mobile device with Internet access can operate a software program to communicate with a corresponding node. The corresponding node may access the Internet through a firewall which may include Network Address Translation (NAT)-routing functionality. The mobile device establishes a media session with a corresponding node via the transmission of a first media stream and receipt of a second media stream, and a media-control channel can optionally be implemented. The mobile device can acquire Internet access through a second IP address, and packets routed between the second IP address and the Internet may traverse a firewall. The mobile device can evaluate a set of network parameters at the second IP address from a stored Local Area Network (LAN) profile. A software routine can (i) evaluate that handover of the media session from the first IP address to the second IP address is preferred and (ii) select an efficient handover procedure according to handover procedure rules.

A method, system, and computer program product for providing consistent, end-to-end protection within a computer network for user datagrams (i.e. packets) traveling through the network. The network may comprise network segments that are conventionally assumed to be secure (such as those found in a corporate intranet) as well as network segments in non-secure networks (such as the public Internet or corporate extranets). Because security breaches may in fact happen in any network segment when datagrams are unprotected, the present invention discloses a technique for protecting datagrams throughout the entire network path by establishing cascaded tunnels. The datagrams may be exposed in cleartext at the endpoints of each tunnel, thereby enabling security gateways to perform services that require content inspection (such as network address translation, access control and authorization, and so forth). The preferred embodiment is used with the “IPSec” (Internet Protocol Security Protocol) and “IKE” (Internet Key Exchange) protocols, thus providing a standards-based solution.

IP network address translation (NAT) and IP filtering with dynamic address resolution in an Internet gateway system. Symbolic interface names are recognized in selected rule statements. An symbolic s-rule file is generated from these rule statements which includes symbolic interface names. During processing of a packet message, the s-rule file corresponding to the interface name in the packet message is processed, with symbolic addresses in the s-rule file resolved to the IP addresses obtained from the packet message.

A method and system for seamlessly handing off a Mobile Node (MN) equipped with a Wireless Local Area Network (WLAN) adaptor from a cellular network such as a GRPS/UMTS network to a WLAN network without interrupting the ongoing IP connection/session. When entering a WLAN coverage area, the roaming MN sends mobility information to a WLAN Integration Gateway (WIG) node allowing the WIG node to identify the source Service GPRS Support Node (SGSN). The WIG node contacts the source SGSN to obtain PDP Context information relative to the roaming MN, and establishes a new GTP tunnel with the servicing GGSN in order to complete the handoff. The WIG node may route data traffic for the MN by assigning a new IP address to the MN and by either performing IP-in-IP encapsulation or Network Address Translation (NAT).

An approach provides interdomain traversal to support packetized voice transmissions. A request for establishing a voice call is received from a source endpoint behind a first network address translator of a first domain, wherein the request specifies a directory number of a destination endpoint within a second domain. A network address is determined for communicating with the destination endpoint based on the directory number. Additionally, existence of a second network address translator within the second domain is determined. If the network address can be determined, a media path is established between the source endpoint and the destination endpoint based on the network address to support the voice call.