
External access to computers behind a firewall or NAT

What it looks like

This UML diagram shows an example of how these components can be located on the net. It does not demonstrate every possible configuration, but the main idea should be clear.

Connector and Redirector are parts of Java Proxy, and we will skip them for the first demonstration:

How it works without Java Proxy

The next UML diagram shows what happens when you try to connect to a computer behind a firewall in the usual way. The user calls a client application to access some resource, the client application requests this resource from the gateway (firewall or proxy), and if this gateway has no special instructions allowing this connection, it denies access to the resource.

Most firewalls restrict traffic this way: they allow all client connections from the internal network to the Internet, but block all connections from the Internet into the internal network. That is the default policy. Additionally, they can block some resources on the Internet (by port or hostname) and allow several connections into the internal network (to a web server, mail server, etc.).

It is even more restrictive if there is a proxy in place of the firewall. A proxy applies the same restrictions as a firewall, but additionally allows only web connections (HTTP, HTTPS, FTP).

How it works with Java Proxy

The next UML diagram shows what happens when you try to connect to a computer behind a firewall using Java Proxy. There are two new players: Java Proxy Connector and Java Proxy Redirector. They are two new programs you have to launch (you can run Connector on the Client Application computer and Redirector on the Server computer, or you can run them on other computers). As you can see, Redirector is located behind the firewall. Java Proxy is not a "hack tool": you cannot get access to the internal network without valid control over some computer in that network, but you don't have to control the Firewall/Proxy gateway.

The exchange starts before any action from the user: Redirector connects to Connector (this is allowed because it is a client connection from the internal network to the Internet) and holds this connection open. When the User calls the client application to access some resource, the client application sends the request to Connector. Connector already has a connection to Redirector, so it asks Redirector to transmit the request to the Server Behind Firewall and return the answer.

If necessary, Redirector can additionally pack its connections to Connector into HTTPS messages to satisfy the Firewall/Proxy.
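
Because the held connection is an ordinary client connection from the internal network, a gateway administrator sees it only in flow records. The following is an added example, not part of Java Proxy or of the original page: it scans flow records for outbound connections that stay open for hours and send more than they receive. The record layout, the sample data, the RFC 1918 address ranges and both thresholds are assumptions made for the illustration.

```python
import csv
import io
import ipaddress

# Constructed sample flow records (not from the page); times are epoch seconds,
# bytes_out is what the internal host sent, bytes_in what it received.
SAMPLE_FLOWS = """src,dst,dport,start,end,bytes_out,bytes_in
10.0.0.5,203.0.113.10,443,1000,1030,2100,48000
10.0.0.7,198.51.100.20,443,1000,29800,910000,64000
10.0.0.5,203.0.113.11,80,2000,2012,800,15000
10.0.0.9,198.51.100.30,443,1500,23100,30000,5200000
203.0.113.50,10.0.0.7,22,3000,3001,0,0
"""

# Assumption: the internal network uses RFC 1918 address space.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def find_held_outbound(flow_csv, min_seconds=4 * 3600, min_out_ratio=1.0):
    """Return outbound flows that stay open long and send more than they receive.

    Both thresholds are illustrative assumptions, to be tuned per network.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(flow_csv)):
        # Only client connections from inside to outside are of interest:
        # that is the direction the firewall's default policy allows.
        if not is_internal(row["src"]) or is_internal(row["dst"]):
            continue
        duration = int(row["end"]) - int(row["start"])
        ratio = int(row["bytes_out"]) / max(int(row["bytes_in"]), 1)
        if duration >= min_seconds and ratio >= min_out_ratio:
            findings.append({"src": row["src"], "dst": row["dst"],
                             "dport": int(row["dport"]),
                             "duration_s": duration,
                             "out_in_ratio": round(ratio, 2)})
    return findings


if __name__ == "__main__":
    for f in find_held_outbound(SAMPLE_FLOWS):
        print(f)
```

In the sample data the six-hour download from 10.0.0.9 is long-lived but receive-heavy, so only the eight-hour, send-heavy connection from 10.0.0.7 is reported.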