<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="concept" />
<meta name="DC.Title" content="Client SOCKS support" />
<meta name="abstract" content="iSeries uses SOCKS version 4 to enable programs that use the AF_INET address family with SOCK_STREAM socket type to communicate with server programs that run on systems outside a firewall." />
<meta name="description" content="iSeries uses SOCKS version 4 to enable programs that use the AF_INET address family with SOCK_STREAM socket type to communicate with server programs that run on systems outside a firewall." />
<meta name="DC.Relation" scheme="URI" content="aconcepts.htm" />
<meta name="DC.Relation" scheme="URI" content="../apis/bind.htm" />
<meta name="DC.Relation" scheme="URI" content="../apis/connec.htm" />
<meta name="DC.Relation" scheme="URI" content="../apis/accept.htm" />
<meta name="DC.Relation" scheme="URI" content="../apis/gsockn.htm" />
<meta name="DC.Relation" scheme="URI" content="../apis/rbind.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2001, 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2001, 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="csocks" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Client SOCKS support</title>
</head>
<body id="csocks"><a name="csocks"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Client SOCKS support</h1>
<div><p>iSeries™ uses SOCKS version 4 to enable programs that use the AF_INET address family with the SOCK_STREAM socket type to communicate with server programs that run on systems outside a firewall.</p>
<p>A firewall is a hardened host that a network administrator places between a secure internal network and a less secure external network. Typically such a network configuration does not allow communications that originate from the secure host to be routed on the less secure network, and vice versa. Proxy servers that run on the firewall manage the access that is required between secure hosts and less secure networks.</p>
<div class="p">Applications that run on hosts in a secure internal network must send their requests to firewall proxy servers to get through the firewall. The proxy servers can then forward these requests to the real server on the less secure network and relay the reply back to the applications on the originating host. A common example of a proxy server is an HTTP proxy server. Proxy servers perform a number of tasks for HTTP clients: <ul><li>They hide your internal network from outside systems.</li>
<li>They protect the host from direct access by outside systems.</li>
<li>They can filter data that comes in from outside if they are properly designed and configured.</li>
</ul>
HTTP proxy servers handle only HTTP clients.</div>
<p>A common alternative to running multiple protocol-specific proxy servers on a firewall is to run a general-purpose proxy server known as a SOCKS server. A SOCKS server can act as a proxy for any TCP client connection that is established using the sockets API. The key advantage of iSeries Client SOCKS support is that it enables client applications to access a SOCKS server transparently, without changing any client code.</p>
<p>The following figure shows a common firewall arrangement with an HTTP proxy, a telnet proxy, and a SOCKS proxy on the firewall. Notice the two separate TCP connections used when the secure client accesses a server on the Internet: one leads from the secure host to the SOCKS server, and the other leads from the SOCKS server to the less secure network. The remote server only ever sees the SOCKS server as its peer.</p>
<p><br /><img src="rv4w201.gif" alt="Common firewall arrangement" /><br /></p>
<p>Two actions are required on the secure client host to use a SOCKS server:</p>
<ol><li>Configuration of a SOCKS server. On February 15, 2000, IBM<sup>®</sup> announced that the IBM Firewall for iSeries product (5769-FW1), which provides SOCKS server support, is not enhanced beyond its current V4R4 capability.</li>
<li>On the secure client system, define all outbound client TCP connections that are to be directed to the SOCKS server. You can define the secure client SOCKS configuration entries by using the SOCKS tab found under the iSeries Navigator function of iSeries Access on Windows 95 or Microsoft<sup>®</sup> Windows NT<sup>®</sup>. The SOCKS tab has substantial help on configuring the secure client system for Client SOCKS support. <p>To configure client SOCKS support, follow these steps: </p>
<ol type="a"><li>In iSeries Navigator, expand your <span class="menucascade"><span class="uicontrol">iSeries server</span> > <span class="uicontrol">Network</span> > <span class="uicontrol">TCP/IP Configuration</span></span>.</li>
<li>Right-click <span class="uicontrol">TCP/IP Configuration</span>.</li>
<li>Click <span class="uicontrol">Properties</span>.</li>
<li>Click the <span class="uicontrol">SOCKS</span> tab.</li>
<li>Enter your connection information on the SOCKS page.</li>
</ol>
<div class="note"><span class="notetitle">Note:</span> The secure client SOCKS configuration data is saved in the file QASOSCFG in library QUSRSYS on the secure client host system.</div>
</li>
</ol>
<p>When configured, the system automatically directs certain outbound connections to the SOCKS server you specified on the SOCKS page. You do not need to make any changes to the secure client application. When it receives the request, the SOCKS server establishes a separate external TCP/IP connection to the server in the less secure network. The SOCKS server then relays data between the internal and external TCP/IP connections.</p>
<div class="note"><span class="notetitle">Note:</span> The remote host on the less secure network connects directly to the SOCKS server. It does not have direct access to the secure client.</div>
<p>Up to this point, <em>outbound</em> TCP connections that originate from the secure client have been addressed. Client SOCKS support also lets you tell the SOCKS server to allow an inbound connection request across a firewall. An <span class="apiname">Rbind()</span> call from the secure client system allows this communication. For <span class="apiname">Rbind()</span> to operate, the secure client must have previously issued a <span class="apiname">connect()</span> call, and that call must have resulted in an outbound connection over the SOCKS server. The <span class="apiname">Rbind()</span> inbound connection must come from the same IP address that the outbound <span class="apiname">connect()</span> addressed; the SOCKS server does not open the firewall to inbound connections from any other host.</p>
<p>The following figure shows a detailed overview of how sockets functions interact with a SOCKS server transparently to the application. In the example, the FTP client calls the <span class="apiname">Rbind()</span> function instead of the <span class="apiname">bind()</span> function, because the FTP protocol allows the FTP server to establish a data connection back to the client when the FTP client requests that files or data be sent. The client makes this call by being recompiled with the __Rbind preprocessor #define, which defines <span class="apiname">bind()</span> to be <span class="apiname">Rbind()</span>. Alternatively, an application can explicitly code <span class="apiname">Rbind()</span> in the pertinent source code. If an application does not require inbound connections across a SOCKS server, <span class="apiname">Rbind()</span> should not be used.</p>
<br /><img src="rv4w200.gif" alt="Interaction of sockets functions with a SOCKS server" /><br /><div class="note"><span class="notetitle">Notes:</span> <ol><li>The FTP client initiates an outbound TCP connection to a less secure network through a SOCKS server. The destination address that the FTP client specifies on the <span class="apiname">connect()</span> is the IP address and port of the FTP server located on the less secure network. Because the secure host system is configured through the SOCKS page to direct this connection through the SOCKS server, the system automatically sends it to the SOCKS server that was specified there.</li>
<li>A socket is opened and <span class="apiname">Rbind()</span> is called to establish an inbound TCP connection. When established, this inbound connection is from the same IP address that was the destination of the outbound connection above. You must pair outbound and inbound connections over the SOCKS server for a particular thread. In other words, each <span class="apiname">Rbind()</span> inbound connection should immediately follow the outbound connection over the SOCKS server; you cannot interleave non-SOCKS connections on this thread before the <span class="apiname">Rbind()</span> runs.</li>
<li><span class="apiname">getsockname()</span> returns the SOCKS server address. The socket is logically bound to the SOCKS server IP address coupled with a port that the SOCKS server selects. In this example, the address is sent over the control connection (socket CTL in the figure) to the FTP server that is located on the less secure network. This is the address to which the FTP server connects. The FTP server connects to the SOCKS server and not directly to the secure host.</li>
<li>The SOCKS server establishes a data connection with the FTP client and relays data between the FTP client and the FTP server. Many SOCKS servers allow a fixed length of time for the remote server to connect back. If the server does not connect within this time, errno ECONNABORTED is returned on the <span class="apiname">accept()</span>.</li>
</ol>
</div>
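<p>The exchange the notes above describe, as an added example that is not from this page and not IBM's code: a minimal C encoder and decoder for the SOCKS version 4 CONNECT and BIND messages that Client SOCKS support sends to the SOCKS server on the application's behalf (CONNECT for the <span class="apiname">connect()</span>, BIND for the <span class="apiname">Rbind()</span>), together with a mock of the server-side check that a BIND is paired with the destination of the preceding CONNECT. The mock server, the function names, the listening port 40001 and the addresses 192.0.2.10 and 198.51.100.7 are assumptions for illustration; the byte layout is that of the SOCKS4 protocol.</p>

```c
/* Added example, not IBM's code: SOCKS4 CONNECT/BIND messages and a mock
 * server enforcing the pairing rule. Names and addresses are assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <arpa/inet.h>

enum { SOCKS4_VN = 4, SOCKS4_CONNECT = 1, SOCKS4_BIND = 2 };
enum { SOCKS4_GRANTED = 90, SOCKS4_REJECTED = 91 };
#define SOCKS4_REPLY_LEN 8

/* Request: VN(1) CD(1) DSTPORT(2, big-endian) DSTIP(4, network order)
 * USERID(variable) NUL. Returns bytes written, or 0 on a bad command or a
 * buffer that is too small. */
size_t socks4_build_request(uint8_t *buf, size_t cap, uint8_t cd,
                            uint16_t dst_port, uint32_t dst_ip_be,
                            const char *userid)
{
    size_t ulen = strlen(userid);
    size_t need = 8 + ulen + 1;
    if (cap < need || (cd != SOCKS4_CONNECT && cd != SOCKS4_BIND)) return 0;
    buf[0] = SOCKS4_VN;
    buf[1] = cd;
    buf[2] = (uint8_t)(dst_port >> 8);
    buf[3] = (uint8_t)(dst_port & 0xff);
    memcpy(buf + 4, &dst_ip_be, 4);
    memcpy(buf + 8, userid, ulen + 1);   /* copies the terminating NUL too */
    return need;
}

/* Reply: VN(1, always 0) CD(1) DSTPORT(2) DSTIP(4). Returns the CD code
 * (90 granted, 91 rejected) or -1 if the reply is malformed. */
int socks4_parse_reply(const uint8_t *buf, size_t len,
                       uint16_t *port, uint32_t *ip_be)
{
    if (len < SOCKS4_REPLY_LEN || buf[0] != 0) return -1;
    *port = (uint16_t)((buf[2] << 8) | buf[3]);
    memcpy(ip_be, buf + 4, 4);
    return buf[1];
}

/* Mock SOCKS server policy (an assumption standing in for a real server):
 * CONNECT is always granted; BIND is granted only when its DSTIP equals the
 * destination of the CONNECT this client already holds through the server.
 * The reply carries the port the server listens on; DSTIP 0.0.0.0 means
 * "the SOCKS server's own address", which is what getsockname() shows the
 * client. Returns the reply length, or 0 if the request is malformed. */
size_t socks4_server_handle(const uint8_t *req, size_t len,
                            uint32_t paired_dst_ip_be, uint16_t listen_port,
                            uint8_t *reply)
{
    uint32_t dst_ip_be;
    int granted = 0;
    if (len < 9 || req[0] != SOCKS4_VN || req[len - 1] != 0) return 0;
    memcpy(&dst_ip_be, req + 4, 4);
    if (req[1] == SOCKS4_CONNECT) granted = 1;
    else if (req[1] == SOCKS4_BIND) granted = (dst_ip_be == paired_dst_ip_be);
    reply[0] = 0;
    reply[1] = granted ? SOCKS4_GRANTED : SOCKS4_REJECTED;
    reply[2] = (uint8_t)(listen_port >> 8);
    reply[3] = (uint8_t)(listen_port & 0xff);
    memset(reply + 4, 0, 4);             /* 0.0.0.0: use the SOCKS server's IP */
    return SOCKS4_REPLY_LEN;
}

/* One client's exchange: CONNECT to ftp_ip:21, then BIND naming bind_ip.
 * Returns the CD code of the BIND reply (-1 on a bad address or reply) and,
 * if bound_port is non-NULL, the port the server assigned for the callback. */
int socks4_connect_then_bind(const char *ftp_ip, const char *bind_ip,
                             uint16_t *bound_port)
{
    uint8_t req[64], rep[SOCKS4_REPLY_LEN];
    uint32_t ftp_be, bind_be, rip;
    uint16_t rport;
    size_t n;
    int cd;
    if (inet_pton(AF_INET, ftp_ip, &ftp_be) != 1 ||
        inet_pton(AF_INET, bind_ip, &bind_be) != 1) return -1;

    /* The application's connect() becomes a SOCKS CONNECT to the FTP server. */
    n = socks4_build_request(req, sizeof req, SOCKS4_CONNECT, 21, ftp_be, "ftpuser");
    if (socks4_server_handle(req, n, 0, 0, rep) == 0) return -1;
    if (socks4_parse_reply(rep, sizeof rep, &rport, &rip) != SOCKS4_GRANTED) return -1;

    /* The application's Rbind() becomes a SOCKS BIND; the server pairs it with
     * the CONNECT above and will accept only the FTP server's connection. */
    n = socks4_build_request(req, sizeof req, SOCKS4_BIND, 0, bind_be, "ftpuser");
    if (socks4_server_handle(req, n, ftp_be, 40001, rep) == 0) return -1;
    cd = socks4_parse_reply(rep, sizeof rep, &rport, &rip);
    if (bound_port) *bound_port = rport;
    return cd;
}

int main(void)
{
    uint16_t port = 0;
    int cd = socks4_connect_then_bind("192.0.2.10", "192.0.2.10", &port);
    printf("BIND paired with CONNECT: CD=%d, listening port=%u\n", cd, port); /* CD=90, port=40001 */
    cd = socks4_connect_then_bind("192.0.2.10", "198.51.100.7", &port);
    printf("BIND to a different host: CD=%d\n", cd);                        /* CD=91 */
    return 0;
}
```

<p>A real SOCKS server answers a granted BIND twice: once with the address it is listening on (the DSTIP 0.0.0.0 in the first reply means the server's own address, which is what <span class="apiname">getsockname()</span> reports to the client) and again when the remote host actually connects, or with a rejection when its timer expires, which the client sees as ECONNABORTED on <span class="apiname">accept()</span>. The USERID field is only as trustworthy as whatever identd check the server performs on it; SOCKS version 4 carries no other authentication and no encryption, so the link between the secure client and the SOCKS server must itself lie inside the trusted network.</p>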
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="aconcepts.htm" title="Advanced socket concepts go beyond a general discussion of what sockets are and how they work. They provide ways to design socket applications for larger and more complex networks.">Advanced socket concepts</a></div>
</div>
<div class="relinfo"><strong>Related information</strong><br />
<div><a href="../apis/bind.htm">bind()</a></div>
<div><a href="../apis/connec.htm">connect()</a></div>
<div><a href="../apis/accept.htm">accept()</a></div>
<div><a href="../apis/gsockn.htm">getsockname()</a></div>
<div><a href="../apis/rbind.htm">Rbind()</a></div>
</div>
</div>
</body>
</html>