In typical hypertext transfer protocol (HTTP) communications, one host is considered the HTTP client and initiates communication with another host, the HTTP server. The HTTP client requests the connection and, if the HTTP server accepts the connection, the client then transfers data to the server and waits for a response from the server. The response from the server might be as simple as an acknowledgement of the data from the client or the response might include data that was requested by the client.
Often, a host in a TCP/IP network is located “behind” a firewall, meaning that network access to the host from outside the firewall is greatly limited or restricted entirely. Hosts located behind a firewall are typically configured with a private IP address that is unique within their own intranet but is not valid for use on the public Internet.
Using a Network Address Translation (NAT) proxy or Network Address and Port Translation (NAPT) proxy, it is possible to map the private IP address on the intranet to a valid public IP address on the Internet. This allows the host behind the firewall to establish communication with another host outside the firewall. Typically, however, the configuration of the NAT proxy does not allow a host outside the firewall to initiate a connection to a host behind the firewall.
This type of environment, in which a client behind the firewall communicates with a server outside the firewall, is referred to as a “post-only” environment because a client behind the firewall is able to post a request out to a server, but a client outside the firewall is unable to post a request to a server behind the firewall. A post-only environment may be used for security so that a host behind the firewall is not subject to traffic from the public Internet.
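To make the post-only behaviour concrete, here is an added Python model of a stateful NAPT proxy (example code, not part of the original document): outbound packets from the private host create port mappings, and inbound packets are forwarded only when they match the reply half of an existing mapping, so server responses get through while connection attempts initiated from outside are dropped. The addresses, port numbers and class names are constructed for the illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed addresses: RFC 1918 private space and RFC 5737 documentation ranges.
PRIVATE_HOST = "192.168.1.10"
PUBLIC_ADDR = "203.0.113.5"
OUTSIDE_SERVER = "198.51.100.20"
OUTSIDE_STRANGER = "198.51.100.99"

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

Flow = Tuple[str, int, str, int]  # (private_ip, private_port, remote_ip, remote_port)

@dataclass
class NaptProxy:
    """Toy stateful NAPT: outbound packets create mappings, inbound packets are forwarded only as replies."""
    public_ip: str
    next_port: int = 40000
    by_flow: Dict[Flow, int] = field(default_factory=dict)  # flow -> allocated public port
    by_port: Dict[int, Flow] = field(default_factory=dict)  # public port -> flow

    def translate_outbound(self, pkt: Packet) -> Packet:
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if flow not in self.by_flow:
            self.by_flow[flow] = self.next_port  # first packet of this flow: allocate a public port
            self.by_port[self.next_port] = flow
            self.next_port += 1
        return Packet(self.public_ip, self.by_flow[flow], pkt.dst_ip, pkt.dst_port)

    def translate_inbound(self, pkt: Packet) -> Optional[Packet]:
        flow = self.by_port.get(pkt.dst_port)
        # Drop anything that is not a reply to a connection the inside host opened:
        # either no mapping exists, or the sender is not the remote endpoint that was contacted.
        if flow is None or (flow[2], flow[3]) != (pkt.src_ip, pkt.src_port):
            return None
        return Packet(pkt.src_ip, pkt.src_port, flow[0], flow[1])

def demo() -> Tuple[Packet, Optional[Packet], Optional[Packet], Optional[Packet]]:
    nat = NaptProxy(PUBLIC_ADDR)
    out = nat.translate_outbound(Packet(PRIVATE_HOST, 51000, OUTSIDE_SERVER, 80))
    reply = nat.translate_inbound(Packet(OUTSIDE_SERVER, 80, PUBLIC_ADDR, out.src_port))
    unsolicited = nat.translate_inbound(Packet(OUTSIDE_SERVER, 5555, PUBLIC_ADDR, 8080))
    stranger = nat.translate_inbound(Packet(OUTSIDE_STRANGER, 80, PUBLIC_ADDR, out.src_port))
    return out, reply, unsolicited, stranger
```

Running `demo()` shows the outbound request rewritten to the public address, the server's reply delivered back to the private host, and both the unsolicited packet and the packet from a different outside host dropped.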
As long as the hosts behind the firewall act as HTTP clients with respect to HTTP servers outside the firewall, the post-only environment works. However, if a host behind the firewall acts as an HTTP server with respect to HTTP clients outside the firewall, the post-only environment will not allow the communication. Alternatively, the firewall may be configured to allow access to the host from the public Internet. However, exposing the host increases the security risk to the host, since it is now reachable from the public Internet, and consumes resources in the form of public IP addresses. Leaving the host behind a limited-access firewall restricts access to the host's HTTP server to those hosts that are also behind the firewall. In certain applications these options may be unacceptable. As such, an improved method and system for communicating with hosts behind a firewall would be desirable.