In a client/server computer network environment the client computers are typically separated from the server computer by a firewall that protects the client computers from any unauthorized tampering. The server computer might be part of the same corporate intranet as the client computers but located on a different network segment, or might be located anywhere in the world. Whether the network environment is part of a corporate intranet or is connected to the Internet, use of a firewall prevents unauthorized access to the client computers that might originate from within the intranet or from anywhere on the Internet. Such use of a hardware or software firewall is well known.
In such a typical client/server network environment a client makes a connection to the server, requests a service, the server replies to the client and then the connection is closed. An example of this request-reply type protocol is the HTTP/HTTPS web protocol. Using such a protocol, a server would not be able to open a connection to a client computer behind a firewall of its own accord. Unfortunately, in many situations it would be desirable to allow a server computer to proactively deliver a time-critical message to a client computer behind a firewall without waiting for the client to establish a connection and make a request first.
For example, when a new computer virus outbreak occurs, certain companies track such an outbreak and are in a good position to alert their clients to take protective action. It would be desirable to deliver an urgent message within minutes to any number of their clients' client computers advising them to make a configuration change, even before the new virus update or virus pattern is available, in order to counteract the new virus more effectively. Once the new virus pattern is available, it is also important to be able to deliver these patterns as quickly as possible to client computers. Other situations where it would be desirable to deliver an urgent message to client computers include immediate delivery of security policies and general command messages in order to enforce such policies immediately.
Prior art techniques do not adequately address these needs while at the same time preserving the integrity of the purpose of the firewall. In some situations each client computer behind the firewall maintains an active connection to the server computer outside the firewall at all times through polling. But polling is a very resource-intensive technique and does not scale well. It is not uncommon to have hundreds of client computers behind a firewall; it is not practical to have each client continuously poll the server to see if there are any urgent messages. Even when polling works, if each computer polls only every five minutes, then an urgent message might be delayed by as much as five minutes. Other techniques, such as custom protocols, rely upon opening “a hole” in the firewall to allow an active connection from the server computer to a client computer, thus accommodating any urgent messages. For example, one company opens a dedicated DNS port in the firewall to allow such urgent communications. But such an open port makes the firewall and the client computers behind it more vulnerable to exploitation from the outside.
Given the need to deliver such urgent messages to client computers behind a firewall, and the inadequacy of prior art techniques, a solution is desired.