There are different types of computer communication networks. Some are public networks to which many different users can gain access and communicate, or through which network traffic (e.g., data packets) may pass unimpeded. Other networks are private networks. In contrast to a public network, a private network may limit access to the network and limit communication to network resources connected to the private network. A private network may only permit authorized network traffic to pass through the network. Examples of private networks include home networks of computer users and corporate enterprise networks where only employees of the corporation may be permitted to access the private network. In some cases, a private network may be a portion of another network, such as where a portion of a corporate enterprise network is more secure than the enterprise network as a whole and has further limited access, thus making it a private network when compared to the rest of the corporate network.
Because of restricted access, network resources of a private network may not be freely accessible to computing devices outside the private network (e.g., to those connected to another network outside the private network, i.e., an “outside network”). In some such cases, the outside network may be communicatively connected to the private network, such that network traffic could flow if permitted, but the security settings of the private network may stop some network traffic from entering the private network.
In some circumstances, it is desirable to enable a computing device connected to an outside network to communicate with network resources of a private network. For example, an employee of a corporation, working from home or while traveling, may desire access to network resources of the corporation's enterprise network to perform a task related to his or her job.
Remote access technologies have been developed to provide access to a private network when connected to an outside network. One example of these remote access technologies is Virtual Private Networking (VPN). A computing device may be provided with a VPN client, into which a user of the computing device (e.g., an employee of a corporation) enters his or her credentials, such as a user name and password. The VPN client may then pass those credentials to a VPN gateway, which may then in turn authenticate those credentials to ensure the credentials are legitimate. Once authenticated, a secure connection (e.g., through a public network, such as the Internet) may be opened to the private network for the computing device running the VPN client, and the computing device may be allowed to access network resources connected to the private network while connected to an outside network. This secure connection may be formed using a “virtual” network interface, created on the computing device by the VPN client, that makes use of the hardware network interfaces/adapters of the computing device but that is assigned network characteristics (e.g., an IP address) by the private network. When using a VPN connection, a client may have full access to the private network and all network resources connected to it.
Another remote access technology is known as link translation. Link translation technology performs a translation of links or textual identifiers used by a private network resource. For example, a private network resource, such as a web server hosting an intranet web site available only to computing devices on the private network, may have the textual identifier “hrweb” identifying it as the host of the intranet web site for the Human Resources (HR) department. This identifier may be used to establish a connection to the web server, such as when it is input to a web browser. Inside the private network, the identifier (“hrweb”) will be resolved to an IP address for the web server using the Domain Name System (DNS), and a connection will be established to the web server using that IP address.
This identifier, however, is not recognizable outside the private network, and cannot be resolved. Because the web server identified as “hrweb” is not accessible outside the private network, when a computing device connected to an outside network (e.g., an employee trying to access the HR department web site via the Internet while at home or traveling) attempts to connect to “hrweb” the user will experience an error. A link translation client on the computing device may therefore edit the link (which may include editing a document containing the link) to substitute for the internal private identifier a textual identifier for the network resource that is accessible to the outside network. For example, a gateway device that is connected to the private network and accessible via the outside network may be identified to the outside network as “gateway.corporate.com.” When a computing device not connected to the private network is using the private textual identifier, the link translation client, instead of using the original, private identifier (“hrweb”), may substitute the textual identifier for the gateway device and connect to the gateway device, and may separately pass the original, private identifier (“hrweb”) to the gateway device. For example, when opening a connection for a web server using the HyperText Transfer Protocol (HTTP), when a user initially inputs “http://hrweb/” the link translation client may “translate” the link into “http://gateway.corporate.com/?originalURL=http://hrweb/”. A connection may be established to the private network using the translated link, such as to a networking device of the private network acting as a reverse proxy. The reverse proxy may then again translate these translated links back to the original, private identifier, and establish a connection in the private network to the network resource identified by the original identifier. The reverse proxy may then pass messages between the computing device on the outside network and the network resource of the private network.
The substitution process of link translation is performed prior to any action being taken to open a connection to the private network. It is the substituted link, and the substituted identifier (e.g., “gateway.corporate.com”) that is used to open the connection, and not the originally-input identifier “hrweb.” Thus, when a Domain Name System (DNS) process is carried out to resolve a domain name into an IP address to be used to open a connection, the substituted identifier, “gateway.corporate.com,” is resolved, and not the originally-input identifier.
In addition to the computing device opening the connection, a gateway device for a private network that uses link translation techniques may also translate links. For example, as a user of a computing device connected to an outside network requests information, such as web pages or documents, through the gateway device, the gateway device may scan all the information and perform a substitution on any private identifiers for private network resources. If the intranet web site for the HR department includes a link to the intranet web site for the Accounting department (e.g., a link to “http://accountingweb/”), the gateway device may substitute that link with a textual identifier that may be used on the outside network. For example, a link to “http://accountingweb/” may be substituted with “http://gateway.corporate.com/?originalURL=http://accountingweb/”.
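The translation round trip described above, shown as an added example that is not part of the original text: private links are rewritten to the gateway form (by the client or by the gateway scanning a document), and the reverse proxy recovers the original identifier. The set of private host names, the percent-encoding of the embedded URL, the check that refuses targets outside that set, and the sample page are assumptions of this example.

```python
import re
from urllib.parse import urlsplit, parse_qs, quote

GATEWAY = "gateway.corporate.com"           # external name used in the text
PRIVATE_HOSTS = {"hrweb", "accountingweb"}  # assumed inventory of private identifiers

def translate(url):
    """Return the outside-usable form of a private link; other links pass through."""
    if urlsplit(url).hostname not in PRIVATE_HOSTS:
        return url
    # Percent-encode the original URL so its own '?', '&' or '#' cannot be
    # confused with the gateway URL's query string (assumption of this example).
    return f"http://{GATEWAY}/?originalURL={quote(url, safe='')}"

def reverse_translate(url):
    """Reverse proxy side: recover the private URL, or None if the link is refused."""
    parts = urlsplit(url)
    if parts.hostname != GATEWAY:
        return None
    original = parse_qs(parts.query).get("originalURL", [None])[0]
    if original is None:
        return None
    target = urlsplit(original)
    # Only forward to known private resources, so the gateway does not relay
    # requests to arbitrary hosts named in the parameter.
    if target.scheme != "http" or target.hostname not in PRIVATE_HOSTS:
        return None
    return original

HREF = re.compile(r'href="([^"]*)"')

def rewrite_document(html):
    """Gateway side: substitute every private link found in a returned document."""
    return HREF.sub(lambda m: f'href="{translate(m.group(1))}"', html)

# Constructed sample page: one private link, one public link.
SAMPLE_PAGE = ('<a href="http://accountingweb/">Accounting</a> '
               '<a href="http://www.example.org/">Public</a>')

if __name__ == "__main__":
    print(translate("http://hrweb/"))
    print(reverse_translate(translate("http://hrweb/")))
    print(rewrite_document(SAMPLE_PAGE))
```
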