HP VPN Firewall Appliances Attack Protection Configuration Guide
TCP proxy can operate in two modes:
• Unidirectional proxy—Processes only packets from TCP clients.
• Bidirectional proxy—Processes packets from both TCP clients and TCP servers.
Choose the mode that matches the traffic path in your network. For example, if packets from TCP
clients to a server go through the TCP proxy but packets from the server back to the clients do not,
as shown in Figure 1, configure unidirectional proxy.
Figure 1 Network diagram for unidirectional proxy
If all packets between TCP clients and a server go through the TCP proxy, as shown in Figure 2, you can
configure unidirectional proxy or bidirectional proxy as desired.
Figure 2 Network diagram for unidirectional/bidirectional proxy
• Unidirectional proxy
Figure 3 Data exchange process in unidirectional proxy mode
When the TCP proxy receives a SYN message sent from a client to a protected server, it sends
back, on behalf of the server, a SYN ACK message that uses an invalid sequence number (one that does
not correctly acknowledge the client's SYN; a standards-conforming client in the SYN-SENT state rejects
such a segment with an RST, as specified in RFC 793). A legitimate client therefore responds with an
RST message. If the TCP proxy receives an RST message from the
Figure 3 shows three participants (TCP client, TCP proxy, TCP server) exchanging the following messages:
1) SYN (client to proxy)
2) SYN ACK with an invalid sequence number (proxy to client, on behalf of the server)
3) RST (client to proxy)
4) SYN, retransmitted (client to proxy)
5) SYN, forwarded (proxy to server)
6) SYN ACK (server to client)
7) ACK (client to proxy)
8) ACK, forwarded (proxy to server)
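The following added example models the unidirectional proxy check shown in Figure 3; it is illustration code written for this guide, not firmware or configuration from the HP appliance. Segments are plain Python objects rather than real packets, and the addresses, initial sequence numbers and client behaviour are constructed. It assumes the client behaves as RFC 793 prescribes in the SYN-SENT state: a SYN ACK whose acknowledgment number does not acknowledge the client's SYN is answered with an RST whose sequence number equals that bad acknowledgment number. The example also shows why a spoofed-source SYN flood never gets past the proxy: nobody receives the SYN ACK, so no matching RST comes back.

```python
"""Model of the unidirectional TCP proxy handshake check (Figure 3).
Constructed example: no sockets, addresses and ISNs are made up."""
import secrets
from dataclasses import dataclass, field


@dataclass
class Segment:
    src: str      # sender address (constructed, e.g. "10.0.0.5")
    dst: str      # receiver address
    flags: str    # "SYN", "SYN-ACK", "ACK" or "RST"
    seq: int = 0  # sequence number
    ack: int = 0  # acknowledgment number


@dataclass
class UnidirectionalProxy:
    """Sees only client->server traffic; the server's replies bypass it."""
    server: str
    pending: dict = field(default_factory=dict)    # client -> RST seq we expect
    verified: set = field(default_factory=set)     # clients that passed the check
    forwarded: list = field(default_factory=list)  # segments relayed to the server

    def on_client_segment(self, seg: Segment):
        """Process one client->server segment. Returns the segment the proxy
        sends back to the client on the server's behalf, or None."""
        if seg.dst != self.server:
            return None
        if seg.src in self.verified:
            # Steps 4/5 and 7/8: a verified client's SYN and ACK are forwarded.
            self.forwarded.append(seg)
            return None
        if seg.flags == "SYN":
            # Steps 1/2: answer with a SYN ACK whose acknowledgment number does
            # NOT acknowledge the client's SYN (offset 1..2^31, so never seq+1).
            # A conforming client must answer with an RST carrying
            # seq == this bogus value, so the unpredictable value also proves
            # the RST comes from a host that really received our SYN ACK.
            bogus_ack = (seg.seq + 1 + secrets.randbelow(2**31) + 1) & 0xFFFFFFFF
            self.pending[seg.src] = bogus_ack
            return Segment(self.server, seg.src, "SYN-ACK",
                           seq=secrets.randbelow(2**32), ack=bogus_ack)
        if seg.flags == "RST" and self.pending.get(seg.src) == seg.seq:
            # Step 3: the RST echoes the bogus value, so the source is real.
            del self.pending[seg.src]
            self.verified.add(seg.src)
            return None
        # Anything else from an unverified client (half-open flood, RST with a
        # guessed value, stray ACK) is dropped without touching the server.
        return None


def legitimate_client(addr: str, isn: int):
    """A conforming stack in SYN-SENT: RST on a bad acknowledgment number."""
    def respond(reply: Segment):
        if reply.flags == "SYN-ACK" and reply.ack != isn + 1:
            return Segment(addr, reply.src, "RST", seq=reply.ack)
        return None
    return respond


def run_legitimate_handshake(proxy: UnidirectionalProxy, addr="10.0.0.5", isn=1000):
    """Steps 1-5 and 7-8 for a real client. Returns the flags of the
    segments that reached the server (step 6 bypasses the proxy)."""
    client = legitimate_client(addr, isn)
    syn = Segment(addr, proxy.server, "SYN", seq=isn)
    rst = client(proxy.on_client_segment(syn))                 # steps 1-3
    proxy.on_client_segment(rst)
    proxy.on_client_segment(Segment(addr, proxy.server, "SYN", seq=isn))  # step 4
    proxy.on_client_segment(Segment(addr, proxy.server, "ACK",
                                    seq=isn + 1, ack=1))        # step 7
    return [s.flags for s in proxy.forwarded]


def run_spoofed_flood(proxy: UnidirectionalProxy, count=1000):
    """SYN flood from spoofed sources, plus RSTs with a guessed value of 0
    (the bogus value is never 0 for these ISNs). Returns how many segments
    were forwarded to the server."""
    before = len(proxy.forwarded)
    for i in range(count):
        src = f"198.51.100.{i % 254 + 1}"
        proxy.on_client_segment(Segment(src, proxy.server, "SYN", seq=i))
        proxy.on_client_segment(Segment(src, proxy.server, "RST", seq=0))
    return len(proxy.forwarded) - before


if __name__ == "__main__":
    p = UnidirectionalProxy(server="203.0.113.10")
    print("legitimate client, forwarded:", run_legitimate_handshake(p))
    print("spoofed flood, forwarded:", run_spoofed_flood(p))
```

The point to take from the model is that the proxy keeps no per-connection state on the server's behalf: an unverified client costs only one map entry, the server sees no SYN until the client has proved it can receive traffic, and a real client pays only one extra round trip (the RST and SYN retransmission).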