TMS zl Management and Configuration Guide ST.1.0.090213
4-81
Firewall
Application-Level Gateways
pptp
PPTP uses TCP 1723 for its control connection and Generic Routing Encapsulation (GRE) for its data connection.
The PPTP ALG:
■ processes all packets that arrive on TCP 1723. PPTP control message
types are the following:
• Control-connection management — The ALG does not inspect any of these messages; they are allowed to pass through unchanged. These messages establish a tunnel between a PPTP Access Concentrator (PAC) and a PPTP Network Server (PNS). Once the tunnel is established between a PAC and a PNS, either the PAC or the PNS can initiate a session through the call-management messages.
• Call management — These messages establish and tear down sessions. There can be multiple sessions in a single tunnel. Each session is distinguished by the call IDs that are exchanged in the call-management messages during session establishment.
• Error reporting — These messages are used for error reporting by
the PAC to the PNS.
• PPP session control — These messages are used to set up the PPP-negotiated options that are sent by the PNS to the PAC.
■ monitors an established tunnel throughout its lifetime. The ALG interprets
the call-management messages that are used to establish a session
through a tunnel. Either the PAC or PNS can initiate a session. The session
initiator sends a call-request message, which contains the call ID to be
used by the other end of the session. Once a call-request message is
detected by the ALG, it keeps track of the information related to the
session.
■ extracts the peer call ID from Incoming-Call-Reply messages and checks for an Incoming-Call-Request message that was initiated with this ID. If a matching Incoming-Call-Request exists, the ALG creates a new dynamic connection for the GRE protocol, using the call IDs exchanged during session establishment in place of port numbers. This enables the data transfer that is initiated by the PAC or PNS to pass through the firewall.
■ allocates a new call ID if NAT is enabled and replaces the original call ID
sent by the internal systems with the NAT call ID. During the data transfer,
all of the GRE packets that arrive contain the NAT call ID, which is
replaced by the original call ID that was stored by the ALG for that session.
■ removes the session information when it receives a Call-Clear-Request or
Call-Disconnect-Notify message.
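The following is an added example, not code from the TMS zl product or from this guide: a toy model of the ALG state machine described in the list above. It parses the RFC 2637 control-message header (length, message type, magic cookie, control message type), records the call ID from a call request, opens a GRE "pinhole" keyed by the call-ID pair when the matching reply arrives, substitutes a NAT call ID on the way out and restores the original call ID in the GRE key on the way in, and removes the session on Call-Clear-Request or Call-Disconnect-Notify. Assumptions: the internal host is the session initiator, the NAT call-ID pool starts at 0x4000, the message bodies are zero-padded stand-ins for the full RFC layouts, and all packets are constructed inline.

```python
"""Toy model of the PPTP ALG state machine described above (added example, not TMS zl code)."""
import struct
from dataclasses import dataclass

MAGIC_COOKIE = 0x1A2B3C4D
CTRL_HDR = struct.Struct("!HHIHH")    # length, PPTP msg type, magic cookie, ctrl msg type, reserved
OUT_CALL_REQ, OUT_CALL_REPLY, IN_CALL_REQ, IN_CALL_REPLY = 7, 8, 9, 10
CALL_CLEAR_REQ, CALL_DISC_NOTIFY = 12, 13
CALL_REQUESTS, CALL_REPLIES = {OUT_CALL_REQ, IN_CALL_REQ}, {OUT_CALL_REPLY, IN_CALL_REPLY}
CALL_TEARDOWN = {CALL_CLEAR_REQ, CALL_DISC_NOTIFY}
GRE_PPP = 0x880B                      # protocol type of PPTP's enhanced GRE
GRE_HDR = struct.Struct("!HHHH")      # flags/version, protocol, payload length, key = call ID
CALL_ID_OFF = CTRL_HDR.size           # Call ID field of every call-management message
PEER_CALL_ID_OFF = CTRL_HDR.size + 2  # Peer's Call ID field of the two call-reply messages

def build_control(ctype, body):
    """Build a control message; body is the message-specific part after the common header."""
    return CTRL_HDR.pack(CTRL_HDR.size + len(body), 1, MAGIC_COOKIE, ctype, 0) + body

def parse_control(pkt):
    """Validate the common header and return the control message type."""
    length, mtype, magic, ctype, _ = CTRL_HDR.unpack_from(pkt)
    if mtype != 1 or magic != MAGIC_COOKIE or length != len(pkt):
        raise ValueError("malformed PPTP control message")
    return ctype

def read_u16(pkt, off):
    return struct.unpack_from("!H", pkt, off)[0]

def write_u16(pkt, off, value):
    return pkt[:off] + struct.pack("!H", value) + pkt[off + 2:]

@dataclass
class Session:
    orig_call_id: int          # call ID chosen by the internal host
    nat_call_id: int           # call ID the outside sees (same as orig_call_id without NAT)
    peer_call_id: int = None   # call ID chosen by the external peer, learned from its reply

class PptpAlg:
    def __init__(self, nat=True, nat_pool_start=0x4000):   # pool start is an assumed value
        self.nat, self._next_nat_id = nat, nat_pool_start
        self.pending = {}    # nat_call_id -> Session that sent a request and awaits a reply
        self.sessions = {}   # nat_call_id -> Session whose GRE pinhole is open

    def control_outbound(self, pkt):
        """Control message from the internal host; returns the packet as it is forwarded."""
        ctype = parse_control(pkt)
        if ctype in CALL_REQUESTS:
            orig = nat_id = read_u16(pkt, CALL_ID_OFF)
            if self.nat:                      # allocate a NAT call ID and substitute it
                nat_id, self._next_nat_id = self._next_nat_id, self._next_nat_id + 1
            self.pending[nat_id] = Session(orig, nat_id)
            return write_u16(pkt, CALL_ID_OFF, nat_id)
        if ctype in CALL_TEARDOWN:            # Call ID here is the sender's own ID
            orig = read_u16(pkt, CALL_ID_OFF)
            for nat_id, s in list(self.sessions.items()):
                if s.orig_call_id == orig:
                    del self.sessions[nat_id]
                    return write_u16(pkt, CALL_ID_OFF, nat_id)
        return pkt   # control-connection management and everything else passes untouched

    def control_inbound(self, pkt):
        """Control message from the external peer; None means the ALG drops it."""
        ctype = parse_control(pkt)
        if ctype in CALL_REPLIES:
            nat_id = read_u16(pkt, PEER_CALL_ID_OFF)   # echo of the ID the ALG sent out
            s = self.pending.pop(nat_id, None)
            if s is None:
                return None                  # reply without a matching request: drop
            s.peer_call_id = read_u16(pkt, CALL_ID_OFF)
            self.sessions[nat_id] = s        # GRE pinhole now open for this call-ID pair
            return write_u16(pkt, PEER_CALL_ID_OFF, s.orig_call_id)
        if ctype in CALL_TEARDOWN:
            peer = read_u16(pkt, CALL_ID_OFF)
            for nat_id, s in list(self.sessions.items()):
                if s.peer_call_id == peer:
                    del self.sessions[nat_id]
        return pkt

    def gre_inbound(self, pkt):
        """GRE data from outside: the key carries the NAT call ID; restore the original."""
        flags, proto, plen, key = GRE_HDR.unpack_from(pkt)
        s = self.sessions.get(key)
        if proto != GRE_PPP or s is None:
            return None                      # no pinhole for this call ID: drop
        return GRE_HDR.pack(flags, proto, plen, s.orig_call_id) + pkt[GRE_HDR.size:]

def demo():
    """Run one call through the ALG with constructed packets; returns the values worth checking."""
    alg = PptpAlg(nat=True)
    req = build_control(OUT_CALL_REQ, struct.pack("!HH", 5, 1) + bytes(32))   # host's call ID 5
    nat_id = read_u16(alg.control_outbound(req), CALL_ID_OFF)                # ID the peer sees
    reply = build_control(OUT_CALL_REPLY, struct.pack("!HH", 9, nat_id) + bytes(28))  # peer's ID 9
    inside_sees = read_u16(alg.control_inbound(reply), PEER_CALL_ID_OFF)
    gre = alg.gre_inbound(GRE_HDR.pack(0x3001, GRE_PPP, 4, nat_id) + b"\xff\x03\xc0\x21")
    alg.control_outbound(build_control(CALL_CLEAR_REQ, struct.pack("!HH", 5, 0)))
    return nat_id, inside_sees, read_u16(gre, 6), len(alg.sessions)
```

demo() returns the NAT call ID the peer saw (0x4000), the original call ID restored in the reply and in the GRE key (5 in both), and an empty session table after the Call-Clear-Request. The two drop paths matter for a firewall: a call reply whose Peer's Call ID matches no outstanding request is discarded rather than opening a pinhole, and a GRE packet whose key matches no open session is discarded, so only data for calls the ALG watched being set up crosses the firewall.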