Microsoft Internet Security and Acceleration Server 2000

Filter Requirements for Firewall Clients

Application filters can work with both Firewall clients and SecureNAT clients. This section describes specific design considerations for filters that must work with Firewall clients. For information on designing filters to work with SecureNAT clients, see Filter Requirements for SecureNAT Clients.

To handle Firewall client connect requests for outgoing primary connections, the filter must register for events originating from a Firewall client. Use the fwxSourceWSP value of the FwxFirewallEventSource enumerated type to register for Firewall client events. A filter designed to handle both Firewall client and SecureNAT client requests should use the macro FWX_ALL_SOURCES to include both values.

To allow a Firewall client to receive a secondary inbound connection, use IFWXSession::RetroactiveAllowBind. Use this method because the client application may have already bound a socket on the Firewall service, and the filter should use that socket. IFWXSession::RetroactiveAllowBind enables the previously created bind by associating it with a protocol, and also checks whether the client application bound a Firewall service socket. If the client application did not bind a Firewall service socket, IFWXSession::RetroactiveAllowBind will fail. Therefore, the filter should also call IFWXSession::BindForClient. IFWXSession::BindForClient lets a client application receive an inbound connection when the Firewall client component failed to create a remote socket for its bind call.