|Microsoft Internet Security and Acceleration Server 2000|
Allows a client to make secondary outbound connections.
HRESULT AllowFutureConnect( LPSOCKADDR Address, DWORD AddressLength, LPSOCKADDR ProxyExternalAddress, DWORD ProxyExternalAddressLength, INT Protocol, DWORD dwFlags, REFGUID ProtocolGuid, IFWXSessionFilter *pSessionFilter, IUnknown *punkContext, IFWXFirewallAction **ppFirewallAction );
|FWX_PROTOCOL_TCP||The connection will use the TCP protocol.|
|FWX_PROTOCOL_UDP||The connection will use the UDP protocol.|
|FWX_FLAG_ADDRESS_BASED||The permission should be associated with the client address, not the client session. This is necessary if the protocol involves connections that are intiated by different processes.|
|FWX_FLAG_ALLOW_MULTIPLE||By default, a single outbound connection is expected. If this flag is specified, multiple connections to the same address will be possible.|
|FWX_FLAG_TIMEOUT||The client is expected to use the permission within approximately one minute of the call. If the client does not make the connection, the permission automatically expires.|
|FWX_FLAG_NO_KERNEL_MODE||The connection is forced to go through user-mode code, even if currently there seems to be no reason not to use kernel-mode for the connection.|
|FWX_FLAG_BIDIRECTIONAL||Permission is also granted for packets coming back from the destination socket to the sending socket. This flag is only valid for UDP.|
A filter should call this method when it detects, by inspecting another (usually the "primary") connection, that the client needs to make a TCP connection to the server, or to send one or more UDP datagrams to that server. This is usually known when the server sends an address to the client. For example, when an FTP server sends the following, it is instructing the client to connect to address 184.108.40.206 on port 1046.
227 Entering Passive Mode (198,105,232,1,4,22)
The call allows an outbound connection from the client denoted by the session object (the IP address given by the GetClientAddress method) to the requested address.
Using this method is preferable to defining a secondary port, or port range in a protocol definition, and to handling all connect events and calling IFWXConnection::SetProtocol or IFWXConnection::Deny, as appropriate.
It is impossible to attach a data filter to a kernel-mode connection. For this reason, the Firewall service will not make a kernel-mode connection if a data filter is expected to be set on the connection or if a filter is registered for the resulting connection event. When a filter calls SetDataFilterFactory, the decision has already been made and cannot be modified. A filter that is going to call SetDataFilterFactory for the resulting connection should specify FWX_FLAG_NO_KERNEL_MODE. A filter that already called SetDataFilterFactory for the resulting connection is not required to specify this flag.
The FWX_FLAG_TIMEOUT flag cannot be specified in conjunction with the FWX_FLAG_ALLOW_MULTIPLE flag.
IFWXConnection::SetProtocol, IFWXFirewallAction, IFWXSession::GetClientAddress, IFWXSession::SetDataFilterFactory, IFWXFilterAdmin::RegisterProtocolForFilter