IFWXSession::RetroactiveAllowBind method

  • Article

Applies to: desktop apps only

The RetroactiveAllowBind method allows a Forefront TMG Client or Firewall Client computer to receive a secondary inbound connection on a socket that was previously bound by the Forefront TMG Client or Firewall Client computer, but was not necessarily approved by the Microsoft Firewall service.

Syntax

HRESULT RetroactiveAllowBind(
  [in]  INT Protocol,
  [in]  LPSOCKADDR Address,
  [in]  DWORD AddressLength,
  [in]  REFGUID ProtocolGuid,
  [in]  DWORD dwFlags,
  [in]  IFWXIpFilter *pIpFilter
);

Parameters

  • Protocol [in]
    Protocol flags. This parameter can have the following flag values:

    Value Meaning
    FWX_PROTOCOL_TCP

    The bind uses the TCP protocol.
    FWX_PROTOCOL_UDP

    The bind uses the UDP protocol.

     

  • Address [in]
    Pointer to a sockaddr structure that contains the external IP address of the Forefront TMG computer for which this request is made. The address can be INADDR_ANY. The port number must be nonzero.

  • AddressLength [in]
    Length, in bytes, of the structure pointed to by the Address parameter.

  • ProtocolGuid [in]
    GUID that identifies the protocol of which the connection is part.

  • dwFlags [in]
    Connection flags. This parameter can be any combination of the following flag values:

    Value Meaning
    FWX_FLAG_BIDIRECTIONAL

    Permission is also granted to send packets back to destinations that recently sent packets to the socket. This flag is only valid for UDP.
    FWX_INCREASE_RECEIVE_BUFFER

    The receive buffer will be increased to 64 kilobytes. This flag should be set to prevent packet loss if high-bandwidth packet bursts occur in a secondary UDP connection.

     

  • pIpFilter [in]
    Pointer to an IFWXIpFilter interface. All connections that are created by RetroactiveAllowBind will be restricted by the IFWXIpFilter interface pointed to by this parameter. If you specify NULL for this parameter, the connection will not be restricted by an IFWXIpFilter interface.

Return value

This method can return one of these values.

  • S_OK
    The method succeeded.

  • S_FALSE
    The connection exists and was already allowed.

  • E_INVALIDARG
    Invalid parameter.

  • HRESULT_FROM_WIN32(ERROR_NOT_FOUND)
    No connection with the specified address was found.

  • FWX_E_TERMINATING
    The (bind) connection exists, but is already terminating.

  • FWX_E_PROTOCOL_RULES_DENIED
    The access rules do not allow the user to use the protocol specified by the ProtocolGuid parameter.

Remarks

Usually a filter will know that a bind call made by a Forefront TMG Client or Firewall Client computer is valid only after the bind call succeeds and the Forefront TMG Client or Firewall Client computer sends the address to its peer. For this reason, the Firewall service will not fail a bind call even when the service does not allow the client inbound access. Instead, the Firewall service marks the connection, and discards datagrams sent or connection attempts to that address, unless the bind becomes valid later.

Requirements

Minimum supported client

 None supported

Minimum supported server

 Windows Server 2008 R2, Windows Server 2008 with SP2 (64-bit only)

Version

 Forefront Threat Management Gateway (TMG) 2010

Header

 Wspfwext.idl

DLL

 Wspsrv.exe

See also

IFWXSession

 

 

Build date: 7/12/2010