Socket Implementation in Forefront TMG

Each data filter works with two objects that implement a socket interface. One represents the internal socket and the other represents the external socket, and the filter pumps data between them.

Forefront TMG has two interfaces through which you can manage socket activity:

IFWXSocket is the interface for a socket that was opened by the Microsoft Firewall service. Its methods allow you to send and receive on the socket, or to close the socket. This limited functionality is intentional. A data filter that uses two IFWXSocket interfaces to send and receive data does not know whether it is communicating with the Internet, the client, or another data filter in a chain of data filters.

Because IFWXSocket is for use only with existing connections, it does not provide methods that are equivalent to functions such as bind or connect.

IFWXNetworkSocket is an extension of the IFWXSocket interface. IFWXNetworkSocket represents a true socket object for either the client or server. It allows you to establish a connection, and then use the IFWXSocket functionality to perform send and receive operations. Therefore, in addition to the Send, Recv, and Close methods of IFWXSocket, IFWXNetworkSocket provides methods such as Bind, Connect, and Listen.

A socket object that implements the IFWXNetworkSocket interface can be created by calling IFWXFirewall::CreateNetworkSocket, IFWXSession::CreateNetworkSocket, or IFWXFirewall2::CreateSSLNetworkSocket. In the first two cases, the socket object created by calling CreateNetworkSocket has full socket functionality for operations such as interacting with the dynamic packet filtering mechanism or working with chained Forefront TMG computers.

A socket object created by calling IFWXFirewall::CreateNetworkSocket is not user-specific. An example of a socket that should not be user-specific is a listening socket.

To create a user-specific socket, use IFWXSession::CreateNetworkSocket. The socket object created by IFWXSession::CreateNetworkSocket has the same functionality as that created by IFWXFirewall::CreateNetworkSocket, but because it is user-specific, its activities can be logged, and the Forefront TMG policies apply to it. The use of this kind of socket is appropriate when a filter will be making a connection for a specific user.

A socket object created by calling IFWXFirewall2::CreateSSLNetworkSocket represents an SSL socket for secured communication. A socket object created by this method can interact with the dynamic packet filtering mechanism, but it does not implement the Accept, Connect, and SendTo methods.
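The two-interface model described above, as an added in-memory C++ illustration that is not the TMG SDK's own code: IFWXSocket, IFWXNetworkSocket, the loopback MemSocket, SslMemSocket and PumpOnce are simplified models written here (the real SDK declares COM interfaces with different signatures), chosen to show why a data filter that holds only two IFWXSocket pointers cannot tell what sits on either side, and how the SSL variant refuses Connect.

```cpp
#include <cstdint>
#include <deque>
#include <string>

// HRESULT-style codes with Windows values (an assumption here, not taken from the TMG SDK headers).
typedef long HRESULT;
const HRESULT S_OK = 0, E_FAIL = 0x80004005L, E_NOTIMPL = 0x80004001L;

// Model of IFWXSocket: everything a data filter gets on an already-open connection.
struct IFWXSocket {
    virtual HRESULT Send(const std::string& data) = 0;
    virtual HRESULT Recv(std::string& out) = 0;   // one queued chunk, or "" when nothing is waiting
    virtual HRESULT Close() = 0;
    virtual ~IFWXSocket() {}
};

// Model of IFWXNetworkSocket: a true socket that can also establish connections.
struct IFWXNetworkSocket : IFWXSocket {
    virtual HRESULT Bind(uint16_t port) = 0;
    virtual HRESULT Connect(const std::string& host, uint16_t port) = 0;
    virtual HRESULT Listen() = 0;
};

// In-memory loopback socket (constructed for this example): Send on one end queues data for Recv on its peer.
struct MemSocket : IFWXNetworkSocket {
    std::deque<std::string> inbox; MemSocket* peer = nullptr; bool open = true;
    HRESULT Send(const std::string& d) override { if (!open || !peer || !peer->open) return E_FAIL; peer->inbox.push_back(d); return S_OK; }
    HRESULT Recv(std::string& out) override { out.clear(); if (!open) return E_FAIL;
        if (!inbox.empty()) { out = inbox.front(); inbox.pop_front(); } return S_OK; }
    HRESULT Close() override { open = false; return S_OK; }
    HRESULT Bind(uint16_t) override { return open ? S_OK : E_FAIL; }
    HRESULT Connect(const std::string&, uint16_t) override { return open ? S_OK : E_FAIL; }
    HRESULT Listen() override { return open ? S_OK : E_FAIL; }
};
// Model of the SSL network socket: as the page states, Connect is not implemented.
struct SslMemSocket : MemSocket {
    HRESULT Connect(const std::string&, uint16_t) override { return E_NOTIMPL; }
};

// Data-filter pump: move one chunk from `from` to `to` once the inspection callback allows it. It sees only
// IFWXSocket, so it cannot tell whether either side is the client, the Internet, or the next filter in a chain.
// Returns bytes forwarded, 0 when idle, or -1 on error or rejection (a rejection tears down both legs).
long PumpOnce(IFWXSocket& from, IFWXSocket& to, bool (*allow)(const std::string&)) {
    std::string chunk;
    if (from.Recv(chunk) != S_OK) return -1;
    if (chunk.empty()) return 0;
    if (!allow(chunk)) { from.Close(); to.Close(); return -1; }
    return to.Send(chunk) == S_OK ? (long)chunk.size() : -1;
}
```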


There are three reasons why Windows Sockets (Winsock) sockets for Forefront TMG should be created only through the CreateNetworkSocket methods:

  • The application filters and the Firewall service should use the same thread pool, and thus the same completion port.
  • With IFWXNetworkSocket, the filter becomes part of the dynamic packet filtering scheme. A socket created by using Firewall service interfaces (a socket object that implements the IFWXSocket interface) cannot open a port for dynamic packet filtering.
  • Proxy chaining is supported only by IFWXNetworkSocket.



Build date: 7/12/2010