This document specifies protocols and methodologies to route Simple Symmetric Transport Protocol (SSTP) through firewalls and proxies. SSTP is defined separately in the Simple Symmetric Transport Protocol (SSTP). These protocols and methods are used to traverse firewalls and proxy servers. Multiple protocols are necessary because no one protocol is capable of traversing all firewalls and proxy configurations, because of lack of standards, different implementation characteristics and different transport restrictions common to various firewall and proxy implementations.
The protocols defined in this specification are:
LongLived Encapsulation Protocol
KeepAlive Encapsulation Protocol
Polling Encapsulation Protocol
These three protocols use different forms of HTTP encapsulation and collectively referred to as the HTTP Encapsulation protocols.
Also, the use of two tunneling protocols is described:
Secure Tunnel Proxy Protocol
Collectively, these protocols are known as the HTTP Encapsulation of SSTP protocols.
The focus of this document is the encapsulation of the SSTP protocol, but these protocols could encapsulate any protocol.
The LongLived, KeepAlive and Polling encapsulation protocols provide an alternative transport mechanism to TCP for encapsulating SSTP protocols within HTTP. Using HTTP as a transport allows SSTP application data to seamlessly traverse firewalls and proxies. This is accomplished by wrapping SSTP commands inside of HTTP messages. The main benefit of HTTP encapsulation is that it makes it possible to route data across network topologies that allow HTTP communications that require little or no network configuration changes.
The Secure Tunnel Proxy Protocol and SOCKS Protocol are proxy negotiation protocols based on Internet standard protocols that use TCP as a transport. The benefit of using these industry standard protocols is to allow the SSTP data stream to tunnel through firewalls and proxies. The Secure Tunnel Proxy uses an HTTP protocol, intended for use by SSL, to negotiate a secure tunnel through an HTTP proxy. The SOCKS protocol uses a binary protocol commonly implemented by HTTP servers.
Firewall traversal is accomplished using LongLived, KeepAlive and Polling encapsulation protocols without proxy negotiation. These protocols enable end-to-end communication through firewalls that inspect HTTP traffic or block non-port 80 traffic.
Proxy traversal is accomplished using any of the protocols defined in this specification. These protocols provide a proxy negotiation mechanism. When a proxy is traversed for SSTP communication, clients first establish a connection to a proxy. Proxy negotiation includes a message exchange between client and proxy that includes the target servers name and port number. The proxy then establishes a TCP connection with the target server on the specified port. After successfully negotiating the proxy connection, the proxy transfers the application data between the client and target server. Proxies do not do OSI model Level 3 routing as do firewalls. Instead, data is transferred across two TCP connections at the application layer. For additional security, proxies commonly support proxy authentication which introduces additional headers and message exchanges as part of proxy negotiation.
Clients commonly attempt proxy access serially and use the first encapsulation method that succeeds. This specification documents each of these protocols in detail in subsequent sections.
Sections 1.8, 2, and 3 of this specification are normative and can contain the terms MAY, SHOULD, MUST, MUST NOT, and SHOULD NOT as defined in RFC 2119. Sections 1.5 and 1.9 are also normative but cannot contain those terms. All other sections and examples in this specification are informative.