When the CPD receives a GET request on a connection diverted from the PFD's data interface, it replies with a Moved Permanently redirect (response code 301). The redirect URL sends the end user's browser directly to the CPD, bypassing the PFD's NAT; this works because the PFD allows direct connections to the CPD from everyone. In this way the application lowers the load on the PFD.
In other words, before the redirect, an unauthorized user believes they are communicating with the HTTP server they originally requested (on the internet or network, reached through the outbound interface). After receiving the redirect response, the browser knows to contact the CPD directly.
When the user connects directly to the CPD, its HTTP server presents a page with a button that lets the user authorize themselves. When the button is clicked, the CPD adds the user's source IP address to the list of authorized users and sends an update to the PFD over the internal communication channel.
Once authorized, a user can make connections through the router and through the other outbound interfaces. Because the PFD no longer redirects that user's traffic to the CPD, the user must connect to the CPD directly and click the button to remove the authorization.
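The request handling described above, as an added example that models the CPD's behaviour; this is not code from the original page or from the product it documents. It assumes a CPD address of `10.0.0.1:8080`, that a diverted connection can be recognised because its Host header names some other server, a hypothetical `/toggle` POST for the button, and a `PFDChannel` stub that only records the updates the real internal channel would carry.

```python
"""Added example: minimal model of CPD request handling (not the original code).

Assumptions: CPD_ADDRESS, the Host-header test for diverted connections, the
/toggle endpoint and the PFDChannel stub are all illustrative choices.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Assumed address that the PFD lets every client reach directly (no NAT).
CPD_ADDRESS = "10.0.0.1:8080"


@dataclass
class Request:
    method: str
    host: str    # Host header: the server the user originally asked for
    path: str
    src_ip: str  # client source address as seen by the CPD; this is what gets authorized


@dataclass
class Response:
    status: int
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""


class PFDChannel:
    """Stand-in for the CPD -> PFD internal channel; records the updates sent."""

    def __init__(self) -> None:
        self.updates: List[Tuple[str, str]] = []

    def send(self, action: str, ip: str) -> None:
        self.updates.append((action, ip))


def page(state: str) -> str:
    # Single button that flips the caller's authorization state.
    label = "Remove authorization" if state == "authorized" else "Authorize me"
    return (f"<html><body><p>You are currently {state}.</p>"
            f'<form method="POST" action="/toggle"><button>{label}</button></form>'
            "</body></html>")


class CaptivePortal:
    def __init__(self, pfd: PFDChannel, cpd_address: str = CPD_ADDRESS) -> None:
        self.pfd = pfd
        self.cpd_address = cpd_address
        self.authorized: Set[str] = set()

    def handle(self, req: Request) -> Response:
        # Case 1: a connection the PFD diverted from its data interface. The NAT
        # rewrote the destination, but the Host header still names the server the
        # user wanted, so it differs from the CPD's own address.
        if req.host != self.cpd_address:
            # Send the browser straight to the CPD, bypassing the PFD's NAT.
            # The documented code is 301; practitioners should remember that
            # browsers may cache a 301, so a 302 is often preferred for portals.
            return Response(301, {"Location": f"http://{self.cpd_address}/"})

        # Case 2: a direct connection to the CPD.
        if req.method == "GET":
            state = "authorized" if req.src_ip in self.authorized else "unauthorized"
            return Response(200, {"Content-Type": "text/html"}, page(state))

        if req.method == "POST" and req.path == "/toggle":
            # The button toggles: authorize if not yet authorized, otherwise
            # remove the authorization. Either way the PFD is updated.
            if req.src_ip in self.authorized:
                self.authorized.discard(req.src_ip)
                self.pfd.send("remove", req.src_ip)
            else:
                self.authorized.add(req.src_ip)
                self.pfd.send("add", req.src_ip)
            return Response(303, {"Location": "/"})

        return Response(405, {"Allow": "GET, POST"}, "method not allowed")


if __name__ == "__main__":
    # Constructed walk-through: diverted request, then authorize, then remove.
    pfd = PFDChannel()
    cpd = CaptivePortal(pfd)
    print(cpd.handle(Request("GET", "www.example.com", "/", "192.0.2.10")))
    print(cpd.handle(Request("POST", CPD_ADDRESS, "/toggle", "192.0.2.10")))
    print(cpd.handle(Request("GET", CPD_ADDRESS, "/", "192.0.2.10")).body)
    print(cpd.handle(Request("POST", CPD_ADDRESS, "/toggle", "192.0.2.10")))
    print(pfd.updates)
```

The walk-through at the bottom mirrors the two figures: the first request carries a foreign Host header and gets the 301 to the CPD; the POST adds the source IP and pushes an "add" update to the PFD; a later POST from the same address removes it. Note that everything hinges on the source IP, so anyone who can share or spoof an authorized address inherits that authorization.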
The following figure shows how this works with an authorized user.
Workflow For an Authorized User
The next figure shows how the CPD operates with an unauthorized user. In this figure:
Workflow For an Unauthorized User