If the device has a need to access the Internet for WEB requests, then the simplest solution to satisfy the competing concerns of security and ease-of-use is a proxy server on the Windows machine. After a link is established, the device sends web requests to the Proxy Service on the Windows machine. The Proxy Service on the Windows side listens for such requests, and acts and an agent for the USB Device fetching the web pages and content and returning them to the USB Device.
Where is the proxy?
From the viewpoint of the device, the Windows server is the Proxy Server (implemented as a Windows Service). We assume that the application on the device can discover the IP address of the Windows side of the USB link.For example the Windows System might be at 192.168.100.1 whereas the device itself is at 192.168.100.2. To avoid conflicts an alternate port is used for the Proxy Service, e.g. 8080.
So the proxy server configuration for the device would be:
http://192.168.100.1:8080/
Standard Proxy Configuration
Most HTTP libraries will allow a Proxy Server to be configured. By specifying the IP address and port the application can then access the proxy server. The HTTP library passes the request to the configured proxy address, which may be numerical or symbolic, If the proxy server is across a USB network link, then the remote system handles the request as if it were a local request, and then passes the result back to the client on the device. This is more efficient as the HTTP library may be able to optimize accesses when it knows that it is talking to a proxy server (as compared to connecting to a transparent proxy server.).URL Redirection
If the device has no proxy libraries, there is a feature known as URL redirection which will permit a port in a URL to be a stand-in for a limited number of remote websites,URL redirection is done according to the TCP port number. When a TCP connection is established, it is customary for a client agent to specify a port number of 0, meaning that the network libraries will choose a random value. However, it is possible to specify a specific port number. This of course can fail if the specified port # is in use, but a few attempts with values in a specified range will generally succeed. Having done so, the client agent can ensure that the port is in a known range, given that the range is large enough.
With this capability, a proxy redirect rule might say to redirect requests from a range of ports to a specified destination URL.
Therefore, if no proxy capability is available in the web client libraries, then the decision of where to send requests can be done indirectly by source TCP ports, which the proxy re-maps to destination website choices.
Under this scenario, using the IP address choices above, the web client would sent all requests to http://192.168.100.1:8080/, and bind requests to a source port in the appropriate range. This relies on a ruleset in the proxy server on the Windows machine. However, it does not require any sophistication on the part of the web client libraries.
Windows Firewall Configuration
Windows will require two rules to be added.- An inbound rule to allow the proxy service to accept incoming connections on the private network (the Network over USB.)
- An outbound rule to allow the proxy service to make outbound connections on the public network (i.e. to the Intranet.)