"Introduction The use of network firewalls@ systems that effectively isolate an organizations internal network structure from an exterior network@ such as the INTERNET is becoming increasingly popular. These firewall systems typically act as application-layer gateways between networks@ usually offering controlled TELNET@ FTP@ and SMTP access. With the emergence of more sophisticated application layer protocols designed to facilitate global information discovery@ there exists a need to provide a general framework for these protocols to transparently and securely traverse a firewall. There exists@ also@ a need for strong authentication of such traversal in as fine-grained a manner as is practical. This requirement stems from the realization that client-server relationships emerge between the networks of various organizations@ and that such relationships need to be controlled and often strongly authenticated. The protocol described here is designed to provide a framework for client-server applications in both the TCP and UDP domains to conveniently and securely use the services of a network firewall. The protocol is conceptually a ""shim-layer"" between the application layer and the transport layer@ and as such does not provide networklayer gateway services@ such as forwarding of ICMP messages."