This component checks for a connection to a local machine port and the program behind it. If the program matches the configured path, the connection proceeds; if not, the connection initiation is abandoned.
There is a single inline string value parameter:
Absolute program file path
Activation Phase = Top Down
Type = Step
Stream Interaction = One Off
Network terminating = No
JSON Value Type = inline string
Initiator = No
This component can make sure that only a single program on your computer can connect to the local service point that tunnels to the remote endpoint. This means that only the specified application will be able to connect to that port; any other connection is dropped.
This makes the tunnel more secure. With a traditional PPTP VPN system, if malware infects your PC while the VPN connection is active, it is able to connect to devices on that VPN without detection. This local firewall gives tight control over which software application is allowed to access a single host and port.
It works by analysing the tunnel configuration at the initiation stage:
It looks up the chain of duct points for the first one, and if it isn't a supported type, it fails.
If the remote endpoint IP address isn't localhost, it fails.
It then P/Invokes into iphlpapi.dll to get the table of bindings between ports and the applications that own them.
If the remote endpoint IP and port aren't found in that table, it fails.
If they are found, it checks the owning application's path; if it doesn't match the configured absolute program file path, it fails.
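The lookup described in the steps above, as an added C# example that is not the product's own code: it P/Invokes GetExtendedTcpTable from iphlpapi.dll, finds the process listening on a local TCP port and compares its image path with an expected absolute path. The port and path passed from Main are placeholders, and the case-insensitive path comparison is an assumption of this example.

```csharp
using System;
using System.Diagnostics;
using System.Runtime.InteropServices;

static class LocalPortOwnerCheck
{
    // Same table the component reads: TCP rows with their owning PID.
    [DllImport("iphlpapi.dll", SetLastError = true)]
    static extern uint GetExtendedTcpTable(IntPtr pTcpTable, ref int pdwSize,
        bool bOrder, int ulAf, int tableClass, uint reserved);

    const int AF_INET = 2;
    const int TCP_TABLE_OWNER_PID_ALL = 5;
    const uint MIB_TCP_STATE_LISTEN = 2;
    const int RowSize = 24; // MIB_TCPROW_OWNER_PID is six DWORDs

    // Returns the PID listening on `port` (IPv4), or -1 if no listener is found.
    static int FindListenerPid(int port)
    {
        int size = 0;
        GetExtendedTcpTable(IntPtr.Zero, ref size, false, AF_INET, TCP_TABLE_OWNER_PID_ALL, 0);
        IntPtr buf = Marshal.AllocHGlobal(size);
        try
        {
            if (GetExtendedTcpTable(buf, ref size, false, AF_INET, TCP_TABLE_OWNER_PID_ALL, 0) != 0)
                return -1;
            int count = Marshal.ReadInt32(buf); // dwNumEntries precedes the rows
            for (int i = 0; i < count; i++)
            {
                IntPtr row = buf + 4 + i * RowSize;
                uint state = (uint)Marshal.ReadInt32(row, 0);
                uint rawPort = (uint)Marshal.ReadInt32(row, 8);
                // dwLocalPort carries the port in network byte order in its low 16 bits.
                int localPort = (int)(((rawPort & 0xFF) << 8) | ((rawPort >> 8) & 0xFF));
                if (state == MIB_TCP_STATE_LISTEN && localPort == port)
                    return Marshal.ReadInt32(row, 20); // dwOwningPid
            }
            return -1;
        }
        finally { Marshal.FreeHGlobal(buf); }
    }

    // True only when the listener on `port` is the program at `expectedPath`.
    static bool IsPortOwnedBy(int port, string expectedPath)
    {
        int pid = FindListenerPid(port);
        if (pid <= 0) return false;
        try { return string.Equals(Process.GetProcessById(pid).MainModule.FileName,
                                   expectedPath, StringComparison.OrdinalIgnoreCase); }
        catch (Exception) { return false; } // access denied or process already gone
    }

    // Placeholder port and path; replace with the tunnel's local service point.
    static void Main() => Console.WriteLine(IsPortOwnedBy(8080, @"C:\Program Files\Example\app.exe"));
}
```

Reading MainModule of a process running under another account, or of a 64-bit process from a 32-bit build, can fail; the example treats that as a mismatch, which is the safe default for a gate like this.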
Technically, this duct type is not a duct but a process step. It could be argued that on one side is this Firewall-Local duct point and on the other side is the application itself (and its name), but that is a stretch.