Distributed VPN gateway for processing remote device management attribute based rules

US 10,051,002 B2
Filed: 11/01/2015
Issued: 08/14/2018
Est. Priority Date: 08/28/2015
Status: Active Grant

First Claim

Patent Images

1. A non-transitory machine readable medium storing sets of instructions for processing remote-device data messages entering a network, the sets of instructions for:

receiving, at a virtual private network (VPN) gateway executing on a computer, a data message sent by a remote device through a tunnel that connects the remote device to the network; and

intercepting the data message from an egress path of the VPN gateway as the VPN gateway forwards the data message to the message'"'"'s destination within the network; and

identifying a set of remote device management (RDM) attributes associated with the received data message by retrieving the RDM attribute set from a data storage on the computer that stores different RDM attribute sets for different data message flows; and

based on the RDM attribute set, performing a service operation on the data message;

the sets of instructions for execution by a set of processing units of the computer.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Some embodiments provide novel methods for processing remote-device data messages in a network based on data-message attributes from a remote device management (RDM) system. For instance, the method of some embodiments identifies a set of RDM attributes associated with a data message, and then performs one or more service operations based on identified RDM attribute set.

50 Citations

View as Search Results

20 Claims

1. A non-transitory machine readable medium storing sets of instructions for processing remote-device data messages entering a network, the sets of instructions for:
- receiving, at a virtual private network (VPN) gateway executing on a computer, a data message sent by a remote device through a tunnel that connects the remote device to the network; and
  
  intercepting the data message from an egress path of the VPN gateway as the VPN gateway forwards the data message to the message'"'"'s destination within the network; and
  
  identifying a set of remote device management (RDM) attributes associated with the received data message by retrieving the RDM attribute set from a data storage on the computer that stores different RDM attribute sets for different data message flows; and
  
  based on the RDM attribute set, performing a service operation on the data message;
  
  the sets of instructions for execution by a set of processing units of the computer.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The non-transitory machine readable medium of claim 1 further storing a set of instructions for forwarding the data message to the destination within the network after performing the service operation on the data message.
  - 3. The non-transitory machine readable medium of claim 1, wherein the set of instructions for performing the service operation comprises a set of instructions for discarding the data message when the data message is associated with a first set of RDM attributes.
  - 4. The non-transitory machine readable medium of claim 1, wherein the set of instructions for performing the service operation comprises a set of instructions for performing a load balancing operation on the received data message based on the RDM attribute set.
  - 5. The non-transitory machine readable medium of claim 1, wherein the set of instructions for performing the service operation comprises a set of instructions for using the identified RDM attribute set to identify a service rule that specifies the service operation to perform on the received data message.
  - 6. The non-transitory machine readable medium of claim 5, wherein the set of instructions for using the identified RDM attribute set to identify the service rule comprises a set of instructions for using the identified RDM attribute set to identify a service rule with an RDM attribute set that matches the identified RDM attribute set.
  - 7. The non-transitory machine readable medium of claim 1, wherein the set of instructions for performing the service operation comprises a set of instructions for performing a destination network address translation (DNAT) operation on the received data message based on the RDM attribute set.
  - 8. The non-transitory machine readable medium of claim 1, wherein the set of instructions for performing the service operation comprises a set of instructions for selecting a domain name system (DNS) server based on the RDM attribute set.
  - 9. The non-transitory machine readable medium of claim 8, wherein the set of instructions for selecting a DNS server comprises selecting a DNS server associated with a location with which the remote device is associated.
  - 10. The non-transitory machine readable medium of claim 8, wherein the location is a first location, wherein the set of instructions for selecting the DNS server further comprises a set of instructions for forwarding the data message to the selected DNS server, said DNS server in the first location, the first location being different than a second location at which the DNS server was selected.
  - 11. The non-transitory machine readable medium of claim 1, wherein the RDM attribute set is stored in the data storage for the received data message after the VPN gateway authenticates a request for a VPN session for the received data message'"'"'s flow.
  - 12. The non-transitory machine readable medium of claim 11, wherein the RDM attribute set is stored in the data storage by the VPN gateway.
  - 13. The non-transitory machine readable medium of claim 11, wherein the RDM attribute set is stored in the data storage by an RDM server that authenticates the VPN session request for the VPN gateway.

14. A non-transitory machine readable medium storing sets of instructions for processing remote-device data messages entering a network, the sets of instructions for:
- receiving a data message sent by a remote device;
  
  identifying a set of remote device management (RDM) attributes associated with the received data message; and
  
  based on the RDM attribute set, performing a destination network address translation (DNAT) operation on the received data message by;
  
  (i) determining, based on the RDM attribute set, that the remote device is associated with a first location but is accessing the network at a second location;
  
  (ii) identifying an RDM based rule specifying that remote devices associated with the first location that access the network at the second location have to be directed to network elements in the second location that are segregated from other network elements in the second location for use by remote devices associated with the first location; and
  
  (iii) performing the DNAT operation to direct the data message to one of the segregated network elements;
  
  the sets of instructions for execution by a set of processing units of one computer.

15. A computer comprising:
- a set of processing units for processing instructions;
  
  a memory for storing sets of instructions for processing remote-device data messages entering a network, the sets of instructions for;
  
  establishing, at a VPN gateway executing on the computer, a VPN tunnel with a remote device;
  
  receiving, at the VPN gateway, a data message sent by the remote device through the tunnel;
  
  intercepting the data message from an egress path of the VPN gateway as the VPN gateway forwards the data message to the message'"'"'s destination within the network; and
  
  identifying a set of remote device management (RDM) attributes associated with the data message received from the remote device by retrieving the RDM attribute set from a data storage on the computer that stores different RDM attribute sets for different data message flows; and
  
  based on the identified RDM attribute set, performing a service operation on the remote-device data message.
- View Dependent Claims (16)
- - 16. The computer of claim 15, wherein the service operation is one of a firewall operation, a load balancing operation, a destination network address translation operation, and a domain name system (DNS) operation.

17. A method of processing remote-device data messages entering a network, the method comprising:
- receiving, at a virtual private network (VPN) gateway executed by a set of processing units of a computer, a data message sent by the remote device through a tunnel that connects the remote device to the network; and
  
  intercepting the data message from an egress path of the VPN gateway as the VPN gateway forwards the data message to the message'"'"'s destination within the network; and
  
  identifying a set of remote device management (RDM) attributes associated with the received data message by retrieving the RDM attribute set from a data storage on the computer that stores different RDM attribute sets for different data message flows; and
  
  based on the RDM attribute set, performing a service operation on the data messagewherein said receiving, identifying and performing are executed by the set of processing units of the computer.
- View Dependent Claims (18, 19, 20)
- - 18. The method of claim 17, wherein the RDM attribute set is stored in the data storage for the received data message after the VPN gateway authenticates a request for a VPN session for the received data message'"'"'s flow.
  - 19. The method of claim 18, wherein the RDM attribute set is stored in the data storage by the VPN gateway.
  - 20. The method of claim 18, wherein the RDM attribute set is stored in the data storage by an RDM server that authenticates the VPN session request for the VPN gateway.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Nicira Incorporated (Broadcom, Inc.)
Original Assignee
Nicira Incorporated (Broadcom, Inc.)
Inventors
Jain, Jayant, Sengupta, Anirban, Nimmagadda, Srinivas, Tiagi, Alok S., Kumar, Kausum
Primary Examiner(s)
Zand, Davoud

Application Number

US14/929,402
Publication Number

US 20170063782A1
Time in Patent Office

1,017 Days
Field of Search

709201, 709202, 709203, 709205, 709206, 709207, 709212, 709217, 709218, 709219, 709223, 709225
US Class Current
CPC Class Codes

G06F 16/9024   Graphs; Linked lists G06F16...

H04L 12/4641   Virtual LANs, VLANs, e.g. v...

H04L 41/5045   Making service definitions ...

H04L 61/256   NAT traversal

H04L 61/2571   for identification, e.g. fo...

H04L 61/2585   through application level g...

H04L 63/0236   Filtering by address, proto...

H04L 63/0263   Rule management

H04L 63/0272   Virtual private networks

H04L 63/029   Firewall traversal, e.g. tu...

H04L 63/08   for authentication of entit...

H04L 63/105   Multiple levels of security

H04L 63/20   for managing network securi...

H04L 67/1004   Server selection for load b...

H04L 67/1097   for distributed storage of ...

H04L 69/22   Parsing or analysis of headers

H04W 12/08   Access security

H04W 76/12   Setup of transport tunnels

Distributed VPN gateway for processing remote device management attribute based rules

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

50 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Distributed VPN gateway for processing remote device management attribute based rules

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

50 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links