Secure remote access for secured enterprise communications

US 10,454,931 B2
Filed: 01/20/2016
Issued: 10/22/2019
Est. Priority Date: 01/31/2005
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method of securing communications with an enterprise, the method comprising:

initiating a first secured connection between a remote computing device and a VPN appliance associated with an enterprise using service credentials maintained in a secure applet installed on the remote computing device;

initiating communication with the authentication server within an enterprise via the first secured connection;

providing user credentials from the secure applet to the authentication server;

receiving specific credentials from the authentication server based on the user credentials, the specific credentials providing access to one or more computing devices within the enterprise that are within a community of interest accessible by the user, the community of interest including the one or more computing devices and the remote computing device, and obfuscating to the user and the remote computing device one or more other computing systems within the enterprise excluded from the community of interest;

terminating the first secured connection with the VPN appliance;

after terminating the first secured connection, initiating a second secured connection between the remote computing device and the VPN appliance using the specific credentials from the authentication server, the specific credentials including a one-time password used for establishing the second secured connection;

wherein the second secured connection enables communication between the remote computing device and the one or more computing devices within the community of interest via a virtual data relay (vDR) that manages access to the community of interest on behalf of the remote computing device.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems for securing communications with an enterprise from a remote computing system are disclosed. One method includes initiating a secured connection with a VPN appliance associated with an enterprise using service credentials maintained in a secure applet installed on a remote computing device, and initiating communication with an authentication server within an enterprise via the secured connection. The method also includes receiving specific credentials from the authentication server, terminating the secured connection with the VPN appliance, and initiating a second secured connection with the VPN appliance using the specific credentials, the specific credentials providing access to one or more computing devices within the enterprise being within a same community of interest as the remote computing device and obfuscating one or more other computing systems within the enterprise excluded from the community of interest. The method also includes initiating communications with at least one of the one or more computing devices included in the community of interest.

3 Citations

22 Claims

1. A computer-implemented method of securing communications with an enterprise, the method comprising:
- initiating a first secured connection between a remote computing device and a VPN appliance associated with an enterprise using service credentials maintained in a secure applet installed on the remote computing device;
  
  initiating communication with the authentication server within an enterprise via the first secured connection;
  
  providing user credentials from the secure applet to the authentication server;
  
  receiving specific credentials from the authentication server based on the user credentials, the specific credentials providing access to one or more computing devices within the enterprise that are within a community of interest accessible by the user, the community of interest including the one or more computing devices and the remote computing device, and obfuscating to the user and the remote computing device one or more other computing systems within the enterprise excluded from the community of interest;
  
  terminating the first secured connection with the VPN appliance;
  
  after terminating the first secured connection, initiating a second secured connection between the remote computing device and the VPN appliance using the specific credentials from the authentication server, the specific credentials including a one-time password used for establishing the second secured connection;
  
  wherein the second secured connection enables communication between the remote computing device and the one or more computing devices within the community of interest via a virtual data relay (vDR) that manages access to the community of interest on behalf of the remote computing device.
- View Dependent Claims (2, 3, 4, 5, 6, 22)
- - 2. The computer-implemented method of claim 1, further comprising transmitting a session termination message to the authentication server.
  - 3. The computer-implemented method of claim 2, further comprising, after transmitting the session termination message, terminating the second secured connection.
  - 4. The computer-implemented method of claim 1, wherein the community of interest is associated with user credentials received at a secured application installed on the remote computing device.
  - 5. The computer-implemented method of claim 1, wherein the specific credentials include a username and password of a user of the remote computing device.
  - 6. The computer-implemented method of claim 1, wherein the specific credentials are different from the service credentials.
  - 22. The computer-implemented method of claim 1, wherein the one or more computing devices within the enterprise being within a same community of interest as the remote computing device are accessible using the second secured connection between the remote computing device and the VPN appliance, and the one or more computing devices within the enterprise are inaccessible using the first secured connection between the remote computing device and the VPN.

7. A computer-implemented method of securing communications between a remote computing device and an enterprise, the method comprising:
- receiving a request for a secured connection from a remote device at a secure remote access gateway device using a set of service credentials maintained at the remote device;
  
  starting a service virtual data relay useable by the remote device to communicate with an authentication server within the enterprise;
  
  accepting the request for the secured connection at the secure remote access gateway device, thereby establishing a VPN connection between a VPN appliance associated with the secure remote access gateway device and the remote device;
  
  receiving user credentials from the remote device;
  
  providing user credentials to the authentication server within the enterprise;
  
  receiving specific credentials from the authentication server based on the user credentials, the specific credentials providing access to one or more computing devices within the enterprise that are within a community of interest accessible by the user, the community of interest including the one or more computing devices and the remote computing device, and obfuscating to the user and the remote computing device one or more other computing systems within the enterprise excluded from the community of interest;
  
  providing the specific credentials to the remote device;
  
  receiving a request from the remote device to terminate the secured connection;
  
  terminating the service virtual data relay;
  
  after terminating the service virtual data relay, receiving a request from the remote device to initiate a second secured connection from the remote device at the secure remote access gateway device using the specific credentials;
  
  starting a device-specific virtual data relay useable by the remote computing device to communicate with the one or more computing systems within the enterprise, the device-specific virtual data relay being provided with a community of interest key associated with the community of interest by the authentication server; and
  
  accepting the request for the second secured connection, thereby allowing the remote computing device to initiate communications with at least one of the one or more computing devices included in the community of interest without requiring communication of the community of interest key to the remote device.
- View Dependent Claims (8, 9, 10)
- - 8. The computer-implemented method of claim 7, further comprising receiving a request to terminate the second secured connection from the remote computing device.
  - 9. The computer-implemented method of claim 8, further comprising, in response to the request to terminate the second secured connection, terminating the device-specific virtual data relay.
  - 10. The computer-implemented method of claim 8, further comprising maintaining service credentials associated with a service community of interest.

11. A system enabling secured communications with an enterprise, the system comprising:
- a secure remote access gateway device operable as an intermediary between a remote device and one or more computing devices within an enterprise, the secure remote access gateway device configured to execute program instructions to;
  
  receive a request for a secured connection from a remote device using a set of service credentials maintained at the remote device;
  
  start a service virtual data relay useable by the remote device to communicate with an authentication server within the enterprise;
  
  accept the request for the secured connection at the secure remote access gateway device, thereby establishing a VPN connection between a VPN appliance associated with the secure remote access gateway device and the remote device;
  
  receive user credentials from the remote device;
  
  provide user credentials to the authentication server within the enterprise;
  
  receive specific credentials from the authentication server based on the user credentials, the specific credentials providing access to one or more computing devices within the enterprise that are within a community of interest accessible by the user, the community of interest including the one or more computing devices and the remote computing device, and obfuscating to the user and the remote computing device one or more other computing systems within the enterprise excluded from the community of interest;
  
  provide the specific credentials to the remote device;
  
  receive a request from the remote device to terminate the secured connection;
  
  terminate the service virtual data relay;
  
  after terminating the service virtual data relay, receive a request from the remote device to initiate a second secured connection from the remote device at the secure remote access gateway device using the specific credentials;
  
  start a device-specific virtual data relay useable by the remote computing device to communicate with the one or more computing systems within the enterprise, the device-specific virtual data relay being provided with a community of interest key associated with the community of interest by the authentication server; and
  
  accept the request for the second secured connection, thereby allowing the remote computing device to initiate communications with at least one of the one or more computing devices included in the community of interest without requiring communication of the community of interest key to the remote device.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20, 21)
- - 12. The system of claim 11, wherein the secure remote access gateway device is communicatively connected to the remote device.
  - 13. The system of claim 12, further comprising a remote device communicatively connected to the secure remote access gateway device.
  - 14. The system of claim 13, further comprising an authorization server maintained within the enterprise.
  - 15. The system of claim 14, further comprising one or more servers maintained within the enterprise, the one or more servers included within a common community of interest with the remote device and communicatively accessible by the remote device via the secure remote access gateway device.
  - 16. The system of claim 11, wherein the remote computing device includes at least partially non-trusted content received from external to the enterprise.
  - 17. The system of claim 11, wherein the remote computing device includes an applet configured to manage secure communications with the secure remote access gateway device.
  - 18. The system of claim 11, wherein the remote computing device is a member of a second community of interest different from the community of interest, the second community of interest including devices external to the enterprise.
  - 19. The system of claim 12, wherein the remote computing device is assigned an endpoint mode selected from among a collection of endpoint modes consisting of:
    - an enterprise workstation mode;
      
      an enterprise server mode;
      
      a roaming workstation mode;
      
      a remote office workstation mode;
      
      a remote office server mode; and
      
      an isolated endpoint mode.
  - 20. The system of claim 12, wherein the remote computing device is assigned one or more filters, each filter of the one or more filters defining a list of computing devices with which the remote computing device is authorized to communicate.
  - 21. The system of claim 12, wherein communication between the remote computing device and the one or more computing devices within the enterprise is routed through the device-specific virtual data relay.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Unisys Corporation
Original Assignee
Unisys Corporation
Inventors
Hinaman, Ted, Rajcan, Steven J, Mohr, Matthew, Gunn, William, Inforzato, Sarah K, Johnson, Robert A, Small, Gregory J, Dodgson, David S
Primary Examiner(s)
Patel, Ashokkumar B
Assistant Examiner(s)
Jones, William B

Application Number

US15/001,354
Publication Number

US 20170208038A1
Time in Patent Office

1,371 Days
Field of Search

726 4
US Class Current
CPC Class Codes

H04L 12/4641   Virtual LANs, VLANs, e.g. v...

H04L 63/0272   Virtual private networks

H04L 63/029   Firewall traversal, e.g. tu...

H04L 63/083   using passwords cryptograph...

H04L 63/0884   by delegation of authentica...

H04L 63/104   Grouping of entities

H04W 12/06   Authentication

H04W 72/04   Wireless resource allocation

H04W 88/16   Gateway arrangements

Secure remote access for secured enterprise communications

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

3 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Secure remote access for secured enterprise communications

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

3 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links