Active directory bridging of external network resources

US 10,498,583 B1
Filed: 03/04/2019
Issued: 12/03/2019
Est. Priority Date: 03/04/2019
Status: Active Grant

First Claim

Patent Images

1. An Active Directory Bridge system for joining an external network resource to an internal network, the system comprising:

an Active Directory (AD) Bridge Gateway device residing in a first network, the AD Bridge Gateway device including a memory and a processor;

an AD Bridge Gatekeeper device residing in a second network, the second network external to the first network, the AD Bridge Gatekeeper device in networked communication with the AD Bridge Gateway device; and

an AD Bridge Agent residing on an external network resource in a third network, the third network external to the second network and to the first network, the external network resource unable to directly join the first network;

wherein the AD Bridge Gateway device processor is configured to;

validate credentials received from the AD Bridge Agent through the AD Bridge Gatekeeper device at the AD Bridge Gateway device;

generate a registration token for the AD Bridge Agent based on the validated credentials;

generate a reference object based on the registration token; and

provide the reference object to a domain controller to join the external network resource to the first network.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An Active Directory Bridge (AD Bridge) provides the ability to register, represent, and manage external network resources on an internal network. The external network resources may include cloud resources, such as Internet of Things (IoT) devices, Software-as-a-Service applications (SaaS apps), cloud-hosted virtual machines (VMs), cloud-hosted computers, and other networked cloud resources. The external network resources may be unable to communicate directly with or join the internal network due to various network connection obstacles. The AD Bridge includes an AD Bridge Gateway, an AD Bridge Gatekeeper, and an AD Bridge Agent. The AD Bridge Agent resides on each external network resource, and provides the connection of the host external network resource through the AD Bridge Gatekeeper and through the AD Bridge Gateway to the internal network. The AD Bridge provides the ability to register, represent, and manage these external network resources on an internal network.

Citations

20 Claims

1. An Active Directory Bridge system for joining an external network resource to an internal network, the system comprising:
- an Active Directory (AD) Bridge Gateway device residing in a first network, the AD Bridge Gateway device including a memory and a processor;
  
  an AD Bridge Gatekeeper device residing in a second network, the second network external to the first network, the AD Bridge Gatekeeper device in networked communication with the AD Bridge Gateway device; and
  
  an AD Bridge Agent residing on an external network resource in a third network, the third network external to the second network and to the first network, the external network resource unable to directly join the first network;
  
  wherein the AD Bridge Gateway device processor is configured to;
  
  validate credentials received from the AD Bridge Agent through the AD Bridge Gatekeeper device at the AD Bridge Gateway device;
  
  generate a registration token for the AD Bridge Agent based on the validated credentials;
  
  generate a reference object based on the registration token; and
  
  provide the reference object to a domain controller to join the external network resource to the first network.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The system of claim 1, the AD Bridge Gateway device processor further configured to:
    - receive an AD request from an Active Directory domain; and
      
      provide a gateway response to the Active Directory domain in response to the AD request, the gateway response confirming a file system access for the AD Bridge Agent.
  - 3. The system of claim 2, the AD Bridge Gateway device processor further configured to:
    - forward the AD request to a gatekeeper router on the AD Bridge Gatekeeper device; and
      
      receive a validated response from the AD Bridge Gatekeeper device.
  - 4. The system of claim 3, wherein:
    - an agent key generator generates a public key based on an agent security certificate;
      
      a gatekeeper agent identity database generates an agent identity based on the public key;
      
      an agent public key is generated by the gatekeeper router based on the agent identity; and
      
      the validated response is generated by the AD Bridge Gatekeeper device based on the agent public key.
  - 5. The system of claim 3, wherein:
    - the agent key generator generates a private key based on the agent security certificate;
      
      an agent controller generates an agent controller response based on a router request received from the gatekeeper router;
      
      an agent response signer generates a signed response based on the private key and the agent controller response; and
      
      the gatekeeper response signature validation provides the gateway response in response to receiving the signed response.
  - 6. The system of claim 1, wherein:
    - the AD Bridge Gatekeeper device is in networked communication with the AD Bridge Gateway device through a first network boundary;
      
      the AD Bridge Agent is in networked communication with the AD Bridge Gatekeeper device through a second network boundary; and
      
      the first network boundary provides greater network security than the second network boundary.
  - 7. The system of claim 6, wherein the first network boundary includes a network perimeter device to prohibit at least a portion of network traffic traversing the first network boundary.
  - 8. The system of claim 6, wherein the AD Bridge Gatekeeper device is in networked communication with the AD Bridge Gateway device without requiring a virtual private network.
  - 9. The system of claim 1, wherein the external network resource includes at least one of an Internet of Things device, a Software-as-a-Service application, a cloud-hosted virtual machine, and a cloud-hosted computer.

10. An Active Directory Bridge method for joining an external network resource to an internal network, the method comprising:
- validating credentials at an Active Directory (AD) Bridge Gateway device, the credential received from an AD Bridge Agent on an external resource through an AD Bridge Gatekeeper device;
  
  generating a registration token for the AD Bridge Agent based on the validated credentials;
  
  generating a reference object based on the registration token; and
  
  providing the reference object to a domain controller to join the external network resource to the first network;
  
  wherein;
  
  the AD Bridge Gateway device resides in a first network;
  
  the AD Bridge Gatekeeper device resides in a second network, the second network external to the first network, the AD Bridge Gatekeeper device in networked communication with the AD Bridge Gateway device; and
  
  the AD Bridge Agent resides in a third network, the third network external to the second network and to the first network, the external network resource unable to directly join the first network.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The method of claim 10, the method further including:
    - receiving an AD request from an Active Directory domain; and
      
      providing a gateway response to the Active Directory domain in response to the AD request, the gateway response confirming a file system access for the AD Bridge Agent.
  - 12. The method of claim 11, the method further including:
    - forwarding the AD request to a gatekeeper router on the AD Bridge Gatekeeper device; and
      
      receiving a validated response from the AD Bridge Gatekeeper device.
  - 13. The method of claim 12, the method further including:
    - generating a public key at an agent key generator based on an agent security certificate;
      
      generating an agent identity at a gatekeeper agent identity database based on the public key;
      
      generating an agent public key at the gatekeeper router based on the agent identity; and
      
      generating the validated response at the AD Bridge Gatekeeper device based on the agent public key.
  - 14. The method of claim 12, wherein:
    - generating a private key at the agent key generator based on the agent security certificate;
      
      generating an agent controller response at an agent controller based on a router request received from the gatekeeper router;
      
      generating a signed response at an agent response signer based on the private key and the agent controller response; and
      
      providing the gateway response by the gatekeeper response signature validation in response to receiving the signed response at the gatekeeper response signature validation.
  - 15. The method of claim 10, wherein:
    - the AD Bridge Gatekeeper device is in networked communication with the AD Bridge Gateway device through a first network boundary;
      
      the AD Bridge Agent is in networked communication with the AD Bridge Gatekeeper device through a second network boundary; and
      
      the first network boundary provides greater network security than the second network boundary.
  - 16. The method of claim 15, wherein the first network boundary includes a network perimeter device to prohibit at least a portion of network traffic traversing the first network boundary.
  - 17. The method of claim 15, wherein the AD Bridge Gatekeeper device is in networked communication with the AD Bridge Gateway device without requiring a virtual private network.
  - 18. The method of claim 10, wherein the external network resource includes at least one of an Internet of Things device, a Software-as-a-Service application, a cloud-hosted virtual machine, and a cloud-hosted computer.

19. At least one non-transitory machine-readable storage medium, comprising a plurality of instructions that, responsive to being executed with processor circuitry of a computer-controlled device, cause the computer-controlled device to:
- validate credentials at an Active Directory (AD) Bridge Gateway device, the credential received from an AD Bridge Agent on an external resource through an AD Bridge Gatekeeper device;
  
  generate a registration token for the AD Bridge Agent based on the validated credentials;
  
  generate a reference object based on the registration token; and
  
  provide the reference object to a domain controller to join the external network resource to the first network;
  
  wherein;
  
  the AD Bridge Gateway device resides in a first network;
  
  the AD Bridge Gatekeeper device resides in a second network, the second network external to the first network, the AD Bridge Gatekeeper device in networked communication with the AD Bridge Gateway device; and
  
  the AD Bridge Agent resides in a third network, the third network external to the second network and to the first network, the external network resource unable to directly join the first network.
- View Dependent Claims (20)
- - 20. The non-transitory machine-readable storage medium of claim 19, the instructions further causing the computer-controlled device to:
    - receive an AD request from an Active Directory domain; and
      
      provide a gateway response to the Active Directory domain in response to the AD request, the gateway response confirming a file system access for the AD Bridge Agent.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
FullArmor Corporation
Original Assignee
FullArmor Corporation
Inventors
Davis, Charles A., Kim, Danny, Manlief, Michael Hilton, Dixson-Boles, Christopher Ryan
Primary Examiner(s)
Poltorak, Piotr

Application Number

US16/291,920
Time in Patent Office

274 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 2009/45595   Network integration; Enabli...

G06F 9/45558   Hypervisor-specific managem...

H04L 12/66   Arrangements for connecting...

H04L 41/046   comprising network manageme...

H04L 63/0263   Rule management

H04L 63/0281   Proxies

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0823   using certificates cryptogr...

H04L 9/0825   using asymmetric-key encryp...

H04L 9/3213   using tickets or tokens, e....

H04W 12/009   specially adapted for netwo...

Active directory bridging of external network resources

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Active directory bridging of external network resources

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links