Systems and methods for secured web application data traffic

US 10,574,444 B2
Filed: 01/22/2018
Issued: 02/25/2020
Est. Priority Date: 01/22/2018
Status: Active Grant

First Claim

Patent Images

1. A system for access to an application of a server, the system comprising:

a device intermediary between a client and a server, the device including at least one hardware processor;

an application manager executable on the device, the application manager configured to provide the client access to an application of the server; and

a service node of the device, the service node configured to;

receive a first request from the client via the application manager, the first request specifying a fully qualified domain name of the server to initiate access to the application, wherein the first request includes a content uniform resource locator (URL) and a prelaunch URL;

send a uniform resource locator (URL) prefix generated by the service node, to a predetermined termination node for secure connection to the server, the URL prefix comprising a key for identifying the predetermined termination node;

receive a client hello message from the client that includes a first field incorporating the URL prefix, and send the client hello message to the predetermined termination node having a wildcard certificate of the server matching a hostname of the first field;

send, responsive to identifying the predetermined termination node using the URL prefix incorporated in the first field, the client hello message to the predetermined termination node to initiate a handshake with the client using the wildcard certificate, for establishing a secure session layer (SSL) channel between the client and the predetermined termination node for a SSL session of the application; and

direct, to the predetermined termination node for decryption, a communication of the SSL session from the client to the predetermined termination node using the established SSL channel, according to the URL prefix incorporated in a server name indication (SNI) field of the communication.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for secured access to cloud-based applications or services include a service node that may receive a request from client including a URL associated with an application manager. The service node may send a URL prefix identifying a termination to the termination node. The service node may receive a client hello message from the client that includes a first field incorporating the URL prefix, and may send the client hello message to the termination node to initiate a handshake with the client using a wildcard certificate of server, for establishing a SSL channel between the client and the termination node for a session of the application. The service node can direct a communication of the session from the client to the predetermined termination node, for decryption, using the established SSL channel, according to the URL prefix incorporated in a server name indication (SNI) field of the communication.

Citations

20 Claims

1. A system for access to an application of a server, the system comprising:
- a device intermediary between a client and a server, the device including at least one hardware processor;
  
  an application manager executable on the device, the application manager configured to provide the client access to an application of the server; and
  
  a service node of the device, the service node configured to;
  
  receive a first request from the client via the application manager, the first request specifying a fully qualified domain name of the server to initiate access to the application, wherein the first request includes a content uniform resource locator (URL) and a prelaunch URL;
  
  send a uniform resource locator (URL) prefix generated by the service node, to a predetermined termination node for secure connection to the server, the URL prefix comprising a key for identifying the predetermined termination node;
  
  receive a client hello message from the client that includes a first field incorporating the URL prefix, and send the client hello message to the predetermined termination node having a wildcard certificate of the server matching a hostname of the first field;
  
  send, responsive to identifying the predetermined termination node using the URL prefix incorporated in the first field, the client hello message to the predetermined termination node to initiate a handshake with the client using the wildcard certificate, for establishing a secure session layer (SSL) channel between the client and the predetermined termination node for a SSL session of the application; and
  
  direct, to the predetermined termination node for decryption, a communication of the SSL session from the client to the predetermined termination node using the established SSL channel, according to the URL prefix incorporated in a server name indication (SNI) field of the communication.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The system of claim 1, wherein the application manager is further configured to:
    - perform authentication for the received first request; and
      
      provide access to the application of the server responsive to the authentication.
  - 3. The system of claim 1, wherein the application manager is further configured to send, responsive to the client initiating access to the published application, a second request to the service node.
  - 4. The system of claim 1, wherein the service node is further configured to:
    - generate a one-time-password (OTP) and the URL prefix, the URL prefix comprising a key for a hash table of the service node corresponding to a value specifying the predetermined termination node; and
      
      send the OTP and URL prefix to the predetermined termination node.
  - 5. The system of claim 4, wherein the service node is further configured to send the OTP and the URL prefix to the client.
  - 6. The system of claim 4, wherein the service node is further configured to identify, according to the hash table of the service node and the URL prefix incorporated in the first field of the client hello message, the predetermined termination node, the first field comprising the server name indication (SNI) field.
  - 7. The system of claim 4, wherein the service node is further configured to send the client hello message to the termination node via a proxy connection between the service node and the predetermined termination node, the client hello message further causing the predetermined termination node to validate using the OTP the client'"'"'s request for establishing the session of the application within the established SSL channel.
  - 8. The system of claim 1, wherein the predetermined termination node has private keys of the server.
  - 9. The system of claim 8, wherein the service node is further configured to bypass decryption of the communication at the service node, wherein the communication is decrypted at the predetermined termination node using the private keys.
  - 10. The system of claim 7, wherein the service node is further configured to forward, via the proxy connection to the client for decryption, a response from the predetermined termination node to the communication.

11. A method for accessing an application of a server, the method comprising:
- providing, by an application manager of a device intermediary between a client and a server, access to the application of the server;
  
  receiving, by a service node of the device via the application manager, a first request from the client specifying a fully qualified domain name of the server, wherein the first request includes a content uniform resource locator (URL) and a prelaunch URL;
  
  sending, by the service node, a uniform resource locator (URL) prefix generated by the service node, to a predetermined termination node for secure connection to the server, the URL prefix comprising a key for identifying the predetermined termination node;
  
  receiving, by the service node, a client hello message from the client that includes a first field, and send the client hello message to the predetermined termination node having a wildcard certificate of the server matching a hostname of the first field;
  
  sending, by the service node responsive to identifying the predetermined termination node using the URL prefix incorporated in the first field, the client hello message to the predetermined termination node to initiate a handshake with the client using the wildcard certificate, for establishing a secure session layer (SSL) channel between the client and the predetermined termination node for a SSL session of the application; and
  
  directing, by the service node to the predetermined termination node for decryption, a communication of the SSL session from the client to the predetermined termination node using the established SSL channel, according to the URL prefix incorporated in a SNI field of the communication.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The method of claim 11, further comprising:
    - performing, by the application manager responsive to the first request, authentication for the received first request; and
      
      providing, by the application manager responsive to the authentication, access to the application of the server.
  - 13. The method of claim 11, further comprising sending, by the application manager responsive to the client initiating access to the published application, a second request to the service node.
  - 14. The method of claim 11, further comprising:
    - generating, by the service node, a one-time-password (OTP) and the URL prefix, the URL prefix comprising a key for a hash table of the service node corresponding to a value specifying the predetermined termination node; and
      
      sending, by the service node, the OTP and URL prefix to the predetermined termination node.
  - 15. The method of claim 14, further comprising sending, by the service node, the OTP and the URL prefix to the client.
  - 16. The method of claim 11, further comprising identifying, by the service node according to the hash table of the service node and the URL prefix incorporated in the first field of the client hello message, the predetermined termination node, the first field comprising a server name indication (SNI) field.
  - 17. The method of claim 14, further comprising sending the client hello message to the termination node via a proxy connection between the service node and the predetermined termination node, the client hello message further causing the predetermined termination node to validate using the OTP the client'"'"'s request for establishing the session of the application within the established SSL channel.
  - 18. The method of claim 11, wherein the predetermined termination node has private keys of the server.
  - 19. The method of claim 18, further comprising bypassing, by the service node, decryption of the communication at the service node, wherein the communication is decrypted at the predetermined termination node using the private keys.
  - 20. The method of claim 17, further comprising forwarding, by the service node via the proxy connection to the client for decryption, a response from the predetermined termination node to the communication.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Citrix Systems, Inc. (Cloud Software Group)
Original Assignee
Citrix Systems, Inc. (Cloud Software Group)
Inventors
Khristi, Keyoor, Agarwal, Mukul, Ganesh, V, Ravi, Singh, Saurabh, Prateek, Vishnu
Primary Examiner(s)
Chang, Kenneth W
Assistant Examiner(s)
Champakesan, Badri

Application Number

US15/876,828
Publication Number

US 20190229900A1
Time in Patent Office

764 Days
Field of Search

726 4
US Class Current
CPC Class Codes

H04L 63/0281   Proxies

H04L 63/0428   wherein the data content is...

H04L 63/0823   using certificates cryptogr...

H04L 63/166   at the transport layer

H04L 67/02   based on web technology, e....

H04L 9/006   involving public key infras...

H04L 9/0825   using asymmetric-key encryp...

H04L 9/0827   involving distinctive inter...

H04L 9/0894   Escrow, recovery or storing...

H04L 9/3228   One-time or temporary data,...

H04L 9/3236   using cryptographic hash fu...

Systems and methods for secured web application data traffic

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for secured web application data traffic

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links