Access and control system for network-enabled devices

US 20030191848A1
Filed: 11/19/2002
Published: 10/09/2003
Est. Priority Date: 12/02/1999
Status: Active Grant

First Claim

Patent Images

1. A system for remote communications between private users through a public network while providing seamless, firewall-compliant connectivity, said system comprising:

a first computer connectable to the public network over a first secure channel through a first firewall element, said first firewall element adapted to protect said first computer from hostile intrusion from the public network;

a second computer connectable to the public network over a second secure channel through a second firewall element, said second firewall element adapted to protect said second computer from hostile intrusion from the public network; and

a connection server operatively coupled to the public network, said connection server including means for forming a first, secure, firewall compliant connection with said first computer, and means for forming a second, secure, firewall compliant connection with said second computer, means for sending communications received from said first computer to said second computer while maintaining second firewall compliance, and means for sending communications received from said second computer to said first computer while maintaining first firewall compliance.

View all claims

13 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for remote access of network-enabled devices that provide seamless, firewall-compliant connectivity between multiple users and multiple devices, that allow collaborative operations by multiple users of remote devices, that allow point to multipoint control of multiple devices and which allow rapid, secure transmission of data between remote users and devices. In general terms, the system includes at least one connection server, and at least two computers operatively coupled to the connection server via a public or global network. In an example where at least one client computer is operatively connected to at least one network-enabled device through a connection server via the public or global network, the connection server is configured to route control instructions from the client to the network-enabled device, and route data from the network-enabled device to the client.

Citations

127 Claims

1. A system for remote communications between private users through a public network while providing seamless, firewall-compliant connectivity, said system comprising:
- a first computer connectable to the public network over a first secure channel through a first firewall element, said first firewall element adapted to protect said first computer from hostile intrusion from the public network;
  
  a second computer connectable to the public network over a second secure channel through a second firewall element, said second firewall element adapted to protect said second computer from hostile intrusion from the public network; and
  
  a connection server operatively coupled to the public network, said connection server including means for forming a first, secure, firewall compliant connection with said first computer, and means for forming a second, secure, firewall compliant connection with said second computer, means for sending communications received from said first computer to said second computer while maintaining second firewall compliance, and means for sending communications received from said second computer to said first computer while maintaining first firewall compliance.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27)
- - 2. The system of claim 1, wherein said first and second firewall elements use different criteria for restriction of communications traffic therethrough.
  - 3. The system of claim 1, wherein said first computer comprises a client computer and said second computer comprises a device control computer, said system further comprising at least one network-enabled device privately networked to said device control computer behind said second firewall element.
  - 4. The system of claim 1, wherein said first computer comprises a first client computer and said second computer comprises a second client computer.
  - 5. The system of claim 1, wherein said first computer comprises a first device control computer and said second computer comprises a second device control computer, said system further comprising at least one first network-enabled device privately networked to said first device control computer behind said first firewall element, and at least one second network-enabled device privately networked to said second device control computer behind said second firewall element.
  - 6. The system of claim 1, wherein said first computer is connected to a first private network behind said first firewall element, and said second computer is connected to a second private network behind said second firewall element.
  - 7. The system of claim 1, wherein said connection server is located within a private network that is operatively coupled to the public network via a third firewall element.
  - 8. The system of claim 2, further comprising at least a second client computer, wherein at least two said client computers may simultaneously establish connection to said at least one network-enabled device through said connection server and said device control computer for simultaneous, collaborative use of said at least one network-enabled device.
  - 9. The system of claim 1, further comprising at least a third computer connectable to the public network through a third firewall element, said third firewall element adapted to protect said third computer from hostile intrusion from the public network, wherein at least three of said computers may simultaneously establish secure connections with each other through said connection server for simultaneous, collaborative communications therebetween, wherein communications sent and received by said first computer are first firewall compliant, communications sent and received by said second computer are second firewall compliant, and communications sent and received by said third computer are third firewall compliant.
  - 10. The system of claim 9, wherein at least two of said first, second and third firewall elements use different criteria for restriction of communications traffic therethrough.
  - 11. The system of claim 1, wherein said connection server comprises means for authorizing a secure connection with said first computer, wherein said means for authorizing a secure connection with said first computer is adapted to receive authentication data from said first computer and to determine whether said authentication data verifies a user of said first computer, and wherein said second, secure, firewall compliant connection with said second computer is made according to instructions received from said first computer, only after said first firewall compliant connection with said first computer is made and said first computer user has been verified.
  - 12. The system of claim 11, wherein said authentication data is encrypted, and said connection server further comprises means for decrypting said authentication data.
  - 13. The system of claim 11, wherein said connection server further comprises means for determining whether or not said authentication data has been altered during transmission from said first computer to said connection server.
  - 14. The system of claim 11, wherein said connection server further comprises means for preparing and verifying encryption keys for the user of the first computer when said first computer user has been verified.
  - 15. The system of claim 1, wherein said connection server comprises means for authorizing a connection with said second computer, wherein said means for authorizing a connection with said second computer is adapted to receive authentication data from said second computer and to determine whether said authentication data verifies a user of said second computer, and wherein said first firewall compliant connection with said first computer is made according to instructions received from said second computer, only after said second firewall compliant connection with said second computer is made and said second computer user has been verified.
  - 16. The system of claim 15, wherein said authentication data is encrypted, and said connection server further comprises means for decrypting said authentication data.
  - 17. The system of claim 15, wherein said connection server further comprises means for determining whether or not said authentication data has been altered during transmission from said second computer to said connection server.
  - 18. The system of claim 15, wherein said connection server further comprises means for preparing and verifying encryption keys for the user of the second computer when said second computer user has been verified.
  - 19. The system of claim 1, wherein said connection server establishes a full duplex connection between said first and second computers.
  - 20. The system of claim 8, wherein said connection server establishes full duplex connections between at least said client computers and said device control computer.
  - 21. The system of claim 9, wherein said connection server establishes full duplex connection among said at least three computers.
  - 22. The system of claim 1, further comprising a distributed control infrastructure coupled to the private network, wherein said connection server operates as a primary connection server, said distributed control infrastructure further comprising at least one secondary connection server operatively coupled to said primary connection server.
  - 23. The system of claim 22, wherein said primary connection server comprises a load balancing algorithm adapted to assign communications, initiated by said first or second computer, to one of said at least one secondary connection servers.
  - 24. The system of claim 22, wherein said distributed control infrastructure is scalable such that connection servers may be added or taken away from said distributed control infrastructure based upon a number of computers to be connected and characteristics of communications to be directed between said computers.
  - 25. The system of claim 22, wherein said distributed control infrastructure further comprises at least one database operatively coupled to each of said connection servers.
  - 26. The system of claim 25, wherein said distributed control infrastructure comprises a plurality of said databases, wherein said connection servers are adapted to store data related to users of said computers in said databases and to store data relating to the operation of remote devices which are operably coupled to at least one of said computers.
  - 27. The system of claim 26, wherein said stored data may be accessed by users through said computers.

28. A system for remote communications between private users through a public network while providing seamless, firewall-compliant connectivity, said system comprising:
- a client computer securely connectable to the public network through a first firewall element, said first firewall element adapted to protect said client computer from hostile intrusion from the public network;
  
  a device control computer securely connectable to the public network through a second firewall element, and at least one network-enabled device privately networked to said device control computer, said second firewall element adapted to protect said device control computer and said at least one network-enabled device from hostile intrusion from the public network; and
  
  at least one connection server operatively coupled to the public network, said at least one connection server including means for forming a secure, first firewall compliant connection with said client computer, and means for forming a secure, second firewall compliant connection with said device control computer and said at least one network-enabled device, means for sending communications from said client computer to said at least one network-enabled device via said device control computer while maintaining second firewall compliance, and means for sending communications from said at least one network-enabled device, received from said device control computer, to said client computer while maintaining first firewall compliance.
- View Dependent Claims (29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 66)
- - 29. The system of claim 28, wherein said first and second firewall elements use different criteria for restriction of communications traffic therethrough.
  - 30. The system of claim 28, wherein said communications from said client computer comprise user instructions for said at least one network-enabled device.
  - 31. The system of claim 28, wherein said communications from said at least one network-enabled device comprise data characterizing an operating state of said at least one network-enabled device.
  - 32. The system of claim 28, wherein a full duplex connection is established between said client computer and each said at least one network-enabled device.
  - 33. The system of claim 28, wherein said client computer is connected to a first private network behind said first firewall element, and said device control computer is connected to a second private network behind said second firewall element.
  - 34. The system of claim 33, further comprising at least one additional client computer connected to said first private network, wherein said at least one connection server is capable of establishing full duplex communications between a plurality of said client computers and said at least one network-enabled device via said device control computer.
  - 35. The system of claim 33, further comprising at least one additional client computer connected to a third private network behind a third firewall element, wherein said at least one connection server further comprises means for forming a secure, third firewall compliant connection with said at least one additional client computer, means for sending communications from said client computer to said at least one network-enabled device via said device control computer while maintaining second firewall compliance and to said at least one additional client computer while maintaining third firewall compliance, means for sending communications from said at least one network-enabled device, received from said device control computer, to said client computer while maintaining first firewall compliance and to said at least one additional client computer while maintaining third firewall compliance, and means for sending communications from said at least one additional client computer to said at least one network-enabled device, via said device control computer, while maintaining second firewall compliance and to said client computer while maintaining first firewall compliance.
  - 36. The system of claim 35, wherein at least two of said first, second and third firewall elements use different criteria for restriction of communications traffic therethrough.
  - 37. The system of claim 33, further comprising at least one additional device control computer connected to said second private network, and at least one additional network-enabled device connected to said at least one additional device control computer wherein said at least one connection server is capable of establishing full duplex communications between said client computer, said device control computer and said at least one additional device control computer, enabling simultaneous point-to-multipoint instructions to be provided by said client computer to said network-enabled devices.
  - 38. The system of claim 33, further comprising at least one additional device control computer connected to a third private network and at least one additional network-enabled device connected to said at least one additional device control computer behind a third firewall element, wherein said at least one connection server further comprises means for forming a secure, third firewall compliant connection with said at least one additional device control computer, means for sending communications from said client computer to said at least one network-enabled device via said device control computer while maintaining second firewall compliance and to said at least one additional device control computer while maintaining third firewall compliance, means for sending communications from said at least one network-enabled device, received from said device control computer, to said client computer while maintaining first firewall compliance and to said at least one additional device control computer while maintaining third firewall compliance, and means for sending communications from said at least one additional device control computer to said at least one network-enabled device, via said device control computer, while maintaining second firewall compliance and to said client computer while maintaining first firewall compliance.
  - 39. The system of claim 38, wherein at least two of said first, second and third firewall elements use different criteria for restriction of communications traffic therethrough.
  - 40. The system of claim 38, wherein said at least one connection server is capable of establishing full duplex communications between said client computer, said device control computer and said at least one additional device control computer, enabling simultaneous point-to-multipoint instructions to be provided by said client computer to said network-enabled devices.
  - 41. The system of claim 40, further comprising at least one additional client computer in a fourth private network protected by a fourth firewall, wherein said at least one connection server is capable of establishing full duplex communications between said client computers and said device control computers, while maintaining all firewall compliances, enabling real-time collaborative control of said network-enabled devices by users of said client computers.
  - 42. The system of claim 28, wherein said at least one connection server is located within a private network that is operatively coupled to the public network via a third firewall element.
  - 43. The system of claim 28, wherein said at least one connection server comprises a plurality of said connection servers networked within a distributed control infrastructure, wherein a first of said connection servers operates as a primary connection server, and the remainder of said plurality of connection servers operate secondarily to said primary connection server.
  - 44. The system of claim 43, wherein said primary connection server comprises a load balancing algorithm adapted to assign communications, initiated by said client control computer or said device control computer, to a secondary connection server.
  - 45. The system of claim 43, wherein said distributed control infrastructure is scalable such that connection servers may be added or taken away from said distributed control infrastructure based upon a number of computers to be connected and characteristics of communications to be directed between said computers.
  - 46. The system of claim 43, wherein said distributed control infrastructure further comprises at least one database operatively coupled to each of said connection servers.
  - 47. The system of claim 46, wherein said distributed control infrastructure comprises a plurality of said databases, wherein said connection servers are adapted to store data related to users of said computers in said databases and to store data relating to the operation of said network-enabled devices which are operably coupled to said device control computer.
  - 48. The system of claim 47, wherein said stored data may be accessed by users through said computers.
  - 49. The system of claim 28, wherein said at least one connection server comprises a plurality of said connection servers networked within a distributed control infrastructure, said distributed control infrastructure further including a security server operatively coupled to said plurality of connection servers, and wherein a plurality of said client computers are operably connectable to said security server and said device control computer is operably connectable to said security server.
  - 50. The system of claim 49, further comprising a plurality of said device control computers, each having at least one network-enabled device connected thereto, each said device control computer being operably connectable to said security server.
  - 51. The system of claim 28, wherein said at least one connection server comprises a plurality of said connection servers networked within a distributed control infrastructure, said distributed control infrastructure further including a security server operatively coupled to said plurality of connection servers, and wherein a plurality of said device control computers, each having at least one network-enabled device connected thereto, are operably connectable to said security server and said client computer is operably connectable to said security server.
  - 52. The system of claim 50, wherein said security server comprises means for authorizing a connection with any of one said client and device control computers upon receiving contact from said client computer or device control computer, wherein said means for authorizing a connection with said client computer or device control computer is adapted to receive authentication data from said client computer or device control computer and to determine whether said authentication data verifies a user of said client computer or device control computer.
  - 53. The system of claim 52, wherein said contact from said client computer or device control computer comprises an HTTP request.
  - 54. The system of claim 53, wherein said HTTP request contains embedded user authentication data.
  - 55. The system of claim 54, wherein said embedded user authentication data is encrypted, and said security server further comprises means for decrypting said encrypted authentication data.
  - 56. The system of claim 52, wherein said security server further comprises means for determining whether or not said authentication data has been altered during transmission from said client computer or device control computer to said connection server.
  - 57. The system of claim 52, wherein said security server further comprises means for preparing and verifying encryption keys for the user of the computer from which the authentication data was received, when said computer user has been verified.
  - 58. The system of claim 52, wherein said security server further comprises means for assigning a said client computer or device control computer to one of said connection servers when said computer user has been verified.
  - 59. The system of claim 52, wherein said security server comprises a load balancing algorithm adapted to assign communications, initiated by said client control computer or said device control computer, to one of said connection servers when said client control computer or said device control computer has been verified.
  - 60. The system of claim 59, wherein said load balancing algorithm assigns the communications based on at least one of user type, session type, availability of said connection servers and relative current workload of said connection servers.
  - 61. The system of claim 59, wherein said load balancing algorithm assigns the communications based on user type, session type, availability of said connection servers and relative current workload of said connection servers.
  - 62. The system of claim 59, wherein said security server further comprises means for establishing a connection with at least another of said client computers and device control computers, after said assignment of communications to one of said connection servers.
  - 63. The system of claim 62, wherein said security server establishes connections with at least one other of said client computers and device control computers as requested by the verified computer.
  - 64. The system of claim 62, wherein said distributed control infrastructure establishes full duplex connections between said verified computer and said at least one other of said client computer and device control computers.
  - 65. The system of claim 49, wherein said distributed control infrastructure further comprises a plurality of databases operatively coupled to each of said connection servers.
  - 66. The system of claim 62, wherein said distributed control infrastructure further comprises at least one database operatively coupled to the assigned connection server, and wherein communications between said verified computer and said at least one other of said client computers and device control computers are stored in said at least one database, to provide access to other authorized users or the verified computer user at a later time.

67. A distributed control structure providing for secure transmission of communications over a public network between two or more computers protected by two or more firewall elements using different criteria for restriction of communications traffic therethrough, said distributed control structure comprising:
- at least one connection server operatively coupled to the public network, said at least one connection server including means for forming a first firewall compliant connection with a first of the computers, means for forming a second firewall compliant connection with a second of the computers, means for sending communications from the first computer to the second computer while maintaining second firewall compliance, and means for sending communications from the second computer to the first computer while maintaining first firewall compliance.
- View Dependent Claims (68, 69, 70, 71, 72, 73, 74, 75, 76, 77, 78, 79, 80, 81, 82, 83, 84, 85, 86, 87, 88, 89, 90)
- - 68. The distributed control structure of claim 67, wherein a full duplex connection is established between the first and second computers.
  - 69. The distributed control structure of claim 67, wherein said at least one connection server is located within a private network that is operatively coupled to the public network via a connection server firewall element.
  - 70. The distributed control structure of claim 67, wherein said at least one connection server is configured to operatively connect with a plurality of client computers as well as a plurality of device control computers, each having at least one network-enabled device connected thereto.
  - 71. The distributed control structure of claim 67, wherein said at least one connection server comprises a plurality of said connection servers networked within said distributed control structure, wherein a first of said connection servers operates as a primary connection server, and the remainder of said plurality of connection servers operate secondarily to said primary connection server.
  - 72. The distributed control structure of claim 71, wherein said distributed control structure is configured to operatively connect with a plurality of client computers as well as a plurality of device control computers, each having at least one network-enabled device connected thereto.
  - 73. The distributed control structure of claim 71, wherein said primary connection server comprises a load balancing algorithm adapted to assign communications, initiated by one of the computers, to a secondary connection server.
  - 74. The distributed control structure of claim 71, further comprising at least one database operatively coupled to each of said connection servers.
  - 75. The distributed control structure of claim 71, further comprising a plurality of databases operatively coupled to each of said connection servers, wherein said connection servers are adapted to store data related to users of the computers and to the computers in said databases and to network-enabled devices connected to the computers.
  - 76. The distributed control structure of claim 67, wherein said at least one connection server comprises a plurality of said connection servers networked within said distributed control structure, and a security server operatively coupled to said plurality of connection servers, and wherein said distributed control structure is configured to operatively connect with a plurality of client computers as well as a plurality of device control computers, each having at least one network-enabled device connected thereto.
  - 77. The distributed control structure of claim 76, wherein said security server comprises means for authorizing a connection with any of one the client and device control computers upon receiving contact from the client computer or device control computer, wherein said means for authorizing a connection with the client computer or device control computer is adapted to receive authentication data from the client computer or device control computer and to determine whether the authentication data verifies a user of the client computer or device control computer.
  - 78. The distributed control structure of claim 77, wherein said security server is adapted to receive contact from the client computer or device control computer in the form of an HTTP request.
  - 79. The distributed control structure of claim 78, wherein said security server is adapted to separate authentication data embedded in an HTTP request received from the client computer or device control computer.
  - 80. The distributed control structure of claim 77, wherein said security server further comprises means for decrypting encrypted authentication data.
  - 81. The distributed control structure of claim 77, wherein said security server further comprises means for determining whether or not authentication data received has been altered during transmission from the client computer or device control computer to said security server.
  - 82. The distributed control structure of claim 77, wherein said security server further comprises means for preparing and verifying encryption keys for the user of the computer from which the authentication data was received, when the computer user has been verified.
  - 83. The distributed control structure of claim 77, wherein said security server further comprises means for assigning the client computer or device control computer to one of said connection servers when the computer user has been verified.
  - 84. The distributed control structure of claim 77, wherein said security server comprises a load balancing algorithm adapted to assign communications, initiated by the client control computer or the device control computer, to one of said connection servers when the client control computer or the device control computer has been verified.
  - 85. The distributed control structure of claim 84, wherein said load balancing algorithm assigns the communications based on at least one of user type, session type, availability of said connection servers and relative current workload of said connection servers.
  - 86. The distributed control structure of claim 84, wherein said load balancing algorithm assigns the communications based on user type, session type, availability of said connection servers and relative current workload of said connection servers.
  - 87. The distributed control structure of claim 84, wherein said security server further comprises means for establishing a connection with at least another of the client computers and device control computers, after said assignment of communications to one of said connection servers.
  - 88. The distributed control structure of claim 87, wherein said security server establishes connections with at least one other of the client computers and device control computers as requested by the verified computer.
  - 89. The distributed control structure of claim 88, wherein full duplex connections are established between the verified computer and the at least one other of the client computers and device control computers.
  - 90. The distributed control structure of claim 76, further comprising a plurality of databases operatively coupled to each of said connection servers.

91. A method of establishing a private-to-public-to-private communications tunnel, wherein at least the private addresses of the communications tunnel are firewall protected, said method comprising:
- authenticating a first computer having a first, firewall protected private address;
  
  creating a first firewall compliant connection between a publicly addressed connection server and said first computer upon authentication of said first computer;
  
  establishing a second firewall compliant connection between said publicly addressed connection server and a second computer having a second firewall protected private address; and
  
  establishing the private-to-public-to-private communications tunnel, wherein said connection server routes communications from said first computer through said first firewall compliant connection and said second firewall compliant connection to said second computer, and from said second computer through said second firewall compliant connection and said first firewall compliant connection to said first computer.
- View Dependent Claims (92, 93, 94, 95, 96, 97, 98, 99, 100)
- - 92. The method of claim 91, wherein said first computer is a client computer and said second computer is a device control computer, said device control computer being operably connected to at least one network-enabled device, wherein said communications from said first computer to said second computer include control instructions for operating said at least one network-enable device, and wherein said communications from said second computer to said first computer include data received by said second computer from said at least one network-enabled device.
  - 93. The method of claim 91, wherein said communications comprises HTTP requests and responses, said HTTP requests and responses being compliant with said first or second firewall associated with said first or second computer to which the communications are directed.
  - 94. The method of claim 91, wherein said authenticating comprises receiving a request from said first computer, said request including user authentication data;
    - and verifying whether or not the authentication data matches authentication data of said first computer as stored in association with said connection server.
  - 95. The method of claim 94, wherein said user authentication data is embedded in said request, and wherein said authenticating further comprises determining whether or not the authentication data has been altered during transmission from said first computer to said connection server.
  - 96. The method of claim 94, wherein said authentication data is encrypted, and wherein said authenticating further comprises decrypting said encrypted authentication data prior to said verifying.
  - 97. The method of claim 96, further comprising preparing and verifying encryption keys for a user of the first computer after said authenticating step.
  - 98. The method of claim 91, wherein said connection server comprises a plurality of connection servers networked as a publicly addressable distributed control infrastructure, said method further comprising assigning on of said plurality of connection servers to create said first and second firewall compliant connections, wherein said assigning is based on at least one of:
    - a type of user using said first computer, a type of session requested to be established by the first computer;
      
      configuration of connection servers for a particular type or types of sessions;
      
      availability of connection servers;
      
      statuses of connection servers; and
      
      relative work loads of connection servers at time that session is to occur.
  - 99. The method of claim 91, further comprising storing at least a portion of said communications in at least one database associated with said connection server, wherein the stored communications may be accessed by the first computer, second computer or other computers that are authorized access to said connection computer and the stored data.
  - 100. The method of claim 99, wherein said access is allowed contemporaneously during the communications and in subsequent sessions.

101. A method for establishing a secure connection for rapid transfer of data between privately addressed, firewall protected locations over a public network, said method comprising:
- preparing authentication data on a first computer having a first, firewall protected private address;
  
  encrypting the authentication data using a public security key;
  
  sending a request over the public network to a publicly addressed server, wherein the request includes the encrypted authentication data;
  
  decrypting the encrypted authentication data at the location of the publicly addressed server using a private security key;
  
  verifying the decrypted authentication data to determine whether the authentication data represents an authorized user;
  
  authorizing the first computer to proceed if the authentication data represents an authorized user;
  
  generating a secret security key on the first computer for encryption of data to be sent over the secure connection;
  
  encrypting the secret key using the public security key and sending the encrypted secret security key to the publicly addressed server;
  
  decrypting the encrypted secret security key at the location of the publicly addressed server using the private security key; and
  
  establishing a second firewall compliant connection between said publicly addressed server and a second computer having a second firewall protected private address; and
  
  establishing a private-to-public-to-private communications tunnel connecting said first computer, said publicly addressed server and said second computer.
- View Dependent Claims (102, 103, 104, 105, 106, 107, 108, 109, 110, 111, 112, 113)
- - 102. The method of claim 101, further comprising transmitting data from said first computer to said second computer via said publicly addressed server.
  - 103. The method of claim 102, further comprising transmitting data from said second computer to said first computer via said publicly addressed server.
  - 104. The method of claim 103, wherein said private-to-public-to-private communications tunnel comprises full duplex connections between said first computer and said publicly addressed server and between said publicly addressed server and said second computer.
  - 105. The method of claim 103, wherein the data transmitted subsequent to establishing the private-to-public-to-private communications tunnel is encrypted using the secret key.
  - 106. The method of claim 103, wherein the data transmitted from the first computer is encrypted using the secret key, and the data transmitted from the second computer encrypted using a second secret key generated by the second computer.
  - 107. The method of claim 103, wherein the data transmitted subsequent to establishing the private-to-public-to-private communications tunnel is unencrypted.
  - 108. The method of claim 102, wherein the data transmitted subsequent to establishing the private-to-public-to-private communications tunnel is encrypted using the secret key.
  - 109. The method of claim 102, wherein the data transmitted subsequent to establishing the private-to-public-to-private communications tunnel is unencrypted.
  - 110. The method of claim 101, wherein the encrypted authentication data is embedded in the request.
  - 111. The method of claim 110, wherein the request is an HTTP request.
  - 112. The method of claim 101, further comprising:
    - calculating a message digest value on the first computer for the authentication data;
      
      encrypting the calculated message digest value together with said encrypting the authentication data; and
      
      embedding the encrypted authentication data and message digest value in the request;
      
      wherein said decrypting the encrypted authentication data further comprises decrypting the message digest value;
      
      said method further comprising computing a message digest value for the decrypted authentication data, and comparing the computed message digest value with the decrypted message digest value to determine whether the authentication data has been altered or corrupted; and
      
      allowing said verifying to proceed only if the computed message digest value and the decrypted digest value are the same.
  - 113. The method of claim 101, further comprising:
    - generating a message digest value for the secret security key;
      
      encrypting said message digest value with said encrypting the secret key, and sending the encrypted message digest value with the encrypted secret key to the publicly addressed server;
      
      wherein said decrypting the encrypted security key further comprises decrypting the message digest value;
      
      said method further comprising computing a message digest value for the decrypted secret key, and comparing the computed message digest value with the decrypted message digest value to determine whether the secret key has been altered or corrupted; and
      
      allowing said establishing a second firewall compliant connection to proceed only if the computed message digest value and the decrypted digest value are the same.

114. A method of load balancing communications among a plurality of connection servers networked in a publicly addressable distributed control infrastructure which multiple computers within multiple private networks may access for establishing communications over a public network, said method comprising:
- determining a user type of each computer to be connected by communications through said publicly addressable distributed control infrastructure in a particular session;
  
  determining a session type of the particular session to be established;
  
  comparing user type and session type determinations with server type information stored in at least one database connected to said distributed control infrastructure;
  
  selecting a connection server characterized by server type information that indicates the connection server is capable of handling the determined user types and session type;
  
  determining if the selected server is active;
  
  determining whether or not the selected server, if active, has adequate Power to handle the connections that will be required to establish the communications for the session; and
  
  if the selected server is active and has adequate Power, determining whether the selected server has the best available Power level for carrying out the session, based upon a calculated average Power expected for the session and Utilization Ratios of each capable, active connection server which has adequate Power.
- View Dependent Claims (115)
- - 115. The method of claim 114, further comprising assigning the selected server determined to active and to have the best available Power level to establish connections between the computers to be included in the session.

116. A method of persistent, secure transfer of data between at least two computers over a public network, wherein the computers have separate privately addressed, firewall protected locations, said method comprising:
- accessing a connection server operably connected to the public network by addressing a request from a first of the computers to a public address of the connection server;
  
  establishing a secure connection between the first computer and the connection server, after which, the connection server establishes a secure connection between the connection server and at least a second of the computers, according to instructions received from the first computer as to which computers the first computer desires to communicate with;
  
  wherein secure, full-duplex, persistent communications are established through the connection server without the need for any of the computers to know or address a private address of any of the other computers between which the communications take place.
- View Dependent Claims (117, 118, 119, 120, 121, 122, 123, 124)
- - 117. The method of claim 116, wherein the first computer includes a first data control process, the second computer includes a second data control process and the connection server includes a third data control process;
    - and wherein, after establishment of a secure communication channel between the first and second computers via the connection server, the first data control process adaptively polls a first sending buffer to determine whether any data to be communicated is contained in the first sending buffer, and sends the data, along with a request to the connections server when data is contained in the first sending buffer.
  - 118. The method of claim 117, wherein the third data control process adaptively polls the first computer to determine whether a request has been sent;
    - and upon receiving a request, the third data process reads the request and buffers any data that is included with the request, in a connection server sending buffer associated with the third data process;
      
      the third data control process additionally adaptively polls the connection server sending buffer to determine whether any data to be sent to the first computer is contained in the connection server sending buffer; and
      
      when data to be sent to the first computer is present, the third data control process sends the data along with a response to the request.
  - 119. The method of claim 118, wherein the first data control process reads the response, buffers any data that is contained with the response, and notifies the first computer that data has been received.
  - 120. The method of claim 119, wherein the process steps are iteratively repeated to maintain persistent communications.
  - 121. The method of claim 117, wherein the third data control process adaptively polls the connection server sending buffer to determine whether any data to be sent to the second computer is contained in the connection server sending buffer;
    - and when data to be sent to the second computer is present, the third data control process sends the data along with a response to the second computer.
  - 122. The method of claim 117, wherein the third data control process adaptively polls the second computer to determine whether a request has been sent;
    - and upon receiving a request, the third data process reads the request and buffers any data that is included with the request, in the connection server sending buffer;
      
      the third data control process additionally adaptively polls the connection server sending buffer to determine whether any data to be sent to the second computer is contained in the connection server sending buffer; and
      
      when data to be sent to the second computer is present, the third data control process sends the data along with a response to the request.
  - 123. The method of claim 122, wherein the second data control process reads the response, buffers any data that is contained with the response, and notifies the second computer that data has been received.
  - 124. The method of claim 122, wherein the process steps are iteratively repeated to maintain persistent communications.

125. A process for remotely controlling one or more network-enabled devices by one or more client computers over a public network, wherein the one or more network-enabled devices are operatively connected within one or more different private networks and the one or more client computers are operatively connected within one or more other different private networks, at least one of the private networks being protected by a firewall element, said process comprising:
- accessing at least one connection server by at least one of the client computers, said at least one connection server being operably connected to the public network;
  
  establishing a secure connection between each of the at least one client computers and the at least one connection server, after which, the at least one connection server establishes a secure connection between the at least one connection server and each of the network-enabled devices requested to be connected with the at least one client computer, through at least one device control computer connected with said network-enabled devices, wherein secure, full-duplex, persistent communications are established through the connection server without the need for any of the computers to know or address a private address of any of the other computers between which the communications take place;
  
  sending control instructions from said at least one client computer to at least one of the connected network-enabled devices, via the at least one connection server; and
  
  receiving data at said at least one client computer received from said at least one connected network-enabled device via said at least one connection server.
- View Dependent Claims (126, 127)
- - 126. The process of claim 125, wherein a plurality of the client computers send control instructions to collaboratively control at least one of said network-enabled devices.
  - 127. The process of claim 125, wherein one or more of said client computers send control instructions for point to multipoint delivery of said instructions to a plurality of said network-enabled devices.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Western Digital Technologies Incorporated (Western Digital Corporation)
Original Assignee
Senvid, Inc. (Western Digital Corporation)
Inventors
Rizal, Dharmarus, Hesselink, Lambertus, Bjornson, Eric S.

Granted Patent

US 7,120,692 B2
Time in Patent Office

Days
Field of Search
US Class Current

709/229
CPC Class Codes

H04L 63/0209   Architectural arrangements,...

H04L 63/0218   Distributed architectures, ...

H04L 63/0272   Virtual private networks

H04L 63/029   Firewall traversal, e.g. tu...

H04L 63/0428   wherein the data content is...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/08   for authentication of entit...

H04L 63/083   using passwords cryptograph...

H04L 67/02   based on web technology, e....

H04L 67/1001   for accessing one among a p...

H04L 67/1008   based on parameters of serv...

H04L 67/1023   based on a hash applied to ...

H04L 67/125   involving control of end-de...

H04L 67/14   Session management for real...

H04L 67/563   Data redirection of data ne...

Access and control system for network-enabled devices

First Claim

13 Assignments

0 Petitions

Accused Products

Abstract

Citations

127 Claims

Specification

Solutions

Use Cases

Quick Links

Access and control system for network-enabled devices

First Claim

13 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

127 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links