Method and system for providing secure access to private networks

US 20030229718A1
Filed: 06/05/2003
Published: 12/11/2003
Est. Priority Date: 06/06/2002
Status: Active Grant

First Claim

Patent Images

1. A method for modifying a markup language page to redirect resource requests to an intermediate server, said method comprising the acts of:

identifying, within the markup language page, a predetermined element that includes at least a first network address; and

modifying the first network address within the predetermined element of the markup language page to a second network address that pertains to the intermediate server.

View all claims

14 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Improved approaches for providing secure remote access to resources maintained on private networks are disclosed. According to one aspect, predetermined elements, such as applets, can be modified to redirect all communications to and from an application server through an intermediate server. The intermediate server in turn communicates with the application servers. According to another aspect, a communication framework can be provided to funnel communication between an applet and a server through a communication layer so as to provide managed and/or secured communications there between.

323 Citations

48 Claims

1. A method for modifying a markup language page to redirect resource requests to an intermediate server, said method comprising the acts of:
- identifying, within the markup language page, a predetermined element that includes at least a first network address; and
  
  modifying the first network address within the predetermined element of the markup language page to a second network address that pertains to the intermediate server.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. A method as recited in claim 1, wherein said identifying identifies the predetermined element through use of predetermined tags.
  - 3. A method as recited in claim 2, wherein the markup language page is an HTML page, and wherein the predetermined tags are HTML tags.
  - 4. A method as recited in claim 1, wherein the second network address has a hostname pertaining to the intermediate server.
  - 5. A method as recited in claim 4, wherein the second network address further has a suffix that includes at least a hostname of the first network address.
  - 6. A method as recited in claim 4, wherein the second network address further has a suffix that includes at least the first network address.
  - 7. A method as recited in claim 1, wherein the predetermined element is an applet.
  - 8. A method as recited in claim 1, wherein the predetermined element is a Java applet.
  - 9. A method as recited in claim 1, wherein the predetermined element is a Java object.

10. A method for processing resource requests provided to an intermediate server from a client via a computer network, said method comprising the acts of:
- receiving a resource request for a particular resource, the resource request being provided to the intermediate server from the client via the computer network;
  
  extracting a destination server from the resource request;
  
  requesting the particular resource from the destination server;
  
  receiving the particular resource from the destination server;
  
  modifying the particular resource to redirect internal resource requests to the intermediate server;
  
  sending the modified particular resource to the client;
  
  receiving an applet code request for an applet identified within the modified particular resource;
  
  requesting applet code for the applet from a remote server via the computer network;
  
  receiving the applet code from the remote server in response to said requesting of the applet code;
  
  modifying the applet code to redirect its external communications through the intermediate server; and
  
  sending the modified applet code to the client.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25)
- - 11. A method as recited in claim 10, wherein the applet code is bytecode for the applet.
  - 12. A method as recited in claim 10, wherein said modifying of the particular resource modifies at least one source file address within the particular resource, the at least one source file address pertaining to the applet.
  - 13. A method as recited in claim 12, wherein the particular resource is a markup language document.
  - 14. A method as recited in claim 13, wherein the markup language document is a HTML page.
  - 15. A method as recited in claim 10, wherein the computer network includes at least a portion of the Internet.
  - 16. A method as recited in claim 10, wherein the remote server is the destination server.
  - 17. A method as recited in claim 10, wherein said modifying of the particular resource comprises the acts of:
    - identifying, within the particular resource, a predetermined element that includes at least a first network address; and
      
      modifying the first network address within the predetermined element of the particular resource to a second network address that pertains to the intermediate server.
  - 18. A method as recited in claim 17, wherein said identifying identifies the predetermined element through use of predetermined tags.
  - 19. A method as recited in claim 17, wherein the particular resource request is a markup language document.
  - 20. A method as recited in claim 18, wherein the markup language document is a HTML page.
  - 21. A method as recited in claim 20, wherein the predetermined tags are HTML tags.
  - 22. A method as recited in claim 16, wherein the second network address includes at least a hostname pertaining to the intermediate server.
  - 23. A method as recited in claim 22, wherein the second network address further has a suffix that includes at least the first network address.
  - 24. A method as recited in claim 16, wherein the predetermined element pertains to an applet.
  - 25. A method as recited in claim 24, wherein the predetermined element is a predetermined attribute of the applet.

26. A method for communicating between a client and a server, the client including an applet, said method comprising:
- determining whether a socket connection between the applet at the client and server is available;
  
  establishing a socket connection between the applet at the client and the server when said determining determines that a socket connection is available;
  
  establishing a pair of unidirectional secure connections provided by said communication layer when said determining determines that a socket connection is not available; and
  
  thereafter communicating data between the applet at the client and the server using whichever of the socket connection and the pair of unidirectional secure connections has been established.
- View Dependent Claims (27)
- - 27. A method as recited in claim 26, wherein the pair of unidirectional secure connections are URL connections.

28. A system for communicating between a client and a server, said system comprising:
- a communication layer at a client, said communication layer transforming one or more socket connections into a pair of unidirectional secure URL connections;
  
  an applet operating at the client to perform operations and to create at least one socket connection with said communication layer; and
  
  a server operatively connected with the pair of unidirectional secure URL connections, said server communicating with said applet via the pair of unidirectional secure URL connections provided by said communication layer.
- View Dependent Claims (29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41)
- - 29. A system as recited in claim 28, wherein communications between said server and said applet are performed using packets of data.
  - 30. A system as recited in claim 29, wherein the packets include a header and data, and wherein the header includes at least a browser identifier and a socket identifier.
  - 31. A system as recited in claim 28, wherein said server includes one or more server socket connections with remote content servers, and wherein said server receives packets from said applet via one of the unidirectional secure URL connections provided by said communication layer, and wherein said server directs the packets received to an appropriate one of the server socket connections based on at least the browser identifier and the socket identifier.
  - 32. A system as recited in claim 28, wherein communications between said server and said applet are performed using packets of data, wherein the packets include a header and data, and the header includes at least a socket identifier, wherein said server includes one or more server socket connections with remote content servers, and wherein said server receives packets from said applet via one of the unidirectional secure URL connections provided by said communication layer, and directs the packets received to an appropriate one of the server socket connections based on at least the socket identifier.
  - 33. A system as recited in claim 28, wherein said communication layer comprises:
    - an outgoing queue for buffering outgoing packets of data received from the at least one socket connection with said applet; and
      
      a sender thread that sends the packets of data stored in said outgoing queue to said server.
  - 34. A system as recited in claim 33, wherein said communication layer comprises:
    - a reader thread that receives packets of data being sent from said server to said applet via said communication layer; and
      
      at least one incoming queue for buffering incoming packets of data received from said server.
  - 35. A system as recited in claim 34, wherein said at least one incoming queue operatively connects with the at least one socket connection of said applet.
  - 36. A system as recited in claim 34, wherein flow control messages are sent between said communication layer and said server.
  - 37. A system as recited in claim 34, wherein acknowledgement messages are sent between said communication layer and said server.
  - 38. A system as recited in claim 28, wherein one of the pair of the unidirectional secure URL connections is an outgoing unidirectional secure URL connection, and the other of the pair of the unidirectional secure URL connections is an incoming unidirectional secure URL connection.
  - 39. A system as recited in claim 38, wherein the outgoing unidirectional secure URL connection is a transient connection.
  - 40. A system as recited in claim 39, wherein the incoming unidirectional secure URL connection is a persistent connection.
  - 41. A system as recited in claim 28, wherein said communication layer is an applet communication layer.

42. A system for communicating between a client and a server, said system comprising:
- a plurality of browser applications, at least a plurality of said browser applications utilizing at least one operating applet and a communication layer, said applet operating to perform operations and to create at least one socket connection with said communication layer, and said communication layer for each of said browsers operates to transform said socket connections into a pair of unidirectional URL connections; and
  
  a server operatively connected with the pair of unidirectional URL connections associated with said communication layer associated with each of said plurality of browser applications, said server communicating with said at least one operating applet of said plurality of browser applications via the pair of unidirectional URL connections provided by said communication layer corresponding thereto.
- View Dependent Claims (43, 44, 45, 46)
- - 43. A system as recited in claim 42, wherein the pair of unidirectional URL connections are secure connections.
  - 44. A system as recited in claim 42, wherein the pair of unidirectional URL connections are HTTPS connections.
  - 45. A system as recited in claim 42, wherein said server is an intermediate server that is provided as an intermediary between said browser application and remote content servers.
  - 46. A system as recited in claim 42, wherein one of the pair of unidirectional URL connections is a transient connection, and the other of the pair of unidirectional URL connections is a persistent connection.

47. A system for communicating between a client and a server, said system comprising:
- a plurality of browser applications, at least a plurality of said browser applications utilizing at least one operating applet and a communication layer, said applet operating to perform operations and to create at least one socket connection with said communication layer, and said communication layer for each of said browsers operates to form an intermediate socket connection or to transform said socket connections into a pair of unidirectional URL connections; and
  
  a server operatively connected with the intermediate socket connection or the pair of unidirectional URL connections associated with said communication layer associated with each of said plurality of browser applications, said server communicating with said at least one operating applet of said plurality of browser applications via the intermediate socket connection or the pair of unidirectional URL connections provided by said communication layer corresponding thereto.
- View Dependent Claims (48)
- - 48. A system as recited in claim 47, wherein said server communicates with said at least one operating applet of said plurality of browser applications via the intermediate socket connection if such connection can be established, otherwise via the pair of unidirectional URL connections.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Pulse Secure, LLC (Ivanti Software, Inc.)
Original Assignee
Neoteris, Inc. (Juniper Networks Incorporated)
Inventors
Tock, Theron, Xia, Zeqing

Granted Patent

US 7,620,719 B2
Time in Patent Office

Days
Field of Search
US Class Current

709/246
CPC Class Codes

H04L 63/0281   Proxies

H04L 63/10   for controlling access to d...

H04L 63/168   above the transport layer

H04L 67/01   Protocols

H04L 67/561   Adding application-function...

H04L 67/563   Data redirection of data ne...

H04L 67/564   Enhancement of application ...

H04L 69/162   involving adaptations of so...

Method and system for providing secure access to private networks

First Claim

14 Assignments

0 Petitions

Accused Products

Abstract

323 Citations

48 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for providing secure access to private networks

First Claim

14 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

323 Citations

48 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links