Providing consistent application aware firewall traversal

US 20060195899A1
Filed: 01/05/2006
Published: 08/31/2006
Est. Priority Date: 02/25/2005
Status: Active Grant

First Claim

Patent Images

1. At a gateway server in a computerized environment in which a client computer system accesses a resource at the gateway server through a firewall, the gateway server providing application layer connections through a firewall, a method comprising the acts of:

receiving a connection request from a client, wherein the connection request identifies a resource with which the client would like to connect;

quarantining a connection with the client to determine if the client has installed a minimum set of one or more features;

identifying a protocol processor plug-in based on a resource type of the identified resource; and

forwarding the connection with the client to the identified protocol processor plug-in.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Implementations of the present invention relate to a communication framework that is readily adaptable to a wide variety of resources intended to be accessible through a firewall. In general, a communication framework at a gateway server can provide a specific connection to a requested resource in accordance with a wide range of resource and/or network access policies. In one instance, a client requests a connection to a specific resource behind a firewall. The communication framework authenticates the connection, and quarantines the connection until determining, for example, that the client is using an appropriate resource features. If appropriately authenticated, the communication framework can pass control of the connection to an appropriately identified protocol plug-in processor, which facilitates a direct connection to the requested resource at an application layer of a communication stack.

Citations

20 Claims

1. At a gateway server in a computerized environment in which a client computer system accesses a resource at the gateway server through a firewall, the gateway server providing application layer connections through a firewall, a method comprising the acts of:
- receiving a connection request from a client, wherein the connection request identifies a resource with which the client would like to connect;
  
  quarantining a connection with the client to determine if the client has installed a minimum set of one or more features;
  
  identifying a protocol processor plug-in based on a resource type of the identified resource; and
  
  forwarding the connection with the client to the identified protocol processor plug-in.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method as recited in claim 1, further comprising authenticating the client based on authentication information provided in the client request compared with one or more access policies.
  - 3. The method as recited in claim 2, further comprising an act of identifying the one or more access policies from a communication framework installed at the gateway server.
  - 4. The method as recited in claim 1, wherein forwarding the connection to the identified protocol processor plug-in comprises an act of providing control of a channel of a connection tunnel to the protocol processor plug-in at the server.
  - 5. The method as recited in claim 4, further comprising the acts of:
    - receiving a different connection request for a different resource from the client; and
      
      establishing a different connection channel between the client and the different resource through the same connection tunnel.
  - 6. The method as recited in claim 4, further comprising an act of receiving a different connection request for the resource, such that multiple connections have been requested to the same resource from any of the client, or the client and one or more different clients outside of the firewall.
  - 7. The method as recited in claim 6, further comprising an act of providing control of a different channel to the identified protocol processor plug-in with the client making the different connection request.
  - 8. The method as recited in claim 6, further comprising the acts of:
    - identifying from a granular access policy setting that the different connection request is inappropriate; and
      
      denying the different connection request.
  - 9. The method as recited in claim 8, wherein the access policy comprises a network access policy for determining whether the client is authorized to connect to the server, and a resource access policy for determining whether the client is access to create a channel with the requested resource through the server connection.
  - 10. The method as recited in claim 8, wherein the access policy setting comprises an indication limiting access by the client to the resource during a time of day, and wherein the different connection request is outside of the time of day.
  - 11. The method as recited in claim 8, wherein the access policy setting comprises an indication limiting access by the client to the resource at a specific port of a resource server behind a firewall, wherein the different connection request requests a connection to the resource at the specific port of the resource server.
  - 12. The method as recited in claim 8, wherein the access policy setting is a network access policy that limits the number of connection tunnels through the firewall at the gateway server, such that the different connection request requires creation of a new connection tunnel that exceeds the limit.
  - 13. The method as recited in claim 8, wherein the access policy setting requires that the client request be made by a client having a smartcard, wherein the different connection request indicates that the client does not have the smartcard.
  - 14. The method as recited in claim 8, wherein the access policy setting limits access to the same resource to a permitted class of users, wherein the different connection request originates from a different user that is not a member of the permitted class of users.

15. At a client computer system in a computerized environment in which the client accesses a resource through a gateway server firewall, the gateway server providing application layer connections through a firewall, a method comprising the acts of:
- sending a request for a connection at a gateway server, wherein the request identifies a server resource to connect with a corresponding client resource;
  
  receiving a request from the gateway server for a minimum set of one or more features supported by the client;
  
  sending a feature response to the gateway server, the feature response indicating which of the requested set of one or more features are supported by the client; and
  
  connecting to an application layer of a communication stack at the gateway server, such that the client resource communicates data with a protocol processor plug-in associated with the server resource.
- View Dependent Claims (16, 17, 18, 19)
- - 16. The method as recited in claim 15, further comprising an act of sending authentication information with the request for the connection, wherein the authentication information includes an indication that the client has a smartcard.
  - 17. The method as recited in claim 15, wherein connecting to an application layer further comprises the acts of:
    - establishing a connection tunnel through the firewall of the gateway server at the application layer; and
      
      establishing a connection channel within the connection tunnel to the requested resource.
  - 18. The method as recited in claim 15, further comprising the acts of:
    - sending a different connection request for the resource to the gateway server; and
      
      communicating with the protocol processor plug-in through a different channel that is different from a channel created from the request for the connection at a gateway server.
  - 19. The method as recited in claim 15, further comprising the acts of:
    - sending a different connection request for a different resource associated with the protocol processor plug-in; and
      
      communicating with the different resource through the protocol processor plug-in, such that the protocol processor plug-in handles multiple connection channels between the client and multiple resources at the gateway server.

20. At a gateway server in a computerized environment in which a client computer system accesses a resource at the gateway server through a firewall, the gateway server having at least a remote procedure call layer and a secure hypertext transfer protocol layer in a communication framework, a computer program product having computer-executable instructions stored thereon that, when executed, cause one or more processes at the gateway server to perform a method comprising the following:
- receiving a connection request from a client, wherein the connection request identifies a resource with which the client would like to connect;
  
  quarantining a connection with the client to determine if the client has installed a minimum set of one or more features;
  
  identifying a protocol processor plug-in based on a resource type of the identified resource; and
  
  forwarding the connection with the client to the identified protocol processor plug-in.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Chik, Joy, Ben-Shachar, Ido, Malakapalli, Meher P., Palekar, Ashwin, Steere, David C., Baraboi, Tudor A.

Granted Patent

US 7,685,633 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/12
CPC Class Codes

H04L 63/0227   Filtering policies mail mes...

H04L 63/029   Firewall traversal, e.g. tu...

H04L 63/08   for authentication of entit...

H04L 63/102   Entity profiles

Providing consistent application aware firewall traversal

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Providing consistent application aware firewall traversal

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links