Systems and Methods for Application Based Interception of SSL/VPN Traffic

US 20080034419A1
Filed: 08/03/2006
Published: 02/07/2008
Est. Priority Date: 08/03/2006
Status: Active Grant

First Claim

Patent Images

1. A method for an appliance to allow or deny a level of access by an application on a client to a resource via a virtual private network connection based on identification of the application, the method comprising the steps of:

(a) establishing, by an appliance, a virtual private network connection between an application on a client on a first network and a server on a second network;

(b) receiving, by the appliance, an identifier of the application;

(c) associating, by the appliance, with the virtual private network connection an authorization policy based on the identifier of the application;

(d) receiving, by an appliance, a request from the application on the client to access via the virtual private network connection a resource on a second network; and

(e) determining, by the appliance, from the authorization policy to one of allow or deny access by the application to the resource based on the identifier of the application.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for allowing or denying, by an appliance, access to a resource by an application on a client via a virtual private network connection includes basing the decision to allow or deny access on identification of the application. The appliance intercepts a request from an application on a client on a first network to access via a virtual private network connection a resource on a second network. The appliance identifies the application and associates with the intercepted request an authorization policy based on the identity of the application. The appliance determines, using the authorization policy and the identity of the application, to either allow or deny access by the application to the resource.

Citations

26 Claims

1. A method for an appliance to allow or deny a level of access by an application on a client to a resource via a virtual private network connection based on identification of the application, the method comprising the steps of:
- (a) establishing, by an appliance, a virtual private network connection between an application on a client on a first network and a server on a second network;
  
  (b) receiving, by the appliance, an identifier of the application;
  
  (c) associating, by the appliance, with the virtual private network connection an authorization policy based on the identifier of the application;
  
  (d) receiving, by an appliance, a request from the application on the client to access via the virtual private network connection a resource on a second network; and
  
  (e) determining, by the appliance, from the authorization policy to one of allow or deny access by the application to the resource based on the identifier of the application.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1, comprising denying, by the appliance, access by the application to the resource.
  - 3. The method of claim 2, comprising transmitting, by the appliance, to one of the client or the application a communication indicating access to the resource is denied.
  - 4. The method of claim 1, comprising allowing, by the appliance, access by the application to the resource.
  - 5. The method of claim 4, comprising transmitting, by the appliance, the request on the second network.
  - 6. The method of claim 1, comprising transmitting, by an agent on the client, a name of the application to the appliance.
  - 7. The method of claim 1, comprising establishing, by an agent on the client, the virtual private network connection to the second network via the appliance.
  - 8. The method of claim 1, wherein the identifier of the application comprises a name of the application.
  - 9. The method of claim 1, comprising intercepting, by an agent of the client, a connection request from the application to connect to the server.
  - 10. The method of claim 9, determining, by the agent, from the connection request the identifier of the application.
  - 11. The method of claim 1, comprising specifying, by the authorization policy, a name of the application and an authorization of one of access or deny.
  - 12. The method of claim 1, comprising associating, by the appliance, the authorization policy of the application with a user of the client.
  - 13. The method of claim 1, comprising identifying, by the appliance, the authorization policy of the application based on a user of the client.

14. A system for allowing or denying a level of access by an application on a client to a resource via a virtual private network connection based on identification of the application, the system comprising:
- a means for establishing, by an appliance, a virtual private network connection between an application on a client on a first network and a server on a second network;
  
  a means for receiving, by the appliance, an identifier of the application;
  
  a means for associating, by the appliance, with the virtual private network connection an authorization policy based on the identifier of the application;
  
  a means for receiving, by an appliance, a request from the application on the client to access via the virtual private network connection a resource on a second network; and
  
  a means for determining, by the appliance, from the authorization policy to one of allow or deny access by the application to the resource based on the identifier of the application.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26)
- - 15. The system of claim 14, comprising a means for denying, by the appliance, access by the application to the resource.
  - 16. The system of claim 15, comprising a means for transmitting, by the appliance, to one of the client or the application a communication indicating access to the resource is denied.
  - 17. The system of claim 14, comprising a means for allowing, by the appliance, access by the application to the resource.
  - 18. The system of claim 17, comprising a means for transmitting, by the appliance, the request on the second network.
  - 19. The system of claim 14, comprising a means for transmitting, by an agent on the client, a name of the application to the appliance.
  - 20. The system of claim 14, comprising a means for establishing, by an agent on the client, the virtual private network connection to the second network via the appliance.
  - 21. The system of claim 14, wherein the identifier of the application comprises a name of the application.
  - 22. The system of claim 14, comprising a means for intercepting, by an agent of the client, a connection request from the application to connect to the server.
  - 23. The system of claim 22, comprising a means for determining, by the agent, from the connection request the identifier of the application.
  - 24. The system of claim 14, comprising a means for specifying, by the authorization policy, a name of the application and an authorization of one of access or deny.
  - 25. The system of claim 14, comprising a means for associating, by the appliance, the authorization policy of the application with a user of the client.
  - 26. The system of claim 14, comprising a means for identifying, by the appliance, the authorization policy of the application based on a user of the client.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Citrix Systems, Inc. (Cloud Software Group)
Original Assignee
Citrix Systems, Inc. (Cloud Software Group)
Inventors
Nanjundaswami, Shashi, Soni, Ajay, Venkatraman, Charu, Harris, James, He, Junxiao, Mullick, Amarnath

Granted Patent

US 8,869,262 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/15
CPC Class Codes

H04L 63/0272   Virtual private networks

H04L 63/0876   based on the identity of th...

H04L 63/10   for controlling access to d...

H04L 63/102   Entity profiles

H04L 63/20   for managing network securi...

Systems and Methods for Application Based Interception of SSL/VPN Traffic

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and Methods for Application Based Interception of SSL/VPN Traffic

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links