Systems and Methods of Providing Server Initiated Connections on a Virtual Private Network

US 20080043760A1
Filed: 08/21/2006
Published: 02/21/2008
Est. Priority Date: 08/21/2006
Status: Active Grant

First Claim

Patent Images

1. A method for establishing via an appliance a transport layer protocol connection initiated by a server on a first network to a client connected from a second network to the first network via a secure socket layer virtual private network (SSL VPN) connection, the method comprising the steps of:

(a) receiving, by an appliance, a transport layer connection request from a server on a first network to connect to a client connected to the first network via a SSL VPN connection from a second network, the transport layer connection request identifying a client destination internet protocol address and a client destination port on the first network;

(b) establishing, by the appliance, a first transport layer connection to the server on the first network;

(c) determining, by the appliance, the client on the second network associated with the client destination internet protocol address on the first network;

(d) transmitting, by the appliance, connection information identifying the client destination port to an agent on the client;

(e) establishing, by the agent, a second transport layer connection to the client destination port using a local internet protocol address of the client on the second network; and

(f) establishing, by the agent, a third transport layer connection to the appliance and associating the third transport layer connection with the second transport layer connection.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention is related to a method for establishing via an appliance a transport layer protocol connection initiated by a server on a first network to a client connected from a second network to the first network via a secure socket layer virtual private network (SSL VPN) connection. The method includes the step of receiving, by an appliance, a transport layer connection request from a server on a first network to connect to a client connected to the first network via a SSL VPN connection from a second network. The transport layer connection request identifies a client destination internet protocol address and a client destination port on the first network. The method includes establishing, by the appliance, a first transport layer connection to the server on the first network, determining, by the appliance, the client on the second network associated with the client destination internet protocol address on the first network, and transmitting, by the appliance, connection information identifying the client destination port to an agent on the client. The agent establishes a second transport layer connection to the client destination port using a local internet protocol address of the client on the second network and establishes a third transport layer connection to the appliance, which it associates with the second transport layer connection.

114 Citations

24 Claims

1. A method for establishing via an appliance a transport layer protocol connection initiated by a server on a first network to a client connected from a second network to the first network via a secure socket layer virtual private network (SSL VPN) connection, the method comprising the steps of:
- (a) receiving, by an appliance, a transport layer connection request from a server on a first network to connect to a client connected to the first network via a SSL VPN connection from a second network, the transport layer connection request identifying a client destination internet protocol address and a client destination port on the first network;
  
  (b) establishing, by the appliance, a first transport layer connection to the server on the first network;
  
  (c) determining, by the appliance, the client on the second network associated with the client destination internet protocol address on the first network;
  
  (d) transmitting, by the appliance, connection information identifying the client destination port to an agent on the client;
  
  (e) establishing, by the agent, a second transport layer connection to the client destination port using a local internet protocol address of the client on the second network; and
  
  (f) establishing, by the agent, a third transport layer connection to the appliance and associating the third transport layer connection with the second transport layer connection.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, comprising linking, by the appliance, the first transport layer connection to the server with the third transport layer connection to the agent of the client.
  - 3. The method of claim 2, comprising generating, by the appliance, a first connection record for the first transport layer connection to the server, receiving, by the appliance, a second connection record from the agent for the third transport layer connection, and associating, by the appliance, the first connection record with the second connection record.
  - 4. The method of claim 1, comprising forwarding, by the appliance, data received from a server internet protocol address and server source port to an internet protocol address and port used by the agent for the third transport layer connection.
  - 5. The method of claim 4, comprising forwarding, by the agent, the data to the application via the second transport layer connection.
  - 6. The method of claim 1, wherein the connection information comprises one of a protocol, a server internet protocol address, or a server source port.
  - 7. The method of claim 1, wherein the agent comprises a web browser plug-in.
  - 8. The method of claim 1, wherein step (d) comprising transmitting, by the appliance, to the agent via a control channel connection established between the appliance and the agent.
  - 9. The method of claim 1, comprising transmitting, by the client, via the appliance a request to the server to transmit the transport layer connection request.
  - 10. The method of claim 1, comprising determining, by the appliance, via content of an application layer protocol used for communications between the client and the server one of a server destination internet protocol address and server port or the client destination internet protocol address and client destination port.
  - 11. The method of claim 10, comprising modifying, by the appliance, the content of the application layer protocol transmitted to the server to identify an internet protocol address of the client on the first network.
  - 12. The method of claim 1, comprising determining, by the appliance, a second server initiated transport layer connection request to the client exceeds a predetermined threshold identifying a number of server initiated transport layer connections allowed to the client, and in response to the determination the appliance does not establish the second server initiated transport layer connection.

13. A system for establishing via an appliance a transport layer protocol connection initiated by a server on a first network to a client connected from a second network to the first network via a secure socket layer virtual private network (SSL VPN) connection, the system comprising:
- means for receiving, by an appliance, a transport layer connection request from a server on a first network to connect to a client connected to the first network via a SSL VPN connection from a second network, the transport layer connection request identifying a client destination internet protocol address and a client destination port on the first network;
  
  means for establishing, by the appliance, a first transport layer connection to the server on the first network;
  
  means for determining, by the appliance, the client on the second network associated with the client destination internet protocol address on the first network;
  
  means for transmitting, by the appliance, connection information identifying the client destination port to an agent on the client;
  
  means for establishing, by the agent, a second transport layer connection to the client destination port using a local internet protocol address of the client on the second network; and
  
  means for establishing, by the agent, a third transport layer connection to the appliance and associating the third transport layer connection with the second transport layer connection.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24)
- - 14. The system of claim 13, wherein the appliance associates the first transport layer connection to the server with the third transport layer connection to the agent of the client.
  - 15. The system of claim 14, wherein the appliance generates a first connection record for the first transport layer connection to the server, receives a second connection record from the agent for the third transport layer connection, and associates the first connection record with the second connection record.
  - 16. The system of claim 13, wherein the appliance forwards data received from a server internet protocol address and server source port to an internet protocol address and port used by the agent for the third transport layer connection.
  - 17. The system of claim 16, wherein the agent forwards the data to the application via the second transport layer connection.
  - 18. The system of claim 13, wherein the connection information comprises one of a protocol, a server internet protocol address, or a server source port.
  - 19. The system of claim 13, wherein the agent comprises a web browser plug-in.
  - 20. The system of claim 13, wherein the appliance transmits connection information to the agent via a control channel connection established between the appliance and the agent.
  - 21. The system of claim 13, wherein the client transmits via the appliance a request to the server to transmit the transport layer connection request.
  - 22. The system of claim 13, wherein the appliance determines via content of an application layer protocol used for communications between the client and the server one of a server destination internet protocol address and server port or the client destination internet protocol address and client destination port.
  - 23. The system of claim 20, wherein the appliance identifies the content of the application layer protocol transmitted to the server to identify an internet protocol address of the client on the first network.
  - 24. The system of claim 13, wherein the appliance determines a second server initiated transport layer connection request to the client exceeds a predetermined threshold identifying a number of server initiated transport layer connections allowed to the client, and in response to the determination does not establish the second server initiated transport layer connection.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Citrix Systems, Inc. (Cloud Software Group)
Original Assignee
Citrix Systems, Inc. (Cloud Software Group)
Inventors
Soni, Ajay, Venkatraman, Charu, Harris, James, He, Junxiao, Kumar, Arkesh

Granted Patent

US 7,769,869 B2
Time in Patent Office

Days
Field of Search
US Class Current

370/401
CPC Class Codes

H04L 12/4641   Virtual LANs, VLANs, e.g. v...

H04L 63/0272   Virtual private networks

H04L 63/166   at the transport layer

H04L 69/16   Implementation or adaptatio...

H04L 69/161   Implementation details of T...

H04L 69/163   In-band adaptation of TCP d...

H04L 69/164   Adaptation or special uses ...

Systems and Methods of Providing Server Initiated Connections on a Virtual Private Network

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

114 Citations

24 Claims

Specification

Use Cases

Quick Links

Others

Systems and Methods of Providing Server Initiated Connections on a Virtual Private Network

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

114 Citations

24 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others