Systems and Methods for Authorizing a Client in an SSL VPN Session Failover Environment
First Claim
1. A method of performing authorization of a client's secure socket layer virtual private network (SSL VPN) session transferred upon failover from a first appliance to a second appliance, the method comprising the steps of:
(a) receiving, by a second appliance from a first appliance, information identifying a security string used by the first appliance to authorize a secure socket layer virtual private network (SSL VPN) session established between a client and a network;
(b) detecting, by the second appliance, the first appliance is unavailable to continue the SSL VPN session;
(c) providing, by the second appliance, the SSL VPN session for the client in response to the detection;
(d) placing, by the second appliance, the SSL VPN session on hold until the client is authorized by the second appliance; and
(e) transmitting, by the second appliance, a request to the client to evaluate at least one clause of the security string, the at least one clause including an expression identifying a client-side attribute.
Abstract
The SSL VPN session failover solution of the appliance and/or client agent described herein provides an environment for handling IP address assignment and end point re-authorization upon failover. The appliances may be deployed to provide a session failover environment in which a second appliance is a backup to a first appliance when a failover condition is detected, such as failure in operation of the first appliance. The backup appliance takes over responsibility for SSL VPN sessions provided by the first appliance. In the failover environment, the first appliance propagates SSL VPN session information including user IP address assignment and end point authorization information to the backup appliance. The backup appliance maintains this information. Upon detection of failover of the first appliance, the backup appliance activates the transferred SSL VPN session and maintains the user assigned IP addresses. The backup appliance may also re-authorize the client for the transferred SSL VPN session.
24 Claims
1. (Independent claim, reproduced above under First Claim; dependent claims 2 to 12.)
13. A system for performing authorization of a client's secure socket layer virtual private network (SSL VPN) session transferred upon failover from a first appliance to a second appliance, the system comprising:
means for receiving, by a second appliance from a first appliance, information identifying a security string used by the first appliance to authorize a secure socket layer virtual private network (SSL VPN) session established between a client and a network;
means for detecting, by the second appliance, the first appliance is unavailable to continue the SSL VPN session;
means for providing, by the second appliance, the SSL VPN session for the client in response to the detection;
means for placing, by the second appliance, the SSL VPN session on hold until the client is authorized by the second appliance; and
means for transmitting, by the second appliance, a request to the client to evaluate at least one clause of the security string, the at least one clause including an expression identifying a client-side attribute.
Dependent claims: 14 to 24.
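The abstract and the two independent claims describe one procedure: the first appliance replicates each session's assigned IP and the security string it used for end point authorization to the backup; the backup detects the first appliance is unavailable, takes the session over without changing the IP, holds it, and sends the client a request to evaluate the security string's clauses before traffic resumes. The following simulation is an added illustration of that flow, not code from the patent or from any appliance vendor; the clause syntax (`CLIENT.<attribute> <op> <value>`), the class and method names, the IP pool and the client attribute values are all assumptions made for the example.

```python
"""Added simulation of SSL VPN session failover with end point re-authorization.

Assumed, not from the patent: the clause grammar, the class names, the IP pool
and the client attributes. Only "==" and "!=" are supported to keep the
client-side evaluator small.
"""
from dataclasses import dataclass, field

# Each clause is "CLIENT.<attribute> <op> <value>", evaluated by the client.
_OPS = {"==": lambda a, b: a == b, "!=": lambda a, b: a != b}


def parse_clause(clause):
    """Split a clause into (attribute, operator, value); reject malformed input."""
    parts = clause.split()
    if len(parts) != 3 or parts[1] not in _OPS or not parts[0].startswith("CLIENT."):
        raise ValueError(f"malformed clause: {clause!r}")
    return parts[0][len("CLIENT."):], parts[1], parts[2]


@dataclass
class Client:
    """End point holding attributes the appliance cannot observe directly."""
    attributes: dict

    def evaluate(self, clauses):
        """Evaluate each clause locally; an unknown attribute evaluates to False."""
        results = {}
        for clause in clauses:
            attr, op, value = parse_clause(clause)
            actual = self.attributes.get(attr)
            results[clause] = actual is not None and _OPS[op](str(actual), value)
        return results


@dataclass
class Session:
    user: str
    client: Client
    assigned_ip: str
    security_string: list
    state: str = "active"      # "active" or "hold"
    authorized: bool = False


@dataclass
class Appliance:
    name: str
    ip_pool: list
    available: bool = True
    sessions: dict = field(default_factory=dict)
    backup: "Appliance" = None

    def authorize(self, session):
        """Send the clauses to the client for evaluation; all must hold."""
        results = session.client.evaluate(session.security_string)
        session.authorized = all(results.values())
        return session.authorized

    def establish(self, user, client, security_string):
        """Assign an IP, authorize the client, then replicate to the backup."""
        session = Session(user, client, self.ip_pool.pop(0), list(security_string))
        if not self.authorize(session):
            self.ip_pool.insert(0, session.assigned_ip)
            return None
        self.sessions[user] = session
        if self.backup is not None:
            # Propagate the IP assignment and the security string, not the
            # verdict: the backup re-authorizes on its own after takeover.
            self.backup.sessions[user] = Session(user, client, session.assigned_ip,
                                                 list(security_string))
        return session

    def take_over_if_failed(self, primary):
        """Backup side: once the primary is detected as unavailable, hold each
        transferred session and re-authorize the client before resuming it."""
        if primary.available:
            return {}
        outcome = {}
        for user, session in list(self.sessions.items()):
            session.state = "hold"          # held until the client is re-authorized
            if self.authorize(session):     # client re-evaluates the clauses
                session.state = "active"    # same assigned IP, no reconnect needed
                outcome[user] = "resumed"
            else:
                del self.sessions[user]
                outcome[user] = "terminated"
        return outcome


def run_failover_scenario():
    """Constructed scenario: one client's posture drifts before failover."""
    policy = ["CLIENT.OS == Windows", "CLIENT.AV_RUNNING == true"]
    backup = Appliance("backup", ip_pool=[])
    primary = Appliance("primary", ip_pool=["10.8.0.2", "10.8.0.3"], backup=backup)
    alice = Client({"OS": "Windows", "AV_RUNNING": "true"})
    bob = Client({"OS": "Windows", "AV_RUNNING": "true"})
    primary.establish("alice", alice, policy)
    primary.establish("bob", bob, policy)
    bob.attributes["AV_RUNNING"] = "false"   # posture changes while primary is up
    primary.available = False                # failover condition
    return backup.take_over_if_failed(primary), backup


if __name__ == "__main__":
    outcome, backup = run_failover_scenario()
    print(outcome, {u: s.assigned_ip for u, s in backup.sessions.items()})
```

The design point worth noting is that the primary replicates the security string rather than its authorization verdict: the backup holds each transferred session and obtains a fresh client-side evaluation, so a client whose posture drifted while the primary was up (here, the second client) is not silently carried over on the strength of a stale decision, while the first client keeps its assigned IP and resumes without a reconnect.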