Systems and Methods for Authorizing a Client in an SSL VPN Session Failover Environment

US 20090037998A1
Filed: 08/03/2007
Published: 02/05/2009
Est. Priority Date: 08/03/2007
Status: Active Grant

First Claim

Patent Images

1. A method of performing authorization of a client'"'"'s secure socket layer virtual private network (SSL VPN) session transferred upon failover from a first appliance to a second appliance, the method comprising the steps of:

(a) receiving, by a second appliance from a first appliance, information identifying a security string used by the first appliance to authorize a secure socket layer virtual private network (SSL VPN) session established between a client and a network;

(b) detecting, by the second appliance, the first appliance is unavailable to continue the SSL VPN session;

(c) providing, by the second appliance, the SSL VPN session for the client in response to the detection;

(d) placing, by the second appliance, the SSL VPN session on hold until the client is authorized by the second appliance; and

(e) transmitting, by the second appliance, a request to the client to evaluate at least one clause of the security string, the at least one clause including an expression identifying a client-side attribute.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The SSL VPN session failover solution of the appliance and/or client agent described herein provides an environment for handling IP address assignment and end point re-authorization upon failover. The appliances may be deployed to provide a session failover environment in which a second appliance is a backup to a first appliance when a failover condition is detected, such as failure in operation of the first appliance. The backup appliance takes over responsibility for SSL VPN sessions provided by the first appliance. In the failover environment, the first appliance propagates SSL VPN session information including user IP address assignment and end point authorization information to the backup appliance. The backup appliance maintains this information. Upon detection of failover of the first appliance, the backup appliance activates the transferred SSL VPN session and maintains the user assigned IP addresses. The backup appliance may also re-authorize the client for the transferred SSL VPN session.

Citations

24 Claims

1. A method of performing authorization of a client'"'"'s secure socket layer virtual private network (SSL VPN) session transferred upon failover from a first appliance to a second appliance, the method comprising the steps of:
- (a) receiving, by a second appliance from a first appliance, information identifying a security string used by the first appliance to authorize a secure socket layer virtual private network (SSL VPN) session established between a client and a network;
  
  (b) detecting, by the second appliance, the first appliance is unavailable to continue the SSL VPN session;
  
  (c) providing, by the second appliance, the SSL VPN session for the client in response to the detection;
  
  (d) placing, by the second appliance, the SSL VPN session on hold until the client is authorized by the second appliance; and
  
  (e) transmitting, by the second appliance, a request to the client to evaluate at least one clause of the security string, the at least one clause including an expression identifying a client-side attribute.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, comprising activating, by the second appliance, the on hold SSL VPN session upon receiving a predetermined result from evaluation of the least one clause of the security string.
  - 3. The method of claim 1, comprising assigning, by the second appliance, the client to an authorization group based on a result from evaluation of the at least one clause.
  - 4. The method of claim 1, wherein step (d) comprises transmitting the request to a collection agent on the client, the collection agent gathering information associated with the client-side attribute and evaluating the at least one clause.
  - 5. The method of claim 1, comprising receiving, by the second appliance from the client in response to the request, a result from evaluation of the at least one clause providing the client-side attribute indicating a presence on the client of one of the following:
    - a version of an operating system, a service pack of the operating system, a running service, a running process, and a file.
  - 6. The method of claim 1, comprising receiving, by the second appliance from the client in response to the request, a result from evaluation of the at least one clause providing the client-side attribute indicating a presence on the client of one of the following:
    - antivirus software, personal firewall software, anti-spam software, and internet security software.
  - 7. The method of claim 1, comprising determining, by the second appliance, responsive to a result from evaluation of the at least one clause, that the client lacks a desired client-side attribute.
  - 8. The method of claim 7, comprising maintaining, by the second appliance, the SSL VPN session on hold in response to the determination.
  - 9. The method of claim 1, comprising determining, by the second appliance, responsive to a result from evaluation of the at least one clause, that the client-side attribute is not set to a value in accordance with a policy
  - 10. The method of claim 9, comprising maintaining, by the second appliance, the SSL VPN session on hold in response to the determination.
  - 11. The method of claim 1, comprising assigning, by the second appliance, the client to an authorization group providing quarantined access to the network in response to a result from evaluation of the at least one clause, and activating, by the second appliance, the SSL VPN session.
  - 12. The method of claim 1, comprising assigning, by the second appliance, the client to an authorization group responsive to an application of a policy by a policy engine to a result from evaluation of the at least one clause, and activating, by the second appliance, the SSL VPN session.

13. A system for performing authorization of a client'"'"'s secure socket layer virtual private network (SSL VPN) session transferred upon failover from a first appliance to a second appliance, the system comprising:
- means for receiving, by a second appliance from a first appliance, information identifying a security string used by the first appliance to authorize a secure socket layer virtual private network (SSL VPN) session established between a client and a network;
  
  means for detecting, by the second appliance, the first appliance is unavailable to continue the SSL VPN session;
  
  means for providing, by the second appliance, the SSL VPN session for the client in response to the detection;
  
  means for placing, by the second appliance, the SSL VPN session on hold until the client is authorized by the second appliance; and
  
  means for transmitting, by the second appliance, a request to the client to evaluate at least one clause of the security string, the at least one clause including an expression identifying a client-side attribute.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24)
- - 14. The system of claim 13, wherein the second appliance activates the on hold SSL VPN session upon receiving a predetermined result from evaluation of the least one clause of the security string.
  - 15. The system of claim 13, wherein the second appliance assigns the client to an authorization group based on a result from evaluation of the at least one clause.
  - 16. The system of claim 13, wherein the second appliance transmits the request to a collection agent on the client, the collection agent gathering information associated with the client-side attribute and evaluating the at least one clause.
  - 17. The system of claim 13, wherein the second appliance receives from the client in response to the request, a result from evaluation of the at least one clause providing the client-side attribute indicating a presence on the client of one of the following:
    - a version of an operating system, a service pack of the operating system, a running service, a running process, and a file.
  - 18. The system of claim 13, wherein the second appliance receives from the client in response to the request, a result from evaluation of the at least one clause providing the client-side attribute indicating a presence on the client of one of the following:
    - antivirus software, personal firewall software, anti-spam software, and internet security software.
  - 19. The system of claim 13, wherein the second appliance determines, responsive to a result from evaluation of the at least one clause, that the client lacks a desired client-side attribute.
  - 20. The system of claim 19, wherein the second appliance maintains the SSL VPN session on hold in response to the determination.
  - 21. The system of claim 13, wherein the second appliance determines, responsive to a result from evaluation of the at least one clause, that the client-side attribute is not set to a value in accordance with a policy
  - 22. The system of claim 21, wherein the second appliance maintains the SSL VPN session on hold in response to the determination.
  - 23. The system of claim 13, wherein the second appliance assigns the client to an authorization group providing quarantined access to the network in response to a result from evaluation of the at least one clause, and activates the SSL VPN session.
  - 24. The system of claim 13, wherein the second appliance assigns the client to an authorization group responsive to an application of a policy by a policy engine to a result from evaluation of the at least one clause, and activates the SSL VPN session.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Citrix Systems, Inc. (Cloud Software Group)
Original Assignee
Citrix Systems, Inc. (Cloud Software Group)
Inventors
Nanjundaswamy, Shashi, Mullick, Amarnath, Verzunov, Sergey, Choudhary, Akshat, Kumar, Arkesh, Adhya, Saibal

Granted Patent

US 8,132,247 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/11
CPC Class Codes

G06Q 20/027   involving a payment switch ...

H04L 63/0428   wherein the data content is...

H04L 63/08   for authentication of entit...

H04L 63/166   at the transport layer

H04L 63/20   for managing network securi...

H04L 69/40   for recovering from a failu...

Y10S 379/901   Virtual networks or virtual...

Systems and Methods for Authorizing a Client in an SSL VPN Session Failover Environment

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and Methods for Authorizing a Client in an SSL VPN Session Failover Environment

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links