NETWORK LOCATION DETERMINATION FOR DIRECT ACCESS NETWORKS

US 20100107240A1
Filed: 01/22/2009
Published: 04/29/2010
Est. Priority Date: 10/24/2008
Status: Abandoned Application

First Claim

Patent Images

1. A method of operating a client device (214, 234) when connected to a network (200) comprising a network firewall defining a network boundary, the client device (214, 234) supporting at least a first (726) and a second (728) behaviors, the method comprising:

directing (712) a request to a network device (352), the network device (352) being connected to the network (200) and being adapted to provide at least a first response (720) or second response (730), different than the first response (720), to the request, the first response being provided when the request is received from a client device (214) within the network firewall connected to the network (200), and the second response (730) being provided when the request is received from a client device (234) connected to the network (200) outside the network firewall;

when the first response is detected, configuring the client device (214) to operate in accordance with the first behavior (726); and

when the second response is detected, configuring the client device (214) to operate in accordance with the second behavior (728).

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A client computer that supports different behaviors when connected to a private network behind a network firewall than when outside the network firewall and connected indirectly through an access device. The client computer is configured to attempt communication with a device on the network. Based on the response, the client computer can determine that it is behind the network firewall, and therefore can operate with less restrictive security or settings for other parameters appropriate for when the client is directly connected to the network. Alternatively, the client computer may determine that it is indirectly connected to the network through the Internet or other outside network, and therefore, because it is outside the private network firewall, should operate with more restrictive security or settings of other parameters more appropriate for use in that network location. The described approach operates even if the remote client computer has a direct connection to the network that enables it to authenticate with a domain controller.

96 Citations

View as Search Results

20 Claims

1. A method of operating a client device (214, 234) when connected to a network (200) comprising a network firewall defining a network boundary, the client device (214, 234) supporting at least a first (726) and a second (728) behaviors, the method comprising:
- directing (712) a request to a network device (352), the network device (352) being connected to the network (200) and being adapted to provide at least a first response (720) or second response (730), different than the first response (720), to the request, the first response being provided when the request is received from a client device (214) within the network firewall connected to the network (200), and the second response (730) being provided when the request is received from a client device (234) connected to the network (200) outside the network firewall;
  
  when the first response is detected, configuring the client device (214) to operate in accordance with the first behavior (726); and
  
  when the second response is detected, configuring the client device (214) to operate in accordance with the second behavior (728).
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein:
    - the first response is detected when the client device (214) receives information authenticating the network device (352); and
      
      the second response is detected when the client device (234) does not receive information authenticating the network device (352) during an interval.
  - 3. The method of claim 2, further comprising, on the network device (352):
    - receiving (716) the request from the client device (214), the request comprising an address of the client device (214);
      
      when the address of the client device (214) identifies a location physically on the network (200) or a location connected to the network through a VPN, responding with the first response; and
      
      when the address of the client device (214) identifies a location not within the network firewall, responding with the second response.
  - 4. The method of claim 2, further comprising, on the network device (352):
    - receiving (716) the request from the client device (214), the request comprising an address of the client device (214);
      
      when the address of the client device (214) identifies a location physically on the network (200), responding with the first response; and
      
      when the address of the client (214) device identifies a location not physically on the network (200) or a location connected to the network through a VPN, responding with the second response.
  - 5. The method of claim 2, wherein the network device (352) comprises a first network device (352) and the network (200) comprises a second network device (442, 652), the method further comprising:
    - on the second network device;
      
      receiving the request from the client device (214), the request comprising an address of the client device (214);
      
      when the address of the client device identifies a location physically or virtually on the network (200), providing the request to the first network device (352); and
      
      when the address of the client device (234) identifies a location not within the network firewall, blocking the request from reaching the first network device (352).
  - 6. The method of claim 3, wherein the network device (352) comprises a first network device (352) and the network (200) comprises a second network device (542), the method further comprising:
    - on the second network device (542);
      
      receiving from the first network device (352) a response to the request, the response comprising an address of the client device (214);
      
      when the address of the client device (214) identifies a location physically on the network (200), providing the response to the client device (214); and
      
      when the address of the client device (214) identifies a location not physically on the network (200), blocking the response from reaching the client device (214).
  - 7. The method of claim 1, wherein the network (200) comprises a corporate network (200) having a corporate address prefix, and the method further comprises:
    - making the first response when the request is identified by a source address including the corporate address prefix; and
      
      making the second response when the request is identified by a source address that does not have the corporate address prefix.
  - 8. The method of claim 7, wherein the configuring the client device (214, 234) to operate in accordance with the first behavior (726) comprises configuring a firewall with a less restrictive policy than when the client device (214, 234) is configured to operate in accordance with the second behavior (728).

9. A client device 214 adapted for being connected to a network (200), the client device (214) comprising:
- a computer storage medium comprising;
  
  a component that affects operations on the client device (214), the component operable in at least a first state and a second state;
  
  computer-executable instructions that, when executed, perform a method comprising;
  
  directing (712) a request to a network device (352), the request comprising a source address, including a source address portion, the network device (352) being adapted to provide at least a first response and a second response (730), the first response (720) to the request being provided when the source address portion matches a network address portion identifying the network and the second response (730) to the request being provided when the source address portion does not match the network address portion;
  
  when the first response is detected, configuring the component to operate in the first state (726); and
  
  when the second response is detected, configuring the component to operate in the second state (728).
- View Dependent Claims (10, 11, 12, 13, 14, 15)
- - 10. The client device (214) of claim 9, wherein the component comprises a firewall.
  - 11. The client device (214) of claim 9, wherein the computer storage medium further comprises a field adapted to store an identification of the network device (352).
  - 12. The client device (214) of claim 11, wherein:
    - the computer storage medium further comprises at least one field adapted to store authentication information for the network device (352); and
      
      the method performed by the computer executable instructions further comprises ascertaining (724) whether a response is the first response by attempting to authenticate that the response was generated by the network device (352) using the authentication information.
  - 13. The client device (214, 234) of claim 9, wherein the network device (352) comprises a server (250) and the first response comprises an HTTPS page.
  - 14. The client device (214, 234) of claim 9,further comprising a timing component adapted to indicate a time after the request is sent, andwherein:
    - the method performed by the computer executable instructions further comprises detecting (722) the second response (730) when the first response (720) is not received with the time after the request is sent.
  - 15. The client device (214, 234) of claim 9, further comprising a component for accessing a corporate network 200 when the client device is directly connected to the network and when the client device is indirectly connected to the network.

16. A system comprising,a network (200);
- an access device (250) having at least one internal interface (354) and at least one external interface (356), the at least one internal interface being connected to devices within the network, and the at least one external interface being connected to remote devices, the access device adapted to couple network communications between the at least one internal interface and the at least one external interface;
  
  at least one network device (352) coupled to the network, the at least one network device being configured to make a first response (720) to a request received through the at least one internal interface and to make a second response (730) to a request from a device received through the at least one external interface; and
  
  a client device (234) coupled to the network through the at least one external interface, the client device being configured to;
  
  issue (712) the request;
  
  when the first response is received, operate in a first mode (726); and
  
  when the second response is received, operate in a second mode (728).
- View Dependent Claims (17, 18, 19, 20)
- - 17. The system of claim 16, wherein:
    - the client device coupled to the network through the at least one external interface comprises a first client device;
      
      and the system further comprising;
      
      a second client device (214) coupled to the network through the at least one internal interface, the second client device being configured to;
      
      issue (712) the request;
      
      when the first response is received, operate in a first mode (726); and
      
      when the second response is received, operate in a second mode (728),wherein the second client device is operating in the first mode.
  - 18. The system of claim 16, wherein the client device (234) is a portable computer.
  - 19. The system of claim 16, wherein the client device 234 further comprises a network firewall adapted to operate in the first security mode and in the second security mode and the first mode comprises the firewall operating in the first security mode and the second mode comprises the firewall operating in the second security mode.
  - 20. The system of claim 16, wherein the client device is configured to connect to the network through the access device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Roberts, Scott, Buduri, Arun K., Cuellar, Gerardo Diaz, Begorre, Bill, Thaler, David, Trace, Rob M., Brewis, Deon C., Gatta, Srinivas Raghu

Application Number

US12/357,812
Publication Number

US 20100107240A1
Time in Patent Office

Days
Field of Search
US Class Current

726/15
CPC Class Codes

H04L 63/0236   Filtering by address, proto...

H04L 63/0272   Virtual private networks

H04L 63/107   wherein the security polici...

H04L 63/20   for managing network securi...

NETWORK LOCATION DETERMINATION FOR DIRECT ACCESS NETWORKS

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

96 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

NETWORK LOCATION DETERMINATION FOR DIRECT ACCESS NETWORKS

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

96 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links