Remote Access to Hosted Virtual Machines By Enterprise Users
First Claim
1. A method for allowing a remote presentation session between a virtual machine hosted in a first domain and a client computer in a second domain, the method comprising:
establishing, at a server in the second domain, a communication session with the client computer;
receiving, by the server, a virtual machine identifier indicative of the virtual machine hosted in the first domain;
receiving from the virtualization manager in the second domain a cookie including a signed token and public key;
authenticating the token using the public key and verifying that the token maps to a user account in the first domain;
sending the virtual machine identifier to a virtualization system in the first domain;
receiving, from the virtualization system in the first domain, a confirmation that the identified virtual machine is valid and an identity of a target resource associated with the identified virtual machine;
sending to an intermediary listening service in the virtualization system the virtual machine identifier and received token; and
forwarding remote presentation session data to the intermediary listener service.
Abstract
An end user of an enterprise is enabled to receive secure remote presentation access to the assigned virtual machines in a hosted public cloud through the cloud provider's virtualization hosts and remote presentation gateway. Thus an enterprise administrator may purchase computing capacity from the cloud provider and further sub-divide the purchased computing capacity among enterprise end users. The cloud provider need not create shadow accounts for each end user of the enterprise. The cloud provider AD (Active Directory) and the enterprise AD do not need to trust each other. The cloud provider also need not expose host information to the tenants. Authorization may be provided by using a combination of a custom authorization plug-in at the terminal services gateway and an indirection listener component at the virtualization host. The host details may also be abstracted when the client connects to the remote presentation gateway, so as to protect the fabric from attack and to enable the tenant virtual machines to move freely across the cloud provider's virtualization hosts.
20 Claims
1. As set out under First Claim above. Dependent claims: 2, 3, 4, 5, 6, 7.
8. A system for allowing access to a virtual machine hosted in a first domain to a client computer in a second domain, comprising:
a computing device comprising at least one processor;
a memory communicatively coupled to said processor when said system is operational;
said memory having stored therein computer instructions that upon execution by the at least one processor cause:
receiving a first virtual machine identifier, signed token with public key, and a request for a virtual machine host associated with the virtual machine identifier;
instantiating a remote presentation session with the client computer;
receiving via the remote presentation session a target virtual machine identifier and correlating and authorizing the target virtual machine identifier with the first virtual machine identifier; and
determining that the target and first virtual machine identifiers match and forwarding data received via the remote presentation session to the target virtual machine.
Dependent claims: 9, 10, 11, 12, 13, 14.
-
15. A computer readable storage medium storing thereon computer executable instructions for accessing a virtual machine hosted in a first domain by a client computer in a second domain, said instructions for:
establishing a communication session with a virtualization host in the first domain;
sending to a virtualization host in the first domain a virtual machine identifier and a claim requesting authorization for access to the identified virtual machine;
receiving a signed token from the virtualization manager in the second domain;
establishing a remote presentation session through the virtualization host in the first domain and sending an indication that a cookie-based authorization will be performed;
sending to the virtualization host in the first domain a cookie including a signed token and public key; and
establishing a remote presentation session with the requested virtual machine.
Dependent claims: 16, 17, 18, 19, 20.
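The gateway-side checks of claims 1 and 8 (token signature, mapping to an enterprise user account, requested virtual machine matching the token, virtual machine known to the virtualization system, host name withheld from the client) as an added Go example; this is not code from the patent or its assignee. Type and field names, the `user|vm` token format and Ed25519 as the signature scheme are assumptions, since the claims only say "signed token and public key"; the `TrustedKeys` check is also an assumption, added because a cookie that carries its own public key proves nothing unless the gateway pins which keys belong to the virtualization manager.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"strings"
)

// Cookie as the claims describe it: token signed by the enterprise virtualization manager plus its public key.
type Cookie struct {
	Token     string // constructed format: "<user account>|<virtual machine identifier>"
	Signature []byte
	PublicKey ed25519.PublicKey
}

type Gateway struct {
	TrustedKeys map[string]bool   // virtualization manager public keys, keyed by raw bytes (assumed)
	Accounts    map[string]bool   // user accounts in the enterprise domain
	VMHosts     map[string]string // virtual machine identifier -> target resource (host)
}

// Authorize runs the gateway steps of claim 1; the returned host name is never sent to the client.
func (g *Gateway) Authorize(c Cookie, requestedVM string) (string, error) {
	// The cookie carries its own key, so pin it to a known manager key first; otherwise any client could mint tokens.
	if !g.TrustedKeys[string(c.PublicKey)] {
		return "", errors.New("public key is not a trusted virtualization manager key")
	}
	if !ed25519.Verify(c.PublicKey, []byte(c.Token), c.Signature) {
		return "", errors.New("token signature does not verify")
	}
	parts := strings.SplitN(c.Token, "|", 2)
	if len(parts) != 2 || !g.Accounts[parts[0]] {
		return "", errors.New("token does not map to an enterprise user account")
	}
	// Claim 8: the VM the client asks for must be the VM the token was issued for.
	if parts[1] != requestedVM {
		return "", errors.New("requested virtual machine does not match the token")
	}
	host, valid := g.VMHosts[requestedVM]
	if !valid {
		return "", errors.New("virtualization system does not know this virtual machine")
	}
	return host, nil
}

// IssueCookie is the enterprise virtualization manager side of the exchange.
func IssueCookie(priv ed25519.PrivateKey, user, vmID string) Cookie {
	token := user + "|" + vmID
	return Cookie{Token: token, Signature: ed25519.Sign(priv, []byte(token)),
		PublicKey: priv.Public().(ed25519.PublicKey)}
}
```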
Specification