SYSTEMS AND METHODS FOR SECURELY AND TRANSPARENTLY PROXYING SAAS APPLICATIONS THROUGH A CLOUD-HOSTED OR ON-PREMISE NETWORK GATEWAY FOR ENHANCED SECURITY AND VISIBILITY

US 20180295134A1
Filed: 04/07/2017
Published: 10/11/2018
Est. Priority Date: 04/07/2017
Status: Active Grant

First Claim

Patent Images

1. A method for providing access to an application, the method comprising:

providing, by a device intermediary between a client and a server, access to an application hosted by the server, the access provided to the client via a link that generates a first hypertext transfer protocol (HTTP) request for the application;

receiving, by the device from the client, the first HTTP request generated via the provided link;

rewriting, by the device, an absolute uniform resource locator (URL) of the application indicated in the first HTTP request, by replacing a first hostname of the server included in the absolute URL, with a URL segment generated by combining a unique string assigned to the first hostname with a second hostname of the device; and

redirecting, by the device, the client to the rewritten absolute URL of the application, wherein a domain name system (DNS) server for the client is configured with a DNS entry comprising an expression to cause the DNS server to resolve the rewritten absolute URL to an internet protocol (IP) address of the device.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Disclosed embodiments provide access to an application. An intermediary device may provide access to an application hosted by the server. The access may be provided to the client via a link that generates a first HTTP request for the application. The device may receive, from the client, the first HTTP request generated via the provided link. The device may rewrite an absolute URL of the application indicated in the first HTTP request, by replacing a first hostname of the server included in the absolute URL, with a URL segment generated by combining a unique string assigned to the first hostname with a second hostname of the device. The device may redirect the client to the rewritten absolute URL of the application.

120 Citations

20 Claims

1. A method for providing access to an application, the method comprising:
- providing, by a device intermediary between a client and a server, access to an application hosted by the server, the access provided to the client via a link that generates a first hypertext transfer protocol (HTTP) request for the application;
  
  receiving, by the device from the client, the first HTTP request generated via the provided link;
  
  rewriting, by the device, an absolute uniform resource locator (URL) of the application indicated in the first HTTP request, by replacing a first hostname of the server included in the absolute URL, with a URL segment generated by combining a unique string assigned to the first hostname with a second hostname of the device; and
  
  redirecting, by the device, the client to the rewritten absolute URL of the application, wherein a domain name system (DNS) server for the client is configured with a DNS entry comprising an expression to cause the DNS server to resolve the rewritten absolute URL to an internet protocol (IP) address of the device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein the link comprises a link presented in a browser executing on the client, and the first HTTP request for the application is received from the browser.
  - 3. The method of claim 1, wherein the expression comprises a wildcard combined with the second hostname of the device.
  - 4. The method of claim 1, further comprising receiving, by the device, a second HTTP request from the client comprising the rewritten absolute URL, the rewritten absolute URL causing the DNS to direct the second HTTP request to the device.
  - 5. The method of claim 1, further comprising identifying, by the device, the unique string from a host header of a second HTTP request from the client, and decoding the unique string to obtain the first hostname of the server.
  - 6. The method of claim 5, further comprising performing, by the device, single sign-on (SSO) for a user of the client by sending a security assertion mark-up language (SAML) assertion to the server.
  - 7. The method of claim 6, further comprising receiving, by the device in response to the SAML assertion, an authentication token from the server.
  - 8. The method of claim 4, further comprising:
    - identifying, by the device from the rewritten absolute URL, a URL portion identifying the application; and
      
      sending, by the device, a third HTTP request comprising the identified URL portion to the server to access the application.
  - 9. The method of claim 8, further comprising:
    - receiving, by the device, a response to the third HTTP request comprising the identified URL portion;
      
      rewriting, by the device, a second absolute URL identified in the response, by replacing a third hostname in the second absolute URL with a second URL segment generated by combining a second unique string assigned to the third hostname, with a second hostname of the device; and
      
      sending, by the device, the response updated with the rewritten second absolute URL, to the client.
  - 10. The method of claim 1, wherein providing the unique string comprises generating the unique string from the first hostname using an encoding scheme comprising one of:
    - symmetric key encryption or base-32 encoding.

11. A system for providing access to an application, the system comprising:
- a proxy engine executing on a device intermediary between a client and a server, the proxy engine configured to;
  
  provide access to an application hosted by the server, the access provided to the client via a link that generates a first hypertext transfer protocol (HTTP) request for the application;
  
  receive from the client the first HTTP request generated via the provided link;
  
  rewrite an absolute uniform resource locator (URL) of the application indicated in the first HTTP request, by replacing a first hostname of the server included in the absolute URL, with a URL segment generated by combining a unique string assigned to the first hostname with a second hostname of the device; and
  
  redirect the client to the rewritten absolute URL of the application, wherein a domain name system (DNS) server for the client is configured with a DNS entry comprising an expression to cause the DNS server to resolve the rewritten absolute URL to an internet protocol (IP) address of the device.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The system of claim 11, wherein the link comprises a link presented in a browser executing on the client, and the first HTTP request for the application is received from the browser.
  - 13. The system of claim 11, wherein the expression comprises a wildcard combined with the second hostname of the device.
  - 14. The system of claim 11, wherein the proxy engine is further configured to receive a second HTTP request from the client comprising the rewritten absolute URL, the rewritten absolute URL causing the DNS to direct the second HTTP request to the device.
  - 15. The system of claim 11, wherein the proxy engine is further configured to identify the unique string from a host header of a second HTTP request from the client, and decode the unique string to obtain the first hostname of the server.
  - 16. The system of claim 15, wherein the proxy engine is further configured to perform single sign-on (SSO) for a user of the client by sending a security assertion mark-up language (SAML) assertion to the server.
  - 17. The system of claim 16, wherein the proxy engine is further configured to receive, in response to the SAML assertion, an authentication token from the server.
  - 18. The system of claim 14, wherein the proxy engine is further configured to identify, from the rewritten absolute URL, a URL portion identifying the application, and send a third HTTP request comprising the identified URL portion to the server to access the application.
  - 19. The system of claim 18, wherein the proxy engine is further configured to receive a response to the third HTTP request comprising the identified URL portion, rewrite a second absolute URL identified in the response by replacing a third hostname in the second absolute URL with a second URL segment generated by combining a second unique string assigned to the third hostname, with a second hostname of the device, and send the response updated with the rewritten second absolute URL to the client.
  - 20. The system of claim 11, wherein the proxy engine is further configured to generate the unique string from the first hostname using an encoding scheme comprising one of:
    - symmetric key encryption or base-32 encoding.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Citrix Systems, Inc. (Cloud Software Group)
Original Assignee
Citrix Systems, Inc. (Cloud Software Group)
Inventors
Gupta, Punit, Singh, Saurabh, Ganesh, V, Ravi, Kann, Jong

Granted Patent

US 10,778,684 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

H04L 2209/12   Details relating to cryptog...

H04L 63/0272   Virtual private networks

H04L 63/0281   Proxies

H04L 63/029   Firewall traversal, e.g. tu...

H04L 63/0435   wherein the sending and rec...

H04L 63/0815   providing single-sign-on or...

H04L 63/10   for controlling access to d...

H04L 63/166   at the transport layer

H04L 63/168   above the transport layer

H04L 67/02   based on web technology, e....

H04L 67/56   Provisioning of proxy servi...

SYSTEMS AND METHODS FOR SECURELY AND TRANSPARENTLY PROXYING SAAS APPLICATIONS THROUGH A CLOUD-HOSTED OR ON-PREMISE NETWORK GATEWAY FOR ENHANCED SECURITY AND VISIBILITY

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

120 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEMS AND METHODS FOR SECURELY AND TRANSPARENTLY PROXYING SAAS APPLICATIONS THROUGH A CLOUD-HOSTED OR ON-PREMISE NETWORK GATEWAY FOR ENHANCED SECURITY AND VISIBILITY

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

120 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links