Secure gateway having user identification and password authentication
Abstract
A computer system provides authenticated access for a client computer over an insecure, public network to one of a plurality of destination servers on a private, secure network, through the use of a client-side X.509 digital certificate. A firewall is disposed between the insecure, public network and the private network. A demilitarized zone (DMZ) proxy server intercepts messages destined for the destination servers and forwards the intercepted messages through the firewall to a gateway on the private network. The gateway is configured to create a cookie based on the selection of one of several applications available on the private network. The cookie contains an identifier sufficient to identify the destination server corresponding to the selected application. Messages from the client computer include the cookie. The gateway processes the cookie and appends the identifier to the destination URL portion of the messages for routing. An alternate computer system authenticates a user of a remote client computer on the insecure network side of the firewall using a user identification and password.
Claims (16)
1. A computer system for providing access from a client computer over an insecure public network to a destination server on a secure private network, comprising:
a firewall system between said insecure network and said secure private network;
a proxy server on said insecure network side of said firewall system;
an authorization server on said private network side of said firewall system for authenticating a user of said client computer based on a user identification (ID) and password from said user of said client computer;
a web server on said insecure network side of said firewall system configured to pass said user ID to said authorization server and to build an authentication cookie when said authorization server authenticates said user of said client computer based on said user ID and password;
a gateway on said private network side of said firewall system; and
wherein said proxy server is further configured to pass a message from said client computer to said destination server via said gateway when said authentication cookie is valid.
(Dependent claims: 2)
3. A computer system for providing access from a client computer over an insecure public network to a destination server on a secure private network executing a corresponding application, said computer system comprising:
a firewall system between said insecure network and said secure private network;
a proxy server on said insecure network side of said firewall system configured to establish a secure connection over said insecure network with said client computer;
an authorization server on said private network side of said firewall system for authenticating a user of said client computer based on a user identification (ID) and password from said user of said client computer;
a web server disposed on said insecure network side of said firewall system configured to pass said user ID and password over a secure connection to said authorization server, said web server being further configured to build an authentication cookie when said authorization server authenticates said user of said client computer based on said user ID and password;
a gateway disposed between said proxy server and said private network on said private network side of said firewall system; and
wherein said proxy server is further configured to pass a message from said client computer to said gateway over a secure connection when said authentication cookie is valid, said gateway being configured to route said message to said destination server.
(Dependent claims: 4, 5, 6, 7, 8, 9, 10, 11)
12. A method for providing access by a client computer over an insecure public network through a proxy server to a destination server residing on a secure private network, said method comprising the steps of:
(A) receiving at the proxy server a request for authentication from a user of the client computer;
(B) establishing a first secure connection between the proxy server and the client computer;
(C) obtaining at a web server via the proxy server a user identification (ID) and password from the user of the client computer;
(D) establishing a second secure connection between the web server and an authorization server for transmission of the user ID and password;
(E) obtaining authentication data from the authorization server using the user ID and password;
(F) building an authentication cookie using the authentication data; and
(G) routing messages from the client computer through the proxy server through a gateway to the destination server when the authentication cookie is valid.
(Dependent claims: 13, 14, 15, 16)
13. The method of claim 12, further comprising the steps of:
providing a firewall system between the insecure public network and the secure private network;
positioning the proxy server and the web server on the insecure network side of the firewall system; and
positioning the authorization server and the gateway server on the private network side of the firewall system.
14. The method of claim 13 wherein said routing messages step includes the substep of:
establishing a third secure connection between the proxy server and the gateway.
15. The method of claim 14 wherein said steps of establishing a second secure connection and receiving authentication data include communication in accordance with a hypertext transfer protocol secure (HTTPS).
16. The method of claim 15 wherein said step of routing messages is performed for every message destined for the destination server.
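The following is an added model of the flow claimed above (steps C through G of claim 12, plus the gateway's use of the cookie's destination identifier described in the abstract); it is illustrative code written for this page, not the patent's own implementation. The division into an authorization server, a web server that builds the cookie, a proxy that forwards only on a valid cookie, and a gateway that appends the destination identifier to the URL follows the claims; the HMAC-signed cookie format, the PBKDF2 user store, the shared signing key, the "payroll-01" destination identifier and every function name are assumptions chosen to make the example runnable offline.

```python
"""Constructed model of the claimed gateway: a web server builds a signed
authentication cookie after an authorization server validates a user ID and
password; the proxy forwards messages through the gateway only while that
cookie verifies.  Not the patent's code; names and key material are assumed."""
import base64
import hashlib
import hmac
import json
import time

# --- authorization server (private network side) -------------------------
# Constructed user store {user_id: (salt, pbkdf2 hash)}; the claims only say
# the server authenticates by user ID and password, so the backing store is
# an assumption.
def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT = b"constructed-salt"
USER_DB = {"alice": (_SALT, _pbkdf2("correct horse", _SALT))}

def authorization_server(user_id: str, password: str):
    """Step (E): return authentication data on success, None on failure.
    The data carries the destination-server identifier the gateway routes on."""
    rec = USER_DB.get(user_id)
    if rec is None:
        return None
    salt, stored = rec
    if not hmac.compare_digest(_pbkdf2(password, salt), stored):
        return None
    return {"uid": user_id, "dest": "payroll-01"}  # destination id (constructed)

# --- web server (insecure / DMZ side) -------------------------------------
COOKIE_KEY = b"constructed-cookie-signing-key"  # assumption: secret shared with the proxy

def _sign(payload: bytes) -> str:
    return hmac.new(COOKIE_KEY, payload, hashlib.sha256).hexdigest()

def build_auth_cookie(auth_data: dict, ttl: int = 600, now=None) -> str:
    """Step (F): encode the authentication data plus an expiry and sign it."""
    now = time.time() if now is None else now
    payload = json.dumps({**auth_data, "exp": int(now + ttl)}, sort_keys=True).encode()
    body = base64.urlsafe_b64encode(payload).decode().rstrip("=")
    return f"{body}.{_sign(payload)}"

def verify_auth_cookie(cookie: str, now=None):
    """Return the decoded payload if the signature and expiry check out, else None."""
    now = time.time() if now is None else now
    try:
        body, sig = cookie.rsplit(".", 1)
        payload = base64.urlsafe_b64decode(body + "=" * (-len(body) % 4))
    except (ValueError, TypeError):
        return None                                   # malformed cookie
    if not hmac.compare_digest(_sign(payload), sig):  # tamper check
        return None
    data = json.loads(payload)
    if data.get("exp", 0) <= now:                     # expiry check
        return None
    return data

# --- gateway (private side) and proxy (DMZ) -------------------------------
def gateway_route(message: dict, auth: dict) -> dict:
    """Append the destination identifier carried in the cookie to the URL so
    the message can be routed to the matching destination server."""
    url = message["url"].rstrip("/")
    return {**message, "url": f"{url}/{auth['dest']}", "user": auth["uid"]}

def proxy_forward(message: dict, cookie: str, now=None):
    """Step (G): pass the message to the gateway only when the cookie is valid;
    otherwise nothing crosses the firewall."""
    auth = verify_auth_cookie(cookie, now=now)
    if auth is None:
        return None
    return gateway_route(message, auth)

def login_flow(user_id: str, password: str, now=None):
    """Steps (C)-(F): user ID and password -> authorization server -> cookie."""
    auth = authorization_server(user_id, password)
    return None if auth is None else build_auth_cookie(auth, now=now)

if __name__ == "__main__":
    cookie = login_flow("alice", "correct horse", now=1_000)
    print(proxy_forward({"url": "https://gw.internal/app"}, cookie, now=1_100))
    print(proxy_forward({"url": "https://gw.internal/app"}, cookie + "x", now=1_100))
    print(proxy_forward({"url": "https://gw.internal/app"}, cookie, now=2_000))
```

Two properties of the claims are visible in the model: the password never reaches the proxy or gateway (only the web server and authorization server handle it, over what the claims require to be a separate secure connection), and the proxy's only decision input is the cookie, so its validity check has to cover both integrity and lifetime, which is why a tampered or expired cookie yields no forwarded message.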
Specification