Secure intranet access
First Claim
1. A border server comprising:
- secure connection software for secure communication with a client computer, said client computer located within an insecure network;
- insecure connection software for communication with a target server, said target server located within a secure network; and
- a uniform resource locator transformer to transform secure requests received from said client computer to insecure communication requests to send to said target computer within said secure network, said uniform resource locator transformer also transforming insecure data received from said target server into secure communication, within said secure network, for sending to said client computer, and wherein the transforming of the secure requests occurs while the client computer is authenticated.
10 Assignments
0 Petitions
Abstract
Methods, signals, devices, and systems are provided for secure access to a network from an external client. Requests for access to confidential data may be redirected from a target server to a border server, after which a secure sockets layer connection between the border server and the external client carries user authentication information. After the user is authenticated to the network, requests may be redirected back to the original target server. Web pages sent from the target server to the external client are scanned for non-secure URLs such as those containing “http://” and modified to make them secure. The target server and the border server utilize various combinations of secure and non-secure caches. Although tunneling may be used, the extensive configuration management burdens imposed by virtual private networks are not required.
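The abstract describes the border server's two transformations: rewriting a client's https:// request into a plain http:// request for an internal target server, and rewriting the non-secure "http://" links in the returned page so the external client only ever sees https:// links that lead back through the border server, with forwarding gated on the session being authenticated. The following is an added example (not code from the patent or any product it covers) of such a uniform resource locator transformer in Python. The host names `border.example.com`, `intranet.example.internal` and `hr.example.internal`, the sample page, and the scheme of encoding the internal host as the first path segment are all constructed for the example.

```python
"""
Added example: a minimal border-server URL transformer of the kind the
abstract describes. All host names, URLs and the sample page below are
constructed for illustration.
"""
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed configuration: the internal hosts this border server fronts
# and the public name that external clients connect to over TLS.
INTERNAL_HOSTS = {"intranet.example.internal", "hr.example.internal"}
BORDER_HOST = "border.example.com"

# Matches non-secure absolute URLs in page text (attributes, script strings).
URL_RE = re.compile(r"http://[^\s\"'<>]+")


def to_secure(url: str) -> str:
    """Rewrite an http:// URL for an internal host into an https:// URL that
    points at the border server. URLs for hosts outside the secure network are
    left untouched, so the border server never becomes a relay for them."""
    parts = urlsplit(url)
    if parts.scheme != "http" or parts.hostname not in INTERNAL_HOSTS:
        return url
    # Encode the internal host as the first path segment so the border server
    # can route the request back to the right target server later.
    path = f"/{parts.hostname}{parts.path or '/'}"
    return urlunsplit(("https", BORDER_HOST, path, parts.query, parts.fragment))


def to_insecure(secure_url: str) -> str:
    """Map an https:// request received at the border server back to the
    plain http:// URL of the internal target server."""
    parts = urlsplit(secure_url)
    if parts.scheme != "https" or parts.hostname != BORDER_HOST:
        raise ValueError("not a border-server URL")
    host, _, rest = parts.path.lstrip("/").partition("/")
    if host not in INTERNAL_HOSTS:
        # Only allow-listed internal hosts are reachable; anything else would
        # turn the border server into an open proxy.
        raise ValueError("unknown internal host")
    return urlunsplit(("http", host, "/" + rest, parts.query, parts.fragment))


def transform_page(html: str) -> str:
    """Scan page text for non-secure URLs and rewrite the internal ones."""
    return URL_RE.sub(lambda m: to_secure(m.group(0)), html)


def forward_request(secure_url: str, session_authenticated: bool):
    """Request path of the border server: the secure request is transformed
    and forwarded only for an authenticated session; otherwise None is
    returned and the caller should redirect the client to the login flow."""
    if not session_authenticated:
        return None
    return to_insecure(secure_url)


# Constructed sample page as an internal target server might return it.
SAMPLE_PAGE = (
    '<a href="http://intranet.example.internal/docs/policy.html?x=1">Policy</a>\n'
    '<a href="http://www.example.com/">External site</a>\n'
    '<img src="https://intranet.example.internal/logo.png">'
)

if __name__ == "__main__":
    print(transform_page(SAMPLE_PAGE))
    print(forward_request(
        "https://border.example.com/hr.example.internal/benefits?year=2024", True))
```

The allow-list check in `to_insecure` is the part a practitioner should not drop: without it any host name placed in the path would be fetched from inside the secure network. The text-level regex rewrite is what the abstract describes; it also touches URLs inside inline scripts, which is usually wanted, since a single http:// reference left in place sends the client back to the target server over plaintext.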
250 Citations
39 Claims
1. A border server comprising:
- secure connection software for secure communication with a client computer, said client computer located within an insecure network;
- insecure connection software for communication with a target server, said target server located within a secure network; and
- a uniform resource locator transformer to transform secure requests received from said client computer to insecure communication requests to send to said target computer within said secure network, said uniform resource locator transformer also transforming insecure data received from said target server into secure communication, within said secure network, for sending to said client computer, and wherein the transforming of the secure requests occurs while the client computer is authenticated.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12

2. The apparatus of claim 1 further comprising:
- tunneling software for tunneling between the client computer and the target server, wherein the uniform resource locator transformer is located on the target server.

3. The apparatus of claim 1 further comprising:
- software to allow direct access to the target server from network addresses within the secure network while denying direct access to the target server from network addresses outside the secure network.

4. The apparatus of claim 1 further comprising:
- secure connection software for secure communication with a multi-user client computer, said multi-user client computer located within an insecure network.

5. The apparatus of claim 1 further comprising:
- a user authentication system having a directory services database.

6. The apparatus of claim 1 further comprising:
- a user authentication system having a domain directory.

7. The apparatus of claim 1 further comprising:
- a user authentication system to authenticate the user to all servers in the secure network after recognizing a single user name and a single corresponding user password.

8. The apparatus of claim 1 further comprising:
- a redirector for redirecting to a border server a request made by the client computer for direct access to a target server.

9. The apparatus of claim 1 further comprising:
- at least one cache.

10. The apparatus of claim 1 further comprising:
- at least one cache having data from a target server which contains non-secure uniform resource locators, and the uniform resource locator transformer introduces secure uniform resource locators on the fly without requiring that the transformed data also be cached on the border server.

11. The apparatus of claim 1 further comprising:
- a non-secure data cache for internal clients for holding data that contains non-secure uniform resource locators; and
- a secure data cache for external clients for holding data that does not contain non-secure uniform resource locators.

12. The apparatus of claim 1 further comprising:
- at least one cache, said cache being free of data that contains non-secure uniform resource locators.

13. A method for operating a border server, said method comprising:
- receiving secure requests from a client computer, said client computer located within an insecure network;
- transforming secure requests received from a client computer, to insecure communication requests to send to a target computer, said target server located within a secure network;
- sending said insecure communication requests to said target computer within said secure network;
- receiving insecure data from said target server;
- transforming insecure data received from said target server into secure communication for sending to said client computer, within said secure network;
- authenticating the client computer while transforming the secure requests; and
- sending said secure communication to said client computer, if the client computer was successfully authenticated.
Dependent claims: 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 27, 28

14. The method as in claim 13 further comprising:
- using a uniform resource locator transformer to accomplish the steps of transforming.

15. The method as in claim 13 further comprising:
- combining tunneling software and a uniform resource locator transformer for tunneling between the client computer and the target server; and
- locating the uniform resource locator transformer on the target server.

16. The method as in claim 13 further comprising:
- configuring the secure network to allow direct access to the target server from network addresses within the secure network, while denying direct access to the target server from network addresses outside the secure network.

17. The method as in claim 13 further comprising:
- using a uniform resource locator transformer with a secured intranet.

18. The method as in claim 13 further comprising:
- including a directory services database in a user authentication system.

19. The method as in claim 13 further comprising:
- including a domain directory in a user authentication system.

20. The method as in claim 13 further comprising:
- recognizing a single user name and a single password; and
- authenticating a user to all servers in the secure network, in response to recognizing the single user name and single password, by a user authentication system.

21. The method as in claim 13 further comprising:
- redirecting a request by the client computer for direct access to a target server, the request redirected to a border server.

22. The method as in claim 13 further comprising:
- including at least one cache.

23. The method as in claim 13 further comprising:
- including at least one cache, the at least one cache including data from the target server, the data containing non-secure uniform resource locators; and
- introducing secure uniform resource locators on the fly into the data by a uniform resource locator transformer, without requiring that the transformed data also be cached on the border server.

24. The method as in claim 13 further comprising:
- including at least one cache, the cache including a non-secure data cache for internal clients and a secure data cache for external clients;
- holding in the non-secure data cache data that contains non-secure uniform resource locators; and
- holding in the secure data cache data that does not contain non-secure uniform resource locators.

25. The method as in claim 13 further comprising:
- including at least one cache; and
- maintaining the at least one cache free of non-secure uniform resource locators.

27. Computer readable media comprising:
- said computer readable media containing instructions for execution on a server for the practice of the method of claim 13.

28. Electromagnetic signals propagating on a computer network, comprising:
- said electromagnetic signals carrying instructions for execution on a server for the practice of the method of claim 13.

26. A border server comprising:
- means for receiving secure requests from a client computer, said client computer located within an insecure network;
- means for transforming secure requests received from a client computer, to insecure communication requests to send to a target computer, said target server located within a secure network;
- means for sending said insecure communication requests to said target computer within said secure network;
- means for receiving insecure data from said target server;
- means for transforming insecure data received from said target server into secure communication, within said secure network, for sending to said client computer;
- means for authenticating said client computer while the means for transforming secure requests processes; and
- means for sending said secure communication to said client computer, if said client computer was successfully authenticated.
Dependent claims: 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39

29. The apparatus as in claim 26 further comprising:
- a uniform resource locator transformer to accomplish the transforming.

30. The apparatus as in claim 26 further comprising:
- means for configuring the secure network to allow direct access to the server from network addresses within the secure network, while denying direct access to the server from network addresses outside the secure network.

31. The apparatus as in claim 26 further comprising:
- a directory services database in a user authentication system.

32. The apparatus as in claim 26 further comprising:
- a domain directory in a user authentication system.

33. The apparatus as in claim 26 further comprising:
- means for recognizing a single user name and a single password; and
- means for authenticating a user to all servers in the secure network, in response to recognizing the single user name and single password, by a user authentication system.

34. The apparatus as in claim 26 further comprising:
- means for redirecting a request by a client for direct access to the target server, the request redirected to a border server.

35. The apparatus as in claim 26 further comprising:
- at least one cache.

36. The apparatus as in claim 26 further comprising:
- at least one cache, the at least one cache having data from the target server, the data containing non-secure uniform resource locators; and
- means for introducing secure uniform resource locators on the fly into the data by the resource locator transformer, without requiring that the transformed data also be cached on the border server.

37. The apparatus as in claim 26 further comprising:
- at least one cache, the at least one cache including a non-secure data cache for internal clients and a secure data cache for external clients.

38. The apparatus as in claim 26 further comprising:
- at least one cache, the at least one cache including a non-secure data cache for internal clients and a secure data cache for external clients;
- means for holding in the non-secure data cache data that contains non-secure uniform resource locators; and
- means for holding in the secure data cache data that does not contain non-secure uniform resource locators.

39. The apparatus as in claim 26 further comprising:
- means for including at least one cache;
- means for maintaining the at least one cache free of non-secure uniform resource locators.

Specification