Access and control system for network-enabled devices

US 7,120,692 B2
Filed: 11/19/2002
Issued: 10/10/2006
Est. Priority Date: 12/02/1999
Status: Expired due to Term

First Claim

Patent Images

1. A system configured for remote point-to multipoint communications between private users through a public network while providing seamless, firewall-compliant connectivity, said system comprising:

a first computer connectable to the public network over a first secure channel through a first firewall element, said first firewall element adapted to protect said first computer from hostile intrusion from the public network;

a second computer connectable to the public network over a second secure channel through a second firewall element, said second firewall element adapted to protect said second computer from hostile intrusion from the public network; and

a connection server operatively coupled to the public network, outside of said first and second firewall elements, said connection server including means for authenticating at least one of said first and second computers, means for forming a first, secure, firewall compliant connection with said first computer, means for forming a second, secure, firewall compliant connection with said second computer, means for forming a third, secure, firewall compliant connection with a third computer;

means for sending communications received from said first computer to said second computer while maintaining second firewall compliance, means for sending communications received from said second computer to said first computer while maintaining first firewall compliance; and

means for sending communications received from said first or second computer as point-to multipoint communications to multiple computers while maintaining firewall compliance of firewalls associated with communications sent to multiple computers, respectively.

View all claims

13 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for remote access of network-enabled devices that provide seamless, firewall-compliant connectivity between multiple users and multiple devices, that allow collaborative operations by multiple users of remote devices, that allow point to multipoint control of multiple devices and which allow rapid, secure transmission of data between remote users and devices. In general terms, the system includes at least one connection server, and at least two computers operatively coupled to the connection server via a public or global network. In an example where at least one client computer is operatively connected to at least one network-enabled device through a connection server via the public or global network, the connection server is configured to route control instructions from the client to the network-enabled device, and route data from the network-enabled device to the client.

274 Citations

128 Claims

1. A system configured for remote point-to multipoint communications between private users through a public network while providing seamless, firewall-compliant connectivity, said system comprising:
- a first computer connectable to the public network over a first secure channel through a first firewall element, said first firewall element adapted to protect said first computer from hostile intrusion from the public network;
  
  a second computer connectable to the public network over a second secure channel through a second firewall element, said second firewall element adapted to protect said second computer from hostile intrusion from the public network; and
  
  a connection server operatively coupled to the public network, outside of said first and second firewall elements, said connection server including means for authenticating at least one of said first and second computers, means for forming a first, secure, firewall compliant connection with said first computer, means for forming a second, secure, firewall compliant connection with said second computer, means for forming a third, secure, firewall compliant connection with a third computer;
  
  means for sending communications received from said first computer to said second computer while maintaining second firewall compliance, means for sending communications received from said second computer to said first computer while maintaining first firewall compliance; and
  
  means for sending communications received from said first or second computer as point-to multipoint communications to multiple computers while maintaining firewall compliance of firewalls associated with communications sent to multiple computers, respectively.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29)
- - 2. The system of claim 1, wherein said first and second firewall elements use different criteria for restriction of communications traffic therethrough.
  - 3. The system of claim 2, further comprising at least a second client computer, wherein at least two said client computers may simultaneously establish connection to said at least one network-enabled device through said connection server and said device control computer for simultaneous, collaborative use of said at least one network-enabled device.
  - 4. The system of claim 3, wherein said connection server establishes full duplex connections between at least said client computers and said device control computer.
  - 5. The system of claim 1, wherein said first computer comprises a client computer and said second computer comprises a device control computer, said system further comprising at least one network-enabled device privately networked to said device control computer behind said second firewall element.
  - 6. The system of claim 1, wherein said first computer comprises a first client computer and said second computer comprises a second client computer.
  - 7. The system of claim 1, wherein said first computer comprises a first device control computer and said second computer comprises a second device control computer, said system further comprising at least one first network-enabled device privately networked to said first device control computer behind said first firewall element, and at least one second network-enabled device privately networked to said second device control computer behind said second firewall element.
  - 8. The system of claim 1, wherein said first computer is connected to a first private network behind said first firewall element, and said second computer is connected to a second private network behind said second firewall element.
  - 9. The system of claim 1, wherein said connection server is located within a private network that is operatively coupled to the public network via a third firewall element.
  - 10. The system of claim 1, further comprising at least a third computer connectable to the public network through a third firewall element, said third firewall element adapted to protect said third computer from hostile intrusion from the public network, wherein at least three of said computers may simultaneously establish secure connections with each other through said connection server for simultaneous, collaborative communications therebetween, wherein communications sent and received by said first computer are first firewall compliant, communications sent and received by said second computer are second firewall compliant, and communications sent and received by said third computer are third firewall compliant, and wherein said connection server provides multi-point data routing platforms for transmission of collaborative communications and for said point-to-multipoint communications.
  - 11. The system of claim 9, wherein at least two of said first, second and third firewall elements use different criteria for restriction of communications traffic therethrough.
  - 12. The system of claim 10, wherein said connection server establishes full duplex connection among said at least three computers.
  - 13. The system of claim 10, wherein said means for authenticating authenticates said third computer before a secure connection is established with said first and second computers.
  - 14. The system of claim 1, wherein said means for authenticating comprises means for authorizing a secure connection with said first computer, wherein said means for authorizing a secure connection with said first computer is adapted to receive authentication data from said first computer and to determine whether said authentication data verifies a user of said first computer, and wherein said second, secure, firewall compliant connection with said second computer is made according to instructions received from said first computer, only after said first firewall compliant connection with said first computer is made and said first computer user has been verified.
  - 15. The system of claim 14, wherein said authentication data is encrypted, and said connection server further comprises means for decrypting said authentication data.
  - 16. The system of claim 14, wherein said connection server further comprises means for determining whether or not said authentication data has been altered during transmission from said first computer to said connection server.
  - 17. The system of claim 14, wherein said connection server further comprises means for preparing and verifying encryption keys for the user of the first computer when said first computer user has been verified.
  - 18. The system of claim 1, wherein said means for authenticating comprises means for authorizing a connection with said second computer, wherein said means for authorizing a connection with said second computer is adapted to receive authentication data from said second computer and to determine whether said authentication data verifies a user of said second computer, and wherein said first firewall compliant connection with said first computer is made according to instructions received from said second computer, only after said second firewall compliant connection with said second computer is made and said second computer user has been verified.
  - 19. The system of claim 18, wherein said authentication data is encrypted, and said connection server further comprises means for decrypting said authentication data.
  - 20. The system of claim 18, wherein said connection server further comprises means for determining whether or not said authentication data has been altered during transmission from said second computer to said connection server.
  - 21. The system of claim 18, wherein said connection server further comprises means for preparing and verifying encryption keys for the user of the second computer when said second computer user has been verified.
  - 22. The system of claim 1, wherein said connection server establishes a full duplex connection between said first and second computers.
  - 23. The system of claim 1, further comprising a distributed control infrastructure coupled to the private network, wherein said connection server operates as a primary connection server, said distributed control infrastructure further comprising at least one secondary connection server operatively coupled to said primary connection server.
  - 24. The system of claim 23, wherein said primary connection server comprises a load balancing algorithm adapted to assign communications, initiated by said first or second computer, to one of said at least one secondary connection servers.
  - 25. The system of claim 23, wherein said distributed control infrastructure is scalable such that connection servers may be added or taken away from said distributed control infrastructure based upon a number of computers to be connected and characteristics of communications to be directed between said computers.
  - 26. The system of claim 23, wherein said distributed control infrastructure further comprises at least one database operatively coupled to each of said connection servers.
  - 27. The system of claim 26, wherein said distributed control infrastructure comprises a plurality of said databases, wherein said connection servers are adapted to store data related to users of said computers in said databases and to store data relating to the operation of remote devices which are operably coupled to at least one of said computers.
  - 28. The system of claim 27, wherein said stored data may be accessed by users through said computers.
  - 29. The system of claim 1, wherein said means for authenticating authenticates both of said first and second computers before sending secure, firewall compliant communications from said first computer to said second computer or from said second computer to said first computer.

30. A system for remote communications between private users through a public network while providing seamless, firewall-compliant connectivity, said system comprising:
- a client computer securely connectable to the public network through a first firewall element, said first firewall element adapted to protect said client computer from hostile intrusion from the public network;
  
  a device control computer securely connectable to the public network through a second firewall element, and at least one network-enabled device privately networked to said device control computer, said second firewall element adapted to protect said device control computer and said at least one network-enabled device from hostile intrusion from the public network; and
  
  at least one connection server operatively coupled to the public network, outside of said first and second firewall elements, said at least one connection server including means for authorizing at least one of said client computer and said device control computer, means for forming a secure, first firewall compliant connection with said client computer, means for forming a secure, second firewall compliant connection with said device control computer and said at least one network-enabled device, means for securely sending communications from said client computer to said at least one network-enabled device via said device control computer while maintaining second firewall compliance, and means for securely sending communications from said at least one network-enabled device, received from said device control computer, to said client computer while maintaining first firewall compliance, wherein after authorizing said at least one of said client computer and said device control computer with said first firewall-compliant connection and said device control computer with said second firewall-compliant connection, subsequent transmissions between said at least one of said client computer and said device control computer through said first firewall-compliant connection and said device control computer with said second firewall-compliant computer are sendable with or without being encrypted.
- View Dependent Claims (31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 69, 70, 71)
- - 31. The system of claim 30, wherein said first and second firewall elements use different criteria for restriction of communications traffic therethrough.
  - 32. The system of claim 30, wherein said communications from said client computer comprise user instructions for said at least one network-enabled device.
  - 33. The system of claim 30, wherein said communications from said at least one network-enabled device comprise data characterizing an operating state of said at least one network-enabled device.
  - 34. The system of claim 30, wherein a full duplex connection is established between said client computer and each said at least one network-enabled device.
  - 35. The system of claim 30, wherein said client computer is connected to a first private network behind said first firewall element, and said device control computer is connected to a second private network behind said second firewall element.
  - 36. The system of claim 35, further comprising at least one additional client computer connected to said first private network, wherein said at least one connection server is capable of establishing full duplex communications between a plurality of said client computers and said at least one network-enabled device via said device control computer.
  - 37. The system of claim 35, further comprising at least one additional client computer connected to a third private network behind a third firewall element, wherein said at least one connection server further comprises means for forming a secure, third firewall compliant connection with said at least one additional client computer, means for sending communications from said client computer to said at least one network-enabled device via said device control computer while maintaining second firewall compliance and to said at least one additional client computer while maintaining third firewall compliance, means for sending communications from said at least one network-enabled device, received from said device control computer, to said client computer while maintaining first firewall compliance and to said at least one additional client computer while maintaining third firewall compliance, and means for sending communications from said at least one additional client computer to said at least one network-enabled device, via said device control computer, while maintaining second firewall compliance and to said client computer while maintaining first firewall compliance.
  - 38. The system of claim 37, wherein at least two of said first, second and third firewall elements use different criteria for restriction of communications traffic therethrough.
  - 39. The system of claim 35, further comprising at least one additional device control computer connected to said second private network, and at least one additional network-enabled device connected to said at least one additional device control computer wherein said at least one connection server is capable of establishing full duplex communications between said client computer, said device control computer and said at least one additional device control computer, enabling simultaneous point-to-multipoint instructions to be provided by said client computer to said network-enabled devices.
  - 40. The system of claim 35, further comprising at least one additional device control computer connected to a third private network and at least one additional network-enabled device connected to said at least one additional device control computer behind a third firewall element, wherein said at least one connection server further comprises means for forming a secure, third firewall compliant connection with said at least one additional device control computer, means for sending communications from said client computer to said at least one network-enabled device via said device control computer while maintaining second firewall compliance and to said at least one additional device control computer while maintaining third firewall compliance, means for sending communications from said at least one network-enabled device, received from said device control computer, to said client computer while maintaining first firewall compliance and to said at least one additional device control computer while maintaining third firewall compliance, and means for sending communications from said at least one additional device control computer to said at least one network-enabled device, via said device control computer, while maintaining second firewall compliance and to said client computer while maintaining first firewall compliance.
  - 41. The system of claim 40, wherein at least two of said first, second and third firewall elements use different criteria for restriction of communications traffic therethrough.
  - 42. The system of claim 40, wherein said at least one connection server is capable of establishing full duplex communications between said client computer, said device control computer and said at least one additional device control computer, enabling simultaneous point-to-multipoint instructions to be provided by said client computer to said network-enabled devices.
  - 43. The system of claim 42, further comprising at least one additional client computer in a fourth private network protected by a fourth firewall, wherein said at least one connection server is capable of establishing full duplex communications between said client computers and said device control computers, while maintaining all firewall compliances, enabling real-time collaborative control of said network-enabled devices by users of said client computers.
  - 44. The system of claim 35, wherein said means for authenticating authenticates said at least one additional client computer before a secure connection is established with said client computer or said device control computer.
  - 45. The system of claim 30, wherein said at least one connection server is located within a private network that is operatively coupled to the public network via a third firewall element.
  - 46. The system of claim 30, wherein said at least one connection server comprises a plurality of said connection servers networked within a distributed control infrastructure, wherein a first of said connection servers operates as a primary connection server, and the remainder of said plurality of connection servers operate secondarily to said primary connection server.
  - 47. The system of claim 46, wherein said primary connection server comprises a load balancing algorithm adapted to assign communications, initiated by said client control computer or said device control computer, to a secondary connection server.
  - 48. The system of claim 46, wherein said distributed control infrastructure is scalable such that connection servers may be added or taken away from said distributed control infrastructure based upon a number of computers to be connected and characteristics of communications to be directed between said computers.
  - 49. The system of claim 46, wherein said distributed control infrastructure further comprises at least one database operatively coupled to each of said connection servers.
  - 50. The system of claim 49, wherein said distributed control infrastructure comprises a plurality of said databases, wherein said connection servers are adapted to store data related to users of said computers in said databases and to store data relating to the operation of said network-enabled devices which are operably coupled to said device control computer.
  - 51. The system of claim 50, wherein said stored data may be accessed by users through said computers.
  - 52. The system of claim 30, wherein said at least one connection server comprises a plurality of said connection servers networked within a distributed control infrastructure, said distributed control infrastructure further including a security server operatively coupled to said plurality of connection servers, and wherein a plurality of said client computers are operably connectable to said security server and said device control computer is operably connectable to said security server.
  - 53. The system of claim 52, further comprising a plurality of said device control computers, each having at least one network-enabled device connected thereto, each said device control computer being operably connectable to said security server.
  - 54. The system of claim 53, wherein said security server comprises means for authorizing a connection with any of said client and device control computers upon receiving contact from said client computer or device control computer, wherein said means for authorizing a connection with said client computer or device control computer is adapted to receive authentication data from said client computer or device control computer and to determine whether said authentication data verifies a user of said client computer or device control computer.
  - 55. The system of claim 54, wherein said contact from said client computer or device control computer comprises an HTTP request.
  - 56. The system of claim 55, wherein said HTTP request contains embedded user authentication data.
  - 57. The system of claim 56, wherein said embedded user authentication data is encrypted, and said security server further comprises means for decrypting said encrypted authentication data.
  - 58. The system of claim 54, wherein said security server comprises a load balancing algorithm adapted to assign communications, initiated by said client control computer or said device control computer, to one of said connection servers when said client control computer or said device control computer has been verified.
  - 59. The system of claim 58, wherein said load balancing algorithm assigns the communications based on at least one of user type, session type, availability of said connection servers and relative current workload of said connection servers.
  - 60. The system of claim 58, wherein said load balancing algorithm assigns the communications based on user type, session type, availability of said connection servers and relative current workload of said connection servers.
  - 61. The system of claim 58, wherein said security server further comprises means for establishing a connection with at least another of said client computers and device control computers, after said assignment of communications to one of said connection servers.
  - 62. The system of claim 61, wherein said security server establishes connections with at least one other of said client computers and device control computers as requested by the verified computer.
  - 63. The system of claim 61, wherein said distributed control infrastructure establishes full duplex connections between said verified computer and said at least one other of said client computer and device control computers.
  - 64. The system of claim 61, wherein said distributed control infrastructure further comprises at least one database operatively coupled to the assigned connection server, and wherein communications between said verified computer and said at least one other of said client computers and device control computers are stored in said at least one database, to provide access to other authorized users or the verified computer user at a later time.
  - 65. The system of claim 54, wherein said security server further comprises means for determining whether or not said authentication data has been altered during transmission from said client computer or device control computer to said connection server.
  - 66. The system of claim 54, wherein said security server further comprises means for preparing and verifying encryption keys for the user of the computer from which the authentication data was received, when said computer user has been verified.
  - 67. The system of claim 54, wherein said security server further comprises means for assigning a said client computer or device control computer to one of said connection servers when said computer user has been verified.
  - 68. The system of claim 52, wherein said distributed control infrastructure further comprises a plurality of databases operatively coupled to each of said connection servers.
  - 69. The system of claim 30, wherein said at least one connection server comprises a plurality of said connection servers networked within a distributed control infrastructure, said distributed control infrastructure further including a security server operatively coupled to said plurality of connection servers, and wherein a plurality of said device control computers, each having at least one network-enabled device connected thereto, are operably connectable to said security server and said client computer is operably connectable to said security server.
  - 70. The system of claim 30, wherein said means for authenticating authenticates both of said client and device control computers before sending secure, firewall compliant communications from said client computer to said device control computer or from said device control computer to said client computer.
  - 71. The system of claim 30, further comprising at least one of:
    - means for sending communications received from said client control computer as point-to multipoint communications to said device control computer and at least one other computer while maintaining firewall compliance of firewalls associated with said computers; and
      
      means for sending communications received from said device control computer as point-to multipoint communications to said client control computer and said at least one other computer while maintaining firewall compliance of firewalls associated with said computers.

72. A distributed control structure providing for secure transmission of communications over a public network between two or more computers protected by two or more firewall elements using different criteria for restriction of communications traffic therethrough, said distributed control structure comprising:
- a plurality of connection servers networked within said distributed control structure and operatively coupled to the public network, wherein a first of said connection servers operates as a primary connection server, and the remainder of said plurality of connection servers operate secondarily to said primary connection server, said connection servers including means for authenticating at least two of said two or more computers, wherein an encryption key is securely shared by said at least two of said two or more computers;
  
  means for forming a first firewall compliant connection with a first of the computers, means for forming a second firewall compliant connection with a second of the computers, means for sending communications from the first computer to the second computer while maintaining second firewall compliance, and means for sending communications from the second computer to the first computer while maintaining first firewall compliance.
- View Dependent Claims (73, 74, 75, 76, 77, 78, 79, 80, 81, 82, 83, 84, 85, 86, 87, 88, 89, 90, 91, 92, 93, 94, 95, 96, 97, 98, 99)
- - 73. The distributed control structure of claim 72, wherein a full duplex connection is established between the first and second computers.
  - 74. The distributed control structure of claim 72, wherein said at least one connection server of said plurality of connection servers is located within a private network that is operatively coupled to the public network via a connection server firewall element.
  - 75. The distributed control structure of claim 72, wherein said at least one connection server of said plurality of connection servers is configured to operatively connect with a plurality of client computers as well as a plurality of device control computers, each having at least one network-enabled device connected thereto.
  - 76. The distributed control structure of claim 72, wherein said distributed control structure is configured to operatively connect with a plurality of client computers as well as a plurality of device control computers, each having at least one network-enabled device connected thereto.
  - 77. The distributed control structure of claim 72, wherein said primary connection server comprises a load balancing algorithm adapted to assign communications, initiated by one of the computers, to a secondary connection server.
  - 78. The distributed control structure of claim 72, further comprising at least one database operatively coupled to each of said connection servers.
  - 79. The distributed control structure of claim 72, further comprising a plurality of databases operatively coupled to each of said connection servers, wherein said connection servers are adapted to store data related to users of the computers and to the computers in said databases and to network-enabled devices connected to the computers.
  - 80. The distributed control structure of claim 72, further comprising a security server operatively coupled to said plurality of connection servers, and wherein said distributed control structure is configured to operatively connect with a plurality of client computers as well as a plurality of device control computers, each having at least one network-enabled device connected thereto.
  - 81. The distributed control structure of claim 80, wherein said security server comprises means for authorizing a connection with any one of the client and device control computers upon receiving contact from the client computer or device control computer, wherein said means for authorizing a connection with the client computer or device control computer is adapted to receive authentication data from the client computer or device control computer and to determine whether the authentication data verifies a user of the client computer or device control computer.
  - 82. The distributed control structure of claim 81, wherein said security server is adapted to receive contact from the client computer or device control computer in the form of an HTTP request.
  - 83. The distributed control structure of claim 82, wherein said security server is adapted to separate authentication data embedded in an HTTP request received from the client computer or device control computer.
  - 84. The distributed control structure of claim 81, wherein said security server further comprises means for decrypting encrypted authentication data.
  - 85. The distributed control structure of claim 81, wherein said security server further comprises means for determining whether or not authentication data received has been altered during transmission from the client computer or device control computer to said security server.
  - 86. The distributed control structure of claim 81, wherein said security server further comprises means for preparing and verifying encryption keys for the user of the computer from which the authentication data was received, when the computer user has been verified.
  - 87. The distributed control structure of claim 81, wherein said security server further comprises means for assigning the client computer or device control computer to one of said connection servers when the computer user has been verified.
  - 88. The distributed control structure of claim 81, wherein said security server comprises a load balancing algorithm adapted to assign communications, initiated by the client control computer or the device control computer, to one of said connection servers when the client control computer or the device control computer has been verified.
  - 89. The distributed control structure of claim 88, wherein said load balancing algorithm assigns the communications based on at least one of user type, session type, availability of said connection servers and relative current workload of said connection servers.
  - 90. The distributed control structure of claim 88, wherein said load balancing algorithm assigns the communications based on user type, session type, availability of said connection servers and relative current workload of said connection servers.
  - 91. The distributed control structure of claim 88, wherein said security server further comprises means for establishing a connection with at least another of the client computers and device control computers, after said assignment of communications to one of said connection servers.
  - 92. The distributed control structure of claim 91, wherein said security server establishes connections with at least one other of the client computers and device control computers as requested by the verified computer.
  - 93. The distributed control structure of claim 92, wherein full duplex connections are established between the verified computer and the at least one other of the client computers and device control computers.
  - 94. The distributed control structure of claim 80, further comprising a plurality of databases operatively coupled to each of said connection servers.
  - 95. The system of claim 72, wherein said means for authenticating authenticates all of said two or more computers to be securely connected, before sending or receiving secure, firewall compliant communications through said connection server.
  - 96. The distributed control structure of claim 72, wherein, subsequent to authentication of said at least two of said two or more computers, communications between said at least two of said two or more computers are securely transmitted without encryption, while maintaining firewall compliance.
  - 97. The distributed control structure of claim 72, wherein said authentication is carried out using a public key algorithm, and subsequent to authentication of said at least two of said two or more computers, communications between said at least two of said two or more computers are securely transmitted using a secret key algorithm.
  - 98. The distributed control structure of claim 72, further comprising means for sending communications received from at least one of said at least two computers as point-to multipoint communications to at least two others of said at least two computers, while maintaining firewall compliance of firewalls associated with said computers.
  - 99. The distributed control structure of claim 72, wherein at least one of said two or more computers functions as at least one of said connection servers.

100. A method of establishing a private-to-public-to-private communications tunnel, wherein at least the private addresses of the communications tunnel are firewall protected, said method comprising:
- authenticating, at a location having a public address, a first computer having a first, firewall protected private address;
  
  creating a first firewall compliant connection between a publicly addressed connection server and said first computer upon authentication of said first computer;
  
  authenticating, at a location having a public address, a second computer having a second, firewall protected private address;
  
  establishing a second firewall compliant connection between said publicly addressed connection server and a said second computer having a second firewall protected private address, wherein an encryption key is securely shared by said first and second computers; and
  
  establishing the private-to-public-to-private communications tunnel, wherein said connection server routes communications from said first computer through said first firewall compliant connection and said second firewall compliant connection to said second computer, and from said second computer through said second firewall compliant connection and said first firewall compliant connection to said first computer;
  
  wherein said first computer is a client computer and said second computer is a device control computer, said device control computer being operably connected to at least one network-enabled device, wherein said communications from said first computer to said second computer include control instructions for operating said at least one network-enable device, and wherein said communications from said second computer to said first computer include data received by said second computer from said at least one network-enabled device.
- View Dependent Claims (101, 102, 103, 104, 105, 106, 107, 108)
- - 101. The method of claim 100, wherein said communications comprises HTTP requests and responses, said HTTP requests and responses being compliant with said first or second firewall associated with said first or second computer to which the communications are directed.
  - 102. The method of claim 100, wherein said authenticating a first computer comprises receiving a request from said first computer, said request including user authentication data;
    - and verifying whether or not the authentication data matches authentication data of said first computer as stored in association with said connection server.
  - 103. The method of claim 102, wherein said user authentication data is embedded in said request, and wherein said authenticating a first computer further comprises determining whether or not the authentication data has been altered during transmission from said first computer to said connection server.
  - 104. The method of claim 102, wherein said authentication data is encrypted, and wherein said authenticating a first computer further comprises decrypting said encrypted authentication data prior to said verifying.
  - 105. The method of claim 104, further comprising preparing and verifying encryption keys for a user of the first computer after said authenticating step.
  - 106. The method of claim 100, wherein said connection server comprises a plurality of connection servers networked as a publicly addressable distributed control infrastructure, said method further comprising assigning one of said plurality of connection servers to create said first and second firewall compliant connections, wherein said assigning is based on at least one of:
    - a type of user using said first computer, a type of session requested to be established by the first computer;
      
      configuration of connection servers for a particular type or types of sessions;
      
      availability of connection servers;
      
      statuses of connection servers; and
      
      relative work loads of connection servers at time that session is to occur.
  - 107. The method of claim 100, further comprising storing at least a portion of said communications in at least one database associated with said connection server, wherein the stored communications may be accessed by the first computer, second computer or other computers that are authorized access to said connection computer and the stored data.
  - 108. The method of claim 107, wherein said access is allowed contemporaneously during the communications and in subsequent sessions.

109. A method for establishing a secure connection for rapid transfer of data between privately addressed, firewall protected locations over a public network, said method comprising:
- preparing authentication data on a first computer having a first, firewall protected private address;
  
  encrypting the authentication data using a public security key;
  
  sending a request over the public network to a publicly addressed server, wherein the request includes the encrypted authentication data;
  
  decrypting the encrypted authentication data at the location of the publicly addressed server using a private security key;
  
  verifying the decrypted authentication data to determine whether the authentication data represents an authorized user;
  
  authorizing the first computer to proceed if the authentication data represents an authorized user;
  
  generating a secret security key on the first computer for encryption of data to be sent over the secure connection;
  
  encrypting the secret key using the public security key and sending the encrypted secret security key to the publicly addressed server;
  
  decrypting the encrypted secret security key at the location of the publicly addressed server using the private security key; and
  
  establishing a second firewall compliant connection between said publicly addressed server and a second computer having a second firewall protected private address; and
  
  establishing a private-to-public-to-private communications tunnel connecting said first computer, said publicly addressed server and said second computer.
- View Dependent Claims (110, 111, 112, 113, 114, 115, 116, 117, 118, 119, 120, 121)
- - 110. The method of claim 109, further comprising transmitting data from said first computer to said second computer via said publicly addressed server.
  - 111. The method of claim 110, further comprising transmitting data from said second computer to said first computer via said publicly addressed server.
  - 112. The method of claim 111, wherein said private-to-public-to-private communications tunnel comprises full duplex connections between said first computer and said publicly addressed server and between said publicly addressed server and said second computer.
  - 113. The method of claim 111, wherein the data transmitted subsequent to establishing the private-to-public-to-private communications tunnel is encrypted using the secret key.
  - 114. The method of claim 111, wherein the data transmitted from the first computer is encrypted using the secret key, and the data transmitted from the second computer encrypted using a second secret key generated by the second computer.
  - 115. The method of claim 111, wherein the data transmitted subsequent to establishing the private-to-public-to-private communications tunnel is unencrypted.
  - 116. The method of claim 110, wherein the data transmitted subsequent to establishing the private-to-public-to-private communications tunnel is encrypted using the secret key.
  - 117. The method of claim 110, wherein the data transmitted subsequent to establishing the private-to-public-to-private communications tunnel is unencrypted.
  - 118. The method of claim 109, wherein the encrypted authentication data is embedded in the request.
  - 119. The method of claim 118, wherein the request is an HTTP request.
  - 120. The method of claim 109, further comprising:
    - calculating a message digest value on the first computer for the authentication data;
      
      encrypting the calculated message digest value together with said encrypting the authentication data; and
      
      embedding the encrypted authentication data and message digest value in the request;
      
      wherein said decrypting the encrypted authentication data further comprises decrypting the message digest value;
      
      said method further comprising computing a message digest value for the decrypted authentication data, and comparing the computed message digest value with the decrypted message digest value to determine whether the authentication data has been altered or corrupted; and
      
      allowing said verifying to proceed only if the computed message digest value and the decrypted digest value are the same.
  - 121. The method of claim 109, further comprising:
    - generating a message digest value for the secret security key;
      
      encrypting said message digest value with said encrypting the secret key, and sending the encrypted message digest value with the encrypted secret key to the publicly addressed server;
      
      wherein said decrypting the encrypted security key further comprises decrypting the message digest value;
      
      said method further comprising computing a message digest value for the decrypted secret key, and comparing the computed message digest value with the decrypted message digest value to determine whether the secret key has been altered or corrupted; and
      
      allowing said establishing a second firewall compliant connection to proceed only if the computed message digest value and the decrypted digest value are the same.

122. A process for remotely controlling one or more network-enabled devices by one or more client computers over a public network, wherein the one or more network-enabled devices are operatively connected within one or more different private networks and the one or more client computers are operatively connected within one or more other different private networks, at least one of the private networks being protected by a firewall element, said process comprising:
- accessing at least one connection server by at least one of the client computers, said at least one connection server being operably connected to the public network;
  
  authenticating, at a site of the at least one connection server, and establishing a secure connection between each of the at least one client computers and the at least one connection server, after which, the at least one connection server establishes a secure connection between the at least one connection server and each of the network-enabled devices requested to be connected with the at least one client computer, through at least one device control computer connected with said network-enabled devices, wherein secure, full-duplex, persistent communications are established through the connection server without the need for any of the computers to know or address a private address of any of the other computers between which the communications take place;
  
  wherein the connections are configured to carry out at least one of the following further steps;
  
  sending point-to-multipoint control instructions from said at least one client computer to at least two of the connected network-enabled devices, via the at least one connection server;
  
  receiving point-to-multipoint transmissions of data at at least two of said at least one client computers from said at least one connected network-enabled device via said at least one connection server; and
  
  sending point-to-multipoint communications from said at least one client computer to at least two others of said at least one client computer.
- View Dependent Claims (123, 124)
- - 123. The process of claim 122, wherein a plurality of the client computers send control instructions to collaboratively control at least one of said network-enabled devices.
  - 124. The process of claim 122, wherein one or more of said client computers send control instructions for point to multipoint delivery of said instructions to a plurality of said network-enabled devices.

125. A system for remote, point-to-multi-point communications between private users through a public network while providing seamless, firewall-compliant connectivity, said system comprising:
- a first computer connectable to the public network over a first secure channel through a first firewall element, said first firewall element adapted to protect said first computer from hostile intrusion from the public network;
  
  a second computer connectable to the public network over a second secure channel through a second firewall element, said second firewall element adapted to protect said second computer from hostile intrusion from the public network;
  
  at least one additional computer connectable to the public network over at least one additional secure channel; and
  
  a connection server operatively coupled to the public network, said connection server including means for forming a first, secure, firewall compliant connection with said first computer, means for forming a second, secure, firewall compliant connection with said second computer, means for forming at least one additional secure, firewall compliant connection with said at least one additional computer, and means for multi-point, secure, firewall compliant routing of data from one of said first, second and at least one additional computers to at least two other of said first, second and at least one additional computers, thereby facilitating at least one of collaborative communications among users;
  
  collaborative control of one or more devices, collaborative monitoring of one or more devices, and other forms of collaborative communication, including leaming or teaching sessions.
- View Dependent Claims (126)
- - 126. The system of claim 125, wherein said connection server centrally authorizes said secure connections prior to making said secure connections.

127. A distributed control structure providing for secure transmission of communications over a public network between two or more computers protected by two or more firewall elements using different criteria for restriction of communications traffic therethrough, said distributed control structure comprising:
- a plurality of connection servers networked within said distributed control structure and operatively coupled to the public network, and a security server operatively connected to said plurality of connection servers, said distributed control structure including means for authenticating at least two of said two or more computers, wherein an encryption key is securely shared by said at least two of said two or more computers;
  
  means for forming a first firewall compliant connection with a first of the computers, means for forming a second firewall compliant connection with a second of the computers, means for sending communications from the first computer to the second computer while maintaining second firewall compliance, and means for sending communications from the second computer to the first computer while maintaining first firewall compliance; and
  
  wherein said distributed control structure is configured to operatively connect with a plurality of client computers as well as a plurality of device control computers, each having at least one network-enabled device connected thereto.

128. A distributed control structure providing for secure transmission of communications over a public network between two or more computers protected by two or more firewall elements using different criteria for restriction of communications traffic therethrough, said distributed control structure comprising:
- at least one connection server operatively coupled to the public network, said at least one connection server including means for authenticating at least two of said two or more computers, wherein an encryption key is securely shared by said at least two of said two or more computers;
  
  means for forming a first firewall compliant connection with a first of the computers, means for forming a second firewall compliant connection with a second of the computers, means for sending communications from the first computer to the second computer while maintaining second firewall compliance, means for sending communications from the second computer to the first computer while maintaining first firewall compliance; and
  
  means for sending communications received from at least one of said at least two computers as point-to multipoint communications to at least two others of said at least two computers, while maintaining firewall compliance of firewalls associated with said computers.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Western Digital Technologies Incorporated (Western Digital Corporation)
Original Assignee
Senvid, Inc. (Western Digital Corporation)
Inventors
Rizal, Dharmarus, Hesselink, Lambertus, Bjornson, Eric S.
Primary Examiner(s)
WINDER, PATRICE L

Application Number

US10/300,500
Publication Number

US 20030191848A1
Time in Patent Office

1,421 Days
Field of Search

709/226, 709/227, 709/228, 709/225, 709/229, 713/201, 345/619
US Class Current

709/225
CPC Class Codes

H04L 63/0209   Architectural arrangements,...

H04L 63/0218   Distributed architectures, ...

H04L 63/0272   Virtual private networks

H04L 63/029   Firewall traversal, e.g. tu...

H04L 63/0428   wherein the data content is...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/08   for authentication of entit...

H04L 63/083   using passwords cryptograph...

H04L 67/02   based on web technology, e....

H04L 67/1001   for accessing one among a p...

H04L 67/1008   based on parameters of serv...

H04L 67/1023   based on a hash applied to ...

H04L 67/125   involving control of end-de...

H04L 67/14   Session management for real...

H04L 67/563   Data redirection of data ne...

Access and control system for network-enabled devices

First Claim

13 Assignments

0 Petitions

Accused Products

Abstract

274 Citations

128 Claims

Specification

Use Cases

Quick Links

Others

Access and control system for network-enabled devices

First Claim

13 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

274 Citations

128 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others