Systems and methods of providing server initiated connections on a virtual private network

US 7,769,869 B2
Filed: 08/21/2006
Issued: 08/03/2010
Est. Priority Date: 08/21/2006
Status: Active Grant

First Claim

Patent Images

1. A method for establishing via an appliance a transport layer protocol connection initiated by a server on a first network to a client connected from a second network to the first network via a secure socket layer virtual private network (SSL VPN) connection, the method comprising the steps of:

(a) receiving, by an appliance, a transport layer connection request from a server on a first network to connect to a client connected to the first network via a SSL VPN connection from a second network, the transport layer connection request identifying a client destination internet protocol address and a client destination port on the first network;

(b) establishing, by the appliance, a first transport layer connection to the server on the first network;

(c) determining, by the appliance, the client on the second network associated with the client destination internet protocol address on the first network;

(d) transmitting, by the appliance, connection information identifying the client destination port to an agent on the client;

(e) establishing, by the agent, a second transport layer connection to the client destination port using a local internet protocol address of the client on the second network;

(f) establishing, by the agent, a third transport layer connection to the appliance and associating the third transport layer connection with the second transport layer connection;

(g) linking, by the appliance, the first transport layer connection to the server with the third transport layer connection to the agent of the client; and

(h) associating, by the appliance, a first connection record for the first transport layer connection to the server with a second connection record for the third transport layer connection.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention is related to a method for establishing via an appliance a transport layer protocol connection initiated by a server on a first network to a client connected from a second network to the first network via a secure socket layer virtual private network (SSL VPN) connection. The method includes the step of receiving, by an appliance, a transport layer connection request from a server on a first network to connect to a client connected to the first network via a SSL VPN connection from a second network. The transport layer connection request identifies a client destination internet protocol address and a client destination port on the first network. The method includes establishing, by the appliance, a first transport layer connection to the server on the first network, determining, by the appliance, the client on the second network associated with the client destination internet protocol address on the first network, and transmitting, by the appliance, connection information identifying the client destination port to an agent on the client. The agent establishes a second transport layer connection to the client destination port using a local internet protocol address of the client on the second network and establishes a third transport layer connection to the appliance, which it associates with the second transport layer connection.

Citations

22 Claims

1. A method for establishing via an appliance a transport layer protocol connection initiated by a server on a first network to a client connected from a second network to the first network via a secure socket layer virtual private network (SSL VPN) connection, the method comprising the steps of:
- (a) receiving, by an appliance, a transport layer connection request from a server on a first network to connect to a client connected to the first network via a SSL VPN connection from a second network, the transport layer connection request identifying a client destination internet protocol address and a client destination port on the first network;
  
  (b) establishing, by the appliance, a first transport layer connection to the server on the first network;
  
  (c) determining, by the appliance, the client on the second network associated with the client destination internet protocol address on the first network;
  
  (d) transmitting, by the appliance, connection information identifying the client destination port to an agent on the client;
  
  (e) establishing, by the agent, a second transport layer connection to the client destination port using a local internet protocol address of the client on the second network;
  
  (f) establishing, by the agent, a third transport layer connection to the appliance and associating the third transport layer connection with the second transport layer connection;
  
  (g) linking, by the appliance, the first transport layer connection to the server with the third transport layer connection to the agent of the client; and
  
  (h) associating, by the appliance, a first connection record for the first transport layer connection to the server with a second connection record for the third transport layer connection.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, comprising generating, by the appliance, the first connection record for the first transport layer connection to the server, and receiving, by the appliance, the second connection record from the agent for the third transport layer connection.
  - 3. The method of claim 1, comprising forwarding, by the appliance, data received from a server internet protocol address and server source port to an internet protocol address and port used by the agent for the third transport layer connection.
  - 4. The method of claim 3, comprising forwarding, by the agent, the data to an application via the second transport layer connection.
  - 5. The method of claim 1, wherein the connection information comprises one of a protocol, a server internet protocol address, or a server source port.
  - 6. The method of claim 1, wherein the agent comprises a web browser plug-in.
  - 7. The method of claim 1, wherein step (d) comprising transmitting, by the appliance, to the agent via a control channel connection established between the appliance and the agent.
  - 8. The method of claim 1, comprising transmitting, by the client, via the appliance a request to the server to transmit the transport layer connection request.
  - 9. The method of claim 1, comprising determining, by the appliance, via content of an application layer protocol used for communications between the client and the server one of a server destination internet protocol address and server port or the client destination internet protocol address and client destination port.
  - 10. The method of claim 9, comprising modifying, by the appliance, the content of the application layer protocol transmitted to the server to identify an internet protocol address of the client on the first network.
  - 11. The method of claim 1, comprising determining, by the appliance, a second server initiated transport layer connection request to the client exceeds a predetermined threshold identifying a number of server initiated transport layer connections allowed to the client, and in response to the determination the appliance does not establish the second server initiated transport layer connection.

12. A system for establishing via an appliance a transport layer protocol connection initiated by a server on a first network to a client connected from a second network to the first network via a secure socket layer virtual private network (SSL VPN) connection, the system comprising:
- means for receiving, by an appliance, a transport layer connection request from a server on a first network to connect to a client connected to the first network via a SSL VPN connection from a second network, the transport layer connection request identifying a client destination internet protocol address and a client destination port on the first network;
  
  means for establishing, by the appliance, a first transport layer connection to the server on the first network;
  
  means for determining, by the appliance, the client on the second network associated with the client destination internet protocol address on the first network;
  
  means for transmitting, by the appliance, connection information identifying the client destination port to an agent on the client;
  
  means for establishing, by the agent, a second transport layer connection to the client destination port using a local internet protocol address of the client on the second network;
  
  means for establishing, by the agent, a third transport layer connection to the appliance and associating the third transport layer connection with the second transport layer connection;
  
  means for linking, by the appliance, the first transport layer connection to the server with the third transport layer connection to the agent of the client; and
  
  means for associating, by the appliance, a first connection record for the first transport layer connection to the server with a second connection record for the third transport layer connection.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 13. The system of claim 12, wherein the appliance generates a first connection record for the first transport layer connection to the server, and receives the second connection record from the agent for the third transport layer connection.
  - 14. The system of claim 12, wherein the appliance forwards data received from a server internet protocol address and server source port to an internet protocol address and port used by the agent for the third transport layer connection.
  - 15. The system of claim 14, wherein the agent forwards the data to an application via the second transport layer connection.
  - 16. The system of claim 12, wherein the connection information comprises one of a protocol, a server internet protocol address, or a server source port.
  - 17. The system of claim 12, wherein the agent comprises a web browser plug-in.
  - 18. The system of claim 12, wherein the appliance transmits connection information to the agent via a control channel connection established between the appliance and the agent.
  - 19. The system of claim 12, wherein the client transmits via the appliance a request to the server to transmit the transport layer connection request.
  - 20. The system of claim 12, wherein the appliance determines via content of an application layer protocol used for communications between the client and the server one of a server destination internet protocol address and server port or the client destination internet protocol address and client destination port.
  - 21. The system of claim 18, wherein the appliance identifies the content of the application layer protocol transmitted to the server to identify an internet protocol address of the client on the first network.
  - 22. The system of claim 12, wherein the appliance determines a second server initiated transport layer connection request to the client exceeds a predetermined threshold identifying a number of server initiated transport layer connections allowed to the client, and in response to the determination does not establish the second server initiated transport layer connection.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Citrix Systems, Inc. (Cloud Software Group)
Original Assignee
Citrix Systems, Inc. (Cloud Software Group)
Inventors
Soni, Ajay, Venkatraman, Charu, Harris, James, He, Junxiao, Kumar, Arkesh
Primary Examiner(s)
WON, MICHAEL YOUNG

Application Number

US11/465,950
Publication Number

US 20080043760A1
Time in Patent Office

1,443 Days
Field of Search

709/202, 709/203, 709/227, 709/230, 709/244, 709/246
US Class Current

709/227
CPC Class Codes

H04L 12/4641   Virtual LANs, VLANs, e.g. v...

H04L 63/0272   Virtual private networks

H04L 63/166   at the transport layer

H04L 69/16   Implementation or adaptatio...

H04L 69/161   Implementation details of T...

H04L 69/163   In-band adaptation of TCP d...

H04L 69/164   Adaptation or special uses ...

Systems and methods of providing server initiated connections on a virtual private network

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods of providing server initiated connections on a virtual private network

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links