Method and system for providing secure access to private networks

US 7,774,455 B1
Filed: 01/29/2002
Issued: 08/10/2010
Est. Priority Date: 09/26/2000
Status: Expired due to Fees

First Claim

Patent Images

1. A method for accessing resources on a private network via an intermediary server, said method comprising:

receiving a login request from a user for access to the intermediary server, the intermediary server storing an authentication identifier for each of a plurality of users, the authentication identifier identifying an authentication server;

accessing, based on the authentication identifier, an authentication server, where the authentication server is separate and distinct from the intermediary server, to authenticate the user in response to the login request;

receiving a resource request from the authenticated user at the intermediary server, the resource request requesting a particular operation with respect to a resource from the private network;

obtaining access privileges for the authenticated user in response to the resource request;

determining whether the access privileges for the authenticated user permit the authenticated user to perform the particular operation at the private network; and

preventing, by the intermediary server, performance of the particular operation at the private network if the access privileges for the authenticated user do not permit the authenticated user to perform the particular operation at the private network.

View all claims

15 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Improved approaches for providing secure access to resources maintained on private networks are disclosed. The secure access can be provided through a public network using a standard network browser. Multiple remote users are able to gain restricted and controlled access to at least portions of a private network through a common access point. The solution provided by the invention is not only easily set up and managed, but also able to support many remote users in a cost-effective manner.

82 Citations

View as Search Results

40 Claims

1. A method for accessing resources on a private network via an intermediary server, said method comprising:
- receiving a login request from a user for access to the intermediary server, the intermediary server storing an authentication identifier for each of a plurality of users, the authentication identifier identifying an authentication server;
  
  accessing, based on the authentication identifier, an authentication server, where the authentication server is separate and distinct from the intermediary server, to authenticate the user in response to the login request;
  
  receiving a resource request from the authenticated user at the intermediary server, the resource request requesting a particular operation with respect to a resource from the private network;
  
  obtaining access privileges for the authenticated user in response to the resource request;
  
  determining whether the access privileges for the authenticated user permit the authenticated user to perform the particular operation at the private network; and
  
  preventing, by the intermediary server, performance of the particular operation at the private network if the access privileges for the authenticated user do not permit the authenticated user to perform the particular operation at the private network.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The method of claim 1, where the particular operation is one of a file access operation or an email operation.
  - 3. The method of claim 1, where the intermediary server stores the access privileges for a plurality of users.
  - 4. The method of claim 1, where the authentication server is within the private network.
  - 5. The method of claim 4, where the authentication identifier comprises a network address for the authentication server.
  - 6. The method of claim 1, where the resource request is from a client-side application running on a client machine.
  - 7. The method of claim 6, where the client-side application is one of:
    - a web browser, an email application or a file access application.
  - 8. The method of claim 1, where the user is a remote user.
  - 9. The method of claim 1, where the resource request is from a client-side application running on a remote client machine.
  - 10. The method of claim 1, where the private network is an intranet or a corporate network.
  - 11. The method of claim 1, where the resource request is from a network browser.
  - 12. The method of claim 1, where said method further comprises:
    - performing the particular operation at the private network to determine a response to the resource request if the access privileges for the authenticated user permit the authenticated user to perform the particular operation at the private network.
  - 13. The method of claim 1, where the authenticated user has an Internet Protocol (IP) address andwhere said determining if the access privileges for the authenticated user permit the authenticated user to perform the particular operation comprises:
    - determining whether the access privileges for the authenticated user permit the authenticated user to perform the particular operation at the private network; and
      
      determining whether the IP address is authorized.
  - 14. The method of claim 13, where said determining if the access privileges for the authenticated user permit the authenticated user to perform the particular operation further comprises:
    - determining whether time-of-day restrictions are satisfied.
  - 15. The method of claim 14, where the access privileges comprise permitted operations, authorized IP addresses, and time-of-day restrictions for the authenticated user.

16. A method for providing remote access to a private network via an intermediary server, said method comprising:
- receiving a login request from a remote user for access to the intermediary server, the intermediary server storing an authentication identifier for each of a plurality of users, the authentication identifier identifying an authentication server;
  
  accessing, based on the authentication identifier, an authentication server, where the authentication server is separate and distinct from the intermediary server, to determine whether the remote user is permitted access to the intermediary server based on the login request;
  
  granting the remote user access to the intermediary server if the remote user is permitted access to the intermediary server, the granted access carrying access privileges to a portion of the private network;
  
  receiving a resource request from the remote user at the intermediary server if the remote user is granted access to the intermediary server, the resource request requesting a particular resource on the private network;
  
  determining whether the resource request from the remote user is permitted by the access privileges;
  
  supplying the particular resource to the remote user through the intermediary server if the resource request from the remote user is permitted by the access privileges; and
  
  denying the remote user from access to the particular resource by the intermediary server if the resource request from the remote user is not permitted by the access privileges.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23, 24, 25)
- - 17. The method of claim 16, where said supplying the particular resource comprises:
    - retrieving the particular resource from a content server;
      
      modifying at least one URL within the retrieved particular resource; and
      
      sending the modified particular resource to the remote user.
  - 18. The method of claim 16, where said supplying the particular resource comprises:
    - obtaining a response to the request for the particular resource;
      
      modifying the response so that links within the response point to the intermediary server; and
      
      sending the modified response to the remote user.
  - 19. The method of claim 16, where said supplying the particular resource comprises:
    - determining a host name for a remote server hosting the particular resource being requested;
      
      sending a request for the particular resource to the remote server based on the determined host name; and
      
      receiving, at the intermediary server, a response to the request from the remote server.
  - 20. The method of claim 19, where said supplying the particular resource comprises:
    - modifying the response so that links within the response point to the intermediary server; and
      
      sending the modified response to the remote user.
  - 21. The method of claim 16, where the private network is an intranet.
  - 22. The method of claim 16, where the resource request is from a network browser.
  - 23. The method of claim 16, where the resource request is from a client-side application running on a remote client machine.
  - 24. The method of claim 23, where the client-side application includes one of:
    - a web browser, an email application or a file access application.
  - 25. The method of claim 16, where the private network is a corporate network.

26. A computer readable memory device including computer-executable program code for enabling access to resources on a private network via an intermediary server, said computer readable memory device comprising:
- computer program code for receiving a login request from a user for access to the intermediary server, the intermediary server storing an authentication identifier for each of a plurality of users, the authentication identifier identifying an authentication server;
  
  computer program code for accessing, based on the authentication identifier, an authentication server, where the authentication server is separate and distinct from the intermediary server, to determine whether the user is permitted access to the intermediary server in response to the login request;
  
  computer program code for receiving a resource request from the user at the intermediary server after it has been determined that the user is permitted access to the intermediary server, the resource request requesting a particular operation with respect to a resource from the private network;
  
  computer program code for obtaining access privileges for the user in response to the resource request;
  
  computer program code for determining whether the access privileges for the user permit the user to perform the particular operation at the private network; and
  
  computer program code for preventing performance of the particular operation at the private network if said computer code for determining determines that the access privileges for the user do not permit the user to perform the particular operation at the private network.
- View Dependent Claims (27, 28, 29, 30, 31, 32, 33)
- - 27. The computer readable memory device of claim 26, where the particular operation is one of a file access operation or an email operation.
  - 28. The computer readable memory device of claim 26, where the intermediary server stores the access privileges for a plurality of users.
  - 29. The computer readable memory device of claim 26, where the resource request is from a client-side application running on a client machine, andwhere the client-side application includes one of:
    - a web browser, an email application or a file access application.
  - 30. The computer readable memory device of claim 26, where said computer readable memory device further comprises:
    - computer program code for performing the particular operation at the private network to determine a response to the resource request when said computer program code for determining whether the access privileges for the user permit the user to perform the particular operation determines that the access privileges for the user permit the user to perform the particular operation at the private network.
  - 31. The computer readable memory device of claim 26, where the user has an Internet Protocol (IP) address, andwhere said computer program code for determining whether the access privileges for the user permit the user to perform the particular operation includes computer program code for determining whether the IP address is authorized.
  - 32. The computer readable memory device of claim 31, where said computer program code for determining whether the access privileges for the user permit the user to perform the particular operation further includes computer program code for determining whether time-of-day restrictions are satisfied.
  - 33. The computer readable memory device of claim 32, where the access privileges comprise permitted operations, authorized IP addresses, and time-of-day restrictions for a plurality of users.

34. A computer readable memory device including computer-executable program code to facilitate access to a private network via an intermediary server, said computer readable memory device comprising:
- computer program code for receiving a login request from a user for access to the intermediary server, the intermediary server storing an authentication identifier for each of a plurality of users, the authentication identifier identifying an authentication server;
  
  computer program code for accessing, based on the authentication identifier, an authentication server, where the authentication server is separate and distinct from the intermediary server, to determine whether the user is permitted access to the intermediary server in response to the login request;
  
  computer program code for granting the user access to the intermediary server when said computer program code for determining whether the user is permitted access to the intermediary server determines that the user is permitted access, the granted access carrying access privileges to a portion of the private network;
  
  computer program code for receiving a resource request from the user at the intermediary server when the user is granted access to the intermediary server, the resource request requesting a particular resource;
  
  computer program code for determining whether the resource request from the user is permitted by the access privileges;
  
  computer program code for supplying the particular resource to the user through the intermediary server when said computer program code for determining whether the resource request from the user is permitted determines that the resource request from the user is permitted; and
  
  computer program code for denying the user from access to the particular resource when said computer program code for determining whether the resource request from the user is permitted determines that the resource request from the user is not permitted.
- View Dependent Claims (35, 36, 37, 38, 39, 40)
- - 35. The computer readable memory device of claim 34, where said computer program code for supplying comprises:
    - computer program code for retrieving the particular resource from a content server;
      
      computer program code for modifying the particular resource by replacing at least one URL within the particular resource; and
      
      computer program code for sending the modified particular resource to the user.
  - 36. The computer readable memory device of claim 34, where said computer program code for supplying comprises:
    - computer program code for modifying a response to the resource request so that links within the response point to the intermediary server; and
      
      computer program code for sending the modified response to the user.
  - 37. The computer readable memory device of claim 34, where said computer program code for supplying comprises:
    - computer program code for determining a host name for a remote server hosting the particular resource;
      
      computer program code for sending a request for the particular resource to the remote server based on the determined host name; and
      
      computer program code for receiving, at the intermediary server, a response to the request for the particular resource from the remote server.
  - 38. The computer readable memory device of claim 37, where said computer program code for supplying comprises:
    - computer program code for modifying the response so that links within the response point to the intermediary server; and
      
      computer program code for sending the modified response to the user.
  - 39. The computer readable memory device of claim 34, where the resource request is from a client-side application running on a remote client machine.
  - 40. The computer readable memory device of claim 39, where the client-side application includes one of a web browser, an email application or a file access application.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Pulse Secure, LLC (Ivanti Software, Inc.)
Original Assignee
Juniper Networks Incorporated
Inventors
Srinivas, Sampath, Tock, Theron
Primary Examiner(s)
Meky; Moustafa M

Application Number

US10/060,792
Time in Patent Office

3,115 Days
Field of Search

709200-203, 709217-227, 713168-170
US Class Current

709/224
CPC Class Codes

G06F 21/33   using certificates

H04L 63/0272   Virtual private networks

H04L 63/08   for authentication of entit...

H04L 63/0884   by delegation of authentica...

H04L 63/102   Entity profiles

H04L 63/168   above the transport layer

Method and system for providing secure access to private networks

First Claim

15 Assignments

0 Petitions

Accused Products

Abstract

82 Citations

40 Claims

Specification

Use Cases

Quick Links

Others

Method and system for providing secure access to private networks

First Claim

15 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

82 Citations

40 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others