Systems and methods for using a client agent to manage ICMP traffic in a virtual private network environment

US 7,907,621 B2
Filed: 08/03/2006
Issued: 03/15/2011
Est. Priority Date: 08/03/2006
Status: Active Grant

First Claim

Patent Images

1. A method for using a client agent executing on a client to send ICMP messages to an appliance connected via a virtual private network, the method comprising:

(a) establishing, via a client agent executing on a client, a transport layer virtual private network (VPN) connection with an appliance;

(b) intercepting, by the client agent at a network layer, an ICMP request originating from the client;

(c) transmitting, by the client agent via the transport layer connection, the ICMP request to the appliance, the ICMP request comprising a destination address and a source address identifying the client;

(d) determining, by the appliance, whether the destination address corresponds to a device having a VPN connection to the appliance; and

(e) modifying, by the appliance, the source address of the ICMP request to identify an address routable back to the appliance if the destination address corresponds to a device not having a VPN connection to the appliance, and if the destination address corresponds to a device having a VPN connection to the appliance, responding by the appliance to the ICMP request on behalf of the device.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods are described for using a client agent executing on a client to send ICMP messages to an appliance connected via a virtual private network Methods include: establishing, via a client agent executing on a client, a transport layer virtual private network connection with an appliance; intercepting, by the client agent at the network layer, an ICMP request originating from the client; and transmitting, by the client agent via a transport layer connection, the ICMP request to the appliance. Addition methods describe determining, by the appliance, the address identified by the ICMP request corresponds to a second client, the second client also connected via a virtual private network to the remote machine; and transmitting, by the appliance to the second client via the virtual private network connection, the ICMP request. Corresponding systems are also described.

Citations

22 Claims

1. A method for using a client agent executing on a client to send ICMP messages to an appliance connected via a virtual private network, the method comprising:
- (a) establishing, via a client agent executing on a client, a transport layer virtual private network (VPN) connection with an appliance;
  
  (b) intercepting, by the client agent at a network layer, an ICMP request originating from the client;
  
  (c) transmitting, by the client agent via the transport layer connection, the ICMP request to the appliance, the ICMP request comprising a destination address and a source address identifying the client;
  
  (d) determining, by the appliance, whether the destination address corresponds to a device having a VPN connection to the appliance; and
  
  (e) modifying, by the appliance, the source address of the ICMP request to identify an address routable back to the appliance if the destination address corresponds to a device not having a VPN connection to the appliance, and if the destination address corresponds to a device having a VPN connection to the appliance, responding by the appliance to the ICMP request on behalf of the device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 21)
- - 2. The method of claim 1, wherein step (a) comprises establishing, via a client agent executing on a client, an SSL virtual private network connection with an appliance.
  - 3. The method of claim 1, wherein the ICMP request corresponds to a traceroute request.
  - 4. The method of claim 1, wherein the ICMP request corresponds to a ping request.
  - 5. The method of claim 1, wherein step (c) comprises the steps of:
    - (c-a) determining, by the client agent, that the ICMP request contains an address corresponding to the virtual private network; and
      
      (c-b) transmitting, by the client agent via the transport layer connection, the ICMP request to the appliance.
  - 6. The method of claim 1, wherein step (c) comprises the steps of:
    - (c-a) determining, by the client agent, that the ICMP request originated from an application currently communicating via the virtual private network; and
      
      (c-b) transmitting, by the client agent via the transport layer connection, the ICMP request to the appliance.
  - 7. The method of claim 1, further comprising the steps of:
    - (d) receiving, by the client agent via the transport layer connection to the remote machine, an ICMP response; and
      
      (e) transmitting, by the client agent, the ICMP response to the request originator on the local machine.
  - 8. The method of claim 1, further comprising the step of receiving, by the appliance via the transport layer connection, the ICMP request.
  - 9. The method of claim 8, further comprising the steps of:
    - (a) determining, by the appliance, the address identified by the ICMP request corresponds to a second client, the second client also connected via a virtual private network to the remote machine; and
      
      (b) transmitting, by the appliance to the second client via the virtual private network connection, the ICMP request.
  - 10. The method of claim 8, further comprising the steps of:
    - (a) determining, by the appliance, the address identified by the ICMP request corresponds to an address not identified with the virtual private network; and
      
      (b) transmitting, by the appliance to the identified address, the ICMP request.
  - 21. The method of claim 1, wherein step (b) comprises intercepting, by a filter of the client agent operating at the network layer, the ICMP request originating from the client;
    - and communicating, by the filter, the intercepted ICMP request to the client agent.

11. A system for using a client agent residing on a local machine to send ICMP messages to an appliance connected via a virtual private network, the system comprising:
- A client computing device; and
  
  a client agent executing on the client which establishes a virtual private network connection with an appliance;
  
  intercepts, at a network layer, an ICMP request originating from the client; and
  
  transmits, via a transport layer connection, the ICMP request to the appliance, the ICMP request comprising a destination address and a source address identifying the client; and
  
  an appliancedetermining whether the destination address corresponds to a device not having a VPN connection to the appliance,modifying the source address of the ICMP request to identify an address routable back to the appliance if the destination address corresponds to a device not having a VPN connection to the appliance, and if the destination address corresponds to a device having a VPN connection to the appliance, responding to the ICMP request on behalf of the device.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The system of claim 11, wherein the client agent establishes an SSL virtual private network connection with an appliance.
  - 13. The system of claim 11, wherein the ICMP request corresponds to a traceroute request.
  - 14. The system of claim 11, wherein the ICMP request corresponds to a ping request.
  - 15. The system of claim 11, wherein the client agent determines that the ICMP request contains an address corresponding to the virtual private network;
    - and, responsive to said determination, transports via the transport layer connection the ICMP request to the appliance.
  - 16. The system of claim 11, wherein the client agent determines that the ICMP request originated from an application currently communicating via the virtual private network;
    - and, responsive to said determination, transports via the transport layer connection the ICMP request to the appliance.
  - 17. The system of claim 11, wherein the client agent receives, via the transport layer connection to the appliance, an ICMP response;
    - and transmits the ICMP response to the request originator on the local machine.
  - 18. The system of claim 11, further comprising an appliance which receives, via the transport layer connection, the ICMP request.
  - 19. The system of claim 18, wherein the appliance determines the address identified by the ICMP request corresponds to a second client also connected via a virtual private network to the appliance;
    - and wherein the appliance transmits to the second client, via a virtual private network connection, the ICMP request.
  - 20. The system of claim 18, wherein the appliance determines the address identified by the ICMP request corresponds to a second client not identified with the virtual private network;
    - and wherein the appliance transmits, to the identified address, the ICMP request.

22. A method for using a client agent executing on a client to send ICMP messages to a server via a virtual private network (VPN), the method comprising:
- (a) establishing, via a client agent executing on a client, a transport layer virtual private network (VPN) connection with an appliance;
  
  (b) intercepting, by a filter of the client agent operating at a network layer, an ICMP request originating from the client;
  
  (c) communicating, by the filter, the intercepted ICMP request to the client agent at the transport layer;
  
  (d) transmitting, by the client agent via the transport layer connection, the ICMP request to the appliance, the ICMP request comprising a destination address and a source address identifying the client;
  
  (e) determining, by the appliance, whether the destination address corresponds to a device not having a VPN connection to the appliance;
  
  (f) modifying, by the appliance, the source address of the ICMP request to identify an address routable back to the appliance prior to transmission via a network layer connection to the device identified by the destination address of the ICMP request if the destination address corresponds to a device not having a VPN connection to the appliance, and if the destination address corresponds to a device having a VPN connection to the appliance, responding by the appliance to the ICMP request on behalf of the device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Citrix Systems, Inc. (Cloud Software Group)
Original Assignee
Citrix Systems, Inc. (Cloud Software Group)
Inventors
Nanjundaswamy, Shashi, Rajan, Roy, Soni, Ajay, Venkatraman, Charu, He, Junxiao, Mullick, Amarnath
Primary Examiner(s)
Pham; Chi H
Assistant Examiner(s)
Mohebbi; Kouroush

Application Number

US11/462,253
Publication Number

US 20080031265A1
Time in Patent Office

1,685 Days
Field of Search

370/401, 370/329, 370/341, 370/328, 370/338, 370/231, 370/392, 370/235, 370/389, 370/322, 370/468, 709/249, 709/223, 709/250, 709/226, 709/227, 709/203, 709/235
US Class Current

370/401
CPC Class Codes

H04L 12/4641   Virtual LANs, VLANs, e.g. v...

H04L 41/046   comprising network manageme...

H04L 41/0893   Assignment of logical group...

H04L 41/0894   Policy-based network config...

H04L 41/40   using virtualisation of net...

H04L 43/00   Arrangements for monitoring...

H04L 43/0811   by checking connectivity

H04L 43/0817   by checking functioning

H04L 43/10   Active monitoring, e.g. hea...

H04L 63/0272   Virtual private networks

H04L 63/166   at the transport layer

Systems and methods for using a client agent to manage ICMP traffic in a virtual private network environment

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for using a client agent to manage ICMP traffic in a virtual private network environment

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links