Methods and systems for providing authorized remote access to a computing environment provided by a virtual machine

US 7,949,677 B2
Filed: 01/18/2007
Issued: 05/24/2011
Est. Priority Date: 01/24/2006
Status: Active Grant

- Alert
- Pin

First Claim

Patent Images

1. A method for providing authorized remote access to resources on desktop computing environments provided by virtual machines, the method comprising:

(a) receiving, by a policy engine, a first request for access to a resource from a user at a first client machine;

(b) directing, by the policy engine, a first collection agent to gather information about the first client machine;

(c) granting, by the policy engine, the first client machine a first level of access to the resource responsive to application of a policy to the information about the first client machine, the first level chosen from a plurality of levels of access;

(d) identifying, by a broker machine, a first desktop computing environment already associated with the user,the first desktop computing environmenti) providing the resource according to the first granted level of access,ii) being provided by a first virtual machine selected by the broker machine, andiii) executing in an operating system provided by the first virtual machine,the first virtual machine executing in a first execution machine selected by the broker machine, andthe first execution machine executing a hypervisor providing access to hardware resources required by the first virtual machine; and

(e) establishing, by the broker machine responsive to the first granted level of access, a connection between the first client machine and the first desktop computing environment;

(f) receiving, by the policy engine, a second request for access to the resource from the user at a second client machine;

(g) directing, by the policy engine, a second collection agent to gather information about the second client machine;

(h) granting, by the policy engine, the second client machine a second level of access to the resource responsive to application of a policy to the information about the second client machine, the second level chosen from the plurality of levels of access;

(i) identifying, by the broker machine, a second desktop computing environment already associated with the user,the second desktop computing environmenti) providing the resource according to the second granted level of access,ii) being provided by a second virtual machine selected by the broker machine, andiii) executing in an operating system provided by the second virtual machine,the second virtual machine executing in a second execution machine selected by the broker machine, andthe second execution machine executing a hypervisor providing access to hardware resources required by the second virtual machine; and

(j) establishing, by the broker machine responsive to the second granted level of access a connection between the second client machine and the second desktop computing environment.

View all claims

8 Assignments

Timeline View

Assignment View

Litigations

0 Petitions

Accused Products

Abstract

A method for providing authorized remote access to a computing environment provided by a virtual machine, includes the step of requesting, by a client machine, access to a resource. A collection agent gathers information about the client machine. A policy engine receives the gathered information. The policy engine makes an access control decision based on the received information. A computing environment already associated with the user is identified in response to the received information, the identified computing environment provided by a virtual machine. A broker server establishes, responsive to the access control decision, a connection between the client machine and the identified computing environment.

Citations

21 Claims

1. A method for providing authorized remote access to resources on desktop computing environments provided by virtual machines, the method comprising:
- (a) receiving, by a policy engine, a first request for access to a resource from a user at a first client machine;
  
  (b) directing, by the policy engine, a first collection agent to gather information about the first client machine;
  
  (c) granting, by the policy engine, the first client machine a first level of access to the resource responsive to application of a policy to the information about the first client machine, the first level chosen from a plurality of levels of access;
  
  (d) identifying, by a broker machine, a first desktop computing environment already associated with the user,the first desktop computing environmenti) providing the resource according to the first granted level of access,ii) being provided by a first virtual machine selected by the broker machine, andiii) executing in an operating system provided by the first virtual machine,the first virtual machine executing in a first execution machine selected by the broker machine, andthe first execution machine executing a hypervisor providing access to hardware resources required by the first virtual machine; and
  
  (e) establishing, by the broker machine responsive to the first granted level of access, a connection between the first client machine and the first desktop computing environment;
  
  (f) receiving, by the policy engine, a second request for access to the resource from the user at a second client machine;
  
  (g) directing, by the policy engine, a second collection agent to gather information about the second client machine;
  
  (h) granting, by the policy engine, the second client machine a second level of access to the resource responsive to application of a policy to the information about the second client machine, the second level chosen from the plurality of levels of access;
  
  (i) identifying, by the broker machine, a second desktop computing environment already associated with the user,the second desktop computing environmenti) providing the resource according to the second granted level of access,ii) being provided by a second virtual machine selected by the broker machine, andiii) executing in an operating system provided by the second virtual machine,the second virtual machine executing in a second execution machine selected by the broker machine, andthe second execution machine executing a hypervisor providing access to hardware resources required by the second virtual machine; and
  
  (j) establishing, by the broker machine responsive to the second granted level of access a connection between the second client machine and the second desktop computing environment.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method of claim 1 wherein step (a) further comprises receiving the first request for access to the resource over a network connection.
  - 3. The method of claim 1, wherein step (b) further comprises directing the first collection agent to gather the information over a network connection.
  - 4. The method of claim 1, wherein step (b) further comprises directing the first collection agent to gather information by executing at least one script on the client machine.
  - 5. The method of claim 1, wherein step (c) further comprises determining if the gathered information satisfies a condition.
  - 6. The method of claim 5, wherein step (c) further comprises determining if the gathered information satisfies a condition by comparing the gathered information to at least one condition.
  - 7. The method of claim 6, wherein step (c) further comprises granting a first level of access by applying a policy to the condition.
  - 8. The method of claim 1, wherein step (d) further comprises identifying a first desktop computing environment providing the resource according to the first level of access granted to the first client machine and a second desktop computing environment providing the resource according to a second level of access not granted to the first client machine, the first and second desktop computing environments already associated with the user.
  - 9. The method of claim 1, wherein step (d) further comprises identifying a first desktop computing environment providing the resource according to the first granted level of access and executing on a first execution machine and a second desktop computing environment providing the resource according to a second level of access not granted to the first client machine and executing on a second execution machine, the first and second desktop computing environments already associated with the user.
  - 10. The method of claim 1, wherein step (d) further comprises identifying a first desktop computing environment already associated with the user, the first desktop computing environment comprising a first application session and identifying a second desktop computing environment already associated with the user, the second desktop computing environment comprising a second application session.
  - 11. The method of claim 10, wherein the first application session executes on a first execution machine and the second application session executes on a second execution machine.
  - 12. The method of claim 1, wherein step (e) further comprises establishing, by the broker machine, a connection between the first client machine and the first desktop computing environment subject to a rule.
  - 13. The method of claim 1, further comprising disconnecting, by the broker machine, the first client machine from the first desktop computing environment in response to receiving a disconnect signal.
  - 14. The method of claim 13, further comprising updating, by the broker machine, at least one data record associated with the first desktop computing environment indicating that the first client machine and the first desktop computing environment are disconnected.

15. A system for providing authorized remote access to resources on desktop computing environments provided by virtual machines, the system comprising:
- a policy engine thati) receives a first request for access to a resource from a user at a first client machine,ii) directs a first collection agent to gather information,iii) grants the first client machine a first level of access to the resource responsive to application of a policy to the information about the first client machine, the first level chosen from a plurality of levels of access, andiv) requests an enumeration of desktop computing environments associated with a user of the first client machine, the request including the first granted level of access; and
  
  a broker machine thati) enumerates a first desktop computing environment associated with the client machine,the first desktop computing environmenti) providing the resource according to the first granted level of access,ii) being provided by a first virtual machine selected by the broker machine, andiii) executing in an operating system provided by the first virtual machine,the first virtual machine executing in a first execution machine selected by the broker machine, andthe first execution machine executing a hypervisor providing access to hardware resources required by the first virtual machine; and
  
  ii) establishes a first connection between the first client machine and the first desktop computing environment providing the resource according to the first granted level of access;
  
  whereinthe policy enginei) receives a second request for access to a resource from a user at a second client machine,ii) directs a second collection agent to gather information,iii) grants the second client machine a second level of access to the resource responsive to application of a policy to the information about the second client machine, the second level chosen from a plurality of levels of access, andiv) requests an enumeration of desktop computing environments associated with a user of the second client machine, the request including the second granted level of access; and
  
  the broker machinei) enumerates a second desktop computing environment associated with the client machine, the second desktop computing environmenti) providing the resource according to the second granted level of access,ii) being provided by a second virtual machine selected by the broker machine, andiii) executing in an operating system provided by the second virtual machine,the second virtual machine executing in a second execution machine selected by the broker machine, andthe second execution machine executing a hypervisor providing access to hardware resources required by the second virtual machine; and
  
  ii) establishes a second connection between the second client machine and the second desktop computing environment providing the resource according to the second granted level of access.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. The system of claim 15, wherein the first collection agent executes on the first client machine.
  - 17. The system of claim 15, wherein the policy engine transmits the first collection agent to the first client machine.
  - 18. The system of claim 15, wherein the policy engine transmits instructions to the first collection agent determining the type of information the first collection agent gathers.
  - 19. The system of claim 15, wherein the policy engine grants the first level of access based on applying a policy to the received information.
  - 20. The system of claim 15, wherein the broker machine disconnects the first client machine from the first desktop computing environment upon receipt of a disconnect signal.
  - 21. The system of claim 20, wherein the broker machine updates a data record associated with the first desktop computing environment to indicate that the first client machine and the first desktop computing environment are disconnected.

Specification

Resources

Litigation Campaign Assessment

Litigation Data

Current Assignee
Citrix Systems, Inc. (Cloud Software Group)
Original Assignee
Citrix Systems, Inc. (Cloud Software Group)
Inventors
Robinson, David Neil, Croft, Richard Jason, Mazzaferri, Richard James, Low, Anthony Edward, Pedersen, Bradley J.
Primary Examiner(s)
Robinson; Greta L
Assistant Examiner(s)
Wilcox; James J

Application Number

US11/624,402
Publication Number

US 20070179955A1
Time in Patent Office

1,587 Days
Field of Search

None
US Class Current

707/781
CPC Class Codes

G06F 16/748   Hypervideo linking data to ...

G06F 21/53   by executing in a restricte...

G06F 21/6218   to a system of files or obj...

G06F 21/629   to features or functions of...

G06F 2209/541   Client-server

G06F 2221/2149   Restricted operating enviro...

G06F 3/1415   with means for detecting di...

G06F 3/1438   using more than one graphic...

G06F 3/1462   with means for detecting di...

G06F 9/45533   Hypervisors; Virtual machin...

G06F 9/485   Task life-cycle, e.g. stopp...

G06F 9/5027   the resource being a machin...

G06F 9/5055   considering software capabi...

G06F 9/5077   Logical partitioning of res...

G06F 9/5088   involving task migration

G06F 9/54   Interprogram communication

G09G 2354/00   Aspects of interface with d...

G09G 2370/16   Use of wireless transmissio...

G09G 2370/22   Detection of presence or ab...

G09G 5/006   Details of the interface to...

G09G 5/14 : Display of multiple viewports

H04L 63/0227 : Filtering policies mail mes...

H04L 63/0428 : wherein the data content is...

H04L 63/06 : for supporting key manageme...

H04L 63/08 : for authentication of entit...

H04L 63/10 : for controlling access to d...

H04L 63/102 : Entity profiles

H04L 63/105 : Multiple levels of security

H04L 67/02 : based on web technology, e....

H04L 67/08 : specially adapted for termi...

H04L 67/14 : Session management for real...

H04L 67/141 : Setup of application sessio...

H04L 67/303 : Terminal profiles

H04L 67/51 : Discovery or management the...

H04L 67/56 : Provisioning of proxy servi...

H04L 67/563 : Data redirection of data ne...

H04L 67/564 : Enhancement of application ...

H04L 67/568 : Storing data temporarily at...

H04L 67/59 : Providing operational suppo...

H04L 69/24 : Negotiation of communicatio...

View All

Methods and systems for providing authorized remote access to a computing environment provided by a virtual machine

First Claim

8 Assignments

Litigations

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and systems for providing authorized remote access to a computing environment provided by a virtual machine

First Claim

8 Assignments

Subscription Required

Subscription Required

Litigations

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links