Method and system for providing persistence in a secure network access
First Claim
1. A load balancing system comprising:
    a first load balancer;
    a second load balancer;
    a plurality of SSL proxies communicating with the first load balancer; and
    a processor operable to execute an action with at least one of a plurality of modules, including:
        a first module for communicating first identifying data associated with a client from an SSL proxy of the plurality of SSL proxies to the first load balancer, the first identifying data comprising a first client certificate;
        a second module for determining a target server associated with the client; and
        a third module for maintaining a persistent communication between the client and the target server, based on the first client certificate;
        a fourth module for communicating a second identifying data associated with the client from the SSL proxy to the second load balancer, the second identifying data comprising a second client certificate; and
        a fifth module for maintaining persistent communications between the client and the target server, based on the first identifying data and the second identifying data, wherein at least a portion of the persistent communications is processed at the first load balancer, and at least a portion of the persistent communications is processed at the second load balancer.
(Dependent claims 2 and 3 are not reproduced here.)
Abstract
A system and method for providing persistence in a secure network access by using a client certificate sent by a client device to maintain the identity of a target. A security handshake is performed with a client device to establish a secure session. A target is determined. A client certificate is associated with the target. During subsequent secure sessions, the client certificate is used to maintain persistent communications between the client and a target. A session ID can be used in combination with the client certificate, by identifying the target based on the session ID or the client certificate, depending on which one is available in a client message.
5 Claims
4. A method of maintaining a communication with a client device on a network having a plurality of targets, comprising:
    receiving a first secure communication protocol handshake message from the client device;
    determining a target from the plurality of targets;
    determining an identifier that directly identifies the target based on at least a portion of a client certificate from the client device;
    maintaining a persistent communication between the client and the target server, based on the identifier;
    receiving a second message from the client device, the second message comprising the client certificate; and
    maintaining a second persistent communication between the client device and the target, based on the identifier, wherein at least a different portion of the second persistent communication is processed at a different one of a plurality of load balancers, and wherein maintaining the second persistent communication further comprises hashing the portion of the client certificate to directly determine the target.
(Dependent claim 5 is not reproduced here.)
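The abstract and claim 4 describe the mechanism: the target is derived from a hash of the client certificate, so that more than one load balancer can keep the same client pinned to the same target, and a session ID is used instead when that is what the client message carries. The Python sketch below is an added illustration of that scheme written for this page; it is not code from the patent or from any product. The certificate bytes and session ID are constructed stand-ins, the target names are hypothetical, and the choice of rendezvous hashing for "hashing the portion of the client certificate to directly determine the target" is an assumption made here, not something the claims specify.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed stand-ins for the DER-encoded client certificates and TLS session
# IDs that an SSL proxy would extract from the handshake (not real certificates).
CERT_A = b"constructed-der-client-certificate-A"
CERT_B = b"constructed-der-client-certificate-B"
SESSION_A = bytes.fromhex("0a0b0c0d0e0f")

# Hypothetical target servers; every load balancer must hold the same list.
TARGETS = ["app-1", "app-2", "app-3"]


@dataclass
class ClientMessage:
    """What the SSL proxy hands a load balancer about one client message."""
    client_cert: Optional[bytes] = None   # present on a full handshake
    session_id: Optional[bytes] = None    # present when the client resumes a session


def cert_fingerprint(client_cert: bytes) -> bytes:
    """Persistence key: hash of the (already verified) certificate bytes. Hashing
    the whole DER blob means the key only changes when the client changes
    certificate, and no single client-chosen field drives target selection."""
    return hashlib.sha256(client_cert).digest()


def select_target(key: bytes, targets: List[str]) -> str:
    """Rendezvous (highest-random-weight) hashing. Any balancer holding the same
    target list derives the same target from the same key with no shared table,
    and removing one target remaps only the clients that were pinned to it."""
    if not targets:
        raise ValueError("no targets available")
    return max(targets, key=lambda t: hashlib.sha256(key + b"\x00" + t.encode()).digest())


@dataclass
class LoadBalancer:
    targets: List[str]
    # session ID -> target, known only to this balancer
    sessions: Dict[bytes, str] = field(default_factory=dict)

    def route(self, msg: ClientMessage) -> Optional[str]:
        """The certificate wins whenever it is present, because its fingerprint is
        stable across sessions and across balancers; a session ID is only usable on
        a balancer that already saw the certificate for that session."""
        if msg.client_cert is not None:
            target = select_target(cert_fingerprint(msg.client_cert), self.targets)
            if msg.session_id is not None:
                self.sessions[msg.session_id] = target
            return target
        if msg.session_id is not None:
            # None means this balancer has no record: the client needs a full
            # handshake (and thus its certificate) before it can be pinned here.
            return self.sessions.get(msg.session_id)
        return None


if __name__ == "__main__":
    lb1, lb2 = LoadBalancer(TARGETS), LoadBalancer(TARGETS)
    full = ClientMessage(client_cert=CERT_A, session_id=SESSION_A)
    resumed = ClientMessage(session_id=SESSION_A)
    print("lb1 full handshake   ->", lb1.route(full))
    print("lb2 full handshake   ->", lb2.route(full))     # same target, no shared state
    print("lb1 resumed session  ->", lb1.route(resumed))  # from the local session table
    print("lb2 resumed session  ->", lb2.route(resumed))
```

Two practical checks follow from the sketch: the SSL proxy must have validated the client certificate before its fingerprint is used as a key, and every balancer must be configured with an identical target list, otherwise the two balancers in claim 1 would hash the same certificate to different targets. The session table is deliberately local; a session ID learned on one balancer is unknown to the other, which is why the certificate is the identifier that actually survives a move between balancers.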