Systems and methods for authorizing a client in an SSL VPN session failover environment
First Claim
1. A method of performing authorization of a client device's secure socket layer virtual private network (SSL VPN) session transferred upon failover from a first appliance to a second appliance, the method comprising:
(a) receiving, by a second appliance from a first appliance, information identifying a security string used by the first appliance to authorize a secure socket layer virtual private network (SSL VPN) session established between a client device and a network;
(b) detecting, by the second appliance comprising a hardware processor, that the first appliance is unavailable to continue the SSL VPN session;
(c) providing, by the second appliance, the SSL VPN session for the client device in response to the detection;
(d) placing, by the second appliance, the SSL VPN session on hold until the client device is authorized by the second appliance; and
(e) transmitting, by the second appliance, a request to an evaluation component executing on the client device to evaluate at least one clause of the security string, the at least one clause including one or more expressions comprising a logical operation on a value of an attribute of the client device, the logical operation comprising a comparison between the value of the attribute and a predetermined value.
7 Assignments
0 Petitions
Abstract
The SSL VPN session failover solution of the appliance and/or client agent described herein provides an environment for handling IP address assignment and end point re-authorization upon failover. The appliances may be deployed to provide a session failover environment in which a second appliance is a backup to a first appliance when a failover condition is detected, such as failure in operation of the first appliance. The backup appliance takes over responsibility for SSL VPN sessions provided by the first appliance. In the failover environment, the first appliance propagates SSL VPN session information including user IP address assignment and end point authorization information to the backup appliance. The backup appliance maintains this information. Upon detection of failover of the first appliance, the backup appliance activates the transferred SSL VPN session and maintains the user assigned IP addresses. The backup appliance may also re-authorize the client for the transferred SSL VPN session.
66 Citations
24 Claims
13. A system for performing authorization of a client device's secure socket layer virtual private network (SSL VPN) session transferred upon failover from a first appliance to a second appliance, the system comprising:
a first appliance comprising a first hardware processor, to provide information identifying a security string used by the first appliance to authorize a secure socket layer virtual private network (SSL VPN) session established between a client device and a network; and
a second appliance comprising a second hardware processor, in communication with the first appliance, the second appliance to receive the information, detect that the first appliance is unavailable to continue the SSL VPN session, provide the SSL VPN session for the client device in response to the detection, place the SSL VPN session on hold until the client device is authorized by the second appliance, and transmit a request to an evaluation component executing on the client device to evaluate at least one clause of the security string, the at least one clause including one or more expressions comprising a logical operation on a value of an attribute of the client device, the logical operation comprising a comparison between the value of the attribute and a predetermined value.
Dependent claims: 14 to 24.
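As an added illustration (not code from the patent or from any appliance product), the failover re-authorization flow of the abstract and of claims 1 and 13, modelled in Python: the first appliance propagates its session records (assigned client IP and security string) to the backup, the backup detects the failure, holds each transferred session, and releases it only after the client-side evaluation component reports a clause of the security string as satisfied. The security-string syntax (`&&` within a clause, `||` between clauses, operators `==`, `!=`, `>=`, `<=`), the attribute names and all class and function names are assumptions, since the page gives no concrete format.

```python
import operator
# Operators allowed in a security-string expression (assumed syntax; the patent text gives none).
OPS = {"==": operator.eq, "!=": operator.ne, ">=": operator.ge, "<=": operator.le}

def parse_security_string(text):
    """'av.ver>=5 && fw==on || vendor==acme' -> list of clauses (OR-ed), each a list of
    (attribute, operator, predetermined value) expressions (AND-ed within a clause)."""
    clauses = []
    for clause in text.split("||"):
        exprs = []
        for expr in clause.split("&&"):
            sym = next((s for s in OPS if s in expr), None)
            if sym is None:
                raise ValueError(f"bad expression: {expr!r}")
            attr, value = expr.split(sym, 1)
            exprs.append((attr.strip(), sym, value.strip()))
        clauses.append(exprs)
    return clauses

def _val(v):  # compare numerically when the value parses as a number, otherwise as a string
    try:
        return float(v)
    except (TypeError, ValueError):
        return str(v)

class ClientAgent:
    """Evaluation component on the client device (step e): checks one clause against its attributes."""
    def __init__(self, attributes):
        self.attributes = attributes
    def evaluate(self, clause):
        return all(OPS[op](_val(self.attributes.get(a)), _val(v)) for a, op, v in clause)

class Appliance:
    """Session record: user, client_ip (assigned by the first appliance, kept on failover), security_string, state."""
    def __init__(self):
        self.sessions, self.alive = {}, True
    def propagate(self, backup):
        # (a) the first appliance hands its session info (IP assignment, security string) to the backup
        for sid, s in self.sessions.items():
            backup.sessions[sid] = dict(s, state="standby")
    def failover_from(self, primary, agents):
        # (b) detect the first appliance is down, (c) take over its sessions, (d) hold each one,
        # (e) release the hold only if the client's agent reports a clause of the string as satisfied
        if primary.alive:
            return {}
        for sid, s in self.sessions.items():
            s["state"] = "on_hold"
            ok = any(agents[sid].evaluate(c) for c in parse_security_string(s["security_string"]))
            s["state"] = "authorized" if ok else "rejected"
        return {sid: (s["state"], s["client_ip"]) for sid, s in self.sessions.items()}
```

A session whose client fails every clause stays rejected, so the preserved IP assignment is never handed back to an endpoint that no longer meets the policy the first appliance enforced.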
Specification