Systems and methods for authorizing a client in an SSL VPN session failover environment

US 8,132,247 B2
Filed: 08/03/2007
Issued: 03/06/2012
Est. Priority Date: 08/03/2007
Status: Active Grant

First Claim

Patent Images

1. A method of performing authorization of a client device'"'"'s secure socket layer virtual private network (SSL VPN) session transferred upon failover from a first appliance to a second appliance, the method comprising:

(a) receiving, by a second appliance from a first appliance, information identifying a security string used by the first appliance to authorize a secure socket layer virtual private network (SSL VPN) session established between a client device and a network;

(b) detecting, by the second appliance comprising a hardware processor, that the first appliance is unavailable to continue the SSL VPN session;

(c) providing, by the second appliance, the SSL VPN session for the client device in response to the detection;

(d) placing, by the second appliance, the SSL VPN session on hold until the client device is authorized by the second appliance; and

(e) transmitting, by the second appliance, a request to an evaluation component executing on the client device to evaluate at least one clause of the security string, the at least one clause including one or more expressions comprising a logical operation on a value of an attribute of the client device, the logical operation comprising a comparison between the value of the attribute and a predetermined value.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The SSL VPN session failover solution of the appliance and/or client agent described herein provides an environment for handling IP address assignment and end point re-authorization upon failover. The appliances may be deployed to provide a session failover environment in which a second appliance is a backup to a first appliance when a failover condition is detected, such as failure in operation of the first appliance. The backup appliance takes over responsibility for SSL VPN sessions provided by the first appliance. In the failover environment, the first appliance propagates SSL VPN session information including user IP address assignment and end point authorization information to the backup appliance. The backup appliance maintains this information. Upon detection of failover of the first appliance, the backup appliance activates the transferred SSL VPN session and maintains the user assigned IP addresses. The backup appliance may also re-authorize the client for the transferred SSL VPN session.

66 Citations

View as Search Results

24 Claims

1. A method of performing authorization of a client device'"'"'s secure socket layer virtual private network (SSL VPN) session transferred upon failover from a first appliance to a second appliance, the method comprising:
- (a) receiving, by a second appliance from a first appliance, information identifying a security string used by the first appliance to authorize a secure socket layer virtual private network (SSL VPN) session established between a client device and a network;
  
  (b) detecting, by the second appliance comprising a hardware processor, that the first appliance is unavailable to continue the SSL VPN session;
  
  (c) providing, by the second appliance, the SSL VPN session for the client device in response to the detection;
  
  (d) placing, by the second appliance, the SSL VPN session on hold until the client device is authorized by the second appliance; and
  
  (e) transmitting, by the second appliance, a request to an evaluation component executing on the client device to evaluate at least one clause of the security string, the at least one clause including one or more expressions comprising a logical operation on a value of an attribute of the client device, the logical operation comprising a comparison between the value of the attribute and a predetermined value.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, comprising activating, by the second appliance, the on hold SSL VPN session upon receiving a predetermined result from evaluation of the least one clause of the security string.
  - 3. The method of claim 1, comprising assigning, by the second appliance, the client device to an authorization group based on a result from evaluation of the at least one clause.
  - 4. The method of claim 1, wherein step (d) comprises transmitting the request to a collection agent on the client device, the collection agent gathering information associated with the attribute of the client device and evaluating the at least one clause.
  - 5. The method of claim 1, comprising receiving, by the second appliance from the client device in response to the request, a result from evaluation of the at least one clause indicating a presence on the client device of one of the following:
    - a version of an operating system, a service pack of the operating system, a running service, a running process, and a file.
  - 6. The method of claim 1, comprising receiving, by the second appliance from the client device in response to the request, a result from evaluation of the at least one clause indicating a presence on the client device of one of the following:
    - antivirus software, personal firewall software, anti-spam software, and internet security software.
  - 7. The method of claim 1, comprising determining, by the second appliance, responsive to a result from evaluation of the at least one clause, that the client device lacks a desired attribute.
  - 8. The method of claim 7, comprising maintaining, by the second appliance, the SSL VPN session on hold in response to the determination.
  - 9. The method of claim 1, comprising determining, by the second appliance, responsive to a result from evaluation of the at least one clause, that the attribute of the client device is not set to a value in accordance with a policy.
  - 10. The method of claim 9, comprising maintaining, by the second appliance, the SSL VPN session on hold in response to the determination.
  - 11. The method of claim 1, comprising assigning, by the second appliance, the client device to an authorization group providing quarantined access to the network in response to a result from evaluation of the at least one clause, and activating, by the second appliance, the SSL VPN session.
  - 12. The method of claim 1, comprising assigning, by the second appliance, the client device to an authorization group responsive to an application of a policy by a policy engine to a result from evaluation of the at least one clause, and activating, by the second appliance, the SSL VPN session.

13. A system for performing authorization of a client device'"'"'s secure socket layer virtual private network (SSL VPN) session transferred upon failover from a first appliance to a second appliance, the system comprising:
- a first appliance comprising a first hardware processor, to provide information identifying a security string used by the first appliance to authorize a secure socket layer virtual private network (SSL VPN) session established between a client device and a network; and
  
  a second appliance comprising a second hardware processor, in communication with the first appliance, the second appliance to receive the information, detect that the first appliance is unavailable to continue the SSL VPN session, provide the SSL VPN session for the client device in response to the detection, place the SSL VPN session on hold until the client device is authorized by the second appliance, and transmit a request to an evaluation component executing on the client device to evaluate at least one clause of the security string, the at least one clause including one or more expressions comprising a logical operation on a value of an attribute of the client device, the logical operation comprising a comparison between the value of the attribute and a predetermined value.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24)
- - 14. The system of claim 13, wherein the second appliance is configured to activate the on hold SSL VPN session upon receiving a predetermined result from evaluation of the least one clause of the security string.
  - 15. The system of claim 13, wherein the second appliance is configured to assign the client device to an authorization group based on a result from evaluation of the at least one clause.
  - 16. The system of claim 13, wherein the second appliance is configured to transmit the request to a collection agent on the client device, the collection agent gathering information associated with the attribute of the client device and evaluating the at least one clause.
  - 17. The system of claim 13, wherein the second appliance is configured to receive from the client device in response to the request, a result from evaluation of the at least one clause indicating a presence on the client device of one of the following:
    - a version of an operating system, a service pack of the operating system, a running service, a running process, and a file.
  - 18. The system of claim 13, wherein the second appliance is configured to receive from the client device in response to the request, a result from evaluation of the at least one clause indicating a presence on the client device of one of the following:
    - antivirus software, personal firewall software, anti-spam software, and internet security software.
  - 19. The system of claim 13, wherein the second appliance is configured to determine, responsive to a result from evaluation of the at least one clause, that the client device lacks a desired attribute.
  - 20. The system of claim 19, wherein the second appliance is configured to maintain the SSL VPN session on hold in response to the determination.
  - 21. The system of claim 13, wherein the second appliance is configured to determine, responsive to a result from evaluation of the at least one clause, that the attribute of the client device is not set to a value in accordance with a policy.
  - 22. The system of claim 21, wherein the second appliance is configured to maintain the SSL VPN session on hold in response to the determination.
  - 23. The system of claim 13, wherein the second appliance is configured to assign the client device to an authorization group providing quarantined access to the network in response to a result from evaluation of the at least one clause, and activate the SSL VPN session.
  - 24. The system of claim 13, wherein the second appliance is configured to assign the client device to an authorization group responsive to an application of a policy by a policy engine to a result from evaluation of the at least one clause, and activate the SSL VPN session.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Citrix Systems, Inc. (Cloud Software Group)
Original Assignee
Citrix Systems, Inc. (Cloud Software Group)
Inventors
Adhya, Saibal, Choudhary, Akshat, Verzunov, Sergey, Mullick, Amarnath, Nanjundaswamy, Shashi, Kumar, Arkesh
Primary Examiner(s)
SHAN, APRIL YING

Application Number

US11/833,577
Publication Number

US 20090037998A1
Time in Patent Office

1,677 Days
Field of Search

726/2, 726/12, 726/15, 726/11, 380/247, 713/151, 713/153, 713/154, 370/401, 370/351, 705/79, 379/901
US Class Current

726/11
CPC Class Codes

G06Q 20/027   involving a payment switch ...

H04L 63/0428   wherein the data content is...

H04L 63/08   for authentication of entit...

H04L 63/166   at the transport layer

H04L 63/20   for managing network securi...

H04L 69/40   for recovering from a failu...

Y10S 379/901   Virtual networks or virtual...

Systems and methods for authorizing a client in an SSL VPN session failover environment

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

66 Citations

24 Claims

Specification

Use Cases

Quick Links

Others

Systems and methods for authorizing a client in an SSL VPN session failover environment

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

66 Citations

24 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others