Strategies for securely applying connection policies via a gateway

US 8,201,218 B2
Filed: 02/28/2007
Issued: 06/12/2012
Est. Priority Date: 02/28/2007
Status: Active Grant

First Claim

Patent Images

1. A method for securely receiving data from a terminal service (TS) client at a TS server via a gateway using a remote-operating protocol, comprising:

establishing a first secure channel between the gateway and the TS server without involving the TS client;

receiving policy information from the gateway at the TS server via the first secure channel, the policy information identifying a manner in which the TS server is to interact with the TS client, wherein the TS server receives the policy information from the gateway and does not receive the policy information from the TS client;

receiving a token from the gateway at the TS server via the first secure channel;

deactivating the first secure channel;

subsequent to deactivating the first secure channel, establishing a second secure channel between the TS client and the TS server;

receiving data at the TS server from the TS client via the second secure channel, wherein the data includes another token associated with the token, the another token being used by the TS server to identify the TS client and apply the policy information to the TS client; and

taking action on the data at the TS server based on the policy information previously transmitted from the gateway to the TS server.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A strategy is described for securely applying connection policies in a system that includes a first entity (e.g., a TS client) connected to a second entity (e.g., a TS server) via a gateway using a remote-operating protocol (e.g., RDP). The strategy involves establishing a first secure channel between the gateway and the TS server and transmitting policy information from the gateway to the TS server. The strategy then involves deactivating the first secure channel and setting up a second secure channel between the TS client and the TS server. The strategy uses the second secure channel to transmit RDP data from the TS client to the TS server. The TS server uses the previously-transmitted policy information to determine whether to enable or disable a feature that affects the TS client, such as device redirection.

132 Citations

15 Claims

1. A method for securely receiving data from a terminal service (TS) client at a TS server via a gateway using a remote-operating protocol, comprising:
- establishing a first secure channel between the gateway and the TS server without involving the TS client;
  
  receiving policy information from the gateway at the TS server via the first secure channel, the policy information identifying a manner in which the TS server is to interact with the TS client, wherein the TS server receives the policy information from the gateway and does not receive the policy information from the TS client;
  
  receiving a token from the gateway at the TS server via the first secure channel;
  
  deactivating the first secure channel;
  
  subsequent to deactivating the first secure channel, establishing a second secure channel between the TS client and the TS server;
  
  receiving data at the TS server from the TS client via the second secure channel, wherein the data includes another token associated with the token, the another token being used by the TS server to identify the TS client and apply the policy information to the TS client; and
  
  taking action on the data at the TS server based on the policy information previously transmitted from the gateway to the TS server.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the remote-operating protocol is Remote Desktop Protocol (RDP).
  - 3. The method of claim 1, wherein the first secure channel is formed as a Secure Sockets Layer (SSL) channel.
  - 4. The method of claim 1, wherein the second secure channel is formed as a Secure Sockets Layer (SSL) channel.
  - 5. The method of claim 1, where the policy information indicates enabling or disabling a feature that affects the TS client.
  - 6. The method of claim 5, wherein the feature is device redirection.
  - 7. The method of claim 5, wherein the feature is associated with at least one packet of the remote-operating protocol.

8. One or more storage devices having stored thereon machine-readable instructions that, when executed on a processor, configure a gateway computing device to:
- establish a first secure channel between the gateway computing device and a terminal service (TS) server, wherein the first secure channel does not include a TS client;
  
  send policy information from the gateway computing device to the TS server via the first secure channel, the policy information identifying a manner in which the TS server is to interact with the TS client, wherein the gateway computing device sends the policy information to the TS server and the TS client does not send the policy information to the TS server;
  
  send a token from the gateway computing device to each of the TS server and the TS client, wherein the token sent to the TS server is used by the TS server to identify the TS client and apply the policy information to the TS client when the TS server receives the token sent to the TS client;
  
  deactivate the first secure channel; and
  
  subsequent to deactivating the first secure channel, establish a second secure channel between the TS server and the TS client, wherein the second secure channel is used to transmit data from the TS client to the TS server so that the data is processed at the TS server in accordance with the policy information previously sent from the gateway computing device to the TS server.
- View Dependent Claims (9, 10)
- - 9. The one or more storage devices of claim 8, wherein the policy information indicates enabling or disabling a feature that affects the TS client.
  - 10. The one or more storage devices of claim 9, wherein the feature is device redirection.

11. A gateway system for securely transmitting data between a terminal service (TS) server and a TS client using a remote-operating protocol, comprising:
- a processor; and
  
  a memory coupled to the processor storing;
  
  a policy module, operable by the processor, configured to generate policy information and a token; and
  
  a gateway security filter module, operable by the processor, configured to;
  
  send the token to the TS client;
  
  establish a first secure channel between the gateway system and the TS server to transmit the policy information and token information from the gateway to the TS server, wherein the first secure channel does not involve the TS client and the TS client does not transmit the policy information to the TS server;
  
  deactivate the first secure channel; and
  
  subsequent to deactivating the first secure channel, establish a second secure channel between the TS client and the TS server to transmit data from the TS client to the TS server, wherein the transmitted data includes the token which is used by the TS server to identify the TS client and apply the policy information to the TS client such that the TS server takes action on subsequent data transmitted from the TS client to the TS server based on the policy information transmitted via the first secure channel.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The gateway system of claim 11, wherein the remote-operating protocol is Remote Desktop Protocol (RDP).
  - 13. The gateway system of claim 11, wherein the policy information indicates enabling or disabling a feature that affects the TS client.
  - 14. The gateway system of claim 13, wherein the feature is device redirection.
  - 15. The gateway system of claim 13, wherein the feature is associated with at least one packet of the remote-operating protocol.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Malakapalli, Meher P., Guo, Donghang, Swaminathan, Gautam, Ben-Shachar, Ido
Primary Examiner(s)
Orgad, Edan
Assistant Examiner(s)
HOLDER, BRADLEY W

Application Number

US11/680,518
Publication Number

US 20080209538A1
Time in Patent Office

1,931 Days
Field of Search

726/1, 726/2, 726/3, 726/29
US Class Current

726/3
CPC Class Codes

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/10   for controlling access to d...

H04L 63/18   using different networks or...

H04L 63/20   for managing network securi...

H04L 67/59   Providing operational suppo...

Strategies for securely applying connection policies via a gateway

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

132 Citations

15 Claims

Specification

Use Cases

Quick Links

Others

Strategies for securely applying connection policies via a gateway

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

132 Citations

15 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others