Strategies for securely applying connection policies via a gateway
First Claim
1. A method for securely receiving data from a terminal service (TS) client at a TS server via a gateway using a remote-operating protocol, comprising:
establishing a first secure channel between the gateway and the TS server without involving the TS client;
receiving policy information from the gateway at the TS server via the first secure channel, the policy information identifying a manner in which the TS server is to interact with the TS client, wherein the TS server receives the policy information from the gateway and does not receive the policy information from the TS client;
receiving a token from the gateway at the TS server via the first secure channel;
deactivating the first secure channel;
subsequent to deactivating the first secure channel, establishing a second secure channel between the TS client and the TS server;
receiving data at the TS server from the TS client via the second secure channel, wherein the data includes another token associated with the token, the another token being used by the TS server to identify the TS client and apply the policy information to the TS client; and
taking action on the data at the TS server based on the policy information previously transmitted from the gateway to the TS server.
Dependent claims: 2, 3, 4, 5, 6, 7.
Abstract
A strategy is described for securely applying connection policies in a system that includes a first entity (e.g., a TS client) connected to a second entity (e.g., a TS server) via a gateway using a remote-operating protocol (e.g., RDP). The strategy involves establishing a first secure channel between the gateway and the TS server and transmitting policy information from the gateway to the TS server. The strategy then involves deactivating the first secure channel and setting up a second secure channel between the TS client and the TS server. The strategy uses the second secure channel to transmit RDP data from the TS client to the TS server. The TS server uses the previously-transmitted policy information to determine whether to enable or disable a feature that affects the TS client, such as device redirection.
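The channel sequence of claim 1 and the abstract, as an added Python simulation that is not the patent's own code: the gateway pushes the policy and a token reference to the TS server over a gateway-only channel, closes it, and the TS client later binds to that policy by presenting its own token over a second channel. The SHA-256 pairing of the two tokens, the single-use binding and the feature names are assumptions of this example.

```python
import hashlib
import secrets

# Added illustration of the claimed flow, not the patent's own code; the class
# and policy names and the SHA-256 token pairing are assumptions.
class TsServer:
    def __init__(self):
        self.pending = {}   # token reference from gateway -> policy
        self.sessions = {}  # client id -> policy bound at channel-2 setup

    def receive_from_gateway(self, token_ref, policy):
        # First secure channel: only the gateway calls this, so the policy the
        # server enforces never originates from the TS client.
        self.pending[token_ref] = dict(policy)

    def accept_client(self, client_id, client_token):
        # Second secure channel: the client presents its token; the server derives
        # the gateway's reference and consumes it, so a replayed token cannot rebind.
        policy = self.pending.pop(hashlib.sha256(client_token).hexdigest(), None)
        if policy is None:
            return False
        self.sessions[client_id] = policy
        return True

    def handle(self, client_id, request):
        # Enforcement uses the gateway's policy only; any "policy" field the
        # client puts in its own data is ignored.
        policy = self.sessions.get(client_id)
        if policy is None:
            return "rejected: client not bound to a policy"
        feature = request["feature"]
        return f"{'allowed' if policy.get(feature) else 'disabled'}: {feature}"

def gateway_admit(server, policy):
    # The client gets a random token; the server gets only its hash (the
    # "another token associated with the token") over the first channel.
    client_token = secrets.token_bytes(32)
    server.receive_from_gateway(hashlib.sha256(client_token).hexdigest(), policy)
    return client_token  # handed to the TS client by the gateway

def run_demo():
    server = TsServer()
    token = gateway_admit(server, {"device_redirection": False, "clipboard": True})
    bound = server.accept_client("laptop-1", token)
    redirect = server.handle("laptop-1", {"feature": "device_redirection",
                                          "policy": {"device_redirection": True}})
    clipboard = server.handle("laptop-1", {"feature": "clipboard"})
    replayed = server.accept_client("laptop-2", token)  # token already consumed
    forged = server.accept_client("laptop-3", b"\x00" * 32)
    return bound, redirect, clipboard, replayed, forged
```

The client's attempt to smuggle its own policy in the request is ignored, and the consumed token cannot bind a second client, which is the property the first-channel design is meant to give.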
132 Citations
15 Claims
8. One or more storage devices having stored thereon machine-readable instructions that, when executed on a processor, configure a gateway computing device to:
establish a first secure channel between the gateway computing device and a terminal service (TS) server, wherein the first secure channel does not include a TS client;
send policy information from the gateway computing device to the TS server via the first secure channel, the policy information identifying a manner in which the TS server is to interact with the TS client, wherein the gateway computing device sends the policy information to the TS server and the TS client does not send the policy information to the TS server;
send a token from the gateway computing device to each of the TS server and the TS client, wherein the token sent to the TS server is used by the TS server to identify the TS client and apply the policy information to the TS client when the TS server receives the token sent to the TS client;
deactivate the first secure channel; and
subsequent to deactivating the first secure channel, establish a second secure channel between the TS server and the TS client, wherein the second secure channel is used to transmit data from the TS client to the TS server so that the data is processed at the TS server in accordance with the policy information previously sent from the gateway computing device to the TS server.
Dependent claims: 9, 10.

11. A gateway system for securely transmitting data between a terminal service (TS) server and a TS client using a remote-operating protocol, comprising:
a processor; and
a memory coupled to the processor storing:
a policy module, operable by the processor, configured to generate policy information and a token; and
a gateway security filter module, operable by the processor, configured to:
send the token to the TS client;
establish a first secure channel between the gateway system and the TS server to transmit the policy information and token information from the gateway to the TS server, wherein the first secure channel does not involve the TS client and the TS client does not transmit the policy information to the TS server;
deactivate the first secure channel; and
subsequent to deactivating the first secure channel, establish a second secure channel between the TS client and the TS server to transmit data from the TS client to the TS server, wherein the transmitted data includes the token which is used by the TS server to identify the TS client and apply the policy information to the TS client such that the TS server takes action on subsequent data transmitted from the TS client to the TS server based on the policy information transmitted via the first secure channel.
Dependent claims: 12, 13, 14, 15.
Specification