Method and system for providing secure access to private networks

US 8,326,981 B2
Filed: 06/23/2010
Issued: 12/04/2012
Est. Priority Date: 09/26/2000
Status: Expired due to Term

First Claim

Patent Images

1. A method comprising:

receiving a login request from a user for access to an intermediary server, the intermediary server storing an authentication identifier for each of a plurality of users, the authentication identifier identifying an authentication server;

accessing, based on the authentication identifier, an authentication server, where the authentication server is separate and distinct from the intermediary server, to authenticate the user in response to the login request;

receiving a resource request from the authenticated user at the intermediary server, the resource request requesting a particular operation with respect to a resource from a private network; and

performing the particular operation at the private network to determine a response to the resource request.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Improved approaches for providing secure access to resources maintained on private networks are disclosed. The secure access can be provided through a public network using a standard network browser. Multiple remote users are able to gain restricted and controlled access to at least portions of a private network through a common access point. The solution provided by the invention is not only easily set up and managed, but also able to support many remote users in a cost-effective manner.

Citations

20 Claims

1. A method comprising:
- receiving a login request from a user for access to an intermediary server, the intermediary server storing an authentication identifier for each of a plurality of users, the authentication identifier identifying an authentication server;
  
  accessing, based on the authentication identifier, an authentication server, where the authentication server is separate and distinct from the intermediary server, to authenticate the user in response to the login request;
  
  receiving a resource request from the authenticated user at the intermediary server, the resource request requesting a particular operation with respect to a resource from a private network; and
  
  performing the particular operation at the private network to determine a response to the resource request.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, where the accessing the authentication server comprises:
    - determining a type of the authentication server; and
      
      generating authentication information for the user based on the type and the login request.
  - 3. The method of claim 2,where the login request comprises a username of the user and a password of the user, andwhere the generating the authentication information comprises encrypting the username and the password using a shared secret key when the type is a first type.
  - 4. The method of claim 2,where the login request comprises a password, andwhere the generating the authentication information, when the type is a second type, comprises:
    - obtaining a value from the authentication server, andhashing the password with the value.
  - 5. The method of claim 1, further comprising:
    - determining whether the response is of a type that is to be modified;
      
      modifying the response in a predetermined way when the response is of the type that is to be modified; and
      
      delivering the modified response to the user.
  - 6. The method of claim 5, where the predetermined way comprises at least one of adding a toolbar to the response, modifying host name portions of one or more hyperlinks in the response, or adding suffixes to one or more of the hyperlinks in the response.
  - 7. The method of claim 1, where the performing the particular operation at the private network comprises:
    - obtaining an identifier of a remote server in the private network based on the resource request; and
      
      opening a connection between the intermediary server and the remote server using the identifier.

8. A method comprising:
- receiving, by an intermediary server, a login request from a user at a client machine;
  
  obtaining, by the intermediary server, an authentication identifier identifying an authentication server based on the login request;
  
  sending, by the intermediary server, authentication information based on the login request to the authentication server;
  
  receiving, by the intermediary server, an authentication response based on the authentication information from the authentication server; and
  
  returning, by the intermediary server, an access page to the client machine when the authentication response indicates success, where the access page allows the user to access resources available on a private network connected to the intermediary server.
- View Dependent Claims (9, 10, 11, 12, 13, 14, 15)
- - 9. The method of claim 8, further comprising:
    - receiving, after returning the access page, a resource request from the user;
      
      determining whether the user is permitted access to a remote server on the private network needed to process the resource request based on access privileges given to the user; and
      
      transmitting the resource request to the remote server when the user is permitted access to the remote server.
  - 10. The method of claim 9, where the determining whether the user is permitted access to the remote server comprises:
    - determining whether an Internet Protocol address of the client machine is authorized;
      
      determining whether the resource request is made during a permitted time period; and
      
      determining whether an operation associated with the resource request is permitted.
  - 11. The method of claim 9, further comprising:
    - receiving a resource response from the remote server in response to the resource request;
      
      determining whether the resource response is of a type that is to be modified; and
      
      modifying the response based on a predetermined way when the response is of the type that is to be modified.
  - 12. The method of claim 9, where the transmitting the resource request to the remote server comprises:
    - obtaining a host name of the remote server based on the resource request;
      
      obtaining an Internet Protocol address of the remote server based on the host name; and
      
      performing, by the intermediary server, a secure handshake with the remote server.
  - 13. The method of claim 12, where the host name is stored in a data store of the intermediary server or is specified in a hyperlink associated with the resource request.
  - 14. The method of claim 8, further comprising determining whether external authentication is required to authenticate the user,where the authentication server is identified based on the login request only when the external authentication is required.
  - 15. The method of claim 8, where the sending the authentication information comprises:
    - determining a type of the authentication server; and
      
      generating the authentication information based on the type of the authentication server and the login request, where the login request comprises a password of the user.

16. An intermediary server comprising:
- a memory to store an authentication identifier for each of a plurality of users, the authentication identifier identifying an authentication server; and
  
  a processor, connected to the memory, to;
  
  receive a login request from a user,obtain the authentication identifier identifying the authentication server based on the login request,send authentication information based on the login request to the authentication server,receive an authentication response based on the authentication information from the authentication server,receive a resource request from the user when the authentication response indicates success, andprocess the resource request using a remote server located on a private network connected to the intermediary server.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The intermediary server of claim 16,where the intermediary server communicates with the authentication server and the remote server through a firewall, andwhere communications between the intermediary server and the user at a client machine are encrypted.
  - 18. The intermediary server of claim 16, where the processor is further to:
    - parse content received from the remote server in response to the resource request; and
      
      modify the content in a predetermined way.
  - 19. The intermediary server of claim 16, where the processor is further to couple to an operating backup intermediary server that performs one or more functions of the intermediary server when the intermediary server fails.
  - 20. The intermediary server of claim 16, where the processor is further to:
    - determine whether a stored hashed password is available for the user;
      
      determine whether the stored hashed password is equal to a password in the login request when the stored hashed password is available; and
      
      authenticate the user when the stored hashed password is equal to the password.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Pulse Secure, LLC (Ivanti Software, Inc.)
Original Assignee
Juniper Networks Incorporated
Inventors
Tock, Theron, Srinivas, Sampath
Primary Examiner(s)
Meky, Moustafa M

Application Number

US12/821,928
Publication Number

US 20100263035A1
Time in Patent Office

895 Days
Field of Search

709200-203, 709217-227
US Class Current

709/224
CPC Class Codes

G06F 21/33   using certificates

H04L 63/0272   Virtual private networks

H04L 63/08   for authentication of entit...

H04L 63/0884   by delegation of authentica...

H04L 63/102   Entity profiles

H04L 63/168   above the transport layer

Method and system for providing secure access to private networks

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for providing secure access to private networks

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links