Method and apparatus for providing authorized remote access to application sessions

US 8,613,048 B2
Filed: 09/30/2004
Issued: 12/17/2013
Est. Priority Date: 09/30/2004
Status: Active Grant

First Claim

Patent Images

1. A method for providing a user with authorized remote access to one of one or more application sessions disconnected from one or more client nodes previously operated by the user, the method comprising:

disconnecting a first client node comprising a computing environment operated by a user, by a session server, from a resource provided by an application session provided by an application server providing a plurality of application sessions via a first communication channel;

receiving a request, from a second client node comprising a second computing environment operated by the user, for access to the resource;

receiving, by a first component of the policy engine, characteristics of the second computing environment gathered by a collection agent from the second client node in response to the request to access the resource;

generating, by the first component of the policy engine, a data set from the received characteristics, responsive to applying a first policy to the received characteristics and storing an identifier for each condition satisfied in the data set;

transmitting, by the first component of the policy engine, the data set to a second component of the policy engine;

making, by the second component of the policy engine, an access control decision granting the second computing environment access to the resource based on application of a second policy to the generated data set;

identifying, based on the access control decision, the application session provided by the application server disconnected from the first client node previously operated by the user, from one or more application sessions to which the second client node is permitted to connect;

establishing, by the session server, a connection between the second client node and the identified application session provided by the application server in response to the identification via a second communication channel, wherein the second communication channel is wireless and different from the first communication channel; and

selecting, by the application server responsive to the connection, a format for the presentation of the resource based on application of a second policy to the received characteristics of the second computing environment.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus for providing authorized remote access to one or more application sessions includes a client node, a collection agent, a policy engine, and a session server. The client node requests access to a resource. The collection agent gathers information about the client node. The policy engine receives the gathered information, and makes an access control decision based on the received information. The session server establishes a connection between a client computer operated by the user and the one or more application sessions associated with the user of the client node identified in response to the received information.

291 Citations

41 Claims

1. A method for providing a user with authorized remote access to one of one or more application sessions disconnected from one or more client nodes previously operated by the user, the method comprising:
- disconnecting a first client node comprising a computing environment operated by a user, by a session server, from a resource provided by an application session provided by an application server providing a plurality of application sessions via a first communication channel;
  
  receiving a request, from a second client node comprising a second computing environment operated by the user, for access to the resource;
  
  receiving, by a first component of the policy engine, characteristics of the second computing environment gathered by a collection agent from the second client node in response to the request to access the resource;
  
  generating, by the first component of the policy engine, a data set from the received characteristics, responsive to applying a first policy to the received characteristics and storing an identifier for each condition satisfied in the data set;
  
  transmitting, by the first component of the policy engine, the data set to a second component of the policy engine;
  
  making, by the second component of the policy engine, an access control decision granting the second computing environment access to the resource based on application of a second policy to the generated data set;
  
  identifying, based on the access control decision, the application session provided by the application server disconnected from the first client node previously operated by the user, from one or more application sessions to which the second client node is permitted to connect;
  
  establishing, by the session server, a connection between the second client node and the identified application session provided by the application server in response to the identification via a second communication channel, wherein the second communication channel is wireless and different from the first communication channel; and
  
  selecting, by the application server responsive to the connection, a format for the presentation of the resource based on application of a second policy to the received characteristics of the second computing environment.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 40, 41)
- - 2. The method of claim 1 wherein step (a) further comprises requesting the resource over a network connection.
  - 3. The method of claim 1 wherein step (b) further comprises gathering the characteristics over a network connection.
  - 4. The method of claim 1 wherein step (b) further comprises gathering the characteristics by executing at least one script on the client node.
  - 5. The method of claim 1 wherein step (d) further comprises determining if the received characteristics satisfies a condition.
  - 6. The method of claim 5 further comprising determining if the received characteristics satisfies a condition by comparing the received information to at least one condition.
  - 7. The method of claim 6 wherein step (d) further comprises making an access control decision by applying a policy to the condition.
  - 8. The method of claim 1 wherein a first one of the application sessions is running on a first server and a second one of the application sessions is running on a second server.
  - 9. The method of claim 1 wherein the step of establishing, by the session server, a connection between the client node and the one or more application sessions is subject to a rule permitting the client node to connect to the one or more application sessions.
  - 10. The method of claim 1 wherein the connection between the client node and the one or more application sessions is triggered by the selection of a single user interface element.
  - 11. The method of claim 1 further comprising the step of receiving, by a session server, a disconnect request to disconnect a first application session associated with the user and a second application session associated with the user;
    - and disconnecting, by the session server, the first and second application sessions.
  - 12. The method of claim 11 further comprising updating, by the session server, at least one data record associated with the first and second application sessions to indicate that the first and second application sessions are disconnected.
  - 13. The method of claim 12 further comprising the step of continuing, by the session server, execution of one or more applications for at least one of the disconnected application sessions.
  - 14. The method of claim 1 wherein the one or more application sessions was connected to a first client node prior to connection and, after connection, the one or more application sessions is reconnected to the first client node.
  - 15. The method of claim 1 wherein the one or more application sessions was associated with a first client node prior to establishing the connection and, after establishing the connection, the one or more application sessions is connected to a second client node.
  - 16. The method of claim 1 wherein at least one application session is disconnected.
  - 17. The method of claim 1 wherein at least one application session is active.
  - 18. The method of claim 1 wherein the identifying one or more applications sessions is automatic upon receipt of authentication information.
  - 19. The method of claim 1 further comprising the step of providing for receiving application output from a one or more previously disconnected application sessions associated with the user in response to the received information.
  - 20. The method of claim 19 further comprising disconnecting at least one active application session associated with the user in response to the received information.
  - 21. The method of claim 19 wherein the one or more active application sessions is initially connected to a first client node and, upon requesting access to the resource, the user is operating a second client node.
  - 22. The method of claim 19, wherein the receipt of application output from the one or more active application sessions is subject to a rule permitting the user to have a client node operated by the user to connect to the one or more active application sessions.
  - 23. The method of claim 19 wherein the receipt of application output from the one or more active application sessions and the receipt of application output from the one or more disconnected application sessions are triggered by the selection of a single user interface element.
  - 24. The method of claim 19 wherein the one or more disconnected application sessions was connected to a first client node prior to disconnection and, at connection, the one or more disconnected application session is reconnected to the first client node.
  - 25. The method of claim 19 wherein the one or more disconnected application sessions was connected to a first client node prior to disconnection and, at connection, the one or more disconnected application session is connected to a second client node.
  - 40. The method of claim 1 wherein step (b) further comprises gathering one or more of the following information about the client node:
    - a machine identification (ID) of the client node, type of an operating system, existence of a patch to the operating system, a Media Access Control (MAC) address of a network card, a digital watermark on the client node, a membership in an Active Directory, an existence of a virus scanner, an existence of a personal firewall, an HTTP header, a browser type, a device type, network connection information, and authorization credentials.
  - 41. The method of claim 1 wherein step (f) further comprises establishing the connection between the client node and the one or more application sessions responsive to the policy engine making the access control decision.

26. A system for providing a user with authorized remote access to one of one or more application sessions disconnected from one or more client nodes previously operated by the user, the system comprising:
- a session server disconnecting a first client node comprising a computing environment operated by a user from a resource provided by an application session provided by an application server providing a plurality of application sessions via a first communication session, and receiving a request from a second client node comprising a second computing environment operated by the user;
  
  a first component of the policy engine;
  
  receiving characteristics of the second computing environment gathered by a collection agent from the second client node in response to the request to access the resource,generating a data set from the received characteristics, responsive to applying a first policy to the received characteristics and storing an identifier for each condition satisfied in the data set,transmitting the data set to a second component of the policy engine;
  
  the second component of the policy engine;
  
  making an access control decision granting the second computing environment access to the resource based on the application of a second policy to the generated data set; and
  
  identifying, based on the access control decision, the application session provided by the application server disconnected from the first client node previously operated by the user, from one or more application sessions to which the second client node is permitted to connect;
  
  wherein the session server establishes a connection between the second client node and the identified application session provided by the application server in response to the identification via a second communication channel that is wireless and different from the first communication channel; and
  
  an application server, responsive to the connection, selects a format for the presentation of the resource based on application of a second policy to the received characteristics of the second computing environment.
- View Dependent Claims (27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39)
- - 27. The system of claim 26 wherein the collection agent executes on the client node.
  - 28. The system of claim 26 wherein the policy engine transmits the collection agent to the client node.
  - 29. The system of claim 26 wherein the policy engine transmits instructions to the collection agent determining the type of information the collection agent gathers.
  - 30. The system of claim 26 wherein a first one of the application sessions is running on a first server and a second one of the application sessions is running on a second server.
  - 31. The system of claim 26 wherein the session server connects the client node to the one or more application sessions.
  - 32. The system of claim 31 wherein the connection of the client node to the one or more application sessions is triggered by selection of a single user interface element.
  - 33. The system of claim 31 wherein the session server is also configured to receive a disconnect request to disconnect the first application session associated with the user and the second application session associated with the user and disconnect the first and second application sessions in response to the request.
  - 34. The system of claim 33 wherein the session server is further configured to update at least one data record associated with each of the first and second application sessions to indicate that the first and second application sessions are disconnected.
  - 35. The system of claim 26 wherein the policy engine further comprises stored data associated with one or more servers executing application sessions.
  - 36. The system of claim 26 wherein the one or more application sessions was connected to a first client node prior to connection and, after connection, the one or more application sessions is reconnected to the first client node.
  - 37. The system of claim 26 wherein the one or more application sessions was associated with a first client node prior to connection and, after connection, the one or more application sessions is connected to a second client node.
  - 38. The system of claim 26 wherein at least one of the one or more application sessions is disconnected.
  - 39. The system of claim 26 wherein at least one of the one or more application sessions is active.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Citrix Systems, Inc. (Cloud Software Group)
Original Assignee
Citrix Systems, Inc. (Cloud Software Group)
Inventors
Braddy, Ricky Gene, Simmons, Timothy Ernest, Stone, David Sean
Primary Examiner(s)
LANIER, BENJAMIN E

Application Number

US10/711,731
Publication Number

US 20060070131A1
Time in Patent Office

3,365 Days
Field of Search

None
US Class Current

726/4
CPC Class Codes

G06F 21/31   User authentication

H04L 63/08   for authentication of entit...

H04L 63/0815   providing single-sign-on or...

H04L 63/0876   based on the identity of th...

H04L 63/10   for controlling access to d...

Method and apparatus for providing authorized remote access to application sessions

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

291 Citations

41 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for providing authorized remote access to application sessions

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

291 Citations

41 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links