Scalable gateway for multiple data streams

US 8,639,842 B1
Filed: 06/30/2006
Issued: 01/28/2014
Est. Priority Date: 06/30/2006
Status: Expired due to Fees

First Claim

Patent Images

1. A method comprising:

receiving a plurality of incoming data streams at a gateway, whereinthe gateway comprises a dispatch processor coupled to a plurality of sub-processors;

load balancing the incoming data streams, whereinthe load balancing is performed by the dispatch processor,the load balancing comprisesassigning a first data stream of the incoming data streams to a first sub-processor of the plurality of sub-processors, andthe assigning comprisesidentifying a first sub-processor identifier in the first data stream, whereinthe first sub-processor identifier is associated with the first sub-processor, andthe identifying is performed by the dispatch processor;

transforming the first data stream of the incoming data streams, whereinthe transforming the first data stream is performed by the first sub-processor, andthe transforming the first data stream comprises converting a first mangled address in the first data stream into a standard address;

forwarding the first data stream to a first server of a plurality of servers, whereinthe forwarding is performed by the first sub-processor, in response to the transforming, andthe first server corresponds to the standard address; and

responding to the incoming data streams with a plurality of outgoing data streams, whereineach of the outgoing data streams comprises a sub-processor identifier,each of the sub-processor identifiers identifies a respective sub-processor of the plurality of sub-processors,each of the outgoing data streams comprises a respective mangled address,each of the mangled addresses comprises information identifying an address of a corresponding server among the plurality of servers,each of the plurality of servers is coupled to the gateway,each of the mangled addresses indicates an address of the gateway, andthe first sub-processor is configured to generate the mangled addresses in the outgoing data streams.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and procedures are presented for communicating multiple data streams through an SSLVPN gateway. One implementation of a method includes receiving a plurality of incoming data streams and load balancing the incoming data streams. The load balancing includes assigning a first set of one or more incoming data streams to a first subprocessor, and responding to the first set of incoming data streams with outgoing data streams that include a first identifier that indicates the first subprocessor. One implementation of a network element includes a plurality of subprocessors and a dispatcher module. The dispatcher module is coupled to the plurality of subprocessors, and is configured to recognize an identifier in a received data stream. The dispatcher module dispatches the received data stream to a corresponding subprocessor of the plurality of processors in response to the identifier in the received data stream.

28 Citations

View as Search Results

29 Claims

1. A method comprising:
- receiving a plurality of incoming data streams at a gateway, whereinthe gateway comprises a dispatch processor coupled to a plurality of sub-processors;
  
  load balancing the incoming data streams, whereinthe load balancing is performed by the dispatch processor,the load balancing comprisesassigning a first data stream of the incoming data streams to a first sub-processor of the plurality of sub-processors, andthe assigning comprisesidentifying a first sub-processor identifier in the first data stream, whereinthe first sub-processor identifier is associated with the first sub-processor, andthe identifying is performed by the dispatch processor;
  
  transforming the first data stream of the incoming data streams, whereinthe transforming the first data stream is performed by the first sub-processor, andthe transforming the first data stream comprises converting a first mangled address in the first data stream into a standard address;
  
  forwarding the first data stream to a first server of a plurality of servers, whereinthe forwarding is performed by the first sub-processor, in response to the transforming, andthe first server corresponds to the standard address; and
  
  responding to the incoming data streams with a plurality of outgoing data streams, whereineach of the outgoing data streams comprises a sub-processor identifier,each of the sub-processor identifiers identifies a respective sub-processor of the plurality of sub-processors,each of the outgoing data streams comprises a respective mangled address,each of the mangled addresses comprises information identifying an address of a corresponding server among the plurality of servers,each of the plurality of servers is coupled to the gateway,each of the mangled addresses indicates an address of the gateway, andthe first sub-processor is configured to generate the mangled addresses in the outgoing data streams.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 28, 29)
- - 2. The method of claim 1, wherein the sub-processor identifier comprises a session cookie in the outgoing data streams.
  - 3. The method of claim 1, wherein the sub-processor identifier comprises information in a mangled address in the outgoing data streams.
  - 4. The method of claim 1, wherein the sub-processor identifier comprises information in a mangled uniform resource locator (URL) address in the outgoing data streams.
  - 5. The method of claim 1, wherein each one of the plurality of incoming data streams comprises data received from a corresponding remote application.
  - 6. The method of claim 1, wherein each one of the plurality of incoming data streams comprises data received through a uniquely corresponding virtual private network (VPN).
  - 7. The method of claim 1, further comprising:
    - decrypting a first encrypted data stream of the first set of incoming data streams into a first decrypted data stream, whereinthe decrypting is performed by a dispatch processor;
      
      detecting the sub-processor identifier in the first decrypted data stream; and
      
      dispatching the first decrypted data stream to the first sub-processor in response to the detecting the first identifier.
  - 8. The method of claim 1,wherein the load balancing further comprises:
    - assigning a second set of the one or more incoming data streams from the plurality of incoming data streams to a second sub-processor of the plurality of sub-processors; and
      
      responding to the second set of incoming data streams with outgoing data streams, whereineach of the outgoing data streams comprises a second identifier indicates the second sub-processor.
  - 9. The method of claim 8, further comprising:
    - decrypting a second encrypted data stream of the second set of incoming data streams into a second decrypted data stream;
      
      detecting the second identifier in the second decrypted data stream;
      
      dispatching the second decrypted data stream to the second sub-processor;
      
      transforming the second decrypted data stream to generate a second transformed data stream, wherein the transforming the second decrypted data stream is performed by the second sub-processor; and
      
      forwarding the second transformed data stream to a second server corresponding to the second transformed data stream.
  - 10. The method of claim 9, wherein the first server comprises the second server.
  - 11. The method of claim 7, wherein the detecting the sub-processor identifier comprises detecting the first identifier in a mangled address.
  - 12. The method of claim 11, wherein the mangled address is a uniform resource locator (URL) in the first decrypted data stream.
  - 28. The method of claim 1, wherein the responding comprises:
    - receiving data comprising the first identifier in the incoming data streams through the gateway; and
      
      transmitting data in the outgoing data streams through the gateway.
  - 29. The method of claim 1, wherein the first processor is configured to convert a plurality of mangled addresses in the first set of incoming data streams into standard addresses.

13. A method comprising:
- receiving, at a gateway, a plurality of data streams, whereinthe gateway comprises a dispatch processor coupled to a plurality of sub-processors;
  
  decrypting a first data stream and a second data stream of the data streams;
  
  load balancing the incoming data streams, whereinthe load balancing is performed by the dispatch processor, andthe load balancing comprisesassigning the first data stream to a first sub-processor of the plurality of sub-processors, whereinthe assigning comprisesidentifying a first sub-processor identifier in the first data stream, wherein
  
  the first sub-processor identifier is associated with the first sub-processor, and
  
  the identifying is performed by the dispatch processor;
  
  assigning the second data stream to a second sub-processor of the plurality of sub-processors, wherein the second sub-processor is a sub-processor other than the first sub-processor;
  
  transforming the first data stream, whereinthe transforming the first data stream is performed by the first sub-processor,the transforming the first data stream comprises converting a first mangled address in the first data stream into a standard address,the first data stream comprises a plurality of different mangled addresses,each of the mangled addresses relates to an address of a corresponding node among a plurality of different nodes,each of the plurality of different nodes is coupled to the gateway,each of the mangled addresses indicates an address of the gateway, andthe first sub-processor is configured to convert the mangled addresses in the first data stream into a standard address;
  
  forwarding the first data stream to a first server of a plurality of servers, whereinthe forwarding is performed by the first sub-processor, in response to the transforming, andthe first server corresponds to the standard address; and
  
  transforming the second data stream, wherein the transforming the second data stream is performed by the second sub-processor.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21)
- - 14. The method of claim 13, further comprising:
    - caching a first set of session information in support of the first sub-processor for the transforming the first data stream; and
      
      caching a second set of session information in support of the second sub-processor for the transforming the second data stream.
  - 15. The method of claim 14, wherein:
    - the first set of session information comprises a user information for a first user; and
      
      the second set of session information comprises a user information for a second user.
  - 16. The method of claim 14, wherein:
    - the first set of session information comprises a user policy for a first user; and
      
      the second set of session information comprises a user policy for a second user.
  - 17. The method of claim 13, wherein the transforming the second data stream comprises converting a mangled address in the second data stream into a standard address.
  - 18. The method of claim 13, further comprising:
    - detecting a sub-processor identifier in the second data stream, wherein the sub-processor identifier is indicative of the second processor.
  - 19. The method of claim 13, further comprising:
    - forwarding the second data stream to a second server after the transforming the second data stream.
  - 20. The method of claim 19, wherein the first server comprises a server indicated in the first data stream, and the second server comprises a server indicated in the second data stream.
  - 21. The method of claim 18, wherein the detecting the sub-processor identifier comprises detecting the sub-processor identifier in a mangled address within the first data stream, and the assigning the first data stream to the first sub-processor is performed using load-balancing considerations.

22. A hardware network element comprising:
- a plurality of sub-processors; and
  
  a dispatcher module coupled to the plurality of sub-processors, whereinthe dispatcher module is configured to load balance a plurality of incoming data streams,the load balancing comprisesassigning a first data stream of the incoming data streams to a first sub-processor of the plurality of sub-processors,the assigning comprisesidentifying a first sub-processor identifier in the first data stream, whereinthe first sub-processor identifier is associated with the first sub-processor, andthe identifying is performed by the dispatch processor;
  
  the first sub-processor is configured to transform the first data stream of the incoming data streams, whereintransforming the first data stream comprises converting a first mangled address in the first data stream into a standard address;
  
  the first sub-processor is configured to forward the first data stream to a first server of a plurality of servers in response to transforming the first data stream, whereinthe first server corresponds to the standard address,the plurality of sub-processors are configured to respond to the incoming data streams with a plurality of outgoing data streams, whereineach of the outgoing data streams comprises a sub-processor identifier,each of the sub-processor identifiers identifies a respective sub-processor of the plurality of sub-processors,each of the outgoing data streams comprises a respective mangled address,each of the mangled addresses comprises information identifying an address of a corresponding server among the plurality of servers,each of the plurality of servers is coupled to the network element,each of the mangled addresses indicates an address of the network element, andthe first sub-processor is configured to generate the mangled addresses in the outgoing data streams.
- View Dependent Claims (23, 24, 25, 26, 27)
- - 23. The network element of claim 22, wherein each sub-processor in the plurality of sub-processors comprises:
    - a transformation module configured to transform addresses in the incoming data streams.
  - 24. The network element of claim 23, wherein each sub-processor in the plurality of sub-processors further comprises:
    - a forwarding module coupled to the transformation module and configured to forward the incoming data streams to a corresponding server.
  - 25. The network element of claim 23, further comprising:
    - a decryption module configured to decrypt an incoming encrypted stream into the first data stream.
  - 26. The network element of claim 25, wherein the decryption module is configured to perform secure socket layer (SSL) decryption.
  - 27. The network element of claim 23, wherein the dispatcher module comprises a dispatch processor, wherein the dispatch processor is a processor other than the plurality of processors and the dispatch module is executed on the dispatch processor.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Bagepalli, Nagaraj A., Patra, Abhijit, Bashyam, Murali, Chang, David Wei-Shen, Jethanandani, Mahesh
Primary Examiner(s)
Dharia, Rupal
Assistant Examiner(s)
Ahmed, Mohammed

Application Number

US11/479,981
Time in Patent Office

2,769 Days
Field of Search

709/217
US Class Current

709/238
CPC Class Codes

G06F 9/5033   considering data affinity

H04L 63/0272   Virtual private networks

H04L 65/765   intermediate

H04L 67/1027   Persistence of sessions dur...

H04L 67/1038   Load balancing arrangements...

Scalable gateway for multiple data streams

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

28 Citations

29 Claims

Specification

Solutions

Use Cases

Quick Links

Scalable gateway for multiple data streams

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

28 Citations

29 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links