Transparent layer 2 redirection of request to single sign in service based on applying policy to content of request

US 8,745,266 B2
Filed: 06/30/2011
Issued: 06/03/2014
Est. Priority Date: 06/30/2011
Status: Active Grant

First Claim

Patent Images

1. A method of providing by an intermediary device access to a service deployed in parallel to the intermediary device, the method comprising:

(a) receiving, by an intermediary device deployed between a plurality of clients and one or more servers, a request from a client to access a server via a first transport layer connection;

(b) determining, by the intermediary device responsive to applying a single sign on service policy to content of the request, that the request is to be processed by a service provided by a single sign on service provided by a second device, the second device deployed in parallel to the intermediary device;

(c) forwarding, by the intermediary device, the request via a second transport layer connection to the second device for processing by the firewall service, the request modified by the intermediary device to change a Media Access Control (MAC) address of a destination of the request to a MAC address of the second device;

(d) receiving, by the intermediary device, a response to processing the request from the single sign on service of the second device;

(e) identifying, by the intermediary device, that the response is from the second device via one or more properties of a transport layer connection carrying the response; and

(f) continue processing, by the intermediary device, the request responsive to receiving the response from the second device.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present solution is directed to providing, transparently and seamlessly to any client or server, layer 2 redirection of client requests to any services of a device deployed in parallel to an intermediary device An intermediary device deployed between the client and the server may intercept a client request and check if the request is to be processed by a service provided by one of the devices deployed in parallel with the intermediary device. The service may be any type and form of service or feature for processing, checking or modifying the request, including a firewall, a cache server, a encryption/decryption engine, a security device, an authentication device, an authorization device or any other type and form of service or device described herein. The intermediary device may select the machine to process the request and use layer 2 redirection to the machine. The intermediary device may change a Media Access Control (MAC) address of a destination of the request to a MAC address of the selected machine. Once the selected machine processes the request, the intermediary device may receive from this machine a response to processing the request. The intermediary device may then continue processing the request of the client responsive to the response from the machine or in response to identifying that the response to the request is from that particular selected machine. The forwarding to and processing by the parallel deployed machine may be performed seamlessly and transparently to the server and/or client.

39 Citations

View as Search Results

17 Claims

1. A method of providing by an intermediary device access to a service deployed in parallel to the intermediary device, the method comprising:
- (a) receiving, by an intermediary device deployed between a plurality of clients and one or more servers, a request from a client to access a server via a first transport layer connection;
  
  (b) determining, by the intermediary device responsive to applying a single sign on service policy to content of the request, that the request is to be processed by a service provided by a single sign on service provided by a second device, the second device deployed in parallel to the intermediary device;
  
  (c) forwarding, by the intermediary device, the request via a second transport layer connection to the second device for processing by the firewall service, the request modified by the intermediary device to change a Media Access Control (MAC) address of a destination of the request to a MAC address of the second device;
  
  (d) receiving, by the intermediary device, a response to processing the request from the single sign on service of the second device;
  
  (e) identifying, by the intermediary device, that the response is from the second device via one or more properties of a transport layer connection carrying the response; and
  
  (f) continue processing, by the intermediary device, the request responsive to receiving the response from the second device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein step (c) further comprises retaining, by the intermediary device, the destination internet protocol (IP) address of the request when forwarding the request to the second device.
  - 3. The method of claim 1, wherein step (c) further comprises modifying, by the intermediary device, the destination MAC address of the request to the MAC address of the second device while leaving the destination internet protocol (IP) address of the request unchanged.
  - 4. The method of claim 1, wherein step (c) further comprises using, by the intermediary device, the source IP address of the request for communicating to the second device.
  - 5. The method of claim 1, wherein step (d) further comprises receiving from the second device the response comprising the request processed by the service.
  - 6. The method of claim 1, wherein step (d) further comprises receiving by the intermediary device the response via one of the second transport layer connection or a third transport layer connection between the intermediary device and the second device.
  - 7. The method of claim 1, wherein step (e) further comprises identifying by the intermediary device, that the response is from the second device via one or more data link layer properties of the transport layer connection.
  - 8. The method of claim 1, wherein step (f) further comprises forwarding by the intermediary device the request to the server identified by the destination internet protocol (IP) address of the request.

9. A system of providing by access to a service deployed in parallel to an intermediary device, the system comprising:
- an intermediary device, deployed between a plurality of clients and one or more servers, receiving a request from a client to access a server via a first transport layer connection;
  
  a virtual server of the intermediary device determining, responsive to applying a single sign on service policy to content of the request, that the request is to be processed by a single sign on service provided by a second device, the second device deployed in parallel to the intermediary device;
  
  wherein the intermediary device;
  
  forwards the request via a second transport layer connection to the second device for processing by the single sign on service, the request modified by the intermediary device to change a Media Access Control (MAC) address of a destination of the request to a MAC address of the second device;
  
  receives a response to processing the request from the single sign on service of the second device; and
  
  identifies that the response is from the second device via one or more properties of a transport layer connection carrying the response;
  
  wherein the virtual server continues processing the request responsive to the intermediary device receiving the response from the second device.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16, 17)
- - 10. The system of claim 9, wherein the virtual server forwards the request to a second virtual server for communicating with the second device, the second virtual server managing the service of the second device.
  - 11. The system of claim 9, wherein the intermediary device retains the destination internet protocol (IP) address of the request when forwarding the request to the second device.
  - 12. The system of claim 9, wherein the intermediary device modifies the destination MAC address of the request to the MAC address of the second device while leaving the destination internet protocol (IP) address of the request unchanged.
  - 13. The system of claim 9, wherein the intermediary device uses the source IP address of the request for communicating to the second device.
  - 14. The system of claim 9, wherein the response comprises the request processed by the service.
  - 15. The system of claim 9, wherein the intermediary device receives the response via one of the second transport layer connection or a third transport layer connection between the intermediary device and the second device.
  - 16. The system of claim 9, wherein the intermediary device identifies that the response is from the second device via one or more data link layer properties of the transport layer connection.
  - 17. The system of claim 9, wherein the intermediary device forwards the request to the server identified by the destination internet protocol (IP) address of the request.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Citrix Systems, Inc. (Cloud Software Group)
Original Assignee
Citrix Systems, Inc. (Cloud Software Group)
Inventors
Suganthi, Josephine, Goel, Deepak, Shetty, Anil, Agarwal, Mugdha, Annamalaisami, Saravana, Kurma, Jyotheesh Rao
Primary Examiner(s)
Barry, Lance L

Application Number

US13/173,216
Publication Number

US 20130007239A1
Time in Patent Office

1,069 Days
Field of Search

709/239
US Class Current

709/239
CPC Class Codes

H04L 45/306   Route determination based o...

H04L 45/74   Address processing for routing

H04L 61/103   across network layers, e.g....

H04L 61/4511   using domain name system [DNS]

H04L 63/02   for separating internal fro...

H04L 63/0815   providing single-sign-on or...

H04L 65/40   Support for services or app...

H04L 67/563   Data redirection of data ne...

Transparent layer 2 redirection of request to single sign in service based on applying policy to content of request

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

39 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Transparent layer 2 redirection of request to single sign in service based on applying policy to content of request

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

39 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links