Systems and methods for application based interception of SSL/VPN traffic

US 8,869,262 B2
Filed: 08/03/2006
Issued: 10/21/2014
Est. Priority Date: 08/03/2006
Status: Active Grant

First Claim

Patent Images

1. A method for an appliance to allow or deny a level of access by an application on a client to a resource via a virtual private network connection based on identification of the application, the method comprising the steps of:

(a) establishing, by an appliance providing access to a second network, a virtual private network connection between a client on a first network and the appliance, the client having a routing table;

(b) receiving, by the appliance from an agent of the client, via the virtual private network connection, an identifier of an application on the client responsive to a determination that the routing table includes the identifier of the application, the agent intercepting messages from the application to transmit via the virtual private network connection responsive to the determination;

(c) associating, by the appliance, with the virtual private network connection an authorization policy of a plurality of policies based on the identifier of the application;

(d) receiving, by an appliance from the agent, a request from the application on the client to access a resource on the second network; and

(e) determining, by the appliance, from the authorization policy associated with the virtual private network connection to one of allow or deny access to the second network over the virtual private network connection by the application to the resource based on the identifier of the application.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for allowing or denying, by an appliance, access to a resource by an application on a client via a virtual private network connection includes basing the decision to allow or deny access on identification of the application. The appliance intercepts a request from an application on a client on a first network to access via a virtual private network connection a resource on a second network. The appliance identifies the application and associates with the intercepted request an authorization policy based on the identity of the application. The appliance determines, using the authorization policy and the identity of the application, to either allow or deny access by the application to the resource.

122 Citations

View as Search Results

26 Claims

1. A method for an appliance to allow or deny a level of access by an application on a client to a resource via a virtual private network connection based on identification of the application, the method comprising the steps of:
- (a) establishing, by an appliance providing access to a second network, a virtual private network connection between a client on a first network and the appliance, the client having a routing table;
  
  (b) receiving, by the appliance from an agent of the client, via the virtual private network connection, an identifier of an application on the client responsive to a determination that the routing table includes the identifier of the application, the agent intercepting messages from the application to transmit via the virtual private network connection responsive to the determination;
  
  (c) associating, by the appliance, with the virtual private network connection an authorization policy of a plurality of policies based on the identifier of the application;
  
  (d) receiving, by an appliance from the agent, a request from the application on the client to access a resource on the second network; and
  
  (e) determining, by the appliance, from the authorization policy associated with the virtual private network connection to one of allow or deny access to the second network over the virtual private network connection by the application to the resource based on the identifier of the application.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1, comprising denying, by the appliance, access by the application to the resource.
  - 3. The method of claim 2, comprising transmitting, by the appliance, to one of the client or the application a communication indicating access to the resource is denied.
  - 4. The method of claim 1, comprising allowing, by the appliance, access by the application to the resource.
  - 5. The method of claim 4, comprising transmitting, by the appliance, the request on the second network.
  - 6. The method of claim 1, comprising transmitting, by an agent on the client, a name of the application to the appliance.
  - 7. The method of claim 1, comprising establishing, by an agent on the client, the virtual private network connection to the second network via the appliance.
  - 8. The method of claim 1, wherein the identifier of the application comprises a name of the application.
  - 9. The method of claim 1, comprising intercepting, by an agent of the client, a connection request from the application to connect to the server.
  - 10. The method of claim 9, determining, by the agent, from the connection request the identifier of the application.
  - 11. The method of claim 1, comprising specifying, by the authorization policy, a name of the application and an authorization of one of access or deny.
  - 12. The method of claim 1, comprising associating, by the appliance, the authorization policy of the application with a user of the client.
  - 13. The method of claim 1, comprising identifying, by the appliance, the authorization policy of the application based on a user of the client.

14. A system for allowing or denying a level of access by an application on a client to a resource via a virtual private network connection based on identification of the application, the system comprising:
- a means for establishing, by an appliance providing access to a second network, a virtual private network connection between a client on a first network and the appliance, the client having a routing table;
  
  a means for receiving, by the appliance from an agent of the client, via the virtual private network connection, an identifier of an application on the client responsive to a determination that the routing table includes the identifier of the application, the agent intercepting messages from the application to transmit via the virtual private network connection responsive to the determination;
  
  a means for associating, by the appliance, with the virtual private network connection an authorization policy of a plurality of policies based on the identifier of the application;
  
  a means for receiving, by an appliance from the agent, a request from the application on the client to access a resource on the second network; and
  
  a means for determining, by the appliance, from the authorization policy associated with the virtual private network connection to one of allow or deny access to the second network over the virtual private network connection by the application to the resource based on the identifier of the application.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26)
- - 15. The system of claim 14, comprising a means for denying, by the appliance, access by the application to the resource.
  - 16. The system of claim 15, comprising a means for transmitting, by the appliance, to one of the client or the application a communication indicating access to the resource is denied.
  - 17. The system of claim 14, comprising a means for allowing, by the appliance, access by the application to the resource.
  - 18. The system of claim 17, comprising a means for transmitting, by the appliance, the request on the second network.
  - 19. The system of claim 14, comprising a means for transmitting, by an agent on the client, a name of the application to the appliance.
  - 20. The system of claim 14, comprising a means for establishing, by an agent on the client, the virtual private network connection to the second network via the appliance.
  - 21. The system of claim 14, wherein the identifier of the application comprises a name of the application.
  - 22. The system of claim 14, comprising a means for intercepting, by an agent of the client, a connection request from the application to connect to the server.
  - 23. The system of claim 22, comprising a means for determining, by the agent, from the connection request the identifier of the application.
  - 24. The system of claim 14, comprising a means for specifying, by the authorization policy, a name of the application and an authorization of one of access or deny.
  - 25. The system of claim 14, comprising a means for associating, by the appliance, the authorization policy of the application with a user of the client.
  - 26. The system of claim 14, comprising a means for identifying, by the appliance, the authorization policy of the application based on a user of the client.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Citrix Systems, Inc. (Cloud Software Group)
Original Assignee
Citrix Systems, Inc. (Cloud Software Group)
Inventors
Mullick, Amarnath, Nanjundaswamy, Shashi, Venkatraman, Charu, He, Junxiao, Harris, James, Soni, Ajay
Primary Examiner(s)
Algibhah, Hamza
Assistant Examiner(s)
COX, NATISHA D

Application Number

US11/462,329
Publication Number

US 20080034419A1
Time in Patent Office

3,001 Days
Field of Search

726/1
US Class Current

726/15
CPC Class Codes

H04L 63/0272   Virtual private networks

H04L 63/0876   based on the identity of th...

H04L 63/10   for controlling access to d...

H04L 63/102   Entity profiles

H04L 63/20   for managing network securi...

Systems and methods for application based interception of SSL/VPN traffic

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

122 Citations

26 Claims

Specification

Use Cases

Quick Links

Others

Systems and methods for application based interception of SSL/VPN traffic

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

122 Citations

26 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others