Systems and methods for fine grain policy driven clientless SSL VPN access

US 8,893,259 B2
Filed: 01/26/2009
Issued: 11/18/2014
Est. Priority Date: 01/26/2008
Status: Active Grant

First Claim

Patent Images

1. A method for establishing, via policy, a clientless secure socket layer virtual private network (SSL VPN) session between a client and a server, the method comprising:

a) receiving, by an intermediary, a request from a client to access a server, the intermediary establishing SSL VPN sessions between clients and the server,b) identifying, by the intermediary, a session policy based on the request, the session policy indicating whether to establish a client based SSL VPN session or clientless SSL VPN session with the server;

c) determining, by the intermediary responsive to the session policy, to establish a clientless SSL VPN session between the client and the server; and

d) identifying, by the intermediary responsive to the establishment of the clientless SSL VPN session, a first access profile for the clientless SSL VPN session from a plurality of access profiles for controlling access via the clientless SSL VPN session, the first access profile (i) specifying one or more rewrite policies for modifying content from the server and (ii) identified based on at least one of;

a user of the client and an application providing the content.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present disclosure provides solutions that may enable an enterprise providing services to a number of clients to determine whether to establish a client based SSL VPN session or a clientless SSL VPN session with a client based on an information associated with the client. An intermediary establishing SSL VPN sessions between clients and servers may receive a request from a client to access a server. The intermediary may identify a session policy based on the request. The session policy may indicate whether to establish a client based SSL VPN session or clientless SSL VPN session with the server. The intermediary may determine, responsive to the policy, to establish a clientless or client based SSL VPN session between the client and the server.

Citations

21 Claims

1. A method for establishing, via policy, a clientless secure socket layer virtual private network (SSL VPN) session between a client and a server, the method comprising:
- a) receiving, by an intermediary, a request from a client to access a server, the intermediary establishing SSL VPN sessions between clients and the server,b) identifying, by the intermediary, a session policy based on the request, the session policy indicating whether to establish a client based SSL VPN session or clientless SSL VPN session with the server;
  
  c) determining, by the intermediary responsive to the session policy, to establish a clientless SSL VPN session between the client and the server; and
  
  d) identifying, by the intermediary responsive to the establishment of the clientless SSL VPN session, a first access profile for the clientless SSL VPN session from a plurality of access profiles for controlling access via the clientless SSL VPN session, the first access profile (i) specifying one or more rewrite policies for modifying content from the server and (ii) identified based on at least one of;
  
  a user of the client and an application providing the content.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, comprising establishing, by the intermediary responsive to the determination, the clientless SSL VPN session with the server.
  - 3. The method of claim 1, wherein step (a) further comprising receiving, by the intermediary, the request from the client to access an application on the server and wherein step (b) further comprises the session policy indicating whether to establish the client based or clientless SSL VPN session with the server based on the application.
  - 4. The method of claim 3, wherein the access profile specifies one or more rewrite policies for the application.
  - 5. The method of claim 1, wherein step (a) further comprises receiving, by the intermediary, the request from a user to access the server and wherein step (b) further comprises the session policy indicating whether to establish the client based or clientless SSL VPN session with the server based on the user.
  - 6. The method of claim 1, wherein step (c) further comprises identifying, by the intermediary, the first access profile for establishing the clientless SSL VPN session, the first access profile specifying the one or more rewrite policies.
  - 7. The method of claim 1, wherein step (c) further comprises identifying the first access profile, the one or more rewrite policies of the first access profile configured differently from one or more rewrite policies of a second access profile of the plurality of access profiles.
  - 8. The method of claim 1, wherein step (c) further comprises identifying, responsive to one or more policies, the first access profile from the plurality of access profiles for controlling access via the clientless SSL VPN session.
  - 9. The method of claim 1, further comprising identifying the first access profile based on one or more of the following:
    - information about the client, and the server identified by the request.
  - 10. The method of claim 1, wherein step (c) further comprises identifying the first access profile comprising a first rewrite policy for rewriting a uniform resource locator in a first specified type of content from the server and a second rewrite policy for rewriting a uniform resource locator in a second specified type of content from the server.

11. An intermediary for establishing via policy a clientless secure socket layer virtual private network (SSL VPN) session between a client and a server, the intermediary comprising:
- a packet engine executing on a hardware processor, for receiving a request from a client to access a server, the intermediary establishing SSL VPN sessions between clients and the server,a policy engine for identifying a session policy based on the request, the session policy indicating whether to establish a client based SSL VPN session or clientless SSL VPN session with the server; and
  
  wherein the intermediary determines responsive to the session policy to establish a clientless SSL VPN session between the client and the server, and identifies, responsive to the establishment of the clientless SSL VPN session, a first access profile for the clientless SSL VPN session from a plurality of access profiles for controlling access via the clientless SSL VPN session, the access profile (i) specifying one or more rewrite policies for modifying content from the server and (ii) identified based on at least one of;
  
  a user of the client and an application providing the content.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19)
- - 12. The intermediary of claim 11, wherein the intermediary establishes, responsive to the determination, the clientless SSL VPN session with the server.
  - 13. The intermediary of claim 11, further comprising the packet engine receiving the request from the client to access an application on the server and the session policy indicating whether to establish the client based or clientless SSL VPN session with the server based on the application.
  - 14. The intermediary of claim 11, further comprising the policy engine responsive to one or more policies identifying an access profile for controlling access via the clientless SSL VPN session, the access profile specifying one or more rewrite policies for the application.
  - 15. The intermediary of claim 11, further comprising the packet engine receiving the request from a user to access the server and the session policy indicating whether to establish the client based or clientless SSL VPN session with the server based on the user.
  - 16. The intermediary of claim 11, further comprising the policy engine identifying an access profile for controlling access to the clientless SSL VPN session, the access profile specifying one or more rewrite policies.
  - 17. The intermediary of claim 11, further comprising the policy engine identifying the first access profile, the one or more rewrite policies of the first access profile configured differently from one or more rewrite policies of a second access profile of the plurality of access profiles.
  - 18. The intermediary of claim 11, further comprising the policy engine identifying, responsive to one or more policies, a first access profile from a plurality of access profiles for controlling access via the clientless SSL VPN session.
  - 19. The intermediary of claim 11, further comprising the policy engine identifying the first access profile based on one or more of the following:
    - information about the client, and the server identified by the request.

20. An intermediary for establishing via policy a clientless secure socket layer virtual private network (SSL VPN) session between a client and a server, the intermediary comprising:
- means for receiving a request from a client to access a server, the intermediary establishing SSL VPN sessions between clients and the server,means for identifying a session policy based on the request, the session policy indicating whether to establish a client based or clientless SSL VPN session with the server;
  
  means for determining, responsive to the session policy, to establish a clientless SSL VPN session between the client and the server; and
  
  means for identifying, by the intermediary responsive to the establishment of the clientless SSL VPN session, a first access profile for the clientless SSL VPN session from a plurality of access profiles for controlling access via the clientless SSL VPN session, the first access profile (i) specifying one or more rewrite policies for modifying content from the server, and (ii) identified based on at least one of;
  
  a user of the client and an application providing the content.
- View Dependent Claims (21)
- - 21. The intermediary of claim 20, further comprising means for establishing, responsive to the determination, one of the client based or the clientless SSL VPN session with the server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Citrix Systems, Inc. (Cloud Software Group)
Original Assignee
Citrix Systems, Inc. (Cloud Software Group)
Inventors
Agarwal, Puneet, Adhya, Saibal Kumar, Choudhary, Akshat, Thirunarayanan, Srinivasan
Primary Examiner(s)
PYZOCHA, MICHAEL J

Application Number

US12/359,982
Publication Number

US 20090193498A1
Time in Patent Office

2,122 Days
Field of Search

726/15, 713/153
US Class Current

726/15
CPC Class Codes

H04L 63/0272   Virtual private networks

H04L 63/0281   Proxies

H04L 63/105   Multiple levels of security

H04L 63/166   at the transport layer

H04L 63/20   for managing network securi...

H04L 67/02   based on web technology, e....

H04L 67/14   Session management for real...

H04L 67/563   Data redirection of data ne...

H04L 67/59   Providing operational suppo...

Systems and methods for fine grain policy driven clientless SSL VPN access

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for fine grain policy driven clientless SSL VPN access

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links