Method and systems for routing packets from a gateway to an endpoint

US 8,897,299 B2
Filed: 01/11/2013
Issued: 11/25/2014
Est. Priority Date: 07/23/2004
Status: Active Grant

First Claim

Patent Images

1. A method for routing packets by a device intermediary to a client and a server, the method comprising:

(a) establishing, by a device intermediary to a client on a public network and a server on a private network, for the client a private internet protocol (IP) address on the private network, the client having a public IP address on the public network, the device not providing the private IP address to the client;

(b) receiving, by a management process executing in user mode memory space of the device from a driver operating in kernel mode of the device, a packet originating from the server and addressed to the private IP address of the client; and

(c) applying, by a policy engine executing on the device responsive to the management process, a policy to the packet to determine whether to transmit the packet to the client based on source of the packet.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for routing packets from a gateway to an endpoint includes the step of associating a private internet protocol (IP) address with an endpoint having a public IP address. A packet addressed to the private IP address of the endpoint is captured. A policy is applied to the packet. The packet is transmitted to the public IP address of the endpoint, responsive to the application of the policy to the packet.

776 Citations

20 Claims

1. A method for routing packets by a device intermediary to a client and a server, the method comprising:
- (a) establishing, by a device intermediary to a client on a public network and a server on a private network, for the client a private internet protocol (IP) address on the private network, the client having a public IP address on the public network, the device not providing the private IP address to the client;
  
  (b) receiving, by a management process executing in user mode memory space of the device from a driver operating in kernel mode of the device, a packet originating from the server and addressed to the private IP address of the client; and
  
  (c) applying, by a policy engine executing on the device responsive to the management process, a policy to the packet to determine whether to transmit the packet to the client based on source of the packet.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein step (a) further comprises assigning, by an addressing element executing in user mode memory space of the device, the private network address to the client.
  - 3. The method of claim 1, wherein step (b) further comprises intercepting, by the driver, the packet at a Media Access Control (MAC) layer.
  - 4. The method of claim 1, wherein step (b) further comprises intercepting, by the driver, at a layer below a transport layer, the packet communicated via a transport layer connection between the device and the server.
  - 5. The method of claim 1, wherein step (b) further comprising communicating, by the driver, the packet to the management process responsive to the management process requesting the driver to forward packets addressed to the private IP address.
  - 6. The method of claim 1, wherein step (c) further comprises applying, by the policy engine executing in user mode memory space of the device, the policy to the packet to determine whether the packet originated from the source comprising one of a trusted source or a protected server.
  - 7. The method of claim 1, further comprising determining, by the policy engine, to transmit the packet to the client, and responsive to the determination, the device modifying the packet to be addressed to the public IP address of the client.
  - 8. The method of claim 7, further comprising transmitting, by the device, the packet to the public IP address of the client via a transport layer connection between the device and the client.
  - 9. The method of claim 8, further comprising transmitting, by the device, the packet to a client application on the device that terminates the transport layer connection to the device.
  - 10. The method of claim 9, wherein the client application terminates a second transport layer connection with an application on the client to which the packet is destined.

11. A system intermediary to a client and a server for routing packet, the system comprising:
- a device intermediary to a client on a public network and a server on a private network, the device to establish for the client a private internet protocol (IP) address on the private network, the client having a public IP address on the public network, the device not providing the private IP address to the client;
  
  a management process executable in user mode memory space of the device to receive from a driver operating in kernel mode of the device a packet originating from the server and addressed to the private IP address of the client; and
  
  a policy engine executable on the device to apply, responsive to the management process, a policy to the packet to determine whether to transmit the packet to the client based on source of the packet.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The system of claim 11, further comprising an addressing element executable in user mode memory space of the device to assign the private network address to the client.
  - 13. The system of claim 11, wherein the driver is configured to intercept the packet at a Media Access Control (MAC) layer.
  - 14. The system of claim 11, wherein the driver is configured to intercept at a layer below a transport layer, the packet communicated via a transport layer connection between the device and the server.
  - 15. The system of claim 11, wherein the driver is configured to communicate the packet to the management process responsive to the management process requesting the driver to forward packets addressed to the private IP address.
  - 16. The system of claim 11, wherein the policy engine executable in user mode memory space of the device to apply the policy to the packet to determine whether packet originated from the source comprising one of a trusted source or a protected server.
  - 17. The system of claim 11, wherein the policy engine is configured to determine to transmit the packet to the client, and responsive to the determination, the device is configured to modify the packet to be addressed to the public IP address of the client.
  - 18. The system of claim 17, wherein the device is configured to transmit the packet to the public IP address of the client via a transport layer connection between the device and the client.
  - 19. The system of claim 18, wherein the device is configured to transmit the packet to a client application on the device that terminates the transport layer connection to the device.
  - 20. The system of claim 19, wherein the client application is configured to terminate a second transport layer connection with an application on the client to which the packet is destined.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Citrix Systems, Inc. (Cloud Software Group)
Original Assignee
Citrix Systems, Inc. (Cloud Software Group)
Inventors
Rao, Goutham P., Rodriguez, Robert A., Brueggemann, Eric R.
Primary Examiner(s)
Rinehart, Mark
Assistant Examiner(s)
BROCKMAN, ANGEL T

Application Number

US13/739,895
Publication Number

US 20130128892A1
Time in Patent Office

683 Days
Field of Search

370/389, 370/391
US Class Current

370/389
CPC Class Codes

H04L 12/2856   Access arrangements, e.g. I...

H04L 12/2898   Subscriber equipments DSL m...

H04L 45/00   Routing or path finding of ...

H04L 45/72   Routing based on the source...

H04L 47/20   Traffic policing

H04L 61/00   Network arrangements, proto...

H04L 61/2514   between local and global IP...

H04L 61/2557   Translation policies or rules

H04L 63/0227   Filtering policies mail mes...

H04L 63/0272   Virtual private networks

H04L 63/101   Access control lists [ACL]

H04L 63/164   at the network layer

H04L 63/166   at the transport layer

H04L 63/20   for managing network securi...

Method and systems for routing packets from a gateway to an endpoint

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

776 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Method and systems for routing packets from a gateway to an endpoint

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

776 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links