Method and system for authorizing a level of access of a client to a virtual private network connection, based on a client-side attribute

US 8,904,475 B2
Filed: 02/06/2013
Issued: 12/02/2014
Est. Priority Date: 08/21/2006
Status: Active Grant

First Claim

Patent Images

1. A method for assigning a client to an authorization group based on a client-side attribute, the method comprising:

(a) identifying, by a device intermediary to a plurality of clients and a server, a policy for evaluating a client responsive to a first request of the client to access the server, the policy specifying an expression comprising a plurality of clauses joined by one or more logical operators, each clause of the plurality of clauses identifying a different client-side attribute to be evaluated by the client;

(b) transmitting, by the device to the client, a second request to the client to have the client evaluate the plurality of clauses;

(c) receiving, by the device from the client, a response to the second request, the response comprising a result of evaluation by the client of the plurality of clauses of the expression;

(d) assigning, by the device, the client to an authorization group responsive to applying the policy to the result of the evaluation; and

(e) establishing, by the device, a virtual private network connection with the client responsive to the assigned authorization group.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An appliance and method for authorizing a level of access of a client to a virtual private network connection, based on a client-side attribute includes the step of establishing, by an appliance, a control connection with a client upon receiving a client request to establish a virtual private network connection with a network. The appliance transmits, via the control connection, a request to the client to evaluate at least one clause of a security string, the at least one clause including an expression associated with a client-side attribute. The client transmits, via the control connection, a response to the appliance comprising a result of evaluating the at least one clause by the client. The appliance assigns the client to an authorization group based on the result of evaluation of the at least one clause.

Citations

18 Claims

1. A method for assigning a client to an authorization group based on a client-side attribute, the method comprising:
- (a) identifying, by a device intermediary to a plurality of clients and a server, a policy for evaluating a client responsive to a first request of the client to access the server, the policy specifying an expression comprising a plurality of clauses joined by one or more logical operators, each clause of the plurality of clauses identifying a different client-side attribute to be evaluated by the client;
  
  (b) transmitting, by the device to the client, a second request to the client to have the client evaluate the plurality of clauses;
  
  (c) receiving, by the device from the client, a response to the second request, the response comprising a result of evaluation by the client of the plurality of clauses of the expression;
  
  (d) assigning, by the device, the client to an authorization group responsive to applying the policy to the result of the evaluation; and
  
  (e) establishing, by the device, a virtual private network connection with the client responsive to the assigned authorization group.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein each clause comprises an object identifying the client, an attribute of the object and a prerequisite of the attribute.
  - 3. The method of claim 2, wherein the attribute identifies an application of the client and the prerequisite identifies a predetermined version level of the application.
  - 4. The method of claim 2, wherein the attribute identifies a process of the client and the prerequisite identifies a status of execution of the process.
  - 5. The method of claim 1, wherein the plurality of clauses comprises disjunctive clauses in which the client may satisfy each clause to satisfy the expression.
  - 6. The method of claim 1, wherein step (b) further comprising transmitting the second request to the client via a control connection between the client and the device.
  - 7. The method of claim 1, wherein step (c) further comprises receiving, by the device, the response comprising the result of the evaluation, the result comprising an indication whether or not the client satisfies each clause.
  - 8. The method of claim 1, wherein step (d) further comprises determining, by the device, whether a prerequisite of each clause is satisfied based on the result from the response.
  - 9. The method of claim 1, further assigning, by the device, the client to the authorization group providing one level of access from a plurality of levels of access.

10. A system for assigning a client to an authorization group based on a client-side attribute, the system comprising:
- a device intermediary to a plurality of clients and a server;
  
  wherein the device is configured to identify a policy for evaluating a client responsive to a first request of the client to access the server, the policy specifying an expression comprising a plurality of clauses joined by one or more logical operators, each clause of the plurality of clauses identifying a different client-side attribute to be evaluated by the client;
  
  wherein the device is configured to transmit to the client a second request to the client to have the client evaluate the plurality of clauses;
  
  wherein the device is configured to receive a response to the second request, the response comprising a result of evaluation by the client of the plurality of clauses of the expression; and
  
  wherein the device is configured to assign the client to an authorization group responsive to applying the policy to the result of the evaluation, and to establish a virtual private network connection with the client responsive to the assigned authorization group.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The system of claim 10, wherein each clause comprises an object identifying the client, an attribute of the object and a prerequisite of the attribute.
  - 12. The system of claim 11, wherein the attribute identifies an application of the client and the prerequisite identifies a predetermined version level of the application.
  - 13. The system of claim 11, wherein the attribute identifies a process of the client and the prerequisite identifies a status of execution of the process.
  - 14. The system of claim 10, wherein the plurality of clauses comprises disjunctive clauses in which the client may satisfy each clause to satisfy the expression.
  - 15. The system of claim 10, wherein the device is configured to transmit the second request to the client via a control connection between the client and the device.
  - 16. The system of claim 10, wherein the device is configured to receive the response comprising the result of the evaluation, the result comprising an indication whether or not the client satisfies each clause.
  - 17. The system of claim 10, wherein the device is configured to determine whether a prerequisite of each clause is satisfied based on the result from the response.
  - 18. The system of claim 10, wherein the device is configured to assign the client to the authorization group providing one level of access from a plurality of levels of access.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Citrix Systems, Inc. (Cloud Software Group)
Original Assignee
Citrix Systems, Inc. (Cloud Software Group)
Inventors
Mullick, Amarnath, Venkatraman, Charu, Nanjundaswamy, Shashi, He, Junxiao, Soni, Ajay
Primary Examiner(s)
Yalew, Fikremariam A

Application Number

US13/760,898
Publication Number

US 20130152162A1
Time in Patent Office

664 Days
Field of Search

None
US Class Current

726/1
CPC Class Codes

H04L 63/0272   Virtual private networks

H04L 63/102   Entity profiles

H04L 63/105   Multiple levels of security

H04L 63/20   for managing network securi...

Method and system for authorizing a level of access of a client to a virtual private network connection, based on a client-side attribute

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for authorizing a level of access of a client to a virtual private network connection, based on a client-side attribute

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links