Method and system for authorizing a level of access of a client to a virtual private network connection, based on a client-side attribute
Abstract
An appliance and method for authorizing a level of access of a client to a virtual private network connection, based on a client-side attribute includes the step of establishing, by an appliance, a control connection with a client upon receiving a client request to establish a virtual private network connection with a network. The appliance transmits, via the control connection, a request to the client to evaluate at least one clause of a security string, the at least one clause including an expression associated with a client-side attribute. The client transmits, via the control connection, a response to the appliance comprising a result of evaluating the at least one clause by the client. The appliance assigns the client to an authorization group based on the result of evaluation of the at least one clause.
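The exchange the abstract and the claims describe, as an added example in Python. It is not code from the patent or from any vendor's appliance. The policy representation (an expression tree of AND/OR over clauses), the JSON message shapes, the attribute names (os.name, antivirus.running, patch.level, firewall.enabled), the first-match rule for choosing a group, the default "quarantine" group and the sample client attribute sets are all assumptions made for the illustration; the page fixes none of them.

```python
from __future__ import annotations

import json
import operator
from dataclasses import dataclass


@dataclass(frozen=True)
class Clause:
    """One clause of a security string: a single client-side attribute
    compared with a value. The client evaluates it; the appliance does not."""
    attribute: str   # e.g. "os.name" (assumed attribute names)
    op: str          # one of the keys of _OPS
    value: object

    @property
    def cid(self) -> str:
        """Identifier used to match a clause with the client's reported result."""
        return f"{self.attribute}{self.op}{self.value!r}"


# An expression is either a Clause or a tuple ("AND" | "OR", left, right).
@dataclass
class Policy:
    name: str
    group: str    # authorization group assigned when the expression holds
    expr: object


_OPS = {"==": operator.eq, "!=": operator.ne, ">=": operator.ge, "<=": operator.le}


def clauses_of(expr) -> list[Clause]:
    """Flatten an expression tree into its distinct clauses (step (a))."""
    if isinstance(expr, Clause):
        return [expr]
    _, left, right = expr
    distinct = {}
    for clause in clauses_of(left) + clauses_of(right):
        distinct.setdefault(clause.cid, clause)
    return list(distinct.values())


def apply_policy(expr, results: dict[str, bool]) -> bool:
    """Join the client's per-clause booleans with the policy's own operators.
    Raises KeyError if the client did not report a clause the policy needs."""
    if isinstance(expr, Clause):
        return results[expr.cid]
    op, left, right = expr
    left_ok, right_ok = apply_policy(left, results), apply_policy(right, results)
    return (left_ok and right_ok) if op == "AND" else (left_ok or right_ok)


class Appliance:
    """Device intermediary to the clients and the server."""

    def __init__(self, policies: list[Policy], default_group: str = "quarantine"):
        self.policies = policies
        self.default_group = default_group  # group used when no policy holds (assumed)

    def clauses(self) -> dict[str, dict]:
        """Union of the clauses of all policies, keyed by clause id."""
        out = {}
        for policy in self.policies:
            for c in clauses_of(policy.expr):
                out[c.cid] = {"attribute": c.attribute, "op": c.op, "value": c.value}
        return out

    def build_request(self) -> str:
        """Step (b): ship only the clauses; the operators and the group
        mapping never leave the appliance."""
        return json.dumps({"type": "evaluate", "clauses": self.clauses()})

    def assign_group(self, response: str) -> str:
        """Step (d): first policy whose expression holds wins (assumed rule);
        a clause the client failed to report counts as not satisfied."""
        results = json.loads(response)["results"]
        for policy in self.policies:
            try:
                if apply_policy(policy.expr, results):
                    return policy.group
            except KeyError:
                continue
        return self.default_group


def client_evaluate(request: str, attributes: dict) -> str:
    """Step (c), on the client: evaluate each clause against local attributes
    and report booleans only, never the raw attribute values."""
    results = {}
    for cid, c in json.loads(request)["clauses"].items():
        actual = attributes.get(c["attribute"])
        try:
            results[cid] = actual is not None and bool(_OPS[c["op"]](actual, c["value"]))
        except TypeError:  # e.g. a string attribute compared with an int
            results[cid] = False
    return json.dumps({"type": "result", "results": results})


def run_session(appliance: Appliance, attributes: dict) -> str:
    """Steps (b) to (d) for one client; the returned group is what the
    appliance hands to VPN setup in step (e)."""
    return appliance.assign_group(client_evaluate(appliance.build_request(), attributes))


# Constructed sample policies and client attribute sets (not from the page).
POLICIES = [
    Policy("managed-windows", "full",
           ("AND", Clause("os.name", "==", "Windows"),
                   ("AND", Clause("antivirus.running", "==", True),
                           Clause("patch.level", ">=", 2024)))),
    Policy("basic-hygiene", "restricted",
           ("OR", Clause("antivirus.running", "==", True),
                  Clause("firewall.enabled", "==", True))),
]
APPLIANCE = Appliance(POLICIES)
COMPLIANT_CLIENT = {"os.name": "Windows", "antivirus.running": True,
                    "patch.level": 2025, "firewall.enabled": True}
PARTIAL_CLIENT = {"os.name": "macOS", "antivirus.running": False,
                  "patch.level": 2023, "firewall.enabled": True}
BARE_CLIENT = {"os.name": "Linux"}

if __name__ == "__main__":
    for name, attrs in [("compliant", COMPLIANT_CLIENT),
                        ("partial", PARTIAL_CLIENT), ("bare", BARE_CLIENT)]:
        print(name, "->", run_session(APPLIANCE, attrs))
```

Two properties of the split are worth noticing. The client only ever sees the flattened clauses, so it learns which attributes are checked but not how they combine or which group each combination yields; the clause shared by both policies is sent once and its single result feeds both. And every boolean is computed and reported by the client, so the appliance is acting on a self-assertion; all it can verify is that the response arrived on the control connection it opened with that client, which is why that connection, and the agent answering on it, are the parts to authenticate and protect in a deployment.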
18 Claims
1. A method for assigning a client to an authorization group based on a client-side attribute, the method comprising:
(a) identifying, by a device intermediary to a plurality of clients and a server, a policy for evaluating a client responsive to a first request of the client to access the server, the policy specifying an expression comprising a plurality of clauses joined by one or more logical operators, each clause of the plurality of clauses identifying a different client-side attribute to be evaluated by the client;
(b) transmitting, by the device to the client, a second request to the client to have the client evaluate the plurality of clauses;
(c) receiving, by the device from the client, a response to the second request, the response comprising a result of evaluation by the client of the plurality of clauses of the expression;
(d) assigning, by the device, the client to an authorization group responsive to applying the policy to the result of the evaluation; and
(e) establishing, by the device, a virtual private network connection with the client responsive to the assigned authorization group.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9
10. A system for assigning a client to an authorization group based on a client-side attribute, the system comprising:
a device intermediary to a plurality of clients and a server;
wherein the device is configured to identify a policy for evaluating a client responsive to a first request of the client to access the server, the policy specifying an expression comprising a plurality of clauses joined by one or more logical operators, each clause of the plurality of clauses identifying a different client-side attribute to be evaluated by the client;
wherein the device is configured to transmit to the client a second request to the client to have the client evaluate the plurality of clauses;
wherein the device is configured to receive a response to the second request, the response comprising a result of evaluation by the client of the plurality of clauses of the expression; and
wherein the device is configured to assign the client to an authorization group responsive to applying the policy to the result of the evaluation, and to establish a virtual private network connection with the client responsive to the assigned authorization group.
Dependent claims: 11, 12, 13, 14, 15, 16, 17, 18