Providing virtualized private network tunnels

US 8,931,078 B2
Filed: 09/17/2013
Issued: 01/06/2015
Est. Priority Date: 10/15/2012
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

receiving an authentication challenge at a mobile device in connection with an authentication process for a managed application establishing a per-application policy-controlled virtual private network (VPN) tunnel that is inaccessible to other applications of the mobile device;

analyzing policy information to determine that the policy information allows the mobile device to respond to the authentication challenge instead of a user or the managed application, wherein the policy information describes one or more policies for providing the managed application with access to at least one resource accessible through an access gateway;

responding, by the mobile device, to the authentication challenge instead of the user or the managed application;

providing the managed application with access to the at least one resource based at least on the per-application policy-controlled VPN tunnel, a ticket configured to provide authentication in connection with establishing the per-application policy-controlled VPN tunnel, and the policy information, wherein the ticket includes a validity duration;

transmitting, during the validity duration, the ticket to the access gateway to cause the per-application policy-controlled VPN tunnel to be re-established a first time;

closing the per-application policy-controlled VPN tunnel after re-establishing the per-application policy-controlled VPN tunnel the first time; and

after closing the per-application policy-controlled VPN tunnel, transmitting, during the validity duration, the ticket to the access gateway to cause the per-application policy-controlled VPN tunnel to be re-established a second time.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Various aspects of the disclosure relate to providing a per-application policy-controlled virtual private network (VPN) tunnel. In some embodiments, tickets may be used to provide access to an enterprise resource without separate authentication of the application and, in some instances, can be used in such a manner as to provide a seamless experience to the user when reestablishing a per-application policy controlled VPN tunnel during the lifetime of the ticket. Additional aspects relate to an access gateway providing updated policy information and tickets to a mobile device. Other aspects relate to selectively wiping the tickets from a secure container of the mobile device. Yet further aspects relate to operating applications in multiple modes, such as a managed mode and an unmanaged mode, and providing authentication-related services based on one or more of the above aspects.

298 Citations

19 Claims

1. A method, comprising:
- receiving an authentication challenge at a mobile device in connection with an authentication process for a managed application establishing a per-application policy-controlled virtual private network (VPN) tunnel that is inaccessible to other applications of the mobile device;
  
  analyzing policy information to determine that the policy information allows the mobile device to respond to the authentication challenge instead of a user or the managed application, wherein the policy information describes one or more policies for providing the managed application with access to at least one resource accessible through an access gateway;
  
  responding, by the mobile device, to the authentication challenge instead of the user or the managed application;
  
  providing the managed application with access to the at least one resource based at least on the per-application policy-controlled VPN tunnel, a ticket configured to provide authentication in connection with establishing the per-application policy-controlled VPN tunnel, and the policy information, wherein the ticket includes a validity duration;
  
  transmitting, during the validity duration, the ticket to the access gateway to cause the per-application policy-controlled VPN tunnel to be re-established a first time;
  
  closing the per-application policy-controlled VPN tunnel after re-establishing the per-application policy-controlled VPN tunnel the first time; and
  
  after closing the per-application policy-controlled VPN tunnel, transmitting, during the validity duration, the ticket to the access gateway to cause the per-application policy-controlled VPN tunnel to be re-established a second time.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein the policy information defines that the mobile device is allowed to send responses to authentication challenges based on a listing of allowed sources.
  - 3. The method of claim 1, wherein the policy information defines that the mobile device is allowed to send responses to authentication challenges based on the mobile device having the ticket.
  - 4. The method of claim 1, further comprising:
    - receiving another authentication challenge; and
      
      after receiving said another authentication challenge;
      
      determining that the mobile device is not allowed to respond to said another authentication challenge based on a determination that the ticket has expired, andproviding said another authentication challenge for further processing in accordance with a conventional method of responding to authentication challenges.
  - 5. The method of claim 4, wherein the conventional method of responding to authentication challenges includes providing a notification to the user that directs the user to select credentials to send as a response to said another authentication challenge.
  - 6. The method of claim 1, further comprising:
    - determining that the ticket has expired;
      
      obtaining a new ticket;
      
      determining that the new ticket is valid; and
      
      transmitting the new ticket to the access gateway.
  - 7. The method of claim 1, further comprising:
    - providing the ticket to the access gateway as part of a process of establishing the per-application policy-controlled VPN tunnel.
  - 8. The method of claim 1, wherein responding to the authentication challenges is performed without requiring a user of the mobile device input or select a credential to send as a response to the authentication challenge.
  - 9. The method of claim 1, further comprising:
    - identifying receipt of the authentication challenge at least by monitoring network traffic flowing within the per-application policy-controlled VPN tunnel; and
      
      intercepting the authentication challenge before it is received by the managed application.

10. A method, comprising:
- providing a managed browser executing on a mobile device with access to at least one resource accessible through an access gateway based at least on a per-application policy-controlled virtual private network (VPN) tunnel that is inaccessible to applications of the mobile device different from the managed browser, a ticket configured to provide authentication in connection with creating the per-application policy-controlled VPN tunnel, and policy information that describes one or more policies for providing the managed browser with access to the at least one resource, wherein the ticket includes a validity duration;
  
  receiving a message representing a demand for a certificate at a mobile device in connection with the managed browser;
  
  analyzing policy information to determine that the policy information allows the mobile device to respond to the message instead of a user or the managed browser;
  
  responding, by the mobile device, to the message instead of the user or the managed browser;
  
  transmitting, during the validity duration, the ticket to the access gateway to cause the per-application policy-controlled VPN tunnel to be re-established a first time;
  
  closing the per-application policy-controlled VPN tunnel after re-establishing the per-application policy-controlled VPN tunnel the first time; and
  
  after closing the per-application policy-controlled VPN tunnel, transmitting, during the validity duration, the ticket to the access gateway to cause the per-application policy-controlled VPN tunnel to be re-established a second time.
- View Dependent Claims (11, 12, 13, 14, 15)
- - 11. The method of claim 10, wherein the policy information defines that the mobile device is allowed to send responses to the message based on a listing of certificates or a listing of types of certificates.
  - 12. The method of claim 10, wherein the policy information defines that the mobile device is allowed to send responses to the message based on the mobile device having the ticket.
  - 13. The method of claim 10, further comprising:
    - receiving another message representing a demand for another certificate; and
      
      after receiving said another message;
      
      determining that the mobile device is not allowed to respond to said another message based on a determination that the ticket has expired, andproviding said another message for further processing in accordance with a conventional method of responding to certificate demands.
  - 14. The method of claim 13, wherein the conventional method of responding to certificate demands includes providing a notification to the user that directs the user to select credentials to send as a response to said another message.
  - 15. The method of claim 10, further comprising:
    - determining that the ticket has expired;
      
      obtaining a new ticket;
      
      determining that the new ticket is valid; and
      
      transmitting the new ticket to the access gateway.

16. A method, comprising:
- receiving, at an access gateway through which at least one resource is accessible, a message in connection with an initial authentication process that authenticates a user prior to allowing a managed application executing on a mobile device access to the at least one resource;
  
  determining credential information associated with the user, wherein the credential information includes a ticket configured to provide authentication in connection with creating a per-application policy-controlled virtual private network (VPN) tunnel to access the at least one resource, wherein the ticket includes a validity duration;
  
  transmitting the credential information to at least the mobile device;
  
  opening the per-application policy-controlled VPN tunnel to provide the managed application with access to the at least one resource;
  
  receiving, during the validity duration, the ticket at the access gateway to cause the per-application policy-controlled VPN tunnel to be re-established a first time;
  
  closing the per-application policy-controlled VPN tunnel after re-establishing the per-application policy-controlled VPN tunnel the first time; and
  
  after closing the per-application policy-controlled VPN tunnel, receiving, during the validity duration, the ticket at the access gateway to cause the per-application policy-controlled VPN tunnel to be re-established a second time.
- View Dependent Claims (17, 18, 19)
- - 17. The method of claim 16, wherein the credential information includes a listing of tickets that have been issued to a plurality of mobile devices associated with the user.
  - 18. The method of claim 17, further comprising:
    - transmitting the credential information to each of the plurality of mobile device.
  - 19. The method of claim 16, wherein the credential information includes a listing of one or more policies that are linked to the user, each policy of the listing of one or more policies being specific to a different application, and wherein one of the listing of one or more policies describes conditions related to when the mobile device is permitted access to the at least one resource.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Citrix Systems, Inc. (Cloud Software Group)
Original Assignee
Citrix Systems, Inc. (Cloud Software Group)
Inventors
Barton, Gary, Lang, Zhongmin, Desai, Nitin, Walker, James Robert
Primary Examiner(s)
Davis, Zachary A
Assistant Examiner(s)
Korsak, Oleg

Application Number

US14/029,096
Publication Number

US 20140109175A1
Time in Patent Office

476 Days
Field of Search

726/1, 726/4, 726/15
US Class Current

726/15
CPC Class Codes

H04L 63/0272   Virtual private networks

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0884   by delegation of authentica...

H04L 63/20   for managing network securi...

H04W 12/06   Authentication

H04W 12/082   using revocation of authori...

H04W 12/086   using security domains

H04W 12/37   Managing security policies ...

H04W 12/63   Location-dependent; Proximi...

H04W 12/64   using geofenced areas

Providing virtualized private network tunnels

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

298 Citations

19 Claims

Specification

Use Cases

Quick Links

Others

Providing virtualized private network tunnels

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

298 Citations

19 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others