Multi-service VPN network client for mobile device

US 8,949,968 B2
Filed: 02/23/2012
Issued: 02/03/2015
Est. Priority Date: 06/30/2010
Status: Active Grant

First Claim

Patent Images

1. A cellular mobile device comprising:

a transmitter and receiver to send and receive cellular communications in the form of radio frequency signals;

a microprocessor;

an operating system executing on the microprocessor to provide an operating environment for application software; and

a multi-service network client registered with the operating system as a single application, wherein the multi-service network client comprises;

a virtual private network (VPN) handler to establish a VPN connection with a remote VPN security device, wherein the VPN handler encrypts outbound network packets for transmission through the VPN connection and decrypts inbound network packets received from the VPN connection to securely tunnel the network packets between the cellular mobile device and the remote VPN security device;

a security manager to receive the decrypted inbound network packets from the VPN handler and apply one or more security services to the decrypted network packets received by the VPN handler through the VPN connection; and

a VPN control application that provides a unified user interface that allows a user to configure both the VPN handler and the security manager.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An integrated, multi-service network client for cellular mobile devices is described. The multi-service network client can be deployed as a single software package on cellular mobile network devices to provide integrated services including secure enterprise virtual private network (VPN) connectivity, acceleration, security management including monitored and enforced endpoint compliance, and collaboration services. Once installed on the cellular mobile device, the multi-service client integrates with an operating system of the device to provide a single entry point for user authentication for secure enterprise connectivity, endpoint security services including endpoint compliance with respect to anti-virus and spyware software, and comprehensive integrity checks. That is, the multi-service client provides a common user interface to the integrated services, and provides a VPN handler that interfaces with the operating system to provide an entry point for network traffic to which the integrated services can be seamlessly applied.

Citations

37 Claims

1. A cellular mobile device comprising:
- a transmitter and receiver to send and receive cellular communications in the form of radio frequency signals;
  
  a microprocessor;
  
  an operating system executing on the microprocessor to provide an operating environment for application software; and
  
  a multi-service network client registered with the operating system as a single application, wherein the multi-service network client comprises;
  
  a virtual private network (VPN) handler to establish a VPN connection with a remote VPN security device, wherein the VPN handler encrypts outbound network packets for transmission through the VPN connection and decrypts inbound network packets received from the VPN connection to securely tunnel the network packets between the cellular mobile device and the remote VPN security device;
  
  a security manager to receive the decrypted inbound network packets from the VPN handler and apply one or more security services to the decrypted network packets received by the VPN handler through the VPN connection; and
  
  a VPN control application that provides a unified user interface that allows a user to configure both the VPN handler and the security manager.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 2. The cellular mobile device of claim 1, wherein the multi-service network client is deployed from a single downloadable distribution package.
  - 3. The cellular mobile device of claim 1, wherein the VPN control application presents a unified user interface for configuring anti-virus settings and personal firewall settings of the security manager.
  - 4. The cellular mobile device of claim 1,wherein the security manager applies anti-virus and spyware services to the network packets,wherein the security manager provides an interface by which the VPN handler determines whether a user of the cellular mobile device has activated and registered the security manager to apply the anti-virus and spyware services to the network packets, andwherein the VPN handler requires an affirmative indication from the security manager prior to establishing the VPN connection with the VPN gateway.
  - 5. The cellular mobile device of claim 1,wherein the VPN handler comprises a host checker module that inventories a state of the cellular mobile device and builds a health status report, wherein the health status report provides an indication of anti-virus software installed on the mobile device, andwherein the host checker outputs the health status report to the VPN gateway prior to establishing the VPN connection for determining whether the cellular mobile device is compliant with corporate policies.
  - 6. The cellular mobile device of claim 1, wherein the multi-service network client further comprises a data acceleration module that receives the decrypted inbound network packets from the VPN handler and applies at least one acceleration service to the decrypted inbound network packets received through the VPN connection.
  - 7. The cellular mobile device of claim 6, wherein the data acceleration module provides a local content cache.
  - 8. The cellular mobile device of claim 6, wherein the data acceleration module provides a client-side decompression service that operates in conjunction with an upstream acceleration device to provide real-time, continuous pattern recognition and compression of data flows within the network packets.
  - 9. The cellular mobile device of claim 6, wherein the data acceleration module provides application-specific protocol optimization for control flows within the network packets.
  - 10. The cellular mobile device of claim 1, wherein the multi-service network client further comprises one or more collaboration components that process the packets from the VPN handler, wherein collaboration components provide collaboration services including at least one of a network meeting, a secure desktop or a document sharing service.
  - 11. The cellular mobile device of claim 1,wherein the VPN control application provides a user interface that allows a user to disable VPN connectivity, andwherein, when VPN connectivity is disabled, the VPN handler exchanges the network packets with the operating system and transparently provides the packets to the security manager for application of the security services.
  - 12. The cellular mobile device of claim 1, wherein the user interface of the VPN control applications allows the user to submit credentials and instruct the VPN handler to dynamically instantiate the secure VPN connection or deconstruct an existing VPN connection.
  - 13. The cellular mobile device of claim 1,wherein upon establishing the VPN connection the VPN control application receives a web-based home page from the secure VPN device via an Hypertext Transfer Protocol Secure (HTTPS) response,wherein the secure VPN connection dynamically parses HyperText Markup Language (HTML) bookmark links from the HTTPS response and renders a bookmark window using input controls native to the cellular mobile device, where each of the input controls corresponds to a different one of the bookmarks parsed from the HTML response received from the secure VPN gateway, andwherein, upon selection of one of the input controls, the VPN control application formulates and outputs an appropriate HTTP string to the secure VPN device as if a corresponding HTML link were selected by the user.
  - 14. The cellular mobile device of claim 13,wherein the VPN control application detects within the HTTPS response one of the bookmarks that provides a link to a webmail for the user, andwherein, upon detecting the bookmark for the webmail, the VPN control application dynamically constructs the user interface to have an input control for launching a native email client of the cellular mobile device to access the email without launching a web browser.
  - 15. The cellular mobile device of claim 13,wherein the VPN handler establishes an Secure Socket Layer (SSL) control channel with the secure VPN gateway and, upon a successful authentication, receives a session cookie with a unique identifier,wherein, in the event communication with the secure VPN gateway is temporarily lost, the VPN handler performs a fast reconnect by issuing the session cookie to the secure VPN gateway, andwherein, when performing the fast reconnect, the VPN handler identifies a set of transport mechanisms currently available to the cellular mobile device and, when only a cellular network is available and not a wireless packet-based connection, the VPN handler defers the fast reconnect until application-layer data is received from a user application and ready to be sent via the VPN connection.
  - 16. The cellular mobile device of claim 1, wherein the VPN handler and the VPN control application are configured to be independently upgradable.
  - 17. The cellular mobile device of claim 1,wherein the VPN handler establishes the VPN connection as an Internet Protocol Security (IPSec) connection over User Datagram Protocol (UDP), andwherein the VPN handler includes a compression module that applies Lempel-Ziv (LZ) compression in conjunction with the IPSec connection to tunnel encrypted IP packets to the secure VPN gateway.
  - 18. The cellular mobile device of claim 1,wherein after decrypting the inbound packets received over the VPN connection, the VPN handler forwards the decrypted inbound packets to the security manager for application of the one or more security services,wherein the security manager receives the decrypted inbound network packets from the VPN handler and applies the one or more security services to the decrypted network packets prior to delivery of application-layer data carried by the decrypted inbound network packets to the application software, andwherein, after the security manager applies the security services to the decrypted network packets, the VPN handler extracts the application-layer data from the decrypted network packets and delivers the application-layer data to the application software.

19. A method comprising:
- receiving, with a cellular mobile device from an electronic repository, a single distribution software package that includes a multi-service network client, wherein the multi-service network client includes a virtual private network (VPN) handler, a security manager; and
  
  a VPN control application that provides a unified user interface that allows a user to configure both the VPN handler and the security manager; and
  
  installing the multi-service network client on the cellular mobile device including registering the VPN handler with an operating system of the cellular mobile device, wherein the VPN handler provides a single point of entry for network packets from the operating system to apply VPN services with the VPN handler and security services with the security manager,wherein the VPN handler is configured to encrypt outbound network packets for transmission through a VPN connection and decrypt inbound network packets received from the VPN connection, andwherein the security manager is configured to apply the security services to outbound network packets prior to encryption of the outbound network packets and transmission through the VPN connection by the VPN handler and configured to apply the security services to inbound network packets received through the VPN connection after decryption of the inbound network packets by the VPN handler.
- View Dependent Claims (20, 21)
- - 20. The method of claim 19, further comprising:
    - establishing, with the VPN handler, a VPN connection with a remote VPN security device of an enterprise; and
      
      exchanging network packets between the VPN handler the operating system for communication via the VPN connection.
  - 21. The method of claim 20, further comprising:
    - processing the network packets with the VPN handler to tunnel the packets between the cellular mobile device and the remote VPN security device over the VPN connection; and
      
      while processing the packets with the VPN handler, routing the packets to the security manager and applying at least one security service to the network packets with the security manager.

22. A non-transitory computer-readable medium storing a downloadable distribution package comprising software program code to execute a multi-service network client on a processor within a cellular device, wherein the multi-service network client comprises:
- a virtual private network (VPN) handler to establish a VPN connection with a remote VPN security device, wherein the VPN handler encrypts outbound network packets for transmission through the VPN connection and decrypts inbound network packets received from the VPN connection to securely tunnel the network packets between the cellular mobile device and the remote VPN security device;
  
  a security manager to receive the decrypted inbound network packets from the VPN handler and apply at least one security service to the decrypted network packets received by the VPN handler through the VPN connection; and
  
  a VPN control application that provides a unified user interface that allows a user to configure both the VPN handler and the security manager.
- View Dependent Claims (23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36)
- - 23. The non-transitory computer-readable storage medium of claim 22, wherein the VPN control application presents a unified user interface for configuring anti-virus settings and personal firewall settings of the security manager.
  - 24. The non-transitory computer-readable storage medium of claim 22,wherein the security manager applies anti-virus and spyware services to the network packets,wherein the security manager provides an interface by which the VPN handler determines whether a user of the cellular mobile device has activated and registered the security manager, andwherein the VPN handler requires an affirmative indication from the security manager prior to establishing the VPN connection with the VPN gateway.
  - 25. The non-transitory computer-readable storage medium of claim 22, wherein the multi-service network client further comprises a data acceleration module that applies at least one acceleration service to the network packets from the VPN handler.
  - 26. The non-transitory computer-readable storage medium of claim 25, wherein the data acceleration module provides a local content cache.
  - 27. The non-transitory computer-readable storage medium of claim 25, wherein the data acceleration module provides a client-side decompression service that operates in conjunction with an upstream acceleration device to provide real-time, continuous pattern recognition and compression of data flows within the network packets.
  - 28. The non-transitory computer-readable storage medium of claim 25, wherein the data acceleration module provides application-specific protocol optimization for control flows within the network packets.
  - 29. The non-transitory computer-readable storage medium of claim 22, wherein the multi-service network client further comprises one or more collaboration components that process the packets from the VPN handler, wherein collaboration components provide collaboration services including at least one of a network meeting, a secure desktop or a document sharing service.
  - 30. The non-transitory computer-readable storage medium of claim 22,wherein the VPN control application provides a user interface that allows a user to disable VPN connectivity, andwherein, when VPN connectivity is disabled, the VPN handler exchanges the network packets with the operating system and transparently provides the packets to the security manager for application of the security service.
  - 31. The non-transitory computer-readable storage medium of claim 22,wherein the user interface of the VPN control applications allows the user to submit credentials and instruct the VPN handler to dynamically instantiate the secure VPN connection or deconstruct an existing VPN connection.
  - 32. The non-transitory computer-readable storage medium of claim 22,wherein upon establishing the VPN connection the VPN control application receives a web-based home page from the secure VPN device via an Hypertext Transfer Protocol Secure (HTTPS) response,wherein the secure VPN connection dynamically parses HyperText Markup Language (HTML) bookmark links from the HTTPS response and renders a bookmark window using input controls native to the cellular mobile device, where each of the input controls corresponds to a different one of the bookmarks parsed from the HTML response received from the secure VPN gateway, andwherein, upon selection of one of the input controls, the VPN control application formulates and outputs an appropriate HTTP string to the secure VPN device as if a corresponding HTML link were selected by the user.
  - 33. The non-transitory computer-readable storage medium of claim 32,wherein the VPN control application detects within the HTTPS response one of the bookmarks that provides a link to a webmail for the user, andwherein, upon detecting the bookmark for the webmail, the VPN control application dynamically constructs the user interface to have an input control for launching a native email client of the cellular mobile device to access the email without launching a web browser.
  - 34. The non-transitory computer-readable storage medium of claim 22, wherein the VPN handler and the VPN control application are configured to be independently upgradable.
  - 35. The non-transitory computer-readable storage medium of claim 22,wherein the VPN handler establishes the VPN connection as an Internet Protocol Security (IPSec) connection over User Datagram Protocol (UDP), andwherein the VPN handler includes a compression module that applies Lempel-Ziv (LZ) compression in conjunction with the IPSec connection to tunnel encrypted IP packets to the secure VPN gateway.
  - 36. The non-transitory computer-readable storage medium of claim 22,wherein the VPN handler establishes an Secure Socket Layer (SSL) control channel with the secure VPN gateway and, upon a successful authentication, receives a session cookie with a unique identifier,wherein, in the event communication with the secure VPN gateway is temporarily lost, the VPN handler performs a fast reconnect by issuing the session cookie to the secure VPN gateway, andwherein, when performing the fast reconnect, the VPN handler identifies a set of transport mechanisms currently available to the cellular mobile device and, when only a cellular network is available and not a wireless packet-based connection, the VPN handler defers the fast reconnect until application-layer data is received from a user application and ready to be sent via the VPN connection.

37. A method comprising:
- receiving, from a cellular mobile device, a request to download a single distribution software package that includes a multi-service network client, wherein the multi-service network client includes a virtual private network (VPN) handler, a security manager, and a VPN control application that provides a unified user interface that allows a user to configure both the VPN handler and the security manager, wherein the VPN handler is configured to encrypt outbound network packets for transmission through a VPN connection and decrypt inbound network packets received from the VPN connection, and wherein the security manager is configured to apply security services to outbound network packets prior to encryption of the outbound network packets and transmission through the VPN connection by the VPN handler and configured to apply the security services to inbound network packets received through the VPN connection after decryption of the inbound network packets by the VPN handler, and wherein the security services applied by the security manager include anti-virus and spyware services; and
  
  outputting the multi-service network client from a software repository to be installed on the cellular mobile device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Pulse Secure, LLC (Ivanti Software, Inc.)
Original Assignee
Pulse Secure, LLC (Ivanti Software, Inc.)
Inventors
Wei, Vikki Yin, Iyer, Subramanian, Campagna, Richard, Wood, James
Primary Examiner(s)
Zecher, Dede
Assistant Examiner(s)
Su, Sarah

Application Number

US13/403,436
Publication Number

US 20120159607A1
Time in Patent Office

1,076 Days
Field of Search

726/11, 726/15, 726/23, 726/24, 713/152, 709/225, 709/227, 379/901
US Class Current

726/15
CPC Class Codes

H04L 63/0272   Virtual private networks

H04L 63/08   for authentication of entit...

H04W 12/068   using credential vaults, e....

H04W 12/069   using certificates or pre-s...

H04W 4/00   Services specially adapted ...

H04W 76/10   Connection setup

H04W 88/02   Terminal devices

Y10S 379/901   Virtual networks or virtual...

Multi-service VPN network client for mobile device

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

Citations

37 Claims

Specification

Solutions

Use Cases

Quick Links

Multi-service VPN network client for mobile device

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

37 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links