Gateway device for terminating a large volume of VPN connections

US 8,997,208 B2
Filed: 08/14/2014
Issued: 03/31/2015
Est. Priority Date: 08/15/2013
Status: Active Grant

First Claim

Patent Images

1. A method of communicating through a virtual private network (VPN) tunnel between a first application (app) on a device and a VPN gateway, the method comprising:

transmitting an internally unique internet protocol (IP) address from the VPN gateway to the first app;

transmitting an app federation cookie from the VPN gateway to the first app after determining that the first app is in a federation of wrapped apps on the device;

sharing the app federation cookie with a second app in the federation of wrapped apps;

assigning the second app the same internally unique IP address;

transmitting a first range of ports to the first app, wherein the first app uses a port in the first port range as a source port for data transmission from the first app to the VPN gateway, wherein the first port range comprises a plurality of ports not included in a second port range transmitted to the second app having the same internally unique IP address as the first app;

receiving, at the VPN gateway, a data transmission from the first app; and

determining, at the VPN gateway, that the data transmission originated from the first app based on the source port.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A VPN gateway device is able to assign, manage, and terminate a large volume of connections from apps executing on devices, enabling a large scale per-app VPN mobile environment. When a mobile device user opens an app on a mobile device, a VPN gateway transmits a unique IP address to the app. The gateway also transmits an app federation cookie to the app. The app shares the app federation cookie with a second app. The VPN gateway then assigns the second app the same unique IP address. The gateway then transmits a range of ports to the first app. The app uses a port in the range of ports for data transmission from the device to the VPN gateway. The gateway receives a data transmission from the first app via a VPN and determines that the data transmission originated from the first app based on the source port.

Citations

20 Claims

1. A method of communicating through a virtual private network (VPN) tunnel between a first application (app) on a device and a VPN gateway, the method comprising:
- transmitting an internally unique internet protocol (IP) address from the VPN gateway to the first app;
  
  transmitting an app federation cookie from the VPN gateway to the first app after determining that the first app is in a federation of wrapped apps on the device;
  
  sharing the app federation cookie with a second app in the federation of wrapped apps;
  
  assigning the second app the same internally unique IP address;
  
  transmitting a first range of ports to the first app, wherein the first app uses a port in the first port range as a source port for data transmission from the first app to the VPN gateway, wherein the first port range comprises a plurality of ports not included in a second port range transmitted to the second app having the same internally unique IP address as the first app;
  
  receiving, at the VPN gateway, a data transmission from the first app; and
  
  determining, at the VPN gateway, that the data transmission originated from the first app based on the source port.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. A method as recited in claim 1 further comprising:
    - transmitting, from the VPN gateway to the second app, the second port range, wherein the second app uses a port in the second port range as a source port for data transmission from the second app to the VPN gateway;
      
      receiving, at the VPN gateway, a data transmission from the second app; and
      
      determining, at the VPN gateway, that the data transmission originated from the second app based on the source port.
  - 3. A method as recited in claim 1 wherein the unique IP address is used by the federation of apps, wherein individual apps in the federation of apps are not assigned individual unique IP addresses.
  - 4. A method as recited in claim 1 further comprising:
    - configuring the first app with a VPN gateway IP address and a VPN gateway domain name, thereby enabling the first app to contact the VPN gateway when the first app executes.
  - 5. A method as recited in claim 1 further comprising:
    - instructing the first app to share the federation cookie with the second app.
  - 6. A method as recited in claim 5 further comprising:
    - challenging the second app for the federation cookie when the second app executes.
  - 7. A method as recited in claim 1 further comprising:
    - configuring the first app when wrapping the first app to be aware that it may be given a federation cookie or that it may have to retrieve a federation cookie from another app in the federation; and
      
      configuring the second app when wrapping the second app to be aware that it may be given a federation cookie or that it may have to retrieve a federation cookie from another app in the federation.
  - 8. A method as recited in claim 1 further comprising:
    - receiving the federation cookie from the second app.

9. A system of communicating through a virtual private network (VPN) tunnel between a first application (app) on a device and a VPN gateway, the system comprising:
- logic for transmitting an internally unique internet protocol (IP) address and an app federation cookie from a VPN gateway to the first app on the device after determining that the first app is in a federation of wrapped apps on the device, wherein the app federation cookie is shared with a second app in the federation of wrapped apps after determining that the second app is in the federation of wrapped apps on the device and the second app is assigned the same internally unique IP address;
  
  logic for transmitting a first range of ports from the VPN gateway to the first app, wherein the first app uses a port in the first port range as a source port for data transmission from the first app to the VPN gateway, wherein the first port range comprises a plurality of ports not included in a second port range transmitted to the second app;
  
  logic for receiving, at the VPN gateway, a data transmission from the first app; and
  
  logic for determining, at the VPN gateway, that the data transmission originated from the first app based on the source port.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The system as recited in claim 9 further comprising:
    - logic for transmitting, from the VPN gateway to the second app, the second port range, wherein the second app uses a port in the second port range as a source port for data transmission from the second app to the VPN gateway;
      
      logic for receiving, at the VPN gateway, a data transmission from the second app; and
      
      logic for determining, at the VPN gateway, that the data transmission originated from the second app based on the source port.
  - 11. The system as recited in claim 9 wherein the unique IP address is used by the federation of apps, wherein individual apps in the federation of apps are not assigned individual unique IP addresses.
  - 12. The system as recited in claim 9 further comprising:
    - logic for configuring the first app with a VPN gateway IP address and a VPN gateway domain name, thereby enabling the first app to contact the VPN gateway when the first app executes.
  - 13. The system as recited in claim 9 further comprising:
    - logic for instructing the first app to share the federation cookie with the second app.
  - 14. The system as recited in claim 13 further comprising:
    - logic for challenging the second app for the federation cookie when the second app executes.
  - 15. The system as recited in claim 9 further comprising:
    - logic for configuring the first app when wrapping the first app to be aware that it may be given a federation cookie or that it may have to retrieve a federation cookie from another app in the federation; and
      
      logic for configuring the second app when wrapping the second app to be aware that it may be given a federation cookie or that it may have to retrieve a federation cookie from another app in the federation.
  - 16. The system as recited in claim 9 further comprising:
    - logic for receiving the federation cookie from the second app.

17. A virtual private network (VPN) gateway comprising:
- an output interface configured to transmit an internally unique internet protocol (IP) address and an app federation cookie from the virtual private network (VPN) gateway to a first application (app) on a device app after determining that the first app is in a federation of wrapped apps on the device, wherein the app federation cookie is shared with a second app in the federation of wrapped apps and the second app is assigned the same internally unique IP address, wherein the output interface is further configured to transmit a first range of ports from the VPN gateway to the first app, wherein the first app uses a port in the first port range as a source port for data transmission from the first app to the VPN gateway, wherein the first port range comprises a plurality of ports not included in a second port range transmitted to the second app;
  
  an input interface, at the VPN gateway, configured to receive a data transmission from the first app;
  
  a mapping mechanism configured to associate the first port range with the first app;
  
  a VPN gateway processor configured to determine that the data transmission originated from the first app based on the source port.
- View Dependent Claims (18, 19, 20)
- - 18. A VPN gateway as recited in claim 17, wherein the output interface is further configured to transmit, from the VPN gateway to the second app, the second port range, wherein the second app uses a port in the second port range as a source port for data transmission from the second app to the VPN gateway.
  - 19. A VPN gateway as recited in claim 18, wherein the mapping mechanism is further configured to associate the second port range with the second app.
  - 20. A VPN gateway as recited in claim 19, wherein the VPN gateway processor is further configured to determine that the data transmission originated from the second app based on the source port.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Blue Cedar Networks, Inc.
Original Assignee
Mocana Corporation (DigiCert Incorporated)
Inventors
Champagne, Timothy S., Fox, Kevin P., Murphy, Daniel, Pescatore, Brian H., Wante, Kenneth J.
Primary Examiner(s)
Zand, Kambiz
Assistant Examiner(s)
Zoubair, Noura

Application Number

US14/459,976
Publication Number

US 20150052599A1
Time in Patent Office

229 Days
Field of Search

726/1, 726/4, 726/7, 726/9, 726 11- 15, 709/217, 709224-227
US Class Current

726/15
CPC Class Codes

H04L 2101/663   Transport layer addresses, ...

H04L 61/2517   using port numbers

H04L 61/2528   Translation at a proxy

H04L 61/5007   Internet protocol [IP] addr...

H04L 61/5038   for local use, e.g. in LAN ...

H04L 63/0254   Stateful filtering

H04L 63/0263   Rule management

H04L 63/0272   Virtual private networks

H04L 63/0815   providing single-sign-on or...

H04L 63/164   at the network layer

H04W 12/02   Protecting privacy or anony...

H04W 12/37   Managing security policies ...

H04W 12/43   using shared identity modul...

H04W 76/12   Setup of transport tunnels

Gateway device for terminating a large volume of VPN connections

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Gateway device for terminating a large volume of VPN connections

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links