Systems and methods for providing IIP address stickiness in an SSL VPN session failover environment

US 9,009,327 B2
Filed: 08/03/2007
Issued: 04/14/2015
Est. Priority Date: 08/03/2007
Status: Active Grant

First Claim

Patent Images

1. A method of maintaining a user'"'"'s intranet internet protocol address upon failover of a client'"'"'s secure socket layer virtual private network (SSL VPN) session from a first appliance to a second appliance, the method comprising the steps of:

(a) receiving, by a second appliance, information from a first appliance, the information identifying one or more intranet internet protocol addresses assigned to a first user for accessing a network via a first secure socket layer virtual private network (SSL VPN) session provided by the first appliance, each of the one or more intranet internet protocol addresses of the first user is independent from an internet protocol address assigned to a device operated by the first user;

(b) detecting, by the second appliance, that the first appliance is unavailable to provide the first SSL VPN session to the network, and providing, by the second appliance, SSL VPN connectivity to the network in response to the detection;

(c) receiving, by the second appliance, a request from the client operated by the first user to establish a second SSL VPN session with the network; and

(d) assigning, by the second appliance, to the first user a first intranet internet protocol address previously assigned to the first user from the one or more intranet internet protocol addresses as an internet protocol address on the network.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The SSL VPN session failover solution of the appliance and/or client agent described herein provides an environment for handling IP address assignment and end point re-authorization upon failover. The appliances may be deployed to provide a session failover environment in which a second appliance is a backup to a first appliance when a failover condition is detected, such as failure in operation of the first appliance. The backup appliance takes over responsibility for SSL VPN sessions provided by the first appliance. In the failover environment, the first appliance propagates SSL VPN session information including user IP address assignment and end point authorization information to the backup appliance. The backup appliance maintains this information. Upon detection of failover of the first appliance, the backup appliance activates the transferred SSL VPN session and maintains the user assigned IP addresses. The backup appliance may also re-authorize the client for the transferred SSL VPN session.

Citations

22 Claims

1. A method of maintaining a user'"'"'s intranet internet protocol address upon failover of a client'"'"'s secure socket layer virtual private network (SSL VPN) session from a first appliance to a second appliance, the method comprising the steps of:
- (a) receiving, by a second appliance, information from a first appliance, the information identifying one or more intranet internet protocol addresses assigned to a first user for accessing a network via a first secure socket layer virtual private network (SSL VPN) session provided by the first appliance, each of the one or more intranet internet protocol addresses of the first user is independent from an internet protocol address assigned to a device operated by the first user;
  
  (b) detecting, by the second appliance, that the first appliance is unavailable to provide the first SSL VPN session to the network, and providing, by the second appliance, SSL VPN connectivity to the network in response to the detection;
  
  (c) receiving, by the second appliance, a request from the client operated by the first user to establish a second SSL VPN session with the network; and
  
  (d) assigning, by the second appliance, to the first user a first intranet internet protocol address previously assigned to the first user from the one or more intranet internet protocol addresses as an internet protocol address on the network.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, wherein step (d) comprises assigning, by the second appliance, one of a least recently or a most recently used intranet internet protocol address of the one or more intranet internet protocol addresses as the first intranet internet protocol address.
  - 3. The method of claim 1, wherein step (d) comprises assigning, by the second appliance, one of a least used or a most used intranet internet protocol address of the one or more intranet internet protocol addresses as the first intranet internet protocol address.
  - 4. The method of claim 1, wherein step (d) comprises assigning, by the second appliance, the first intranet internet protocol address from the one or more intranet internet protocol addresses responsive to a policy of a policy engine.
  - 5. The method of claim 1, wherein step (d) comprises determining, by the second appliance, an inactive intranet internet protocol address from the plurality of multiple intranet internet protocol addresses as the first intranet internet protocol address.
  - 6. The method of claim 1, comprising identifying, by the second appliance, a policy specifying a domain name suffix to append to an identifier of the user to provide a user domain name.
  - 7. The method of claim 6, comprising associating, by the second appliance, the user domain name with the first intranet internet protocol address.
  - 8. The method of claim 1, wherein step (c) comprises receiving, by the second appliance, one or more client-side attributes of the client.
  - 9. The method of claim 8, comprising assigning, by the second appliance, the client to an authorization group based on the one or more client-side attributes.
  - 10. The method of claim 1, wherein step (c) comprises transmitting, by the second appliance, a request to the client to evaluate at least one clause of the security string, the at least one clause including an expression associated with a client-side attribute.
  - 11. The method of claim 10, comprising receiving, by the second appliance, a result of the client'"'"'s evaluation of the at least one clause, and assigning, by the second appliance, the client to an authorization group based on the result.

12. A system for maintaining a user'"'"'s intranet internet protocol address upon failover of a client'"'"'s secure socket layer virtual private network (SSL VPN) session from a first appliance to a second appliance, the system comprising the steps of:
- means for receiving by a second appliance information from a first appliance, the information identifying one or more intranet internet protocol addresses assigned to a first user for accessing a network via a first secure socket layer virtual private network (SSL VPN) session provided by the first appliance, each of the one or more intranet internet protocol addresses of the first user is independent from an internet protocol address assigned to a device operated by the first user;
  
  means for detecting by the second appliance that the first appliance is unavailable to provide the first SSL VPN session to the network, wherein the second appliance provides SSL VPN connectivity to the network in response to the detection;
  
  means for receiving by the second appliance a request from the client operated by the first user to establish a second SSL VPN session with the network; and
  
  means for assigning by the second appliance to the first user a first intranet internet protocol address previously assigned to the first user from the one or more intranet internet protocol addresses as an internet protocol address on the network.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 13. The system of claim 12, wherein the second appliance assigns one of a least recently or a most recently used intranet internet protocol address of the one or more intranet internet protocol addresses as the first intranet internet protocol address.
  - 14. The system of claim 12, wherein the second appliance assigns one of a least used or a most used intranet internet protocol address of the one or more intranet internet protocol addresses as the first intranet internet protocol address.
  - 15. The system of claim 12, wherein the second appliance assigns the first intranet internet protocol address from the one or more intranet internet protocol addresses responsive to a policy of a policy engine.
  - 16. The system of claim 12, wherein the second appliance determines an inactive intranet internet protocol address from the plurality of multiple intranet internet protocol addresses as the first intranet internet protocol address.
  - 17. The system of claim 12, wherein the second appliance identifies a policy specifying a domain name suffix to append to an identifier of the user to provide a user domain name.
  - 18. The system of claim 17, wherein the second appliance associates the user domain name with the first intranet internet protocol address.
  - 19. The system of claim 12, wherein the second appliance receives one or more client-side attributes of the client.
  - 20. The system of claim 19, wherein the second appliance assigns the client to an authorization group based on the one or more client-side attributes.
  - 21. The system of claim 12, wherein the second appliance transmits a request to the client to evaluate at least one clause of the security string, the at least one clause including an expression associated with a client-side attribute.
  - 22. The system of claim 12, wherein the second appliance receives a result of the client'"'"'s evaluation of the at least one clause, and assigns the client to an authorization group based on the result.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Citrix Systems, Inc. (Cloud Software Group)
Original Assignee
Citrix Systems, Inc. (Cloud Software Group)
Inventors
Adhya, Saibal, Choudhary, Akshat, Nanjundaswamy, Shashi, Verzunov, Sergey, Kumar, Arkesh, Mullick, Amarnath
Primary Examiner(s)
Jagannathan, Melanie
Assistant Examiner(s)
CHANG, STEPHANIE L

Application Number

US11/833,581
Publication Number

US 20090037763A1
Time in Patent Office

2,811 Days
Field of Search

709/227, 709/224, 709/239, 370/338
US Class Current

709/227
CPC Class Codes

H04L 12/4641   Virtual LANs, VLANs, e.g. v...

H04L 61/5007   Internet protocol [IP] addr...

H04L 63/0272   Virtual private networks

H04L 63/166   at the transport layer

H04L 67/14   Session management for real...

H04L 69/40   for recovering from a failu...

Systems and methods for providing IIP address stickiness in an SSL VPN session failover environment

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for providing IIP address stickiness in an SSL VPN session failover environment

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links