Systems and methods for application based interception of SSL/VPN traffic
Abstract
A method for allowing or denying, by an appliance, access to a resource by an application on a client via a virtual private network connection includes basing the decision to allow or deny access on identification of the application. The appliance intercepts a request from an application on a client on a first network to access via a virtual private network connection a resource on a second network. The appliance identifies the application and associates with the intercepted request an authorization policy based on the identity of the application. The appliance determines, using the authorization policy and the identity of the application, to either allow or deny access by the application to the resource.
20 Claims
1. A system comprising:
- a device having one or more processors, that is intermediary to a first network and a second network, the device configured to allow or deny a level of access by an application via the first network to a resource on the second network;
- wherein the device is configured to receive an identifier of the application from an agent on the client, the identifier of the application transmitted to the device responsive to a determination that a routing table of the client provided by the device includes the identifier of the application; and
- wherein the device is configured to identify a policy based on the identifier of the application, receive a request from the client on the first network to access by the application the resource on the second network, and determine based on the policy to one of allow or deny access by the application to the resource on the second network.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10

11. A system comprising:
- an agent executing on a processor of a client on a first network in communication with a device that is intermediary to the client and a server of a second network;
- an application routing table of the client provided by the device and comprising identifiers of applications allowed access to the second network via the device;
- an agent of the client configured to determine an identifier of an application via a request from the client to access a resource on the second network is in the application routing table and to transmit the identifier of the application to the device responsive to the determination; and
- wherein the agent is configured to receive from the device a communication indicating that a request to access by the application the resource on the second network is one of allowed or denied responsive to the agent transmitting the identifier of the application and the device identifying a policy to apply to the request based on the identifier of the application.

Dependent claims: 12, 13, 14, 15, 16, 17, 18, 19, 20
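The agent/device exchange described in claims 1 and 11, modelled as an added Python example (not code from the patent or any product): the device provides the client an application routing table, the agent forwards an application identifier only when it is in that table, and the device identifies a policy by identifier and allows or denies the requested resource. The application identifiers, resources and policies are constructed, and the default-deny handling of an identifier that reaches the device with no policy is an assumption the claims do not spell out.

```python
from dataclasses import dataclass, field
# Constructed example: the identifiers, resources and policies are made up.

@dataclass
class Appliance:
    """Device intermediary to the client network and the resource network."""
    # application identifier -> resources on the second network it may reach
    policies: dict[str, set[str]] = field(default_factory=dict)

    def routing_table(self) -> frozenset[str]:
        """Application routing table provided to the client: identifiers of
        applications allowed to reach the second network via the device."""
        return frozenset(self.policies)

    def authorize(self, app_id: str, resource: str) -> str:
        """Identify the policy for the identifier and allow or deny the request.
        An identifier with no policy is denied (default deny, an assumption)."""
        policy = self.policies.get(app_id)
        if policy is None:
            return "denied"
        return "allowed" if resource in policy else "denied"

@dataclass
class ClientAgent:
    """Agent on the client holding the routing table provided by the device."""
    device: Appliance
    table: frozenset[str]

    def request(self, app_id: str, resource: str) -> str:
        """Intercept the application's request and send the identifier to the
        device only if it is in the table; otherwise it never enters the tunnel."""
        if app_id not in self.table:
            return "not routed"
        return self.device.authorize(app_id, resource)

def demo() -> dict[str, str]:
    """Run the constructed scenario and return each request's outcome."""
    appliance = Appliance(policies={
        "corp-mail-client": {"mail.internal:443"},
        "ticketing-app": {"tickets.internal:443", "mail.internal:443"},
    })
    agent = ClientAgent(appliance, appliance.routing_table())
    return {
        "mail->mail": agent.request("corp-mail-client", "mail.internal:443"),
        "mail->tickets": agent.request("corp-mail-client", "tickets.internal:443"),
        "unknown app": agent.request("random-browser", "mail.internal:443"),
        # identifier handed to the device without the agent's table check
        "direct unknown": appliance.authorize("random-browser", "mail.internal:443"),
    }
```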
Specification