Systems and methods for application based interception of SSL/VPN traffic

US 9,497,198 B2
Filed: 09/26/2014
Issued: 11/15/2016
Est. Priority Date: 08/03/2006
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

a device having one or more processors, that is intermediary to a first network and a second network, the device configured to allow or deny a level of access by an application via the first network to a resource on the second network;

wherein the device is configured to receive an identifier of the application from an agent on the client, the identifier of the application transmitted to the device responsive to a determination that a routing table of the client provided by the device includes the identifier of the application; and

wherein the device is configured to identify a policy based on the identifier of the application, receive a request from the client on the first network to access by the application the resource on the second network, and determine based on the policy to one of allow or deny access by the application to the resource on the second network.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for allowing or denying, by an appliance, access to a resource by an application on a client via a virtual private network connection includes basing the decision to allow or deny access on identification of the application. The appliance intercepts a request from an application on a client on a first network to access via a virtual private network connection a resource on a second network. The appliance identifies the application and associates with the intercepted request an authorization policy based on the identity of the application. The appliance determines, using the authorization policy and the identity of the application, to either allow or deny access by the application to the resource.

102 Citations

20 Claims

1. A system comprising:
- a device having one or more processors, that is intermediary to a first network and a second network, the device configured to allow or deny a level of access by an application via the first network to a resource on the second network;
  
  wherein the device is configured to receive an identifier of the application from an agent on the client, the identifier of the application transmitted to the device responsive to a determination that a routing table of the client provided by the device includes the identifier of the application; and
  
  wherein the device is configured to identify a policy based on the identifier of the application, receive a request from the client on the first network to access by the application the resource on the second network, and determine based on the policy to one of allow or deny access by the application to the resource on the second network.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The system of claim 1, wherein the device is further configured to establish a virtual private network connection with the client on the first network.
  - 3. The system of claim 1, wherein the agent is configured to determine that the routing tables includes the identifier of the application.
  - 4. The system of claim 1, wherein the agent is configured to intercept communications from the client based on the identifier of the application being in the routing table.
  - 5. The system of claim 1, wherein the agent is configured to intercept a request to connect to a server on the second network and identify the identifier of the application from the request.
  - 6. The system of claim 1, wherein the device is further configured to transmit the routing table to the client.
  - 7. The system of claim 1, wherein at least a portion of the application executes on a second device of the second network.
  - 8. The system of claim 1, wherein the identifier of the application comprises one or more of the following:
    - a destination network identifier, a destination port, a protocol, a source network identifier, a source port, and an intranet application name.
  - 9. The system of claim 1, wherein the identifier of the application comprises one of the following:
    - a name of the application on the client or a process identifier of the application on the client.
  - 10. The system of claim 1, wherein the policy specifies the identifier of the application and an authorization of one of access or deny.

11. A system comprising:
- an agent executing on a processor of a client on a first network in communication with a device that is intermediary to the client and a server of a second network;
  
  an application routing table of the client provided by the device and comprising identifiers of applications allowed access to the second network via the device;
  
  an agent of the client configured to determine an identifier of an application via a request from the client to access a resource on the second network is in the application routing table and to transmit the identifier of the application to the device responsive to the determination; and
  
  wherein the agent is configured to receive from the device a communication indicating that a request to access by the application the resource on the second network is one of allowed or denied responsive to the agent transmitting the identifier of the application and the device identifying a policy to apply to the request based on the identifier of the application.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The system of claim 11, wherein the agent is further configured to establish a virtual private network connection with the device.
  - 13. The system of claim 11, wherein the agent is further configured to use the application routing table to determine which communications of the client to intercept and transmit to the device.
  - 14. The system of claim 11, wherein the agent is further configured to receive the application routing table from the device.
  - 15. The system of claim 11, wherein the identifiers of applications in the application routing tables comprise one or more of the following:
    - a destination network identifier, a destination port, a protocol, a source network identifier, a source port, and an intranet application name.
  - 16. The system of claim 11, wherein the identifiers of applications in the application routing tables comprise one of the following:
    - a name of the application on the client or a process identifier of the application on the client.
  - 17. The system of claim 11, wherein the agent is further configured to intercept a request to connect to a server on the second network and identify the identifier of the application from the request.
  - 18. The system of claim 11, wherein the application executes on one of the client or the server.
  - 19. The system of claim 11, wherein the agent is further configured to intercept the request to access by the application the resource on the second network and transmit the request to the device.
  - 20. The system of claim 11, wherein the agent is further configured to determine the identifier of the application from one of a name or a process identifier of the application executing on the client.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Citrix Systems, Inc. (Cloud Software Group)
Original Assignee
Citrix Systems, Inc. (Cloud Software Group)
Inventors
Mullick, Amarnath, Venkatraman, Charu, He, Junxiao, Nanjundaswamy, Shashi, Harris, James, Soni, Ajay
Primary Examiner(s)
COX, NATISHA D

Application Number

US14/498,816
Publication Number

US 20150020220A1
Time in Patent Office

781 Days
Field of Search

None
US Class Current

1/1
CPC Class Codes

H04L 63/0272   Virtual private networks

H04L 63/0876   based on the identity of th...

H04L 63/10   for controlling access to d...

H04L 63/102   Entity profiles

H04L 63/20   for managing network securi...

Systems and methods for application based interception of SSL/VPN traffic

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

102 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for application based interception of SSL/VPN traffic

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

102 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links