Systems and methods for fine grain policy driven clientless SSL VPN access

US 9,571,456 B2
Filed: 11/12/2014
Issued: 02/14/2017
Est. Priority Date: 01/26/2008
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

a) determining, by a device intermediary to a client and a server according to a session policy, whether to establish a client-based secure socket layer virtual private network (SSL VPN) session or a clientless SSL VPN session for the client to access the server responsive to a request from the client;

b) identifying, by the device responsive to determining to establish the clientless SSL VPN session between the client and the server, an access profile for the clientless SSL VPN session based on an application executing on the server providing content to the client, the access profile specifying one or more rewrite policies for modifying content from the application;

c) receiving, by the device, from the server, content provided by the application to be communicated to the client; and

d) modifying, by the device, the content of the application based on the one or more rewrite policies.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present disclosure provides solutions that may enable an enterprise providing services to a number of clients to determine whether to establish a client based SSL VPN session or a clientless SSL VPN session with a client based on an information associated with the client. An intermediary establishing SSL VPN sessions between clients and servers may receive a request from a client to access a server. The intermediary may identify a session policy based on the request. The session policy may indicate whether to establish a client based SSL VPN session or clientless SSL VPN session with the server. The intermediary may determine, responsive to the policy, to establish a clientless or client based SSL VPN session between the client and the server.

23 Citations

View as Search Results

18 Claims

1. A method comprising:
- a) determining, by a device intermediary to a client and a server according to a session policy, whether to establish a client-based secure socket layer virtual private network (SSL VPN) session or a clientless SSL VPN session for the client to access the server responsive to a request from the client;
  
  b) identifying, by the device responsive to determining to establish the clientless SSL VPN session between the client and the server, an access profile for the clientless SSL VPN session based on an application executing on the server providing content to the client, the access profile specifying one or more rewrite policies for modifying content from the application;
  
  c) receiving, by the device, from the server, content provided by the application to be communicated to the client; and
  
  d) modifying, by the device, the content of the application based on the one or more rewrite policies.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein (a) further comprises receiving, by the device, a request from the client to access an application provided by the server.
  - 3. method of claim 1, wherein (a) further comprises identifying, by the device, the session policy based on a request from the client, the session policy indicating whether to establish the client-based SSL VPN session or the clientless SSL VPN session with the server.
  - 4. The method of claim 1, wherein (b) further comprises identifying, by the device based on the application and a user of the client, the access profile from a plurality of access profiles configured on the device.
  - 5. The method of claim 1, wherein the one or more rewrite policies includes one or more pattern classes for detecting one or more uniform resource locators (URLs) within content of the application.
  - 6. The method of claim 5, further comprising detecting, by the device, a URL in the content of the application based on the one or more pattern classes.
  - 7. The method of claim 6, further comprising modifying the content of the application by rewriting the URL based on the one or more rewrite policies.
  - 8. The method of claim 1, further comprising receiving, by the device, a second request from the client to access a second application and identifying a second access profile specifying one or more rewrite policies for modifying content from the second application.
  - 9. The method of claim 1, further comprising communicating, by the device, the modified content of the application to the client.

10. A system comprising:
- a device intermediary to a client and a server, the device comprising a hardware processor and configured to determine whether to establish a client-based secure socket layer virtual private network (SSL VPN) session or a clientless SSL VPN session for the client to access the server according to a session policy;
  
  a policy engine configured to execute on the device and to identify, responsive to determining to establish the clientless SSL VPN session between the client and the server, an access profile for the clientless SSL VPN session based on an application executing on the server providing content to the client, the access profile specifying one or more rewrite policies for modifying content from the application;
  
  wherein the device is configured to receive, from the server, content provided by the application to be communicated to the client and modify the content of the application based on the one or more rewrite policies.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The system of claim 10, wherein the device is further configured to receive a request from the client to access an application provided by the server.
  - 12. The system of claim 10, wherein the device is further configured to identify the session policy based on a request from the client, the session policy indicating whether to establish the client-based SSL VPN session or the clientless SSL VPN session with the server.
  - 13. The system of claim 10, wherein the device is further configured to identify, based on the application and a user of the client, the access profile from a plurality of access profiles configured on the device.
  - 14. The system of claim 10, wherein the one or more rewrite policies includes one or more pattern classes for detecting one or more uniform resource locators (URLs) within content of the application.
  - 15. The system of claim 14, wherein the device is further configured to detect a URL in the content of the application based on the one or more pattern classes.
  - 16. The system of claim 15, wherein the device is further configured to modify the content of the application by rewriting the URL based on the one or more rewrite policies.
  - 17. The system of claim 10, wherein the device is further configured to receive a second request from the client to access a second application and identifying a second access profile specifying one or more rewrite policies for modifying content from the second application.
  - 18. The system of claim 10, wherein the device is further configured to communicate the modified content of the application to the client.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Citrix Systems, Inc. (Cloud Software Group)
Original Assignee
Citrix Systems, Inc. (Cloud Software Group)
Inventors
Agarwal, Puneet, Thirunarayanan, Srinivasan, Adhya, Saibal Kumar, Choudhary, Akshat
Primary Examiner(s)
PYZOCHA, MICHAEL J

Application Number

US14/539,681
Publication Number

US 20150074751A1
Time in Patent Office

825 Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 63/0272   Virtual private networks

H04L 63/0281   Proxies

H04L 63/105   Multiple levels of security

H04L 63/166   at the transport layer

H04L 63/20   for managing network securi...

H04L 67/02   based on web technology, e....

H04L 67/14   Session management for real...

H04L 67/563   Data redirection of data ne...

H04L 67/59   Providing operational suppo...

Systems and methods for fine grain policy driven clientless SSL VPN access

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

23 Citations

18 Claims

Specification

Use Cases

Quick Links

Others

Systems and methods for fine grain policy driven clientless SSL VPN access

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

23 Citations

18 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others