Resource access system and method

US 9,762,563 B2
Filed: 10/14/2015
Issued: 09/12/2017
Est. Priority Date: 10/14/2015
Status: Active Grant

First Claim

Patent Images

1. A system for enabling an endpoint residing in an external network to perform resource operations on an internal resource, the endpoint is a computing device associated with a user, the system comprising:

a directory service managing authentication and authorization operations for the internal resource;

a gatekeeper device residing in the external network; and

a gateway device residing in an internal network,the gatekeeper device is configured to;

receive a resource operation request from the endpoint, the resource operation request is associated with the user, the resource operation request including credentials of the user; and

transmit the resource operation request to the gateway device, the gateway device is configured to;

receive the resource operation request from the gatekeeper device;

authenticate with the directory service as the user, using credentials of the user;

receive an internal token associated with the user from the directory service based on authentication by the directory service;

authorize the resource operation request, using the internal token received from the directory service, with the directory service as the user, the gateway device impersonating the user using the internal token; and

initiate the resource operation request with the internal resource.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system for enabling an endpoint residing in an external network to perform resource operations on an internal resource, the system including a directory service managing authentication and authorization operations for the internal resource, a gatekeeper device residing in the external network, and a gateway device residing in an internal network. The gatekeeper device is configured to receive a resource operation request from the endpoint, the resource operation request is associated with a user and transmit the resource operation request to the gateway device. The gateway device is configured to receive the resource operation request from the gatekeeper device, authenticate with the directory service as the user, using credentials of the user, authorize the resource operation request with the directory service, and initiate the resource operation request with the internal resource.

Citations

19 Claims

1. A system for enabling an endpoint residing in an external network to perform resource operations on an internal resource, the endpoint is a computing device associated with a user, the system comprising:
- a directory service managing authentication and authorization operations for the internal resource;
  
  a gatekeeper device residing in the external network; and
  
  a gateway device residing in an internal network,the gatekeeper device is configured to;
  
  receive a resource operation request from the endpoint, the resource operation request is associated with the user, the resource operation request including credentials of the user; and
  
  transmit the resource operation request to the gateway device, the gateway device is configured to;
  
  receive the resource operation request from the gatekeeper device;
  
  authenticate with the directory service as the user, using credentials of the user;
  
  receive an internal token associated with the user from the directory service based on authentication by the directory service;
  
  authorize the resource operation request, using the internal token received from the directory service, with the directory service as the user, the gateway device impersonating the user using the internal token; and
  
  initiate the resource operation request with the internal resource.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The system of claim 1, wherein the resource operation request includes a domain name, wherein the gatekeeper device is further configured to select the gateway device from a plurality of gateways based on the domain name, wherein transmitting the resource operation request to the gateway device is based on the selecting.
  - 3. The system of claim 1, wherein the gatekeeper device is further configured to:
    - receive the resource operation request through a web service; and
      
      reformat the resource operation request into an application program interface (API) format prior to transmitting the resource operation request to the gateway device.
  - 4. The system of claim 1 further comprising:
    - a network address translation traversal (NAT-T) client; and
      
      a NAT-T server, wherein the NAT-T client is configured to establish a first connection to the NAT-T server, the first connection is initially unused, wherein the gatekeeper device is configured to use the first connection to communicate the resource operation request to the gateway, wherein the NAT-T client is configured to establish a second connection to the NAT-T server when the first connection becomes used by the gatekeeper device.
  - 5. The system of claim 1, wherein the resource operation request is an application program interface (API) message formatted as a hypertext transfer protocol (HTTP) representational state transfer (REST) message.
  - 6. The system of claim 1, wherein the directory service is configured to generate the internal token associated with the user during the authentication.
  - 7. The system of claim 6, wherein the gateway device is further configured to:
    - generate an external token associated with the endpoint;
      
      associate the external token with the internal token; and
      
      identify the internal token for use in the authorizing after receiving the resource operation request without receiving the internal token from the endpoint.

8. A method for enabling an endpoint residing in an external network to perform resource operations on an internal resource, the endpoint is a computing device associated with a user, the method comprising:
- receiving, by a gatekeeper device residing in an external network, a resource operation request from the endpoint, the resource operation request is associated with the user, the resource operation request including credentials of the user;
  
  transmitting the resource operation request from the gatekeeper device to a gateway device residing in an internal network;
  
  receiving, by the gateway device, the resource operation request;
  
  authenticating with a directory service as the user, using credentials of the user;
  
  receiving an internal token associated with the user from the directory service based on authentication by the directory service;
  
  authorizing the resource operation request, using the internal token received from the directory service, with the directory service as the user, the gateway device impersonating the user using the internal token; and
  
  initiating the resource operation request with the internal resource.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. The method of claim 8, wherein the resource operation request includes a domain name, the method further comprising selecting, by the gatekeeper device, the gateway device from a plurality of gateways based on the domain name, wherein transmitting the resource operation request to the gateway device is based on the selecting.
  - 10. The method of claim 8, wherein receiving the resource operation request further includes receiving the resource operation request through a web service, the method further comprising reformatting the resource operation request into an application program interface (API) format prior to transmitting the resource operation request to the gateway device.
  - 11. The method of claim 8 further comprising:
    - establishing a first connection from the gateway device to the gatekeeper device, wherein the first connection is initially unused;
      
      using the first connection, by the gatekeeper device, to transmit the resource operation request to the gateway device; and
      
      establishing a second connection from the gateway device to the gatekeeper device based on the using the first connection.
  - 12. The method of claim 8, wherein the resource operation request is an application program interface (API) message formatted as a hypertext transfer protocol (HTTP) representational state transfer (REST) message.
  - 13. The method of claim 8, further comprising:
    - generating an external token associated with the endpoint;
      
      associating the external token with the internal token; and
      
      identifying the internal token for use in the authorizing after receiving the resource operation request without receiving the internal token from the endpoint.

14. A non-transitory machine-readable storage medium storing a set of instructions that, when executed by at least one processor, causes the at least one processor to perform operations comprising:
- receiving, by a gatekeeper device residing in an external network, a resource operation request from an endpoint residing in an external network, the resource operation request is associated with a user, the endpoint is a computing device associated with the user, the resource operation request including credentials of the user;
  
  transmitting the resource operation request from the gatekeeper device to a gateway device residing in an internal network;
  
  receiving, by the gateway device, the resource operation request;
  
  authenticating with a directory service as the user, using credentials of the user;
  
  receiving an internal token associated with the user from the directory service based on authentication by the directory service;
  
  authorizing the resource operation request, using the internal token received from the directory service, with the directory service as the user, the gateway device impersonating the user using the internal token; and
  
  initiating the resource operation request with the internal resource.
- View Dependent Claims (15, 16, 17, 18, 19)
- - 15. The non-transitory machine-readable medium of claim 14, wherein the resource operation request includes a domain name, the operations further comprising selecting, by the gatekeeper device, the gateway device from a plurality of gateways based on the domain name, wherein transmitting the resource operation request to the gateway device is based on the selecting.
  - 16. The non-transitory machine-readable medium of claim 14, wherein receiving the resource operation request further includes receiving the resource operation request through a web service, the operations further comprising reformatting the resource operation request into an application program interface (API) format prior to transmitting the resource operation request to the gateway device.
  - 17. The non-transitory machine-readable medium of claim 14, the operations further comprising:
    - establishing a first connection from the gateway device to the gatekeeper device, wherein the first connection is initially unused;
      
      using the first connection, by the gatekeeper device, to transmit the resource operation request to the gateway device; and
      
      establishing a second connection from the gateway device to the gatekeeper device based on the using the first connection.
  - 18. The non-transitory machine-readable medium of claim 14, wherein the resource operation request is an application program interface (API) message formatted as a hypertext transfer protocol (HTTP) representational state transfer (REST) message.
  - 19. The non-transitory machine-readable medium of claim 14, the operations further comprising:
    - generating an external token associated with the endpoint;
      
      associating the external token with the internal token; and
      
      identifying the internal token for use in the authorizing after receiving the resource operation request without receiving the internal token from the endpoint.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
FullArmor Corporation
Original Assignee
FullArmor Corporation
Inventors
Davis, Charles A., Kim, Danny, Manlief, Michael Hilton, Sousley, Matthew Randall
Primary Examiner(s)
LWIN, MAUNG T

Application Number

US14/883,032
Publication Number

US 20170111336A1
Time in Patent Office

699 Days
Field of Search

None
US Class Current
CPC Class Codes

H04L 61/2514   between local and global IP...

H04L 61/2564   for a higher-layer protocol...

H04L 61/2571   for identification, e.g. fo...

H04L 61/2592   using tunnelling or encapsu...

H04L 61/4523   using lightweight directory...

H04L 63/0272   Virtual private networks

H04L 63/029   Firewall traversal, e.g. tu...

H04L 63/08   for authentication of entit...

H04L 67/02   based on web technology, e....

H04L 67/10   in which an application is ...

Resource access system and method

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Resource access system and method

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links