Systems and methods for configuration driven rewrite of SSL VPN clientless sessions

US 10,270,740 B2
Filed: 02/07/2014
Issued: 04/23/2019
Est. Priority Date: 01/26/2008
Status: Active Grant

First Claim

Patent Images

1. A method for rewriting by an intermediary content transmitted between a client and a server, the method comprising:

a) identifying, by a device intermediary to a client and a server, responsive to determining that a type of session established between the client and the server is a clientless secured session, an access profile for a request from the client to access content from the server based on applying a rule to content of the request, the access profile for clientless secured sessions, the access profile including a rewrite policy for rewriting uniform resource locators (URLs) and a plurality of pattern sets comprising regular expressions for finding the URLs to rewrite in different types of content transmitted by the server to the client via the clientless secure session;

b) finding, by the device, in response to the access profile identified responsive to determining that the type of session established is the clientless secured session, a URL in content of a response of the server to the request by matching a regular expression of one of the plurality of pattern sets to a portion of the content;

c) rewriting, by the device, in accordance with the rewrite policy the URL found in the content; and

d) transmitting, by the device to the client, via the clientless secured session the response comprising the rewritten URL.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present disclosure provides solutions for an enterprise providing services to a variety of clients to enable the client to use the resources provided by the enterprise by modifying URLs received and the URLs from the responses from the servers to the client'"'"'s requests before forwarding the requests and the responses to the intended destinations. An intermediary may identify an access profile for a clients'"'"' request to access a server via a clientless SSL VPN session. The intermediary may detect one or more URLs in content served by the server in response to the request using one or more regular expressions of the access profile. The intermediary may rewrite or modify, responsive to detecting, the one or more detected URLs in accordance with a URL transformation specified by one or more rewrite policies of the access profile. The response with modified URLs may be forwarded to the client.

24 Citations

View as Search Results

20 Claims

1. A method for rewriting by an intermediary content transmitted between a client and a server, the method comprising:
- a) identifying, by a device intermediary to a client and a server, responsive to determining that a type of session established between the client and the server is a clientless secured session, an access profile for a request from the client to access content from the server based on applying a rule to content of the request, the access profile for clientless secured sessions, the access profile including a rewrite policy for rewriting uniform resource locators (URLs) and a plurality of pattern sets comprising regular expressions for finding the URLs to rewrite in different types of content transmitted by the server to the client via the clientless secure session;
  
  b) finding, by the device, in response to the access profile identified responsive to determining that the type of session established is the clientless secured session, a URL in content of a response of the server to the request by matching a regular expression of one of the plurality of pattern sets to a portion of the content;
  
  c) rewriting, by the device, in accordance with the rewrite policy the URL found in the content; and
  
  d) transmitting, by the device to the client, via the clientless secured session the response comprising the rewritten URL.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein (a) further comprises identifying, by the device, the access profile from a plurality of access profiles configured on the device by matching an expression of the rule of the access profile to the content of the request, the access profile applied responsive to determining that the clientless secured session is established between the client and the server, and bypassed responsive to determining that a client-based session is established between the client and the server.
  - 3. The method of claim 1, wherein (a) further comprises identifying, by the device, the access profile configured for a predetermined application, the device determining from the content of the request that the request corresponds to the predetermined application.
  - 4. The method of claim 1, wherein the access profile further includes at least one of a script rewrite policy for rewriting portions of a script in the content or a header rewrite policy for rewriting one or more headers of a protocol of the content.
  - 5. The method of claim 1, wherein (b) further comprises finding the URL in content comprising Extensible Markup Language (XML) by matching the regular expression for a pattern set of the plurality of pattern sets of the access profile configured for finding the URL in XML.
  - 6. The method of claim 1, wherein (b) further comprises finding the URL in content comprising JavaScript by matching the regular expression for a pattern set of the plurality of pattern sets of the access profile configured for finding the URL in JavaScript.
  - 7. The method of claim 1, wherein (b) further comprises finding the URL in content comprising cascading style sheet (CSS) by matching the regular expression for a pattern set of the plurality of pattern sets of the access profile configured for finding the URL in CSS.
  - 8. The method of claim 1, wherein (b) further comprises finding the URL in content comprising a predefined component by matching the regular expression for a pattern set of the plurality of pattern sets of the access profile configured for finding the URL in the predefined component.
  - 9. The method of claim 1, wherein (c) further comprises rewriting the URL by modifying the URL within the content.
  - 10. The method of claim 1, wherein (d) further comprises modifying the response to include the rewritten URL.

11. A system for rewriting by an intermediary content transmitted between a client and a server, the system comprising:
- a device intermediary to a client and a server, the device having one or more processors;
  
  an access profile configured on the device, the access profile including a rewrite policy for rewriting uniform resource locators (URLs) and a plurality of pattern sets comprising regular expressions for finding the URLs to rewrite in different types of content transmitted by the server to the client,wherein the device is configured to identify, responsive to a determination that a type of session established between the client and the server is a clientless secured session, the access profile for clientless secured sessions, the access profile for a request from the client to access content from the server via the clientless secured session based on applying a rule to content of the request;
  
  wherein the device is configured to find, in response to the access profile identified responsive to the determination that the type of session established is the clientless secured session, a URL in content of a response of the server to the request by matching a regular expression of one of the plurality of pattern sets to a portion of the content, rewrite the URL found in the content in accordance with the rewrite policy and transmit to the client the response comprising the rewritten URL via the clientless secured session.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The system of claim 11, wherein the device is further configured to identify the access profile from a plurality of access profiles configured on the device by matching an expression of the rule of the access profile to the content of the request, the access profile applied responsive to the determination that the clientless secured session is established between the client and the server, and bypassed responsive to a determination that a client-based session is established between the client and the server.
  - 13. The system of claim 11, wherein the device is further configured to identify the access profile configured for a predetermined application, the device configured to determine from the content of the request that the request corresponds to the predetermined application.
  - 14. The system of claim 11, wherein the access profile further includes at least one of a script rewrite policy for rewriting portions of a script in the content or a header rewrite policy for rewriting one or more headers of a protocol of the content.
  - 15. The system of claim 11, wherein the device is further configured to find the URL in content comprising Extensible Markup Language (XML) by matching the regular expression for a pattern set of the plurality of pattern sets of the access profile configured for finding the URL in XML.
  - 16. The system of claim 11, wherein the device is further configured to find the URL in content comprising JavaScript by matching the regular expression for a pattern set of the plurality of pattern sets of the access profile configured for finding the URL in JavaScript.
  - 17. The system of claim 11, wherein the device is further configured to find the URL in content comprising cascading style sheet (CSS) by matching the regular expression for a pattern set of the plurality of pattern sets of the access profile configured for finding the URL in CSS.
  - 18. The system of claim 11, wherein the device is further configured to find the URL in content comprising a predefined component by matching the regular expression for a pattern set of the plurality of pattern sets of the access profile configured for finding the URL in the predefined component.
  - 19. The system of claim 11, wherein the device is further configured to rewrite the URL by modifying the URL within the content.
  - 20. The system of claim 11, wherein the device is further configured to modify the response to include the rewritten URL.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Citrix Systems, Inc. (Cloud Software Group)
Original Assignee
Citrix Systems, Inc. (Cloud Software Group)
Inventors
Agarwal, Puneet, Thirunarayanan, Srinivasan, Korrapatti, Vamsi, Khemani, Prakash, Mirani, Rajiv, Reddy, Anoop
Primary Examiner(s)
Biagini, Christopher

Application Number

US14/175,616
Publication Number

US 20140157361A1
Time in Patent Office

1,901 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/0272   Virtual private networks

H04L 63/0281   Proxies

H04L 63/105   Multiple levels of security

H04L 63/166   at the transport layer

H04L 63/20   for managing network securi...

H04L 67/02   based on web technology, e....

H04L 67/14   Session management for real...

H04L 67/563   Data redirection of data ne...

H04L 67/59   Providing operational suppo...

Systems and methods for configuration driven rewrite of SSL VPN clientless sessions

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

24 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Systems and methods for configuration driven rewrite of SSL VPN clientless sessions

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

24 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others