Systems and methods for securely and transparently proxying SAAS applications through a cloud-hosted or on-premise network gateway for enhanced security and visibility

US 10,778,684 B2
Filed: 04/07/2017
Issued: 09/15/2020
Est. Priority Date: 04/07/2017
Status: Active Grant

First Claim

Patent Images

1. A method for providing access to an application, the method comprising:

providing, by a device intermediary between a client and a server, access to an application hosted by the server, the access provided to the client via a link that generates a first hypertext transfer protocol (HTTP) request for the application;

receiving, by the device from the client, the first HTTP request generated via the provided link;

rewriting, by the device, an absolute uniform resource locator (URL) of the application indicated in the first HTTP request by replacing a server hostname of the server included in the absolute URL with a URL segment to obfuscate the server hostname in the rewritten absolute URL and hide the server hostname from at least the client, the URL segment generated by prefixing a unique string assigned to the obfuscated server hostname to a device hostname of the device; and

redirecting, by the device, the client to the rewritten absolute URL with the server hostname obfuscated, wherein a domain name system (DNS) server for the client is configured with a DNS entry comprising an expression, the expression of the DNS entry including a wildcard prefixed to the device hostname, to cause the DNS server to resolve the rewritten absolute URL to an internet protocol (IP) address of the device.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Disclosed embodiments provide access to an application. An intermediary device may provide access to an application hosted by the server. The access may be provided to the client via a link that generates a first HTTP request for the application. The device may receive, from the client, the first HTTP request generated via the provided link. The device may rewrite an absolute URL of the application indicated in the first HTTP request, by replacing a first hostname of the server included in the absolute URL, with a URL segment generated by combining a unique string assigned to the first hostname with a second hostname of the device. The device may redirect the client to the rewritten absolute URL of the application.

47 Citations

View as Search Results

20 Claims

1. A method for providing access to an application, the method comprising:
- providing, by a device intermediary between a client and a server, access to an application hosted by the server, the access provided to the client via a link that generates a first hypertext transfer protocol (HTTP) request for the application;
  
  receiving, by the device from the client, the first HTTP request generated via the provided link;
  
  rewriting, by the device, an absolute uniform resource locator (URL) of the application indicated in the first HTTP request by replacing a server hostname of the server included in the absolute URL with a URL segment to obfuscate the server hostname in the rewritten absolute URL and hide the server hostname from at least the client, the URL segment generated by prefixing a unique string assigned to the obfuscated server hostname to a device hostname of the device; and
  
  redirecting, by the device, the client to the rewritten absolute URL with the server hostname obfuscated, wherein a domain name system (DNS) server for the client is configured with a DNS entry comprising an expression, the expression of the DNS entry including a wildcard prefixed to the device hostname, to cause the DNS server to resolve the rewritten absolute URL to an internet protocol (IP) address of the device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein the link comprises a link presented in a browser executing on the client, and the first HTTP request for the application is received from the browser.
  - 3. The method of claim 1, registering, by the device, the DNS server with the DNS entry comprising the expression, the expression of the DNS entry including the wildcard prefixed to the device hostname of the device.
  - 4. The method of claim 1, further comprising receiving, by the device, a second HTTP request from the client comprising the rewritten absolute URL, the rewritten absolute URL causing the DNS to direct the second HTTP request to the device.
  - 5. The method of claim 1, further comprising identifying, by the device, the unique string from a host header of a second HTTP request from the client, and decoding the unique string to obtain the server hostname of the server.
  - 6. The method of claim 5, further comprising performing, by the device, single sign-on (SSO) for a user of the client by sending a security assertion mark-up language (SAML) assertion to the server.
  - 7. The method of claim 6, further comprising receiving, by the device in response to the SAML assertion, an authentication token from the server.
  - 8. The method of claim 4, further comprising:
    - identifying, by the device from the rewritten absolute URL, a URL portion identifying the application; and
      
      sending, by the device, a third HTTP request comprising the identified URL portion to the server to access the application.
  - 9. The method of claim 8, further comprising:
    - receiving, by the device, a response to the third HTTP request comprising the identified URL portion;
      
      rewriting, by the device, a second absolute URL identified in the response, by replacing a hostname in the second absolute URL with a second URL segment generated by combining a second unique string assigned to the hostname, with the device hostname of the device; and
      
      sending, by the device, the response updated with the rewritten second absolute URL, to the client.
  - 10. The method of claim 1, wherein providing the unique string comprises generating the unique string from the server hostname using an encoding scheme comprising one of:
    - symmetric key encryption or base-32 encoding.

11. A system for providing access to an application, the system comprising:
- a device that is intermediary between a client and a server, the device having a memory and at least one processor configured to;
  
  provide access to an application hosted by the server, the access provided to the client via a link that generates a first hypertext transfer protocol (HTTP) request for the application;
  
  receive from the client the first HTTP request generated via the provided link;
  
  rewrite an absolute uniform resource locator (URL) of the application indicated in the first HTTP request by replacing a server hostname of the server included in the absolute URL with a URL segment to obfuscate the server hostname in the rewritten absolute URL and hide the server hostname from at least the client, the URL segment generated by prefixing a unique string assigned to the obfuscated server hostname to a device hostname of the device; and
  
  redirect the client to the rewritten absolute URL with the server hostname obfuscated, wherein a domain name system (DNS) server for the client is configured with a DNS entry comprising an expression, the expression of the DNS entry including a wildcard prefixed to the device hostname, to cause the DNS server to resolve the rewritten absolute URL to an internet protocol (IP) address of the device.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The system of claim 11, wherein the link comprises a link presented in a browser executing on the client, and the first HTTP request for the application is received from the browser.
  - 13. The system of claim 11, wherein the device is further configured to register the DNS server with the DNS entry comprising the expression, the expression of the DNS entry including the wildcard prefixed to the device hostname of the device.
  - 14. The system of claim 11, wherein the device is further configured to receive a second HTTP request from the client comprising the rewritten absolute URL, the rewritten absolute URL causing the DNS to direct the second HTTP request to the device.
  - 15. The system of claim 11, wherein the device is further configured to identify the unique string from a host header of a second HTTP request from the client, and decode the unique string to obtain the server hostname of the server.
  - 16. The system of claim 15, wherein the device is further configured to perform single sign-on (SSO) for a user of the client by sending a security assertion mark-up language (SAML) assertion to the server.
  - 17. The system of claim 16, wherein the device is further configured to receive, in response to the SAML assertion, an authentication token from the server.
  - 18. The system of claim 14, wherein the device is further configured to identify, from the rewritten absolute URL, a URL portion identifying the application, and send a third HTTP request comprising the identified URL portion to the server to access the application.
  - 19. The system of claim 18, wherein the device is further configured to receive a response to the third HTTP request comprising the identified URL portion, rewrite a second absolute URL identified in the response by replacing a hostname in the second absolute URL with a second URL segment generated by combining a second unique string assigned to the hostname, with the device hostname of the device, and send the response updated with the rewritten second absolute URL to the client.
  - 20. The system of claim 11, wherein the device is further configured to generate the unique string from the server hostname using an encoding scheme comprising one of:
    - symmetric key encryption or base-32 encoding.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Citrix Systems, Inc. (Cloud Software Group)
Original Assignee
Citrix Systems, Inc. (Cloud Software Group)
Inventors
Gupta, Punit, Singh, Saurabh, Ganesh, V, Ravi, Kann, Jong
Primary Examiner(s)
Lagor, Alexander
Assistant Examiner(s)
Bell, Kalish K

Application Number

US15/482,423
Publication Number

US 20180295134A1
Time in Patent Office

1,257 Days
Field of Search
US Class Current
CPC Class Codes

H04L 2209/12   Details relating to cryptog...

H04L 63/0272   Virtual private networks

H04L 63/0281   Proxies

H04L 63/029   Firewall traversal, e.g. tu...

H04L 63/0435   wherein the sending and rec...

H04L 63/0815   providing single-sign-on or...

H04L 63/10   for controlling access to d...

H04L 63/166   at the transport layer

H04L 63/168   above the transport layer

H04L 67/02   based on web technology, e....

H04L 67/56   Provisioning of proxy servi...

Systems and methods for securely and transparently proxying SAAS applications through a cloud-hosted or on-premise network gateway for enhanced security and visibility

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

47 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for securely and transparently proxying SAAS applications through a cloud-hosted or on-premise network gateway for enhanced security and visibility

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

47 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links