Systems and Methods for Policy Based Triggering of Client-Authentication at Directory Level Granularity

US 20080034410A1
Filed: 08/03/2006
Published: 02/07/2008
Est. Priority Date: 08/03/2006
Status: Active Grant

First Claim

Patent Images

1. A method for an appliance to authenticate access of a client to a protected resource on a server via the appliance, the method comprising the steps of:

(a) receiving, by an appliance, a client request to access a protected resource of a server;

(b) determining, by the appliance, a portion of the client request matches a corresponding specification of a client authentication policy of the appliance;

(c) queuing, by the appliance, the client request upon determining the portion of the client request matches the client authentication policy;

(d) determining, by the appliance, the client authentication policy identifies an action to request an authentication certificate from the client in order to access the server via the appliance, and(e) transmitting, by the appliance in response to the client authentication policy, a request to the client for an authentication certificate.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods are disclosed for an appliance to authenticate access of a client to a protected directory on a server via a connection, such as a secure SSL connection, established by the appliance. A method comprises the steps of: receiving, by an appliance, a first request from a client on a first network to access a server on a second network, the appliance providing the client a virtual private network connection from the first network to the second network; determining, by the appliance, the first request comprises access to a protected directory of the server; associating, by the appliance, an authentication policy with the protected directory, the authentication policy specifying an action to authenticate the client'"'"'s access to the protected directory; and transmitting, by the appliance in response to the authentication policy, a second request to the client for an authentication certificate. Corresponding systems are also disclosed.

122 Citations

View as Search Results

24 Claims

1. A method for an appliance to authenticate access of a client to a protected resource on a server via the appliance, the method comprising the steps of:
- (a) receiving, by an appliance, a client request to access a protected resource of a server;
  
  (b) determining, by the appliance, a portion of the client request matches a corresponding specification of a client authentication policy of the appliance;
  
  (c) queuing, by the appliance, the client request upon determining the portion of the client request matches the client authentication policy;
  
  (d) determining, by the appliance, the client authentication policy identifies an action to request an authentication certificate from the client in order to access the server via the appliance, and(e) transmitting, by the appliance in response to the client authentication policy, a request to the client for an authentication certificate.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, comprising determining, by the appliance one or more of the following portions of the client request matches a corresponding specification of the client authentication policy:
    - a Uniform Resource Locator (URL) pattern, an identifier of one of a method or function, a directory, a client network identifier, a server network identifier, a network port, and a Secure Socket Layer (SSL) parameter.
  - 3. The method of claim 1, comprising determining, by the appliance, the client has been previously authenticated to access the protected resource, and allowing access, by the appliance, to the protected resource.
  - 4. The method of claim 1, specifying, by the client authentication policy, that the authentication certificate is mandatory
  - 5. The method of claim 4, comprising not transmitting, by the appliance, the client request to the server upon one of receiving an invalid authentication certificate or not receiving an authentication certificate.
  - 6. The method of claim 1, specifying, by the authentication policy, that the authentication certificate is optional
  - 7. The method of claim 6, comprising transmitting, by the appliance, the client request to the server upon one of not receiving an authentication certificate from the client or receiving an invalid authentication certificate from the client.
  - 8. The method of claim 6, comprising inserting, by the appliance, into the client request a portion of the client'"'"'s response to the request for the authentication certificate, and transmitting the client request to the server.
  - 9. The method of claim 1, comprising inserting, by the appliance in response to the client authentication policy, data related to the authentication certificate into a Hypertext Transfer Protocol (HTTP) header of the client request, and transmitting the client request to the server.
  - 10. The method of claim 1, comprising inserting, by the appliance in response to the client authentication policy, Secure Socket Layer (SSL) information into a Hypertext Transfer Protocol (HTTP) header of the client request, and transmitting the client request to the server.
  - 11. The method of claim 1, comprising identifying, by the client authentication policy, a pattern for associating a portion of the client request with the client authentication policy
  - 12. The method of claim 1, wherein step (c) comprises preventing, by the appliance, establishment of a transport layer connection with the server.

13. An appliance for providing finer control for authenticating access of a client to a protected resource on a server, the appliance comprising:
- means for receiving a client request to access a protected resource of a server;
  
  means for determining a portion of the client request matches a corresponding specification of a client authentication policy of the appliance;
  
  means for queuing the client request upon determining the portion of the client request matches the client authentication policy;
  
  means for determining the client authentication policy identifies an action to request an authentication certificate from the client in order to access the server via the appliance, andmeans for transmitting, in response to the client authentication policy, a request to the client for an authentication certificate.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24)
- - 14. The appliance of claim 13, comprising means for determining one or more of the following portions of the client request matches a corresponding specification of the client authentication policy:
    - a Uniform Resource Locator (URL) pattern, an identifier of one of a method or function, a directory, a client network identifier, a server network identifier, a network port, and a Secure Socket Layer (SSL) parameter.
  - 15. The appliance of claim 13, comprising means for determining the client has been previously authenticated to access the protected resource, and allowing access, by the appliance, to the protected resource.
  - 16. The appliance of claim 13, comprising means for specifying, by the client authentication policy, that the authentication certificate is mandatory
  - 17. The appliance of claim 16, comprising means for not transmitting, by the appliance, the client request to the server upon one of receiving an invalid authentication certificate or not receiving an authentication certificate.
  - 18. The appliance of claim 13, comprising means for specifying, by the authentication policy, that the authentication certificate is optional
  - 19. The appliance of claim 18, comprising means for transmitting the client request to the server upon one of not receiving an authentication certificate or receiving an invalid authentication certificate from the client.
  - 20. The appliance of claim 18, comprising means for inserting, into the client request a portion of the client'"'"'s response to the request for the authentication certificate, and transmitting the client request to the server.
  - 21. The appliance of claim 13, comprising means for inserting, in response to the client authentication policy, data related to the authentication certificate into a Hypertext Transfer Protocol (HTTP) header of the client request, and transmitting the client request to the server
  - 22. The appliance of claim 13, comprising means for inserting, by the appliance in response to the client authentication policy, Secure Socket Layer (SSL) information into a Hypertext Transfer Protocol (HTTP) header of the client request, and transmitting the client request to the server.
  - 23. The appliance of claim 13, comprising means for identifying, by the client authentication policy, a pattern for associating a portion of the client request with the client authentication policy
  - 24. The appliance of claim 13, comprising means for preventing establishment of a transport layer connection with the server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Citrix Systems, Inc. (Cloud Software Group)
Original Assignee
Citrix Systems, Inc. (Cloud Software Group)
Inventors
Udupa, Sivaprasad, Ag, Tejus, Kanekar, Tushar

Granted Patent

US 8,566,925 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/5
CPC Class Codes

H04L 2463/144   Detection or countermeasure...

H04L 63/0272   Virtual private networks

H04L 63/0428   wherein the data content is...

H04L 63/0823   using certificates cryptogr...

H04L 63/10   for controlling access to d...

H04L 63/166   at the transport layer

H04L 63/20   for managing network securi...

Systems and Methods for Policy Based Triggering of Client-Authentication at Directory Level Granularity

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

122 Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and Methods for Policy Based Triggering of Client-Authentication at Directory Level Granularity

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

122 Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links