Systems and methods for configuration driven rewrite of SSL VPN clientless sessions

US 8,667,146 B2
Filed: 01/26/2009
Issued: 03/04/2014
Est. Priority Date: 01/26/2008
Status: Active Grant

First Claim

Patent Images

1. A method for rewriting by an intermediary content transmitted via a clientless secure socket layer virtual private network (SSL VPN) session between a client and a server, the method comprising:

a) identifying, by an intermediary, an access profile for a request from a client to access content from a server if a clientless SSL VPN session is established between the client and the server, the access profile identified from a plurality of access profiles based on a rule applied on content of the request, the access profile comprising (i) a first rewrite policy for rewriting uniform resource locators (URLs) based on a type of the content transmitted by the server via the clientless SSL VPN session, the transmitted content comprising one or more types of content from a plurality of types of content accessible from the server, and (ii) one or more regular expressions to detect one or more URLs in the type of content served by the server via the clientless SSL VPN session, the intermediary bypassing the access profile for rewriting the URLs if a client based SSL VPN session is established between the client and the server;

b) detecting, by the intermediary responsive to the one or more regular expressions of the identified access profile, one or more URLs in content served by the server in response to the request if the clientless SSL VPN session is established; and

c) rewriting, by the intermediary responsive to the detection, the one or more detected URLs in accordance with a URL transformation specified by the first rewrite policy if the clientless SSL VPN session is established.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present disclosure provides solutions for an enterprise providing services to a variety of clients to enable the client to use the resources provided by the enterprise by modifying URLs received and the URLs from the responses from the servers to the client'"'"'s requests before forwarding the requests and the responses to the intended destinations. An intermediary may identify an access profile for a clients'"'"' request to access a server via a clientless SSL VPN session. The intermediary may detect one or more URLs in content served by the server in response to the request using one or more regular expressions of the access profile. The intermediary may rewrite or modify, responsive to detecting, the one or more detected URLs in accordance with a URL transformation specified by one or more rewrite policies of the access profile. The response with modified URLs may be forwarded to the client.

32 Citations

View as Search Results

20 Claims

1. A method for rewriting by an intermediary content transmitted via a clientless secure socket layer virtual private network (SSL VPN) session between a client and a server, the method comprising:
- a) identifying, by an intermediary, an access profile for a request from a client to access content from a server if a clientless SSL VPN session is established between the client and the server, the access profile identified from a plurality of access profiles based on a rule applied on content of the request, the access profile comprising (i) a first rewrite policy for rewriting uniform resource locators (URLs) based on a type of the content transmitted by the server via the clientless SSL VPN session, the transmitted content comprising one or more types of content from a plurality of types of content accessible from the server, and (ii) one or more regular expressions to detect one or more URLs in the type of content served by the server via the clientless SSL VPN session, the intermediary bypassing the access profile for rewriting the URLs if a client based SSL VPN session is established between the client and the server;
  
  b) detecting, by the intermediary responsive to the one or more regular expressions of the identified access profile, one or more URLs in content served by the server in response to the request if the clientless SSL VPN session is established; and
  
  c) rewriting, by the intermediary responsive to the detection, the one or more detected URLs in accordance with a URL transformation specified by the first rewrite policy if the clientless SSL VPN session is established.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein step (a) further comprises identifying by the intermediary the access profile comprising a plurality of regular expressions, each of the plurality of regular expressions for detecting one or more URLs in a type of content of a plurality of different types of content and step (b) further comprises identifying one or more types of content in the content served by the server.
  - 3. The method of claim 1, wherein step (a) further comprises identifying by the intermediary the access profile comprising a regular expression for detecting a URL in content comprising JavaScript.
  - 4. The method of claim 1, wherein step (a) further comprises identifying by the intermediary the access profile comprising a regular expression for detecting a URL in content comprising Extensible Markup Language (XML).
  - 5. The method of claim 1, wherein step (a) further comprises identifying by the intermediary the access profile comprising a regular expression for detecting a URL in content comprising Cascading Style Sheets (CSS).
  - 6. The method of claim 1, wherein step (b) further comprises detecting, by the intermediary responsive to a first regular expression identified by the access profile, one or more uniform resource locators (URLs) in a first type of content of the response and detecting, responsive to a second regular expression identified by the access profile, one or more URLs in a second type of content of the response.
  - 7. The method of claim 1, wherein step (c) further comprises rewriting, by the intermediary, portions of JavaScript of the content in accordance with a JavaScript transformation specified by a second rewrite policy associated with the identified access profile.
  - 8. The method of claim 1, wherein step (a) further comprising identifying, by the intermediary, the access profile comprising a second rewrite policy to rewrite a header of the request header and rewriting the header of the request in accordance with a transformation specified by the rewrite policy prior to transmission to the server.
  - 9. The method of claim 1, wherein step (a) further comprising identifying, by the intermediary, the access profile comprising a second rewrite policy to rewrite a header of the response and step (c) further comprises rewriting the header of the response in accordance with a transformation specified by the second rewrite policy prior to transmission to the client.
  - 10. The method of claim 1, wherein step (a) comprises identifying, by the intermediary, the access profile from a plurality of access profiles based on determining an application requested via the request.

11. An intermediary for rewriting content transmitted via a clientless secure socket layer virtual private network (SSL VPN) session between a client and a server, the intermediary comprising:
- a policy engine executing on a hardware processor, for identifying an access profile for a request from a client to access content from a server if a clientless SSL VPN session is established between the client and the server, the access profile identified from a plurality of access profiles based on a rule applied on content of the request, the access profile comprising (i) a first rewrite policy for rewriting uniform resource locators (URLs) based on a type of the content transmitted by the server via the clientless SSL VPN session, the transmitted content comprising one or more types of content from a plurality of types of content accessible from the server, and (ii) one or more regular expressions to detect one or more URLs in the type of content served by the server via the clientless SSL VPN session, the intermediary bypassing the access profile for rewriting the URLs if a client based SSL VPN session is established between the client and the server;
  
  a detector for detecting responsive to the one or more regular expressions of the identified access profile, one or more URLs in content served by the server in response to the request if the clientless SSL VPN session is established; and
  
  a rewriter for rewriting responsive to the detector the one or more detected URLs in accordance with a URL transformation specified by the first rewrite policy if the clientless SSL VPN session is established.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19)
- - 12. The intermediary of claim 11, wherein the policy engine identifies the access profile comprising a plurality of regular expressions, each of the plurality of regular expressions for detecting one or more URLs in a type of content of a plurality of different types of content and the detector determines one or more types of content in the content served by the server.
  - 13. The intermediary of claim 11, wherein the policy engine identifies the access profile comprising a regular expression for detecting a URL in content comprising JavaScript.
  - 14. The intermediary of claim 11, wherein the policy engine identifies the access profile comprising a regular expression for detecting a URL in content comprising Extensible Markup Language (XML).
  - 15. The intermediary of claim 11, wherein the policy engine identifies the access profile comprising a regular expression for detecting a URL in content comprising Cascading Style Sheets (CSS).
  - 16. The intermediary of claim 11, wherein the detector detects responsive to a first regular expression identified by the access profile, one or more uniform resource locators (URLs) in a first type of content of the response and detects responsive to a second regular expression identified by the access profile, one or more URLs in a second type of content of the response.
  - 17. The intermediary of claim 11, wherein the rewriter rewrites portions of JavaScript of the content in accordance with a JavaScript transformation specified by a second rewrite policy associated with the identified access profile.
  - 18. The intermediary of claim 11, wherein the policy engine identifies the access profile comprising a second rewrite policy to rewrite a header of the request header and rewriting the header of the request in accordance with a transformation specified by the rewrite policy prior to transmission to the server.
  - 19. The intermediary of claim 11, wherein the policy engine identifies the access profile comprising a second rewrite policy to rewrite a header of the response and the rewriter rewrites the header of the response in accordance with a transformation specified by the second rewrite policy prior to transmission to the client.

20. A method for rewriting by an intermediary content transmitted via a clientless secure socket layer virtual private network (SSL VPN) session between a client and a server, the method comprising:
- a) identifying, by an intermediary, an access profile for a request from a client to access content from a server if a clientless SSL VPN session established between the client and the server, the access profile identified from a plurality of access profiles based on a rule applied on content of a request from the client, the access profile comprising a plurality of rewrite policies and a plurality of regular expressions, each of the plurality of rewrite policies specifying a transformation for a type of content transmitted by the server via the clientless SSL VPN session, the transmitted content comprising one or more types of content from a plurality of types of content accessible from the server, and each of the plurality of regular expressions specify a regular expression to detect uniform resource locators (URLs) in each of the plurality of types of content, the intermediary bypassing the access profile for transformation of the URLs if a client based SSL VPN session is established between the client and the server;
  
  b) determining, by the intermediary, the type of content served by the server in response to the request if the clientless SSL VPN session is established;
  
  c) detecting, by the intermediary, one or more URLs in the content based on the regular expression specified for the determined type of content via the identified access profile if the clientless SSL VPN session is established; and
  
  d) rewriting, by the intermediary, a portion of the content based on the type of content and a rewrite policy from the plurality of rewrite policies for the type of content if the clientless SSL VPN session is established.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Citrix Systems, Inc. (Cloud Software Group)
Original Assignee
Citrix Systems, Inc. (Cloud Software Group)
Inventors
Agarwal, Puneet, Thirunarayanan, Srinivasan, Khemani, Prakash, Mirani, Rajiv, Reddy, Anoop, Korrapati, Vamsi
Primary Examiner(s)
BIAGINI, CHRISTOPHER D

Application Number

US12/359,998
Publication Number

US 20090193126A1
Time in Patent Office

1,863 Days
Field of Search

709/228
US Class Current

709/228
CPC Class Codes

H04L 63/0272   Virtual private networks

H04L 63/0281   Proxies

H04L 63/105   Multiple levels of security

H04L 63/166   at the transport layer

H04L 63/20   for managing network securi...

H04L 67/02   based on web technology, e....

H04L 67/14   Session management for real...

H04L 67/563   Data redirection of data ne...

H04L 67/59   Providing operational suppo...

Systems and methods for configuration driven rewrite of SSL VPN clientless sessions

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

32 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for configuration driven rewrite of SSL VPN clientless sessions

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

32 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links