Providing virtualized private network tunnels

US 8,910,239 B2
Filed: 09/17/2013
Issued: 12/09/2014
Est. Priority Date: 10/15/2012
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

detecting that an application is capable of running in both a first mode and a second mode on a mobile device, wherein the first mode is a managed mode operating under control of one or more policies separate from the application and usable to manage operations of multiple applications executing on the mobile device;

running, on the mobile device, the application in the first mode;

when the application is running in the first mode under the control of the one or more policies;

transmitting, to an access gateway, a ticket configured to provide authentication in connection with establishing a per-application policy-controlled virtual private network (VPN) tunnel for the application to at least one resource, and providing the application with access to the at least one resource via the per-application policy-controlled VPN tunnel, wherein the ticket includes a validity duration;

transmitting, during the validity duration, the ticket to the access gateway to cause the per-application policy-controlled VPN tunnel to be re-established a first time;

closing the per-application policy-controlled VPN tunnel after re-establishing the per-application policy-controlled VPN tunnel the first time; and

after closing the per-application policy-controlled VPN tunnel, transmitting, during the validity duration, the ticket to the access gateway to cause the per-application policy-controlled VPN tunnel to be re-established a second time.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Various aspects of the disclosure relate to providing a per-application policy-controlled virtual private network (VPN) tunnel. In some embodiments, tickets may be used to provide access to an enterprise resource without separate authentication of the application and, in some instances, can be used in such a manner as to provide a seamless experience to the user when reestablishing a per-application policy controlled VPN tunnel during the lifetime of the ticket. Additional aspects relate to an access gateway providing updated policy information and tickets to a mobile device. Other aspects relate to selectively wiping the tickets from a secure container of the mobile device. Yet further aspects relate to operating applications in multiple modes, such as a managed mode and an unmanaged mode, and providing authentication-related services based on one or more of the above aspects.

298 Citations

19 Claims

1. A method, comprising:
- detecting that an application is capable of running in both a first mode and a second mode on a mobile device, wherein the first mode is a managed mode operating under control of one or more policies separate from the application and usable to manage operations of multiple applications executing on the mobile device;
  
  running, on the mobile device, the application in the first mode;
  
  when the application is running in the first mode under the control of the one or more policies;
  
  transmitting, to an access gateway, a ticket configured to provide authentication in connection with establishing a per-application policy-controlled virtual private network (VPN) tunnel for the application to at least one resource, and providing the application with access to the at least one resource via the per-application policy-controlled VPN tunnel, wherein the ticket includes a validity duration;
  
  transmitting, during the validity duration, the ticket to the access gateway to cause the per-application policy-controlled VPN tunnel to be re-established a first time;
  
  closing the per-application policy-controlled VPN tunnel after re-establishing the per-application policy-controlled VPN tunnel the first time; and
  
  after closing the per-application policy-controlled VPN tunnel, transmitting, during the validity duration, the ticket to the access gateway to cause the per-application policy-controlled VPN tunnel to be re-established a second time.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein running the application in the first mode is responsive to comparing the application against policy information that defines the one or more policies.
  - 3. The method of claim 2, wherein the second mode is a second managed mode that operates under control of one or more additional policies different from the one or more policies.
  - 4. The method of claim 3, wherein the policy information defines that the application is to run in the second managed mode under the control of the one or more additional policies if the ticket is not valid or has expired, and wherein the method further comprises:
    - determining that the ticket is not valid or has expired;
      
      responsive to determining that the ticket is not valid or has expired, switching from the first mode to the second managed mode; and
      
      running the application in the second managed mode under the control of the one or more additional policies.
  - 5. The method of claim 2, wherein the policy information defines that the application is to run in the first mode if the ticket is valid or is stored in a secure container of the mobile device, and wherein the at least one resource is accessible only if the application is running in the first mode and only if the per-application policy-controlled VPN tunnel is established.
  - 6. The method of claim 1, further comprising:
    - monitoring the application;
      
      determining a change in running the application in the first mode or the second mode based on the monitoring; and
      
      switching between the first mode or the second mode.
  - 7. The method of claim 6, wherein switching between the first mode or the second mode includes switching from the first mode to the second mode, andwherein determining the change in running the application in the first mode or the second mode based on the monitoring is conditioned upon a determination that the ticket is stored by the mobile device and is valid.
  - 8. The method of claim 6, wherein switching between the first mode or the second mode includes switching from the first mode to the second mode, wherein the second mode is an unmanaged mode, and wherein the method further comprises:
    - responsive to the switching from the first mode to the second mode, performing a selective wipe.

9. An apparatus, comprising:
- at least one processor; and
  
  memory storing executable instructions configured to, when executed by the at least one processor, cause the apparatus to;
  
  detect that an application is capable of running in both a first mode and a second mode on the apparatus, wherein the first mode is a managed mode operating under control of one or more policies separate from the application and usable to manage operations of multiple applications executing on the apparatus,run the application in the first mode,when the application is running in the first mode under the control of the one or more policies;
  
  transmit, to an access gateway, a ticket configured to provide authentication in connection with establishing a per-application policy-controlled virtual private network (VPN) tunnel for the application to at least one resource, and provide the application with access to the at least one resource via the per-application policy-controlled VPN tunnel, wherein the ticket includes a validity duration;
  
  transmit, during the validity duration, the ticket to the access gateway to cause the per-application policy-controlled VPN tunnel to be re-established a first time,close the per-application policy-controlled VPN tunnel after re-establishing the per-application policy-controlled VPN tunnel the first time, andafter closing the per-application policy-controlled VPN tunnel, transmit, during the validity duration, the ticket to the access gateway to cause the per-application policy-controlled VPN tunnel to be re-established a second time.
- View Dependent Claims (10, 11, 12, 13, 14, 15)
- - 10. The apparatus of claim 9, wherein running the application in the first mode is responsive to comparing the application against policy information that defines the one or more policies.
  - 11. The apparatus of claim 10, wherein the second mode is a second managed mode that operates under control of one or more additional policies different from the one or more policies.
  - 12. The apparatus of claim 11, wherein the policy information defines that the application is to run in the second managed mode under the control of the one or more additional policies if the ticket is not valid or has expired, and wherein the executable instructions are configured to, when executed by the at least one processor, cause the apparatus to:
    - determine that the ticket is not valid or has expired;
      
      responsive to determining that the ticket is not valid or has expired, switch from the first mode to the second managed mode; and
      
      run the application in the second managed mode under the control of the one or more additional policies.
  - 13. The apparatus of claim 10, wherein the policy information defines that the application is to run in the first mode if the ticket is valid or is stored in a secure container of the apparatus, and wherein the at least one resource is accessible only if the application is running in the first mode and only if the per-application policy-controlled VPN tunnel is established.
  - 14. The apparatus of claim 9, wherein the executable instructions are configured to, when executed by the at least one processor, cause the apparatus to:
    - monitor the application;
      
      determine a change in running the application in the first mode or the second mode based on the monitoring; and
      
      switch between the first mode or the second mode.
  - 15. The apparatus of claim 14, wherein switching between the first mode or the second mode includes switching from the first mode to the second mode, andwherein determining the change in running the application in the first mode or the second mode based on the monitoring is conditioned upon a determination that the ticket is stored by the apparatus and is valid.

16. One or more non-transitory computer-readable media storing instructions configured to, when executed, cause a computing device to:
- detect that an application is capable of running in both a first mode and a second mode on the computing device, wherein the first mode is a managed mode operating under control of one or more policies separate from the application and usable to manage operations of multiple applications executing on the computing device;
  
  run the application in the first mode; and
  
  when the application is running in the first mode under the control of the one or more policies;
  
  transmit, to an access gateway, a ticket configured to provide authentication in connection with establishing a per-application policy-controlled virtual private network (VPN) tunnel for the application to at least one resource, and provide the application with access to the at least one resource via the per-application policy-controlled VPN tunnel, wherein the ticket includes a validity duration;
  
  transmit, during the validity duration, the ticket to the access gateway to cause the per-application policy-controlled VPN tunnel to be re-established a first time;
  
  close the per-application policy-controlled VPN tunnel after re-establishing the per-application policy-controlled VPN tunnel the first time; and
  
  after closing the per-application policy-controlled VPN tunnel, transmit, during the validity duration, the ticket to the access gateway to cause the per-application policy-controlled VPN tunnel to be re-established a second time.
- View Dependent Claims (17, 18, 19)
- - 17. The one or more non-transitory computer-readable media of claim 16, wherein running the application in the first mode is responsive to comparing the application against policy information that defines the one or more policies.
  - 18. The one or more non-transitory computer-readable media of claim 17, wherein the policy information defines that the application is to run in the first mode if the ticket is valid or is stored in a secure container of the computing device, wherein the policy information defines that the application is to run in the second mode if the ticket is not valid or has expired,wherein the at least one resource is accessible only if the application is run in the first mode and only if the VPN tunnel is established, andwherein the second mode is a second managed mode that operates under control of one or more additional policies different from the one or more policies.
  - 19. The one or more non-transitory computer-readable media of claim 16, wherein the instructions are configured to, when executed, cause the computing device to:
    - monitor the application;
      
      determine a change in running the application in the first mode or the second mode based on the monitoring, wherein determining the change in running the application in the first mode or the second mode based on the monitoring is conditioned upon a determination that the ticket is stored by the computing device and is valid; and
      
      switch between the first mode or the second mode.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Citrix Systems, Inc. (Cloud Software Group)
Original Assignee
Citrix Systems, Inc. (Cloud Software Group)
Inventors
Barton, Gary, Lang, Zhongmin, Desai, Nitin, Walker, James Robert
Primary Examiner(s)
Davis, Zachary A
Assistant Examiner(s)
Korsak, Oleg

Application Number

US14/029,088
Publication Number

US 20140109174A1
Time in Patent Office

448 Days
Field of Search

726/1, 726/4, 726/15
US Class Current

726/1
CPC Class Codes

G06F 21/31   User authentication

G06F 2221/2105   Dual mode as a secondary as...

H04L 63/0272   Virtual private networks

H04L 63/029   Firewall traversal, e.g. tu...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0815   providing single-sign-on or...

H04L 63/20   for managing network securi...

H04W 12/06   Authentication

H04W 12/08   Access security

H04W 12/30   Security of mobile devices;...

H04W 12/37   Managing security policies ...

H04W 12/63   Location-dependent; Proximi...

Providing virtualized private network tunnels

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

298 Citations

19 Claims

Specification

Use Cases

Quick Links

Others

Providing virtualized private network tunnels

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

298 Citations

19 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others