Providing virtualized private network tunnels

US 8,914,845 B2
Filed: 09/17/2013
Issued: 12/16/2014
Est. Priority Date: 10/15/2012
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

receiving, at a mobile device, policy information that describes one or more policies for providing an application of the mobile device with access to at least one resource accessible through an access gateway;

determining that a ticket stored by the mobile device is valid, wherein the ticket is configured to provide authentication in connection with establishing a per-application policy-controlled virtual private network (VPN) tunnel for the application to the at least one resource, wherein the ticket includes a validity duration;

analyzing policy information to determine that network access to the at least one resource is permitted;

transmitting the ticket to the access gateway as part of a process of establishing the per-application policy-controlled VPN tunnel that is inaccessible to other applications of the mobile device;

accessing the at least one resource via the per-application policy-controlled VPN tunnel;

transmitting, during the validity duration, the ticket to the access gateway to cause the per-application policy-controlled VPN tunnel to be re-established a first time;

closing the per-application policy-controlled VPN tunnel after re-establishing the per-application policy-controlled VPN tunnel the first time; and

after closing the per-application policy-controlled VPN tunnel, transmitting, during the validity duration, the ticket to the access gateway to cause the per-application policy-controlled VPN tunnel to be re-established a second time.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Various aspects of the disclosure relate to providing a per-application policy-controlled virtual private network (VPN) tunnel. In some embodiments, tickets may be used to provide access to an enterprise resource without separate authentication of the application and, in some instances, can be used in such a manner as to provide a seamless experience to the user when reestablishing a per-application policy controlled VPN tunnel during the lifetime of the ticket. Additional aspects relate to an access gateway providing updated policy information and tickets to a mobile device. Other aspects relate to selectively wiping the tickets from a secure container of the mobile device. Yet further aspects relate to operating applications in multiple modes, such as a managed mode and an unmanaged mode, and providing authentication-related services based on one or more of the above aspects.

282 Citations

19 Claims

1. A method, comprising:
- receiving, at a mobile device, policy information that describes one or more policies for providing an application of the mobile device with access to at least one resource accessible through an access gateway;
  
  determining that a ticket stored by the mobile device is valid, wherein the ticket is configured to provide authentication in connection with establishing a per-application policy-controlled virtual private network (VPN) tunnel for the application to the at least one resource, wherein the ticket includes a validity duration;
  
  analyzing policy information to determine that network access to the at least one resource is permitted;
  
  transmitting the ticket to the access gateway as part of a process of establishing the per-application policy-controlled VPN tunnel that is inaccessible to other applications of the mobile device;
  
  accessing the at least one resource via the per-application policy-controlled VPN tunnel;
  
  transmitting, during the validity duration, the ticket to the access gateway to cause the per-application policy-controlled VPN tunnel to be re-established a first time;
  
  closing the per-application policy-controlled VPN tunnel after re-establishing the per-application policy-controlled VPN tunnel the first time; and
  
  after closing the per-application policy-controlled VPN tunnel, transmitting, during the validity duration, the ticket to the access gateway to cause the per-application policy-controlled VPN tunnel to be re-established a second time.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, further comprising:
    - performing an initial authentication with the access gateway, resulting in the mobile device receiving the ticket; and
      
      wherein determining that the ticket is valid includes determining that the ticket has not expired based on the validity duration.
  - 3. The method of claim 1, further comprising:
    - receiving the policy information from the access gateway; and
      
      storing the policy information in a secure container of the mobile device.
  - 4. The method of claim 3, further comprising:
    - storing the ticket in the secure container; and
      
      wherein determining that the ticket is valid includes searching the secure container for the ticket.
  - 5. The method of claim 1, further comprising:
    - determining that the ticket has expired;
      
      obtaining a new ticket;
      
      determining that the new ticket is valid; and
      
      transmitting the new ticket to the access gateway.
  - 6. The method of claim 1, further comprising:
    - determining that the ticket has not expired; and
      
      transmitting, responsive to determining that the ticket has not expired, the ticket to the access gateway an additional time.
  - 7. The method of claim 1, further comprising:
    - using the ticket in connection with re-establishing the per-application policy-controlled VPN tunnel to the at least one resource without requiring a user of the mobile device to input or select a credential for authentication.
  - 8. The method of claim 1, further comprising:
    - based on the ticket, providing one or more servers accessible through the access gateway with information required to enable presence-related functionality that informs of a user'"'"'s presence, wherein the user is associated with the mobile device.
  - 9. The method of claim 1, wherein the application is a managed application.

10. An apparatus, comprising:
- at least one processor; and
  
  memory storing executable instructions configured to, when executed by the at least one processor, cause the apparatus to;
  
  receive policy information that describes one or more policies for providing an application of the apparatus with access to at least one resource that is accessible through an access gateway,determine that a ticket stored by the apparatus is valid, wherein the ticket is configured to provide authentication in connection with establishing a per-application policy-controlled virtual private network (VPN) tunnel for the application to the at least one resource, wherein the ticket includes a validity duration,analyze policy information to determine that network access to the at least one resource is permitted,transmit the ticket to the access gateway as part of a process of establishing the per-application policy-controlled VPN tunnel that is inaccessible to other applications of the apparatus,access the at least one resource via the per-application policy-controlled VPN tunnel,transmit, during the validity duration, the ticket to the access gateway to cause the per-application policy-controlled VPN tunnel to be re-established a first time,close the per-application policy-controlled VPN tunnel after re-establishing the per-application policy-controlled VPN tunnel the first time, andafter closing the per-application policy-controlled VPN tunnel, transmit, during the validity duration, the ticket to the access gateway to cause the per-application policy-controlled VPN tunnel to be re-established a second time.
- View Dependent Claims (11, 12, 13, 14, 15)
- - 11. The apparatus of claim 10, wherein the executable instructions are configured to, when executed by the at least one processor, cause the apparatus to perform an initial authentication with the access gateway, resulting in the apparatus receiving the ticket;
    - andwherein determining that the ticket is valid includes determining that the ticket has not expired based on the validity duration.
  - 12. The apparatus of claim 10, wherein the executable instructions are configured to, when executed by the at least one processor, cause the apparatus to:
    - determine that the ticket has expired;
      
      obtain a new ticket;
      
      determine that the new ticket is valid;
      
      transmit the new ticket to the access gateway.
  - 13. The apparatus of claim 10, wherein the executable instructions are configured to, when executed by the at least one processor, cause the apparatus to:
    - determine that the ticket has not expired; and
      
      transmit, responsive to determining that the ticket has not expired, the ticket to the access gateway an additional time.
  - 14. The apparatus of claim 10, wherein the executable instructions are configured to, when executed by the at least one processor, cause the apparatus to:
    - use the ticket in connection with re-establishing the per-application policy-controlled VPN tunnel to the at least one resource without requiring a user of the apparatus to input or select a credential for authentication.
  - 15. The apparatus of claim 10, wherein the executable instructions are configured to, when executed by the at least one processor, cause the apparatus to:
    - based on the ticket, provide one or more servers accessible through the access gateway with information required to enable presence-related functionality that informs of a user'"'"'s presence, wherein the user is associated with the apparatus.

16. One or more non-transitory computer-readable media storing instructions configured to, when executed, cause a computing device to:
- receive policy information that describes one or more policies for providing an application of the computing device with access to at least one resource accessible through an access gateway;
  
  determine that a ticket stored by the computing device is valid, wherein the ticket is configured to provide authentication in connection with establishing a per-application policy-controlled virtual private network (VPN) tunnel for the application to said at least one resource, wherein the ticket includes a validity duration;
  
  analyze policy information to determine that network access to the at least one resource is permitted;
  
  transmit the ticket to the access gateway as part of a process of establishing the per-application policy-controlled VPN tunnel that is inaccessible to other applications of the computing device;
  
  access the at least one resource via the per-application policy-controlled VPN tunnel;
  
  transmit, during the validity duration, the ticket to the access gateway to cause the per-application policy-controlled VPN tunnel to be re-established a first time;
  
  close the per-application policy-controlled VPN tunnel after re-establishing the per-application policy-controlled VPN tunnel the first time; and
  
  after closing the per-application policy-controlled VPN tunnel, transmit, during the validity duration, the ticket to the access gateway to cause the per-application policy-controlled VPN tunnel to be re-established a second time.
- View Dependent Claims (17, 18, 19)
- - 17. The one or more non-transitory computer-readable media of claim 16, wherein the instructions are configured to, when executed, cause the computing device to perform an initial authentication with the access gateway, resulting in the computing device receiving the ticket;
    - andwherein determining that the ticket is valid includes determining that the ticket has not expired based on the validity duration.
  - 18. The one or more non-transitory computer-readable media of claim 16, wherein the instructions are configured to, when executed, cause the computing device to:
    - determine that the ticket has expired;
      
      obtain a new ticket;
      
      determine that the new ticket is valid; and
      
      transmit the new ticket to the access gateway.
  - 19. The one or more non-transitory computer-readable media of claim 16, wherein the instructions are configured to, when executed, cause the computing device to:
    - determine that the ticket has not expired; and
      
      transmit the ticket to the access gateway an additional time.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Citrix Systems, Inc. (Cloud Software Group)
Original Assignee
Citrix Systems, Inc. (Cloud Software Group)
Inventors
Barton, Gary, Lang, Zhongmin, Desai, Nitin, Walker, James Robert
Primary Examiner(s)
Davis, Zachary A
Assistant Examiner(s)
Korsak, Oleg

Application Number

US14/029,068
Publication Number

US 20140109172A1
Time in Patent Office

455 Days
Field of Search

726/1, 726/4, 726/15
US Class Current

726/1
CPC Class Codes

H04L 63/0272   Virtual private networks

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0884   by delegation of authentica...

H04L 63/20   for managing network securi...

H04W 12/06   Authentication

H04W 12/082   using revocation of authori...

H04W 12/086   using security domains

H04W 12/37   Managing security policies ...

H04W 12/63   Location-dependent; Proximi...

H04W 12/64   using geofenced areas

Providing virtualized private network tunnels

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

282 Citations

19 Claims

Specification

Use Cases

Quick Links

Others

Providing virtualized private network tunnels

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

282 Citations

19 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others