Systems and methods for policy based triggering of client-authentication at directory level granularity

US 9,253,193 B2
Filed: 10/09/2013
Issued: 02/02/2016
Est. Priority Date: 08/03/2006
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

(a) receiving, by a device intermediary to a client and a server, a first request from the client to access a protected resource of the server;

(b) determining, by the device, that a predetermined portion of the first request matches a corresponding portion specified by a policy, the policy applied responsive to the first request to access the protected resource and specifying an action for the device to request an authentication certificate from the client responsive to the determination that the predetermined portion of the first request matches the corresponding portion specified by the policy, wherein the predetermined portion of the first request includes at least one of a uniform resource locator (URL) pattern, an identifier of one of a method or function, a directory identifier, a client network identifier, a server network identifier, a network port, and a secure socket layer (SSL) parameter; and

(c) transmitting, by the device responsive to the action specified by the policy and while queuing the first request, a second request to the client for the authentication certificate.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods are disclosed for an appliance to authenticate access of a client to a protected directory on a server via a connection, such as a secure SSL connection, established by the appliance. A method comprises the steps of: receiving, by an appliance, a first request from a client on a first network to access a server on a second network, the appliance providing the client a virtual private network connection from the first network to the second network; determining, by the appliance, the first request comprises access to a protected directory of the server; associating, by the appliance, an authentication policy with the protected directory, the authentication policy specifying an action to authenticate the client'"'"'s access to the protected directory; and transmitting, by the appliance in response to the authentication policy, a second request to the client for an authentication certificate. Corresponding systems are also disclosed.

34 Citations

View as Search Results

18 Claims

1. A method comprising:
- (a) receiving, by a device intermediary to a client and a server, a first request from the client to access a protected resource of the server;
  
  (b) determining, by the device, that a predetermined portion of the first request matches a corresponding portion specified by a policy, the policy applied responsive to the first request to access the protected resource and specifying an action for the device to request an authentication certificate from the client responsive to the determination that the predetermined portion of the first request matches the corresponding portion specified by the policy, wherein the predetermined portion of the first request includes at least one of a uniform resource locator (URL) pattern, an identifier of one of a method or function, a directory identifier, a client network identifier, a server network identifier, a network port, and a secure socket layer (SSL) parameter; and
  
  (c) transmitting, by the device responsive to the action specified by the policy and while queuing the first request, a second request to the client for the authentication certificate.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein the protected resource comprises a directory.
  - 3. The method of claim 1, wherein step (a) further comprises receiving, by the device, the first request via an established first transport layer connection between the device and the client.
  - 4. The method of claim 3, wherein step (c) further comprises preventing, by the device, access to the protected resource via a second transport layer connection between the device and the server until validation of an authentication certificate of the client.
  - 5. The method of claim 1, wherein step (b) further comprises determining, by the device, whether each request of the client matches the policy.
  - 6. The method of claim 1, further comprising receiving, by the device, the authentication certificate from the client responsive to the second request.
  - 7. The method of claim 6, further comprising validating, by the device, the authentication certificate and responsive to validation, transmitting the queued first request to the server.
  - 8. The method of claim 6, further comprising inserting, by the device responsive to the policy, into the first request for transmission to the server, a portion of the client'"'"'s response to the request for the authentication certificate.
  - 9. The method of claim 1, further comprising inserting, by the device responsive to the policy, into the first request for transmission to the server, data related to the authentication certificate.

10. A system comprising:
- a device intermediary to a client and a server, the device is configured to receive a first request from the client to access a protected resource of the server, determine that a predetermined portion of the first request matches a corresponding portion specified by a policy, the policy applied responsive to the first request to access the protected resource and specifying an action for the device to request an authentication certificate from the client responsive to determining that the predetermined portion of the first request matches the corresponding portion specified by the policy, wherein the predetermined portion of the first request includes at least one of a uniform resource locator (URL) pattern, an identifier of one of a method or function, a directory identifier, a client network identifier, a server network identifier, a network port, and a secure socket layer (SSL) parameter; and
  
  wherein the device is configured to transmit, responsive to the action specified by the policy and while queuing the first request, a second request to the client for the authentication certificate.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The system of claim 10, wherein the protected resource comprises a directory.
  - 12. The system of claim 10, wherein the device is further configured to receive the first request via an established first transport layer connection between the device and the client.
  - 13. The system of claim 12, wherein the device is further configured to prevent access to the protected resource via a second transport layer connection between the device and the server until validation of an authentication certificate of the client.
  - 14. The system of claim 10, wherein the device is further configured to determine whether each request of the client matches the policy.
  - 15. The system of claim 10, wherein the device is further configured to receive the authentication certificate from the client responsive to the second request.
  - 16. The system of claim 15, wherein the device is further configured to validate the authentication certificate and responsive to validation, transmitting the queued first request to the server.
  - 17. The system of claim 15, further comprising inserting, by the device responsive to the policy, into the first request for transmission to the server, a portion of the client'"'"'s response to the request for the authentication certificate.
  - 18. The system of claim 10, further comprising inserting, by the device responsive to the policy, into the first request for transmission to the server, data related to the authentication certificate.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Citrix Systems, Inc. (Cloud Software Group)
Original Assignee
Citrix Systems, Inc. (Cloud Software Group)
Inventors
Kanekar, Tushar, Ag, Tejus, Udupa, Sivaprasad R.
Primary Examiner(s)
Hoffman, Brandon
Assistant Examiner(s)
Anderson, Michael D

Application Number

US14/049,918
Publication Number

US 20140041010A1
Time in Patent Office

846 Days
Field of Search

726/9, 726/10
US Class Current

1/1
CPC Class Codes

H04L 2463/144   Detection or countermeasure...

H04L 63/0272   Virtual private networks

H04L 63/0428   wherein the data content is...

H04L 63/0823   using certificates cryptogr...

H04L 63/10   for controlling access to d...

H04L 63/166   at the transport layer

H04L 63/20   for managing network securi...

Systems and methods for policy based triggering of client-authentication at directory level granularity

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

34 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for policy based triggering of client-authentication at directory level granularity

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

34 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links