1. Systems and methods for application based interception of SSL/VPN traffic
    Granted invention patent (in force)

    Publication number: US08869262B2

    Publication date: 2014-10-21

    Application number: US11462329

    Filing date: 2006-08-03

    IPC classification: G06F15/16 H04L29/06

    Abstract: A method for allowing or denying, by an appliance, access to a resource by an application on a client via a virtual private network connection includes basing the decision to allow or deny access on identification of the application. The appliance intercepts a request from an application on a client on a first network to access via a virtual private network connection a resource on a second network. The appliance identifies the application and associates with the intercepted request an authorization policy based on the identity of the application. The appliance determines, using the authorization policy and the identity of the application, to either allow or deny access by the application to the resource.


2. SYSTEM AND METHOD FOR ESTABLISHING A VIRTUAL PRIVATE NETWORK
    Invention patent application (in force)

    Publication number: US20120317411A1

    Publication date: 2012-12-13

    Application number: US13590630

    Filing date: 2012-08-21

    IPC classification: H04L9/00

    Abstract: A system and method for establishing a virtual private network (VPN) between a client and a private data communication network. An encrypted data communication session, such as a Secure Sockets Layer (SSL) data communication session, is established between a gateway and the client over a public data communication network. The gateway then sends a programming component to the client for automatic installation and execution thereon. The programming component operates to intercept communications from client applications destined for resources on the private data communication network and to send the intercepted communications to the gateway via the encrypted data communication session instead of to the resources on the private data communication network.


3. Systems and methods of providing server initiated connections on a virtual private network
    Granted invention patent (in force)

    Publication number: US08271661B2

    Publication date: 2012-09-18

    Application number: US12823643

    Filing date: 2010-06-25

    IPC classification: G06F15/16

    Abstract: The present invention is related to a method for establishing via an appliance a transport layer protocol connection initiated by a server on a first network to a client connected from a second network to the first network via a secure socket layer virtual private network (SSL VPN) connection. The method includes the step of receiving, by an appliance, a transport layer connection request from a server on a first network to connect to a client connected to the first network via a SSL VPN connection from a second network. The transport layer connection request identifies a client destination internet protocol address and a client destination port on the first network. The method includes establishing, by the appliance, a first transport layer connection to the server on the first network, determining, by the appliance, the client on the second network associated with the client destination internet protocol address on the first network, and transmitting, by the appliance, connection information identifying the client destination port to an agent on the client. The agent establishes a second transport layer connection to the client destination port using a local internet protocol address of the client on the second network and establishes a third transport layer connection to the appliance, which it associates with the second transport layer connection.


4. Systems and Methods for Routing VPN Traffic Around Network Distribution
    Invention patent application (in force)

    Publication number: US20110222535A1

    Publication date: 2011-09-15

    Application number: US13093703

    Filing date: 2011-04-25

    IPC classification: H04L12/56

    CPC classification: H04L63/0272

    Abstract: Methods for using a client agent to route client requests among a plurality of appliances using transport layer information include the steps of: establishing, by a client agent executing on a client, a first transport layer connection with a first appliance of a plurality of appliances, the first appliance providing access to one or more servers; establishing, by a client agent executing on the client, a second transport layer connection with a second appliance of a plurality of appliances, the second appliance providing access to one or more servers; intercepting, by the client agent, a packet transmitted by the client; selecting, by the client agent, one of the connections to transmit the intercepted packet based on a characteristic of at least one of: the transport layer connections, the plurality of appliances, or the servers; and transmitting the intercepted packet via the selected connection.


5. Systems and methods for using a client agent to manage ICMP traffic in a virtual private network environment
    Granted invention patent (in force)

    Publication number: US07907621B2

    Publication date: 2011-03-15

    Application number: US11462253

    Filing date: 2006-08-03

    IPC classification: H04L12/28

    Abstract: Systems and methods are described for using a client agent executing on a client to send ICMP messages to an appliance connected via a virtual private network. Methods include: establishing, via a client agent executing on a client, a transport layer virtual private network connection with an appliance; intercepting, by the client agent at the network layer, an ICMP request originating from the client; and transmitting, by the client agent via a transport layer connection, the ICMP request to the appliance. Additional methods describe determining, by the appliance, that the address identified by the ICMP request corresponds to a second client, the second client also connected via a virtual private network to the remote machine; and transmitting, by the appliance to the second client via the virtual private network connection, the ICMP request. Corresponding systems are also described.


7. SYSTEMS AND METHODS OF PROVIDING SERVER INITIATED CONNECTIONS ON A VIRTUAL PRIVATE NETWORK
    Invention patent application (in force)

    Publication number: US20100281162A1

    Publication date: 2010-11-04

    Application number: US12823643

    Filing date: 2010-06-25

    IPC classification: G06F15/16 G06F15/173

    Abstract: The present invention is related to a method for establishing via an appliance a transport layer protocol connection initiated by a server on a first network to a client connected from a second network to the first network via a secure socket layer virtual private network (SSL VPN) connection. The method includes the step of receiving, by an appliance, a transport layer connection request from a server on a first network to connect to a client connected to the first network via a SSL VPN connection from a second network. The transport layer connection request identifies a client destination internet protocol address and a client destination port on the first network. The method includes establishing, by the appliance, a first transport layer connection to the server on the first network, determining, by the appliance, the client on the second network associated with the client destination internet protocol address on the first network, and transmitting, by the appliance, connection information identifying the client destination port to an agent on the client. The agent establishes a second transport layer connection to the client destination port using a local internet protocol address of the client on the second network and establishes a third transport layer connection to the appliance, which it associates with the second transport layer connection.


8. Systems and methods of providing server initiated connections on a virtual private network
    Granted invention patent (in force)

    Publication number: US07769869B2

    Publication date: 2010-08-03

    Application number: US11465950

    Filing date: 2006-08-21

    IPC classification: G06F15/16

    Abstract: The present invention is related to a method for establishing via an appliance a transport layer protocol connection initiated by a server on a first network to a client connected from a second network to the first network via a secure socket layer virtual private network (SSL VPN) connection. The method includes the step of receiving, by an appliance, a transport layer connection request from a server on a first network to connect to a client connected to the first network via a SSL VPN connection from a second network. The transport layer connection request identifies a client destination internet protocol address and a client destination port on the first network. The method includes establishing, by the appliance, a first transport layer connection to the server on the first network, determining, by the appliance, the client on the second network associated with the client destination internet protocol address on the first network, and transmitting, by the appliance, connection information identifying the client destination port to an agent on the client. The agent establishes a second transport layer connection to the client destination port using a local internet protocol address of the client on the second network and establishes a third transport layer connection to the appliance, which it associates with the second transport layer connection.


9. System and method for establishing a virtual private network
    Granted invention patent (in force)

    Publication number: US07757074B2

    Publication date: 2010-07-13

    Application number: US11039946

    Filing date: 2005-01-24

    IPC classification: G06F9/00

    Abstract: A system and method for establishing a virtual private network (VPN) between a client and a private data communication network. An encrypted data communication session, such as a Secure Sockets Layer (SSL) data communication session, is established between a gateway and the client over a public data communication network. The gateway then sends a programming component to the client for automatic installation and execution thereon. The programming component operates to intercept communications from client applications destined for resources on the private data communication network and to send the intercepted communications to the gateway via the encrypted data communication session instead of to the resources on the private data communication network.


10. Systems and Methods of Providing An Intranet Internet Protocol Address to a Client on a Virtual Private Network
    Invention patent application (in force)

    Publication number: US20080046994A1

    Publication date: 2008-02-21

    Application number: US11465980

    Filing date: 2006-08-21

    IPC classification: G06F15/16

    CPC classification: H04L63/0272 H04L63/166

    Abstract: The intranet IP address management solution of the appliance and/or client described herein provides an environment for efficiently assigning, managing and querying virtual private network addresses, referred to as intranet IP (IIP) addresses of virtual private network users, such as a multitude of SSL VPN users on an enterprise network. The appliance provides techniques and policies for assigning previously assigned virtual private network addresses of a user to subsequent sessions of the user as the user logs in multiple times or roams between access points. This technique is referred to as IIP stickiness, as the appliance attempts to provide the same IIP address to a roaming VPN user. The appliance also provides a configurable user domain naming policy so that one can ping or query the virtual private network address of a user by an easily referenceable host name identifying the user. The appliance and/or client agent also provide techniques to allow applications to seamlessly and transparently communicate on the virtual private network using the virtual private network address of the user or client on the private network.
