Systems and methods for using an HTTP-aware client agent

    Publication (announcement) No.: US09948608B2

    Publication (announcement) date: 2018-04-17

    Application No.: US14594963

    Filing date: 2015-01-12

    Abstract: Systems and methods are described for using a client agent operating in a virtual private network environment to intercept HyperText Transfer Protocol (HTTP) communications. Methods include: intercepting at the network layer, by a client agent executing on a client, an HTTP request from an application executing on the client; modifying the HTTP request; and transmitting, via a transport layer connection, the modified HTTP request to a server. Additional methods may comprise adding, removing, or modifying at least one cookie in the HTTP request. Still other methods may comprise modifying at least one name-value pair contained in the HTTP request. Corresponding systems are also described.

    Systems and methods for application based interception of SSL/VPN traffic
    2.
    Granted invention patent (status: in force)

    Publication (announcement) No.: US09497198B2

    Publication (announcement) date: 2016-11-15

    Application No.: US14498816

    Filing date: 2014-09-26

    Abstract: A method for allowing or denying, by an appliance, access to a resource by an application on a client via a virtual private network connection includes basing the decision to allow or deny access on identification of the application. The appliance intercepts a request from an application on a client on a first network to access via a virtual private network connection a resource on a second network. The appliance identifies the application and associates with the intercepted request an authorization policy based on the identity of the application. The appliance determines, using the authorization policy and the identity of the application, to either allow or deny access by the application to the resource.


    SYSTEMS AND METHODS FOR APPLICATION BASED INTERCEPTION OF SSL/VPN TRAFFIC
    3.
    Invention patent application (status: in force)

    Publication (announcement) No.: US20150020220A1

    Publication (announcement) date: 2015-01-15

    Application No.: US14498816

    Filing date: 2014-09-26

    Abstract: A method for allowing or denying, by an appliance, access to a resource by an application on a client via a virtual private network connection includes basing the decision to allow or deny access on identification of the application. The appliance intercepts a request from an application on a client on a first network to access via a virtual private network connection a resource on a second network. The appliance identifies the application and associates with the intercepted request an authorization policy based on the identity of the application. The appliance determines, using the authorization policy and the identity of the application, to either allow or deny access by the application to the resource.


    SYSTEMS AND METHODS FOR USING AN HTTP-AWARE CLIENT AGENT
    4.
    Invention patent application (status: in force)

    Publication (announcement) No.: US20140344345A1

    Publication (announcement) date: 2014-11-20

    Application No.: US14448265

    Filing date: 2014-07-31

    Abstract: Systems and methods are described for using a client agent operating in a virtual private network environment to intercept HTTP communications. Methods include: intercepting at the network layer, by a client agent executing on a client, an HTTP request from an application executing on the client; modifying the HTTP request; and transmitting, via a transport layer connection, the modified HTTP request to a server. Additional methods may comprise adding, removing, or modifying at least one cookie in the HTTP request. Still other methods may comprise modifying at least one name-value pair contained in the HTTP request. Corresponding systems are also described.


    SYSTEMS AND METHODS FOR USING A CLIENT AGENT TO MANAGE HTTP AUTHENTICATION COOKIES
    5.
    Invention patent application (status: in force)

    Publication (announcement) No.: US20140109202A1

    Publication (announcement) date: 2014-04-17

    Application No.: US14042354

    Filing date: 2013-09-30

    CPC classification number: H04L63/08 H04L63/145 H04L67/02 H04L67/2842

    Abstract: Systems and methods are described for using a client agent to manage HTTP authentication cookies. One method includes intercepting, by a client agent executing on a client, a connection request from the client; establishing, by the client agent, a transport layer virtual private network connection with a network appliance; transmitting, by the client agent via the established connection, an HTTP request comprising an authentication cookie; and transmitting, by the client agent via the connection, the connection request. A second method includes intercepting, by a client agent executing on a client, an HTTP communication comprising a cookie from an appliance on a virtual private network to the client; removing, by the client agent, the cookie from the HTTP communication; storing, by the client agent, the received cookie; transmitting, by the client agent, the modified HTTP communication to an application executing on the client; intercepting, by the client agent, an HTTP request from the client; inserting, by the client agent in the HTTP request, the received cookie; and transmitting the modified HTTP request to the appliance. Corresponding systems are also described.


    Systems and methods for using a client agent to manage HTTP authentication cookies
    6.
    Granted invention patent (status: in force)

    Publication (announcement) No.: US09544285B2

    Publication (announcement) date: 2017-01-10

    Application No.: US14042354

    Filing date: 2013-09-30

    CPC classification number: H04L63/08 H04L63/145 H04L67/02 H04L67/2842

    Abstract: Systems and methods are described for using a client agent to manage HTTP authentication cookies. One method includes intercepting, by a client agent executing on a client, a connection request from the client; establishing, by the client agent, a transport layer virtual private network connection with a network appliance; transmitting, by the client agent via the established connection, an HTTP request comprising an authentication cookie; and transmitting, by the client agent via the connection, the connection request. A second method includes intercepting, by a client agent executing on a client, an HTTP communication comprising a cookie from an appliance on a virtual private network to the client; removing, by the client agent, the cookie from the HTTP communication; storing, by the client agent, the received cookie; transmitting, by the client agent, the modified HTTP communication to an application executing on the client; intercepting, by the client agent, an HTTP request from the client; inserting, by the client agent in the HTTP request, the received cookie; and transmitting the modified HTTP request to the appliance. Corresponding systems are also described.


    Method and system for authorizing a level of access of a client to a virtual private network connection, based on a client-side attribute
    7.
    Granted invention patent (status: in force)

    Publication (announcement) No.: US08904475B2

    Publication (announcement) date: 2014-12-02

    Application No.: US13760898

    Filing date: 2013-02-06

    CPC classification number: H04L63/20 H04L63/0272 H04L63/102 H04L63/105

    Abstract: An appliance and method for authorizing a level of access of a client to a virtual private network connection, based on a client-side attribute includes the step of establishing, by an appliance, a control connection with a client upon receiving a client request to establish a virtual private network connection with a network. The appliance transmits, via the control connection, a request to the client to evaluate at least one clause of a security string, the at least one clause including an expression associated with a client-side attribute. The client transmits, via the control connection, a response to the appliance comprising a result of evaluating the at least one clause by the client. The appliance assigns the client to an authorization group based on the result of evaluation of the at least one clause.


    SYSTEMS AND METHODS FOR USING AN HTTP-AWARE CLIENT AGENT
    8.
    Invention patent application (status: in force)

    Publication (announcement) No.: US20150128227A1

    Publication (announcement) date: 2015-05-07

    Application No.: US14594963

    Filing date: 2015-01-12

    Abstract: Systems and methods are described for using a client agent operating in a virtual private network environment to intercept HTTP communications. Methods include: intercepting at the network layer, by a client agent executing on a client, an HTTP request from an application executing on the client; modifying the HTTP request; and transmitting, via a transport layer connection, the modified HTTP request to a server. Additional methods may comprise adding, removing, or modifying at least one cookie in the HTTP request. Still other methods may comprise modifying at least one name-value pair contained in the HTTP request. Corresponding systems are also described.


    SYSTEMS AND METHODS FOR ENHANCED CLIENT SIDE POLICY
    9.
    Invention patent application (status: in force)

    Publication (announcement) No.: US20140344891A1

    Publication (announcement) date: 2014-11-20

    Application No.: US14448298

    Filing date: 2014-07-31

    Abstract: An appliance and method for authorizing a level of access of a client to a virtual private network connection, based on a client-side attribute includes the step of establishing, by an appliance, a control connection with a client upon receiving a client request to establish a virtual private network connection with a network. The appliance transmits, via the control connection, a request to the client to evaluate at least one clause of a security string, the at least one clause including an expression associated with a client-side attribute. The client transmits, via the control connection, a response to the appliance comprising a result of evaluating the at least one clause by the client. The appliance assigns the client to an authorization group based on the result of evaluation of the at least one clause.

