公开(公告)号：US09246878B2

公开(公告)日：2016-01-26

申请号：US14045922

申请日：2013-10-04

Applicant: Citrix Systems, Inc.

Inventor： Arkesh Kumar ,  James Harris ,  Ajay Soni

IPC: H04L29/06 ,  H04L12/46

CPC classification number: H04L63/0272 ,  H04L12/4641 ,  H04L63/166

Abstract: In a method and system for routing packets between clients, a packet is received from a first client connected to a secure sockets layer virtual private network (an SSL/VPN) network appliance. An identification is made, responsive to an inspection of the received packet, of i) a type of connection required for transmission of the received packet to a destination address identified by the received packet and ii) a second client connected via an SSL/VPN connection to the SSL/VPN network appliance and associated with the identified destination address. A request is made for establishment by the second client of a connection of the identified type within the SSL/VPN connection. The received packet is transmitted to the second client via the established connection of the identified type.

公开(公告)号：US09059966B2

公开(公告)日：2015-06-16

申请号：US14306354

申请日：2014-06-17

Applicant: Citrix Systems, Inc.

Inventor： Puneet Agarwal ,  Saibal Kumar Adhya ,  Srinivasan Thirunarayanan ,  James Harris

IPC: H04L29/06 ,  H04L29/08

CPC classification number: H04L63/0227 ,  H04L63/0272 ,  H04L63/0281 ,  H04L63/166 ,  H04L63/20 ,  H04L67/02 ,  H04L67/28 ,  H04L67/2842

Abstract: The present application enables the enterprise to configure various policies to address various subsets of the traffic based on various information relating the client, the server, or the details and nature of the interactions between the client and the server. An intermediary deployed between clients and servers may establish an SSL VPN session between a client and a server. The intermediary may receiving a response from a server to a request of a client via the clientless SSL VPN session. The response may comprise one or more cookies. The intermediary may identify an access profile for the clientless SSL VPN session. The access profile may identify one or more policies for proxying cookies. The intermediary may determine, responsive to the one or more policies of the access profile, whether to proxy or bypass proxying for the client the one or more cookies.

Abstract translation: 本应用使得企业能够基于与客户端，服务器或客户端与服务器之间的交互的细节和性质相关的各种信息来配置各种策略来处理流量的各种子集。 部署在客户端和服务器之间的中介可以在客户端和服务器之间建立SSL VPN会话。 中间人可以通过无客户端SSL VPN会话从服务器接收到客户端的请求的响应。 响应可以包括一个或多个cookie。 中介可以识别无客户端SSL VPN会话的访问配置文件。 访问配置文件可以标识用于代理Cookie的一个或多个策略。 中介可以响应于访问简档的一个或多个策略来确定是否为客户端代理或绕过代理一个或多个cookie。

公开(公告)号：US20140298410A1

公开(公告)日：2014-10-02

申请号：US14306354

申请日：2014-06-17

Applicant: Citrix Systems, Inc.

Inventor： Puneet Agarwal ,  Saibal Kumar Adhya ,  Srinivasan Thirunarayanan ,  James Harris

IPC: H04L29/06

CPC classification number: H04L63/0227 ,  H04L63/0272 ,  H04L63/0281 ,  H04L63/166 ,  H04L63/20 ,  H04L67/02 ,  H04L67/28 ,  H04L67/2842

Abstract: The present application enables the enterprise to configure various policies to address various subsets of the traffic based on various information relating the client, the server, or the details and nature of the interactions between the client and the server. An intermediary deployed between clients and servers may establish an SSL VPN session between a client and a server. The intermediary may receiving a response from a server to a request of a client via the clientless SSL VPN session. The response may comprise one or more cookies. The intermediary may identify an access profile for the clientless SSL VPN session. The access profile may identify one or more policies for proxying cookies. The intermediary may determine, responsive to the one or more policies of the access profile, whether to proxy or bypass proxying for the client the one or more cookies.

Abstract translation: 本应用使得企业能够基于与客户端，服务器或客户端与服务器之间的交互的细节和性质相关的各种信息来配置各种策略来处理流量的各种子集。 部署在客户端和服务器之间的中介可以在客户端和服务器之间建立SSL VPN会话。 中间人可以通过无客户端SSL VPN会话从服务器接收到客户端的请求的响应。 响应可以包括一个或多个cookie。 中介可以识别无客户端SSL VPN会话的访问配置文件。 访问配置文件可以标识用于代理Cookie的一个或多个策略。 中介可以响应于访问简档的一个或多个策略来确定是否为客户端代理或绕过代理一个或多个cookie。

公开(公告)号：US09294439B2

公开(公告)日：2016-03-22

申请号：US13943662

申请日：2013-07-16

Applicant: Citrix Systems, Inc.

Inventor： Charu Venkatraman ,  Junxiao He ,  Amarnath Mullick ,  Shashi Nanjundaswamy ,  James Harris ,  Ajay Soni

IPC: H04L29/00 ,  H04L29/06

CPC classification number: H04L63/0227 ,  H04L63/0272 ,  H04L63/0876 ,  H04L63/102

Abstract: A method for intercepting, by an agent of a client, communications from the client to be transmitted via a virtual private network connection includes the step of intercepting communications based on identification of an application from which the communication originates. The agent receives information identifying a first application. The agent determines a network communication transmitted by the client originates from the first application and intercepts that communication. The agent transmits the intercepted communication via the virtual private network connection.

Abstract translation: 用于由客户的代理拦截要通过虚拟专用网络连接发送的通信的方法包括基于来自该通信的应用的识别来拦截通信的步骤。 代理接收标识第一应用的信息。 代理确定由客户端发送的网络通信源自第一应用，并拦截该通信。 该代理通过虚拟专用网络连接发送被拦截的通信。

公开(公告)号：US20130304881A1

公开(公告)日：2013-11-14

申请号：US13943662

申请日：2013-07-16

Applicant: Citrix Systems, Inc.

Inventor： Charu Venkatraman ,  Junxiao He ,  Amarnath Mullick ,  Shashi Nanjundaswamy ,  James Harris ,  Ajay Soni

IPC: H04L29/06

CPC classification number: H04L63/0227 ,  H04L63/0272 ,  H04L63/0876 ,  H04L63/102

Abstract: A method for intercepting, by an agent of a client, communications from the client to be transmitted via a virtual private network connection includes the step of intercepting communications based on identification of an application from which the communication originates. The agent receives information identifying a first application. The agent determines a network communication transmitted by the client originates from the first application and intercepts that communication. The agent transmits the intercepted communication via the virtual private network connection.

Abstract translation: 用于由客户的代理拦截要通过虚拟专用网络连接发送的通信的方法包括基于来自该通信的应用的识别来拦截通信的步骤。 代理接收标识第一应用的信息。 代理确定由客户端发送的网络通信源自第一应用，并拦截该通信。 该代理通过虚拟专用网络连接发送被拦截的通信。

公开(公告)号：US09497198B2

公开(公告)日：2016-11-15

申请号：US14498816

申请日：2014-09-26

Applicant: Citrix Systems, Inc.

Inventor： Amarnath Mullick ,  Charu Venkatraman ,  Junxiao He ,  Shashi Nanjundaswamy ,  James Harris ,  Ajay Soni

IPC: G06F15/16 ,  H04L29/06

CPC classification number: H04L63/10 ,  H04L63/0272 ,  H04L63/0876 ,  H04L63/102 ,  H04L63/20

Abstract: A method for allowing or denying, by an appliance, access to a resource by an application on a client via a virtual private network connection includes basing the decision to allow or deny access on identification of the application. The appliance intercepts a request from an application on a client on a first network to access via a virtual private network connection a resource on a second network. The appliance identifies the application and associates with the intercepted request an authorization policy based on the identity of the application. The appliance determines, using the authorization policy and the identity of the application, to either allow or deny access by the application to the resource.

Abstract translation: 允许或拒绝由设备通过虚拟专用网络连接在客户端上的应用访问资源的方法包括基于允许或拒绝对应用标识的访问的决定。 设备拦截来自第一网络上的客户端上的应用的请求，以经由虚拟专用网络连接在第二网络上访问资源。 设备识别应用程序，并根据应用程序的身份将截获的请求与授权策略相关联。 设备使用授权策略和应用程序的身份来确定应用程序是否允许或拒绝资源访问。

公开(公告)号：US09264429B2

公开(公告)日：2016-02-16

申请号：US14462204

申请日：2014-08-18

Applicant: Citrix Systems, Inc.

Inventor： James Harris ,  Rui Li ,  Arkesh Kumar ,  Ravindranath Thakur ,  Puneet Agarwal ,  Akshat Choudhary ,  Punit Gupta

IPC: H04L29/06 ,  G06F21/31 ,  G06F21/53 ,  G06F9/455 ,  H04L29/08

CPC classification number: H04L63/0876 ,  G06F21/31 ,  G06F21/53 ,  G06F2009/4557 ,  H04L63/08 ,  H04L63/0884 ,  H04L63/10 ,  H04L63/105 ,  H04L63/166 ,  H04L63/20 ,  H04L67/2814

Abstract: The present invention provides a system and method of managing traffic traversing an intermediary based on a result of end point auditing. An authentication virtual server of an intermediary may determine a result of an end point analysis scan of a client. Responsive to the determination, the traffic management virtual server can obtain the result from the authentication virtual server. Further, the traffic management virtual server may apply the result in one or more traffic management policies to manage network traffic of a connection of the client traversing the intermediary. In some embodiments, the authentication virtual server may receive one or more expressions evaluated by the client. The one or more expressions identifies one or more attributes of the client. The traffic management virtual server can also determine a type of compression or encryption for the connection based on applying the one or more traffic management policies using the result.

Abstract translation: 本发明提供了一种基于终端审计结果来管理遍历中间人的流量的系统和方法。 中介的认证虚拟服务器可以确定客户端的终点分析扫描的结果。 响应确定，流量管理虚拟服务器可以从认证虚拟服务器获取结果。 此外，流量管理虚拟服务器可以将结果应用于一个或多个流量管理策略中，以管理遍历中间件的客户端的连接的网络流量。 在一些实施例中，认证虚拟服务器可以接收由客户端评估的一个或多个表达式。 一个或多个表达式标识客户端的一个或多个属性。 流量管理虚拟服务器还可以基于使用结果应用一个或多个流量管理策略来确定连接的压缩或加密的类型。

公开(公告)号：US20150020220A1

公开(公告)日：2015-01-15

申请号：US14498816

申请日：2014-09-26

Applicant: CITRIX SYSTEMS, INC.

Inventor： Amarnath Mullick ,  Charu Venkatraman ,  Junxiao He ,  Shashi Nanjundaswamy ,  James Harris ,  Ajay Soni

IPC: H04L29/06

CPC classification number: H04L63/10 ,  H04L63/0272 ,  H04L63/0876 ,  H04L63/102 ,  H04L63/20

Abstract: A method for allowing or denying, by an appliance, access to a resource by an application on a client via a virtual private network connection includes basing the decision to allow or deny access on identification of the application. The appliance intercepts a request from an application on a client on a first network to access via a virtual private network connection a resource on a second network. The appliance identifies the application and associates with the intercepted request an authorization policy based on the identity of the application. The appliance determines, using the authorization policy and the identity of the application, to either allow or deny access by the application to the resource.

Abstract translation: 用于通过设备允许或拒绝由客户端上的应用程序通过虚拟专用网络连接访问资源的方法包括基于允许或拒绝对应用的标识的访问的决定。 设备拦截来自第一网络上的客户端上的应用的请求，以经由虚拟专用网络连接在第二网络上访问资源。 设备识别应用程序，并根据应用程序的身份将截获的请求与授权策略相关联。 设备使用授权策略和应用程序的身份来确定应用程序是否允许或拒绝资源访问。

公开(公告)号：US20140041014A1

公开(公告)日：2014-02-06

申请号：US14045922

申请日：2013-10-04

Applicant: Citrix Systems, Inc.

Inventor： Arkesh Kumar ,  James Harris ,  Ajay Soni

IPC: H04L29/06

CPC classification number: H04L63/0272 ,  H04L12/4641 ,  H04L63/166

Abstract: In a method and system for routing packets between clients, a packet is received from a first client connected to a secure sockets layer virtual private network (an SSL/VPN) network appliance. An identification is made, responsive to an inspection of the received packet, of i) a type of connection required for transmission of the received packet to a destination address identified by the received packet and ii) a second client connected via an SSL/VPN connection to the SSL/VPN network appliance and associated with the identified destination address. A request is made for establishment by the second client of a connection of the identified type within the SSL/VPN connection. The received packet is transmitted to the second client via the established connection of the identified type.

Abstract translation: 在用于在客户端之间路由分组的方法和系统中，从连接到安全套接层层虚拟专用网（SSL / VPN）网络设备的第一客户端接收分组。 响应于所接收的分组的检查，进行识别i）将接收的分组传输到由接收分组识别的目的地地址所需的连接类型，以及ii）经由SSL / VPN连接连接的第二客户端 到SSL / VPN网络设备并与所识别的目的地址相关联。 请求由第二客户端建立SSL / VPN连接中识别类型的连接。 所接收的分组经由所识别类型的建立的连接被发送到第二客户端。

公开(公告)号：US20140359728A1

公开(公告)日：2014-12-04

申请号：US14462204

申请日：2014-08-18

Applicant: Citrix Systems, Inc.

Inventor： James Harris ,  Raymond Li ,  Ravindranath Thakur ,  Puneet Agarwal ,  Punit Gupta

IPC: H04L29/06

CPC classification number: H04L63/0876 ,  G06F21/31 ,  G06F21/53 ,  G06F2009/4557 ,  H04L63/08 ,  H04L63/0884 ,  H04L63/10 ,  H04L63/105 ,  H04L63/166 ,  H04L63/20 ,  H04L67/2814

Abstract: The present invention provides a system and method of managing traffic traversing an intermediary based on a result of end point auditing. An authentication virtual server of an intermediary may determine a result of an end point analysis scan of a client. Responsive to the determination, the traffic management virtual server can obtain the result from the authentication virtual server. Further, the traffic management virtual server may apply the result in one or more traffic management policies to manage network traffic of a connection of the client traversing the intermediary. In some embodiments, the authentication virtual server may receive one or more expressions evaluated by the client. The one or more expressions identifies one or more attributes of the client. The traffic management virtual server can also determine a type of compression or encryption for the connection based on applying the one or more traffic management policies using the result.

Abstract translation: 本发明提供了一种基于终端审计结果来管理遍历中间人的流量的系统和方法。 中介的认证虚拟服务器可以确定客户端的终点分析扫描的结果。 响应确定，流量管理虚拟服务器可以从认证虚拟服务器获取结果。 此外，流量管理虚拟服务器可以将结果应用于一个或多个流量管理策略中，以管理遍历中间件的客户端的连接的网络流量。 在一些实施例中，认证虚拟服务器可以接收由客户端评估的一个或多个表达式。 一个或多个表达式标识客户端的一个或多个属性。 流量管理虚拟服务器还可以基于使用结果应用一个或多个流量管理策略来确定连接的压缩或加密的类型。