Accessing Enterprise Resources While Providing Denial-of-Service Attack Protection
    Invention application; legal status: granted

    Publication number: US20150046997A1

    Publication date: 2015-02-12

    Application number: US14140843

    Application date: 2013-12-26

    Abstract: A method for accessing enterprise resources while providing denial-of-service attack protection. The method may include receiving, at a gateway from a client device, a request for a resource, the request comprising a location identifier associated with the resource. The method may further include redirecting, by a redirection message, the request to an authentication device that requests credentials for authentication, the redirection message comprising the location identifier. The method may also include retrieving, after authentication of the credentials, the location identifier from the client device. The method may additionally include providing access to the resource based on the location identifier.

    Split-tunneling for clientless SSL-VPN sessions with zero-configuration

    Publication number: US11533289B2

    Publication date: 2022-12-20

    Application number: US17029366

    Application date: 2020-09-23

    Abstract: Described embodiments provide systems and methods for rewriting an URL in a message transmitted via a clientless SSL VPN session. An intermediary device may identify, in a HTTP response transmitted via the session, an absolute URL that includes a hostname of the server. The device may determine that the absolute URL includes an intranet domain name. The device may generate, responsive to the determination, a URL segment by combining a unique string corresponding to the hostname of the server, with a hostname of the device. The device may rewrite, responsive to the determination, the absolute URL by replacing the server hostname in the absolute URL with the generated URL segment. A DNS server for the client may be configured with a DNS entry comprising a wildcard combined with the device hostname, to cause the DNS server to resolve the rewritten absolute URL to an IP address of the device.

    SYSTEMS AND METHODS FOR POLICY DRIVEN FINE GRAIN VALIDATION OF SERVERS' SSL CERTIFICATE FOR CLIENTLESS SSLVPN ACCESS

    Publication number: US20170126664A1

    Publication date: 2017-05-04

    Application number: US14925410

    Application date: 2015-10-28

    CPC classification number: H04L63/0823 H04L63/0272

    Abstract: The present disclosure is directed towards systems and methods for validation of a secure socket layer (SSL) certificate of a server for clientless SSL virtual private network (VPN) access. An intermediary device can receive a first request from a client for a clientless SSL VPN connection to a first server. The intermediary device can determine, using a preconfigured policy, that the first server in the first request meets a condition of the preconfigured policy. The intermediary device 801 can perform, responsive to the determination, an action to validate a SSL certificate of the first server using one or more certificate authority (CA) certificate files available to the intermediary device. The one or more CA certificate files can be specified by the preconfigured policy for the action.

    CONSTRAINING RESOURCE ALLOCATION RATE FOR STATEFUL MULTI-TENANT HTTP PROXIES AND DENIAL-OF-SERVICE ATTACK PREVENTION

    Publication number: US20210377294A1

    Publication date: 2021-12-02

    Application number: US17063230

    Application date: 2020-10-05

    Abstract: Implementations of the systems and methods discussed herein provide for distributed HTTP proxy services with synchronization of per-server or per-tenant resource allocation counters amongst the proxy devices, allowing devices to quickly identify denial of service attacks or other malicious or erroneous behavior. In some implementations, a database server may receive resource consumption notifications from each of a plurality of proxy devices and may aggregate the notifications or increment a counter on a per-server or per-tenant basis, and provide updated counter values to proxy devices via callbacks. Each proxy device may check the counter value before utilizing resources, and may disable or block proxy processing responsive to the counter exceeding a threshold.

    SYSTEMS AND METHODS FOR POLICY DRIVEN FINE GRAIN VALIDATION OF SERVERS SSL CERTIFICATE FOR CLIENTLESS SSLVPN ACCESS

    Publication number: US20200274867A1

    Publication date: 2020-08-27

    Application number: US16871192

    Application date: 2020-05-11

    Abstract: The present disclosure is directed towards systems and methods for validation of a secure socket layer (SSL) certificate of a server for clientless SSL virtual private network (VPN) access. An intermediary device can receive a first request from a client for a clientless SSL VPN connection to a first server. The intermediary device can determine, using a preconfigured policy, that the first server in the first request meets a condition of the preconfigured policy. The intermediary device 801 can perform, responsive to the determination, an action to validate a SSL certificate of the first server using one or more certificate authority (CA) certificate files available to the intermediary device. The one or more CA certificate files can be specified by the preconfigured policy for the action.

    SYSTEMS AND METHODS FOR USING END POINT AUDITING IN CONNECTION WITH TRAFFIC MANAGEMENT
    Invention application; legal status: granted

    Publication number: US20140359728A1

    Publication date: 2014-12-04

    Application number: US14462204

    Application date: 2014-08-18

    Abstract: The present invention provides a system and method of managing traffic traversing an intermediary based on a result of end point auditing. An authentication virtual server of an intermediary may determine a result of an end point analysis scan of a client. Responsive to the determination, the traffic management virtual server can obtain the result from the authentication virtual server. Further, the traffic management virtual server may apply the result in one or more traffic management policies to manage network traffic of a connection of the client traversing the intermediary. In some embodiments, the authentication virtual server may receive one or more expressions evaluated by the client. The one or more expressions identifies one or more attributes of the client. The traffic management virtual server can also determine a type of compression or encryption for the connection based on applying the one or more traffic management policies using the result.

    Split-tunneling for clientless SSL-VPN sessions with zero-configuration

    Publication number: US10812448B2

    Publication date: 2020-10-20

    Application number: US15880930

    Application date: 2018-01-26

    Abstract: Described embodiments provide systems and methods for rewriting an URL in a message transmitted via a clientless SSL VPN session. An intermediary device may identify, in a HTTP response transmitted via the session, an absolute URL that includes a hostname of the server. The device may determine that the absolute URL includes an intranet domain name. The device may generate, responsive to the determination, a URL segment by combining a unique string corresponding to the hostname of the server, with a hostname of the device. The device may rewrite, responsive to the determination, the absolute URL by replacing the server hostname in the absolute URL with the generated URL segment. A DNS server for the client may be configured with a DNS entry comprising a wildcard combined with the device hostname, to cause the DNS server to resolve the rewritten absolute URL to an IP address of the device.
