Systems and methods for policy driven fine grain validation of servers SSL certificate for clientless SSLVPN access

    Publication No.: US11470076B2

    Publication date: 2022-10-11

    Application No.: US16871192

    Filing date: 2020-05-11

    Abstract: The present disclosure is directed towards systems and methods for validation of a secure socket layer (SSL) certificate of a server for clientless SSL virtual private network (VPN) access. An intermediary device can receive a first request from a client for a clientless SSL VPN connection to a first server. The intermediary device can determine, using a preconfigured policy, that the first server in the first request meets a condition of the preconfigured policy. The intermediary device 801 can perform, responsive to the determination, an action to validate a SSL certificate of the first server using one or more certificate authority (CA) certificate files available to the intermediary device. The one or more CA certificate files can be specified by the preconfigured policy for the action.

    Remote desktop protocol proxy with single sign-on and enforcement support

    Publication No.: US10924468B2

    Publication date: 2021-02-16

    Application No.: US16047109

    Filing date: 2018-07-27

    Abstract: Described embodiments provide systems and methods for launching a connection to a resource link from a client device. A device can authenticate the client device for access to a plurality of resource links accessible via one or more servers. The device can provide a list of the plurality of resource links responsive to the authentication, and receive a request from the client device, identifying a first resource link to access. The device can cause first authenticated credentials for the first resource link to be stored on the client device responsive to the request. The first authenticated credentials can correspond to the client device and provide access to the first resource link. The client device can be configured to launch a connection to the first resource link from the client device using the first authenticated credentials stored on the client device.

    Systems and methods for policy driven fine grain validation of servers' SSL certificate for clientless SSLVPN access

    Publication No.: US10652229B2

    Publication date: 2020-05-12

    Application No.: US15923977

    Filing date: 2018-03-16

    Abstract: The present disclosure is directed towards systems and methods for validation of a secure socket layer (SSL) certificate of a server for clientless SSL virtual private network (VPN) access. An intermediary device can receive a first request from a client for a clientless SSL VPN connection to a first server. The intermediary device can determine, using a preconfigured policy, that the first server in the first request meets a condition of the preconfigured policy. The intermediary device 801 can perform, responsive to the determination, an action to validate a SSL certificate of the first server using one or more certificate authority (CA) certificate files available to the intermediary device. The one or more CA certificate files can be specified by the preconfigured policy for the action.

    REMOTE DESKTOP PROTOCOL PROXY WITH SINGLE SIGN-ON AND ENFORCEMENT SUPPORT

    Publication No.: US20200036699A1

    Publication date: 2020-01-30

    Application No.: US16047109

    Filing date: 2018-07-27

    Abstract: Described embodiments provide systems and methods for launching a connection to a resource link from a client device. A device can authenticate the client device for access to a plurality of resource links accessible via one or more servers. The device can provide a list of the plurality of resource links responsive to the authentication, and receive a request from the client device, identifying a first resource link to access. The device can cause first authenticated credentials for the first resource link to be stored on the client device responsive to the request. The first authenticated credentials can correspond to the client device and provide access to the first resource link. The client device can be configured to launch a connection to the first resource link from the client device using the first authenticated credentials stored on the client device.

    Systems and methods for policy driven fine grain validation of servers' SSL certificate for clientless SSLVPN access

    Publication No.: US09948633B2

    Publication date: 2018-04-17

    Application No.: US14925410

    Filing date: 2015-10-28

    CPC classification number: H04L63/0823 H04L63/0272

    Abstract: The present disclosure is directed towards systems and methods for validation of a secure socket layer (SSL) certificate of a server for clientless SSL virtual private network (VPN) access. An intermediary device can receive a first request from a client for a clientless SSL VPN connection to a first server. The intermediary device can determine, using a preconfigured policy, that the first server in the first request meets a condition of the preconfigured policy. The intermediary device 801 can perform, responsive to the determination, an action to validate a SSL certificate of the first server using one or more certificate authority (CA) certificate files available to the intermediary device. The one or more CA certificate files can be specified by the preconfigured policy for the action.

    Systems and methods for using end point auditing in connection with traffic management
    Type: Granted invention patent
    Status: In force

    Publication No.: US09264429B2

    Publication date: 2016-02-16

    Application No.: US14462204

    Filing date: 2014-08-18

    Abstract: The present invention provides a system and method of managing traffic traversing an intermediary based on a result of end point auditing. An authentication virtual server of an intermediary may determine a result of an end point analysis scan of a client. Responsive to the determination, the traffic management virtual server can obtain the result from the authentication virtual server. Further, the traffic management virtual server may apply the result in one or more traffic management policies to manage network traffic of a connection of the client traversing the intermediary. In some embodiments, the authentication virtual server may receive one or more expressions evaluated by the client. The one or more expressions identifies one or more attributes of the client. The traffic management virtual server can also determine a type of compression or encryption for the connection based on applying the one or more traffic management policies using the result.

    Systems and methods for IIP address sharing across cores in a multi-core system
    Type: Granted invention patent
    Status: In force

    Publication No.: US08856369B2

    Publication date: 2014-10-07

    Application No.: US14081483

    Filing date: 2013-11-15

    CPC classification number: H04L41/0806 H04L29/12207 H04L61/20 H04L63/166

    Abstract: In a multi-core system, multiple packet engines across corresponding cores may be working concurrently processing data packets from data flows of SSL VPN sessions. For example, a first core may establish a SSL VPN session with a client. Any one of the other cores, such as a second core, may receive packets related to the session owned by the first core. Embodiments of the systems and method described below provide management of IIP addresses for the multi-core/multi-packet engine approach to providing SSL VPN service. In some embodiments, the approach to managing IIP addresses is to have one packet engine on a core act as a master or controller of the IIPs for the remaining packet engines and cores. The packet engines/cores use a protocol for communications regarding IIP management.

    METHODS AND SYSTEMS FOR ROUTING PACKETS IN A VPN-CLIENT-TO-VPN-CLIENT CONNECTION VIA AN SSL/VPN NETWORK APPLIANCE
    Type: Invention patent application
    Status: In force

    Publication No.: US20140041014A1

    Publication date: 2014-02-06

    Application No.: US14045922

    Filing date: 2013-10-04

    CPC classification number: H04L63/0272 H04L12/4641 H04L63/166

    Abstract: In a method and system for routing packets between clients, a packet is received from a first client connected to a secure sockets layer virtual private network (an SSL/VPN) network appliance. An identification is made, responsive to an inspection of the received packet, of i) a type of connection required for transmission of the received packet to a destination address identified by the received packet and ii) a second client connected via an SSL/VPN connection to the SSL/VPN network appliance and associated with the identified destination address. A request is made for establishment by the second client of a connection of the identified type within the SSL/VPN connection. The received packet is transmitted to the second client via the established connection of the identified type.
