1. Systems and methods for application based interception of SSL/VPN traffic
    Granted patent (in force)

    Publication number: US08869262B2

    Publication date: 2014-10-21

    Application number: US11462329

    Filing date: 2006-08-03

    IPC classification: G06F15/16 H04L29/06

    Abstract: A method for allowing or denying, by an appliance, access to a resource by an application on a client via a virtual private network connection includes basing the decision to allow or deny access on identification of the application. The appliance intercepts a request from an application on a client on a first network to access, via a virtual private network connection, a resource on a second network. The appliance identifies the application and associates with the intercepted request an authorization policy based on the identity of the application. The appliance determines, using the authorization policy and the identity of the application, to either allow or deny access by the application to the resource.


3. Systems and Methods of Fine Grained Interception of Network Communications on a Virtual Private Network
    Patent application (in force)

    Publication number: US20080031235A1

    Publication date: 2008-02-07

    Application number: US11462312

    Filing date: 2006-08-03

    IPC classification: H04L12/56

    Abstract: A method for intercepting communication of a client to a destination on a virtual private network includes an agent executing on the client that intercepts a network communication of the client. The agent provides a virtual private network connection from a first network to a second network. The decision to intercept is based on a network destination description or an identification of an application authorized to be accessed via the virtual private network. In one case, the agent determines that a destination specified by the intercepted communication corresponds to a network identifier and a port of a network destination description of an application on the second network authorized for access via the virtual private network. In response to this determination, the agent transmits the intercepted communication.


4. Systems and methods of fine grained interception of network communications on a virtual private network
    Granted patent (in force)

    Publication number: US07843912B2

    Publication date: 2010-11-30

    Application number: US11462312

    Filing date: 2006-08-03

    IPC classification: H04L12/28

    Abstract: A method for intercepting communication of a client to a destination on a virtual private network includes an agent executing on the client that intercepts a network communication of the client. The agent provides a virtual private network connection from a first network to a second network. The decision to intercept is based on a network destination description or an identification of an application authorized to be accessed via the virtual private network. In one case, the agent determines that a destination specified by the intercepted communication corresponds to a network identifier and a port of a network destination description of an application on the second network authorized for access via the virtual private network. In response to this determination, the agent transmits the intercepted communication.


5. Systems and methods for using a client agent to manage ICMP traffic in a virtual private network environment
    Granted patent (in force)

    Publication number: US07907621B2

    Publication date: 2011-03-15

    Application number: US11462253

    Filing date: 2006-08-03

    IPC classification: H04L12/28

    Abstract: Systems and methods are described for using a client agent executing on a client to send ICMP messages to an appliance connected via a virtual private network. Methods include: establishing, via a client agent executing on a client, a transport layer virtual private network connection with an appliance; intercepting, by the client agent at the network layer, an ICMP request originating from the client; and transmitting, by the client agent via a transport layer connection, the ICMP request to the appliance. Additional methods describe determining, by the appliance, that the address identified by the ICMP request corresponds to a second client, the second client also connected via a virtual private network to the remote machine; and transmitting, by the appliance to the second client via the virtual private network connection, the ICMP request. Corresponding systems are also described.


6. METHOD AND SYSTEM FOR AUTHORIZING A LEVEL OF ACCESS OF A CLIENT TO A VIRTUAL PRIVATE NETWORK CONNECTION, BASED ON A CLIENT-SIDE ATTRIBUTE
    Patent application (in force)

    Publication number: US20080046993A1

    Publication date: 2008-02-21

    Application number: US11465915

    Filing date: 2006-08-21

    IPC classification: G06F17/00

    Abstract: An appliance and method for authorizing a level of access of a client to a virtual private network connection, based on a client-side attribute, includes the step of establishing, by an appliance, a control connection with a client upon receiving a client request to establish a virtual private network connection with a network. The appliance transmits, via the control connection, a request to the client to evaluate at least one clause of a security string, the at least one clause including an expression associated with a client-side attribute. The client transmits, via the control connection, a response to the appliance comprising a result of evaluating the at least one clause by the client. The appliance assigns the client to an authorization group based on the result of evaluation of the at least one clause.


7. Systems and Methods for Application Based Interception of SSL/VPN Traffic
    Patent application (in force)

    Publication number: US20080034419A1

    Publication date: 2008-02-07

    Application number: US11462329

    Filing date: 2006-08-03

    IPC classification: G06F15/16

    Abstract: A method for allowing or denying, by an appliance, access to a resource by an application on a client via a virtual private network connection includes basing the decision to allow or deny access on identification of the application. The appliance intercepts a request from an application on a client on a first network to access, via a virtual private network connection, a resource on a second network. The appliance identifies the application and associates with the intercepted request an authorization policy based on the identity of the application. The appliance determines, using the authorization policy and the identity of the application, to either allow or deny access by the application to the resource.


9. Method and system for authorizing a level of access of a client to a virtual private network connection, based on a client-side attribute
    Granted patent (in force)

    Publication number: US08397287B2

    Publication date: 2013-03-12

    Application number: US11465915

    Filing date: 2006-08-21

    IPC classification: G06F17/00

    Abstract: An appliance and method for authorizing a level of access of a client to a virtual private network connection, based on a client-side attribute, includes the step of establishing, by an appliance, a control connection with a client upon receiving a client request to establish a virtual private network connection with a network. The appliance transmits, via the control connection, a request to the client to evaluate at least one clause of a security string, the at least one clause including an expression associated with a client-side attribute. The client transmits, via the control connection, a response to the appliance comprising a result of evaluating the at least one clause by the client. The appliance assigns the client to an authorization group based on the result of evaluation of the at least one clause.


10. SYSTEMS AND METHODS FOR USING A CLIENT AGENT TO MANAGE ICMP TRAFFIC IN A VIRTUAL PRIVATE NETWORK ENVIRONMENT
    Patent application (in force)

    Publication number: US20080031265A1

    Publication date: 2008-02-07

    Application number: US11462253

    Filing date: 2006-08-03

    IPC classification: H04L12/56

    Abstract: Systems and methods are described for using a client agent executing on a client to send ICMP messages to an appliance connected via a virtual private network. Methods include: establishing, via a client agent executing on a client, a transport layer virtual private network connection with an appliance; intercepting, by the client agent at the network layer, an ICMP request originating from the client; and transmitting, by the client agent via a transport layer connection, the ICMP request to the appliance. Additional methods describe determining, by the appliance, that the address identified by the ICMP request corresponds to a second client, the second client also connected via a virtual private network to the remote machine; and transmitting, by the appliance to the second client via the virtual private network connection, the ICMP request. Corresponding systems are also described.
