公开(公告)号：US08904475B2

公开(公告)日：2014-12-02

申请号：US13760898

申请日：2013-02-06

Applicant: Citrix Systems, Inc.

Inventor： Amarnath Mullick ,  Charu Venkatraman ,  Shashi Nanjundaswamy ,  Junxiao He ,  Ajay Soni

IPC: G06F17/00 ,  G06F7/04 ,  H04L29/06

CPC classification number: H04L63/20 ,  H04L63/0272 ,  H04L63/102 ,  H04L63/105

Abstract: An appliance and method for authorizing a level of access of a client to a virtual private network connection, based on a client-side attribute includes the step of establishing, by an appliance, a control connection with a client upon receiving a client request to establish a virtual private network connection with a network. The appliance transmits, via the control connection, a request to the client to evaluate at least one clause of a security string, the at least one clause including an expression associated with a client-side attribute. The client transmits, via the control connection, a response to the appliance comprising a result of evaluating the at least one clause by the client. The appliance assigns the client to an authorization group based on the result of evaluation of the at least one clause.

Abstract translation: 基于客户端属性来授权客户端访问虚拟专用网络连接的级别的设备和方法包括以下步骤：当设备在接收到建立客户端请求时建立与客户端的控制连接 与网络的虚拟专用网络连接。 该设备经由控制连接向客户端发送请求以评估安全字符串的至少一个子句，所述至少一个子句包括与客户端属性相关联的表达式。 客户端经由控制连接发送对设备的响应，包括由客户端评估至少一个子句的结果。 该设备基于至少一个子句的评估结果将客户端分配给授权组。

公开(公告)号：US20140344891A1

公开(公告)日：2014-11-20

申请号：US14448298

申请日：2014-07-31

Applicant: Citrix Systems, Inc.

Inventor： Amarnath Mullick ,  Charu Venkatraman ,  Shashi Nanjundaswamy ,  Junxiao He ,  Ajay Soni ,  Nicholas Stavrakos ,  Chris Koopmans

IPC: H04L29/06

CPC classification number: H04L63/0272 ,  G06F17/00 ,  H04L63/102 ,  H04L63/105 ,  H04L63/20

Abstract: An appliance and method for authorizing a level of access of a client to a virtual private network connection, based on a client-side attribute includes the step of establishing, by an appliance, a control connection with a client upon receiving a client request to establish a virtual private network connection with a network. The appliance transmits, via the control connection, a request to the client to evaluate at least one clause of a security string, the at least one clause including an expression associated with a client-side attribute. The client transmits, via the control connection, a response to the appliance comprising a result of evaluating the at least one clause by the client. The appliance assigns the client to an authorization group based on the result of evaluation of the at least one clause.

Abstract translation: 基于客户端属性来授权客户端访问虚拟专用网络连接的级别的设备和方法包括以下步骤：当设备在接收到建立客户端请求时建立与客户端的控制连接 与网络的虚拟专用网络连接。 该设备经由控制连接向客户端发送请求以评估安全字符串的至少一个子句，所述至少一个子句包括与客户端属性相关联的表达式。 客户端经由控制连接发送对设备的响应，包括由客户端评估至少一个子句的结果。 该设备基于至少一个子句的评估结果将客户端分配给授权组。

公开(公告)号：US08819809B2

公开(公告)日：2014-08-26

申请号：US13850848

申请日：2013-03-26

Applicant: Citrix Systems, Inc.

Inventor： Amarnath Mullick ,  Shashi Nanjundaswamy ,  Ajay Soni

IPC: H04L29/00

CPC classification number: H04L63/0823 ,  H04L63/0272 ,  H04L63/10 ,  H04L67/1002 ,  H04L67/1008 ,  H04L67/1012 ,  H04L67/1029

Abstract: In a method and appliance for authenticating, by an appliance, a client to access a virtual network connection, based on an attribute of a client-side certificate, a client authentication certificate is requested from a client. A value of at least one field in the client authentication certificate received from the client is identified. One of a plurality of types of access is assigned responsive to an application of a policy to the identified value of the at least one field, each of the plurality of access types associated with at least one connection characteristic.

Abstract translation: 在用于通过设备认证客户端以访问虚拟网络连接的方法和设备中，基于客户端证书的属性，从客户端请求客户端认证证书。 识别从客户端接收的客户端认证证书中至少一个字段的值。 响应于对至少一个字段的标识值的策略的应用来分配多种类型的访问中的一种，所述多个访问类型中的每一个与至少一个连接特征相关联。

公开(公告)号：US09497198B2

公开(公告)日：2016-11-15

申请号：US14498816

申请日：2014-09-26

Applicant: Citrix Systems, Inc.

Inventor： Amarnath Mullick ,  Charu Venkatraman ,  Junxiao He ,  Shashi Nanjundaswamy ,  James Harris ,  Ajay Soni

IPC: G06F15/16 ,  H04L29/06

CPC classification number: H04L63/10 ,  H04L63/0272 ,  H04L63/0876 ,  H04L63/102 ,  H04L63/20

Abstract: A method for allowing or denying, by an appliance, access to a resource by an application on a client via a virtual private network connection includes basing the decision to allow or deny access on identification of the application. The appliance intercepts a request from an application on a client on a first network to access via a virtual private network connection a resource on a second network. The appliance identifies the application and associates with the intercepted request an authorization policy based on the identity of the application. The appliance determines, using the authorization policy and the identity of the application, to either allow or deny access by the application to the resource.

Abstract translation: 允许或拒绝由设备通过虚拟专用网络连接在客户端上的应用访问资源的方法包括基于允许或拒绝对应用标识的访问的决定。 设备拦截来自第一网络上的客户端上的应用的请求，以经由虚拟专用网络连接在第二网络上访问资源。 设备识别应用程序，并根据应用程序的身份将截获的请求与授权策略相关联。 设备使用授权策略和应用程序的身份来确定应用程序是否允许或拒绝资源访问。

公开(公告)号：US20150020220A1

公开(公告)日：2015-01-15

申请号：US14498816

申请日：2014-09-26

Applicant: CITRIX SYSTEMS, INC.

Inventor： Amarnath Mullick ,  Charu Venkatraman ,  Junxiao He ,  Shashi Nanjundaswamy ,  James Harris ,  Ajay Soni

IPC: H04L29/06

CPC classification number: H04L63/10 ,  H04L63/0272 ,  H04L63/0876 ,  H04L63/102 ,  H04L63/20

Abstract: A method for allowing or denying, by an appliance, access to a resource by an application on a client via a virtual private network connection includes basing the decision to allow or deny access on identification of the application. The appliance intercepts a request from an application on a client on a first network to access via a virtual private network connection a resource on a second network. The appliance identifies the application and associates with the intercepted request an authorization policy based on the identity of the application. The appliance determines, using the authorization policy and the identity of the application, to either allow or deny access by the application to the resource.

Abstract translation: 用于通过设备允许或拒绝由客户端上的应用程序通过虚拟专用网络连接访问资源的方法包括基于允许或拒绝对应用的标识的访问的决定。 设备拦截来自第一网络上的客户端上的应用的请求，以经由虚拟专用网络连接在第二网络上访问资源。 设备识别应用程序，并根据应用程序的身份将截获的请求与授权策略相关联。 设备使用授权策略和应用程序的身份来确定应用程序是否允许或拒绝资源访问。

公开(公告)号：US09407608B2

公开(公告)日：2016-08-02

申请号：US14448298

申请日：2014-07-31

Applicant: Citrix Systems, Inc.

Inventor： Amarnath Mullick ,  Charu Venkatraman ,  Shashi Nanjundaswamy ,  Junxiao He ,  Ajay Soni ,  Nicholas Stavrakos ,  Chris Koopmans

IPC: G06F17/00 ,  H04L29/06

CPC classification number: H04L63/0272 ,  G06F17/00 ,  H04L63/102 ,  H04L63/105 ,  H04L63/20

Abstract: An appliance and method for authorizing a level of access of a client to a virtual private network connection, based on a client-side attribute includes the step of establishing, by an appliance, a control connection with a client upon receiving a client request to establish a virtual private network connection with a network. The appliance transmits, via the control connection, a request to the client to evaluate at least one clause of a security string, the at least one clause including an expression associated with a client-side attribute. The client transmits, via the control connection, a response to the appliance comprising a result of evaluating the at least one clause by the client. The appliance assigns the client to an authorization group based on the result of evaluation of the at least one clause.

Abstract translation: 基于客户端属性来授权客户端访问虚拟专用网络连接的级别的设备和方法包括以下步骤：当设备在接收到建立客户端请求时建立与客户端的控制连接 与网络的虚拟专用网络连接。 该设备经由控制连接向客户端发送请求以评估安全字符串的至少一个子句，所述至少一个子句包括与客户端属性相关联的表达式。 客户端经由控制连接发送对设备的响应，包括由客户端评估至少一个子句的结果。 该设备基于至少一个子句的评估结果将客户端分配给授权组。

公开(公告)号：US09294439B2

公开(公告)日：2016-03-22

申请号：US13943662

申请日：2013-07-16

Applicant: Citrix Systems, Inc.

Inventor： Charu Venkatraman ,  Junxiao He ,  Amarnath Mullick ,  Shashi Nanjundaswamy ,  James Harris ,  Ajay Soni

IPC: H04L29/00 ,  H04L29/06

CPC classification number: H04L63/0227 ,  H04L63/0272 ,  H04L63/0876 ,  H04L63/102

Abstract: A method for intercepting, by an agent of a client, communications from the client to be transmitted via a virtual private network connection includes the step of intercepting communications based on identification of an application from which the communication originates. The agent receives information identifying a first application. The agent determines a network communication transmitted by the client originates from the first application and intercepts that communication. The agent transmits the intercepted communication via the virtual private network connection.

Abstract translation: 用于由客户的代理拦截要通过虚拟专用网络连接发送的通信的方法包括基于来自该通信的应用的识别来拦截通信的步骤。 代理接收标识第一应用的信息。 代理确定由客户端发送的网络通信源自第一应用，并拦截该通信。 该代理通过虚拟专用网络连接发送被拦截的通信。

公开(公告)号：US20130304881A1

公开(公告)日：2013-11-14

申请号：US13943662

申请日：2013-07-16

Applicant: Citrix Systems, Inc.

Inventor： Charu Venkatraman ,  Junxiao He ,  Amarnath Mullick ,  Shashi Nanjundaswamy ,  James Harris ,  Ajay Soni

IPC: H04L29/06

CPC classification number: H04L63/0227 ,  H04L63/0272 ,  H04L63/0876 ,  H04L63/102

Abstract: A method for intercepting, by an agent of a client, communications from the client to be transmitted via a virtual private network connection includes the step of intercepting communications based on identification of an application from which the communication originates. The agent receives information identifying a first application. The agent determines a network communication transmitted by the client originates from the first application and intercepts that communication. The agent transmits the intercepted communication via the virtual private network connection.

Abstract translation: 用于由客户的代理拦截要通过虚拟专用网络连接发送的通信的方法包括基于来自该通信的应用的识别来拦截通信的步骤。 代理接收标识第一应用的信息。 代理确定由客户端发送的网络通信源自第一应用，并拦截该通信。 该代理通过虚拟专用网络连接发送被拦截的通信。

公开(公告)号：US20130212667A1

公开(公告)日：2013-08-15

申请号：US13850848

申请日：2013-03-26

Applicant: Citrix Systems, Inc.

Inventor： Amarnath Mullick ,  Shashi Nanjundaswamy ,  Ajay Soni

IPC: H04L29/06

CPC classification number: H04L63/0823 ,  H04L63/0272 ,  H04L63/10 ,  H04L67/1002 ,  H04L67/1008 ,  H04L67/1012 ,  H04L67/1029

Abstract: In a method and appliance for authenticating, by an appliance, a client to access a virtual network connection, based on an attribute of a client-side certificate, a client authentication certificate is requested from a client. A value of at least one field in the client authentication certificate received from the client is identified. One of a plurality of types of access is assigned responsive to an application of a policy to the identified value of the at least one field, each of the plurality of access types associated with at least one connection characteristic.

Abstract translation: 在用于通过设备认证客户端以访问虚拟网络连接的方法和设备中，基于客户端证书的属性，从客户端请求客户端认证证书。 识别从客户端接收的客户端认证证书中至少一个字段的值。 响应于对至少一个字段的标识值的策略的应用来分配多种类型的访问中的一种，所述多个访问类型中的每一个与至少一个连接特征相关联。