公开(公告)号：US10270740B2

公开(公告)日：2019-04-23

申请号：US14175616

申请日：2014-02-07

Applicant: Citrix Systems, Inc.

Inventor： Puneet Agarwal ,  Srinivasan Thirunarayanan ,  Vamsi Korrapatti ,  Prakash Khemani ,  Rajiv Mirani ,  Anoop Reddy

IPC: H04L29/06 ,  H04L29/08

Abstract: The present disclosure provides solutions for an enterprise providing services to a variety of clients to enable the client to use the resources provided by the enterprise by modifying URLs received and the URLs from the responses from the servers to the client's requests before forwarding the requests and the responses to the intended destinations. An intermediary may identify an access profile for a clients' request to access a server via a clientless SSL VPN session. The intermediary may detect one or more URLs in content served by the server in response to the request using one or more regular expressions of the access profile. The intermediary may rewrite or modify, responsive to detecting, the one or more detected URLs in accordance with a URL transformation specified by one or more rewrite policies of the access profile. The response with modified URLs may be forwarded to the client.

公开(公告)号：US09059966B2

公开(公告)日：2015-06-16

申请号：US14306354

申请日：2014-06-17

Applicant: Citrix Systems, Inc.

Inventor： Puneet Agarwal ,  Saibal Kumar Adhya ,  Srinivasan Thirunarayanan ,  James Harris

IPC: H04L29/06 ,  H04L29/08

CPC classification number: H04L63/0227 ,  H04L63/0272 ,  H04L63/0281 ,  H04L63/166 ,  H04L63/20 ,  H04L67/02 ,  H04L67/28 ,  H04L67/2842

Abstract: The present application enables the enterprise to configure various policies to address various subsets of the traffic based on various information relating the client, the server, or the details and nature of the interactions between the client and the server. An intermediary deployed between clients and servers may establish an SSL VPN session between a client and a server. The intermediary may receiving a response from a server to a request of a client via the clientless SSL VPN session. The response may comprise one or more cookies. The intermediary may identify an access profile for the clientless SSL VPN session. The access profile may identify one or more policies for proxying cookies. The intermediary may determine, responsive to the one or more policies of the access profile, whether to proxy or bypass proxying for the client the one or more cookies.

Abstract translation: 本应用使得企业能够基于与客户端，服务器或客户端与服务器之间的交互的细节和性质相关的各种信息来配置各种策略来处理流量的各种子集。 部署在客户端和服务器之间的中介可以在客户端和服务器之间建立SSL VPN会话。 中间人可以通过无客户端SSL VPN会话从服务器接收到客户端的请求的响应。 响应可以包括一个或多个cookie。 中介可以识别无客户端SSL VPN会话的访问配置文件。 访问配置文件可以标识用于代理Cookie的一个或多个策略。 中介可以响应于访问简档的一个或多个策略来确定是否为客户端代理或绕过代理一个或多个cookie。

公开(公告)号：US08966603B2

公开(公告)日：2015-02-24

申请号：US13902612

申请日：2013-05-24

Applicant: Citrix Systems, Inc.

Inventor： Puneet Agarwal ,  Dileep Reddem ,  Anil Kumar Gavini

IPC: H04L29/06

CPC classification number: H04L63/0815 ,  H04L63/0281 ,  H04L63/0884

Abstract: The present invention is directed towards systems and methods for form-based single sign-on by a user desiring access to one or more protected resources, e.g., protected web pages, protected web-served applications, etc. In various embodiments, a single sign-on (SSO) module is in operation on an intermediary device, which is disposed in a network to manage internet traffic between a plurality of clients and a plurality of servers. The intermediary device can identify an authentication response from a server and forward the authentication response to the SSO module. The SSO module can complete a login form in the authentication response with a client's authentication data, return the completed login form to the server and forward cookies associated with the authentication response to the client. In various embodiments, multiple login forms can be completed, transparently to the client, by the SSO module on a client's behalf and reduce time expended by a client in obtaining access to protected resources.

Abstract translation: 本发明涉及用于期望访问一个或多个受保护资源（例如受保护的网页，受保护的web服务应用程序等）的用户的基于表单的单一登录的系统和方法。在各种实施例中，单个符号 -on（SSO）模块在中间设备上运行，该中间设备被布置在网络中以管理多个客户端与多个服务器之间的互联网业务。 中间设备可以识别来自服务器的认证响应，并将认证响应转发给SSO模块。 SSO模块可以使用客户端的认证数据在认证响应中完成登录表单，将完成的登录表单返回到服务器，并将与认证响应相关联的cookie转发给客户端。 在各种实施例中，代表客户端的SSO模块可以透明地向客户端完成多个登录表单，并且减少客户端获得对受保护资源的访问所花费的时间。

公开(公告)号：US20140298410A1

公开(公告)日：2014-10-02

申请号：US14306354

申请日：2014-06-17

Applicant: Citrix Systems, Inc.

Inventor： Puneet Agarwal ,  Saibal Kumar Adhya ,  Srinivasan Thirunarayanan ,  James Harris

IPC: H04L29/06

CPC classification number: H04L63/0227 ,  H04L63/0272 ,  H04L63/0281 ,  H04L63/166 ,  H04L63/20 ,  H04L67/02 ,  H04L67/28 ,  H04L67/2842

Abstract: The present application enables the enterprise to configure various policies to address various subsets of the traffic based on various information relating the client, the server, or the details and nature of the interactions between the client and the server. An intermediary deployed between clients and servers may establish an SSL VPN session between a client and a server. The intermediary may receiving a response from a server to a request of a client via the clientless SSL VPN session. The response may comprise one or more cookies. The intermediary may identify an access profile for the clientless SSL VPN session. The access profile may identify one or more policies for proxying cookies. The intermediary may determine, responsive to the one or more policies of the access profile, whether to proxy or bypass proxying for the client the one or more cookies.

Abstract translation: 本应用使得企业能够基于与客户端，服务器或客户端与服务器之间的交互的细节和性质相关的各种信息来配置各种策略来处理流量的各种子集。 部署在客户端和服务器之间的中介可以在客户端和服务器之间建立SSL VPN会话。 中间人可以通过无客户端SSL VPN会话从服务器接收到客户端的请求的响应。 响应可以包括一个或多个cookie。 中介可以识别无客户端SSL VPN会话的访问配置文件。 访问配置文件可以标识用于代理Cookie的一个或多个策略。 中介可以响应于访问简档的一个或多个策略来确定是否为客户端代理或绕过代理一个或多个cookie。

公开(公告)号：US09009813B2

公开(公告)日：2015-04-14

申请号：US14172385

申请日：2014-02-04

Applicant: Citrix Systems, Inc.

Inventor： Puneet Agarwal ,  Ravindra Nath Thakur ,  Anil Kumar Gavini

IPC: G06F9/00 ,  G06F15/16 ,  G06F17/00 ,  H04L29/06

CPC classification number: H04L63/0272 ,  H04L63/0227 ,  H04L63/105 ,  H04L63/1441 ,  H04L63/166

Abstract: The present disclosure presents methods, systems and intermediaries which determine an encoding scheme of a uniform resource location (URL) from a plurality of encoding schemes for a clientless secure socket layer virtual private network (SSL VPN) via a proxy. An intermediary may receive a response from a server comprising a URL. The response from the server may be directed to a client via a SSL VPN session and via the intermediary. The intermediary may determine, responsive to an encoding policy, one of a transparent, opaque or encrypted encoding scheme for encoding the URL. The intermediary may rewrite the URL for transmission to the client in accordance with the determined encoding scheme.

Abstract translation: 本公开提供了通过代理从无客户端安全套接字层虚拟专用网（SSL VPN）的多个编码方案中确定统一资源位置（URL）的编码方案的方法，系统和中介​​。 中介可以从包含URL的服务器接收响应。 来自服务器的响应可以经由SSL VPN会话并且经由中介向客户端发送。 中介可以响应于编码策略来确定用于对URL进行编码的透明，不透明或加密的编码方案之一。 中介可以根据所确定的编码方案重写用于传送给客户端的URL。

公开(公告)号：US09264429B2

公开(公告)日：2016-02-16

申请号：US14462204

申请日：2014-08-18

Applicant: Citrix Systems, Inc.

Inventor： James Harris ,  Rui Li ,  Arkesh Kumar ,  Ravindranath Thakur ,  Puneet Agarwal ,  Akshat Choudhary ,  Punit Gupta

IPC: H04L29/06 ,  G06F21/31 ,  G06F21/53 ,  G06F9/455 ,  H04L29/08

CPC classification number: H04L63/0876 ,  G06F21/31 ,  G06F21/53 ,  G06F2009/4557 ,  H04L63/08 ,  H04L63/0884 ,  H04L63/10 ,  H04L63/105 ,  H04L63/166 ,  H04L63/20 ,  H04L67/2814

Abstract: The present invention provides a system and method of managing traffic traversing an intermediary based on a result of end point auditing. An authentication virtual server of an intermediary may determine a result of an end point analysis scan of a client. Responsive to the determination, the traffic management virtual server can obtain the result from the authentication virtual server. Further, the traffic management virtual server may apply the result in one or more traffic management policies to manage network traffic of a connection of the client traversing the intermediary. In some embodiments, the authentication virtual server may receive one or more expressions evaluated by the client. The one or more expressions identifies one or more attributes of the client. The traffic management virtual server can also determine a type of compression or encryption for the connection based on applying the one or more traffic management policies using the result.

Abstract translation: 本发明提供了一种基于终端审计结果来管理遍历中间人的流量的系统和方法。 中介的认证虚拟服务器可以确定客户端的终点分析扫描的结果。 响应确定，流量管理虚拟服务器可以从认证虚拟服务器获取结果。 此外，流量管理虚拟服务器可以将结果应用于一个或多个流量管理策略中，以管理遍历中间件的客户端的连接的网络流量。 在一些实施例中，认证虚拟服务器可以接收由客户端评估的一个或多个表达式。 一个或多个表达式标识客户端的一个或多个属性。 流量管理虚拟服务器还可以基于使用结果应用一个或多个流量管理策略来确定连接的压缩或加密的类型。

公开(公告)号：US20150074751A1

公开(公告)日：2015-03-12

申请号：US14539681

申请日：2014-11-12

Applicant: Citrix Systems, Inc.

Inventor： Puneet Agarwal ,  Srinivasan Thirunarayanan ,  Saibal Kumar Adhya ,  Akshat Choudhary

IPC: H04L29/06 ,  H04L29/08

CPC classification number: H04L63/0272 ,  H04L29/08846 ,  H04L63/0281 ,  H04L63/105 ,  H04L63/166 ,  H04L63/20 ,  H04L67/02 ,  H04L67/14 ,  H04L67/2814

Abstract: The present disclosure provides solutions that may enable an enterprise providing services to a number of clients to determine whether to establish a client based SSL VPN session or a clientless SSL VPN session with a client based on an information associated with the client. An intermediary establishing SSL VPN sessions between clients and servers may receive a request from a client to access a server. The intermediary may identify a session policy based on the request. The session policy may indicate whether to establish a client based SSL VPN session or clientless SSL VPN session with the server. The intermediary may determine, responsive to the policy, to establish a clientless or client based SSL VPN session between the client and the server.

公开(公告)号：US20130263241A1

公开(公告)日：2013-10-03

申请号：US13902612

申请日：2013-05-24

Applicant: Citrix Systems, Inc.

Inventor： Puneet Agarwal ,  Dileep Reddem ,  Anil Kumar Gavini

IPC: H04L29/06

CPC classification number: H04L63/0815 ,  H04L63/0281 ,  H04L63/0884

Abstract: The present invention is directed towards systems and methods for form-based single sign-on by a user desiring access to one or more protected resources, e.g., protected web pages, protected web-served applications, etc. In various embodiments, a single sign-on (SSO) module is in operation on an intermediary device, which is disposed in a network to manage internet traffic between a plurality of clients and a plurality of servers. The intermediary device can identify an authentication response from a server and forward the authentication response to the SSO module. The SSO module can complete a login form in the authentication response with a client's authentication data, return the completed login form to the server and forward cookies associated with the authentication response to the client. In various embodiments, multiple login forms can be completed, transparently to the client, by the SSO module on a client's behalf and reduce time expended by a client in obtaining access to protected resources.

Abstract translation: 本发明涉及用于期望访问一个或多个受保护资源（例如受保护的网页，受保护的web服务应用程序等）的用户的基于表单的单一登录的系统和方法。在各种实施例中，单个符号 -on（SSO）模块在中间设备上运行，该中间设备被布置在网络中以管理多个客户端与多个服务器之间的互联网业务。 中间设备可以识别来自服务器的认证响应，并将认证响应转发给SSO模块。 SSO模块可以使用客户端的认证数据在认证响应中完成登录表单，将完成的登录表单返回到服务器，并将与认证响应相关联的cookie转发给客户端。 在各种实施例中，代表客户端的SSO模块可以透明地向客户端完成多个登录表单，并且减少客户端获得对受保护资源的访问所花费的时间。

公开(公告)号：US20140359728A1

公开(公告)日：2014-12-04

申请号：US14462204

申请日：2014-08-18

Applicant: Citrix Systems, Inc.

Inventor： James Harris ,  Raymond Li ,  Ravindranath Thakur ,  Puneet Agarwal ,  Punit Gupta

IPC: H04L29/06

CPC classification number: H04L63/0876 ,  G06F21/31 ,  G06F21/53 ,  G06F2009/4557 ,  H04L63/08 ,  H04L63/0884 ,  H04L63/10 ,  H04L63/105 ,  H04L63/166 ,  H04L63/20 ,  H04L67/2814

Abstract: The present invention provides a system and method of managing traffic traversing an intermediary based on a result of end point auditing. An authentication virtual server of an intermediary may determine a result of an end point analysis scan of a client. Responsive to the determination, the traffic management virtual server can obtain the result from the authentication virtual server. Further, the traffic management virtual server may apply the result in one or more traffic management policies to manage network traffic of a connection of the client traversing the intermediary. In some embodiments, the authentication virtual server may receive one or more expressions evaluated by the client. The one or more expressions identifies one or more attributes of the client. The traffic management virtual server can also determine a type of compression or encryption for the connection based on applying the one or more traffic management policies using the result.

Abstract translation: 本发明提供了一种基于终端审计结果来管理遍历中间人的流量的系统和方法。 中介的认证虚拟服务器可以确定客户端的终点分析扫描的结果。 响应确定，流量管理虚拟服务器可以从认证虚拟服务器获取结果。 此外，流量管理虚拟服务器可以将结果应用于一个或多个流量管理策略中，以管理遍历中间件的客户端的连接的网络流量。 在一些实施例中，认证虚拟服务器可以接收由客户端评估的一个或多个表达式。 一个或多个表达式标识客户端的一个或多个属性。 流量管理虚拟服务器还可以基于使用结果应用一个或多个流量管理策略来确定连接的压缩或加密的类型。

公开(公告)号：US20140157361A1

公开(公告)日：2014-06-05

申请号：US14175616

申请日：2014-02-07

Applicant: CITRIX SYSTEMS, INC.

Inventor： Puneet Agarwal ,  Srinivasan Thirunarayanan ,  Vamsi Korrapatti ,  Prakash Khemani ,  Rajiv Mirani ,  Anoop Reddy

IPC: H04L29/06

CPC classification number: H04L63/0272 ,  H04L29/08846 ,  H04L63/0281 ,  H04L63/105 ,  H04L63/166 ,  H04L63/20 ,  H04L67/02 ,  H04L67/14 ,  H04L67/2814

Abstract: The present disclosure provides solutions for an enterprise providing services to a variety of clients to enable the client to use the resources provided by the enterprise by modifying URLs received and the URLs from the responses from the servers to the client's requests before forwarding the requests and the responses to the intended destinations. An intermediary may identify an access profile for a clients' request to access a server via a clientless SSL VPN session. The intermediary may detect one or more URLs in content served by the server in response to the request using one or more regular expressions of the access profile. The intermediary may rewrite or modify, responsive to detecting, the one or more detected URLs in accordance with a URL transformation specified by one or more rewrite policies of the access profile. The response with modified URLs may be forwarded to the client.

Abstract translation: 本公开提供了向各种客户端提供服务的企业的解决方案，以使得客户端能够在转发请求之前通过修改所接收的URL和从服务器的响应到客户端的请求来使用企业提供的资源，并且 对预期目的地的回应。 中介可以识别客户端通过无客户端SSL VPN会话访问服务器的请求的访问配置文件。 响应于使用访问简档的一个或多个正则表达式的请求，中介可以检测服务器所服务的内容中的一个或多个URL。 根据由访问简档的一个或多个重写策略指定的URL变换，中介可以响应于检测到一个或多个检测到的URL来重写或修改。 具有修改的URL的响应可以转发给客户端。