公开(公告)号：US08271661B2

公开(公告)日：2012-09-18

申请号：US12823643

申请日：2010-06-25

申请人： James Harris ,  Arkesh Kumar ,  Charu Venkatraman ,  Ajay Soni ,  Junxiao He

发明人： James Harris ,  Arkesh Kumar ,  Charu Venkatraman ,  Ajay Soni ,  Junxiao He

IPC分类号： G06F15/16

CPC分类号： H04L12/4641 ,  H04L63/0272 ,  H04L63/166 ,  H04L69/16 ,  H04L69/161 ,  H04L69/163 ,  H04L69/164

摘要： The present invention is related to a method for establishing via an appliance a transport layer protocol connection initiated by a server on a first network to a client connected from a second network to the first network via a secure socket layer virtual private network (SSL VPN) connection. The method includes the step of receiving, by an appliance, a transport layer connection request from a server on a first network to connect to a client connected to the first network via a SSL VPN connection from a second network. The transport layer connection request identifies a client destination internet protocol address and a client destination port on the first network. The method includes establishing, by the appliance, a first transport layer connection to the server on the first network, determining, by the appliance, the client on the second network associated with the client destination internet protocol address on the first network, and transmitting, by the appliance, connection information identifying the client destination port to an agent on the client. The agent establishes a second transport layer connection to the client destination port using a local internet protocol address of the client on the second network and establishes a third transport layer connection to the appliance, which it associates with the second transport layer connection.

摘要翻译： 本发明涉及一种用于经由设备建立由第一网络上的服务器发起的传输层协议连接到通过安全套接层虚拟专用网（SSL VPN）从第二网络连接到第一网络的客户端的方法， 连接。 该方法包括以下步骤：通过设备从第一网络的服务器接收传输层连接请求，以经由来自第二网络的SSL VPN连接连接到连接到第一网络的客户端。 传输层连接请求标识第一网络上的客户端目标网络协议地址和客户端目的端口。 该方法包括由设备建立与第一网络上的服务器的第一传输层连接，由设备确定与第一网络上的客户端目的地网际协议地址相关联的第二网络上的客户端， 由设备将连接信息标识到客户机上的代理的客户端目的地端口。 代理使用第二网络上的客户端的本地互联网协议地址建立与客户端目的地端口的第二传输层连接，并建立与设备相关联的第三传输层连接，其与第二传输层连接相关联。

公开(公告)号：US20100281162A1

公开(公告)日：2010-11-04

申请号：US12823643

申请日：2010-06-25

申请人： Charu Venkatraman ,  Junxiao He ,  Ajay Soni ,  James Harris ,  Arkesh Kumar

发明人： Charu Venkatraman ,  Junxiao He ,  Ajay Soni ,  James Harris ,  Arkesh Kumar

IPC分类号： G06F15/16 ,  G06F15/173

CPC分类号： H04L12/4641 ,  H04L63/0272 ,  H04L63/166 ,  H04L69/16 ,  H04L69/161 ,  H04L69/163 ,  H04L69/164

摘要： The present invention is related to a method for establishing via an appliance a transport layer protocol connection initiated by a server on a first network to a client connected from a second network to the first network via a secure socket layer virtual private network (SSL VPN) connection. The method includes the step of receiving, by an appliance, a transport layer connection request from a server on a first network to connect to a client connected to the first network via a SSL VPN connection from a second network. The transport layer connection request identifies a client destination internet protocol address and a client destination port on the first network. The method includes establishing, by the appliance, a first transport layer connection to the server on the first network, determining, by the appliance, the client on the second network associated with the client destination internet protocol address on the first network, and transmitting, by the appliance, connection information identifying the client destination port to an agent on the client. The agent establishes a second transport layer connection to the client destination port using a local internet protocol address of the client on the second network and establishes a third transport layer connection to the appliance, which it associates with the second transport layer connection.

摘要翻译： 本发明涉及一种用于经由设备建立由第一网络上的服务器通过安全套接层虚拟专用网（SSL VPN）从第二网络连接到第一网络的客户端发起的传输层协议连接的方法， 连接。 该方法包括以下步骤：通过设备从第一网络的服务器接收传输层连接请求，以经由来自第二网络的SSL VPN连接连接到连接到第一网络的客户端。 传输层连接请求标识第一网络上的客户端目标网络协议地址和客户端目的端口。 该方法包括由设备建立与第一网络上的服务器的第一传输层连接，由设备确定与第一网络上的客户端目的地网际协议地址相关联的第二网络上的客户端， 由设备将连接信息标识到客户机上的代理的客户端目的地端口。 代理使用第二网络上的客户端的本地互联网协议地址建立与客户端目的地端口的第二传输层连接，并建立与设备相关联的第三传输层连接，其与第二传输层连接相关联。

公开(公告)号：US07769869B2

公开(公告)日：2010-08-03

申请号：US11465950

申请日：2006-08-21

申请人： Charu Venkatraman ,  Arkesh Kumar ,  James Harris ,  Ajay Soni ,  Junxiao He

发明人： Charu Venkatraman ,  Arkesh Kumar ,  James Harris ,  Ajay Soni ,  Junxiao He

IPC分类号： G06F15/16

CPC分类号： H04L12/4641 ,  H04L63/0272 ,  H04L63/166 ,  H04L69/16 ,  H04L69/161 ,  H04L69/163 ,  H04L69/164

摘要： The present invention is related to a method for establishing via an appliance a transport layer protocol connection initiated by a server on a first network to a client connected from a second network to the first network via a secure socket layer virtual private network (SSL VPN) connection. The method includes the step of receiving, by an appliance, a transport layer connection request from a server on a first network to connect to a client connected to the first network via a SSL VPN connection from a second network. The transport layer connection request identifies a client destination internet protocol address and a client destination port on the first network. The method includes establishing, by the appliance, a first transport layer connection to the server on the first network, determining, by the appliance, the client on the second network associated with the client destination internet protocol address on the first network, and transmitting, by the appliance, connection information identifying the client destination port to an agent on the client. The agent establishes a second transport layer connection to the client destination port using a local internet protocol address of the client on the second network and establishes a third transport layer connection to the appliance, which it associates with the second transport layer connection.

摘要翻译： 本发明涉及一种用于经由设备建立由第一网络上的服务器通过安全套接层虚拟专用网（SSL VPN）从第二网络连接到第一网络的客户端发起的传输层协议连接的方法， 连接。 该方法包括以下步骤：通过设备从第一网络的服务器接收传输层连接请求，以经由来自第二网络的SSL VPN连接连接到连接到第一网络的客户端。 传输层连接请求标识第一网络上的客户端目标网络协议地址和客户端目的端口。 该方法包括由设备建立与第一网络上的服务器的第一传输层连接，由设备确定与第一网络上的客户端目的地网际协议地址相关联的第二网络上的客户端， 由设备将连接信息标识到客户机上的代理的客户端目的地端口。 代理使用第二网络上的客户端的本地互联网协议地址建立与客户端目的地端口的第二传输层连接，并建立与设备相关联的第三传输层连接，其与第二传输层连接相关联。

公开(公告)号：US20080043760A1

公开(公告)日：2008-02-21

申请号：US11465950

申请日：2006-08-21

申请人： Charu Venkatraman ,  Junxiao He ,  Ajay Soni ,  James Harris ,  Arkesh Kumar

发明人： Charu Venkatraman ,  Junxiao He ,  Ajay Soni ,  James Harris ,  Arkesh Kumar

IPC分类号： H04L12/56

CPC分类号： H04L12/4641 ,  H04L63/0272 ,  H04L63/166 ,  H04L69/16 ,  H04L69/161 ,  H04L69/163 ,  H04L69/164

摘要： The present invention is related to a method for establishing via an appliance a transport layer protocol connection initiated by a server on a first network to a client connected from a second network to the first network via a secure socket layer virtual private network (SSL VPN) connection. The method includes the step of receiving, by an appliance, a transport layer connection request from a server on a first network to connect to a client connected to the first network via a SSL VPN connection from a second network. The transport layer connection request identifies a client destination internet protocol address and a client destination port on the first network. The method includes establishing, by the appliance, a first transport layer connection to the server on the first network, determining, by the appliance, the client on the second network associated with the client destination internet protocol address on the first network, and transmitting, by the appliance, connection information identifying the client destination port to an agent on the client. The agent establishes a second transport layer connection to the client destination port using a local internet protocol address of the client on the second network and establishes a third transport layer connection to the appliance, which it associates with the second transport layer connection.

摘要翻译： 本发明涉及一种用于经由设备建立由第一网络上的服务器通过安全套接层虚拟专用网（SSL VPN）从第二网络连接到第一网络的客户端发起的传输层协议连接的方法， 连接。 该方法包括以下步骤：通过设备从第一网络的服务器接收传输层连接请求，以经由来自第二网络的SSL VPN连接连接到连接到第一网络的客户端。 传输层连接请求标识第一网络上的客户端目标网络协议地址和客户端目的端口。 该方法包括由设备建立与第一网络上的服务器的第一传输层连接，由设备确定与第一网络上的客户端目的地网际协议地址相关联的第二网络上的客户端， 由设备将连接信息标识到客户机上的代理的客户端目的地端口。 代理使用第二网络上的客户端的本地互联网协议地址建立与客户端目的地端口的第二传输层连接，并建立与设备相关联的第三传输层连接，其与第二传输层连接相关联。

公开(公告)号：US20080046371A1

公开(公告)日：2008-02-21

申请号：US11465948

申请日：2006-08-21

申请人： Junxiao He ,  Charu Venkatraman ,  Arkesh Kumar ,  Ajay Soni

发明人： Junxiao He ,  Charu Venkatraman ,  Arkesh Kumar ,  Ajay Soni

IPC分类号： H04L9/00

CPC分类号： H04L67/34 ,  G06F8/65 ,  H04L63/0272 ,  H04L63/104 ,  H04L63/166

摘要： A method for automatically changing a version of a client agent for a non-administrative user account without rebooting the user's machine uses a service having installation privileges. The service executes on the client and installs a client agent. The client agent communicates with a network appliance. The client agent detects a difference between its version and a version of the client agent identified by the network appliance. The agent signals the service that it has detected the difference and, in response, the service executes an installation program that installs, without rebooting the client, the version of the client agent identified by the appliance. A corresponding system is also described.

摘要翻译： 用于自动更改非管理用户帐户的客户端代理的版本而不重新启动用户的计算机的方法将使用具有安装权限的服务。 服务在客户端上执行并安装客户端代理。 客户端代理与网络设备进行通信。 客户端代理检测其版本与由网络设备识别的客户端代理的版本之间的差异。 该代理向该服务发出信号，它检测到该差异，作为响应，该服务执行安装程序，而不重新启动客户机，该设备将由该设备识别的客户端代理的版本。 还描述了相应的系统。

公开(公告)号：US08769522B2

公开(公告)日：2014-07-01

申请号：US11465948

申请日：2006-08-21

申请人： Charu Venkatraman ,  Arkesh Kumar ,  Junxiao He ,  Ajay Soni

发明人： Charu Venkatraman ,  Arkesh Kumar ,  Junxiao He ,  Ajay Soni

IPC分类号： G06F9/44

CPC分类号： H04L67/34 ,  G06F8/65 ,  H04L63/0272 ,  H04L63/104 ,  H04L63/166

摘要： A method for automatically changing a version of a client agent for a non-administrative user account without rebooting the user's machine uses a service having installation privileges. The service executes on the client and installs a client agent. The client agent communicates with a network appliance. The client agent detects a difference between its version and a version of the client agent identified by the network appliance. The agent signals the service that it has detected the difference and, in response, the service executes an installation program that installs, without rebooting the client, the version of the client agent identified by the appliance. A corresponding system is also described.

摘要翻译： 用于自动更改非管理用户帐户的客户端代理的版本而不重新启动用户的计算机的方法将使用具有安装权限的服务。 服务在客户端上执行并安装客户端代理。 客户端代理与网络设备进行通信。 客户端代理检测其版本与由网络设备识别的客户端代理的版本之间的差异。 该代理向该服务发出信号，它检测到该差异，作为响应，该服务执行安装程序，而不重新启动客户机，该设备将由该设备识别的客户端代理的版本。 还描述了相应的系统。

公开(公告)号：US08869262B2

公开(公告)日：2014-10-21

申请号：US11462329

申请日：2006-08-03

申请人： Amarnath Mullick ,  Shashi Nanjundaswamy ,  Charu Venkatraman ,  Junxiao He ,  James Harris ,  Ajay Soni

发明人： Amarnath Mullick ,  Shashi Nanjundaswamy ,  Charu Venkatraman ,  Junxiao He ,  James Harris ,  Ajay Soni

IPC分类号： G06F15/16 ,  H04L29/06

CPC分类号： H04L63/10 ,  H04L63/0272 ,  H04L63/0876 ,  H04L63/102 ,  H04L63/20

摘要： A method for allowing or denying, by an appliance, access to a resource by an application on a client via a virtual private network connection includes basing the decision to allow or deny access on identification of the application. The appliance intercepts a request from an application on a client on a first network to access via a virtual private network connection a resource on a second network. The appliance identifies the application and associates with the intercepted request an authorization policy based on the identity of the application. The appliance determines, using the authorization policy and the identity of the application, to either allow or deny access by the application to the resource.

摘要翻译： 允许或拒绝由设备通过虚拟专用网络连接在客户端上的应用访问资源的方法包括基于允许或拒绝对应用标识的访问的决定。 设备拦截来自第一网络上的客户端上的应用的请求，以经由虚拟专用网络连接在第二网络上访问资源。 设备识别应用程序，并根据应用程序的身份将截获的请求与授权策略相关联。 设备使用授权策略和应用程序的身份来确定应用程序是否允许或拒绝资源访问。

公开(公告)号：US20080031235A1

公开(公告)日：2008-02-07

申请号：US11462312

申请日：2006-08-03

申请人： James Harris ,  Charu Venkatraman ,  Junxiao He ,  Amarnath Mullick ,  Shashi Nanjundaswamy ,  Ajay Soni

发明人： James Harris ,  Charu Venkatraman ,  Junxiao He ,  Amarnath Mullick ,  Shashi Nanjundaswamy ,  Ajay Soni

IPC分类号： H04L12/56

CPC分类号： H04L12/4679 ,  H04L63/0272 ,  H04L63/102 ,  H04L69/16 ,  H04L69/163

摘要： A method for intercepting communication of a client to a destination on a virtual private network includes an agent executing on the client that intercepts a network communication of the client. The agent provides a virtual private network connection from a first network to a second network. The decision to intercept is based on a network destination description or an identification of an application authorized to be accessed via the virtual private network. In one case, the agent determines that a destination specified by the intercepted communication corresponds to a network identifier and a port of a network destination description of an application on the second network authorized for access via the virtual private network. In response to this determination, the agent transmits the intercepted communication.

摘要翻译： 用于拦截客户端到虚拟专用网络上的目的地的通信的方法包括在客户端上执行的代理，其拦截客户端的网络通信。 代理提供从第一网络到第二网络的虚拟专用网络连接。 拦截的决定基于网络目的地描述或被授权经由虚拟专用网络访问的应用的标识。 在一种情况下，代理确定由截取的通信指定的目的地对应于被授权用于经由虚拟专用网访问的第二网络上的应用的网络标识符和网络目的地描述的端口。 响应于该确定，代理发送被拦截的通信。

公开(公告)号：US08495181B2

公开(公告)日：2013-07-23

申请号：US11462321

申请日：2006-08-03

申请人： Charu Venkatraman ,  Junxiao He ,  Amarnath Mullick ,  Shashi Nanjundaswamy ,  James Harris ,  Ajay Soni

发明人： Charu Venkatraman ,  Junxiao He ,  Amarnath Mullick ,  Shashi Nanjundaswamy ,  James Harris ,  Ajay Soni

IPC分类号： G06F15/16

CPC分类号： H04L63/0227 ,  H04L63/0272 ,  H04L63/0876 ,  H04L63/102

摘要： A method for intercepting, by an agent of a client, communications from the client to be transmitted via a virtual private network connection includes the step of intercepting communications based on identification of an application from which the communication originates. The agent receives information identifying a first application. The agent determines a network communication transmitted by the client originates from the first application and intercepts that communication. The agent transmits the intercepted communication via the virtual private network connection.

摘要翻译： 用于由客户代理截取通过虚拟专用网络连接发送的客户端的通信的方法包括基于来自该通信的应用的识别来截取通信的步骤。 代理接收标识第一应用的信息。 代理确定由客户端发送的网络通信源自第一应用，并拦截该通信。 该代理通过虚拟专用网络连接发送被拦截的通信。

公开(公告)号：US07843912B2

公开(公告)日：2010-11-30

申请号：US11462312

申请日：2006-08-03

申请人： James Harris ,  Charu Venkatraman ,  Junxiao He ,  Amarnath Mullick ,  Shashi Nanjundaswamy ,  Ajay Soni

发明人： James Harris ,  Charu Venkatraman ,  Junxiao He ,  Amarnath Mullick ,  Shashi Nanjundaswamy ,  Ajay Soni

IPC分类号： H04L12/28

CPC分类号： H04L12/4679 ,  H04L63/0272 ,  H04L63/102 ,  H04L69/16 ,  H04L69/163

摘要： A method for intercepting communication of a client to a destination on a virtual private network includes an agent executing on the client that intercepts a network communication of the client. The agent provides a virtual private network connection from a first network to a second network. The decision to intercept is based on a network destination description or an identification of an application authorized to be accessed via the virtual private network. In one case, the agent determines that a destination specified by the intercepted communication corresponds to a network identifier and a port of a network destination description of an application on the second network authorized for access via the virtual private network. In response to this determination, the agent transmits the intercepted communication.

摘要翻译： 用于拦截客户端到虚拟专用网络上的目的地的通信的方法包括在客户端上执行的代理，其拦截客户端的网络通信。 代理提供从第一网络到第二网络的虚拟专用网络连接。 拦截的决定基于网络目的地描述或被授权经由虚拟专用网络访问的应用的标识。 在一种情况下，代理确定由截取的通信指定的目的地对应于被授权用于经由虚拟专用网访问的第二网络上的应用的网络标识符和网络目的地描述的端口。 响应于该确定，代理发送被拦截的通信。