公开(公告)号：US08151323B2

公开(公告)日：2012-04-03

申请号：US11566975

申请日：2006-12-05

申请人： James Harris ,  Max He ,  Arkesh Kumar ,  Ajay Soni ,  Charu Venkatraman ,  Shashi Najundaswamy ,  Amarnath Mullick

发明人： James Harris ,  Max He ,  Arkesh Kumar ,  Ajay Soni ,  Charu Venkatraman ,  Shashi Najundaswamy ,  Amarnath Mullick

IPC分类号： H04L29/06

CPC分类号： H04L67/06 ,  H04L63/0272 ,  H04L63/105 ,  H04L63/166 ,  H04L67/02 ,  H04L67/2842 ,  H04L67/34 ,  H04L69/10 ,  H04L69/16 ,  H04L69/165

摘要： The present invention relates to systems and methods to identify a level of access for a resource being accessed via a secure socket layer virtual private network (SSL VPN) connection to a network, and to control the action on the resource based on the identified level of access. The appliance described herein provides intelligent secure access and action control to resources based on a sense and respond mechanism. When a user requests access to a resource via the SSL VPN connection of the appliance, the appliance obtains information about the client to determine the user access scenario—the location, device, connection and identify of the user or client. Based on the collected information, the appliance responds to the detected user scenario by identifying a level of access to the resource for the user/client, such as rights to view, print, edit or save a document, Based on the identified level of access, the appliance controls the actions performs on the resource by various techniques described herein so that the user can only perform the allowed action n accordance with the level of access. As such, the present invention allows organization to control and provide the appropriate level of access to valuable, confidential or business critical information accessed remotely or via a pubic network while protecting such information by controlling the types of actions performed or allowed to be performed remotely on the information.

摘要翻译： 本发明涉及用于识别经由到网络的安全套接字层虚拟专用网（SSL VPN）连接被访问的资源的访问级别的系统和方法，并且基于所识别的级别来控制对资源的动作 访问。 本文所述的设备基于感测和响应机制来提供对资源的智能安全访问和动作控制。 当用户通过设备的SSL VPN连接请求访问资源时，设备将获取有关客户端的信息，以确定用户访问场景 - 用户或客户端的位置，设备，连接和标识。 基于收集的信息，设备通过识别用户/客户端对资源的访问级别（例如查看，打印，编辑或保存文档的权限）来响应所检测的用户场景。基于所识别的访问级别 ，设备通过本文描述的各种技术控制对资源执行的操作，使得用户只能根据访问级别执行允许的动作。 因此，本发明允许组织控制并提供对远程访问或通过公共网络访问的有价值的，机密的或业务关键信息的适当级别的访问，同时通过控制远程执行或允许执行的动作的类型来保护这些信息， 信息。

公开(公告)号：US20070245409A1

公开(公告)日：2007-10-18

申请号：US11566975

申请日：2006-12-05

申请人： James Harris ,  Max He ,  Arkesh Kumar ,  Ajay Soni ,  Charu Venkatraman ,  Shashi Najundaswamy ,  Amarnath Mullick

发明人： James Harris ,  Max He ,  Arkesh Kumar ,  Ajay Soni ,  Charu Venkatraman ,  Shashi Najundaswamy ,  Amarnath Mullick

IPC分类号： H04L9/32

CPC分类号： H04L67/06 ,  H04L63/0272 ,  H04L63/105 ,  H04L63/166 ,  H04L67/02 ,  H04L67/2842 ,  H04L67/34 ,  H04L69/10 ,  H04L69/16 ,  H04L69/165

摘要： The present invention relates to systems and methods to identify a level of access for a resource being accessed via a secure socket layer virtual private network (SSL VPN) connection to a network, and to control the action on the resource based on the identified level of access. The appliance described herein provides intelligent secure access and action control to resources based on a sense and respond mechanism. When a user requests access to a resource via the SSL VPN connection of the appliance, the appliance obtains information about the client to determine the user access scenario—the location, device, connection and identify of the user or client. Based on the collected information, the appliance responds to the detected user scenario by identifying a level of access to the resource for the user/client, such as rights to view, print, edit or save a document, Based on the identified level of access, the appliance controls the actions performs on the resource by various techniques described herein so that the user can only perform the allowed action n accordance with the level of access. As such, the present invention allows organization to control and provide the appropriate level of access to valuable, confidential or business critical information accessed remotely or via a pubic network while protecting such information by controlling the types of actions performed or allowed to be performed remotely on the information.

摘要翻译： 本发明涉及用于识别经由到网络的安全套接字层虚拟专用网（SSL VPN）连接被访问的资源的访问级别的系统和方法，并且基于所识别的级别来控制对资源的动作 访问。 本文所述的设备基于感测和响应机制来提供对资源的智能安全访问和动作控制。 当用户通过设备的SSL VPN连接请求访问资源时，设备将获取有关客户端的信息，以确定用户访问场景 - 用户或客户端的位置，设备，连接和标识。 基于收集的信息，设备通过识别用户/客户端对资源的访问级别（例如查看，打印，编辑或保存文档的权限）来响应所检测的用户场景。基于所识别的访问级别 ，设备通过本文描述的各种技术控制对资源执行的操作，使得用户只能根据访问级别执行允许的动作。 因此，本发明允许组织控制并提供对远程访问或通过公共网络访问的有价值的，机密的或业务关键信息的适当级别的访问，同时通过控制远程执行或允许执行的动作的类型来保护这些信息， 信息。

公开(公告)号：US20100281162A1

公开(公告)日：2010-11-04

申请号：US12823643

申请日：2010-06-25

申请人： Charu Venkatraman ,  Junxiao He ,  Ajay Soni ,  James Harris ,  Arkesh Kumar

发明人： Charu Venkatraman ,  Junxiao He ,  Ajay Soni ,  James Harris ,  Arkesh Kumar

IPC分类号： G06F15/16 ,  G06F15/173

CPC分类号： H04L12/4641 ,  H04L63/0272 ,  H04L63/166 ,  H04L69/16 ,  H04L69/161 ,  H04L69/163 ,  H04L69/164

摘要： The present invention is related to a method for establishing via an appliance a transport layer protocol connection initiated by a server on a first network to a client connected from a second network to the first network via a secure socket layer virtual private network (SSL VPN) connection. The method includes the step of receiving, by an appliance, a transport layer connection request from a server on a first network to connect to a client connected to the first network via a SSL VPN connection from a second network. The transport layer connection request identifies a client destination internet protocol address and a client destination port on the first network. The method includes establishing, by the appliance, a first transport layer connection to the server on the first network, determining, by the appliance, the client on the second network associated with the client destination internet protocol address on the first network, and transmitting, by the appliance, connection information identifying the client destination port to an agent on the client. The agent establishes a second transport layer connection to the client destination port using a local internet protocol address of the client on the second network and establishes a third transport layer connection to the appliance, which it associates with the second transport layer connection.

摘要翻译： 本发明涉及一种用于经由设备建立由第一网络上的服务器通过安全套接层虚拟专用网（SSL VPN）从第二网络连接到第一网络的客户端发起的传输层协议连接的方法， 连接。 该方法包括以下步骤：通过设备从第一网络的服务器接收传输层连接请求，以经由来自第二网络的SSL VPN连接连接到连接到第一网络的客户端。 传输层连接请求标识第一网络上的客户端目标网络协议地址和客户端目的端口。 该方法包括由设备建立与第一网络上的服务器的第一传输层连接，由设备确定与第一网络上的客户端目的地网际协议地址相关联的第二网络上的客户端， 由设备将连接信息标识到客户机上的代理的客户端目的地端口。 代理使用第二网络上的客户端的本地互联网协议地址建立与客户端目的地端口的第二传输层连接，并建立与设备相关联的第三传输层连接，其与第二传输层连接相关联。

公开(公告)号：US07769869B2

公开(公告)日：2010-08-03

申请号：US11465950

申请日：2006-08-21

申请人： Charu Venkatraman ,  Arkesh Kumar ,  James Harris ,  Ajay Soni ,  Junxiao He

发明人： Charu Venkatraman ,  Arkesh Kumar ,  James Harris ,  Ajay Soni ,  Junxiao He

IPC分类号： G06F15/16

CPC分类号： H04L12/4641 ,  H04L63/0272 ,  H04L63/166 ,  H04L69/16 ,  H04L69/161 ,  H04L69/163 ,  H04L69/164

摘要： The present invention is related to a method for establishing via an appliance a transport layer protocol connection initiated by a server on a first network to a client connected from a second network to the first network via a secure socket layer virtual private network (SSL VPN) connection. The method includes the step of receiving, by an appliance, a transport layer connection request from a server on a first network to connect to a client connected to the first network via a SSL VPN connection from a second network. The transport layer connection request identifies a client destination internet protocol address and a client destination port on the first network. The method includes establishing, by the appliance, a first transport layer connection to the server on the first network, determining, by the appliance, the client on the second network associated with the client destination internet protocol address on the first network, and transmitting, by the appliance, connection information identifying the client destination port to an agent on the client. The agent establishes a second transport layer connection to the client destination port using a local internet protocol address of the client on the second network and establishes a third transport layer connection to the appliance, which it associates with the second transport layer connection.

摘要翻译： 本发明涉及一种用于经由设备建立由第一网络上的服务器通过安全套接层虚拟专用网（SSL VPN）从第二网络连接到第一网络的客户端发起的传输层协议连接的方法， 连接。 该方法包括以下步骤：通过设备从第一网络的服务器接收传输层连接请求，以经由来自第二网络的SSL VPN连接连接到连接到第一网络的客户端。 传输层连接请求标识第一网络上的客户端目标网络协议地址和客户端目的端口。 该方法包括由设备建立与第一网络上的服务器的第一传输层连接，由设备确定与第一网络上的客户端目的地网际协议地址相关联的第二网络上的客户端， 由设备将连接信息标识到客户机上的代理的客户端目的地端口。 代理使用第二网络上的客户端的本地互联网协议地址建立与客户端目的地端口的第二传输层连接，并建立与设备相关联的第三传输层连接，其与第二传输层连接相关联。

公开(公告)号：US08271661B2

公开(公告)日：2012-09-18

申请号：US12823643

申请日：2010-06-25

申请人： James Harris ,  Arkesh Kumar ,  Charu Venkatraman ,  Ajay Soni ,  Junxiao He

发明人： James Harris ,  Arkesh Kumar ,  Charu Venkatraman ,  Ajay Soni ,  Junxiao He

IPC分类号： G06F15/16

CPC分类号： H04L12/4641 ,  H04L63/0272 ,  H04L63/166 ,  H04L69/16 ,  H04L69/161 ,  H04L69/163 ,  H04L69/164

摘要： The present invention is related to a method for establishing via an appliance a transport layer protocol connection initiated by a server on a first network to a client connected from a second network to the first network via a secure socket layer virtual private network (SSL VPN) connection. The method includes the step of receiving, by an appliance, a transport layer connection request from a server on a first network to connect to a client connected to the first network via a SSL VPN connection from a second network. The transport layer connection request identifies a client destination internet protocol address and a client destination port on the first network. The method includes establishing, by the appliance, a first transport layer connection to the server on the first network, determining, by the appliance, the client on the second network associated with the client destination internet protocol address on the first network, and transmitting, by the appliance, connection information identifying the client destination port to an agent on the client. The agent establishes a second transport layer connection to the client destination port using a local internet protocol address of the client on the second network and establishes a third transport layer connection to the appliance, which it associates with the second transport layer connection.

摘要翻译： 本发明涉及一种用于经由设备建立由第一网络上的服务器发起的传输层协议连接到通过安全套接层虚拟专用网（SSL VPN）从第二网络连接到第一网络的客户端的方法， 连接。 该方法包括以下步骤：通过设备从第一网络的服务器接收传输层连接请求，以经由来自第二网络的SSL VPN连接连接到连接到第一网络的客户端。 传输层连接请求标识第一网络上的客户端目标网络协议地址和客户端目的端口。 该方法包括由设备建立与第一网络上的服务器的第一传输层连接，由设备确定与第一网络上的客户端目的地网际协议地址相关联的第二网络上的客户端， 由设备将连接信息标识到客户机上的代理的客户端目的地端口。 代理使用第二网络上的客户端的本地互联网协议地址建立与客户端目的地端口的第二传输层连接，并建立与设备相关联的第三传输层连接，其与第二传输层连接相关联。

公开(公告)号：US20080043760A1

公开(公告)日：2008-02-21

申请号：US11465950

申请日：2006-08-21

申请人： Charu Venkatraman ,  Junxiao He ,  Ajay Soni ,  James Harris ,  Arkesh Kumar

发明人： Charu Venkatraman ,  Junxiao He ,  Ajay Soni ,  James Harris ,  Arkesh Kumar

IPC分类号： H04L12/56

CPC分类号： H04L12/4641 ,  H04L63/0272 ,  H04L63/166 ,  H04L69/16 ,  H04L69/161 ,  H04L69/163 ,  H04L69/164

摘要： The present invention is related to a method for establishing via an appliance a transport layer protocol connection initiated by a server on a first network to a client connected from a second network to the first network via a secure socket layer virtual private network (SSL VPN) connection. The method includes the step of receiving, by an appliance, a transport layer connection request from a server on a first network to connect to a client connected to the first network via a SSL VPN connection from a second network. The transport layer connection request identifies a client destination internet protocol address and a client destination port on the first network. The method includes establishing, by the appliance, a first transport layer connection to the server on the first network, determining, by the appliance, the client on the second network associated with the client destination internet protocol address on the first network, and transmitting, by the appliance, connection information identifying the client destination port to an agent on the client. The agent establishes a second transport layer connection to the client destination port using a local internet protocol address of the client on the second network and establishes a third transport layer connection to the appliance, which it associates with the second transport layer connection.

摘要翻译： 本发明涉及一种用于经由设备建立由第一网络上的服务器通过安全套接层虚拟专用网（SSL VPN）从第二网络连接到第一网络的客户端发起的传输层协议连接的方法， 连接。 该方法包括以下步骤：通过设备从第一网络的服务器接收传输层连接请求，以经由来自第二网络的SSL VPN连接连接到连接到第一网络的客户端。 传输层连接请求标识第一网络上的客户端目标网络协议地址和客户端目的端口。 该方法包括由设备建立与第一网络上的服务器的第一传输层连接，由设备确定与第一网络上的客户端目的地网际协议地址相关联的第二网络上的客户端， 由设备将连接信息标识到客户机上的代理的客户端目的地端口。 代理使用第二网络上的客户端的本地互联网协议地址建立与客户端目的地端口的第二传输层连接，并建立与设备相关联的第三传输层连接，其与第二传输层连接相关联。

公开(公告)号：US20080046371A1

公开(公告)日：2008-02-21

申请号：US11465948

申请日：2006-08-21

申请人： Junxiao He ,  Charu Venkatraman ,  Arkesh Kumar ,  Ajay Soni

发明人： Junxiao He ,  Charu Venkatraman ,  Arkesh Kumar ,  Ajay Soni

IPC分类号： H04L9/00

CPC分类号： H04L67/34 ,  G06F8/65 ,  H04L63/0272 ,  H04L63/104 ,  H04L63/166

摘要： A method for automatically changing a version of a client agent for a non-administrative user account without rebooting the user's machine uses a service having installation privileges. The service executes on the client and installs a client agent. The client agent communicates with a network appliance. The client agent detects a difference between its version and a version of the client agent identified by the network appliance. The agent signals the service that it has detected the difference and, in response, the service executes an installation program that installs, without rebooting the client, the version of the client agent identified by the appliance. A corresponding system is also described.

摘要翻译： 用于自动更改非管理用户帐户的客户端代理的版本而不重新启动用户的计算机的方法将使用具有安装权限的服务。 服务在客户端上执行并安装客户端代理。 客户端代理与网络设备进行通信。 客户端代理检测其版本与由网络设备识别的客户端代理的版本之间的差异。 该代理向该服务发出信号，它检测到该差异，作为响应，该服务执行安装程序，而不重新启动客户机，该设备将由该设备识别的客户端代理的版本。 还描述了相应的系统。

公开(公告)号：US08769522B2

公开(公告)日：2014-07-01

申请号：US11465948

申请日：2006-08-21

申请人： Charu Venkatraman ,  Arkesh Kumar ,  Junxiao He ,  Ajay Soni

发明人： Charu Venkatraman ,  Arkesh Kumar ,  Junxiao He ,  Ajay Soni

IPC分类号： G06F9/44

CPC分类号： H04L67/34 ,  G06F8/65 ,  H04L63/0272 ,  H04L63/104 ,  H04L63/166

摘要： A method for automatically changing a version of a client agent for a non-administrative user account without rebooting the user's machine uses a service having installation privileges. The service executes on the client and installs a client agent. The client agent communicates with a network appliance. The client agent detects a difference between its version and a version of the client agent identified by the network appliance. The agent signals the service that it has detected the difference and, in response, the service executes an installation program that installs, without rebooting the client, the version of the client agent identified by the appliance. A corresponding system is also described.

摘要翻译： 用于自动更改非管理用户帐户的客户端代理的版本而不重新启动用户的计算机的方法将使用具有安装权限的服务。 服务在客户端上执行并安装客户端代理。 客户端代理与网络设备进行通信。 客户端代理检测其版本与由网络设备识别的客户端代理的版本之间的差异。 该代理向该服务发出信号，它检测到该差异，作为响应，该服务执行安装程序，而不重新启动客户机，该设备将由该设备识别的客户端代理的版本。 还描述了相应的系统。

公开(公告)号：US08572721B2

公开(公告)日：2013-10-29

申请号：US11462174

申请日：2006-08-03

申请人： Arkesh Kumar ,  James Harris ,  Ajay Soni

发明人： Arkesh Kumar ,  James Harris ,  Ajay Soni

IPC分类号： H04L29/06

CPC分类号： H04L63/0272 ,  H04L12/4641 ,  H04L63/166

摘要： In a method and system for routing packets between clients, a packet is received from a first client connected to a secure sockets layer virtual private network (an SSL/VPN) network appliance. An identification is made, responsive to an inspection of the received packet, of i) a type of connection required for transmission of the received packet to a destination address identified by the received packet and ii) a second client connected via an SSL/VPN connection to the SSL/VPN network appliance and associated with the identified destination address. A request is made for establishment by the second client of a connection of the identified type within the SSL/VPN connection. The received packet is transmitted to the second client via the established connection of the identified type.

摘要翻译： 在用于在客户端之间路由分组的方法和系统中，从连接到安全套接层层虚拟专用网（SSL / VPN）网络设备的第一客户端接收分组。 响应于所接收的分组的检查，进行识别i）将接收的分组传输到由接收分组识别的目的地地址所需的连接类型，以及ii）经由SSL / VPN连接连接的第二客户端 到SSL / VPN网络设备并与所识别的目的地址相关联。 请求由第二客户端建立SSL / VPN连接中识别类型的连接。 所接收的分组经由所识别类型的建立的连接被发送到第二客户端。

公开(公告)号：US08108525B2

公开(公告)日：2012-01-31

申请号：US11462341

申请日：2006-08-03

申请人： Arkesh Kumar ,  James Harris ,  Ajay Soni

发明人： Arkesh Kumar ,  James Harris ,  Ajay Soni

IPC分类号： G06F15/16

CPC分类号： H04L63/0272 ,  H04L12/4641 ,  H04L67/14

摘要： Methods for establishing an SSL/VPN session on behalf of a user of a client where the user has a previously existing session are described. Methods include receiving, by an appliance, a request from a first client operated by a user to establish a virtual private network session; creating, by the appliance, a temporary virtual private network session with the client; identifying, by the appliance, an existing virtual private network session previously established on behalf of the user; terminating the previous session; and creating a new virtual private network session with the client using the temporary session. Other methods may further include transmitting a request to a user corresponding to whether to terminate one or more previous sessions, and transferring session data from a previously existing session to a current session. Corresponding systems are also described.

摘要翻译： 描述代表用户具有先前存在的会话的客户端的用户建立SSL / VPN会话的方法。 方法包括由设备接收来自用户操作的第一客户机的请求以建立虚拟专用网络会话; 由设备创建与客户端的临时虚拟专用网络会话; 由设备识别以前代表用户建立的现有虚拟专用网络会话; 终止前一届会议; 并使用临时会话与客户端创建新的虚拟专用网络会话。 其他方法还可以包括：向用户发送对应于是否终止一个或多个先前会话的请求，以及将会话数据从先前存在的会话传送到当前会话。 还描述了相应的系统。