| Patent application number | Description | Published |
|---|---|---|
| 20090037763 | Systems and Methods for Providing IIP Address Stickiness in an SSL VPN Session Failover Environment - The SSL VPN session failover solution of the appliance and/or client agent described herein provides an environment for handling IP address assignment and end point re-authorization upon failover. The appliances may be deployed to provide a session failover environment in which a second appliance is a backup to a first appliance when a failover condition is detected, such as failure in operation of the first appliance. The backup appliance takes over responsibility for SSL VPN sessions provided by the first appliance. In the failover environment, the first appliance propagates SSL VPN session information, including user IP address assignment and end point authorization information, to the backup appliance. The backup appliance maintains this information. Upon detection of failover of the first appliance, the backup appliance activates the transferred SSL VPN session and maintains the user-assigned IP addresses. The backup appliance may also re-authorize the client for the transferred SSL VPN session. | 02-05-2009 |
| 20090037998 | Systems and Methods for Authorizing a Client in an SSL VPN Session Failover Environment - The SSL VPN session failover solution of the appliance and/or client agent described herein provides an environment for handling IP address assignment and end point re-authorization upon failover. The appliances may be deployed to provide a session failover environment in which a second appliance is a backup to a first appliance when a failover condition is detected, such as failure in operation of the first appliance. The backup appliance takes over responsibility for SSL VPN sessions provided by the first appliance. In the failover environment, the first appliance propagates SSL VPN session information, including user IP address assignment and end point authorization information, to the backup appliance. The backup appliance maintains this information. Upon detection of failover of the first appliance, the backup appliance activates the transferred SSL VPN session and maintains the user-assigned IP addresses. The backup appliance may also re-authorize the client for the transferred SSL VPN session. | 02-05-2009 |
| 20120290732 | METHODS FOR ASSOCIATING AN IP ADDRESS TO A USER VIA AN APPLIANCE - The present disclosure describes methods and systems for efficiently assigning, managing and querying virtual private network (VPN) addresses, i.e. intranet IP (IIP) addresses, of users, such as SSL VPN users on an enterprise network. The disclosure describes techniques and policies for assigning previously-assigned VPN addresses of a user to subsequent sessions of the user as the user logs in multiple times or roams between access points. The disclosure also describes a configurable user domain naming policy so that one can query the VPN address of a user by an easily referable host name identifying the user. The appliance and/or client agent provides techniques for applications to seamlessly and transparently communicate on the VPN using the VPN address of the user or client on the private network. | 11-15-2012 |
| 20130152162 | METHOD AND SYSTEM FOR AUTHORIZING A LEVEL OF ACCESS OF A CLIENT TO A VIRTUAL PRIVATE NETWORK CONNECTION, BASED ON A CLIENT-SIDE ATTRIBUTE - An appliance and method for authorizing a level of access of a client to a virtual private network connection, based on a client-side attribute, includes the step of establishing, by an appliance, a control connection with a client upon receiving a client request to establish a virtual private network connection with a network. The appliance transmits, via the control connection, a request to the client to evaluate at least one clause of a security string, the at least one clause including an expression associated with a client-side attribute. The client transmits, via the control connection, a response to the appliance comprising a result of evaluating the at least one clause by the client. The appliance assigns the client to an authorization group based on the result of evaluation of the at least one clause. | 06-13-2013 |
| 20130212667 | METHOD AND APPLIANCE FOR AUTHENTICATING, BY AN APPLIANCE, A CLIENT TO ACCESS A VIRTUAL PRIVATE NETWORK CONNECTION, BASED ON AN ATTRIBUTE OF A CLIENT-SIDE CERTIFICATE - In a method and appliance for authenticating, by an appliance, a client to access a virtual private network connection, based on an attribute of a client-side certificate, a client authentication certificate is requested from a client. A value of at least one field in the client authentication certificate received from the client is identified. One of a plurality of types of access is assigned responsive to an application of a policy to the identified value of the at least one field, each of the plurality of access types being associated with at least one connection characteristic. | 08-15-2013 |
| 20130304881 | SYSTEMS AND METHODS FOR MANAGING APPLICATION SECURITY PROFILES - A method for intercepting, by an agent of a client, communications from the client to be transmitted via a virtual private network connection includes the step of intercepting communications based on identification of the application from which the communication originates. The agent receives information identifying a first application. The agent determines that a network communication transmitted by the client originates from the first application and intercepts that communication. The agent transmits the intercepted communication via the virtual private network connection. | 11-14-2013 |
| 20140344891 | SYSTEMS AND METHODS FOR ENHANCED CLIENT SIDE POLICY - An appliance and method for authorizing a level of access of a client to a virtual private network connection, based on a client-side attribute, includes the step of establishing, by an appliance, a control connection with a client upon receiving a client request to establish a virtual private network connection with a network. The appliance transmits, via the control connection, a request to the client to evaluate at least one clause of a security string, the at least one clause including an expression associated with a client-side attribute. The client transmits, via the control connection, a response to the appliance comprising a result of evaluating the at least one clause by the client. The appliance assigns the client to an authorization group based on the result of evaluation of the at least one clause. | 11-20-2014 |
| 20150020220 | SYSTEMS AND METHODS FOR APPLICATION BASED INTERCEPTION OF SSL/VPN TRAFFIC - A method for allowing or denying, by an appliance, access to a resource by an application on a client via a virtual private network connection includes basing the decision to allow or deny access on identification of the application. The appliance intercepts a request from an application on a client on a first network to access, via a virtual private network connection, a resource on a second network. The appliance identifies the application and associates with the intercepted request an authorization policy based on the identity of the application. The appliance determines, using the authorization policy and the identity of the application, whether to allow or deny access by the application to the resource. | 01-15-2015 |
| Patent application number | Description | Published |
|---|---|---|
| 20100241846 | SYSTEM AND METHOD FOR ESTABLISHING A VIRTUAL PRIVATE NETWORK - A system and method for establishing a virtual private network (VPN) between a client and a private data communication network. An encrypted data communication session, such as a Secure Sockets Layer (SSL) data communication session, is established between a gateway and the client over a public data communication network. The gateway then sends a programming component to the client for automatic installation and execution thereon. The programming component operates to intercept communications from client applications destined for resources on the private data communication network and to send the intercepted communications to the gateway via the encrypted data communication session instead of to the resources on the private data communication network. | 09-23-2010 |
| 20140301388 | SYSTEMS AND METHODS TO CACHE PACKET STEERING DECISIONS FOR A CLUSTER OF LOAD BALANCERS - The present disclosure is directed towards methods and systems for caching packet steering sessions for steering data packets between intermediary devices of a cluster of intermediary devices that sit between a client and a plurality of servers. A first intermediary device receives a first data packet and determines, from a hash of a tuple of the first packet, a second intermediary device to which to steer the first packet. The first device stores, in a session for holding packet steering information, the identity of the second device and the tuple. The first device receives a second packet having a corresponding tuple that matches the tuple of the first packet and determines, based on a lookup of the session using the tuple of the second packet, that the second device is the intermediary device to which to steer the second packet. The first device steers the second packet to the second device. | 10-09-2014 |
| 20140304798 | SYSTEMS AND METHODS FOR HTTP-BODY DOS ATTACK PREVENTION WITH ADAPTIVE TIMEOUT - The present disclosure is directed generally to systems and methods for changing an application layer transaction timeout to prevent Denial of Service attacks. A device intermediary to a client and a server may receive, via a transport layer connection between the device and the client, a packet of an application layer transaction. The device may increment an attack counter for the transport layer connection by a first predetermined amount responsive to the size of the packet being less than a predetermined fraction of the maximum segment size for the transport layer connection. The device may increment the attack counter by a second predetermined amount responsive to the inter-packet delay between the packet and a previous packet being more than a predetermined multiple of the round trip time. The device may change the timeout for the application layer transaction responsive to comparing the attack counter to a predetermined threshold. | 10-09-2014 |
| Patent application number | Description | Published |
|---|---|---|
| 20100020967 | HTTP AUTHENTICATION AND AUTHORIZATION MANAGEMENT - Systems, methods and apparatus for a distributed security system that provides authentication and authorization management. The system can include an epoch manager that is used to generate authentication and authorization data that remain valid only for an epoch. The epoch manager can generate an epoch key pair that can be used to encrypt and decrypt the authentication and authorization data during the epoch for which the key is valid. The epoch manager can also associate the contents of the data with the epoch in which it was created, so that, at decryption, the epoch in which the data was generated can be identified. | 01-28-2010 |
| 20100023762 | HTTP AUTHENTICATION AND AUTHORIZATION MANAGEMENT - Systems, methods and apparatus for a distributed security system that provides authentication and authorization management. The system can include an epoch processor that is used to validate authentication and authorization data that is valid only for an epoch. The epoch processor can maintain a public key that can be used to decrypt the authentication and authorization data during the epoch for which the key is valid. The epoch processor can receive a new public key during each epoch. The epoch processor can also determine whether the authentication or authorization data was fraudulently generated based on the contents of the data, and verify whether the data is valid for the epoch in which it was decrypted. | 01-28-2010 |
| 20100024006 | HTTP AUTHENTICATION AND AUTHORIZATION MANAGEMENT - Systems, methods and apparatus for a distributed security system that provides authentication and authorization management. The system can include a state manager that is used to identify and maintain the source associated with a client browser that submits requests to the state manager. The state manager can allow requests that are authorized and request authorization for requests that are not. The state manager can maintain the states associated with each domain to reduce the number of transactions needed to authenticate and/or authorize subsequent requests to the same domain or to different domains. | 01-28-2010 |
| 20100024014 | HTTP AUTHENTICATION AND AUTHORIZATION MANAGEMENT - Systems, methods and apparatus for a distributed security system that provides authentication and authorization management. The system can include a source processor that is used to identify the source associated with a request for authentication or authorization. The source processor can maintain the initial source associated with the request through the use of an association token. The association token can be transmitted with each subsequent request that includes authentication or authorization data. The source processor can use the association token to verify that the source associated with the initial request is the same as the source associated with subsequent authentication and authorization requests. | 01-28-2010 |
| Patent application number | Description | Published |
|---|---|---|
| 20110047415 | DEBUGGING OF BUSINESS FLOWS DEPLOYED IN PRODUCTION SERVERS - Facilitating debugging of business flows deployed on a production server. An aspect of the present invention processes some service requests (received from a client system) in a normal mode and some other service requests in a debug mode concurrently, all according to a business flow. According to another aspect, the debug mode supports a single-step debug operation, in which each step corresponds to a single activity of the business flow. Accordingly, an administrator of the production server is better able to determine the problems in the execution of business flows deployed on a production server at runtime. | 02-24-2011 |
| 20110258579 | BUSINESS PROCESS DEBUGGER WITH PARALLEL-STEP DEBUG OPERATION - A system for enabling a developer to concurrently debug parallel activities in a business process or workflow, or other software process. A production server includes a business process, which includes a parallel activity. The production server is operable to receive a request to debug the business process, present a graphical representation of the business process, receive input which indicates where a breakpoint is to be added to the business process, and insert the breakpoint. When a request to debug the business process is received, the production server instantiates the business process and executes the instance, pauses execution of the instance when a breakpoint is reached, and enters debug mode. It can then receive an instruction to perform a parallel-step operation on the parallel activity, execute a plurality of current activities in the parallel activity concurrently, pause execution before executing a next activity, and wait for further input. | 10-20-2011 |