Associating Service Tags with Remote Data Message Flows Based on Remote Device Management Attributes
US-2017064749-A1 · Mar 2, 2017 · US
US10523636B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-10523636-B2 |
| Application number | US-201615015686-A |
| Country | US |
| Kind code | B2 |
| Filing date | Feb 4, 2016 |
| Priority date | Feb 4, 2016 |
| Publication date | Dec 31, 2019 |
| Grant date | Dec 31, 2019 |
Official abstract text for this publication.
Disclosed are various examples for the use of network micro-segmentation in enterprise mobility management. In one example, a gateway receives network traffic from a client device through a virtual private network (VPN) tunnel. The gateway determines one or more device management attributes associated with the client device in response to receiving the network traffic. The gateway then determines a particular network virtual segment based at least in part on the device management attribute(s). The gateway forwards the network traffic to the particular virtual network segment.
Opening claim text (preview).
Therefore, the following is claimed:

1. A non-transitory computer-readable medium embodying at least one program executable in at least one gateway computing device, the at least one program, when executed by the at least one gateway computing device, being configured to cause the at least one gateway computing device to at least: divide an internal network into a plurality of virtual network segments, wherein the plurality of virtual network segments comprise different configurations of network resources; receive network traffic from a client device through a virtual private network (VPN) tunnel of an external network, wherein the at least one gateway computing device is coupled to the external network and the internal network; determine at least one device management attribute associated with the client device, wherein the at least one device management attribute is provided to the gateway computing device by a management application executed by the client device; embed, by the at least one gateway computing device, the at least one device management attribute in a header of a packet comprising the network traffic; determine a particular virtual network segment of the plurality of virtual network segments based at least in part on the at least one device management attribute; and forward the packet comprising the network traffic to the particular virtual network segment, wherein a network device in the internal network receives the packet and evaluates the at least one device management attribute in the header of the packet in order to forward the packet within the internal network.
2. The non-transitory computer-readable medium of claim 1, wherein when executed to determine the particular virtual network segment of the plurality of virtual network segments based at least in part on the at least one device management attribute further comprises evaluating a compliance status of the client device by applying at least one compliance rule to the at least one device management attribute.
3. The non-transitory computer-readable medium of claim 1, wherein the VPN tunnel is associated with a single client application executed by the client device.
4. The non-transitory computer-readable medium of claim 1, wherein the at least one device management attribute includes a jailbreak status of the client device.
5. The non-transitory computer-readable medium of claim 1, wherein the at least one device management attribute includes a location of the client device.
6. The non-transitory computer-readable medium of claim 1, wherein the at least one device management attribute includes an identifier of a client application executed by the client device.
7. The non-transitory computer-readable medium of claim 1, wherein when executed the at least one program further causes the at least one gateway computing device to at least: receive additional network traffic from the client device through the VPN tunnel; determine at least one updated device management attribute associated with the client device in response to receiving the additional network traffic; determine a different virtual network segment of the plurality of virtual network segments based at least in part on the at least one updated device management attribute; and forward the network traffic to the different virtual network segment.
8. A system, comprising: at least one gateway computing device; and a gateway executable by the at least one gateway computing device, the gateway configured to cause the at least one gateway computing device to at least: divide an internal network into a plurality of virtual network segments, wherein the plurality of virtual network segments comprise different configurations of network resources; receive network traffic from a client device through a virtual private network (VPN) tunnel of an external network, wherein the at least one gateway computing device is coupled to the external network and the internal network; determine at least one device management attribute associated with the client device, wherein the at least one device management attribute is provided to the gateway computing device by a management application executed by the client device; embed, by the at least one gateway computing device, the at least one device management attribute in a header of a packet comprising the network traffic; determine a particular virtual network segment of the plurality of virtual network segments based at least in part on the at least one device management attribute; and forward the packet comprising the network traffic to the particular virtual network segment, wherein a network device in the internal network receives the packet and evaluates the at least one device management attribute in the header of the packet in order to forward the packet within the internal network.
9. The system of claim 8, wherein the network traffic is associated with a destination network resource that is unreachable through the particular virtual network segment.
10. The system of claim 8, wherein the at least one device management attribute includes a jailbreak status of the client device.
11. The system of claim 8, wherein the at least one device management attribute includes at least one of: a user identifier or an identifier of the client device.
12. The system of claim 8, wherein the at least one device management attribute includes a location of the client device.
13. The system of claim 8, wherein when executed the gateway is further configured to cause the at least one gateway computing device to at least determine a port address associated with the particular virtual network segment, wherein the network traffic is forwarded to the particular virtual network segment using the port address as a source port address.
14. The system of claim 8, wherein when executed the gateway is further configured to cause the at least one gateway computing device to at least determine an internet protocol (IP) address associated with the particular virtual network segment, wherein the network traffic is forwarded to the particular virtual network segment using the IP address as a source IP address.
15. A method for forwarding network traffic using a gateway device, the method comprising: dividing an internal network into a plurality of virtual network segments, wherein the plurality of virtual network segments comprise different configurations of network resources; receiving network traffic from a client device through a virtual private network (VPN) tunnel of an external network, wherein the gateway computing device is coupled to the external network and the internal network; determining at least one device management attribute associated with the client device, wherein the at least one device management attribute is provided to the gateway computing device by a management application executed by the client device; embedding, by the gateway computing device, the at least one device management attribute in a header of a packet comprising the network traffic; determining a particular virtual network segment of the plurality of virtual network segments based at least in part on the at least one device management attribute; and forwarding the packet comprising the network traffic to the particular virtual network segment, wherein a network device in the internal network receives the packet and evaluates the at least one device management attribute in the header of the packet in order to forward the packet within the internal network.
16. The method of claim 15, wherein the at least one device management attribute includ
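The gateway behaviour the claims describe (compliance rules over management-app attributes, segment selection, attributes embedded in the packet header, and re-evaluation on later traffic), as an added illustration that is not the patent's or any vendor's code. Segment names, header field names, allowed locations and approved app identifiers are constructed for the example.

```python
# Added illustration, not the patent's or any vendor's code: a gateway keeps the
# device management attributes reported by the management app, applies compliance
# rules to them on every packet, picks a virtual network segment and embeds the
# attributes in the packet header for internal network devices to evaluate.
from dataclasses import dataclass, field

# Constructed segment names and policy values; a real deployment maps these to
# VLAN/VRF identifiers and its own compliance policy.
SEG_QUARANTINE, SEG_RESTRICTED, SEG_FULL = "seg-quarantine", "seg-restricted", "seg-full"
ALLOWED_LOCATIONS = {"hq-campus", "branch-east"}
APPROVED_APPS = {"com.example.mail", "com.example.crm"}


def compliance_violations(attrs: dict) -> list[str]:
    """Apply the compliance rules to the attributes; an empty list means compliant."""
    violations = []
    if attrs.get("jailbroken"):
        violations.append("jailbroken")
    if attrs.get("location") not in ALLOWED_LOCATIONS:
        violations.append("location")
    if attrs.get("app_id") not in APPROVED_APPS:
        violations.append("app")
    return violations


def select_segment(attrs: dict) -> str:
    """Map the compliance result to a segment, defaulting to least privilege."""
    violations = compliance_violations(attrs)
    if "jailbroken" in violations:
        return SEG_QUARANTINE
    return SEG_RESTRICTED if violations else SEG_FULL


@dataclass
class Gateway:
    # Latest attributes per device id, as reported by the management application.
    device_attrs: dict = field(default_factory=dict)

    def update_attributes(self, device_id: str, attrs: dict) -> None:
        self.device_attrs[device_id] = dict(attrs)

    def forward(self, device_id: str, packet: dict) -> tuple[str, dict]:
        """Re-evaluate on every packet, tag the header, return (segment, packet)."""
        attrs = self.device_attrs.get(device_id, {})  # unknown device: no attributes
        segment = select_segment(attrs)
        headers = {**packet.get("headers", {}),
                   "x-device-attrs": ";".join(f"{k}={v}" for k, v in sorted(attrs.items())),
                   "x-segment": segment}
        return segment, {**packet, "headers": headers}
```

A device whose attributes change between packets (claim 7) is re-segmented on its next packet, and a device the management app has never reported lands in the restricted segment rather than the full-access one.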
CPC classification titles: Access security; Virtual private networks; Filtering by address, protocol, port number or service, e.g. IP-address or URL; Filtering by information in the payload; Firewall traversal, e.g. tunnelling or creating pinholes.