Title: FILTERING TLS CONNECTION REQUESTS USING TLS EXTENSION AND FEDERATED TLS TICKETS
Abstract: A system to deliver an application, hosted by a private application provider, over a network to a user device comprising: an application delivery system that includes a frontend network interface that includes at least one first traffic director (FTD) instance; a network security interface that includes a plurality of traffic processing server (TPS) instances; a backend network interface that includes at least one backend traffic director (BTD) instance; and at least one agent that is associated with the application and that is disposed within the private application provider system; wherein a federated TLS ticket is used to filter TLS connection requests received by an FTD instance; and wherein a TLS extension is used to filter TLS connection requests received by a BTD instance.
Publication number: US2016359823(A1)    Publication date: 2016.12.08
Application number: US201514848654    Filing date: 2015.09.09
Applicant: Soha Systems, Inc.    Inventors: Ayyadevara Seetharama Sarma; Choudhary Seemant; Benny Stephan; Tatti Pravin; Kandoi Punit; Verma Rohit; Prasad Venukrishna
Classification: H04L29/06    Main classification: H04L29/06
Agency / Attorney: (none listed)
Main claim: 1. A system to deliver an application, hosted by a private application provider, over a network to a user device comprising:
A. an application delivery system that includes a frontend network interface that includes at least one first traffic director (FTD) instance; a network security interface that includes a plurality of traffic processing server (TPS) instances; a backend network interface that includes at least one backend traffic director (BTD) instance; and
B. at least one agent that is associated with the application and that is disposed within the private application provider system;
C. wherein the at least one FTD instance is configured to receive an encrypted request for access to the application sent over the network and to, in a first mode, send the encrypted request to a TPS instance with priority that is independent of whether the sender of the request is known; in a second mode, determine whether the request includes an outer transaction level security (TLS) ticket encrypted with a second key that includes attribute information indicating that a sender of the request is sufficiently known, wherein determining includes decrypting the outer TLS ticket using the second key; send the encrypted request, including the inner TLS ticket, to a TPS instance with a first priority level in response to a determination that the request includes attribute information indicating that the sender of the request is sufficiently known; and send the encrypted request, including the inner TLS ticket, to a TPS instance with a second priority level in response to a determination that the request does not include attribute information indicating that the sender of the request is sufficiently known, wherein requests in the second priority level have a higher priority level than requests in the first priority level;
D. wherein the TPS instance is configured to, in response to receiving the request sent from the at least one FTD instance, engage in a TLS handshake with a sender of the request that includes producing an inner TLS extension and encrypting the inner TLS extension with a first key that is not shared with the at least one FTD instance; producing an outer TLS extension that includes attribute information indicative of whether the connection is associated with a sufficiently known sender and that includes the inner TLS extension, and encrypting the outer TLS extension with the second key; sending the outer TLS extension over the network to the sender of the request; and decrypting the encrypted request to determine whether the received request is valid, and in response to determining that the request is valid, re-encrypting the request and using a preconfigured connection to send the encrypted, validated request to the at least one agent;
E. wherein the at least one BTD instance is configured to, in response to a request received from the at least one agent to create a preconfigured connection for the application, send the request to a TPS instance;
F. wherein the at least one agent is configured to send one or more requests, to the at least one BTD instance, to create one or more preconfigured connections to associate with the application.
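The main claim's filtering step, modelled as an added example that is not part of the patent record and not the applicant's code: a TPS seals an inner ticket under a key the FTD never holds, wraps it in an outer ticket (sealed under a second, shared key) that carries only a "sender is sufficiently known" attribute, and the FTD opens just the outer layer to choose a priority level before forwarding the inner ticket untouched. The key names, the JSON ticket layout and the toy SHA-256/HMAC sealing routine are assumptions of this example; the priority labels follow the claim's own wording (known sender: first level, unknown or unverifiable: second level).

```python
import hashlib
import hmac
import json
import os

# Toy authenticated encryption (SHA-256 keystream + truncated HMAC tag). It stands
# in for the "encrypting the ticket with a key" steps of the claim and is an
# assumption of this example, not a production cipher.
NONCE_LEN = 12
TAG_LEN = 16


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """nonce || ciphertext || tag, authenticated under `key`."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    return nonce + ct + tag


def open_sealed(key: bytes, blob: bytes):
    """Return the plaintext, or None if the blob was not sealed under this key."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


# Key separation from the claim: the first (inner) key is held by the TPS only;
# the second (outer) key is shared between TPS and FTD. Constructed sample values.
INNER_KEY = hashlib.sha256(b"example-inner-key-tps-only").digest()
OUTER_KEY = hashlib.sha256(b"example-outer-key-shared-with-ftd").digest()


def tps_issue_ticket(session_state: dict, sender_known: bool) -> bytes:
    """TPS side: inner ticket (opaque to the FTD) nested inside an outer ticket
    that exposes only the attribute the FTD needs for filtering."""
    inner = seal(INNER_KEY, json.dumps(session_state).encode())
    outer_payload = {"known": sender_known, "inner": inner.hex()}
    return seal(OUTER_KEY, json.dumps(outer_payload).encode())


def ftd_classify(ticket, mode: str) -> dict:
    """FTD side: pick the priority level at which the request goes to a TPS.

    mode == "first": forward with a priority independent of whether the sender is known.
    mode == "second": open the outer ticket with the shared key and read the attribute.
    A missing, tampered or foreign-key ticket is treated as "not known".
    """
    if mode == "first":
        return {"level": "default", "known": None, "inner": None}
    known, inner_hex = False, None
    payload = open_sealed(OUTER_KEY, ticket) if ticket else None
    if payload is not None:
        try:
            fields = json.loads(payload)
            known = bool(fields.get("known"))
            inner_hex = fields.get("inner")
        except ValueError:
            known, inner_hex = False, None
    return {"level": "first" if known else "second", "known": known, "inner": inner_hex}


def tps_open_inner(inner_hex: str):
    """TPS side: recover the session state from the inner ticket the FTD forwarded."""
    pt = open_sealed(INNER_KEY, bytes.fromhex(inner_hex))
    return None if pt is None else json.loads(pt)


def ftd_cannot_open_inner(inner_hex: str) -> bool:
    """True when the FTD's shared key fails on the inner ticket, as the claim requires."""
    return open_sealed(OUTER_KEY, bytes.fromhex(inner_hex)) is None


if __name__ == "__main__":
    ticket = tps_issue_ticket({"sid": "abc", "app": "payroll"}, sender_known=True)
    decision = ftd_classify(ticket, "second")
    print("FTD decision:", decision["level"], "known:", decision["known"])
    print("FTD can read inner ticket:", not ftd_cannot_open_inner(decision["inner"]))
    print("TPS recovers:", tps_open_inner(decision["inner"]))
```

The point a defender should take from the nesting is that the FTD makes its filtering decision on a single authenticated attribute and never learns the session state, so a compromised or misconfigured frontend cannot forge inner tickets; any outer ticket that fails authentication simply falls into the "not known" path rather than being trusted.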
Address: Sunnyvale CA US