AU2008284338A1 - Methods and apparatus for intermediary device roaming - Google Patents


Info

Publication number
AU2008284338A1
Authority
AU
Australia
Prior art keywords
intermediary device
user
intermediary
requesting user
home
Legal status
Abandoned
Application number
AU2008284338A
Inventor
Brian Gillespie
Helmut Salmen
David Tracey
Current Assignee
SIMtone Corp
Original Assignee
SIMtone Corp

Classifications

    • H ELECTRICITY
      • H04 ELECTRIC COMMUNICATION TECHNIQUE
        • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
          • H04L 63/00 Network architectures or network communication protocols for network security
            • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
              • H04L 63/0884 Network architectures or network communication protocols for network security for authentication of entities by delegation of authentication, e.g. a proxy authenticates an entity to be authenticated on behalf of this entity vis-à-vis an authentication entity
        • H04W WIRELESS COMMUNICATION NETWORKS
          • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
            • H04W 12/06 Authentication
              • H04W 12/062 Pre-authentication
              • H04W 12/068 Authentication using credential vaults, e.g. password manager applications or one time password [OTP] applications
            • H04W 12/08 Access security
              • H04W 12/088 Access security using filters or firewalls

Landscapes

  • Engineering & Computer Science
  • Computer Security & Cryptography
  • Computer Networks & Wireless Communication
  • Signal Processing
  • Computer Hardware Design
  • Computing Systems
  • General Engineering & Computer Science
  • Data Exchanges In Wide-Area Networks
  • Mobile Radio Communication Systems

Description

WO 2009/020623 PCT/US2008/009456

METHODS AND APPARATUS FOR INTERMEDIARY DEVICE ROAMING

RELATED APPLICATIONS

This application claims priority under 35 U.S.C. § 119(e) to U.S. Provisional Application Serial No. 60/964,005 entitled "METHODS AND APPARATUS FOR INTERMEDIARY DEVICE ROAMING," filed on August 8, 2007, which is herein incorporated by reference in its entirety.

FIELD OF THE INVENTION

The present invention relates to remote computing, and more particularly, to receiving services from one or more remote servers.

BACKGROUND OF INVENTION

The flexibility of network computing has changed, in certain respects, the way in which remote access and computing is performed and achieved. In particular, strict notions of location may become increasingly unimportant in a highly networked environment, as information, data, computing power, etc., may be accessible from anywhere via the network. For example, a corporate local area network (LAN) may be available to users who are telecommuting, traveling for business (or pleasure), or otherwise not directly connected to the corporate LAN. The increased proliferation of wireless network technologies, and the ever decreasing cost of hi-speed networks based on these technologies, has accelerated trends towards remote computing solutions.

Users of portable and mobile devices such as laptop personal computers (PC), cellular telephones, personal desktop assistants (PDA), and other portable computing devices may desire access to, and avail themselves of, the vast resources available over a network (e.g., the Internet), including access to the user's corporate LAN and/or one or more other LANs, private networks, etc. A remote user may want to interact with a LAN and enjoy its many services as if the user were locally connected to the LAN (e.g., use services available from a server connected to the LAN, such as email or other applications executing over the network).
However, such remote computing activities involve substantial security risks to the LAN. For example, access to confidential information of the corporate LAN to which the remote user intends to interact may render the LAN vulnerable to loss or dissemination of the confidential information. A private LAN may need to protect itself against unauthorized users' access to data, information and/or services stored on, or provided by, the LAN. Conventional solutions to address security issues inherent in remote access include protecting the LAN behind a firewall. The firewall is configured to provide limited access to the LAN and operates as a gatekeeper to prevent unauthorized users from connecting to, or otherwise accessing the LAN. However, conventional firewall solutions severely restrict the type of access permitted to the LAN, and restrict the type of devices that may access the LAN. In addition, remote access via a firewall is often expensive to implement and complicated to administer and maintain. In addition, conventional firewalls may still leave data and information belonging to the LAN vulnerable to theft, unauthorized and/or accidental modification or deletion, etc.

Individuals who are away from their office often have a continuing need to gain access to their corporate networks. They may need to access files, e-mail, applications and programs that are typically available when the individual is in the office and directly connected to the corporate network. One conventional approach to facilitate remote access is to use laptop personal computers to enable users to access the corporate network to, for example, remotely access their e-mail accounts.
To enable this activity (e.g., to allow users access to services provided behind a firewall), appropriate communications software must be installed on each client laptop PC so that users may remotely access the corporate network to transfer files from/to the network server through a dial-up telephone line (or a broadband connection, such as a digital subscriber line (DSL), T1, cable, etc.). To enable such remote access, all application programs reside and locally execute on the local client laptop PC. While this approach is relatively simple, it necessitates that each and every such software application be installed, configured and then maintained on each laptop PC. Consequently, over time, this approach can become quite expensive, particularly in view of the on-going support costs of the installed software applications, and the relatively short work life of most laptops before upgrade is required. In addition, the above conventional solution requires that the user have with him or her the laptop on which the appropriate software is installed.

Another conventional approach uses a traditional virtual private network (VPN) to provide wide area network (WAN) connectivity from a remote user location to a central corporate LAN. A VPN WAN connection may implement an Open System Interconnection (OSI) layer 2 extension between the LAN and the remote user location. A remote client PC connected through a VPN to a LAN appears as if it is directly connected to the LAN. However, a VPN connection requires expensive VPN termination equipment (or a client-site VPN router) located at each end of the connection, or VPN client software installed and configured at the client machine. In either case, the VPN terminator provides layer 2 packet processing as well as appropriate packet encryption/decryption functionality.
Although either the PC operating system or client based VPN software can mitigate the cost of the VPN terminator, both require considerable packet processing to assemble and disassemble packets, imposing a significant processing burden on the PC. Accordingly, a separate dedicated VPN terminator at the remote user location is often required to support VPN connectivity with required levels of security and reliability without imposing an undue processing load on the client PC itself. Thus, VPN equipment is not only expensive, but tedious to configure and costly to administer and maintain.

In all of the above cases, sensitive corporate data is transferred to the PC/laptop and duplicated between the secure corporate network and the PC/laptop. Once data is downloaded and physically copied, no access or transport security system can prevent unauthorized, uncontrolled distribution and/or misuse of the data. Accordingly, the legitimate data owner is at risk of having confidential information disseminated, or otherwise used without the knowledge and/or permission of the owner.

Still another conventional approach to extending the office environment to remote user locations involves an application service provider (ASP) model requiring the installation of specialized server software on one or more network servers, such as Citrix Corporation's MetaFrame™ software using an independent computing architecture protocol. The network server situated on the LAN functions as an ASP by hosting multiple virtual machines accessible by various different remotely located client PCs. Alternatively, Microsoft Corporation's Windows Terminal Services™ (WTS) using remote desktop protocol (RDP) can be utilized to provide multiple virtual machines. However, both the MetaFrame™ and WTS™ software impose considerable processing loads on the client PC, and are vulnerable to network faults and security breaches, such as "man-in-the-middle" attacks.
Additionally, the ASP based approach provides relatively limited remote execution functionality.
In general, the systems described above were designed and developed, at least in part, to overcome the bandwidth limitations of prior communications networks. Current technological advances have dramatically increased the bandwidth of the communications network. The network bandwidth is increasing faster than microprocessor speed and doubling approximately every nine months, thereby reducing the value of such systems and technologies, effectively rendering them obsolete in some cases. In addition, the above solutions address circumstances where both the client and server are essentially trusted and/or known to one another. For example, in the typical scenario, a network administrator or member of an information technology (IT) group responsible for administering and maintaining the network will install the appropriate software to allow the user to access the particular LAN over which the administrator has control. Conventional approaches do not address the situation where the client is generally unknown or untrusted by the server, the client does not know where the server resides, and/or the client device has been specifically configured to remotely access only a particular LAN.
SUMMARY OF THE INVENTION

Some embodiments of the present invention include a method of facilitating roaming of a requesting user requesting remote access to one or more services over a network, the method comprising receiving, at a first intermediary device, a request from the requesting user, determining, by the first intermediary device, whether the requesting user is registered with the first intermediary device, identifying, by the first intermediary device, a second intermediary device at which the requesting user is registered if the first intermediary device determines that the requesting user is not registered with the first intermediary device, notifying, by the first intermediary device, the second intermediary device of the requesting user, connecting, by the second intermediary device, to a client device used by the requesting user, and determining, by the second intermediary device, whether the requesting user is registered with the second intermediary device.

Some embodiments of the present invention include a roaming enabled intermediary device configured to facilitate connection of a requesting user to a home intermediary device at which the requesting user is registered, the roaming enabled intermediary device comprising at least one database for storing user information that facilitates identifying whether a requesting user is registered with the roaming enabled intermediary device, and for storing intermediary device information identifying at least one other intermediary device with which the roaming enabled intermediary device has a roaming agreement, an identification component configured to determine whether the requesting user is registered with the roaming enabled intermediary device based, at least in part, on the user information, and a roaming component configured to assist in identifying the home intermediary device based, at least in part, on the intermediary device information when it is determined that the requesting user is not registered with the roaming enabled intermediary device, the roaming component further configured to notify the home intermediary device of the requesting user.

Some embodiments of the present invention include a networked computer system configured to facilitate roaming of a requesting user requesting one or more services over a network, the networked computer system comprising at least one client device capable of communicating over the network, at least one server adapted to provide at least one service via the network, and a plurality of intermediary devices coupled to the network, at least one of the plurality of intermediary devices adapted to facilitate establishing a connection between the at least one client device and the at least one server, each of the plurality of intermediary devices configured to determine whether the requesting user contacting the respective intermediary device via the at least one client device is registered with the respective intermediary device, and further configured to notify one of the plurality of intermediary devices identified as a home intermediary device at which the user is registered when the respective intermediary device determines that the requesting user is not registered with the respective intermediary device.

BRIEF DESCRIPTION OF THE DRAWINGS

FIGS. 1A-1F illustrate a system architecture for providing remote access of services over a network on which roaming operations may be implemented, in accordance with some embodiments of the present invention; FIG. 2 illustrates a system architecture for providing remote access of services over a network on which roaming operations may be implemented, in accordance with some embodiments of the present invention; FIG. 3 illustrates a method of roaming between a visited intermediary device and a home intermediary device, in accordance with some embodiments of the present invention; and FIG. 4 illustrates a system and method for network operating center (NOC) roaming, in accordance with some embodiments of the present invention.

DETAILED DESCRIPTION

As discussed above, conventional approaches to providing a remote device with access to services from a local area network and/or one or more remote servers connected to a network have drawbacks associated with costs in hardware and software, complexity and cost in administering and maintaining the system, relatively heavy computing burdens on the remote device, limitations on the type of devices that can be serviced, and/or vulnerability to various security threats. Some of these drawbacks derive from the fact that conventional solutions were designed to address network bandwidth limitations which have been loosened or eliminated by modern high-speed networks.

In view of the shortcomings of the prior systems and networks, it may be desirable to provide systems and methods for enabling a user to securely access remote services, including desktop services, software applications, email, data files, etc., from anywhere on a network as if the user was directly connected to the LAN (e.g., connected inside a firewall protecting the LAN), without compromising security or investing in substantial new hardware/software infrastructure. Conventional approaches to remote access may be limited, for example, by allowing access only via client devices having the appropriate (and usually extensive) software platform installed and configured to operate with a particular LAN (e.g., the user's corporate LAN).
Thus, conventional solutions fail to provide a remote access solution for situations in which the client is generally unknown or untrusted by the server, the client does not know where the server resides, and/or the client device has not been specifically configured to remotely access a particular LAN or server providing the desired service.

Applicant has developed a remote access solution using an intermediate computer, referred to herein as an intermediary device, to facilitate connection between a client and a server even under one or more of the above conditions. The term "intermediary device" refers herein to any device accessible over a network capable of assisting in the establishment of a connection between a client and a server. Typically, both the client and the server are registered with the intermediary device such that the intermediary device is trusted by both parties, although this is not a limitation on the aspects of the invention. In some embodiments, the intermediary device may be responsible for authenticating the client before proceeding to assist in connecting the client with the server.

Several embodiments of a network architecture employing an intermediary device are described in United States Patent No. 7,363,363, entitled "System and Method for Provisioning Universal Stateless Digital and Computing Services," filed on December 23, 2002, United States Patent Application Serial No. 10/328,660, 11/104,982 ('982), entitled "System and Method for Automatically Initiating and Dynamically Establishing Secure Internet Connections Between a Fire-walled Server and a Fire-walled Client," filed on April 12, 2005, and United States Patent Application Serial No. 60/876,358 ('358), entitled "Service Chaining Methods and Apparatus," filed on December 21, 2006, each of which is herein incorporated by reference in their entirety.
The network operating centers, network switching centers, and trusted intermediary devices described in the above incorporated references are examples of devices that operate as intermediary devices, in accordance with some embodiments of the present invention.

Although the architectures described in the above incorporated references that use an intermediary device may solve a number of outstanding difficulties with remote service access, Applicant has recognized that for a user to remotely access services using the intermediary device, the client device must be connected to the particular intermediary device at which the user is registered. This may be particularly limiting in view of the increased mobility, ubiquity and general flexibility of modern network environments. Applicant has recognized that users may be enabled to remotely access services from any location and from any device if a user could contact an intermediary device at which the user is not registered (referred to herein as a visited intermediary device) and be connected to an intermediary device at which the user is registered (referred to as a home intermediary device), a process referred to herein as "roaming."

The term "registration" or being "registered" when applied to a user and an intermediary device refers herein to the situation wherein a user is known to or identifiable by the intermediary device and the intermediary device is aware of and capable of authenticating the user. A registration does not necessarily mean that payment is being made for the service, but does include such situations.
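The visited/home split just defined, as a constructed Python simulation added here (it is not code from the patent or from SIMtone). The device names, the `user@realm` identifier convention used to pick a home device, the partner table standing in for the roaming-agreement database, and the audit log are all assumptions of this example; the home device re-checks registration itself, as the summary above requires, and ignores notifications from devices it has no agreement with.

```python
from dataclasses import dataclass, field

# Constructed simulation of the roaming flow. Names and message shapes are
# assumptions made for this example; the patent does not name them. Transport
# security between the devices is out of scope here.


@dataclass
class Request:
    user_id: str      # identifier presented by the requesting user, e.g. "alice@home-a"
    client_addr: str  # network address of the client device currently in use


@dataclass
class IntermediaryDevice:
    name: str
    registered_users: set = field(default_factory=set)
    # Roaming agreements: realm -> partner device. This plays the role of the
    # "intermediary device information" the description stores in a database.
    partners: dict = field(default_factory=dict)
    log: list = field(default_factory=list)  # per-device audit trail

    def is_registered(self, user_id):
        return user_id in self.registered_users

    def handle_request(self, req):
        """Entry point at whichever device the client happens to contact."""
        if self.is_registered(req.user_id):
            self.log.append(("local", req.user_id))
            return ("served", self.name)
        home = self.find_home(req.user_id)
        if home is None:
            self.log.append(("denied-no-home", req.user_id))
            return ("denied", None)
        self.log.append(("forwarded", req.user_id, home.name))
        return home.accept_roaming_notification(self, req)

    def find_home(self, user_id):
        # Assumption: the realm suffix names the home device, and only a
        # device covered by a roaming agreement is ever contacted.
        _, sep, realm = user_id.partition("@")
        return self.partners.get(realm) if sep else None

    def accept_roaming_notification(self, visited, req):
        """Home-side handling: connect to the client and re-check registration."""
        # Only devices this one has an agreement with may notify it.
        if visited.name not in {p.name for p in self.partners.values()}:
            self.log.append(("rejected-notification", visited.name))
            return ("denied", None)
        # The visited device's claim is not enough; the home device decides.
        if not self.is_registered(req.user_id):
            self.log.append(("denied-not-registered", req.user_id))
            return ("denied", None)
        self.log.append(("connected", req.user_id, req.client_addr))
        return ("served", self.name)


def build_demo_network():
    """Constructed topology: a visited device with one mutual and one one-sided agreement."""
    home_a = IntermediaryDevice("home-a", {"alice@home-a"})
    home_b = IntermediaryDevice("home-b", {"bob@home-b"})
    visited = IntermediaryDevice("visited", {"carol@visited"})
    visited.partners["home-a"] = home_a
    home_a.partners["visited"] = visited     # mutual agreement
    visited.partners["home-b"] = home_b      # one-sided: home-b never agreed
    return visited, home_a, home_b
```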
Applicant has developed a modification to the intermediary device architecture to permit roaming, which in turn allows a user to remotely access services from kiosk locations, computers provided in corporate or hotel lobbies, or from any appropriate client device currently available to a user seeking access to digital services, wherein the client device is not connected to the user's home intermediary device. The architecture described in the foregoing incorporated references provides a platform on which roaming techniques may be implemented to facilitate remote access to network services via an intermediary device at which the user is not registered. Accordingly, a more universal and flexible solution to remote access may be provided.

In some embodiments, a plurality of intermediary devices are provided that are adapted to facilitate establishing a connection between client devices through which a user may be requesting one or more services, and the respective servers providing the requested services. Each of the plurality of intermediary devices may be further adapted to locate and notify another intermediary device at which the requesting user is registered when it is determined that the requesting user does not have a registration with the particular intermediary device connected to the client device through which the requesting user is attempting to access the service.

Following below are more detailed descriptions of various concepts related to, and embodiments of, methods and apparatus according to the present invention. It should be appreciated that various aspects of the invention described herein may be implemented in any of numerous ways. Examples of specific implementations are provided herein for illustrative purposes only.
In particular, any of various network implementations and configurations using any of various networks, network protocols, etc., may be used, as the aspects of the invention are not limited to any particular type of network, network configurations, and/or network devices.

FIGS. 1A-1F illustrate a network architecture for facilitating the provision of one or more services to a client device on which various roaming techniques may be implemented, in accordance with some embodiments of the present invention. As shown in FIG. 1A, system 100 includes a server 110 connected to a network 150 (e.g., the Internet). Network 150 may be a combination of networks of different types, such as one or more local area networks (LANs), wide area networks (WANs), private networks, etc. In general, network 150 includes at least one network that allows arbitrary and perhaps untrusted devices to communicate, although this is not a limitation on the aspects of the invention.

System 100 also includes a client device 120 connected to network 150 via a wireless link, or via a hardwired connection. For example, device 120 may communicate with network 150 via one or more wireless access points that wirelessly connect the client device to network 150. Alternatively, the client device 120 may be connected to the network using a wired connection. For example, client device 120 may be a laptop computer connected to the network via a home office network connection, or some other location offering a wired network port. In addition, the client device may be connected to the network via any combination of wired and wireless connection technology. The client device 120 and/or a user of client device 120 may be unknown to and untrusted by server 110. However, this is not a limitation on the aspects of the invention, as client device 120 and/or the user of client device 120 may be either known, trusted or both.
For example, server 110 may be located on the corporate LAN of the user attempting to access the corporate LAN from a remote location using client device 120. In such a scenario, the client device 120 and the user of client device 120 may be generally known and trusted by server 110, but server 110 may have limited ability to ascertain the authenticity of either the client device when it is connected to the network from outside the corporate LAN, or the user of the client device. For example, absent relatively expensive software specifically set up and configured to operate with a specific client and server, there may be no way to identify that a user is indeed authorized access to particular services. In addition, client device may not be able to connect to server 110 because the server is protected by a firewall, or client device may not know the location of server 110 on the network.

System 100 also includes an intermediary device 130, which is connected to network 150 to facilitate establishing a communication link between client device 120 and server 110. The server and/or the intermediary device may also be connected to network 150 via a wireless link, a wired link, any combination of wireless and wired links, or any type of suitable network connections.

As discussed above, network 150 may be comprised of a plurality of networks of any type and configuration. For example, network 150 may include numerous networks, with each network being identified by a network identifier portion of the network addresses issued by the various network devices connected to the network. Network 150 may include one or more private networks, LANs, WANs, the Internet, etc., as the aspects of the invention are not limited in this respect. Network 150 may include one or more cooperating routers that direct network traffic between different networks, facilitating roaming by client devices connected to the network.
In general, network 150 signifies any collection of one or more networks that are capable of communicating with each other, and is not limited to any type, configuration or number of networks.

Intermediary device 130 may be known to and trusted by server 110 and may have a trusted link established with the server by which the intermediary device can communicate information to the server. For example, the server may be connected to the intermediary device via a Transport Control Protocol (TCP) connection or in the Secure Sockets Layer (SSL). As shown in FIG. 1B, server 110 may initiate and establish a communication link with intermediary device 130. Alternatively, intermediary device 130 can initiate the link. However, by having the server initiate the process, server 110 can have greater control over the process to ensure that intermediary device 130 is trusted. Server 110 may perform any type of security measure or authentication procedure it would like to satisfy itself of the intermediary device's authenticity and trustworthiness.

Similarly, intermediary device 130 may be generally known and trusted by client device 120. Client device 120 may be configured to connect to and interact with intermediary device 130 when it desires communication with server 110, for example, to access one or more services provided by server 110. To facilitate this action, intermediary device 130 may broker a connection between client device 120 and server 110. It should be appreciated that intermediary device 130 may be connected to multiple servers and multiple client devices to operate as a general intermediary device between any number of trusted and/or untrusted client device/server pairs, as the aspects of the invention are not limited in this respect.
As a general matter, intermediary device is configured to assist connecting client device 120 with server 110 such that server 110 can provide one or more services to client device 120, as discussed in further detail below.

As shown in FIG. 1C, the client device may connect to intermediary device 130 via a network connection 117 (e.g., an encrypted connection such as SSL, or any other type of connection). When the client device connects with intermediary device 130, a temporary identity for the client device may be established for the purposes of authentication. The temporary identity may be comprised of a secret identifier (ID) and a unique network identity (e.g., the client device's IP address). The temporary identity may be comprised of different or additional identifiers that serve to securely identify the client device, as the aspects of the invention are not limited in this respect. That is, the intermediary device may use any of various authentication schemes that can uniquely identify the client device and that facilitate prevention of malicious devices spoofing the identity of the client device (e.g., to prevent a bad actor from representing itself to be the authorized client device to gain access to one or more services and/or to obtain data and/or other confidential information).

Intermediary device 130 obtains the network address of the client device used to establish the connection, and generates secret ID 127 to form a unique identifier for the session established for the client device. For example, the intermediary device may generate a random number as the secret ID. In some embodiments, the secret ID is generated randomly and independent of any known or knowable attributes associated with either the intermediary device or the client device to ensure that the secret ID cannot be easily guessed by a malicious attacker attempting to spoof the identity of the client device.
For example, the intermediary device may generate a random integer value of at least 128 bits, wherein the integer value is unrelated to the IP address, hardware address, geographical location, etc., of the intermediary device or the client device. The secret ID and the network ID may together operate as proof, to the intermediary device, of the client device's identity and authenticity throughout a session established between the client device and the intermediary device.

As shown in FIG. 1D, intermediary device 130 may forward secret ID 127 over the link established between the client device and the intermediary device. The intermediary device and the client device may be the only entities in possession of the secret ID, which is retained by both for authentication until the client device restarts, reboots or otherwise undergoes an operation causing the secret ID to expire. That is, the secret ID may be used throughout a session to obviate the need to re-authenticate the user each time a service is requested, and to ensure that no other user/device can spoof the user/device identity of the currently authenticated user/device. While the network address and secret ID operate as the authentication mechanism in system 100, any method of authentication that securely identifies the client device may be used, as the aspects of the invention are not limited in this respect.

In FIG. 1E, intermediary device 130 notifies server 110 that client device 120 would like to connect with the server to access one or more services. The notification from intermediary device 130 may include the network address of the client device 120, and may include any additional information needed and/or desired by server 110 (e.g., one or more services that the client device is requesting, various capabilities of the requesting client device, authentication information, etc.).
The server 110 may then initiate and establish a communication link with the client device using the information (e.g., the network address) supplied to it by intermediary device 130, as shown in FIG. 1F. The server may then provide the requested service to client device 120.

It should be appreciated that once the connection between server 110 and client device 120 is established, the intermediary device may no longer need to be involved in subsequent communication over the established link between the server and the client device. That is, the communication path through the untrusted network may not include intermediary device 130. Thus, the intermediary device operates as an intermediary device to establish the connection, but may not be involved during the resulting communication over the connection. As such, network packets sent between client device 120 and server 110 may not be routed through intermediary device 130 as they are in various tunneling/forwarding techniques.

After the connection is established, server 110 provides the indicated or selected service to client device 120. For example, server 110 may provide a desktop service, or provide access to e-mail or other applications local to the server. Media such as a movie may be provided and watched via a display device, or music listened to on a music player. Any service may be provided, as the aspects of the invention are not limited in this respect. It should be appreciated that one or more services may be provided according to any of the methods described in the references incorporated in the foregoing to facilitate flexible and secure remote access (without requiring extensive software to be installed on the client and server, or requiring substantial change to the network infrastructure), even in situations where the server and client are unknown to and/or untrusted by one another.
However, a user would be unable to remotely access the one or more services provided by server 110 if the user is not registered with the intermediary device. For example, assume that client device 120 is provided in the lobby of a hotel and the user is a guest that would like to access one or more services, e.g., one or more services provided by the user's corporate LAN, or client device 120 may be a friend's cellular phone through which the user would like to remotely access one or more services. Upon connection, intermediary device 130 may provide an authentication service configured to obtain authentication information from the user. Because the user is not registered with intermediary device 130, access will be denied and the remote services will be unavailable to the user. The requirement that a user connect first to the home intermediary device may limit the flexibility of providing secure remote access from any location and/or device.
Applicant has developed methods and apparatus that permit a user connected to an intermediary device at which the user is not registered (referred to herein as a "visited intermediary device") to access an intermediary device where the user is registered (referred to herein as a "home intermediary device"). In particular, the visited intermediary device may operate as a pass-through to the home intermediary device such that the user may access available services as if the user had first connected to his/her home intermediary device. Thus, any available device that is registered with at least one intermediary device may be used by the user to access the user's home intermediary device.

FIG. 2 illustrates a networked computer system capable of performing one or more roaming operations between a visited and a home intermediary device to facilitate remote access to one or more services, in accordance with some embodiments of the present invention. The networked computer system includes a network 250 over which various devices in the system may communicate. As with network 150 illustrated in FIG. 1, network 250 may be a collection of multiple networks such as the Internet, one or more private networks, one or more LANs, WANs, etc. A user 200 may be registered with home intermediary device 230a. In particular, home intermediary device 230a may store information about user 200 to facilitate authenticating user 200 and setting up connections with one or more servers 210 so that user 200 may remotely access associated services to which the user subscribes. The home intermediary device may also store information such as available services, default services and/or other information pertinent to the user and/or the user's registration, as discussed in further detail below.
In a typical scenario, the requesting user (i.e., the user requesting a service or otherwise connecting to an intermediary device) may be connected to the network via client device 220a, or perhaps client device 220b. For example, client device 220a may be the user's laptop device through which the user may remotely access services provided by one or more servers 210 according to the user's registration and the services to which the user subscribes. Client device 220b may be a stateless network appliance (SNAP) that the user may use to access one or more services. Client device 220a or 220b may be configured to establish a connection with home intermediary device 230a, e.g., automatically on start-up or upon indication from user 200 that he/she would like to access one or more services over the network (e.g., access email, order and watch a video, play music, etc.). Client device 220a or 220b may access the intermediary device either over a LAN 240a (or some other private network/connection) or via network 250 (e.g., the Internet). Since user 200 has a registration with home intermediary device 230a, upon presenting the appropriate identification information (e.g., smart card, login/password), user 200 will be authenticated and one or more selected services provided to the user, for example, as described above in connection with FIG. 1.

In other circumstances, however, user 200 may connect to the network via a different client device (e.g., client device 220c). For example, client device 220c may be a hotel computer, a friend's computer, cellular phone or PDA, a computer located at an internet café, a SNAP provided at a kiosk location, a television in a hotel room, etc. Client device 220c may be configured to connect with visited intermediary device 230b either automatically or upon indication by a user of a desire to access a remotely offered service.
When user 200 provides identification information to intermediary device 230b, the intermediary device will determine that user 200 is not registered with intermediary device 230b and will therefore not authenticate the user. Conventionally, the user would be unable to access the desired service(s).

According to some embodiments, intermediary device 230b may be configured to initiate a roaming operation to determine whether user 200 is registered with another intermediary device for which the visited intermediary device may avail itself as a pass-through so that user 200 can be authenticated by the user's home intermediary device. That is, the visited intermediary device may attempt to locate the user's home intermediary device so that services normally available to user 200 via a device connected to the home intermediary device may be accessed. The roaming operation may be performed in a number of ways, some implementations of which are discussed in the embodiments described herein.

FIG. 3 illustrates a method of intermediary device roaming, in accordance with some embodiments of the present invention. The method illustrated in FIG. 3 may be applied in circumstances when a user connects to a visited intermediary device via a client device. In act 310, the visited intermediary device obtains identification information from the user. The process by which identification information is obtained, and the type of identification information, may depend on the intermediary device and the client device through which the user is accessing the intermediary device. For example, the intermediary device may present a login screen to the user via the client device and require the user to enter a login/password combination as identification. Alternatively, the client device may include a smart card reader and the user may present a smart card for reading as identification.
Other methods of identification may be used, as the aspects of the invention are not limited in this respect. For example, the client device may include a radio frequency identification (RFID) reader that can read an RFID tag associated with and capable of identifying the user.

In act 315, the visited intermediary device determines whether the user is registered with the visited intermediary device. For example, the visited intermediary device may use the obtained identification information to index a database storing registration information and search for a match. If the visited intermediary device determines that the user is registered, the visited intermediary device may finish authenticating the user (act 340) and begin to process the service request of the user (act 350), for example, in a way similar to the process discussed above in connection with FIG. 1 (e.g., initiate a default service, contact an appropriate server, etc.). If the user is not registered with the visited intermediary device, the visited intermediary device may attempt to determine the home intermediary device of the user (i.e., an intermediary device at which the user is registered) as illustrated by act 320.

The visited intermediary device may attempt to determine the user's home intermediary device in a variety of ways. For example, the visited intermediary device may present a screen via the client device requesting that the user provide information about the user's home intermediary device. Alternatively, the visited intermediary device may present a list, via the client device, showing all of the intermediary devices with which the visited intermediary device has a roaming agreement and request that the user select his/her home intermediary device.
A roaming agreement may be nothing more than the presence of the home intermediary device's identification in the visited intermediary device's database, or may be a more formal agreement including how the intermediary devices should communicate and/or any other information pertaining to the intermediary devices, such as billing information. In instances in which the user is identified/authenticated via a smart card (or other generally automatic technique), the user's home intermediary device may be stored on the smart card and determined by the visited intermediary device with little or no input from the user.

Once a home intermediary device with which the visited intermediary device has a roaming agreement has been identified, the visited intermediary device may notify the home intermediary device that a user would like to connect (act 330). The visited intermediary device may, for example, provide the identification information obtained in act 310 to the home intermediary device. Alternatively, the visited intermediary device may request that the home intermediary device connect with the user and provide its own authentication service, thus obviating the need to transmit user identification information between the two intermediary devices. For example, the visited intermediary device may invoke a service chaining request as discussed in the '358 application. The transfer of control from the visited intermediary device to the home intermediary device may be initiated in other ways as well, as the aspects of the invention are not limited in this respect.

The home intermediary device may then use the identification information, however obtained, to determine if indeed the user is registered with the home intermediary device (act 335). If the user is registered, the home intermediary device may complete authentication of the user and begin processing any user requests.
For example, the home intermediary device may present the user with a service selection screen that allows the user to select one or more services to be provided, or may otherwise begin processing requests from the user (e.g., brokering connections between one or more available servers, initiating a default service, etc.). If the user is not registered, the home intermediary device may report this event to the visited intermediary device, may refuse connection to the user, or otherwise indicate that the user cannot be authenticated and therefore cannot access services. The visited intermediary device may attempt to establish a different home intermediary device for the user, may terminate the connection with the user, or handle the failed attempt in any other suitable manner.

It should be appreciated that the visited intermediary device operates substantially as a pass-through. That is, the visited intermediary device need not know anything about the user once it is determined that the user is not registered with the visited intermediary device. The visited intermediary device need only operate to connect the user to the home intermediary device. Thereafter, the home intermediary device may manage the session and broker subsequent connections with servers providing services requested by the user. As a result, no user information stored by the home intermediary device need be transferred outside of the home intermediary device. The benefits of eliminating any need to transfer user information include confidentiality, security and avoiding situations wherein copied information becomes stale or otherwise invalid.

In some embodiments, the transfer of control from the visited intermediary device to the home intermediary device may be performed using the service chaining protocol described in the '358 application.
For example, the visited intermediary device's authentication service may chain to the home intermediary device's authentication service which then proceeds to authenticate the user as if the user had first connected with the home intermediary device.
However, the visited intermediary device may notify and connect with the home intermediary device in other ways (e.g., without service chaining), as the aspects of the invention are not limited in this respect.

Intermediary device roaming allows users to avail themselves of the services provided via their home intermediary device without tying the user to a particular computing device, or limited set of computing devices. Thus, a more flexible and location-independent network solution may be provided using various roaming techniques. Certain aspects of the invention may facilitate a more robust and secure platform for users to access services remotely. Trends in network computing may benefit from the ability of a user to, for example, order and watch a movie on a hotel TV, select and listen to music on a friend's music player, check email and/or access business services provided behind a corporate LAN from kiosks, hotel lobbies, or using any other offsite computing device proximate the user, thus obviating the need for the user to always have the appropriate client device handy and accessible, or the need to have a particular client device at all.

FIG. 4 illustrates a system capable of assisting a requesting user in roaming from a visited intermediary device to a home intermediary device, in accordance with some embodiments of the present invention. In the embodiment illustrated in FIG. 4, the intermediary devices are referred to as network operating centers (NOCs). A NOC may be purely an intermediary device or may include other features that add value to the process of connecting users to remote servers. For example, the NOC may include any of the features, components and/or services described in the incorporated references. The system includes a home NOC 430a at which a user 400 is registered, and a visited NOC 430b at which user 400 is connected via client device 420.
Each of NOCs 430a and 430b may include a database 432, a network switching center (NSC) 435, and an authentication service 438 which together assist in enabling NOC roaming and in establishing connections for client devices endeavoring to remotely access services provided by one or more servers.

In FIG. 4, the NOCs are illustrated as having generally the same components, each corresponding component having the same reference numeral followed by an "a" for home NOC components and a "b" for visited NOC components. In the following description, the functions of the components are described without the letter label to indicate that the operation may be generic to both the visited and home NOCs. When operations specific to either the home NOC or the visited NOC are described, the letter labels are used to specify which NOC is being referred to. However, the individual NOCs may include different components and operate in manners different from each other, as the aspects of the invention are not limited in this respect.

Database 432 may include one or more databases of any type to store information about any one or combination of current registered users, registered servers, which services each user subscribes to, NOCs with which the specific NOC has roaming agreements, etc. For example, database 432 may include one or more relational or object-oriented databases. Database 432 may store information about the one or more client devices for which the NOC may act as an intermediary device to establish connections with a server, and to generally facilitate the process of establishing a secure end-to-end connection between client and server over which requested services may be provided.
Database 432 may include a registration table to store, in association, a user's identification information, information relevant to a service session such as available services (e.g., services to which the user has subscribed or that are available by default), device parameters, etc., as described in further detail below.

The NSC 430 may include various modules that facilitate brokering a connection for remote service access. For example, NSC 435 may include a client manager (CLM) 436 adapted to communicate with registered users and to administer and maintain sessions with the registered users. CLM 436 may be coupled to database 432 to obtain information and update the database with respect to current sessions with registered users. CLM 436 may be one or more software components or modules programmed to perform various operations on the client side to facilitate access to one or more services remotely. In some embodiments, CLM 436 operates similar to the CLMs described in the '358 application, although this is not a limitation on the aspects of the invention. CLM 436 may be configured to assist in NOC roaming, as described in further detail below.

NSC 430 may also include a service center manager (SCCM) 434 adapted to communicate with the servers providing services (also referred to herein as service centers) to administer and maintain sessions with the service centers. SCCM 434 may be coupled to database 432 to obtain information about available services/service centers registered with NSC 430 and update the database with respect to current services being provided. SCCM 434 may be one or more software components or modules programmed to perform various operations on the server side to facilitate providing access to one or more services provided by various servers or service centers.
The SCCM may perform similar functions as the SCCMs described in the '358 application, although this is not a limitation on the aspects of the invention. In addition, the SCCM may also be configured to assist in NOC roaming, as discussed in further detail below.

Together, the CLM 436 operating on the client side, and the SCCM 434 operating on the service center side, operate to establish an initial connection between a client and a service center and perform various other operations to facilitate the provision of services to the subscriber over a network, and to assist in allowing a user to roam between a visited and a home NOC. It should be appreciated that the configuration of components of the NOC (e.g., the CLM, SCCM, etc.) illustrates one exemplary architecture suitable for providing NOC roaming. However, other configurations of components, modules, etc. may be used, as the aspects of the invention are not limited in this respect.

A roaming agreement between visited NOC 430b and home NOC 430a may include any information that facilitates NOC roaming. For example, the roaming agreement may include a secure connection to allow the CLM of one of the NOCs to communicate with the SCCM of the other NOC (e.g., a secure connection between CLM 436b and SCCM 434a). The roaming agreement may also allow credentials to be provided between the visited CLM and the home SCCM, or vice-versa. The roaming agreement may also provide for entries in the visited NOC's database to allow the visited NOC to service chain to the authentication service of the home NOC. The roaming agreement may include information related to the format of and means to exchange subscriber usage information, billing information and/or details of the services users are allowed to access when roaming.
The above components of a roaming agreement are merely exemplary and need not be present in any particular roaming agreement, as the aspects of the invention are not limited in this respect.

When user 400 makes a service request (e.g., by connecting to visited NOC 430b via client device 420 as indicated by arrow 1), CLM 436b may process the request and, in response, may initiate the NOC's authentication service 438b (e.g., as indicated by arrow 2). The authentication service may be configured to present the client device with an authentication process appropriate for the type of authentication or login information the authentication service is expecting or requires for the particular client device (e.g., as indicated by arrow 3). For example, if authentication is performed using a username/password pair, the authentication service may provide the client device with a login display requesting the user to input the appropriate username/password combination. If authentication is performed via information stored on a smart card (e.g., a SIM number), then authentication may occur generally transparently to the user, as the identification information may be automatically obtained from the smart card, RFID tag, etc.

In any event, the identification information received by NOC 430b by whatever means may be used by the authentication service to index the registration table to determine whether user 400 is registered with the NOC (e.g., as indicated by arrow 4). If the user is registered, then SCCM 434 may begin processing the user's service request (e.g., initiating a default service, contacting the appropriate service center to provide a selected service, etc.). However, if the user is not registered, then CLM 436b may initiate a process in an attempt to locate the user's home NOC to facilitate NOC roaming.
For example, CLM 436b may initiate a process (e.g., a NOC roaming service provided by the visited NOC) that displays all of the NOCs that the visited NOC has a roaming agreement with so that the user may select his/her home NOC. Alternatively, CLM 436b may initiate a process that presents a user interface that requests the user to input his/her home NOC or information to facilitate identifying the home NOC. In other instances, the user's home NOC may be identified with the information provided by the smart card, RFID tag, etc.

After CLM 436b has received information identifying the user's home NOC, by whatever means, the CLM may contact the identified home NOC to initiate the roaming process. For example, CLM 436b may contact NSC 435a of home NOC 430a to indicate that user 400 has identified the NOC as the user's home NOC and would like to request one or more services. In FIG. 4, CLM 436b connects with SCCM 434a to initiate the NOC roaming process (e.g., as indicated by arrow 5). However, CLM 436b (or some other component of the visited NOC) may contact/connect with any component of the home NOC, as the aspects of the invention are not limited in this respect. SCCM 434a may then initiate authentication service 438a at the home NOC so that user 400, alleged to be registered with the home NOC, may be authenticated (e.g., as indicated by arrow 6). Authentication service 438a may then connect to client device 410 to authenticate the user (as indicated by arrow 7). As with authentication service 438b in the visited NOC, authentication service 438a may perform any action consistent with obtaining the type(s) of information expected in identification and authentication of the user (e.g., present a login/password screen, read information from a smart card, RFID tag, etc.), and may access database 432a to index the registration table (e.g., as indicated by arrow 8).
In the event that authentication service 438a determines that user 400 is not a registered user, authentication service 438a may terminate the service and disconnect from the client device. The visited NOC may be notified that user 400 is not registered with home NOC 430a. The visited NOC may then proceed in an attempt to locate a different NOC at which the user is a subscriber, or otherwise indicate that the user is not authorized at the selected home NOC.

Should authentication service 438a determine that user 400 is a subscriber, the home NOC may begin to process the user's service request(s). For example, authentication service 438a may service chain to the default service for the user as stored in the user profile in database 432 (e.g., a Windows desktop service provided by a server available at the user's corporate LAN, a selection service that provides a list of available services, etc.). In this manner, user 400 may access services remotely as if the user had first connected to the user's home NOC. Indeed, the user may effectively be transferred to the home NOC.

It should be appreciated that in some embodiments, the visited NOC does not operate as a proxy for the home NOC, but rather as an intermediary device to the home NOC. That is, the visited NOC does not manage the session on behalf of the home NOC, but rather facilitates connection between the client device being used by the user and the services registered with the home NOC so that the home NOC can manage the session. One benefit of this architecture is that information about the user stored at the home NOC does not need to be transferred, exchanged or otherwise communicated to and/or duplicated at the visited NOC. Thus, user information remains secure.
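The inter-NOC side of the exchange above (arrow 5, CLM 436b notifying SCCM 434a) as an added example that is not from the patent or from SIMtone. The description says a roaming agreement may include a secure connection between the visited CLM and the home SCCM and credentials exchanged between them, but does not fix a mechanism; this example fills that in with one concrete choice, a shared credential provisioned per agreement and an HMAC-SHA256 over the notification, with a fresh nonce so a captured notification cannot be replayed to the home NOC. The home SCCM accepts only from a NOC in its own agreement table and, on acceptance, hands off to its authentication service, which contacts the client itself; the notification carries the client's network address and nothing about the user. The NOC identifiers, message layout and client addresses are constructed assumptions.

```python
"""Roaming-agreement credential check between the visited NOC's CLM and the
home NOC's SCCM (arrow 5 in FIG. 4). Added example, not the patent's or
SIMtone's code: the message layout, the HMAC credential and the replay
nonce are assumptions about what the agreement's "credentials" could be."""
from __future__ import annotations

import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class RoamingAgreement:
    partner_noc: str
    shared_credential: bytes   # provisioned out of band when the agreement is made


def notification_mac(credential: bytes, body: dict) -> str:
    """MAC over a canonical encoding so both NOCs compute it identically."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(credential, canonical, hashlib.sha256).hexdigest()


class VisitedCLM:
    """CLM 436b: tells the home NOC that a user wants to roam in (arrow 5)."""

    def __init__(self, noc_id: str, agreements: dict[str, RoamingAgreement]) -> None:
        self.noc_id = noc_id
        self.agreements = agreements     # roaming-agreement entries in database 432b

    def roaming_notification(self, home_noc: str, client_address: str) -> dict | None:
        agreement = self.agreements.get(home_noc)
        if agreement is None:
            return None                  # no agreement with that NOC: nothing can be sent
        body = {"visited_noc": self.noc_id, "home_noc": home_noc,
                "client_address": client_address,   # what the home NOC needs for arrow 7
                "nonce": secrets.token_hex(16)}     # fresh per notification
        return {**body, "mac": notification_mac(agreement.shared_credential, body)}


class HomeSCCM:
    """SCCM 434a: accepts a notification only from a NOC it has an agreement with."""

    def __init__(self, noc_id: str, agreements: dict[str, RoamingAgreement]) -> None:
        self.noc_id = noc_id
        self.agreements = agreements     # roaming-agreement entries in database 432a
        self._seen_nonces: set[str] = set()

    def accept_roaming_notification(self, msg: dict) -> dict:
        agreement = self.agreements.get(msg.get("visited_noc", ""))
        if agreement is None:
            return {"status": "rejected", "reason": "no roaming agreement with sender"}
        if msg.get("home_noc") != self.noc_id:
            return {"status": "rejected", "reason": "notification addressed to another NOC"}
        body = {k: v for k, v in msg.items() if k != "mac"}
        expected = notification_mac(agreement.shared_credential, body)
        if not hmac.compare_digest(expected, str(msg.get("mac", ""))):
            return {"status": "rejected", "reason": "bad credential"}
        if body["nonce"] in self._seen_nonces:
            return {"status": "rejected", "reason": "replayed notification"}
        self._seen_nonces.add(body["nonce"])
        # Arrows 6-7: start authentication service 438a, which connects to the
        # client itself; the visited NOC never receives the user's record.
        return {"status": "accepted", "next": "start_authentication_service",
                "client_address": body["client_address"]}
```

Because the MAC covers the client address, a notification altered in transit to point the home NOC at a different client is rejected, and because the credential is per agreement, a NOC that the home NOC has no agreement with cannot produce an acceptable notification at all. In practice the nonce set would be bounded (e.g. by a timestamp window) and the connection itself would additionally run over TLS.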
In addition, because user information is not exchanged, there is no need to propagate new information (e.g., changes in user information, subscription, additional available services, change in the default service, etc.) to a visited NOC, and this ensures that there is no opportunity for information to become stale since only one local copy exists and needs to be maintained (i.e., the local copy stored and maintained at the home NOC). Moreover, NOCs need not be configured to "host" a user that is not a registered user, and therefore do not require the added complexity needed were visited NOCs configured to operate as a proxy NOC rather than a pass-through intermediary device.

The above-described embodiments of the present invention can be implemented in any of numerous ways. For example, the embodiments may be implemented using hardware, software or a combination thereof. When implemented in software, the software code can be executed on any suitable processor or collection of processors, whether provided in a single computer or distributed among multiple computers.

It should be appreciated that any component or collection of components that perform the functions described above can be generically considered as one or more controllers that control the above-discussed functions. The one or more controllers can be implemented in numerous ways, such as with dedicated hardware, or with general purpose hardware (e.g., one or more processors) that is programmed using microcode or software to perform the functions recited above.

It should be appreciated that the various methods outlined herein may be coded as software that is executable on one or more processors that employ any one of a variety of operating systems or platforms.
Additionally, such software may be written using any of a number of suitable programming languages and/or conventional programming or scripting tools, and also may be compiled as executable machine language code.

In this respect, it should be appreciated that one embodiment of the invention is directed to a computer readable medium (or multiple computer readable media) (e.g., a computer memory, one or more floppy discs, compact discs, optical discs, magnetic tapes, etc.) encoded with one or more programs that, when executed on one or more computers or other processors, perform methods that implement the various embodiments of the invention discussed above. The computer readable medium or media can be transportable, such that the program or programs stored thereon can be loaded onto one or more different computers or other processors to implement various aspects of the present invention as discussed above.

It should be understood that the term "program" is used herein in a generic sense to refer to any type of computer code or set of instructions that can be employed to program a computer or other processor to implement various aspects of the present invention as discussed above. Additionally, it should be appreciated that according to one aspect of this embodiment, one or more computer programs that when executed perform methods of the present invention need not reside on a single computer or processor, but may be distributed in a modular fashion amongst a number of different computers or processors to implement various aspects of the present invention.

Various aspects of the present invention may be used alone, in combination, or in a variety of arrangements not specifically discussed in the embodiments described in the foregoing and are therefore not limited in their application to the details and arrangement of components set forth in the foregoing description or illustrated in the drawings.
The invention is capable of other embodiments and of being practiced or of being carried out in various ways.
In particular, various aspects of the present invention may be implemented in connection with any type, collection or configuration of networks. No limitations are placed on the network implementation. In addition, an intermediary device may be implemented using any combination and configuration of components. Accordingly, the foregoing description and drawings are by way of example only.

Use of ordinal terms such as "first", "second", "third", etc., in the claims to modify a claim element does not by itself connote any priority, precedence, or order of one claim element over another or the temporal order in which acts of a method are performed, but such terms are used merely as labels to distinguish one claim element having a certain name from another element having a same name (but for use of the ordinal term) to distinguish the claim elements.

Also, the phraseology and terminology used herein is for the purpose of description and should not be regarded as limiting. The use of "including," "comprising," or "having," "containing", "involving", and variations thereof herein, is meant to encompass the items listed thereafter and equivalents thereof as well as additional items.

What is claimed is:

Claims (21)

1. A method of facilitating roaming of a requesting user requesting remote access to one or more services over a network, the method comprising:
receiving, at a first intermediary device, a request from the requesting user;
determining, by the first intermediary device, whether the requesting user is registered with the first intermediary device;
identifying, by the first intermediary device, a second intermediary device at which the requesting user is registered if the first intermediary device determines that the requesting user is not registered with the first intermediary device;
notifying, by the first intermediary device, the second intermediary device of the requesting user;
connecting, by the second intermediary device, to a client device used by the requesting user; and
determining, by the second intermediary device, whether the requesting user is registered with the second intermediary device.
2. The method of claim 1, further comprising authenticating, by the second intermediary device, the requesting user if it is determined that the requesting user is registered with the second intermediary device.
3. The method of claim 2, further comprising presenting, by the second intermediary device, a list of services available to the requesting user.
4. The method of claim 2, further comprising contacting, by the second intermediary, a server capable of providing at least one service to the requesting user to assist in connecting the client device with the server.
5. The method of claim 4, further comprising identifying, by the second intermediary device, a default service for the requesting user, and wherein contacting includes contacting the server to provide the default service.
6. The method of claim 1, wherein notifying includes initiating a service chaining operation from the first intermediary device to the second intermediary device.
7. The method of claim 6, wherein the second intermediary device responds to the service chaining operation by providing an authentication service to the requesting user.
8. The method of claim 4, further comprising requesting, by the requesting user to the second intermediary device, that at least one service be provided to the requesting user.
9. The method of claim 4, wherein contacting the server includes providing, by the second intermediary device, a network address of a client device used by the requesting user.
10. The method of claim 9, further comprising establishing a connection, initiated by the server, with the client device at the network address provided by the second intermediary device.
11. A roaming enabled intermediary device configured to facilitate connection of a requesting user to a home intermediary device at which the requesting user is registered, the roaming enabled intermediary device comprising:
at least one database for storing user information that facilitates identifying whether a requesting user is registered with the roaming enabled intermediary device, and for storing intermediary device information identifying at least one other intermediary device with which the roaming enabled intermediary device has a roaming agreement;
an identification component configured to determine whether the requesting user is registered with the roaming enabled intermediary device based, at least in part, on the user information; and
a roaming component configured to assist in identifying the home intermediary device based, at least in part, on the intermediary device information when it is determined that the requesting user is not registered with the roaming enabled intermediary device, the roaming component further configured to notify the home intermediary device of the requesting user.
12. The roaming enabled intermediary device of claim 11, wherein the roaming component is configured to initiate a service chaining operation upon identifying the home intermediary device such that the home intermediary device may contact the requesting user.
13. A networked computer system configured to facilitate roaming of a requesting user requesting one or more services over a network, the networked computer system comprising:
at least one client device capable of communicating over the network;
at least one server adapted to provide at least one service via the network; and
a plurality of intermediary devices coupled to the network, at least one of the plurality of intermediary devices adapted to facilitate establishing a connection between the at least one client device and the at least one server, each of the plurality of intermediary devices configured to determine whether the requesting user contacting the respective intermediary device via the at least one client device is registered with the respective intermediary device, and further configured to notify one of the plurality of intermediary devices identified as a home intermediary device at which the user is registered when the respective intermediary device determines that the requesting user is not registered with the respective intermediary device.
14. The networked computer system of claim 13, wherein, once contacted, the home intermediary device authenticates the user if it is determined that the user is registered with the home intermediary device.
15. The networked computer system of claim 14, wherein the home intermediary device is configured to present a list of services available to the requesting user.
16. The networked computer system of claim 14, wherein the home intermediary device is configured to contact the at least one server capable of providing at least one service to the requesting user to assist in connecting the at least one client device used by the requesting user with the at least one server.
17. The networked computer system of claim 16, wherein the home intermediary device is configured to identify a default service for the requesting user, and wherein the home intermediary contacts the at least one server to provide the default service.
18. The networked computer system of claim 14, wherein the respective intermediary device that the requesting user first contacted, after identifying the home intermediary device, initiates a service chaining operation with the home intermediary device.
19. The networked computer system of claim 18, wherein the home intermediary device responds to the service chaining operation by providing an authentication service to the requesting user.
20. The networked computer system of claim 16, wherein the home intermediary is configured to respond to a request by the requesting user to access at least one service over the network by contacting the at least one server and providing the at least one server with a network address of the at least one client device used by the user.
21. The networked computer system of claim 20, wherein the at least one contacted server initiates a network connection with the client device at the network address provided by the home intermediary device.
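The roaming flow of claims 1 to 10, as an added example that is not part of the patent: two intermediary devices, the visited one holding a roaming agreement for the user's realm, with the home device re-checking registration and authenticating the user itself before handing the client's address to the server. All device, user, service and address names are constructed for illustration.

```python
# Added example, not the patent's own code: an in-memory simulation of the
# roaming flow in claims 1-10; all names and addresses are constructed.
import hmac


def server_connect(service, client_addr):
    # claims 9-10: the server, handed the client's address, initiates the connection
    return f"{service}->{client_addr}"


class IntermediaryDevice:
    def __init__(self, name, users, roaming_partners):
        # users: user -> {secret, services, default}; roaming_partners: realm -> home device
        self.name, self.users, self.roaming_partners = name, users, roaming_partners
        self.peers = {}   # device name -> IntermediaryDevice

    def is_registered(self, user):   # identification component of claim 11
        return user in self.users

    def handle_request(self, user, client_addr, secret, service=None):
        # claim 1: serve locally if registered, otherwise look up the home
        # device from the roaming agreements and notify it (service chaining)
        if self.is_registered(user):
            return self.authenticate_and_serve(user, client_addr, secret, service)
        home = self.peers.get(self.roaming_partners.get(user.rpartition("@")[2]))
        if home is None:
            return {"status": "no-roaming-agreement", "device": self.name}
        return home.on_service_chain(user, client_addr, secret, service)

    def on_service_chain(self, user, client_addr, secret, service):
        # the home device re-checks registration itself rather than trusting
        # the visited device's assertion about the user (last step of claim 1)
        if not self.is_registered(user):
            return {"status": "unknown-user", "device": self.name}
        return self.authenticate_and_serve(user, client_addr, secret, service)

    def authenticate_and_serve(self, user, client_addr, secret, service):
        record = self.users[user]
        if not hmac.compare_digest(record["secret"], secret):   # claim 2
            return {"status": "auth-failed", "device": self.name}
        service = service or record["default"]                  # claim 5
        if service not in record["services"]:                   # claim 3
            return {"status": "not-permitted", "device": self.name}
        return {"status": "ok", "device": self.name, "services": record["services"],
                "connection": server_connect(service, client_addr)}


def build_demo():
    # constructed topology: alice is registered only at "home"; "visited" has a roaming agreement
    alice = {"secret": "s3cret", "services": ["desktop", "mail"], "default": "desktop"}
    home = IntermediaryDevice("home", {"alice@corp.example": alice}, {})
    visited = IntermediaryDevice("visited", {}, {"corp.example": "home"})
    visited.peers["home"] = home
    return visited, home
```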
AU2008284338A 2007-08-08 2008-08-07 Methods and apparatus for intermediary device roaming Abandoned AU2008284338A1 (en)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
US96400507P 2007-08-08 2007-08-08
US60/964,005 2007-08-08
PCT/US2008/009456 WO2009020623A2 (en) 2007-08-08 2008-08-07 Methods and apparatus for intermediary device roaming

Publications (1)

Publication Number Publication Date
AU2008284338A1 true AU2008284338A1 (en) 2009-02-12

Family

ID=40341951

Family Applications (1)

Application Number Title Priority Date Filing Date
AU2008284338A Abandoned AU2008284338A1 (en) 2007-08-08 2008-08-07 Methods and apparatus for intermediary device roaming

Country Status (4)

Country Link
KR (1) KR20100057839A (en)
AU (1) AU2008284338A1 (en)
BR (1) BRPI0815132A2 (en)
WO (1) WO2009020623A2 (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20120166531A1 (en) * 2010-12-23 2012-06-28 Dany Sylvain Location sharing session
US8799470B2 (en) * 2011-03-11 2014-08-05 Qualcomm Incorporated System and method using a client-local proxy-server to access a device having an assigned network address

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7346772B2 (en) * 2002-11-15 2008-03-18 Cisco Technology, Inc. Method for fast, secure 802.11 re-association without additional authentication, accounting and authorization infrastructure
US7620027B2 (en) * 2003-03-14 2009-11-17 Canon Kabushiki Kaisha Communication system, information processing device, connection device, and connection device designation method for designating connection device for communication device to connect to

Also Published As

Publication number Publication date
WO2009020623A2 (en) 2009-02-12
BRPI0815132A2 (en) 2017-05-09
WO2009020623A3 (en) 2009-04-16
KR20100057839A (en) 2010-06-01

Similar Documents

Publication Publication Date Title
US20080209039A1 (en) Service chaining methods and apparatus
US11190493B2 (en) Concealing internal applications that are accessed over a network
AU770584B2 (en) Secured session sequencing proxy system and method therefor
US7882247B2 (en) Method and apparatus for providing secure connectivity in mobile and other intermittent computing environments
US8200818B2 (en) System providing internet access management with router-based policy enforcement
US20110061090A1 (en) Methods and apparatus for network address change for mobile devices
EP1370040B1 (en) A method, a network access server, an authentication-authorization-and-accounting server, and a computer software product for proxying user authentication-authorization-and-accounting messages via a network access server
EP1911192B1 (en) Suspension and resumption of secure data connection session
KR20090012244A (en) Policy driven, credential delegation for single sign on and secure access to network resources
EP1905211A1 (en) Technique for authenticating network users
WO2009037700A2 (en) Remote computer access authentication using a mobile device
US7965701B1 (en) Method and system for secure communications with IP telephony appliance
JP5864598B2 (en) Method and system for providing service access to a user
US20060122936A1 (en) System and method for secure publication of online content
AU2008284338A1 (en) Methods and apparatus for intermediary device roaming
JP2004318582A (en) Network access system and method, verification system, edge router, access controller, and computer program
EP1466434A1 (en) Method and apparatus for providing secure connectivity in mobile and other intermittent computing environments
Andersen Changes to functionality in Microsoft Windows XP service pack 2
Anderson Universal Session Protocol: A Novel Approach to Session Management
WO2014086652A1 (en) Method of allowing communication between a secure element and a server
MXPA06001088A (en) System and method for controlling access to a network using redirection

Legal Events

Date Code Title Description
MK3 Application lapsed section 142(2)(c) - examination deferred under section 46 no request for examination