DE60028004T2 - Virtual private network with automatic updating of user accessibility information - Google Patents

Description

AREA OF INVENTION

The The present invention relates to computer networks, and more particularly on devices and methods for providing efficient, integrated and scalable Policy management services for remote private networks the Internet.

BACKGROUND OF THE INVENTION

The Growth and proliferation of computers and computer networks enables businesses to be efficient with their own components and with those of their business partners, To communicate with customers and suppliers. The flexibility and efficiency, However, these computers and computer networks offer more risks including security breaches from outside of the company, the accidental release of important internal information and inappropriate use of LAN, WAN, Internet or extranet.

at the administration of the extension of computer networks as well as with the solution Of the various security issues, network managers often use management services for network policies such as. Firewall protection, address assignment in the NAT procedure (Network Address Translation), Spam Filtering, DNS Caching, Web Caching, VPN Organization (Virtual Private networks) and security, as well as URL blockers to the network users to prevent it from exploiting ISPs (Internet Service Providers) the organization to access certain websites. Everyone However, policy management service usually requires a separate one Device, that is configured, managed and monitored must become. Furthermore, the existing devices are always more numerous as the organization grows and spreads across multiple locations expands, thereby reducing the corresponding expenses and the overhead of configuration, Administration and monitoring the devices also rise.

The solution for this The problem is not just that, it has many management features for network policies into a single device integrate at every location and allow every location to exchange his policy data with other locations. Actually there There are many obstacles and challenges in implementing one such method. For example, a plan for efficient requires Specification and distribution of data for policy management via remote private network for the entire organization generally a well-designed object model. Synchronization of multiple databases within the organization With updates of the policy management data can also be a complex Pose a problem. Furthermore, the creation of logs and statistics data from the remote private network in one far distributed policy management system This is often a difficult task for efficient analysis and reporting. Usually Only the raw data is logged and stored, which in general time-consuming and custom programs need to get out of the raw data Create meaningful reports and statistics offline.

It gives another challenge to the implementation of a single Policy Management Systems. For an elevated one Benefit should be this unified policy management functions so as far as possible in the hardware are implemented. The implementation of policy management however, on a chip typically requires efficient design partitioning.

In addition, should the unified policy management system the efficient configuration, Manage and update virtual private networks, which are over various remote locations extend.

in the Document "Inter Domain Policy Routing: Overview of Architecture and Protocols "by Estrin D. et al. 1991, XP000175708, is an overview of the Architecture and the protocols of cross-domain policy routing lists being key concepts and protocols explained become.

in the Document "Virtual Private Network Architecture "by T. Braun et al., January 8, 1999, XP002239239, an architecture is described, with the QoS-enabled, virtual private networks over the Internet can be built and managed. Here are the basic ones Technologies for secure VPNs and for presented the QoS support.

Accordingly, there is a need in the industry for a network management solution that overcomes these and other obstacles in the current state of the art.

SUMMARY OF THE INVENTION

According to one variant invention, a remote user intervenes from a remote location remote user terminal to the member networks. The terminal is configured by software according to the table the dynamic member information from the edge device, with which it is connected to download. Updates to member information will be automatically transferred to the remote user terminal below, without having to reconfigure the terminal.

SHORT DESCRIPTION THE DRAWINGS

These and other features, designs and advantages of the present invention will be apparent upon reading the following, detailed description, the appended claims and the accompanying drawings, wherein:

1 FIG. 12 is a schematic block diagram of an exemplary, unified policy management system; FIG.

2 represents the hierarchical, object-oriented structure of the policies stored for an organization according to the principles of the invention;

3 presents a schematic block diagram of a policy server in the policy management system 1 group;

4 presents a schematic diagram of a central management submodule in the policy server 3 group;

5 FIG. 3 illustrates an exemplary flowchart of a facility registration process that originates from the central management sub-module 4 is carried out;

6 FIG. 12 illustrates a screen shot of an exemplary graphical user interface for registering a device; FIG.

7 FIG. 12 illustrates a screen shot of an example global user interface for monitoring status and status information of a device; FIG.

8th Figure 13 is a screen shot of an exemplary graphical user interface that exposes the policy management submodule in the policy server 3 offers;

9 Figure 12 is a screen shot of an exemplary graphical user interface for managing system devices;

10 Figure 12 is a screen shot of an example graphical user interface for managing system hosts;

11 Figure 12 is a screen shot of an exemplary graphical user interface for managing system devices;

12 Figure 13 is a screen shot of an exemplary graphical user interface for managing time groups;

13 Figure 12 is a screen shot of an exemplary graphical user interface displaying a number of VPN clouds;

14 Figure 12 is a screen shot of an example graphical user interface for entering a new firewall policy;

15 is a schematic block diagram of policy enforcers that their respective VPN member update company information;

16 Fig. 10 is a block diagram of components in a self-extracting execution program for downloading a remote VPN client;

17 is a functional block diagram for downloading the self-extracting execution program 16 ;

18 is a schematic block diagram of a policy enforcer in the policy management system 1 ;

19 is a detailed, schematic block diagram of a policy engine in the Policy Enforcer 18 ;

20 FIG. 12 is a more detailed, schematic block diagram of a Policy Enforcer Protocol Classification Engine 18 ;

21 is a more detailed, schematic block diagram of an Internet Protocol security machine in the Policy Enforcer 18 ;

22 is a schematic representation of a general protocol format according to an embodiment of the invention;

23 is a block diagram of an LDAP tree structure according to an embodiment of the invention;

24 is a more detailed block diagram of a branch of the LDAP tree 23 ;

25 is a flowchart of logging and forwarding LDAP changes to policy enforcers;

26 Fig. 10 is a schematic block diagram of a high availability system including a primary unit and a backup unit;

27 FIG. 10 is a flow chart of an example status determination process performed by a high availability unit; FIG.

28 FIG. 12 is a flowchart of a process for maintaining the configuration information in the primary and spare units. FIG 26 be synchronized;

29 FIG. 10 is an exemplary flowchart of updating the primary and reserve units 26 in which both are ready; and

30 FIG. 10 is an exemplary flowchart of updating the primary and reserve units 26 in which the primary unit is not ready for operation.

DETAILED DESCRIPTION THE INVENTION

I. UNIFORM ARCHITECTURE THE POLICY MANAGEMENT SYSTEM

1 FIG. 10 is a schematic block diagram of an exemplary unitary policy management system according to an embodiment of the invention. FIG. As in 1 shown are the private local networks 102 . 104 and 106 all via appropriate routers (generally with 110 and Internet Service Providers (ISPs) (not shown) with a public network, such as the Internet 108 , connected. Likewise via the ISPs with the public Internet 108 Connected are internet surfers 112 network users connected via temporary dial-up connections 114 , Server 116 that offer unauthorized websites, mail spammers 118 who send unsolicited junk mail, as well as remote VPN clients 140 having access to the private local networks 102 want to get.

According to one example, the local network connects 102 Users and resources, such as Work stations, servers, printers, and the like, at a first location of the organization, such as the organization's headquarters, and the local area network 104 connects users and resources to a second location of the organization, such as a branch office. Furthermore, the local network connects 106 Users and resources of a customer of the organization who needs special access to the users and resources of the organization. Authorized network users connected via dial-up connections 114 The organization is located at sites remote from the first and second local area networks and also requires special access to the organization's users and resources. Furthermore, internet surfers communicate 112 with the internet server 120 the organization via the public Internet 108 and access the company's website.

The local network 102 includes a policy server 122 to define and manage network services and policies for the organization. The network policies are a set of rules and instructions that govern the operation of the network, firewall, VPN, bandwidth, and administrative policies. The firewall policies decide on the traffic in the network, which is from the public Internet 108 for the local networks 102 . 104 , is released and about the traffic that is to be blocked. The bandwidth policies determine the type of bandwidth to be allocated to the traffic on the local networks. The VPN policies set the rules for implementing multi-site connectivity over the local area networks. The administrative policies specify the users who have access to the administrative functions, the type of administrative functions assigned to these users, and the policy enforcers 124 . 126 for which these users can exercise these administrative functions. The firewall, VPN, bandwidth, and administration policies for the entire organization are preferably stored in a Policy Server database 130 stored by the policy server 122 is managed.

Every local network 102 . 104 , also includes an edge device, here as a policy enforcer 124 . 126 , designated for access control to the network. Each policy enforcer 124 . 126 , manages the network policies and services for the users and resources of their respective local area networks 102 . 104 , according to the release of the policy server 122 , The corresponding portions of the Policy Server database 130 be in the databases 132 . 134 , which copies the policy enforcer to allow the policy enforcers the network policies and services for the local networks 102 . 104 , can manage.

According to one embodiment of the invention, the policy server 122 and the policy enforcers 124 . 126 , are implemented in a similar way to the FORT KNOX policy routers by Alcatel Internetworking Inc. of Milpitas, California.

II. OBJECT MODEL FOR NETWORK POLICY MANAGEMENT

According to one embodiment of the invention, the policy server database is 130 and Policy Enforcer databases 132 . 134 to LDAP databases that adhere to a unified, hierarchical, object-oriented structure. The LDAP Directory Service model is based on entries, where each entry represents a collection of attributes that are named with a unique name (DN). Each attribute contains a type and one or more values. The type is typically a mnemonic string, such as "o" for organization, "c" for country, or "mail" for e-mail addresses, depending on the attribute type, for example, the attribute "mail" Value "babs@umich.edu" The attribute "jpegPhoto" can contain a photo in a binary JPEG / JFIF format. Further details about the LDAP Directory Service Model are described in RFC 1777 "The Lightweight Directory Access Protocol" (W. Yeong, T. Howes and Kille, Network Working Group, March 1995) and "LDAP Programming: Directory-enabled Applications with Lightweight Directory Access Protocol "(T. Howes and M. Smith, Macmillan Technical Publishing, 1997).

The Posts in the LDAP database are preferably in a hierarchical, tree-like structure built up, the political, geographical and / or organizational Limits taken into account. The entries, the countries represent, appear at the top of the tree. among them the entries appear, representing state or national organizations. Among the national or national organizations may make entries in relation to persons, organizational units, Printers, documents and the like be listed.

2 is a schematic representation of the unified, hierarchical, object-oriented structure to which the policy server database 130 holds according to an embodiment of the invention. The Policy Enforcer databases 132 . 134 , follow with the exception of a few differences of the same structure. For example, the policy enforcer databases preferably do not include a policy server domain object 201 or related policy server objects, nor a policy domain object 240 ,

As in 2 Each object in the structure is preferably stored as an LDAP entry. At the top of the hierarchy is the policy server domain object 201 arranged various policy server resources and a set of policy domain objects (generally with 204 designated). Each policy domain object 240 is a grouping of policy enforcers with shared policies. Each policy domain object 240 includes a resource root object 200 and a group root object 202 , All policy management functions are preferably implemented in the form of resource objects, the facilities 204 , Users 206 , Hosts 208 , Services 210 and time 220 include. Thus, a firewall policy can be defined simply by associating the policies, users, hosts, services, and times that apply to the policy. The facilities, users, hosts and services are preferably in groups 212 . 214 . 216 and 218 , organized with a group name, description, and member information to provide a more intuitive way of addressing and organizing resources.

The users 206 are preferably associated with a user domain that provides a secure and efficient means of checking user authorization. Each user domain has a single Policy Enforcer that has the authority to verify the user's permission. Thus, user domains ensure that the validated agent is generally on the same local network as the user. In this way, the cost of network dependency or network latency can be reduced during the user verification process. It should be noted, however, that users are also authorized users connected in the dialing process 114 and users from the customer network 106 can act. These users contact a remote validation agent, who submits the user review back to the appropriate proxy policy enforcer.

hosts 208 are the various networks that exist in an organization. For example, a particular LAN subnet may be specified as a host in a system. hosts 208 are preferably organized on the basis of their physical location within the organization. The physical location of a host is determined by the device (Policy Enforcer) 204 flag assigned to the host.

services 210 Include the various services provided by the policy server 122 to be provided. Such services include multimedia streaming / conferencing, information retrieval, security and privilege validation, database applications, e-mail applications, routing applications, standard communication protocols, and the like. The attributes associated with each service preferably include service name, description, type (eg, HTTP, HTTPS, FTP, TELNET, SMTP, Real Networks, and the like) and group.

facilities 204 are the policy enforcers 124 . 126 , at the edges of a particular local area network. Each entity / policy enforcer preferably includes users 206 and a host / network 208 that is managed by the policy enforcer.

Time 220 is another dimension for access control to network resources. When creating the firewall policies, different time objects that cover a specific time range can be created and used.

Similar to resources, the network policies are preferably defined in the form of objects for the efficient and intuitive definition of the policies. Policies are defined by the administrators and by the policy enforcers 124 . 126 , in the network traffic between the public Internet 108 and the local networks 102 and 104 enforced.

According to an embodiment variant of the invention comprises a policy object 222 a bandwidth policy 224 , a firewall policy 226 , a management policy 228 and a VPN policy 230 , The VPN policy 230 defines a security policy for the member networks and includes one or more VPN clouds 232 , Every VPN cloud 232 is a single VPN or group of VPNs that define a group of security policies that provide a list of sites 234 and users 236 includes that can communicate with each other. A site is preferably a group of hosts / networks that are physically behind one of the policy enforcers 124 . 126 are arranged. In other words, a location is the definition of a network that includes the policy enforcer associated with it. The policy enforcers for the sites act as VPN tunnel endpoints when the hosts at the sites begin to communicate. These communications are subject to certain rules 238 that are configured for each VPN cloud. The rules 238 can, inter alia, VPN access permissions and security features, such as the level of encryption and ver specified access authorization for the connectivity at the respective network level.

The object-oriented structure 2 gives network administrators the ability to define policies in an intuitive and comprehensive way. Such policies can be defined by simply assigning resources and policies. This enables a policy-driven management model that gives the administrator the impression that a single logical server provides the firewall, bandwidth management, and VPN services to the entire enterprise. The fact that the policy is enforced via individual policy enforcers in different locations is transparent to the administrator.

III. POLICY-BASED NETWORK ARCHITECTURE

3 is a more detailed schematic block diagram of the policy server 122 according to an embodiment of the invention. The policy server 122 preferably includes a management module 302 , which is the central controller of policy enforcers 124 . 126 , made possible from a single console. The policy server 122 also includes a log collection and archiving module 304 and a policy server report module 316 , The log collection and archiving module 304 collects information about the status and use of resources from policy enforcers 124 . 126 , as well as the management module 302 , and stores them in an archive database 318 , The policy server report module 316 Uses the collected logs and archive data to generate reports in a structured report format.

In terms of the management module 302 , includes the management module 302 preferably four submodules that support the central control, in particular a central management submodule 306 , a policy management submodule 308 , a secure, role-based management submodule 310 and a multi-site connectivity management submodule 312 ,

The central management submodule 306 provides the network administrator with the ability to install and manage individual policy enforcers from a central location. The network administrator preferably uses a web-based graphical user interface to define the policy enforcer's network configuration and to monitor various aspects of the device, such as device status, alarm messages, VPN port status, and the like.

The policy management submodule 308 provides the network administrator with the ability to create policies that include many policy enforcer functional aspects (eg, firewall, bandwidth management, and virtual private networks), multiple resources (eg, users, hosts, services, and time) and multiple policy enforcers.

The secure, role-based management submodule 310 Provides role-based management that allows administrators to delegate administrative functions to other administrators. This sub-module preferably ensures maximum security in terms of accessing the management functions.

The multi-site connectivity management submodule 312 Allows the network administrator to set up secure communication channels between one or more remote sites. This submodule uses the central management submodule 306 , the policy management submodule 308 , the dynamic routing capabilities of Policy Enforcers 124 . 126 and the management infrastructure to provide virtual private networks within the enterprise with detailed access control.

4 is a more detailed schematic of the central policy management submodule 306 according to an embodiment of the invention. The submodule includes a policy server installation wizard 404 which provides an interactive user interface to help install the policy server 122 offers. For this purpose, the network administrator has access to a personal computer that has a connection cable, a hub, or the like to the LAN port of the policy server 122 connected. The network administrator connects to the policy server 122 preferably by entering the URL of the policy server 122 into a standard Internet browser, such as Microsoft Internet Explorer. The URL preferably has the following form:
"Http: // <ipaddress>: 88 / index.html", where <ipaddress> is the IP address associated with the policy server, and the IP address is automatically assigned to the policy server if the browser attempts to use it Address When the administrator's personal computer sends an Address Resolution Protocol request for the IP address, the policy server detects that it has a packet on port 88 Not is claimed and takes the IP address.

Once the connection is made, the Policy Server Installation Wizard will call 404 the interactive user interface on, the network administrator when setting up the policy server 122 to support. The Policy Server Installation Wizard 404 Among other things, the administrator asks for a server name, an IP address for the server, and an IP address for the router. In addition, the Policy Server Installation Wizard prompts 404 Allow the administrator to select one of several default policies to create default firewall, VPN, bandwidth, and administrator policies. These policies will then be replicated to each new Policy Enforcer attached to the policy server 122 is registered.

The central management submodule 306 also includes a Policy Enforcer installation wizard 406 , which provides an interactive user interface to support the installation of Policy Enforcers 124 . 126 , offers. As with the installation of the policy server 122 , the access to the assistant takes place 406 preferably web-based via the network administrator's personal computer.

Once the connection is made, the Policy Enforcer Installation Wizard prompts 406 the interactive user interface on, the network administrator when setting up a particular policy enforcer 124 . 126 to support. The Policy Enforcer Installation Wizard 464 Among other things, the administrator asks for the IP address of the policy server, the IP address of the policy enforcer, and the IP address of the router. The policy enforcer will then be in the policy server 122 registered by calling the URL in the policy server with its own basic bootstrap information. Registration of the Policy Enforcer enables initialization of the Policy Enforcer database 132 . 134 , with the configuration information as well as monitoring the status and state of the policy enforcer via the policy server 122 ,

Before registering the policy enforcer in the policy server 122 , the network administrator preferably logs the policy enforcer in the policy server. This pre-logon allows you to create a wildcard node in the policy server for policy enforcer data when the policy enforcer actually registers. For this purpose, the central management sub-module includes 306 a configuration interface 410 which allows the pre-registration of a new Policy Enforcer.

5 is an exemplary flowchart for the pre-registration and registration process of a policy enforcer according to an embodiment of the invention. In step 401 The Policy Enforcer connects to the network using the Policy Enforcer Installation Wizard described above 406 installed at its actual, physical location. The network administrator who has the new facility's serial number logs in the policy enforcer by going to step 403 Add a new Policy Enforcer to a device group. For this purpose calls the configuration interface 410 an interactive graphical interface on, as in 6 presented to the network administrator, the device name 415 , the serial number 417 and the location information 419 enter; In addition, the administrator has the option of a device group 421 to select the new Policy Enforcer to belong to. By pressing a button 423 takes the new policy enforcer in step 405 with the policy server 122 Connection by preferably invoking a URL in the policy server. Once connected to the policy server, the new policy enforcer submits the policy server its registration package. The registration package includes at least the new Policy Enforcer serial number and the LAN, WAN, and DMS IP addresses in the Policy Enforcer. In step 407 compares the central management submodule 306 the serial number of the new Policy Enforcer with the list of policy servers 122 pre-registered policy enforcer. If a match is found, the policy server executes 122 the registration process by going in step 409 stores the settings that were set during the installation for the policy enforcer, preferably in a file in the LDAP data exchange format (ldif). In step 411 the file is transmitted to the Policy Enforcer, preferably over an HTTPS channel, by invoking a Common Gateway Interface (CGI) in the Policy Enforcer. The policy enforcer then uses the file to step in 413 its configuration database, eg the database 132 . 134 to initialize.

Again referring to 4 includes the central management submodule 306 also a global monitor user interface 402 and a data collection program 412 , each displaying and capturing the state and status of all Policy Enforcers sent by the policy server 122 to get managed. The data acquisition program 412 obtains the state and status information from all the up-and-running policy enforcers it manages, and transmits the relevant information to the global monitor UI. A state agent, which runs as a deamon in all policy enforcers that are regularly monitored, collects the device's data and analyzes its status. The collected data will be sent to the Poli cy server 122 when submitted by the data collection program 412 be retrieved.

7 Figure 12 is a screen shot of an exemplary global monitor user interface 402 which displays various types of status and status information. Such information can affect the state of the device, such as system load 712 and network usage information 714 Respectively. The information can also be updated on current alarm messages 716 for the facility, including alarm name, type, description and the like. The information can also look at current VPN connections 718 Include connection type, source / destination, duration, and VPN traffic volume.

Again referring to 3 enables the policy management submodule 308 the policy management of policy enforcers 124 . 126 , As described above, all policy management functions are implemented in the form of resource objects stored in policy databases 130 . 132 . 134 , including users, facilities, hosts, services and time. Preferably, all resources are associated with the default policy settings selected by the administrator during the installation process. The network administrator can centrally view the policies through a graphical user interface provided by the policy management submodule 308 is provided, display, add or modify. This provides a centralized policy management model, giving the administrator the impression that a single logical server provides firewall, bandwidth management, and VPN services to the entire enterprise. The fact that the policy is enforced via individual policy enforcers in different locations is transparent to the administrator.

8th is an exemplary graphical user interface provided by the policy management submodule 308 provided. The interface includes a resource palette 718 which includes a list of resource registers, including a user register 718a , a device register 718b , a host register 718c , a service register 718d and a time register 718e , The resource palette allows the administrator to add and modify resource definitions from a single console.

After selecting the user register 718a the system displays the user groups defined for the system 722 , New users can be added to the group by selecting a specific group and defining the different user attributes such as login name, full name, policy enforcer to which the user is assigned, authorization scheme, password and the like.

After selecting the device tab 718b are various device management icons used to manage the policy server 122 and the policy enforcer 124 . 126 , displayed as in 9 shown. An icon for the policy server system settings 750 provides the network administrator with the ability to set system settings such as LAN or WAN / DMS IP addresses of the policy server 122 to display and change. An icon for Policy Server archive options 752 Allows the specification of reports or other database archive options for the policy server 122 , A global URL blocking icon 754 gives the administrator the option of a list of unauthorized Internet sites 116 to be created by all Policy Enforcers 124 . 126 , the system should be blocked. In the same way, the symbol allows for a global spam list 756 the administrator, a list of all e-mail addresses of spammers 118 to be blocked by all Policy Enforcers.

The administrator can view the information about all Policy Enforcers 124 . 126 , show by the icon 758 selects.

Information about a specific policy enforcer can be obtained by selecting a specific policy enforcer 760 in a particular device group 761 are displayed. Such information includes information about the device settings 762 , Information about URL blocks 764 , Information about the spam list 766 and similar information specific to selected policy enforcers. For example, after selecting the icon for the URL blocking information 764 Policy Enforcer display the various URL categories 768 which the network administrator can select for blocking by the selected policy enforcer.

After selecting the host register 718c the display of various hosts (networks) of the system takes place, as in 10 shown. A host is organized based on its physical location as well as a specific policy enforcer 124 . 126 , assigned. Hosts are assigned to various attributes, including a unique name 770 , an IP address in the network 772 and a subnet mask 774 , In addition, the network administrator can specify whether the host is an external host 776 These, that belongs to a network that is not from the policy server 122 is managed. If it is an external host, the administrator specifies an IP address 778 the external device to which the host belongs. A furnishing field 780 allows the administrator to enter the name of the policy enforcer to which the host belongs. Each host is also a specific group 782 assigned by the administrator.

After selecting the service register 718d The display of various service groups is carried out by the policy server 122 be supported, as in 11 shown. Such service groups include, for example, multimedia streaming / conferencing, information retrieval, security and permissions, e-mail applications, routing applications, database applications, standard communication protocols, and the like. If desired, users can also add new service groups.

Each service is a name 784 , a description 786 and a service type 788 (eg HTTP, HTTPS, FTP, TELNET, SMTP, Real Networks or similar). In addition, each service is a service group 790 assigned. Based on the service type, additional information may also be specified for the service. For example, for an HTTP service, the administrator can specify whether the URL is blocked 792 should be activated.

After selecting the time register 718e the display of different time group symbols takes place 794 that cover the time range that should be used in the firewall policies, as in 12 shown. For example, selecting the icon of a working time group allows the network administrator to enter days and times to be set as working days and times.

Again referring to 8th The interface also includes a policy canvas 720 including a list of policies available in the system. A policy definition is preferably an association of a resource set that is from the resource palette 718 drawn and in the policy canvas 720 can be stored.

After selecting a firewall register 720a will display all firewall policies specified for a particular policy domain, including one or more policy enforcers. The network administrator decides to which domain the policy enforcer should belong during the policy enforcer's pre-registration. The interface gives the administrator the option of different policies from the policy server 122 view, add, and modify changes to the Policy Enforcers 124 . 126 to perform these changes individually to each Policy Enforcer.

According to one embodiment of the invention, each firewall policy comprises a policy identification attribute (ID). 724 to identify a specific policy rule in the list of policies. A number attribute 726 Policy rule specifies the order in which the policy should be applied. For this purpose, the policy enforcer calls 124 . 126 , one at a time for each local network, compares it to network traffic and preferably applies the first rule that corresponds to network traffic.

Each firewall policy also contains a description attribute 728 to describe the firewall policy to be implemented. For example, the description may indicate that the policy allows spam blocking, URL blocking, VPN key management, and the like. An action flag attribute 730 Indicates whether traffic is allowed or denied for the displayed policy. An active flag attribute 732 Indicates whether the policy has been activated or deactivated. This allows the network administrator to create a policy and enable it at a later time. A deactivated policy preferably has no effect on network traffic.

Each firewall policy also includes a user attribute 734 , a source attribute 736 , a service attribute 738 , a destination attribute (not shown) and a time attribute (not shown). Each of these attributes is preferably represented by a group name or a resource name. The name acts as a pointer to an entry in the group root object 202 or the resource root object of the LDAP database 130 . 132 or 134 ,

The user attribute 734 preferably indicates the user groups and users that can be selected for the policy. The source attribute 736 indicates the origin point in the network traffic associated with the user. The service attribute 738 Specifies the services that are shared or blocked by the policy the. The destination attribute specifies a specific LAN, WAN or DMS segment or specific hosts in which the specified services are allowed or disabled. To configure SMTP POP services on an e-mail server, the host can represent the IP address on which the e-mail server is running, and the specified services are SMTP. The time attribute specifies a time slot in which the policy is effective.

Next The above includes any firewall policy as well Authentication attribute (not shown) representing the authentication scheme for the Policy (e.g., without, LDAP, SecurID, RADIUS, WinNT or all).

14 is a screen shot of an exemplary graphical user interface for adding a new policy policy firewall policy after clicking on the "Add" button 725 , The existing firewall policies can be changed by clicking on the "Change" button 727 or "delete" 729 be changed or deleted.

As in 14 As shown, a new firewall policy can be defined by simply describing the policy in the description area 728a is added by placing the action to be applied to the corresponding network traffic in an action box 730a is selected and in the active area 732a whether the policy should be activated or deactivated. In addition, the network administrator sets users, source, services, destination and time resources in the user area 734a , Source area 736a , Service area 738a , Target area 739a or time range 741 firmly. The network administrator dials in an authentication area 743 also an authentication scheme for the policy. After pressing the OK button 745 The corresponding entries in the LDAP tree of the Policy Server database are changed to reflect the entry of the new policy. The change will also be communicated to the respective policy enforcers, as described in detail below.

Again referring to 8th allows selection of the bandwidth register 720c displaying, adding, and changing various bandwidth policies that determine the type of bandwidth associated with the traffic flowing through a particular policy enforcer. Different bandwidths can be specified for different users, hosts and services.

The selection of the administrative register 720d Allows you to view, add, and modify various management policies that allow the top-level network administrator to delegate administrative responsibility to other administrators. To do this, the top-level network administrator specifies management policies that determine which users have access to which features and facilities. The management policies preferably include attributes similar to the firewall rules, except for the specification of a role attribute. Certain users may be granted additional administrative privileges depending on their role.

IV. VIRTUAL PRIVATE NETWORK WITH AUTOMATIC UPDATE OF USER REACHABILITY INFORMATION

Again referring to 3 enables the management module to connect multiple sites 312 creating VPNs with dynamic routing, where the VPN member lists are automatically created without static configuration of member information by the network administrator. Therefore, as soon as the administrator configures a VPN over a policy enforcer's LAN to another, the routing protocols, such as RIPv1 or RIPv2, running on LAN interfaces will be aware of the networks reachable through their respective interfaces. These networks then become members of the VPN and the policy enforcers 124 . 126 to create member tables on one side of the VPN by using the known routes. The member information is preferably via the LDAP databases 132 . 134 , between policy enforcers 124 . 126 , exchanged. In this way, the combined use of routing protocols and LDAP allows the creation of VPNs whose member lists are dynamically compiled.

Again in terms of 8th The network administrator configures VPN policies for multi-site connectivity using the resource palette 718 and the policy canvas 720 , After selecting the VPN register 720b in the policy canvas 720 the display shows a selection of VPN clouds 270 that have already been configured for the system, as in 13 shown. As described above, a VPN cloud is a single VPN or group of VPNs for which a security policy can be defined. Each VPN cloud includes a list of the locations of a site node 234 as well as the user of a user node 236 who can communicate with each other. A site is a set of hosts that are physically behind one of the policy enforcers 124 . 126 , are arranged. The policy enforcers for the sites act preferably as VPN tunnel endpoints, once the hosts of the sites begin to communicate with each other.

The users in the VPN cloud are the users who have access to the sites 234 assigned hosts. Users access the hosts as VPN clients by using the VPN client software installed on each user PC, as described in detail below.

Every VPN cloud 270 also includes a firewall rule node 276 including firewall rules that apply to all connections in the cloud. These rules determine, among other things, the VPN access permissions, the security features, such as the encryption level and the authentication used for network-level connectivity.

The provides hierarchical organization provided by the VPN clouds the network administrator thus the possibility of fully networked Create VPNs, with each location within a VPN cloud over the full Connectivity with all other sites. The network administrator needs not any more Manually configure connection within the VPN, he needs just create a VPN cloud and the sites, users and Specify rules to associate with the VPN. each Connection is then based on the specified for the VPN cloud Configuration made. The hierarchical organization facilitates thus setting up a VPN with a large number of sites.

The network administrator prefers to add a new VPN cloud by clicking the "Add" button. 280 actuated. The policy server then creates it 122 automatically the location node 272 , the user node 274 and the rule node 276 for the VPN cloud. The administrator then specifies the locations and users in the VPN.

According to one embodiment of the invention, the rule node comprises 276 initially a VPN default rule 278 according to the policy settings made by the network administrator during policy server setup 122 has selected. The VPN default rule 278 allows unrestricted access to the hosts in the VPN.

The administrator can implement access control within the VPN cloud by following the default rule 278 deletes and sets specific firewall rules for the VPN. Such firewall rules allow the administrator to provide detailed access control for traffic within the VPN as part of the encrypted access provided by such a VPN. The firewall rules are applied to the plaintext packet after it has been decrypted, or before it is encrypted.

According to one embodiment of the invention, the administrator selects the default rule 278 to make such changes to the default rule. After selecting the default rule, a graphical user interface is invoked, similar to the one in 8th shown. The network administrator defines detailed access rules for the VPN by defining the firewall rules that apply to the VPN. The parameters in these firewall rules are preferably identical to the general firewall rules defined in 8th are shown.

Once a VPN cloud has been configured, it will be used by the policy enforcers 124 . 126 , dynamically create VPN member information on the network. For this purpose, each VPN site includes a register that identifies the hosts associated with that site. At run time, the policy enforcers arrange 124 . 126 For each location, assign IP addresses to the registry by identifying the hosts at each site. In this way, the IP addresses can be determined dynamically without the need for a static configuration of the IP addresses.

To The creation of the member tables will be changes in the routing information and the policy enforcers of the members using a publish-subscribe procedure reported. The actual changes are retrieved from the Policy Enforcer by the LDAP database queries the respective network, the changed routing information equivalent.

15 is a schematic block diagram of the policy enforcers 124 . 126 at the opposite ends of a VPN tunnel, updating their respective routing information. As in 15 Each policy enforcer includes 124 . 126 , a gate module 252 . 261 that is configured as a daemon to to run one or more routing protocols to exchange links in the network. Such routing protocols may include RIPv1, RIPv2, OSPF, and the like.

If a network administrator does that with the Policy Enforcer 124 connected local network 102 To add a new route, the administrator reports the new route in step 241 in the gate module 252 of the policy enforcer 124 at. This is typically done by configuring a downstream in the Policy Enforcer for an additional network. This information is then passed through standard routing protocols to the gate module 252 of the policy enforcer 124 forwarded. The policy server 122 For example, the new route can be the Policy Enforcer 124 announce to which the new route should be assigned. For example, the route may be specified using an LDAP statement, such as "LAN Group @ PR1," which specifies a new route between Policy Enforcer PR1 and a LAN called LAN Group 242 saves the gate module 252 the new track in a kernel 253 Policy Enforcer, including a VPN driver 254 so the policy enforcer 124 be able to correctly forward the relevant messages about the new route. In addition, the gate module writes 252 the new route in step 243 in his LDAP database 132 ,

The gate module 252 sends the name of the new route in step 244 to a Distinguished Name Monitor (DN) monitor 255 which is configured to handle the updates in the LDAP database 132 to monitor. The DN monitor in turn informs in step 245a and 245b a VPN daemon 256 and a PDP machine (Policy Deployment Point) 257 about the change in the LDAP database 132 , The PDP engine then updates the modules that enforce the policies with the change.

In step 246 uses the VPN daemon 256 the route name to access the LDAP database 132 to get the full route information, a list of all VPNs to which the new route belongs, and a list of all the other policy routers connected to those VPNs. In step 247 transmits the VPN daemon 256 the new route name to all other policy routers.

If the policy router 126 a new route name from the policy router 124 receives his network daemon attacks 258 in step 248 to the LDAP database 132 in the Send Policy Router 124 to get the complete new route information. If the new route belongs to more than one VPN and has different parameters for the various VPNs, the routers in the various VPNs assign the various information to the respective VPNs.

In step 249 writes the network daemon 258 the received new route information into its own LDAP database 134 and forwards it to its own DN monitor module. As in the Send Policy Router 124 transmits the DN monitor module 259 in the receive policy router 126 the new route information to his PDP machine 260 to update its kernel 265 with the current changes.

Even though 15 With regard to the extension of a policy enforcer and its associated VPNs by a new route, it will be obvious to those skilled in the art that the essentially same techniques are also used to delete a link (for example, if a network component becomes inoperative or incapable of communication). or to change a route (the policy router can detect if a route already exists in another form and simply override it). In this way, the VPN system or systems can dynamically maintain the routing information between their policy enforcers with minimal system administrator work.

V. VIRTUAL PRIVATE NETWORK WITH AUTOMATIC UPDATE OF CLIENT REACHABILITY INFORMATION

Remote users communicate over the public Internet 108 with the others, behind the policy enforcers 124 . 126 , arranged members of the VPN after they have provided their respective credentials. These remote users have as VPN clients 140 access to private networks using VPN client software. According to an embodiment of the invention, the system provides the remote user with the ability to download a self-extracting program file that, after execution, installs both the VPN client software and the VPN reachability information unique to the remote user in the remote user terminal.

Each policy enforcer 124 . 126 , preferably includes a copy of the self-extracting program file of the VPN client software, including a setup program and the template for the VPN creator reichbarkeitskonfiguration. With the help of the setup program, the VPN client software can be installed on the VPN client 140 be installed. When downloading the self-extracting executable, the configuration template is replaced with the VPN reachability information specific to the downloading user.

According to another embodiment of the invention, the system provides the VPN client 140 the ability to download a self-extracting executable that installs, after execution, only the VPN reachability information that is unique to the user. According to this embodiment, the VPN client software is already on the VPN client 140 Installed. In this scenario, the setup program allows the installation of the reachability information specific to the downloading user to the VPN client 140 ,

According to a third embodiment of the invention, the system provides the VPN client 140 the ability to automatically download the VPN reachability information each time you connect to the Policy Enforcer 124 . 126 , will be produced. In this way, the VPN reachability information is for each VPN client 140 always up to date. Once a VPN session is established, the connection between the VPN client applies 140 and the policy enforcer already considered safe. The VPN client preferably performs a Common Gateway Interface (CGI) query on a Web server running on the Policy Enforcer and downloads the current VPN reachability information from the corresponding LDAP database.

16 is a block diagram of the components in a self-extracting program file 290 according to an embodiment of the invention. The self-extracting program file 290 can be created using standard tools such as INSTALLSHIELD EXEBUILDER from InstallShield Software Corporation of Schaumburg, Illinois.

The self-extracting program file 290 preferably includes an executable setup file 292 to install the VPN client software and / or the VPN configuration information. The setup file 292 preferably forms the static portion 298 the self-extracting executable because this information does not change depending on the downloading VPN client. The self-extracting program file 290 also includes VPN configuration file templates for the VPN reachability information 294 and shared key information 296 of the VPN client. The VPN reachability information 294 and the common key information 296 of the VPN client preferably form the dynamic share 229 the self-extracting program file 290 because this information varies depending on the downloading VPN client. The self-extracting program file 290 will then be used as a template file in the policy enforcer 124 . 126 , stored and can then be downloaded by the remote users.

17 is a block diagram for downloading the self-extracting program file 290 out 16 according to an embodiment of the invention. In step 320 creates a new VPN client 140 First, a secure connection session with the policy enforcer 124 . 126 to the self-extracting program file 290 download. This is preferably done by means of an HTTPS protocol session in the web browser of the VPN client or the like. In step 322 and 324 The policy enforcers use the VPN client to perform an authentication procedure in which the policy enforcer queries the username and password and the VPN client provides this information. In step 326 The Policy Enforcer compares the information supplied with the entries in its VPN client database 328 , If the information is correct, the policy enforcer will find appropriate shared keys for the user, and determine in step 330 and the VPN reachability information of the client from a VPN configuration database 332 , The VPN client database 328 and the VPN configuration database 332 can be part of a single LDAP database 312 . 314 be saved by Policy Enforcer 124 . 126 , or they can each be separate LDAP databases.

In step 334 the policy enforcer replaces the dynamic share 299 the self-extracting program file 290 by the VPN reachability information and the shared key that is unique to the VPN client. The newly generated, self-extracting program file will then be in step 336 on the VPN client 140 downloaded. When the program file is running, it either installs the VPN client software and / or the VPN reachability information.

Similar techniques can also be used to download a new and updated copy of the VPN configuration information to the VPN client, whenever the client connects to the Policy Enforcer and requests a session key. In addition, the user can obtain the latest configuration of the VPN network by explicitly requesting this information from the policy enforcer. In this way, the VPN client does not have to be reinstalled and configured each time updates to the VPN reachability information are made.

VI. INTEGRATED POLICY ENFORCER

According to one embodiment of the invention, the functions of the policy enforcers 124 . 126 , to enforce the policy for the efficient implementation of the hardware. However, it will be obvious to those skilled in the art that some or all of the functions may be implemented in software, hardware, or various combinations thereof.

18 is a block diagram of the policy enforcer 124 . 126 in which the division of the various functions according to an embodiment of the invention is shown. The Policy Enforcer includes an Internet Protocol Security (IPSec) machine 502 to perform the security and authentication functions, for example to implement virtual private networks. A data stream table 506 assembles the packets that pass the policy enforcer into data streams. A protocol classification engine 508 decodes the protocols that are used in forwarding the packets. A policy machine 510 sets the policies for the packages based on the policy settings that are in the policy database 132 . 134 , are stored. A packet forwarding module 504 receives packets from the public Internet through the router 110 and cache the packets, forward them, or delete them based on enforced policies. A bandwidth management module 514 Ensures bandwidth shaping services for the packets that are routed based on the bandwidth settings that are in the policy database 132 . 134 , are stored.

In practice, there will be an incoming packet with the data stream table 506 compared to determine if a matching entry already exists in the table. If not, a new entry will be added. The data stream table preferably includes enough portions of the packet to uniquely identify a data stream. For example, when enforcing policies for IP-level three to IP-level four traffic, the stream table can store the source IP, destination IP, source port, destination port, and log number of the incoming packet.

The protocol classification engine 508 takes the new data stream and generates a detailed protocol decoding for the stream. Then, the policy rules to be applied to the data stream are in the policy engine 510 queried. Based on the policy rules used by the policy engine 510 the packet forwarding module processes 504 , the IPSec machine 502 and / or the bandwidth management module 514 the data streams accordingly. Processing may be recursive until all actions have been taken on the packets in the data stream specified in the policy rules that apply to them.

The policy enforcer also includes a statistics module 512 to generate statistics for the packets that are routed through the local network, as well as other status and resource usage information, and store them in logs and archives to be sent to the policy server 122 , According to an embodiment variant of the invention, the statistics module leads 512 running byte counts on the packets passing through the network 102 . 104 , to get redirected. These byte counts can be automatically sorted by class, based on specific resources (such as users, hosts, services), bytes blocked by the policies, or exceptions, such as firewall policies. For this purpose maintains the statistics module 512 in a cache, a status table containing a list of resources involved in the individual firewall-enabled connections. For each packet forwarded in the connection, the statistics module performs a packet and byte count for each of the resources in the list. The statistics module 512 then passes the structured information to the policy server 122 Next, the information is entered directly into tables, which are organized according to specific classes and are deleted regularly.

19 is a more detailed block diagram of the policy engine 510 according to an embodiment of the invention. The policy machine 510 includes a policy query table 602 , which acts as a queue for all policy decision queries. For this purpose, the portion of the packet that matches the information contained in the data stream table 506 stored, the policy machine 510 presented in the form of a policy query. The policy query is then queued for the Policy Query Table 602 set.

A resource machine 604 Maintains an up-to-date mapping of resource group names relative to member mapping. A database buffer for policy rules 608 saves a current policy rule set by the policy engine 510 should be applied. The in the buffer 608 stored policy rules are preferably in the group-based original rule specification format. The buffer 608 therefore stores a rule created for a group in its group-based form, instead of instantiating a rule for each member of the group.

A decision machine 606 includes logic to handle the incoming policy decision requests in the policy query table 602 by matching the policy rule set in the policy rule database buffer 608 based on the current member information provided by the resource machine 604 to be delivered. The relevant group-based rule that matches the traffic is identified and data bits are set in the stream table to implement the appropriate actions. The decision bits therefore represent the set of actions to be performed on the packets of the data stream. All packets that match the data stream are then processed based on these decision bits. The decision engine may also set an access control list (ACL), including a rule set that enables / disables traffic, a DiffServ standard to ensure quality of service quality for the traffic, and / or VPN implementation information.

20 is a more detailed block diagram of the protocol classification engine 508 according to an embodiment of the invention. As in 20 includes the protocol classification engine 508 a data stream unit 702 , a data stream sliding window 704 , an ASN.1 block 706 , a protocol classification state machine 708 and a protocol definition signature database 710 , The data stream unit 702 Extracts and reassembles the data portion of an incoming packet stream and stores it in the stream flipping window 704 from. The data stream sliding window preferably follows FIFO protocols. The ASN.1 decoder decodes the data stream, if necessary, using standard ASN.1 encoding / decoding standards. The protocol classification state machine 708 then resembles the fully reassembled and decoded data with the log definition signature database 710 from. This database 710 preferably includes a mapping of the protocol names with the data patterns found in the data stream. The matched protocol is then sent to the data stream table 506 returned.

Thus, the protocol classification engine provides 508 a comprehensive protocol decoding and packet classification for level three through level seven, including the complete identification of dynamic data streams through the use of a dynamically updated signature database compiled on the basis of script protocol definitions. If new protocols are defined in the future and / or users create their own individual applications with individual protocols, it may be necessary to add a recognition of these protocols to the protocol classification engine. The described protocol classification engine architecture allows such extensions by simply adding the new script definition of the new protocol to the classification engine, without having to change the design each time a new protocol is added. This ensures the support of individual protocols and the future extensibility of protocols.

21 is a more detailed block diagram of the IPSec machine 502 according to an embodiment of the invention. As in 21 shown includes the IPSec machine 502 a pseudo-random number generator (PRNG) function 802 for generating random numbers used to generate encryption keys using well-known methods. A Diffie Hellman 804 as well as an RSA block 812 implement the appropriate asymmetric public encryption / decryption / signature algorithms also known to those skilled in the art. An IKE block 806 communicates with an IPSec SA table 808 to implement ISAKMP / Oakley (IKE) standard code exchange protocols. An encryption transcoding block 814 implements the standard symmetric encryption / decryption algorithms. An IPSec encapsulation / decapsulation block 810 performs standard encapsulation / decapsulation functions. Accordingly, the IPSec machine offers 502 a mature, standards-based IKE / IPSec implementation that supports public code certificates and the necessary encryption and decryption capabilities for packet forwarding through the private local area networks 102 . 104 , offers.

VII. NETWORK POLICY PROTOCOLS AND STATISTICS CONSTRUCTION

Again in terms of 3 Collects the log collection and archiving module 304 the information about the status and use of resources by the policy enforcers 124 . 126 , as well as the management module 302 and saves them in the archive database 318 from. The policy server report module 316 then uses the captured logs and archives to create reports in a structured report format.

According to one embodiment of the invention, each policy enforcer maintains 124 . 126 , a log file containing information about the flow of traffic through the policy enforcers and the status and use of the resources associated with the policy enforcer. All log files conform to a predefined, common log format, which is preferably designed to create compact logs.

22 is a schematic representation of such a protocol format according to an embodiment of the invention. Each log entry includes a timestamp 820 in the format yyyymmddhhmmss, which specifies the year, month, hour, minute, and second when the log entry was created. A service field 822 Specifies the service type used by the policy enforcer 124 . 126 , is provided. Such services include VPN, FTP, Telnet, HTTP, packet filtering, bandwidth, and the like. Each log entry also contains the source IP address and port 824 indicating the source from which a packet was received and destination IP address and port 826 that specify the destination to which the package was submitted.

A user ID field 828 indicates the user who submits the package. The user ID can be an entry in the LDAP database 130 . 132 or 134 , to be assigned to receive further information about the user.

A status field 830 indicates the status of an operation and may include a result code, an error code, and the like. For example, for a packet filter service, the status field may include the result code "p" if the packet could pass, or "b" if the packet was blocked.

An operation field 832 contains codes for the operation type offered by the service. Operations for a VPN service may include, for example, sending packets and receiving packets. Operations for an FTP service may include GET and PUT operations. Operations for an HTTP service may include GET and POST operations.

In addition to the above, each log entry includes an in bytes field 832 that specifies the number of bytes the Policy Enforcer received as a result of an operation and an Out Bytes field 834 that specifies the number of bytes submitted by the policy enforcer. It is also in a permanent field 836 the duration (eg in seconds) of the operation specified.

Certain Fields can in certain log entries be left free if you are for do not apply to a particular service, such as one FTP download. If there is no outgoing traffic, the Out Bytes field will be released. Furthermore you can dependent on additional fields are inserted by the type of service being logged. For example, an HTTP operation becomes the URL that is accessed is also recorded in the log entry. The additional Fields are preferably at the end of the standard log format attached.

Of the Professional will certainly recognize that adding, deleting and other types of changes can be done in protocol format, as long as the log format for All Policy Enforcers are the same and aim to have compact protocols to create.

The policy enforcers 124 . 126 Created log files are sent to the policy server based on the archive options specified by the policy server 122 transfer. To do this, the network administrator specifies a maximum size for the logs that are created by the policy enforcers by selecting the policy server archive option 752 out 9 , If the log file exceeds the specified size, it will be sent to the policy server 122 sent. Preferably, the logs are sent to the policy server at least once a day 122 even if the maximum size has not been exceeded. The logs can also be archived locally in the Policy Enforcer if so designated by the network administrator.

Once the policy server 122 When the logs are received, they are stored in the archive database 318 stored, preferably in the form of an SQL database. The policy server report module 316 queries this database for reports for each policy enforcer 124 . 126 , to create. In addition, the logs can be exported in a format that can be interpreted by commercial products such as WEBTRENDS, a product of WebTrends Corporation of Portland, Oregon.

The report module 316 Reports created include usage reports for the various resources, such as policy enforcers, users, services, hosts, and VPNs. For example, these reports can include VPN overviews, bandwidth overviews, packet filter reports, and the like for each policy enforcer.

The reports preferably indicate the use of all resources over a period of time. Start and end times for the report can be specified by the user. The user can also set the time dimension or resource dimension to display specific times and specific resources. For example, when creating the packet filter reports, the user can specify a start and an end time, the source IP address, the source port, the destination IP address, and the destination port. All packages that meet these criteria are then removed from the archive database 318 and displayed in a package report.

VIII. METHOD OF SELECTIVE LDAP DATABASE SYNCHRONIZATION

According to one embodiment of the invention, the databases are 130 . 132 . 134 , in the single policy management system 1 LDAP databases that store policy management information, including policies for firewall, VPNs, bandwidth, management, user records, network logs, services, and the like. As described above, the LDAP directory service model is based on the entries, where each entry represents a collection of attributes. The entries are arranged in a tree structure, which depends on the geographical and organizational structure. The entries are marked with a unique name (DN) according to their position in the hierarchy.

The policy server 122 preferably stores the policy management information for all policy enforcers in the policy server database 130 , This information is in the database 130 organized in the form of one or more DNs with the corresponding attributes. The corresponding portions of the policy server database are then added to the Policy Enforcer databases 132 . 134 , copied.

23 is a block diagram of an LDAP tree that is an LDAP root 265 and a variety of branches 264 . 266 . 268 . 270 , includes. According to one example, the policy server maintains 122 in the policy server database 130 branches, 264 and 266 , with policy management information for all Policy Enforcers 124 . 126 , Each policy enforcer 124 . 126 , also cultivates shares of branches 264 and or 266 in the respective policy enforcer databases 132 . 134 , as sub-branches of the policy server database 130 , The shares of each policy enforcer 124 . 126 , maintained branches preferably refer to configuration information for this policy enforcer as well as some additional information about the other policy enforcers. This additional information is used to communicate with the other policy enforcers.

The policy server 122 can also do the branch 268 with storage information used only by the applications running on the server and the other policy enforcers 124 . 126 , not available. Similarly, the policy enforcers 124 . 126 , a share of the branch 268 maintain information that is only used by the applications on the policy enforcers and unavailable to others. Typically, those in branch 268 stored data is dynamically generated and used by the applications running on the corresponding server or agent.

branch 270 is preferably only for the policy server database 130 is included in the LDAP tree and stores the logged policy management changes sent to the Policy Enforcer 124 . 126 can be forwarded. Such changes include, for example, adding, deleting or changing a user for a device, VPN cloud, bandwidth policy or firewall policy, which is performed by the network administrator through the various graphical user interfaces described above. Such changes result in an update of the policy database 130 where the corresponding DN is added, deleted or changed to the LDAP tree. The policy server 122 also creates a log of the changes and saves them in branch 270 for later distribution to the policy enforcers 124 . 126 ,

24 is a more detailed block diagram of branch 270 the LDAP tree 23 , The LDAP root 265 includes an ApplyLog entry 270a which in turn is a user log entry 270b and a device log entry 270c includes. The user log entries include specific administrator log entries associated with specific DNs 270d which reflects the changes provided by the respective administrators. The device log entry 270c includes specific device log entries containing specific DNs 270e that reflect the changes made to the respective policy enforcers 124 . 126 , to be distributed. Preferably, the changes made by the administrators after pressing the "Apply" button, such as the in 6 displayed button "Apply" 417 to the policy enforcers 124 . 126 , forwarded.

25 Figure 3 is a flow chart for logging and forwarding the LDAP changes to policy enforcers according to an embodiment of the invention. In step 420 A specific network administrator makes a change to a policy setting. According to one example, the administrator is the administrator "adm" working in the domain "domain1" and the change is adding a new user for a device.

In step 422 is the change made by the administrator in the policy server database 130 implemented. For this purpose, the branches 264 and 266 Modified the LDAP tree to reflect the policy setting change. Additionally, the policy server creates 122 in step 424 a log of changes for the administrator for later processing and shipment to the appropriate policy agent. In step 426 updates the policy server 122 the log of the administrator 270d to reflect the change. In the above example and as shown in FIG 24 the created protocol is called "A_L1" and the policy server 122 updated DN 270d for "adm" in "domain1" to get an "Apply" attribute 270f create the value "A_L1" 270g having. Other changes made by the administrator are recorded in separate logs (eg "A_L2", "A_L3") and to the existing value of the Apply attribute in the administrator log DN 270d attached.

In step 428 checks the policy server 122 whether the changes made by the administrator to the appropriate policy enforcers 124 . 126 , should be forwarded. As discussed above, it is preferred that the changes be forwarded upon actuation of the "Apply" button on the administrator's graphical user interface.

When the "Apply" button has been pressed, the policy server creates in step 430 a log for each policy enforcer to whom the change should be submitted. For this purpose, the policy server is detected 122 Any changes made by the administrator in the values 270g . 270h the Apply attribute 270f the administrator's log DN 270d are included.

These changes are processed for each policy enforcer that belongs to the administrator's domain. This processing preferably includes reading out the relevant changes and the corresponding change of DNs for the Policy Enforcer LDAP. Such changes may be due, for example, to differences in the tree structures in the policy server database 130 and Policy Enforcer databases 132 . 134 , to be required. For example, a change in the admin protocol may include a DN that specifies the domain name of the policy enforcer. Applying this change to the policy enforcer does not specify the domain name in the DN because the Policy Enforcer tree does not contain a domain name.

The appropriate changes made to each Policy Enforcer's LDAP are then stored in a device log. The log DNs of all policy enforcers 270e will then be adapted to the change and sent to the respective policy enforcer. In the above example and as shown in FIG 24 the created device protocol is called "PE_L1", the policy server 122 updates the DN 270e for the respective policy enforcer "PE1" in "domain1" to an "Apply" attribute 270i create the value "PE_L1" 270j having.

In step 432 becomes the Apply attribute 270f for the Administrator Protocoll DN 270d deleted from the LDAP tree. In step 434 will be the changes read out for each Policy Enforcer in the values 270j and 270k the Apply attribute 270i Policy Enforcer Protocol DN 270e to the Policy Enforcer to update its database 132 . 134 , transmitted. The changes are preferably sent over the HTTPS channel to the policy enforcers.

In step 436 checks the policy server 122 whether the updates were successful. The policy server waits for this purpose 122 until it receives confirmation from the Policy Enforcer that the updates have been successfully completed. After a positive response from the policy enforcer, the policy server deletes 122 the Apply attribute 270e from the policy DN of the policy enforcer 270e , If the update, however was unsuccessful (for example, because the Policy Enforcer was disabled), the Apply log is resent the next time another Apply function is called. Alternatively, the failed policy enforcer submits a request to the policy server 122 on the log of unimplemented changes as soon as it is back online (eg after a reboot).

IX. STATUS TRANSITION PROTOCOL FOR HIGHLY AVAILABLE UNITS

According to one embodiment of the invention, the policy server 122 , the policy enforcers 124 . 126 , as well as other network devices, are configured for high availability by having a spare unit in addition to the primary unit.

26 is a schematic block diagram of a high availability system consisting of a primary unit 902 and a reserve unit 904 , The two units, 902 and 904 , communicate with each other by using the parallel ports 906a . 906b and a cable 908 Exchange heartbeats. In these parallel connections 906a . 906b , as well as the cable 908 these are conventional components that are commonly available in the art.

The primary unit 902 and the reserve unit 904 are each in a similar way with the other components 910 . 912 . 914 , about the connections 920a . 920b . 922a . 922b . 924a , respectively. 924b , connected. With these components 910 . 912 . 914 , may be hubs, switches, connectors or the like. As the primary unit 902 and the reserve unit 904 ensure similar services and functions and can be used interchangeable, each unit is preferably with the same components 910 . 912 . 914 , connected.

The parallel connection cable 908 is preferably a conventional LAP interconnect cable designed to connect two parallel ports and communicate with one another. The primary unit 902 and the reserve unit 904 preferably communicate via TCP packets over the highly available ports 906a . 906b , together. Preferably, a point-to-point connection exists between the primary unit 902 and the reserve unit 904 over the highly available connections 906a . 906b ,

Preferably, the primary unit 902 responsible for checking the status of their network connections for faults or failures. If the primary unit 902 For example, it detects that one of its network connections is not ready for operation, eg connection 922a , checks the primary unit 902 whether the corresponding connection 922b in the reserve unit 904 is ready for use. After finding that the corresponding port 922b in the reserve unit 904 is ready, sends the primary unit 902 a request to the reserve unit 904 to adopt the system functions as an active entity. The primary unit 902 then gives up its role as an active unit, shuts itself off and allows the reserve unit 904 , the tasks of the primary unit 902 to take over. If the primary unit 902 resumes operation receives the reserve unit 904 a request from the primary unit 902 to give up her role as an active entity.

If the primary unit 902 is active and does not detect any faults at its connections, it permanently checks the fault-tolerant connection 906a to the status of the reserve unit 904 to monitor. The primary unit 902 checks the fault-tolerant connection 906a to signals from the reserve unit 904 , If the reserve unit 904 is switched on and running, it connects to the primary unit 902 ago. Once the connection is made, the reserve unit starts 904 with the sending of heartbeats to the primary unit 902 , The reserve unit 904 continuously sends heartbeats to the primary unit at predefined intervals 902 , According to one embodiment of the invention, the reserve unit sends 904 a "keep alive" packet once per second, including a KEEP ALIVE command to the primary unit 902 ,

The primary unit 902 responds to the "Keep Alive" packet by modifying the command field of the packet into a KEEP_ALIVE_RESP command and returning the packet to the sender 904 over a predefined period of time (eg one second) no response to the "Keep Alive" packet from the primary unit 902 receives, the reserve unit begins 904 to prepare for taking on the active role. The predefined time period should preferably not be longer than two consecutive "keep alive" packets.

After taking over the role as active unit, the reserve unit tries 904 at regular intervals, reconnect to the primary unit 902 to determine whether the malfunction or failure of the primary unit has been remedied. If the fault or failure has been rectified, the reserve unit indicates 904 the control to the primary unit 902 starting after getting the IP addresses of all network cut reset to the appropriate value.

In situations where the reserve unit 904 the active role of the primary unit 902 a warning / alarm message is sent to the network administrator in which this change is displayed. If the primary unit 902 no more heartbeats from the reserve unit 904 A warning / alarm message is also sent to the network administrator indicating that the backup unit has failed.

It may occur the situation in which both the primary unit 902 as well as the reserve unit 904 are fully functional and the reserve unit 904 still want to take the active role. In this case, the reserve unit transmits a shutdown command to the primary unit 902 which then gives the control. The reserve unit 904 continues its role as an active unit until the primary unit 902 a request to the reserve unit 904 to give up her active role.

According to one embodiment of the invention, the initial protocol for determining the status of each fault-tolerant unit as a primary, standby or stand-alone unit is based on a self-test method. 27 FIG. 10 is a flowchart of an exemplary status determination process according to an embodiment of the invention. FIG. In step 930 A first highly available unit (unit X), which has not yet definitively determined its status as primary or reserve unit, moves up and takes over in step 932 the role of a reserve unit. In step 934 Unit X searches the network for a primary unit and asks in step 936 on whether a primary unit has been detected. If the answer is YES, unit X will attempt to connect to the primary unit. If this is successfully established, unit X will initialize in step 938 as reserve unit. However, if unit X does not capture a primary unit, unit X takes over in step 940 the role of the primary unit.

In step 942 Unit X searches the network for a reserve unit. If a reserve unit is detected, as in step 944 requested, unit X connects to the reserve unit and initializes in step 946 as a primary unit. However, if unit X does not detect any other units in the network within a predefined period of time, unit X will initialize in step 948 as a standalone unit.

Once the primary and secondary units have been initialized, the primary unit configuration changes are also communicated to the reserve unit to synchronize the two units. The configuration information is preferably stored in an LDAP database, such as the central policy server database 130 or a policy agent database, 124 . 126 , saved.

28 FIG. 10 is a flow chart of a process for synchronizing the configuration information of the primary and spare units. In step 950 moves the primary unit up and in step 952 she records the reserve unit. In step 954 the reserve unit receives the information about the configuration changes from the primary unit, if it is functional. Otherwise, the network administrator will enter the configuration changes directly into the reserve unit. If the configuration changes are to be transmitted to the primary unit, the primary unit notifies the standby unit if configuration changes occur in the primary unit. The changes are then transmitted to the reserve unit and implemented. The reserve unit, in turn, transmits the status of transmission and conversion back to the primary unit.

In step 956 the primary unit is checked to determine if it is functional. If this is the case, the primary unit is updated equally with the configuration change. If, however, the primary unit does not function, the reserve unit takes over the active role and becomes in step 958 to the active unit. The primary unit may become inoperative due to CPU, network interface card, or power failure and become inactive.

In step 960 the reserve unit marks the changes to be transmitted to the primary unit as soon as the primary unit becomes operational. As soon as the primary unit becomes operational, the primary unit is updated with the changes marked by the reserve unit as in step 962 shown.

According to one variant The invention will be software updates in the primary and the reserve unit also synchronized to the primary and the To update reserve unit serially in a single cycle, without having to perform several update cycles. The network administrator must therefore do its work to update the reserve unit Do not duplicate with the same information as the primary unit.

29 Figure 10 is an exemplary flowchart for updating the primary and reserve units when both are operational. In step 970 For example, an update, such as a software update not stored in the LDAP databases, is sent / transmitted to the primary unit by a management station accessible to the network administrator. The primary unit then updates in step 972 yourself. In step 974 the primary unit automatically sends / transmits the update information to the reserve unit. In step 976 itself updates the reserve unit with the update information received from the primary unit.

30 is an exemplary flowchart for updating the primary and backup units when the primary unit is not functional. In step 978 the primary unit becomes inoperable and in step 980 the network administrator sends / transmits an update directly to the reserve unit instead of to the primary unit. In step 982 itself updates the reserve unit with the information it has received from the management station and waits until the primary unit becomes operational again. As soon as the primary unit becomes operational, the update in step 986 automatically sent / communicated to the primary unit for updating. The primary unit updates in step 988 even.

Even though the present invention in detail with reference to the preferred variants has been described, it is for The expert certainly understands that the various changes and modifications made to the examples described herein can be.

The uniform policy management system 1 For example, it should be considered as an example rather than a limitation. It will be obvious to those skilled in the art, after reviewing the present invention, that numerous alternative configurations are possible. For example, additional networks with policy enforcers or no additional networks may be present. Likewise, the policy enforcers do not necessarily have to access the policy server over the Internet, but can connect using other means, such as WAN, MAN, etc. In short, the number and type of users and resources within and outside the organization can vary significantly without exceeding the scope of the present invention. Legends to the figures Figure 1 Policy Enforcer Policy Enforcer Policy Server Policy Server Public Internet Public Internet router router Web server Web Server Figure 2 Admin. Groups administrator groups Admin. Policies Administrator Policies administrator administrators Alarms alarms Alternate DMZ Alternating DMZ Alternate LAN Alternating LAN Archive Archive Authentication authentication Bandwidth bandwidth certs certifications Config. configuration Control control Device device Device Group equipment group Dimensions Dimensions Direct proxy Direct proxy Dynamic routes Dynamic routes FW Policy Firewall Policy Global Info Global information Group Root group root host host Host Group host group License approval NOT A WORD administrative organization Nat National Nat pool National pool Networks nets Policy Server Policy Server Policy Server Domain Domain of the policy server Priv. Key Priv. key Proxy port Proxy port Resource Root resource source Routes stretch Rules regulate service service Service Group services group sites Locations SNMP Settings SNMP settings Thresholds limits Time Time User user User Group user group Video Nat Video, national VPN clouds VPN clouds weights weights Figure 3 Administrator Administrator Centralized Management Central Administration Log Collecting and Archiving Log collection and archiving Multi-site connectivity management Manage multi-site connectivity Policy Management Policy management Policy Server Reports Policy Server Reports Secure Role Based Management Secure, role-based administration Figure 4 Administrator Administrator Configuration Interface Configuration interface Data collector data collection Global Monitor UI Global Monitor UI Policy Server Install Installation of the policy server Policy Enforcer Install Installation of the Policy Enforcer Figure 5 begin begin Install and Connect Device to Network Install the device and connect to the mains Add Device to Device Group Add a device to a device group Transmit Registration Packet Submit registration package Serial NO. Matched Match the serial numbers YES Yes No No Package Settings for Policy Enforcers Package Settings for Policy Enforcers Transfer File to Policy Enforcer Submit file to Policy Enforcer Initialize Configuration Database Initialize configuration database End The End Figure 6 & 7 Add New Device Add a new device address address Admin. Administrator Alarms alarms Alles All All Devices All devices All Devices' status Status of all devices Applet Viewer: Presentation Mainmenu Applet Viewer: Presentation of the main menu Apply Apply Attached Device Group Associated device group Back Back Bandwidth bandwidth Cancel Abort description description Device Explored Edited device Device Name Device name (Boston) Device Serial Number Serial number of the device East Coast Device Group Equipment group East Coast Edit To edit favorites favorites File file Forward Further Global Monitor Explored Edited general monitor Global Spam List General spam list Global URL Blocking General URL blocking Go Go to Help Help Left Left Location Location Manager Manage monitor Monitor Surname Surname Network network Network status Network Status OK To confirm Policy Server Policy Server Policy Server Archive Options Policy server archive options Policy Server System Settings Policy server system settings Registered Registered Remove Clear Reports reports reset Reset to default Stop stop System load system load Time Time UITeam UI team Up / Down Next Back View view VPN Connections VPN connections Figure 8 Manager Manage monitor Monitor Reports reports Admin. Administrator Apply Apply Help Help User Explored Edited user Alles All Admin User Administrator users Sales and Marketing sales and marketing Finance finances Manufacturing production Customer Service Customer service Engineering development Mobile Users Mobile users Partners partner VPN Users VPN users firewall firewall VPN VPN Bandwidth bandwidth administration administration Policy List Policy List Add Add Modify To change Delete Clear up Further down Back filter filter Print To Print Refresh Reload ID ID order sequence description description Action action Active active User user source source Services services Allow any Allow all User Group user group Alles All Spam blocking Block spam Host group Host group URL blocking Block URL VPN Key Ma .. VPN key manager Internet Acc ... Internet account Allow Allow Figure 9 Device Explored Edited device Policy Server Policy Server System Settings system settings Archive Options archive options Global URL Blocking General URL blocking Global Spam List General spam list Alles All UITEam UI team Authentication Settings Authentication Settin East Coast Device Group Equipment group East Coast Modify URL of Aspen Change URL for Aspen Enable List Download Free download the list Download URL Download URL Password password Day of the Week weekday Time of Day daytime Profile Management profile management Categories Categories Violence and Profanity Violence and denigration Sexual text Texts with sexual content Sex education sex education Sports and Leisure sport and freetime Partial Nudity Permissive representations Gross Depictions Immoral pictures Gambling gambling Full Nudity nude Photos Militant and extremist Militants and extremist representations zero Void OK To confirm reset Reset to default Cancel Abort Figure 10 Manager Manage monitor Monitor Reports reports Admin. Administrator Apply Apply Help Help Host Explored Edited host Alles All LAN LAN WAN WAN DMZ / server DMZ / Server Sales and Marketing sales and marketing Engineering development Manufacturing production Finance finances Partners partner Remote sites Remote locations Mobile Users Mobile users Customer Service Customer service Add New Host Add new host Surname Surname IP Address IP address Netmask netmask External host External host External Device IP Address IP address of the external device Device device Attachted Host Group Related host group Remove Remove OK To confirm reset Reset to default Cancel Abort Figure 11 Manager Manage monitor Monitor Reports reports Admin. Administrator Apply Apply Help Help Service Explored Edited service Alles All Multimedia Streaming / Conferencing Multimedia streaming / conferencing Information retrieval information retrieval Security and Authentication Security and authentication Mail Applications Mail applications Routing Protocols Routing Protocols Standard protocols Standard protocols Database Applications Database Applications Popular Internet Protocols Common Internet Protocols Modify service Service change Name - http and URL Tracking Name - http and URL tracking description description http with URL Blocking enabled http released with URL blocking grade Type Attached Service Group Associated service group http Configuration http configuration Enable URL blocking Release URL blocking OK To confirm reset Reset to default Cancel Abort Figure 12 Manager Manage monitor Monitor Reports reports Admin. Administrator Apply Apply Help Help Time Explored Processed period Alles All Any Any Evening Eve Work working time Weekends weekends Modifiy Time Work Change working hours Surname Surname description description Working Hours / Week Days Working hours / weekdays Day of Week / Hour of Day Day / Time Sunday Sunday Monday Monday Tuesday Tuesday Wednesday Wednesday Thursday Thursday Friday Friday Saturday Saturday AM / PM Morning afternoon OK To confirm reset Reset to default Cancel Abort Figure 13 firewall firewall Bandwidth bandwidth administration administration VPN policy VPN Policy West / East Coast Cloud Cloud West / East Coast Host Group Host group Customer Service Customer service Device device Users Group user group Rules regulate sites Locations Users user VPN Rule VPN rule order assignment Desc: description Policy Created by System for VPN Cloud Functioning Policy to share the VPN cloud feature was created by the system Figure 14 firewall firewall Bandwidth bandwidth administration administration New / FW Policy New / Firewall Policy description description Action action Allow release Active active User user source source Services services Destination aim Time Time Authentication: None Authentication: None OK To confirm reset Reset to default Cancel Abort Figure 15 DNMON domain New route New route gate gate PDP engine PDP machine kernel kernel VPN Driver VPN driver Figure 16 & 17 Setup File Setup file VPN Reachability Configuration File VPN reachability configuration file Client's VPN Preshared Key File File with the predefined VPN client codes Self-extracting executable Self-extracting program file Static Portion (Executable) Static part (program file) Dynamic Portion (Dynamic Configuration) Dynamic part (Dynamic configuration) Replace Dynamic Portion with client-specific VPN configuration Replace dynamic share with client-specific VPN configuration Verify Authentication Check authentication VPN client VPN client Client opens https connection Client opens https connection Reques Authentication Authentifizierungsanfraqe Respond to Authentication Transmit authentication Deliver self-extraction executable Transfer self-extracting program file Policy Enforcer Policy Enforcer Authentication / Authorization DB Database for authentication / authorization VPN Configuration DB Database for VPN configuration Access VPN Configuration Access to VPN configuration Figure 18 IP SEC engine IP SEC machine Packet Forwarding packet delivery Stream Table Data stream table Stats status Protocol Classification Engine Protocol classification engine Policy engine Policy engine B / W management B / W Management Figure 19 Policy Request Table Policy-up table Decision engine decision engine User Group user group Host Group Host group Service Groupe services group Time Group time group Policy Rules Database Buffer Database cache for policy rules Resource Engine Resource machine Figure 20 Stream data assembly Compilation of the data stream Sliding Stream Data Window Sliding stream data window ANS. 1 Answer 1 Protocol Classification State Machine Machine for the status of the protocol classification Protocol Definition Signature DB Database for the signature of the protocol definition Figure 21 PRNG Pseudo-random number generator Diffie Hellman Diffie-Hellman block IKE IKE block IPSEC SA Table IPSEC SA table RSA RSA block Bulk Cryptographic Transforms General encryption IPSEC Encapsulation / Decapsulation IPSEC encapsulation / de-encapsulation Figure 22-24 timestamp time stamp service service Source / Destination IP Address and Port IP address and source / destination connection User ID User ID status status surgery surgery In / Out bytes Incoming / outgoing bytes Duration duration LDAP root LDAP root Branch branch Apply Log application protocol User user Device device domain domain Apply Apply Figure 25 begin begin Admin. Makes a Policy Setting Change Administrator changes the policy settings Update LDAP Tree with Change Update the LDAP directory tree with the change Create Log with Change Create change log Update Admin. Log DN Update administrator log domain Apply Invoked Application called? Create Log for each Policy Enforcer in Domain Create a log for each Domain Policy Enforcer Clear Apply Attributes in Admin's Log DN Unique assignment of the attributes in the administrator log Transmit Updates to Policy Enforcers Submit updates to Policy Enforcer Update Successful? Update successful? Clear Apply Attributes in Unique application of Successful Policy Enforcers DN Attributes in the domain of the successful policy enforcer End The End Figure 26 Primary Unit primary unit Backup unit reserve unit Figure 27 begin begin Boot up go up Assume Role of First Class Unit Assumption of the role as primary unit Search Network for Second Class Unit Search for reserve unit in the network Second Class Unit Detected? Reserve unit detected? Yes Yes Initialize as First Class Unit Initialize as primary unit No No Assume Role of Second Class Unit Takeover of the role as reserve unit Search Network for First Class Unit Search for primary unit in the network First Class Unit Detected? Detected primary unit? Initialize as a second-class unit Initialize as reserve unit Initialize as a third-class unit Initialize as a third unit End The End Figure 28 begin begin Boot up primary unit Start up the primary unit Detect Backup Unit Enter reserve unit Receive Config. Changes Receive configuration changes Primary Functional? Primary unit functional? Yes Yes No No Backup Unit Becomes Active Unit Reserve unit becomes active unit Tag config. Changes Set day for configuration changes Update Primary Unit Update primary unit Figure 29 begin begin Management Station Sends Update Management station sends to primary unit Update to primary unit Primary Unit Updates Update of the primary unit Primary Unit Sends Update to Primary unit sends Backup unit Update to reserve unit Backup Unit Updates Updating the backup unit End The End Figure 30 Primary Unit Becomes Primary unit becomes nonfunctional inoperable Management Station Sends Update to Management station sends Backup unit Update to reserve unit Backup Unit Updates Updating the reserve unit Primary Unit Becomes Functional Primary unit becomes functional Backup Unit Sends Update to Reserve unit sends Primary Unit Update to primary unit Primary Unit Updates Update of the primary unit End The End

Claims (7)

Method of using a computer network comprising an edge device ( 124 . 126 ) with a private network ( 102 . 104 ), wherein the edge device ( 124 . 126 ) a table with information about each via the edge device ( 124 . 126 ) reachable member networks, wherein a remote subscriber terminal ( 140 ) as a VPN client ( 140 ), which uses VPN client software, to the private network ( 102 . 104 ), characterized in that said edge means ( 124 . 126 ) a copy of a self-extracting program file ( 290 ) of said VPN client software, said self-extracting program file ( 290 ) a setup program ( 292 ) and a template for VPN reachability configuration ( 299 ), whereby the setup program offers the possibility of the VPN client software on the VPN client ( 140 ) and wherein said template for the VPN reachability configuration ( 299 ) is replaced by the VPN reachability information available to a user ( 140 ) that downloads said VPN client software. Method according to claim 1, wherein said remote subscriber terminal ( 140 ) prior to downloading said VPN client software authentication information to the edge device ( 124 . 126 ) transmitted ( 324 ). Method according to one of the preceding claims, characterized in that the VPN client ( 140 ) downloads a self-extracting program file which, after execution, installs only said VPN reachability information relevant to said user ( 140 ) are specific. Method according to one of the preceding claims, characterized in that the VPN client ( 140 ) automatically downloads said VPN reachability information each time it connects to the edge device ( 124 . 126 ). Method according to claim 4, characterized in that said VPN client ( 140 ) performs a common CGI (Common Gateway Interface) query on a web server residing on the edge device ( 124 . 126 ), and downloads said VPN reachability information from an LDAP database. A computer network comprising an edge device ( 124 . 126 ) with a private network ( 102 . 104 ), wherein the edge device ( 124 . 126 ) a table with information about each via the edge device ( 124 . 126 ), the said computer network also comprising a remote subscriber terminal ( 140 ), which is configured to be used as a VPN client ( 140 ) on the private network ( 102 . 104 ) using VPN client software, characterized in that said edge device ( 124 . 126 ) a copy of a self-extracting program file ( 290 ) of said VPN client software, said self-extracting program file ( 290 ) a setup program ( 292 ) and a template for VPN reachability configuration ( 299 ), whereby the setup program offers the possibility of the VPN client software on the VPN client ( 140 ), and wherein said edge means ( 124 . 126 ) is configured to use said VPN reachability configuration template ( 299 ) to be replaced by VPN reachability information available to a user ( 140 ) that downloads said VPN client software. Computer network according to Claim 6, characterized that it is appropriately configured to perform the method according to a the claims 2 to 5 execute.