WO2001076190A2 - Application gateway system - Google Patents

Application gateway system

Info

Publication number
WO2001076190A2
Authority
WO
WIPO (PCT)
Prior art keywords
data
information
subscriber
module
access
Prior art date
Application number
PCT/US2001/010900
Other languages
French (fr)
Other versions
WO2001076190A3 (en)
Inventor
Randy Salo
Chris Van Hamersveld
Barry K. Shelton
Larry Herbinaux
Teddy D. Lindsey
Lee Inness-Brown
Jeffrey Martyn
Original Assignee
Wireless Knowledge
Application filed by Wireless Knowledge
Priority to AU2001249833A
Publication of WO2001076190A2
Publication of WO2001076190A3

Classifications

    • All classifications fall under H (Electricity), H04 (Electric communication technique), H04L (Transmission of digital information, e.g. telegraphic communication) and H04W (Wireless communication networks):
    • H04L 63/083 Network architectures or network communication protocols for network security, for authentication of entities using passwords
    • H04L 63/10 Network architectures or network communication protocols for network security, for controlling access to devices or network resources
    • H04L 63/168 Implementing security features at a particular protocol layer, above the transport layer
    • H04L 67/04 Protocols specially adapted for terminals or networks with limited capabilities; specially adapted for terminal portability
    • H04L 67/306 Network arrangements or protocols for supporting network services or applications; architectures and arrangements; user profiles
    • H04L 69/329 Intralayer communication protocols among peer entities or protocol data unit [PDU] definitions in the application layer [OSI layer 7]
    • H04W 12/068 Security arrangements; authentication using credential vaults, e.g. password manager applications or one time password [OTP] applications
    • H04L 63/0272 Network architectures or network communication protocols for network security, for separating internal from external traffic; virtual private networks
    • H04L 67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • H04W 8/18 Network data management; processing of user or subscriber data, e.g. subscribed services, user preferences or user profiles; transfer of user or subscriber data
    • H04W 8/20 Transfer of user or subscriber data
    • H04W 88/16 Devices specially adapted for wireless communication networks; gateway arrangements

Definitions

  • This invention generally relates to the field of communications and information network management. More particularly, the present invention relates to a novel system that allows remote end users to rapidly and securely access information from a variety of subscriber devices.
  • The problem with providing universal access to proprietary information is one of logistics. For example, it is common for an individual to keep sets of addresses on different devices, such as work addresses on a personal computer used at work, personal addresses on a home computer, and commonly called telephone numbers on a cellular telephone. Problems arise when the individual is at home and wishes to call or fax a work colleague but has no access to the work addresses from the home computer or any other available device. Further, urgent items, such as high-priority e-mails, may be unavailable to a subscriber for an extended period of time if the subscriber is equipped only with a personal digital assistant (PDA) and a cellular telephone unable to receive e-mail.
  • PDA personal digital assistant
  • an enterprise represents any entity maintaining or controlling information at a remote location from a subscriber. Examples of enterprise configurations include a secure corporate network, a dedicated server, or a publicly accessible web site network. Other enterprises may be employed which maintain and control certain information as may be appreciated by those of skill in the art.
  • Enterprises also have particular needs and preferences. For example, some corporate enterprises may maintain a network that interfaces with offices in different countries, and depending on the person accessing the information, he or she may have a particular language preference.
  • Certain enterprises also find it highly desirable to have a reconfigurable interface to provide updated graphics, information, and presence to network users. These subscriber interfaces may change rapidly in some industries. A system offering information access should therefore be readily reconfigurable and offer subscriber interfaces structured for the enterprise for use on a variety of input devices.
  • Such a system should be relatively easy to set up and maintain, and use readily available hardware and software wherever possible. Further, the system should provide for data access tracking and efficient security and authorization.
  • U.S. Patent Application 09/436,661 entitled "SECURE REMOTE ACCESS TO ENTERPRISE NETWORKS EMPLOYING ENTERPRISE GATEWAY SERVERS," to Randy Salo et al
  • U.S. Patent Application 09/438,819 entitled “DATA CENTER FOR PROVIDING SUBSCRIBER ACCESS TO DATA MAINTAINED ON AN ENTERPRISE NETWORK” to Randy Salo et al
  • U.S. Patent Application 09/438,033 entitled “ENTERPRISE NETWORK ARCHITECTURE,” to Randy Salo et al; U.S.
  • The Data Center approach can, in certain circumstances, introduce unwanted latency. Further, some enterprise personnel have expressed concerns about the security of transmissions to, and the maintenance of sensitive information at, a remote site such as a Data Center.
  • The present invention provides a system for remotely accessing subscriber information from an enterprise network in real time, the system comprising: a data network; a remote access device coupled to the data network, the remote device having browser capabilities to accommodate a request inputted by a subscriber to access the subscriber information; and an application gateway server hosting the subscriber information, the application gateway server comprising: a navigation module for receiving data in a predetermined format and accessing device-specific information; a session module for maintaining temporary data associated with the subscriber, said session module interfacing with said navigation module; a rendering module for obtaining the requisite browser data based on the desired action and current state; a data source module for obtaining subscriber information and passing said subscriber information to the navigation module; and an authentication module associated with said data source module for verifying subscriber credentials.
  • FIG. 1 illustrates a conceptual overview of the design of the current system;
  • FIG. 1A is an alternate conceptual view of the current invention;
  • FIG. 1B presents the basic elements of a wireless implementation of the network and access facility of FIG. 1A;
  • FIG. 1C is the front end of the enterprise network and shows the interaction between the wireless system and enterprise network;
  • FIG. 2A illustrates an embodiment of the enterprise network having a PPTP VPN Server;
  • FIG. 2B illustrates an embodiment of the enterprise network having an IPSEC Router/Firewall;
  • FIG. 3 provides a further simplified version of the current inventive system illustrating major components of the access facility and enterprise network;
  • FIG. 4 is an alternate implementation of the interface between the access facility and the enterprise network;
  • FIG. 5 illustrates the configuration of the enterprise dedicated server or messaging server;
  • FIG. 6 is an alternate embodiment of the current system wherein the dedicated server employs multiple information sources;
  • FIG. 7 presents another alternate embodiment of the current system employing a single firewall;
  • FIG. 8 illustrates another alternate embodiment of the current system using a dual firewall around the enterprise dedicated server or messaging server;
  • FIG. 9 is an alternative to the dual firewall configuration wherein the access database is behind both firewalls;
  • FIG. 10 shows a hardware-specific implementation of the current system.
  • FIG. 1 presents a conceptual overview of the design of the current system.
  • a subscriber has access to an input device, which may be one from a class of input devices 10 including, but not limited to, a cellular telephone 11, a personal digital assistant (PDA) 12, a Microsoft® Windows CE device 13, a desktop personal computer 14, or a laptop personal computer 15.
  • Other devices may be employed, such as a two-way paging device or palmtop computer, while still within the scope of the present invention.
  • the important characteristic of the class of input devices 10 is that each device must have the ability to receive information.
  • the input device transmits or receives information over a data link 16, such as a telephone line, dedicated computer connection, satellite connection, cellular telephone network, the Internet, or other data connection.
  • the data link 16 is connected to an access facility 17, such as an Internet service provider, cellular telephone carrier, telephone switching utility, or other data facility having the ability to receive data in particular formats (cellular telephone traffic, Internet traffic, data packets, and so forth) and convert and efficiently transfer that data over the internet or other data networks.
  • Access facility 17 provides users with access to information or data maintained at an enterprise network 22.
  • Data is transferred from the access facility 17 in Hypertext Transfer Protocol (HTTP) format over a communication link 18, preferably the Internet, to the remote enterprise 22.
  • HTTP Hypertext Transfer Protocol
  • other communication means may be employed, such as a telephone network, a PPTP tunnel through the internet, or other mechanism for efficiently conveying data traffic.
  • an application gateway server 19 receives data in HTTP format and relies on data stored in storage media 20.
  • Storage media 20 is preferably a SQL data storage server, but any type of data storage mechanism which can be rapidly accessed by the application gateway server 19 is acceptable.
  • The subscriber must first access the remote enterprise 22 using an access arrangement, such as an account and password, that verifies his or her identity.
  • the subscriber makes a request into the subscriber device, such as a cellular telephone, to view data, such as his or her e-mail.
  • The access facility 17 receives the request via the data link and passes the request through the communication link 18 and on to the enterprise network 22.
  • The enterprise network 22 processes the request for e-mail on the application gateway server 19 and obtains the necessary data pursuant to the subscriber preferences provided by the storage media 20 in the enterprise network 22. For example, the subscriber is presumed to have established that if he or she requests e-mail through his or her cellular telephone, only the first ten messages, alphabetized by the last name of the sender, should be provided. In that situation the enterprise network 22 obtains the requisite information and transmits the data back through the communication link 18 to the access facility 17, and from there via data link 16 to the requesting subscriber input device.
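The flow just described (verify the subscriber's account and password, then serve the mailbox according to the preferences stored for the requesting device, recording the access) as a runnable example. This is example code written for this page; it is not the patent's code or any Wireless Knowledge product. The password verifier format (salted PBKDF2-SHA256), the per-device preference schema, the audit record layout and the sample mailbox are all assumptions.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample mailbox: (sender last name, sender first name, subject).
# None of these people or messages come from the patent.
Message = Tuple[str, str, str]
MAILBOX: List[Message] = [
    ("Smith", "Tom", "Q3 budget review"),
    ("Adams", "Eve", "Lunch on Friday?"),
    ("Nguyen", "Lan", "Build is broken"),
    ("Brown", "Ann", "Re: offsite"),
    ("Clark", "Joe", "Expense report"),
    ("Diaz", "Ana", "Meeting moved"),
    ("Evans", "Bo", "Contract draft"),
    ("Ford", "Kim", "Vacation request"),
    ("Green", "Max", "Security training"),
    ("Hall", "Sue", "New hire paperwork"),
    ("Irwin", "Pat", "Parking"),
    ("Jones", "Lee", "Quarterly numbers"),
]

PBKDF2_ROUNDS = 100_000  # assumption; tune to the server's CPU budget


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a verifier from the password so the plaintext is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Subscriber:
    salt: bytes
    verifier: bytes
    # Hypothetical preference schema: per device type, how many messages to
    # return and which field to sort them by.
    prefs: Dict[str, Dict[str, object]] = field(default_factory=dict)


class AuthModule:
    """Authentication module: checks account/password against storage media 20."""

    def __init__(self) -> None:
        self.store: Dict[str, Subscriber] = {}

    def enroll(self, account: str, password: str, prefs: Dict[str, Dict[str, object]]) -> None:
        salt = os.urandom(16)
        self.store[account] = Subscriber(salt, hash_password(password, salt), prefs)

    def verify(self, account: str, password: str) -> bool:
        sub = self.store.get(account)
        if sub is None:
            # Hash anyway so an unknown account costs the same time as a wrong password.
            hash_password(password, b"\x00" * 16)
            return False
        # Constant-time comparison of the derived verifier.
        return hmac.compare_digest(hash_password(password, sub.salt), sub.verifier)


class Gateway:
    """Applies the subscriber's device-specific preferences and records each access."""

    def __init__(self, auth: AuthModule) -> None:
        self.auth = auth
        self.audit: List[Tuple[str, str, str]] = []  # (account, device, outcome)

    def fetch_mail(self, account: str, password: str, device: str, mailbox: List[Message]) -> List[Message]:
        if not self.auth.verify(account, password):
            self.audit.append((account, device, "denied"))
            raise PermissionError("invalid credentials")
        default = {"max_messages": len(mailbox), "sort_key": None}
        prefs = self.auth.store[account].prefs.get(device, default)
        messages = list(mailbox)
        if prefs["sort_key"] == "sender_last":
            messages.sort(key=lambda m: (m[0].lower(), m[1].lower()))
        result = messages[: int(prefs["max_messages"])]
        self.audit.append((account, device, f"served {len(result)}"))
        return result


def demo() -> List[Message]:
    """The text's example: ten messages, alphabetized by sender last name, on a cell phone."""
    auth = AuthModule()
    auth.enroll("tom", "correct horse", {
        "cell": {"max_messages": 10, "sort_key": "sender_last"},
        "pc": {"max_messages": 100, "sort_key": None},
    })
    return Gateway(auth).fetch_mail("tom", "correct horse", "cell", MAILBOX)


if __name__ == "__main__":
    for last, first, subject in demo():
        print(f"{last}, {first}: {subject}")
```

The dummy hash on an unknown account and the `compare_digest` call are the two details worth copying: together they keep the response time of "no such account" and "wrong password" indistinguishable, so the gateway does not leak valid account names to an outside caller.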
  • FIG. 1A illustrates an embodiment of the present invention.
  • The embodiment allows subscribers to securely and remotely access information residing in an independent enterprise network 403 in real time.
  • A subscriber, by virtue of a remote access device 104, makes a request across a network 100 to an access facility or Base Station Controller/Mobile Switching Center (BSC/MSC) 106 to supply subscriber information (e.g., messaging and collaboration information, such as electronic mail, appointment calendars, address/phone books).
  • BSC/MSC Base Station Controller/Mobile Switching Center
  • The enterprise network 403 retrieves the subscriber information and formats the information in accordance with the display capabilities of the remote access device 104.
  • the remote access device 104 may be connected to a "wireline" network (e.g., personal computer, kiosk, etc.) or may be connected to a wireless network (e.g., cellular phones, personal digital assistants (PDAs), Microsoft® Windows CE devices, etc.).
  • The remote access and retrieval of subscriber information resident in the enterprise network 403 is initiated by requesting the information on a remote access device 104.
  • These requests are initiated by inputting an address on a browser (or micro-browser) interface of the remote access device 104.
  • The address partially identifies the enterprise network 403 that the subscriber is associated with (i.e., company, employer, etc.) and may be in the form of an HTTP URL (Hypertext Transfer Protocol Uniform Resource Locator).
  • HTTP URL Hypertext Transfer Protocol Uniform Resource Locator
  • the request may be in other structured formats, including but not limited to XML encoded requests.
  • the remote access devices 104 have communication capabilities, allowing them to interface with wireless and wireline communication networks.
  • The remote access devices 104 are wireless and include devices that are well known in the art, such as hand-held wireless phones, Personal Digital Assistants (PDAs), Microsoft® Windows CE devices, and mobile computers. Such devices operate in wireless networks that include, but are not limited to, PSTN, CDPD, CDMA/IS-95, TDMA/IS-136, MOBITEX, and GSM networks. Each of these devices has a browser associated therewith.
  • these remote access devices 104 generally have graphical displays to accommodate their browsing capabilities.
  • The remote access devices may use different markup languages to interpret, format, and display the contents of the retrieved subscriber information.
  • Such languages may include Hypertext Markup Language (HTML), Handheld Device Markup Language (HDML), Extensible Markup Language (XML), Extensible Stylesheet Language (XSL), and Wireless Application Protocol (WAP) Wireless Markup Language (WML).
  • HTML Hypertext Markup Language
  • HDML Handheld Device Markup Language
  • XML Extensible Markup Language
  • XSL Extensible Stylesheet Language
  • WAP Wireless Application Protocol
  • the remote access devices 104 have communication capabilities to interface with a variety of communication networks including wireless communication systems.
  • FIG. IB illustrates the basic elements of a wireless implementation of network 100 in FIG. 1 A.
  • The remote access device 104 first communicates and sustains a session with the Base Station Controller/Mobile Switching Center (BSC/MSC) 106 via the wireless interface (i.e., air-link) Um in accordance with a wireless communication network scheme, such as CDPD, CDMA/IS-95, TDMA/IS-136, MOBITEX, or GSM.
  • the BSC/MSC 106 employs a transceiver to transmit to the remote access device 104 (i.e., forward link) and receive from the remote access device 104 (i.e., reverse link), consistent with the wireless network scheme.
  • the BSC/MSC 106 supervises, manages, and routes the calls between the remote access device 104 and the Inter- Working Function (IWF) 108.
  • IWF Inter- Working Function
  • the IWF 108 serves as a gateway between the wireless system 100 and other networks.
  • the IWF 108 is coupled to the BSC/MSC 106 and in many cases it may be co- located with the BSC/MSC 106.
  • The IWF 108 provides the session data between the remote access device 104 and the BSC/MSC 106 with an IP address, consistent with the well-known Internet Protocol (IP).
  • IP Internet Protocol
  • The Internet Protocol is a network layer protocol that specifies the addressing and routing of packets (datagrams) between host computers and specifies the encapsulation of data into such packets for transmission. Addressing and routing information is carried in the header of the packet. IPv4 headers contain 32-bit addresses that identify the sending and receiving hosts. These addresses are used by intermediate routers to select a path through the network for the packet towards its ultimate destination at the intended address. By providing the session between the remote access device 104 and the BSC/MSC 106 with an IP address, the session can be intelligently routed to other networks.
  • the IWF 108 is subsequently coupled to a system router 110, which interfaces with other networks, such as the Public Switched Telephone Network (PSTN) and other Wide Area Networks (WANs) providing internet- or secure/unsecure Intranet-based access.
  • PSTN Public Switched Telephone Network
  • WANs Wide Area Networks
  • Enterprise network 403 remotely and securely collects, processes, and formats the information residing therein and presents the information on the remote access device 104 in real time.
  • the desired information will be stored in a specialized database/messaging server within the ente ⁇ rise network 403, such as, for example, Microsoft® Exchange Server 5.5.
  • The enterprise network 403 includes an interface network 120.
  • the interface network 120 employs perimeter router 122 to interface with the wireless communication system 100, which transports the IP datagrams between the remote access device 104 and the BSC/MSC 106.
  • the interface is achieved by virtue of a WAN topology and may employ well-known Asynchronous Transfer Mode (ATM), Frame Relay, dedicated DS-1 (1.544 Mbps), DS-3 (45 Mbps) and other topologies.
  • The perimeter router 122 may connect to the enterprise network 403 through a firewall 124 to provide an added level of protection and further limit access to enterprise network 403 from the Internet.
  • firewalls are well-known security mechanisms that protect the resources of a private network from users of other networks, and further implementations of firewalls will be described below.
  • For example, enterprises that allow subscribers to access the Internet may install a firewall (or firewalls) to prevent outsiders from accessing their own private data resources and to control what outside resources their own subscribers have access to. Basically, firewalls filter incoming and outgoing network packets to determine whether to forward them toward their destination.
  • the firewall 124 interfaces with the gateway server 415.
  • Application gateway servers 415 are preferably implemented as servers that act as an intermediary between messaging/data servers 410 and Base Station Controller/Mobile Switching Center (BSC/MSC) 106.
  • Application gateway servers 415 provide a layer of abstraction between the messaging/data servers and the Base Station Controller/Mobile Switching Center (BSC/MSC) 106 that enables more efficient communication when communicating over a "slow" network such as the Internet.
  • Application gateway servers 415 are described in more detail below. If network 402 is a public network, such as the Internet, data transmitted over network 402 may be encrypted at its transmission site (e.g., Base Station Controller/Mobile Switching Center (BSC/MSC) 106 or enterprise network 403) and correspondingly decrypted at its reception site.
  • In this way, BSC/MSC 106 and enterprise network 403 effectively communicate with one another as if they were on a private network. This type of encrypted network communication is called a virtual private network ("VPN").
  • FIGS. 2A and 2B are block diagrams illustrating embodiments of the implementation of a VPN between Base Station Controller/Mobile Switching Center (BSC/MSC) 106 and enterprise network 403.
  • The VPN is implemented by encrypting information transmitted between Base Station Controller/Mobile Switching Center (BSC/MSC) 106 and enterprise gateway server 415 on enterprise network 403.
  • Base Station Controller/Mobile Switching Center (BSC/MSC) 106 encrypts the transmitted data using software 510 running thereon.
  • the encrypted data is transmitted over network 402 and decrypted by dedicated VPN server 515.
  • Data flowing from ente ⁇ rise network 403 to Base Station Controller/Mobile Switching Center (BSC/MSC) 106 is similarly encrypted at VPN server 515 and decrypted by software 510.
  • Firewall 520 may optionally be implemented in conjunction with VPN server 515 to limit unauthorized outsiders from accessing the private data resources of enterprise network 403 and to control what outside resources users at enterprise 403 have access to.
  • PPTP software 510 is software that implements the well-known Point-to-Point Tunneling Protocol (PPTP). Although PPTP software 510 is shown executing on a VPN server 515, it may alternatively be implemented in special-purpose PPTP routers or other network devices. (Editorial note: the MS-CHAP authentication and MPPE keying used by PPTP have publicly known weaknesses, so a practitioner building this embodiment today would prefer the IPSEC variant of FIG. 2B.)
  • PPTP Point-to-Point Tunneling Protocol
  • FIG. 2B illustrates another embodiment implementing a VPN between Base Station Controller/Mobile Switching Center (BSC/MSC) 106 and enterprise network 403, in which the tunnel is terminated by an IPSEC router/firewall rather than a PPTP VPN server.
  • IPSEC Internet Protocol Security
  • FIG. 4 illustrates an alternate implementation of the interface between the access facility and the enterprise network.
  • application gateway server 415 provides a MAPI (Messaging Application Programming Interface) interface 602.
  • MAPI 602 is a Microsoft® Windows program interface that enables software objects on application gateway server 415 to communicate with a MAPI-compliant information store, such as Microsoft® Exchange messaging server 410.
  • MAPI 602 provides the low level interface between application gateway server 415 and messaging server 410.
  • MAPI 602 accesses messaging server 410 based on commands from CDO (Collaboration Data Objects) object 604.
  • CDO 604 is an object in the COM (Component Object Model) framework for the development of component software objects.
  • COM provides the underlying services of interface negotiation, life cycle management (determining when an object can be removed from a system), licensing, and event services (putting one object into service as the result of an event that has happened to another object).
  • MAPI, the COM framework, and the CDO object are all available from Microsoft® Corporation.
  • CDO 604 in operation, processes requests from data center 190 to access messaging server 410.
  • Typical CDO requests include requests such as: retrieve the message object for a particular email of a particular subscriber, retrieve the subject of the email, and retrieve the time the email was sent. For each of these requests, CDO 604 accesses messaging server 410, retrieves the requested information, and returns the information to the requesting entity.
  • A further simplified version of the system is provided in FIG. 3. In FIG. 3, data is transmitted from the device 301 over the airwaves 302 to a Base Station 303.
  • Base station 303 uses a router 304 to provide data in the form of information packets over a connection 305, such as the Internet, to the enterprise network 311.
  • Enterprise network 311 includes router 306, router connection 307, enterprise gateway server 308, database 309, and information source 310.
  • Router 306 initially receives the request from the device 301 in the form of a URL and transmits the request to the dedicated (enterprise gateway) server 308 using router connection 307.
  • Application gateway server 308 and application gateway server 415 operate according to the mechanization depicted in FIG. 5.
  • ISAPI Internet Server Application Program interface
  • ISAPI is an Application Program Interface for Microsoft's IIS (Internet Information Server) Web server.
  • ISAPI enables Web-based applications that run much faster than conventional CGI programs due to tight integration with the Web server.
  • ISAPI is the first segment encountered by the browser request
  • interface module 501 represents a software interface and can be an interface other than ISAPI, such as Active Server Pages (ASP) or Device Mobility Interconnect (DMI), or any software having the ability to perform a software routing function and convert a URL into a method call.
  • The method call indicates the type of request made by the browser: which screen the user was on, which action the user initiated, or other similar information.
  • ASP Active Server Pages
  • DMI Device Mobility Interconnect
  • The interface module 501 passes the action to the navigation module 502, which is a state engine that effectively controls the retrieval and transmission of information at the enterprise network 403.
  • Navigation module 502 interacts with session module 505, which holds local variables, such as the temporary storage of the addressee, priority, subject, body, and so forth of an e-mail during its composition across multiple URL requests.
  • Session module 505 may include, for example, temporary variable ADDRESSEE with associated data TOM SMITH, temporary variable PRIORITY with associated data NORMAL, and so forth. All temporary variables are stored in the session module 505 and may be changed by the user. Once the user has completed the e-mail or other browser function, all variables are collected and transmitted.
  • the navigation module 502 acts within the framework depicted in FIG. 5 to use the current browser state and verb, seek and compile the requisite information, and respond with the next logical sequence, such as the next page, next action, or next item in sequence.
  • The temporary variables and data held in session module 505 exist only for the life of the session: a user logging out or disconnecting in the middle of a session will cause all data in the session module 505 associated with that user session to be lost. The same user initiating a new session will begin with no data in session module 505.
  • Navigation module 502 receives URL data and transmits web page data.
  • the navigation module 502 does not depend on the type of browser or type of device being used by the user. Rather, navigation module 502 merely receives URL data, acts accordingly by assembling the appropriate response to the URL action request, and returns browser appropriate data.
  • Render or rendering module 504 provides the necessary browser specific information to the navigation module 502 for transmission back to the particular device. Once a page id is known or recognized by the navigation module, an action indicates the page to where the user wishes to go.
  • The navigation module reads the page id (8510) and the action desired ("complete" entry) and knows that the action associated with "complete" is to transition to screen 8503.
  • Page 8503 is appropriate for the necessary browser used by the particular device.
  • the render module 504 obtains screen data from screen database 506 and passes that data to navigation module 502.
  • Screen specific data may include a title, graphics, and other information, while user data may include, for example, telephone numbers, addresses, priority levels, and so forth.
  • the user can scroll through the screen, select or otherwise act on the user data or screen data presented, and make a request.
  • User specific data is a data repository that can be refilled.
  • Screen data, such as the title of screen 8510, is implemented so as to be configurable by the user or the enterprise.
  • The navigation module 502 passes the screen type through to the render module 505 such that it can be used repeatedly, while passing through user data, such as headers for emails, as well as user data or user parameters, such as eight user specific e-mail headers, and thus tells the rendering module 504 what to place in certain locations within the browser page.
  • Navigation module 502 therefore hands off the request for a particular screen, email headers, title inbox, and so forth, to the rendering module 504, which locates the appropriate screen in the screen bank 506 and locates the necessary template, fills the template with the data provided by the navigation module 502, and passes the completed screen to the navigation module.
  • Rendering module 504 may hold hundreds of screens, including several screen 8510s for the various types of user devices available.
  • Rendering module 502 determines the type of browser being used by reading the header associated with the URL received and determines whether the device is a Netscape browser (if the word "mozilla" appears in the header), a Windows CE device if a Windows CE browser, and so forth. Once the type of device has been identified, that information is passed to render to retrieve and compile the appropriate information for transmission.
  • Data access module 507, also known as the information access or data source module, fetches and provides the requested user data.
  • After authenticating the user, the navigation module sends a request to data access module 507 to enter the user's mailbox.
  • Data access module 507 interacts with Exchange Server to initiate an active session.
  • Navigate module 502 recognizes from the incoming URL that it must obtain mailbox information and thus queries data access module 507 for the particular information sought, such as the first twenty emails, the first five contacts, or other data.
  • Data is transmitted in XML format, which is an abstract format, from the data access module 507 to navigation module 502.
  • The data access module interfaces with the data source 508, which is a Microsoft® Exchange Server holding all necessary mail, contact, and user data, including passwords.
  • The interface between data access module 507 and data source 508 enables obtaining and transmission of the necessary information. Reports back from the render module 505 or data access module 504 are subsequently compiled and transmitted to the user. In the event of an error, the navigation module 502 transmits an error screen or message back to the user indicating an error has occurred.
  • Other objects besides mail capability include contact management systems, sales force automation systems, customer management systems, Oracle or other database front ends. In these cases, servers other than Microsoft® Exchange Server are accessed by the data access module 507.
  • For purposes of authentication, the user initially enters a name and password, which passes to the navigation module and on to the data source, to authentication module 509.
  • The authentication module 509 queries the data source 508, which keeps track of permissible users on the system. Under the implementation illustrated, a user may enter with a username but cannot obtain information from the data source 508 without a password.
  • Authentication module 509 compares the entered password to the passwords stored on the data source 508 and, if correct, retrieves the requested data and passes the requested data to the navigation module 502. Thus passwords are stored with data.
  • The authentication module can use a username and password, but other authentication methods may be used to verify a user, including but not limited to retina scans, fingerprint verification, pass cards, and so forth. Data retrieved by these authentication methods is then compared against data maintained in data source 508, and data is passed only when verification is achieved.
  • Navigation module 502 obtains information such as username and identification information from database 503, which is typically a SQL database.
  • The database 503 only holds username data and not password data. This permits user access to the system based on entry of an acceptable username.
  • The enterprise network 403 performs the authentication outlined above.
  • Navigation module 502 evaluates the URL by parsing the information and making the call for necessary data. Once the navigation module has compiled the requisite information from the session module, rendering module, and data access module, the browser specific data is sent back through interface module 501 and to the device.
  • FIG. 6 shows an alternate mechanization employing multiple information sources, where one source 610 contains mailbox data, a second source 611 contact data, and the third source 612 messaging data or other user and enterprise appropriate data.
  • FIG. 7 illustrates the system employing a firewall 708 between router 706 and the application gateway server 710. The firewall 708 prevents unwanted internet access to the server and remainder of the configuration.
  • FIG. 8 illustrates yet another configuration in accordance with the current invention, including a dual firewall setup (firewall 808 and 812) surrounding application gateway server 710. Use of a dual firewall permits user access to server data while protecting data, such as mailbox, contact, or other user specific data, from persons having or desiring access to the enterprise but not having the appropriate need or credentials to access alternate information.
  • FIG. 9 illustrates an alternate configuration employing the database 915 behind both firewalls, such that users are permitted access to the application gateway server 910 without a username or other information, but must use the database to access any mailbox, contact, or other user specific data.
  • FIG. 10 is a hardware specific implementation of the current system, using an IIS Server 1001 as a front end, with the data access module accessing a Microsoft Exchange Server Version 5.5 1002, Microsoft Exchange 2000 Server 1003, Lotus Notes/Domino R5 1004, POP3 Server 1005, or IMAP4 Server 1006.
  • Other similar hardware may be employed while still within the scope of the current invention.
  • A further aspect of the current system is the ability for the system to determine the type of device accessing the system.
  • The system receives information over a data line including initialization information, account information, passwords, and so forth, in addition to browser information.
  • Browser information includes the information requested for the type of browser used, e.g. a Microsoft® Windows CE device indicates that it is using a Windows CE compliant browser.
  • Included in the browser information is header information from which the enterprise network 403 can determine the type of device transmitting the data.
  • The enterprise network 403 stores the information expected to be received from a particular browser; for example, the Netscape browser, used on desktop and laptop devices, may include the word "mozilla" in its header information.
  • The enterprise network 403 maintains predetermined expected header parameters for each anticipated input device. This predetermined information is preferably maintained in the SQL server. Upon connection between the input device and the enterprise network, the data center retrieves the browser header information and compares this information with the predetermined information and, if it determines a match, interfaces with the input device with input device specific data, e.g. screen size limitations, colors/greyscale data, and so forth. Thus the system does not require user input to determine the type of device addressing the enterprise network 415 and can transmit appropriate input device specific data to the user.
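The header-based device detection, the page id/action transition (8510 plus "complete" leads to 8503) and the template filling by the rendering module, worked through as one added Python example. This is illustrative code, not code from the patent or from Wireless Knowledge; the URL layout (`/gw?page=...&action=...`), the templates, the screen limits, the per-device item counts and the "back" transition are assumptions. The example also shows two things the description leaves implicit: the browser header is chosen by the client, so it may only select a template and must never drive an authorization decision, and user data placed into a page (mail subjects, contact names) is untrusted content that is escaped before rendering.

```python
"""Added example: browser detection, navigation and rendering for a gateway of
the kind described above. Illustrative code, not the patent's; every
identifier, template and limit below is constructed."""
import html
from urllib.parse import parse_qs, urlparse

# Expected header markers per device, as the page says the enterprise keeps in
# its SQL store. "mozilla" and the Windows CE marker come from the page; the
# screen limits and item counts are constructed sample values.
DEVICE_PROFILES = {
    "windowsce": {"marker": "windows ce", "width": 240, "color": "greyscale", "max_items": 8},
    "desktop":   {"marker": "mozilla",    "width": 800, "color": "color",     "max_items": 20},
}
FALLBACK_DEVICE = "desktop"

# Screen data (page id -> enterprise-configurable screen-level data) and the
# per-device templates of the screen bank: (head, one row, tail).
SCREEN_BANK = {8510: {"title": "Login"}, 8503: {"title": "Inbox"}}
TEMPLATES = {
    "desktop":   ("<h1>{title}</h1><ul>", "<li>{item}</li>", "</ul>"),
    "windowsce": ("{title}\n",            "* {item}\n",      ""),
}

# (page id, action) -> next page id. 8510 + "complete" -> 8503 is the page's
# own example; the "back" transition is constructed.
TRANSITIONS = {(8510, "complete"): 8503, (8503, "back"): 8510}


def identify_device(headers):
    """Match the browser header against the stored markers.

    The header is chosen by the client, so the result may only pick a
    template; it must never feed an authorization decision."""
    ua = headers.get("User-Agent", "").lower()
    # Most specific marker first: a Windows CE browser may also say "mozilla".
    for name in ("windowsce", "desktop"):
        if DEVICE_PROFILES[name]["marker"] in ua:
            return name
    return FALLBACK_DEVICE


def parse_request(url):
    """Extract page id and action from a request URL (constructed layout:
    /gw?page=8510&action=complete). Returns None for anything malformed or
    for a page id the screen bank does not know."""
    qs = parse_qs(urlparse(url).query)
    try:
        page_id = int(qs["page"][0])
        action = qs["action"][0]
    except (KeyError, ValueError):
        return None
    if page_id not in SCREEN_BANK:
        return None
    return page_id, action


def render(page_id, device, user_items):
    """Fill the device-specific template with screen data and user data.

    User data is untrusted content and is HTML-escaped before it is placed
    in the page; the number of items is capped per device profile."""
    head, row, tail = TEMPLATES[device]
    limit = DEVICE_PROFILES[device]["max_items"]
    title = html.escape(SCREEN_BANK[page_id]["title"])
    rows = "".join(row.format(item=html.escape(item)) for item in user_items[:limit])
    return head.format(title=title) + rows + tail


def navigate(url, headers, fetch_user_data):
    """One navigation step: parse the URL, look up the next page, render it.

    fetch_user_data(page_id) stands in for the data access module and returns
    the user items for that page. Returns (next page id, body); on a malformed
    request or unknown action the page id is None and the body is the error
    message the navigation module would send back."""
    parsed = parse_request(url)
    if parsed is None:
        return None, "error: malformed request"
    next_page = TRANSITIONS.get(parsed)
    if next_page is None:
        return None, "error: unknown action"
    device = identify_device(headers)
    return next_page, render(next_page, device, fetch_user_data(next_page))
```

Because the transition table is keyed on (page id, action) and the page id is checked against the screen bank before any lookup, an unrecognised URL produces the error screen rather than an exception, which is the behaviour the description assigns to the navigation module.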
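The two-step authentication (username known to the gateway database 503, password checked only against data source 508) and the session lifecycle (temporary variables lost on logout, a fresh session starts empty), as an added Python example. It is not the patent's or Wireless Knowledge's code; the class names are constructed stand-ins for the numbered modules, and where the page says the data source stores passwords, this example assumes salted PBKDF2 hashes instead. Two practitioner details are built in: both checks always run and return the same failure message, so the response does not reveal whether a username exists, and mailbox data is released only to a live session.

```python
"""Added example: two-step authentication and session lifecycle for a gateway
of the kind described above. Illustrative code, not the patent's; the class
names are constructed stand-ins for the numbered modules."""
import hashlib
import hmac
import os
import secrets

PBKDF2_ROUNDS = 50_000


def _derive(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class GatewayDirectory:
    """Stands in for database 503: usernames only, no password material."""

    def __init__(self, usernames):
        self._users = set(usernames)

    def knows(self, username):
        return username in self._users


class DataSource:
    """Stands in for data source 508 (the page names Microsoft Exchange Server),
    which holds both credentials and mailbox data. Assumption made here:
    credentials are kept as salted PBKDF2 hashes rather than plaintext."""

    _DUMMY_SALT = bytes(16)

    def __init__(self):
        self._creds = {}
        self._mailboxes = {}

    def add_user(self, username, password, mailbox):
        salt = os.urandom(16)
        self._creds[username] = (salt, _derive(password, salt))
        self._mailboxes[username] = list(mailbox)

    def verify(self, username, password):
        """Constant-time digest comparison; unknown users still pay the
        hashing cost so response time does not reveal whether they exist."""
        record = self._creds.get(username)
        if record is None:
            _derive(password, self._DUMMY_SALT)
            return False
        salt, digest = record
        return hmac.compare_digest(digest, _derive(password, salt))

    def mailbox(self, username, count):
        """The 'first N emails' query the navigation module issues."""
        return self._mailboxes[username][:count]


class SessionModule:
    """Stands in for sessions module 505: temporary variables that exist only
    while the session does; logout or disconnect discards them."""

    def __init__(self):
        self._sessions = {}

    def open(self, username):
        sid = secrets.token_urlsafe(32)  # unguessable session identifier
        self._sessions[sid] = {"user": username, "vars": {}}
        return sid

    def get(self, sid):
        return self._sessions.get(sid)

    def close(self, sid):
        self._sessions.pop(sid, None)


class AuthenticationModule:
    """Stands in for authentication module 509."""

    FAILED = "error: authentication failed"  # one message for every failure cause

    def __init__(self, directory, source, sessions):
        self.directory, self.source, self.sessions = directory, source, sessions

    def login(self, username, password):
        """Returns (session id, status). The username is checked against the
        gateway directory and the password only against the data source;
        both checks always run so the two failure paths look alike."""
        known = self.directory.knows(username)
        valid = self.source.verify(username, password)
        if not (known and valid):
            return None, self.FAILED
        return self.sessions.open(username), "ok"

    def logout(self, sid):
        self.sessions.close(sid)

    def fetch_mailbox(self, sid, count=20):
        """Data is released only to a live session; None otherwise."""
        session = self.sessions.get(sid)
        if session is None:
            return None
        return self.source.mailbox(session["user"], count)


def build_gateway():
    """Wire the modules with one constructed user so the flow can be exercised."""
    directory = GatewayDirectory(["alice"])
    source = DataSource()
    source.add_user("alice", "correct horse battery", ["msg %d" % i for i in range(25)])
    return AuthenticationModule(directory, source, SessionModule())
```

Keeping the password check entirely inside the data source stand-in mirrors the description's point that database 503 never holds password data: a compromise of the gateway's own database yields usernames only.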

Abstract

A system for permitting a subscriber to access subscriber information from a remote enterprise network in real-time is presented. The system includes a remote access device with browser capabilities for inputting requests to access the subscriber information. The remote access device communicates with an application gateway server, and the application gateway server rapidly and efficiently processes the requests to access the subscriber information and renders the requested subscriber information on the remote access device. The application gateway server includes a navigation module, a rendering module, a session module, a data access module, and an authentication module for efficiently retrieving user/subscriber data, such as mail, contact, or other user specific data and compiling and sending browser specific data to the input device.

Description

APPLICATION GATEWAY SYSTEM
Inventors:
Randy Salo
Chris van Hamersveld
Barry K. Shelton, P.E.
Teddy Lindsey
Larry Herbinaux
Lee Inness-Brown
Jeffrey Martyn
CROSS-REFERENCE TO RELATED APPLICATION
This application is a continuation in part of co-pending United States Patent Application No. 09/438,817, entitled "SECURE REMOTE ACCESS TO ENTERPRISE NETWORKS," to Randy Salo et al, filed on November 10, 1999.
BACKGROUND OF THE INVENTION
1. Field of the Invention
This invention generally relates to the field of communications and information network management. More particularly, the present invention relates to a novel system that allows remote end users to rapidly and securely access information from a variety of subscriber devices.
2. Description of Related Art
Recent innovations in wireless communication and computer-related technologies as well as the unprecedented growth of Internet subscribers have provided tremendous opportunities in telecommuting and mobile computing. In fact, corporate entities and enterprises are moving toward providing their workforces with ubiquitous access to networked corporate applications and data, such as, for example, e-mail, address books, appointment calendars, scheduling information, etc.
The problem with providing universal access to proprietary information is one of logistics. For example, it is common for an individual to keep sets of addresses on different devices, such as work addresses on a personal computer used at work, personal addresses on a home computer, and commonly called telephone numbers on a cellular telephone. Problems arise when the individual is at home and wishes to call or fax a work colleague, particularly when the individual does not have access to the work addresses from the home computer or any other available device. Further, different urgent priority items, such as urgent e-mails, may be unavailable to a subscriber for an extended period of time if the subscriber is equipped only with a personal digital assistant (PDA) and a cellular telephone unable to receive e-mail.
Along with the problem of maintaining data in various locations, users frequently have access to different devices, each having different data access abilities and requirements. For example, certain cellular telephones have speed dial or commonly called telephone numbers, but do not have the ability to receive e-mail. Certain cellular telephone handsets have the ability to receive alphanumeric pages, but some cellular service providers do not support this feature while others do. Also, many PDAs do not have the ability to receive over-the-air transmissions, but can synchronize with a database, such as a database associated with a personal computer and/or network. Other PDAs have the ability to receive and edit e-mail messages. Some systems or networks allow a subscriber to download her e-mail headers to a remote device and read some portion or all of the e-mail. After reading the e-mail on the remote device, some systems delete the e-mail while others maintain the e-mail on the system until read or deleted at the home system. Hence the ability for a subscriber to access, maintain, and dynamically utilize information is heavily dependent on the input device employed by the subscriber.
Further, certain organizations limit access to workers having a need to know the information maintained. For example, many corporations control e-mail using a dedicated server having restricted access, including using firewalls and encryption. Access to this information requires making the information available under conditions imposed and maintained by the corporation. For purposes of this application, a corporation or other entity, public, private, or otherwise, is referred to as an "enterprise." As used herein, an enterprise represents any entity maintaining or controlling information at a remote location from a subscriber. Examples of enterprise configurations include a secure corporate network, a dedicated server, or a publicly accessible web site network. Other enterprises may be employed which maintain and control certain information as may be appreciated by those of skill in the art.
While certain systems have been employed to provide access to information maintained at an enterprise, none have provided for access by multiple devices including PDAs, cellular telephones, personal computers, laptops, palmtops, Microsoft® Windows CE devices, and so forth. Further, those systems discussed in the literature that provide information access to users employing a limited set of input devices have suffered from accessibility and data latency problems. Accessibility issues involve providing access to the information by only offering access through a corporate Intranet or other internal access scheme. A subscriber wishing to review his or her e-mail on a laptop borrowed from a colleague frequently is denied access to the corporate information. Further, data latency universally inhibits the ability to access data. Users desire a fast response to the information they desire, and information on any device that takes longer than fifteen seconds to load is undesirable.
Additionally, certain enterprises wish to have control over information maintained on their networks, including maintaining password and account information for the enterprise users. It is therefore undesirable for the enterprise to offer sensitive data, such as subscriber information and passwords, to outside parties where the data may be compromised. Security issues, such as corporate firewalls and encryption of data, must in many instances be maintained and controlled by the enterprise rather than a third party. Certain enterprises also have particular needs and preferences. For example, some corporate enterprises may maintain a network that interfaces with offices in different countries, and depending on the person accessing the information, he or she may have a particular language preference. Certain enterprises also find it highly desirable to have a reconfigurable interface to provide updated graphics, information, and presence to network users. These subscriber interfaces may change rapidly in some industries. A system offering information access should therefore be readily reconfigurable and offer subscriber interfaces structured for the enterprise for use on a variety of input devices.
Such a system should be relatively easy to set up and maintain, and use readily available hardware and software wherever possible. Further, the system should provide for data access tracking and efficient security and authorization.
Systems fully addressing the aforementioned needs of users and enterprises are relatively unknown in the telecommunications, Internet, and mobile computing fields. Inventors currently employed by Wireless Knowledge, the assignee of the application, have invented a system utilizing a Data Center to provide access to the desired information over a series of laptops. Those applications include U.S. Patent Application 09/438,317, entitled "SECURE REMOTE ACCESS TO ENTERPRISE NETWORKS," to Randy Salo et al; U.S. Patent Application 09/438,815, entitled "METHOD OF PROVIDING REMOTE ACCESS TO SUBSCRIBER INFORMATION MAINTAINED ON ENTERPRISE NETWORKS," to Randy Salo et al; U.S. Patent Application 09/436,661, entitled "SECURE REMOTE ACCESS TO ENTERPRISE NETWORKS EMPLOYING ENTERPRISE GATEWAY SERVERS," to Randy Salo et al; U.S. Patent Application 09/438,819, entitled "DATA CENTER FOR PROVIDING SUBSCRIBER ACCESS TO DATA MAINTAINED ON AN ENTERPRISE NETWORK," to Randy Salo et al; U.S. Patent Application 09/438,033, entitled "ENTERPRISE NETWORK ARCHITECTURE," to Randy Salo et al; U.S. Patent Application 09/438,818, entitled "DATA TRANSMISSION ARCHITECTURE FOR SECURE REMOTE ACCESS TO ENTERPRISE," to Randy Salo et al; U.S. Patent Application 09/438,816, entitled "USER INTERFACE FOR USE WITH SECURE REMOTE ACCESS TO ENTERPRISE NETWORKS," to Randy Salo et al; and U.S. Patent Application 09/438,820, entitled "SYSTEM AND METHOD FOR DETERMINING REMOTE ACCESS DEVICE USED TO ACCESS ENTERPRISE NETWORK DATA," to Randy Salo et al, the entirety of which are incorporated herein by reference.
The Data Center approach can, in certain circumstances, provide unwanted and undesirable latency. Further, some enterprise personnel have expressed concerns about security of transmissions and maintenance of sensitive information at a remote site, such as a Data Center.
SUMMARY OF THE INVENTION
The present invention provides a system for remotely accessing subscriber information from an enterprise network in real-time, the system comprising: a data network; a remote access device coupled to the data network, the remote device having browser capabilities to accommodate a request inputted by a subscriber to access the subscriber information; an application gateway server hosting the subscriber information, the application gateway server comprising: a navigation module for receiving data in a predetermined format and accessing device specific information; a session module for maintaining temporary data associated with the subscriber, said session module interfacing with said navigation module; a rendering module for obtaining the requisite browser data based on desired action and current state; a data source module for obtaining subscriber information and passing said subscriber information to the navigation module; and an authentication module associated with said data source module for verifying subscriber credentials.
BRIEF DESCRIPTION OF THE DRAWINGS
The accompanying drawings, which are incorporated in and constitute a part of this Specification, illustrate an embodiment of the invention and, together with the description, explain the objects, advantages, and principles of the invention. In the drawings:
FIG. 1 illustrates a conceptual overview of the design of the current system;
FIG. 1A is an alternate conceptual view of the current invention;
FIG. 1B presents the basic elements of a wireless implementation of the network and access facility of FIG. 1A;
FIG. 1C is the front end of the enterprise network and shows the interaction between the wireless system and enterprise network;
FIG. 2A illustrates an embodiment of the enterprise network having a PPTP VPN Server;
FIG. 2B illustrates an embodiment of the enterprise network having an IPSEC Router/Firewall;
FIG. 3 provides a further simplified version of the current inventive system illustrating major components of the access facility and enterprise network;
FIG. 4 is an alternate implementation of the interface between the access facility and the enterprise network;
FIG. 5 illustrates the configuration of the enterprise dedicated server or messaging server;
FIG. 6 is an alternate embodiment of the current system wherein the dedicated server employs multiple information sources;
FIG. 7 presents another alternate embodiment of the current system employing a single firewall;
FIG. 8 illustrates another alternate embodiment of the current system using a dual firewall around the enterprise dedicated server or messaging server;
FIG. 9 is an alternative to the dual firewall configuration wherein the access database is behind both firewalls; and
FIG. 10 shows a hardware specific implementation of the current system.
DETAILED DESCRIPTION
The following detailed description of the embodiments of the present invention refers to the accompanying drawings that illustrate these. Other embodiments are possible and modifications may be made to the embodiments without departing from the spirit and scope of the invention. Therefore, the following detailed description is not meant to limit the invention. Rather the scope of the invention is defined by the appended claims.
It will be apparent to one of ordinary skill in the art that an embodiment of the present invention, as described below, may be realized in a variety of implementations, including the software, firmware, and hardware of the entities illustrated in the figures (i.e., remote access device 104, BSC/MSC 106 and IWF 108). The actual software code or control hardware used to implement the present invention is not limiting of the present invention. Thus, the operation and behavior of the present invention will be described without specific reference to the actual software code or hardware components. Such non-specific references are acceptable because it is clearly understood that a person of ordinary skill in the art would be able to design software and control hardware to implement the embodiment of the present invention based on the description herein.
FIG. 1 presents a conceptual overview of the design of the current system. From FIG. 1, a subscriber has access to an input device, which may be one from a class of input devices 10 including, but not limited to, a cellular telephone 11, a personal digital assistant (PDA) 12, a Microsoft® Windows CE device 13, a desktop personal computer 14, or a laptop personal computer 15. Other devices may be employed, such as a two-way paging device or palmtop computer, while still within the scope of the present invention. The important characteristic of the class of input devices 10 is that each device must have the ability to receive information.
The input device transmits or receives information over a data link 16, such as a telephone line, dedicated computer connection, satellite connection, cellular telephone network, the Internet, or other data connection. The data link 16 is connected to an access facility 17, such as an Internet service provider, cellular telephone carrier, telephone switching utility, or other data facility having the ability to receive data in particular formats (cellular telephone traffic, Internet traffic, data packets, and so forth) and convert and efficiently transfer that data over the Internet or other data networks. Access facility 17 provides users with access to information or data maintained at an enterprise network 22. Data is transferred from the access facility 17 in Hypertext Transfer Protocol (HTTP) format over a communication link 18, preferably the Internet, to the remote enterprise 22. In practice, other communication means may be employed, such as a telephone network, a PPTP tunnel through the Internet, or other mechanism for efficiently conveying data traffic.
At the remote enterprise 22, an application gateway server 19 receives data in HTTP format and relies on data stored in storage media 20. Storage media 20 is preferably a SQL data storage server, but any type of data storage mechanism which can be rapidly accessed by the application gateway server 19 is acceptable. In operation, the subscriber must first access the remote enterprise 22 using an access arrangement, such as an account and password verifying his or her identity. The subscriber makes a request into the subscriber device, such as a cellular telephone, to view data, such as his or her e-mail. The access facility 17 receives the request via the data link and passes the request through the communication link 18 and on to the enterprise network 22. The enterprise network 22 processes the request for e-mail on the application gateway server 19 and obtains the necessary data pursuant to the subscriber preferences provided by the storage media 20 in the enterprise network 22. For example, the subscriber is presumed to have established that if he or she desires e-mail through his or her cellular telephone, the information provided should be only the first ten messages, alphabetized by the last name of the sender. In such a situation, the enterprise network 22 obtains the requisite information and transmits the data back through the communication link 18, to the access facility 17, and to the subscriber via data link 16 to the requesting subscriber input device. To accomplish this, the enterprise network 22 must include a dedicated server 21 having a scalable, reliable and secure data access platform, such as Microsoft® Exchange Server, for ready access to the requested e-mail, calendar, or contact information.
FIG. 1A illustrates an embodiment of the present invention. The embodiment allows subscribers to securely and remotely access information residing in an independent enterprise network 403 in real time.
In one implementation, a subscriber, by virtue of a remote access device 104, makes a request, across a network 100, to access facility or Base Station Controller/Mobile Switching Center (BSC/MSC) 106, to supply subscriber information (e.g., messaging and collaboration information, such as electronic mail, appointment calendars, address/phone books). Access facility or Base Station Controller/Mobile Switching Center (BSC/MSC) 106 passes the subscriber information in the form of Internet data packets over network 402 to enterprise network 403. The enterprise network 403 retrieves the subscriber information and formats the information in accordance with the display capabilities of the remote access device 104. The remote access device 104 may be connected to a "wireline" network (e.g., personal computer, kiosk, etc.) or may be connected to a wireless network (e.g., cellular phones, personal digital assistants (PDAs), Microsoft® Windows CE devices, etc.).
The features and details of the various embodiments of the invention will be described below. The remote access and retrieval of subscriber information resident in the enterprise network 403 is initiated by requesting the information on a remote access device 104. Generally, these requests are initiated by inputting an address on a browser (or micro-browser) interface of the remote access device 104. The address partially identifies the enterprise network 403 that the subscriber is associated with (i.e., company, employer, etc.) and the address may be in the form of an HTTP URL (Hypertext Transfer Protocol Uniform Resource Locator). The request may be in other structured formats, including but not limited to XML encoded requests. The remote access devices 104 have communication capabilities, allowing them to interface with wireless and wireline communication networks. In one implementation, the remote access devices 104 are wireless and include devices that are well-known in the art, such as hand-held wireless phones, Personal Digital Assistants (PDAs), Microsoft® Windows CE devices, and mobile computers. Such devices operate in wireless networks that include, but are not limited to, PSTN, CDPD, CDMA/IS-95, TDMA/IS-136, MOBITEX, and GSM networks. Each of these devices has a browser associated therewith.
In addition, these remote access devices 104 generally have graphical displays to accommodate their browsing capabilities. The remote access devices may use different markup languages to interpret, format, and display the contents of the retrieved subscriber information. Such languages may include Hypertext Markup Language (HTML), Handheld Device Markup Language (HDML), Extensible Markup Language (XML), Extensible Stylesheet Language (XSL), and Wireless Application Protocol (WAP) Wireless Markup Language (WML). As stated above, the remote access devices 104 have communication capabilities to interface with a variety of communication networks including wireless communication systems. FIG. 1B illustrates the basic elements of a wireless implementation of network 100 in FIG. 1A. Artisans of ordinary skill will readily appreciate that these elements, and their interfaces, may be modified, augmented, or subjected to various standards known in the art, without limiting their scope or function. In one implementation, the remote access device 104 first communicates and sustains a session with a Base Station Controller/Mobile Switching Center (BSC/MSC) 106 via the wireless interface (i.e., air-link) Um in accordance with a wireless communication network scheme, such as CDPD, CDMA/IS-95, TDMA/IS-136, MOBITEX, and GSM. The BSC/MSC 106 employs a transceiver to transmit to the remote access device 104 (i.e., forward link) and receive from the remote access device 104 (i.e., reverse link), consistent with the wireless network scheme. The BSC/MSC 106 supervises, manages, and routes the calls between the remote access device 104 and the Inter-Working Function (IWF) 108.
The IWF 108 serves as a gateway between the wireless system 100 and other networks. The IWF 108 is coupled to the BSC/MSC 106 and in many cases it may be co-located with the BSC/MSC 106. The IWF 108 provides the session data between the remote access device 104 and the BSC/MSC 106 with an IP address, consistent with the well-known Internet Protocol (IP).
As is well-known in the art, the Internet Protocol is a network layer protocol that specifies the addressing and routing of packets (datagrams) between host computers and specifies the encapsulation of data into such packets for transmission. Addressing and routing information is affixed in the header of the packet. IP headers contain 32-bit addresses that identify the sending and receiving hosts. These addresses are used by intermediate routers to select a path through the network for the packet towards its ultimate destination at the intended address. By providing the session between the remote access device 104 and the BSC/MSC 106 with an IP address, the session can be intelligently routed to other networks.
The IWF 108 is subsequently coupled to a system router 110, which interfaces with other networks, such as the Public Switched Telephone Network (PSTN) and other Wide Area Networks (WANs) providing Internet- or secure/unsecure Intranet-based access.
Enterprise network 403 remotely and securely collects, processes, and formats the information residing therein and presents the information on the remote access device 104 in real time. Generally, the desired information will be stored in a specialized database/messaging server within the enterprise network 403, such as, for example, Microsoft® Exchange Server 5.5. As shown in FIG. 1C, the enterprise network 403 includes an interface network 120. The interface network 120 employs perimeter router 122 to interface with the wireless communication system 100, which transports the IP datagrams between the remote access device 104 and the BSC/MSC 106. The interface is achieved by virtue of a WAN topology and may employ well-known Asynchronous Transfer Mode (ATM), Frame Relay, dedicated DS-1 (1.544 Mbps), DS-3 (45 Mbps) and other topologies. The perimeter router 122 may connect to the enterprise network 403 through a firewall 124 to provide an added level of protection and further limit access to enterprise network 403 from the Internet. Artisans of ordinary skill will readily appreciate that generally, firewalls are well-known security mechanisms that protect the resources of a private network from users of other networks, and further implementations of firewalls will be described below. For example, enterprises that allow subscribers to access the Internet may install a firewall (or firewalls) to prevent outsiders from accessing their own private data resources and to control what outside resources their own subscribers have access to. Basically, firewalls filter incoming and outgoing network packets to determine whether to forward them toward their destination. The firewall 124 interfaces with the gateway server 415.
Application gateway servers 415 are preferably implemented as servers that act as an intermediary between messaging/data servers 410 and Base Station Controller/Mobile Switching Center (BSC/MSC) 106. Application gateway servers 415 provide a layer of abstraction between the messaging/data servers and the BSC/MSC 106 that enables more efficient communication over a "slow" network such as the Internet. Application gateway servers 415 are described in more detail below. If network 402 is a public network, such as the Internet, data transmitted over network 402 is at risk of being intercepted or monitored by third parties. To avoid this problem, the data may be encrypted at its transmission site (e.g., BSC/MSC 106 or enterprise network 403) and correspondingly decrypted at its reception site. By encrypting all data transmitted over network 402, BSC/MSC 106 and enterprise network 403 effectively communicate with one another as if they were on a private network. This type of encrypted network communication is called a virtual private network ("VPN").
FIGS. 2A and 2B are block diagrams illustrating embodiments of the implementation of a VPN between Base Station Controller/Mobile Switching Center (BSC/MSC) 190 and enterprise network 403. The VPN is implemented by encrypting information transmitted between BSC/MSC 106 and enterprise gateway server 415 on enterprise network 403.
As shown in the embodiment of FIG. 2A, Base Station Controller/Mobile Switching Center (BSC/MSC) 106 encrypts the transmitted data using software 510 running thereon. The encrypted data is transmitted over network 402 and decrypted by dedicated VPN server 515. Data flowing from enterprise network 403 to BSC/MSC 106 is similarly encrypted at VPN server 515 and decrypted by software 510. Firewall 520 may optionally be implemented in conjunction with VPN server 515 to limit unauthorized outsiders from accessing the private data resources of enterprise network 403 and to control what outside resources users at enterprise 403 have access to. One example of appropriate encryption/decryption software 510 is software that implements the well-known Point-to-Point Tunneling Protocol (PPTP). Although PPTP software 510 is shown executing on a VPN server 515, it may alternatively be implemented in special purpose PPTP routers or other network devices.
FIG. 2B illustrates another embodiment implementing a VPN between Base Station Controller/Mobile Switching Center (BSC/MSC) 106 and enterprise network 403. This embodiment is similar to the one described with reference to FIG. 2A, the primary difference being that the IPSEC (Internet Protocol Security) standard is used to encrypt/decrypt data instead of the PPTP standard. As shown, encryption using IPSEC is implemented by a pair of complementary routers 525. The IPSEC standard is known in the art. In contrast to the PPTP standard, the IPSEC standard can provide encryption at the session layer or the network packet processing layer; PPTP provides encryption at the session layer. Additionally, the IPSEC standard offers considerably more options in the implementation of bulk encryption and hash algorithms.
FIG. 4 illustrates an alternate implementation of the interface between the access facility and the enterprise network. As shown in FIG. 4, application gateway server 415 provides a MAPI (Messaging Application Programming Interface) interface 602. MAPI 602 is a Microsoft® Windows program interface that enables software objects on application gateway server 415 to communicate with a MAPI-compliant information store, such as Microsoft® Exchange messaging server 410. MAPI 602 provides the low level interface between application gateway server 415 and messaging server 410. MAPI 602 accesses messaging server 410 based on commands from CDO (Collaboration Data Objects) object 604. CDO 604 is an object in the COM (Component Object Model) framework for the development of component software objects. COM provides the underlying services of interface negotiation, life cycle management (determining when an object can be removed from a system), licensing, and event services (putting one object into service as the result of an event that has happened to another object). MAPI, the COM framework, and the CDO object are all available from Microsoft® Corporation.
CDO 604, in operation, processes requests from data center 190 to access messaging server 410. Typical CDO requests include requests such as: retrieve the message object for a particular email of a particular subscriber, retrieve the subject of the email, and retrieve the time the email was sent. For each of these requests, CDO 604 accesses messaging server 410, retrieves the requested information, and returns the information to the requesting entity.
A further simplified version of the system is provided in FIG. 3. In FIG. 3, data is transmitted from the device 301 over the airwaves 302 to a Base Station 303. Base station 303 uses a router 304 to provide data in the form of information packets over a connection 305, such as the Internet, to the enterprise network 311. Enterprise network 311 includes router 306, router connection 307, enterprise gateway server 308, database 309, and information source 310. Router 306 initially receives the request from the device 301 in the form of a URL and transmits the request to dedicated server 308 using router connection 307. Application gateway server 307 and application gateway server 415 operate according to the mechanization depicted in FIG. 5. According to FIG. 5, the information from Base Station Controller/Mobile Switching Center (BSC/MSC) 106 is transmitted as a URL request for information in the form of a session identifier, a page identifier, an action, and additional information. This URL information is received by an interface module 501 in a World Wide Web server employing ISAPI (Internet Server Application Program Interface). ISAPI is an Application Program Interface for Microsoft's IIS (Internet Information Server) Web server. ISAPI enables Web-based applications that run much faster than conventional CGI programs due to tight integration with the Web server. ISAPI is the first segment encountered by the browser request. Interface module 501 represents a software interface and can be an interface other than ISAPI, such as Active Server Pages (ASP) or Device Mobility Interconnect (DMI), or any software having the ability to perform a software routing function and convert a URL into a method call. The method call indicates the type of request made by the browser, for example that the user was on a particular screen, that the user initiated a particular action, or other similar information.
In an ISAPI configuration, several Web servers from companies other than Microsoft provide support. The interface module 501 passes the action to the navigation module 502, which is a state engine that effectively controls the retrieval and transmission of information at the enterprise server 403. Navigation module 502 interacts with session module 505, which contains local variables, such as the temporarily stored addressee, priority, subject, body, and so forth of an email during its composition across multiple URL requests. Once entered by the user at the device and transmitted to the application gateway server 415 and navigation module 502, each individual variable and the value associated therewith is stored in the session module 505. At any one time, session module 505 may include, for example, temporary variable ADDRESSEE with associated data TOM SMITH, temporary variable PRIORITY with associated data NORMAL, and so forth. All temporary variables are stored in the session module 505 and may be changed by the user. Once the user has completed the e-mail or other browser function, all variables are collected and transmitted. Once the navigation module 502 has the URL's session id, page id, and action, the navigation module 502 acts within the framework depicted in FIG. 5 to use the current browser state and verb, seek and compile the requisite information, and respond with the next logical sequence, such as the next page, next action, or next item in sequence. The temporary variables and associated data held in session module 505 are not persistent, such that a user logging out or disconnecting in the middle of a session will cause all data in the session module 505 associated with that user session to be lost. The same user initiating a new session will begin with no data in session module 505.
Navigation module 502 receives URL data and transmits web page data. The navigation module 502 does not depend on the type of browser or type of device being used by the user. Rather, navigation module 502 merely receives URL data, acts accordingly by assembling the appropriate response to the URL action request, and returns browser-appropriate data. Render or rendering module 504 provides the necessary browser-specific information to the navigation module 502 for transmission back to the particular device. Once a page id is known or recognized by the navigation module, an action indicates the page to which the user wishes to go. For example, if a user is entering contact information on screen 8510 (an arbitrary screen ID for illustrating this example), completes entering contact data, and wishes to return to the contact page by pressing "enter" or "complete" or some other such transition verb, the navigation module reads the page id (8510) and the action desired (complete entry) and knows that the action associated with "complete" is to transition to screen 8503. Page 8503 is appropriate for the browser used by the particular device. For any particular data needed to render the browser-appropriate screen, the render module 504 obtains screen data from screen database 506 and passes that data to navigation module 502. Screen-specific data may include a title, graphics, and other information, while user data may include, for example, telephone numbers, addresses, priority levels, and so forth. The user can scroll through the screen, select or otherwise act on the user data or screen data presented, and make a request. User-specific data is held in a data repository that can be refilled. Screen data, such as the title of screen 8510, is implemented so as to be configurable by the user or the enterprise.
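As an added illustration (not code from the patent), the following Python sketches the three pieces just described: the interface module's conversion of a URL into a method call, the session module's temporary variables, and the navigation module's page-transition lookup. The query-string names `sid`, `page` and `action`, the `logout` and `cancel` verbs and the 8503 to 8510 `new` transition are assumptions; screen ids 8510 and 8503, the `complete` verb and the ADDRESSEE/PRIORITY variables come from the text.

```python
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlparse


@dataclass
class MethodCall:
    """What interface module 501 hands to navigation module 502."""
    session_id: str
    page_id: int
    action: str
    extra: dict = field(default_factory=dict)  # the "additional information"


def url_to_method_call(url: str) -> MethodCall:
    """Interface-module role: turn the request URL into a method call.
    Query keys 'sid', 'page' and 'action' are assumed names; a request that
    lacks them, or carries a non-numeric page id, is rejected outright."""
    query = parse_qs(urlparse(url).query, keep_blank_values=True)
    try:
        session_id = query["sid"][0]
        page_id = int(query["page"][0])
        action = query["action"][0]
    except (KeyError, ValueError) as exc:
        raise ValueError(f"malformed request: {url!r}") from exc
    extra = {k: v[0] for k, v in query.items() if k not in ("sid", "page", "action")}
    return MethodCall(session_id, page_id, action, extra)


class SessionModule:
    """Session module 505: temporary variables such as the addressee and
    priority of an e-mail being composed over several requests. Nothing is
    persisted, so logout or disconnect discards the lot."""

    def __init__(self):
        self._vars = {}  # session id -> {VARIABLE: value}

    def set(self, sid, name, value):
        self._vars.setdefault(sid, {})[name.upper()] = value

    def get_all(self, sid):
        return dict(self._vars.get(sid, {}))

    def end(self, sid):
        self._vars.pop(sid, None)


# Navigation state table: (current page id, action) -> next page id.
# Only (8510, "complete") -> 8503 comes from the text; the rest are assumed.
TRANSITIONS = {
    (8510, "complete"): 8503,
    (8510, "cancel"): 8503,
    (8503, "new"): 8510,
}


class NavigationModule:
    """Navigation module 502 as a state engine over TRANSITIONS."""

    def __init__(self, sessions: SessionModule):
        self.sessions = sessions

    def handle(self, call: MethodCall) -> dict:
        """Store submitted fields in the session, then pick the next page.
        A (page, action) pair not in the table yields an error screen rather
        than a guessed destination."""
        for name, value in call.extra.items():
            self.sessions.set(call.session_id, name, value)
        if call.action == "logout":
            self.sessions.end(call.session_id)
            return {"page": "login", "vars": {}}
        next_page = TRANSITIONS.get((call.page_id, call.action))
        if next_page is None:
            return {"page": "error", "vars": {}}
        return {"page": next_page, "vars": self.sessions.get_all(call.session_id)}
```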
The navigation module 502 passes the screen type through to the render module 505 so that it can be used repeatedly, while passing through user data, such as headers for emails, as well as user data or user parameters, such as eight user-specific e-mail headers, thereby telling the rendering module 504 what to place in certain locations within the browser page. Navigation module 502 therefore hands off the request for a particular screen, email headers, title inbox, and so forth, to the rendering module 504, which locates the appropriate screen in the screen bank 506, locates the necessary template, fills the template with the data provided by the navigation module 502, and passes the completed screen back to the navigation module. Rendering module 504 may hold hundreds of screens, including several versions of screen 8510 for the various types of user devices available. Rendering module 502 determines the type of browser being used by reading the header associated with the URL received and determines whether the device is a Netscape browser (if the word "mozilla" appears in the header), a Windows CE device (if a Windows CE browser), and so forth. Once the type of device has been identified, that information is passed to the render module to retrieve and compile the appropriate information for transmission.
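The header-based device detection performed here (and restated near the end of the description, where the expected header parameters are said to be kept in the SQL server) is shown below as an added Python example, not code from the patent. The table rows, the profile fields, the e-mail header fields and the names `detect_device` and `render_inbox` are assumptions; the "mozilla" and Windows CE cases are from the text.

```python
import html
from dataclasses import dataclass


@dataclass(frozen=True)
class DeviceProfile:
    """Device-specific data handed to rendering (fields are assumed)."""
    name: str
    screen_cols: int   # characters the device can show per line
    items_per_page: int
    greyscale: bool


# Stand-in for the predetermined header parameters the text keeps in SQL.
# Rows are tried in order: a Windows CE browser's header also contains
# "Mozilla", so the more specific token must come first.
HEADER_TABLE = [
    ("windows ce", DeviceProfile("Windows CE device", 40, 8, True)),
    ("mozilla", DeviceProfile("Netscape desktop/laptop browser", 80, 20, False)),
]
DEFAULT_PROFILE = DeviceProfile("unknown browser", 40, 8, True)


def detect_device(headers: dict) -> DeviceProfile:
    """Match the User-Agent header against HEADER_TABLE, case-insensitively.
    An absent or unrecognised header falls back to the most constrained
    profile rather than failing the request."""
    user_agent = headers.get("User-Agent", "").lower()
    for token, profile in HEADER_TABLE:
        if token in user_agent:
            return profile
    return DEFAULT_PROFILE


def render_inbox(profile: DeviceProfile, title: str, email_headers: list) -> str:
    """Fill a plain-text inbox template: the screen title, then at most
    profile.items_per_page sender/subject lines, each cut to the device width.
    Sender and subject originate in received mail, i.e. untrusted input, so
    they are HTML-escaped before being placed in the page."""
    lines = [title[: profile.screen_cols]]
    for hdr in email_headers[: profile.items_per_page]:
        entry = f"{html.escape(hdr['from'])}: {html.escape(hdr['subject'])}"
        lines.append(entry[: profile.screen_cols])
    return "\n".join(lines)
```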
Data access module 507, also known as the information access or data source module, fetches and provides the requested user data. When a user initiates a session and requests access to her mailbox, the navigation module, after authenticating the user, sends a request to data access module 507 to enter the user's mailbox. Data access module 507 interacts with Exchange Server to initiate an active session. Navigation module 502 recognizes from the incoming URL that it must obtain mailbox information and thus queries data access module 507 for the particular information sought, such as the first twenty emails, the first five contacts, or other data. Data is transmitted in XML format, which is an abstract format, from the data access module 507 to navigation module 502. The data access module interfaces with the data source 508, which is a Microsoft® Exchange Server holding all necessary mail, contact, and user data, including passwords. The interface between data access module 507 and data source 508 enables the necessary information to be obtained and transmitted. Reports back from the render module 505 or data access module 504 are subsequently compiled and transmitted to the user. In the event of an error, the navigation module 502 transmits an error screen or message back to the user indicating that an error has occurred. Other objects besides mail capability include contact management systems, sales force automation systems, customer management systems, and Oracle or other database front ends. In these cases, servers other than Microsoft® Exchange Server are accessed by the data access module 507.
For purposes of authentication, the user initially enters a name and password, which pass to the navigation module and on to the data source, to authentication module 509. The authentication module 509 queries the data source 508, which keeps track of permissible users on the system. Under the implementation illustrated, a user may enter with a username but cannot obtain information from the data source 508 without a password. Authentication module 509 compares the entered password to the passwords stored on the data source 508 and, if correct, retrieves the requested data and passes the requested data to the navigation module 502. Thus passwords are stored with data. The authentication module can use a username and password, but other authentication methods may be used to verify a user, including but not limited to retina scans, fingerprint verification, pass cards, and so forth. Data retrieved by these authentication methods is then compared against data maintained in data source 508, and data is passed only when verification is achieved.
Navigation module 502 obtains information such as username and identification information from database 503, which is typically a SQL database. The database 503 only holds username data and not password data. This permits user access to the system based on entry of an acceptable username. The enterprise network 403 performs the authentication outlined above. Once the user has been authenticated, navigation module 502 evaluates the URL by parsing the information and making the call for necessary data. Once the navigation module has compiled the requisite information from the session module, rendering module, and data access module, the browser-specific data is sent back through interface module 501 to the device. FIG. 6 shows an alternate mechanization employing multiple information sources, where one source 610 contains mailbox data, a second source 611 contact data, and the third source 612 messaging data or other user and enterprise appropriate data. FIG. 7 illustrates the system employing a firewall 708 between router 706 and the application gateway server 710. The firewall 708 prevents unwanted Internet access to the server and the remainder of the configuration. FIG. 8 illustrates yet another configuration in accordance with the current invention, including a dual firewall setup (firewalls 808 and 812) surrounding application gateway server 710. Use of a dual firewall permits user access to server data while protecting data, such as mailbox, contact, or other user-specific data, from persons having or desiring access to the enterprise but not having the appropriate need or credentials to access alternate information. In FIG. 8, database 811 permits user verification according to username and entry into the enterprise, which may be useful for an enterprise wishing to permit customer access to certain information but employee access to all information. FIG. 9 illustrates an alternate configuration employing the database 915 behind both firewalls, such that users are permitted access to the application gateway server 910 without a username or other information, but must use the database to access any mailbox, contact, or other user-specific data.
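The authentication sequence described above, as an added Python example that is not the patent's code: a username-only database gates entry and the data source verifies the password. Where the text has the data source compare the entered password to the stored one, this version stores a salted PBKDF2 hash in its place, compares in constant time, and does the same hashing work for an unknown username as for a wrong password, so the two failures are indistinguishable to the caller. The user names, passwords and mailbox contents are constructed.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 100_000  # work factor; raise for production use


def make_credential(password: str) -> dict:
    """Derive a salted hash to store in place of the password itself."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "hash": digest}


def verify_credential(record: dict, password: str) -> bool:
    """Recompute the hash and compare without short-circuiting on mismatch."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), record["salt"], PBKDF2_ITERATIONS
    )
    return hmac.compare_digest(candidate, record["hash"])


# Database 503 analogue: usernames only, no secrets (constructed).
USERNAME_DB = {"tsmith", "jdoe"}

# Data source 508 analogue: the credential record lives beside the user's data.
DATA_SOURCE = {
    "tsmith": {"credential": make_credential("correct horse"), "mailbox": ["msg-1", "msg-2"]},
    "jdoe": {"credential": make_credential("battery staple"), "mailbox": []},
}

# Verified against when the username is unknown, so the same work is done.
_DECOY = make_credential(os.urandom(16).hex())


def authenticate(username: str, password: str):
    """Return the user's mailbox when both checks pass, otherwise None.
    The caller learns nothing about which of the two checks failed."""
    known = username in USERNAME_DB and username in DATA_SOURCE
    record = DATA_SOURCE[username]["credential"] if known else _DECOY
    password_ok = verify_credential(record, password)
    if not (known and password_ok):
        return None
    return DATA_SOURCE[username]["mailbox"]
```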
FIG. 10 is a hardware-specific implementation of the current system, using an IIS Server 1001 as a front end, with the data access module accessing a Microsoft Exchange Server Version 5.5 1002, Microsoft Exchange 2000 Server 1003, Lotus Notes/Domino R5 1004, POP3 Server 1005, or IMAP4 Server 1006. Other similar hardware may be employed while still within the scope of the current invention.
A further aspect of the current system is the ability of the system to determine the type of device accessing it. For example, the system receives information over a data line including initialization information, account information, passwords, and so forth, in addition to browser information. Browser information identifies the type of browser used; e.g. a Microsoft® Windows CE device indicates that it is using a Windows CE compliant browser. Included in the browser information is header information from which the enterprise network 403 can determine the type of device transmitting the data. The enterprise network 403 stores the information expected to be received from a particular browser; for example, the Netscape browser, used on desktop and laptop devices, may include the word "mozilla" in its header information. The enterprise network 403 maintains predetermined expected header parameters for each anticipated input device. This predetermined information is preferably maintained in the SQL server. Upon connection between the input device and the enterprise network, the data center retrieves the browser header information and compares this information with the predetermined information and, if it determines a match, interfaces with the input device using input device specific data, e.g. screen size limitations, colors/greyscale data, and so forth. Thus the system does not require user input to determine the type of device addressing the enterprise network 415 and can transmit appropriate input device specific data to the user.

The foregoing description of preferred embodiments of the present invention provides illustration and description, but is not intended to be exhaustive or to limit the invention to the precise form disclosed. Modifications and variations are possible consistent with the above teachings or may be acquired from practice of the invention.
Accordingly, the scope of the invention is defined by the claims and their equivalents.

Claims

What is claimed is:
1. A system for remotely accessing subscriber information from an enterprise network in real-time, the system comprising: a data network; a remote access device coupled to the data network, the remote device having browser capabilities to accommodate a request inputted by a subscriber to access the subscriber information; an application gateway server hosting the subscriber information, the application gateway server comprising: a navigation module for receiving data in a predetermined format and accessing device specific information; a session module for maintaining temporary data associated with the subscriber, said session module interfacing with said navigation module; a rendering module for obtaining the requisite browser data based on desired action and current state; a data source module for obtaining subscriber information and passing said subscriber information to the navigation module; and an authentication module associated with said data source module for verifying subscriber credentials.
2. The system of claim 1, further comprising a database associated with said data source module, wherein said authentication module compares user data with user stored data, said user stored data being stored on said database.
3. A system as in one of claims 1-2, wherein said data in a predetermined format comprises data in URL format.
4. A system as in one of claims 1-3, wherein said subscriber information comprises at least one from the group comprising: mailbox information; calendar information; contact information; and enterprise specific information.
5. A system as in one of claims 1-4, wherein: said navigation module extracts an action request from said data in the predetermined format, passes the action request to the data source module which retrieves any necessary information based upon the action request; and said navigation module retrieves a browser specific screen corresponding to the action request from the rendering module.
6. A system as in one of claims 1-5, wherein the data network has the ability to receive information and data requests in remote access device specific formats and convert said information and data requests into data packets.
7. A system as in one of claims 1-6, wherein the data network comprises the Internet.
8. A system as in one of claims 1-7, wherein the data network comprises a dedicated network connection.
9. A system as in one of claims 1-8, wherein the remote access device comprises at least one from a group including: a personal computer; a laptop computer; a palmtop computer; a personal digital assistant; a cellular telephone; a two-way pager; and a Microsoft® Windows CE device.
10. A method for accessing subscriber information, comprising the steps of: receiving a subscriber information request in a predetermined format; navigating the access and transmission of the requested subscriber information, said transmission of the requested subscriber information being in a subscriber device specific predetermined format, said access and transmission navigating step comprising: compiling subscriber information based on said subscriber information request; assembling and rendering said subscriber information into a device specific format, said device specific format depending on said subscriber device; and transmitting the assembled and rendered subscriber information to said subscriber device; wherein said predetermined format for said subscriber information request differs from said subscriber device specific predetermined format.
11. The method of claim 10, wherein said predetermined format comprises URL format and the subscriber device specific format comprises a browser format compatible with the device used by the subscriber.
12. A method as in one of claims 10-11, further comprising the step of: parsing said subscriber information into an action task and a page specific task, said parsing step occurring prior to said compiling step.
13. A method as in one of claims 10-12, further comprising the step of: verifying user credentials using credential verification information maintained with subscriber information at a local database.
14. A method as in one of claims 10-13, wherein said subscriber information comprises at least one from the group comprising: contact information; calendar information; mailbox information; paging information; and enterprise specific information.
15. A method as in one of claims 10-14, wherein said subscriber information compiling step comprises seeking requested information from a local database.
16. A method as in one of claims 10-15, wherein the subscriber device comprises at least one from a group including: a personal computer; a laptop computer; a palmtop computer; a personal digital assistant; a cellular telephone; a two-way pager; and a Microsoft® Windows CE device.
17. An application gateway server for accessing subscriber information, said application gateway server comprising: a navigation module for receiving a subscriber information request in a first predetermined format, obtaining requested information, and transmitting the requested information to said subscriber in a second predetermined format; a data access module for accessing data requested by the navigation module, the data access module accessing subscriber data maintained on an enterprise database; a rendering module for obtaining device specific formats associated with the data accessed by said data access module and providing device specific formats to the navigation module; and a session module for maintaining intermediate data required to perform the navigation module functions.
18. The application gateway server of claim 17, further comprising an authentication module to verify subscriber credentials, said subscriber credentials at least partially residing on said enterprise database.
19. An application gateway server as in one of claims 17-18, wherein said enterprise network receives subscriber requests in URL format and transmits device specific subscriber data in a browser specific format.
20. The application gateway server of claim 19, wherein said navigation module parses said URL subscriber request into segments, at least one segment comprising a requested action.
21. An application gateway server as in one of claims 19-20, wherein the device comprises at least one from a group including: a personal computer; a laptop computer; a palmtop computer; a personal digital assistant; a cellular telephone; a two-way pager; and a Microsoft® Windows CE device.
PCT/US2001/010900 2000-04-03 2001-04-03 Application gateway system WO2001076190A2 (en)
Publications (2)

Publication Number Publication Date
WO2001076190A2 true WO2001076190A2 (en) 2001-10-11
WO2001076190A3 WO2001076190A3 (en) 2002-05-02