The claimed method and apparatus are operational with numerous other general purpose or special purpose computing system environments or configurations. Examples of well known computing systems, environments, and/or configurations that may be suitable for use with the methods or apparatus of the claims include, but are not limited to, personal computers, server computers, hand-held or laptop devices, multiprocessor systems, microprocessor-based systems, set top boxes, programmable consumer electronics, network PCs, minicomputers, mainframe computers, distributed computing environments that include any of the above systems or devices, and the like.
The steps of the claimed method and apparatus may be described in the general context of computer-executable instructions, such as program modules, being executed by a computer. Generally, program modules include routines, programs, objects, components, data structures, etc. that perform particular tasks or implement particular abstract data types. The methods and apparatus may also be practiced in distributed computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed computing environment, program modules may be located in both local and remote computer storage media including memory storage devices.
With reference to
Device 100 may also contain communications connection(s) 112 that allow the device to communicate with other devices. Communications connection(s) 112 is an example of communication media. Communication media typically embodies computer readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism and includes any information delivery media. The term “modulated data signal” means a signal that has one or more of its characteristics set or changed in such a manner as to encode information in the signal. By way of example, and not limitation, communication media includes wired media such as a wired network or direct-wired connection, and wireless media such as acoustic, RF, infrared and other wireless media. The term computer readable media as used herein includes both storage media and communication media.
Device 100 may also have input device(s) 114 such as keyboard, mouse, pen, voice input device, touch input device, etc. Output device(s) 116 such as a display, speakers, printer, etc. may also be included. All these devices are well known in the art and need not be discussed at length here.
The ISA server may be a server 230 computer with appropriate software that may enable a multi-networking model that allows network managers to control traffic between internal and external networks, and within an organization by means of firewall policy rules. A network manager may define network objects in an ISA server management module, for example, and configure relationships to specify whether traffic should be routed between them, or have network address translation (NAT) applied. The network objects that the network manager defines may be used as source and destination elements in access rules configured to specify what traffic is allowed or denied between networks. The general process of configuring the ISA server may be summarized as follows:
Create network objects, or modify ISA server predefined network objects. Network objects may allow a network manager to define included networks (a range of Internet Protocol (IP) addresses), network sets (set of networks), computers, computer sets, address ranges (set of contiguous IP addresses), subnets, Uniform Resource Locator (URL) sets, and domain name sets.
Create network rules to configure how traffic is passed between networks in an organization. The ISA server may check network rules to determine whether source and destination networks are allowed to connect, and if so, whether traffic requests should be routed or have NAT applied.
Create firewall policy rules to expose traffic between networks to stateful filtering and application layer traffic inspection. Traffic may be allowed or denied based on the parameters in the network rules.
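The three-stage model just described (network objects, network rules deciding route versus NAT, then ordered access rules) can be exercised with the following added example. It is illustrative code written for this description, not ISA server code; the network objects, rules and addresses are constructed, and the assumption is that a pair of networks with no network rule cannot exchange traffic at all and that an unmatched access rule list denies by default.

```python
import ipaddress

# Constructed network objects: name -> address range (External is "everything else").
NETWORKS = {
    "Internal": ipaddress.ip_network("10.0.0.0/24"),
    "Perimeter": ipaddress.ip_network("192.168.10.0/24"),
    "External": ipaddress.ip_network("0.0.0.0/0"),
}

# Constructed network rules: (source, destination) -> "route" or "nat".
# A pair with no entry is treated as "not allowed to connect" (assumption).
NETWORK_RULES = {
    ("Internal", "Perimeter"): "route",
    ("Internal", "External"): "nat",
    ("Perimeter", "External"): "nat",
    ("External", "Perimeter"): "nat",
}

# Constructed access rules, evaluated in order; first match wins.
# (action, source network, destination network, allowed protocols; "*" = any)
ACCESS_RULES = [
    ("allow", "Internal", "External", {"http", "https"}),
    ("deny", "Internal", "External", {"*"}),
    ("allow", "External", "Perimeter", {"https"}),
]


def find_network(ip):
    """Return the most specific network object containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    matches = [(net.prefixlen, name) for name, net in NETWORKS.items() if addr in net]
    return max(matches)[1] if matches else None


def evaluate(src_ip, dst_ip, protocol):
    """Decide (action, reason) for one flow: network rule first, then access rules."""
    src, dst = find_network(src_ip), find_network(dst_ip)
    relation = NETWORK_RULES.get((src, dst))
    if relation is None:
        return ("deny", "no network rule")          # networks may not connect
    for action, rule_src, rule_dst, protocols in ACCESS_RULES:
        if rule_src == src and rule_dst == dst and ("*" in protocols or protocol in protocols):
            return (action, relation)               # first matching access rule
    return ("deny", "default")                      # nothing matched: deny by default
```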
Any of the computers in
At block 305, if the security server 230 application is not present, the method may install the security server 230 application, such as the ISA server application. Without a proper security server, the three legged network 200 may be vulnerable to unwanted attacks. In another embodiment, the method may store data about the progress of the method, request that the security server 230 application be installed and stop the method until the security server 230 application is installed. The stored data may be stored in a log file, for example, and the data may be used for support functions. For example, the log file may be sent to a software support specialist and the software support specialist may be able to understand the blocks completed by the user and any blocks that may have failed. In yet another embodiment, the stored data may be used to replicate the steps taken by a user for a software support specialist such that the software support specialist can see virtually the same steps taken by a user and a resulting problem. As such, the software support specialist can better diagnose the problems, propose better solutions and test proposed solutions. In addition, the log file may be viewed at virtually any block of the method.
At block 310, the method may determine a version of the security server 230 application. At block 315, if the version of the security server 230 application is not satisfactory, an acceptable version of the security server 230 application may be installed. Security servers 230 have been around for some time and some security server 230 applications may be too far out of date to be used by the method.
At block 320, the method may determine the number of network cards 260 on the computer that is hosting the security server 230 application. At block 325, if the number of network cards 260 on the three legged network 200 is not a desired number, the method may request that the desired number of network cards 260 be installed on the three legged network 200. In an alternate embodiment, the method may store data related to the progress of the method, request that the desired number of network cards 260 be installed on the three legged network 200 and the method may stop until the proper number of network cards 260 are installed. In one embodiment the proper number of network cards 260 is three such as in
At block 330, it may be determined whether the network cards 260 on the three legged network 200 are active. If the network cards 260 are not active, at block 335, the method may request that the network cards 260 be made active. If the network cards 260 are not active, proper communication within the three legged network 200 may not occur. In another embodiment, the method may store data related to the progress of the method, request that the network cards 260 be made active on the three legged network 200 and the method may stop until the network cards 260 are made active.
At block 340, the method may configure the security server 230 application by collecting an internet protocol (IP) address of the Internet server 240 in the perimeter network 210 and an IP address of a domain controller on the internal network 220. At block 345, the method may store the IP addresses for the Internet server 240 and the domain controller.
At block 350, the method may validate the IP addresses for the Internet server 240 and the domain controller from block 340. If the IP addresses for the Internet server 240 and domain controller cannot be validated, at block 355 the method may request that the IP addresses for the Internet server 240 and domain controller be corrected. Without proper IP addresses or valid IP addresses, communication in the three legged network 200 may not occur as desired.
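The checks in blocks 305 through 355 (application present, version acceptable, three network cards, all cards active, both IP addresses valid) form one stop-on-failure procedure with a progress log. The following added example models that procedure; it is not code from this description or from the ISA server product. The host state, the minimum acceptable version and the perimeter and internal subnets are constructed assumptions, and the block number recorded for a failed check is the block at which the method requests correction.

```python
import ipaddress

# Constructed snapshot of the host the method would inspect (all values assumed).
HOST = {
    "security_server_installed": True,
    "security_server_version": (2004, 0),
    "nics": [{"name": "internal", "active": True},
             {"name": "perimeter", "active": True},
             {"name": "external", "active": False}],   # one leg not yet active
}
MIN_VERSION = (2004, 0)                                  # assumed oldest usable version
PERIMETER = ipaddress.ip_network("192.168.10.0/24")      # assumed perimeter network 210
INTERNAL = ipaddress.ip_network("10.0.0.0/24")           # assumed internal network 220


def in_subnet(ip, net):
    """True only when ip parses and lies inside net (blocks 350/355)."""
    try:
        return ipaddress.ip_address(ip) in net
    except ValueError:
        return False


def preflight(host, internet_server_ip, dc_ip, log):
    """Run the checks in order, appending each result to log.

    Returns the block number at which the method stops and requests
    correction, or None when every check passed."""
    checks = [
        (305, "security server application installed",
         host.get("security_server_installed", False)),
        (315, "security server version acceptable",
         host.get("security_server_version", (0, 0)) >= MIN_VERSION),
        (325, "three network cards present", len(host.get("nics", [])) == 3),
        (335, "all network cards active",
         all(nic["active"] for nic in host.get("nics", []))),
        (355, "Internet server address valid and in perimeter network",
         in_subnet(internet_server_ip, PERIMETER)),
        (355, "domain controller address valid and in internal network",
         in_subnet(dc_ip, INTERNAL)),
    ]
    for block, description, ok in checks:
        log.append(f"block {block}: {description}: {'ok' if ok else 'FAILED'}")
        if not ok:
            log.append(f"stopped at block {block}; correct the item and rerun")
            return block                          # stop until the user fixes it
    log.append("all checks passed")
    return None
```

The log list stands in for the log file the description mentions; in practice it would be written to disk so support can replay the blocks completed.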
At block 360, the method may communicate rules for the network to be used by the security server 230. The security server 230 rules may determine what network resources client machines are permitted to access. The rules may be used to control incoming traffic from the Internet 250 to the internal network 220, and outgoing traffic from the internal network 220 to the Internet 250. There may be several types of rules supported by the security server 230. These rules may include access policy, bandwidth, protocol, routing and chaining, scheduling, server publishing, site and content, and Web publishing rules. A sample rule may be a requirement that access over the Internet 250 uses 128-bit encryption, and that the Internet 250 connection be SSL enabled.
At block 360, the method may select applications to be available over the three legged network 200. The application may be a business application, such as a CRM application, for example.
At block 405, the certificate name for SSL security may be inputted. The name may be selected from a drop down list or inputted manually. At block 410, an Internet address that is to be used to access the business application may be inputted. At block 415, the method may verify the inputted values from blocks 400 through 410. As the verification proceeds, visual indications may be displayed to the user that the inputted values have been verified. If the values are not verified, the specific values that were not verified are highlighted to be corrected. If problems persist, the user may ask for help. All the inputted data from blocks 400 through 415 may be stored in a log file.
At block 420, the security server 230, such as a Microsoft ISA server, may be configured using the data from blocks 400-415. In addition, actual connectivity may be checked and status may be displayed. At block 425, data from additional business programs that are to be available over the Internet may be collected and verified.
At multiple points in the method, data may be stored regarding the progress of the method. The data may be stored in a file such as a log file that can be used by support to analyze the steps taken and the results. The data may be fed into a system that creates the displays that the user viewed, fills in the data the user entered and displays the resulting displays. In this way, support personnel may be better able to track problems. Further, software designers may be able to view how users navigate through the software and determine if the flow is as desired or could be improved.
As a result of the method, the process of setting up a business application to be available over the Internet using a three legged network is greatly simplified. The steps to configure the network have been automated into a series of easy to follow displays. If there is a problem at any step of the method, the method may stop at that point and inform the user that there is a problem. In this way, users will know of problems virtually immediately. The method will log the steps as performed and if problems occur, the method may be used to view the progress of the method up to the point problems occurred.
Although the foregoing text sets forth a detailed description of numerous different embodiments, it should be understood that the scope of the patent is defined by the words of the claims set forth at the end of this patent. The detailed description is to be construed as exemplary only and does not describe every possible embodiment because describing every possible embodiment would be impractical, if not impossible. Numerous alternative embodiments could be implemented, using either current technology or technology developed after the filing date of this patent, which would still fall within the scope of the claims.
Thus, many modifications and variations may be made in the techniques and structures described and illustrated herein without departing from the spirit and scope of the present claims. Accordingly, it should be understood that the methods and apparatus described herein are illustrative only and are not limiting upon the scope of the claims.