Patents by Inventor Vitaly KHAIT
Vitaly KHAIT has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Publication number: 20240106802
Abstract: The implementation of application layer-based and transport-layer based security rules via a reverse proxy server chain is described. Each reverse proxy server in the chain is configured to perform a particular function with respect to client messages intended for a destination server and/or convey contextual information pertaining to the messages to a subsequent reverse proxy server in the chain. For instance, a first reverse proxy server in the chain is configured to include client-specific metadata in the transport layer of the message. A second reverse proxy server in the chain enforces transport layer-based policy rules based on the metadata. This enables the second reverse proxy server to manage transport layer connections on a client-by-client basis, thereby enabling the second reverse proxy server to block unauthorized clients, while maintaining the transport layer connections for authorized clients. A third reverse proxy server in the chain enforces application layer-based policy rules.
Type: Application
Filed: October 17, 2023
Publication date: March 28, 2024
Inventors: Guy LEWIN, Vitaly KHAIT, Yossi HABER
-
Publication number: 20240028757
Abstract: A file is enabled to be downloaded from a web server on behalf of a client browser, via an isolated browser of an RBI server. An isolated browser engine detects the file download and notifies an isolated browser controller. The isolated browser controller determines whether the file download is permitted. Responsive to determining that the file download is not permitted, the file is deleted at the RBI server and a policy event is transmitted to the client browser. Responsive to determining that the file download is permitted, the file is transmitted to the client browser. The file may be streamed to the client browser, or it may be published via an independent web server and a notification is transmitted to the client browser. The client browser is controlled to issue a request to the independent web server to download the file to the client browser.
Type: Application
Filed: June 15, 2023
Publication date: January 25, 2024
Inventors: Guy LEWIN, Vitaly KHAIT, Alexander ESIBOV
-
Patent number: 11831616
Abstract: The implementation of application layer-based and transport-layer based security rules via a reverse proxy server chain is described. Each reverse proxy server in the chain is configured to perform a particular function with respect to client messages intended for a destination server and/or convey contextual information pertaining to the messages to a subsequent reverse proxy server in the chain. For instance, a first reverse proxy server in the chain is configured to include client-specific metadata in the transport layer of the message. A second reverse proxy server in the chain enforces transport layer-based policy rules based on the metadata. This enables the second reverse proxy server to manage transport layer connections on a client-by-client basis, thereby enabling the second reverse proxy server to block unauthorized clients, while maintaining the transport layer connections for authorized clients. A third reverse proxy server in the chain enforces application layer-based policy rules.
Type: Grant
Filed: March 24, 2020
Date of Patent: November 28, 2023
Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
Inventors: Guy Lewin, Vitaly Khait, Yossi Haber
-
Patent number: 11720699
Abstract: A file is enabled to be downloaded from a web server on behalf of a client browser, via an isolated browser of an RBI server. An isolated browser engine detects the file download and notifies an isolated browser controller. The isolated browser controller determines whether the file download is permitted. Responsive to determining that the file download is not permitted, the file is deleted at the RBI server and a policy event is transmitted to the client browser. Responsive to determining that the file download is permitted, the file is transmitted to the client browser. The file may be streamed to the client browser, or it may be published via an independent web server and a notification is transmitted to the client browser. The client browser is controlled to issue a request to the independent web server to download the file to the client browser.
Type: Grant
Filed: December 15, 2020
Date of Patent: August 8, 2023
Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
Inventors: Guy Lewin, Vitaly Khait, Alexander Esibov
-
Publication number: 20230216925
Abstract: Embodiments described herein leverage web cookies to carry messages across cloud application communications, wherein the messages are between entities that are not part of the cloud application itself. For example, in embodiments, a proxy server is interconnected between a client computer that is executing a front-end component of an application and an application server that is executing a back-end component of the application. The proxy server intercepts a request from the front-end component that is intended for the back-end component and generates a response thereto that includes a command to create a web cookie at the client computer, wherein the web cookie includes data to be utilized by a custom code component of the client computer. The proxy server may further cause the custom code component to be injected into the application front-end component for execution by the client computer.
Type: Application
Filed: March 10, 2023
Publication date: July 6, 2023
Inventors: Vitaly Khait, Nir M. Rappaport
-
Patent number: 11677722
Abstract: Techniques are described herein that are capable of implementing a client-side policy on client-side logic. The client-side policy is configured to support client-side hooks by configuring a rule in the client-side policy to be applied to the client-side logic, which is configured to be executed in a browser of a client device in a network-based system. The rule indicates an administrator-defined action to be performed in response to a request to execute the client-side logic. The request to execute the client-side logic in the browser is received. The administrator-defined action is performed based at least in part on the rule in the client-side policy in response to receipt of the request.
Type: Grant
Filed: October 8, 2021
Date of Patent: June 13, 2023
Assignee: Microsoft Technology Licensing, LLC
Inventors: Guy Lewin, Yossef Haber, Vitaly Khait
-
Patent number: 11616847
Abstract: Embodiments described herein leverage web cookies to carry messages across cloud application communications, wherein the messages are between entities that are not part of the cloud application itself. For example, in embodiments, a proxy server is interconnected between a client computer that is executing a front-end component of an application and an application server that is executing a back-end component of the application. The proxy server intercepts a request from the front-end component that is intended for the back-end component and generates a response thereto that includes a command to create a web cookie at the client computer, wherein the web cookie includes data to be utilized by a custom code component of the client computer. The proxy server may further cause the custom code component to be injected into the front-end component of the application for execution by the client computer.
Type: Grant
Filed: October 19, 2018
Date of Patent: March 28, 2023
Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
Inventors: Vitaly Khait, Nir M. Rappaport
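The cookie-carried messaging that publication 20230216925 and patent 11616847 describe, as an added Python example (not code from the patents or from Microsoft): a proxy rewrites an intercepted upstream HTTP response so that it (a) sets a cookie whose value is a message for a client-side component that is not part of the application, and (b) injects that component as a script tag. The cookie name `proxy_msg`, the script URL `/__proxy/hook.js`, the JSON-in-URL-encoding value format and the sample response are all assumptions made for this example.

```python
"""Proxy-side rewrite that smuggles a message to an injected client component via a cookie.

Added example; the cookie name, script URL, encoding and sample response are constructed.
"""
from __future__ import annotations

import json
from urllib.parse import quote, unquote


def parse_http_response(raw: bytes) -> tuple[str, list[tuple[str, str]], bytes]:
    """Split a raw HTTP/1.1 response into (status line, header list, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def serialise_response(status: str, headers: list[tuple[str, str]], body: bytes) -> bytes:
    head = "\r\n".join([status] + [f"{n}: {v}" for n, v in headers])
    return head.encode("iso-8859-1") + b"\r\n\r\n" + body


def proxy_rewrite(raw_upstream: bytes, cookie_name: str, message: dict, script_url: str) -> bytes:
    """What the proxy does to the back-end response before it reaches the browser."""
    status, headers, body = parse_http_response(raw_upstream)

    # 1. Carry the message in a cookie. It is URL-encoded so that quotes, commas and
    #    semicolons from the JSON cannot break cookie syntax. It is deliberately NOT
    #    HttpOnly: the injected script must be able to read it from document.cookie.
    cookie_value = quote(json.dumps(message, separators=(",", ":")), safe="")
    headers.append(("Set-Cookie", f"{cookie_name}={cookie_value}; Path=/; Secure; SameSite=Strict"))

    # 2. Inject the custom code component into the front end (before </body> when present).
    tag = f'<script src="{script_url}"></script>'.encode()
    if b"</body>" in body:
        body = body.replace(b"</body>", tag + b"</body>", 1)
    else:
        body = body + tag

    # 3. The body changed, so the Content-Length must be recomputed.
    headers = [(n, v) for n, v in headers if n.lower() != "content-length"]
    headers.append(("Content-Length", str(len(body))))
    return serialise_response(status, headers, body)


def read_message_cookie(cookie_header: str, cookie_name: str) -> dict | None:
    """Client side: what the injected component does to recover the message."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == cookie_name:
            return json.loads(unquote(value))
    return None


if __name__ == "__main__":
    # Constructed upstream response from the application back end.
    upstream = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 28\r\n\r\n"
                b"<html><body>hi</body></html>")
    out = proxy_rewrite(upstream, "proxy_msg", {"policy": "block-download", "id": 7}, "/__proxy/hook.js")
    print(out.decode("iso-8859-1"))
```

The practitioner caveat this example makes visible: because the message must be readable by script, the cookie cannot be `HttpOnly`, so anything page scripts can read (including third-party scripts loaded by the application) can read it too. Keep the payload free of secrets and treat it as an untrusted input on the client side.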
-
Patent number: 11582153
Abstract: Techniques are described herein that are capable of load-balancing establishment of connections among groups of connector servers in a public computer network by performing operations that include receiving a connection request from a connector client in a private computer network, requesting establishment of a connection between the connector client and one of the connector servers in the public computer network. A number of connections between the private computer network and each group is determined. An identified group is selected from the groups based at least in part on a number of connections between the private computer network and the identified group being less than or equal to a number of connections between the private computer network and each other group. The connection request is provided toward the identified group, which enables establishment of the connection between the connector client and a connector server in the identified group.
Type: Grant
Filed: May 1, 2020
Date of Patent: February 14, 2023
Assignee: Microsoft Technology Licensing, LLC
Inventors: Guy Lewin, Daniel Senderovich, Vitaly Khait, Yossef Haber, Amir Geri
-
Publication number: 20220188438
Abstract: A file is enabled to be downloaded from a web server on behalf of a client browser, via an isolated browser of an RBI server. An isolated browser engine detects the file download and notifies an isolated browser controller. The isolated browser controller determines whether the file download is permitted. Responsive to determining that the file download is not permitted, the file is deleted at the RBI server and a policy event is transmitted to the client browser. Responsive to determining that the file download is permitted, the file is transmitted to the client browser. The file may be streamed to the client browser, or it may be published via an independent web server and a notification is transmitted to the client browser. The client browser is controlled to issue a request to the independent web server to download the file to the client browser.
Type: Application
Filed: December 15, 2020
Publication date: June 16, 2022
Inventors: Guy LEWIN, Vitaly KHAIT, Alexander ESIBOV
-
Publication number: 20220029967
Abstract: Techniques are described herein that are capable of implementing a client-side policy on client-side logic. The client-side policy is configured to support client-side hooks by configuring a rule in the client-side policy to be applied to the client-side logic, which is configured to be executed in a browser of a client device in a network-based system. The rule indicates an administrator-defined action to be performed in response to a request to execute the client-side logic. The request to execute the client-side logic in the browser is received. The administrator-defined action is performed based at least in part on the rule in the client-side policy in response to receipt of the request.
Type: Application
Filed: October 8, 2021
Publication date: January 27, 2022
Inventors: Guy LEWIN, Yossef HABER, Vitaly KHAIT
-
Patent number: 11233749
Abstract: Providing fluid external access to a resource that is internal to a network from external to that network. From within the network, the internal user simply provides an internal identifier, and the external user accesses not the internal identifier, but an external uniform resource locator (URL) that the external user can simply select to obtain access to the internal resource of the network. This is accomplished by translating the internal identifier to an external URL having a proxy server as its domain name. When the external user selects the external URL, a request with that external URL is made to the proxy server, which translates the external URL back to the internal identifier, and coordinates with the network to obtain the resource for the external user.
Type: Grant
Filed: October 23, 2019
Date of Patent: January 25, 2022
Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
Inventors: Guy Lewin, Vitaly Khait, Yossi Haber, Ami Luttwak, Alexander Esibov
-
Patent number: 11233867
Abstract: A method, a non-transitory computer readable medium, and a proxy device. The method includes receiving, by a proxy device, a request to access a first web resource of a plurality of web resources; modifying a received response to include at least a messaging handler, wherein the response corresponds to the received request; returning the modified response with the messaging handler to a client device, wherein the messaging handler causes establishment of a communication channel between the client device and a notification server; and providing the notification server with at least one notification, wherein the notification server immediately pushes the at least one notification to the client device over the communication channel, wherein the at least one notification is related to at least the first web resource.
Type: Grant
Filed: March 13, 2017
Date of Patent: January 25, 2022
Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
Inventors: Avihai Berkovitz, Vitaly Khait
-
Publication number: 20210409403
Abstract: Methods, systems and computer program products are provided for service to service SSH with authentication and SSH session reauthentication. A client service initiates an SSH session by automatically providing authentication information to an authentication provider service, which returns access information. The client service uses an SSH client to automatically provide the access information to an SSH server, which receives and validates the access information. A service-to-service SSH session is created between the SSH client and SSH server. The client service and a server service may communicate securely via the service-to-service SSH session. Security may be maintained for any type of SSH connection (e.g., user to service, service to service) by periodically and automatically providing and validating reauthentication and refresh information. An SSH connection/session is maintained if periodic access information is validated.
Type: Application
Filed: June 25, 2020
Publication date: December 30, 2021
Inventors: Guy LEWIN, Vitaly KHAIT, Liran MOYSI
-
Publication number: 20210344602
Abstract: Techniques are described herein that are capable of load-balancing establishment of connections among groups of connector servers in a public computer network by performing operations that include receiving a connection request from a connector client in a private computer network, requesting establishment of a connection between the connector client and one of the connector servers in the public computer network. A number of connections between the private computer network and each group is determined. An identified group is selected from the groups based at least in part on a number of connections between the private computer network and the identified group being less than or equal to a number of connections between the private computer network and each other group. The connection request is provided toward the identified group, which enables establishment of the connection between the connector client and a connector server in the identified group.
Type: Application
Filed: May 1, 2020
Publication date: November 4, 2021
Inventors: Guy Lewin, Daniel Senderovich, Vitaly Khait, Yossef Haber, Amir Geri
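The group selection rule in patent 11582153 and publication 20210344602 above is a per-private-network least-connections choice: count the live connections each group holds from the requesting private network, and pick a group whose count is less than or equal to every other group's. The following Python is an added example of that rule, not code from the patents or from Microsoft; the group names, the connection ledger and the request sequence are constructed, and the tie-break (first group in list order) is an assumption the abstracts do not specify.

```python
"""Least-connections selection among connector-server groups, scoped per private network.

Added example; group names, ledger format and request sequence are constructed.
"""
from __future__ import annotations

from collections import Counter

# Ledger entries are (private_network_id, group_name) for each live connection.
Ledger = list


def count_connections_per_group(ledger: Ledger, private_network: str, groups: list[str]) -> dict[str, int]:
    """Connections from ONE private network to each group; other networks are ignored."""
    counts = Counter(group for net, group in ledger if net == private_network)
    return {g: counts.get(g, 0) for g in groups}


def select_group(counts: dict[str, int], groups: list[str]) -> str:
    """Return a group whose count is <= every other group's count.

    min() keeps the first minimal element, so ties resolve in list order
    (an assumption made here; the abstracts do not fix a tie-break).
    """
    return min(groups, key=lambda g: counts[g])


def establish_connection(ledger: Ledger, private_network: str, groups: list[str]) -> str:
    """Handle one connection request: choose a group and record the new connection."""
    counts = count_connections_per_group(ledger, private_network, groups)
    chosen = select_group(counts, groups)
    ledger.append((private_network, chosen))
    return chosen


def release_connection(ledger: Ledger, private_network: str, group: str) -> None:
    """Connector dropped: remove one live connection so the count stays accurate."""
    ledger.remove((private_network, group))


def simulate(requests: list[str], groups: list[str]) -> dict[str, dict[str, int]]:
    """Replay a sequence of connection requests and report per-network distribution."""
    ledger: Ledger = []
    for net in requests:
        establish_connection(ledger, net, groups)
    return {net: count_connections_per_group(ledger, net, groups) for net in dict.fromkeys(requests)}


if __name__ == "__main__":
    groups = ["group-1", "group-2", "group-3"]
    print(simulate(["netA"] * 5 + ["netB"] * 2, groups))
```

Scoping the count to the requesting private network is the part worth noticing: a busy tenant saturating one group does not push a quiet tenant's connectors away from that group, and each tenant's connectors end up spread evenly across groups for their own resilience.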
-
Publication number: 20210337041
Abstract: An example proxy server is disclosed. The proxy server includes a plurality of services to process a received network message. Proxy services applicable to the received network message are determined. The applicable proxy services are selected from the plurality of proxy services. The network message is routed to the applicable proxy services for processing.
Type: Application
Filed: April 27, 2020
Publication date: October 28, 2021
Applicant: Microsoft Technology Licensing, LLC
Inventors: Guy Lewin, Vitaly Khait, Yossi Haber
-
Patent number: 11146534
Abstract: Techniques are described herein that are capable of implementing a client-side policy on client-side logic. The client-side policy is configured to support client-side hooks by configuring a rule in the client-side policy to be applied to the client-side logic, which is configured to be executed in a browser of a client device in a network-based system. The rule indicates an administrator-defined action to be performed in response to a request to execute the client-side logic. The administrator-defined action is defined by an administrator of the network-based system. The request to execute the client-side logic in the browser is received. The administrator-defined action is performed based at least in part on the rule in the client-side policy in response to receipt of the request.
Type: Grant
Filed: April 7, 2020
Date of Patent: October 12, 2021
Assignee: Microsoft Technology Licensing, LLC
Inventors: Guy Lewin, Yossef Haber, Vitaly Khait
-
Publication number: 20210314302
Abstract: Techniques are described herein that are capable of implementing a client-side policy on client-side logic. The client-side policy is configured to support client-side hooks by configuring a rule in the client-side policy to be applied to the client-side logic, which is configured to be executed in a browser of a client device in a network-based system. The rule indicates an administrator-defined action to be performed in response to a request to execute the client-side logic. The administrator-defined action is defined by an administrator of the network-based system. The request to execute the client-side logic in the browser is received. The administrator-defined action is performed based at least in part on the rule in the client-side policy in response to receipt of the request.
Type: Application
Filed: April 7, 2020
Publication date: October 7, 2021
Inventors: Guy Lewin, Yossef Haber, Vitaly Khait
-
Publication number: 20210306303
Abstract: The implementation of application layer-based and transport-layer based security rules via a reverse proxy server chain is described. Each reverse proxy server in the chain is configured to perform a particular function with respect to client messages intended for a destination server and/or convey contextual information pertaining to the messages to a subsequent reverse proxy server in the chain. For instance, a first reverse proxy server in the chain is configured to include client-specific metadata in the transport layer of the message. A second reverse proxy server in the chain enforces transport layer-based policy rules based on the metadata. This enables the second reverse proxy server to manage transport layer connections on a client-by-client basis, thereby enabling the second reverse proxy server to block unauthorized clients, while maintaining the transport layer connections for authorized clients. A third reverse proxy server in the chain enforces application layer-based policy rules.
Type: Application
Filed: March 24, 2020
Publication date: September 30, 2021
Inventors: Guy Lewin, Vitaly Khait, Yossi Haber
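The three-hop reverse proxy chain that publication 20240106802, patent 11831616 and publication 20210306303 describe, as an added Python example (not code from the patents or from Microsoft). Hop 1 tags the connection by prepending client metadata to the byte stream before any HTTP is parsed; hop 2 reads only that tag and decides per client whether the TCP connection stays open; hop 3 parses the HTTP request and applies application-layer rules. The frame layout (`RPX1` magic, 2-byte length, JSON), the policy tables and the sample requests are assumptions made for this example; a production deployment would use an established transport-layer tagging convention rather than this hypothetical frame.

```python
"""Reverse proxy chain: transport-layer client tagging, then transport rules, then HTTP rules.

Added example; the RPX1 frame, the policies and the sample traffic are constructed.
"""
from __future__ import annotations

import json
import struct

FRAME_MAGIC = b"RPX1"  # hypothetical marker for the metadata frame prepended by hop 1


def encode_client_metadata(meta: dict) -> bytes:
    """Hop 1 helper: magic | 2-byte big-endian length | JSON payload."""
    payload = json.dumps(meta, separators=(",", ":")).encode()
    if len(payload) > 0xFFFF:
        raise ValueError("metadata too large for a 16-bit length field")
    return FRAME_MAGIC + struct.pack("!H", len(payload)) + payload


def parse_client_metadata(stream: bytes) -> tuple[dict, bytes]:
    """Hop 2 helper: split the stream into (metadata, remaining application bytes)."""
    if len(stream) < 6 or not stream.startswith(FRAME_MAGIC):
        raise ValueError("stream does not start with a metadata frame")
    (length,) = struct.unpack("!H", stream[4:6])
    payload = stream[6:6 + length]
    if len(payload) != length:
        raise ValueError("truncated metadata frame")
    return json.loads(payload), stream[6 + length:]


def first_proxy(client_id: str, src_ip: str, app_bytes: bytes) -> bytes:
    """Hop 1 never inspects the HTTP payload; it only tags the connection."""
    return encode_client_metadata({"client_id": client_id, "src_ip": src_ip}) + app_bytes


def second_proxy(stream: bytes, blocked_clients: set[str]) -> tuple[str, dict, bytes]:
    """Hop 2 enforces transport-layer policy keyed on the metadata from hop 1.

    "close" models tearing down this one client's TCP connection; connections
    belonging to other (authorized) clients are unaffected.
    """
    meta, rest = parse_client_metadata(stream)
    if meta["client_id"] in blocked_clients:
        return "close", meta, b""
    return "keep", meta, rest


def third_proxy(http_bytes: bytes, denied_prefixes: tuple[str, ...], allowed_methods: set[str]) -> str:
    """Hop 3 enforces application-layer rules on the HTTP request line."""
    request_line = http_bytes.split(b"\r\n", 1)[0].decode("ascii", "replace")
    try:
        method, target, _version = request_line.split(" ", 2)
    except ValueError:
        return "block"  # malformed request line: fail closed
    if method not in allowed_methods or target.startswith(denied_prefixes):
        return "block"
    return "allow"


def run_chain(client_id: str, src_ip: str, app_bytes: bytes, blocked_clients: set[str],
              denied_prefixes: tuple[str, ...], allowed_methods: set[str]) -> tuple[str, str]:
    """Drive one request through all three hops; returns (deciding layer, decision)."""
    stream = first_proxy(client_id, src_ip, app_bytes)
    action, _meta, rest = second_proxy(stream, blocked_clients)
    if action == "close":
        return "transport", "close"
    return "application", third_proxy(rest, denied_prefixes, allowed_methods)


if __name__ == "__main__":
    # Constructed sample traffic and policy.
    req = b"GET /api/reports HTTP/1.1\r\nHost: app.example\r\n\r\n"
    print(run_chain("alice", "10.0.0.5", req, {"mallory"}, ("/admin",), {"GET", "POST"}))
    print(run_chain("mallory", "10.0.0.6", req, {"mallory"}, ("/admin",), {"GET", "POST"}))
```

The split matters operationally: an unauthorized client is cut off at hop 2 before its bytes are ever parsed as HTTP, so the application-layer parser at hop 3 only sees traffic from clients that already passed the transport-layer check. Hop 2 must be the only thing that can reach hop 3, otherwise a client could skip the tagging hop and forge its own frame.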
-
Patent number: 11115417
Abstract: A method and proxy device for securing an access to a cloud-based application are presented. In an embodiment, the method includes receiving an authentication token that includes an identity of a user of a client device requesting an access to the cloud-based application. The method further includes receiving, from an agent executed in the client device, a client certificate; retrieving, from a compliance server, a device posture of the client device, wherein the device posture is retrieved respective of the received client certificate; identifying an access policy for the client device to access the cloud-based application, and determining whether to grant an access to the cloud-based application based in part on the compliance of the client device with the identified access policy. In an embodiment, the access policy is identified based at least on the retrieved device posture.
Type: Grant
Filed: March 28, 2016
Date of Patent: September 7, 2021
Assignee: Microsoft Technology Licensing, LLC
Inventors: Vitaly Khait, Ami Luttwak, Liran Moysi, Ariel Stolovich, Greg Vishnepolsky
-
Patent number: 11025593
Abstract: A computer-implemented method includes receiving, by a reverse proxy device, a session control template, and a client request directed to a service provider regarding an application. The method includes determining, by the reverse proxy device, whether the client request should be allowed or blocked based on the received session control template. If the reverse proxy device determines that the client request should be allowed, the client request is forwarded from the reverse proxy device to the service provider. If the reverse proxy device determines that the client request should be blocked, the client request is blocked from proceeding to the service provider.
Type: Grant
Filed: June 28, 2019
Date of Patent: June 1, 2021
Assignee: Microsoft Technology Licensing, LLC
Inventors: Guy Lewin, Tomer Cherni, Daniel Senderovich, Vitaly Khait
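A reverse proxy evaluating a session control template against each client request, as an added Python example for the abstract above (not code from the patent or from Microsoft). The template structure (ordered rules with method, path glob and user-group matchers, first match wins, explicit default), the `files.example` service provider and the sample requests are all assumptions made for this example; the patent abstract only states that the proxy decides allow or block from the template and forwards or drops accordingly.

```python
"""Reverse proxy allow/block decision driven by a session control template.

Added example; the template format, service provider and sample requests are constructed.
"""
from __future__ import annotations

import fnmatch
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "block"
    methods: tuple[str, ...] = ("*",)
    path: str = "*"                  # fnmatch-style glob against the request path
    user_groups: tuple[str, ...] = ("*",)  # rule applies if the user is in ANY of these


@dataclass(frozen=True)
class Request:
    method: str
    path: str
    user_groups: tuple[str, ...]


def _matches(rule: Rule, req: Request) -> bool:
    method_ok = "*" in rule.methods or req.method in rule.methods
    path_ok = fnmatch.fnmatchcase(req.path, rule.path)
    group_ok = "*" in rule.user_groups or any(g in rule.user_groups for g in req.user_groups)
    return method_ok and path_ok and group_ok


def evaluate(template: dict, req: Request) -> str:
    """First matching rule wins; the template's default applies when nothing matches."""
    for rule in template["rules"]:
        if _matches(rule, req):
            return rule.action
    return template["default"]


def handle(template: dict, req: Request) -> dict:
    """The reverse proxy's action: forward allowed requests, stop blocked ones here."""
    if evaluate(template, req) == "allow":
        return {"forwarded": True, "upstream": template["service_provider"]}
    return {"forwarded": False, "status": 403}


# Constructed session control template. Blocks are listed before the broad allow so
# that the first-match semantics cannot let a later rule widen access by accident.
TEMPLATE = {
    "service_provider": "https://files.example",
    "default": "block",  # fail closed for anything the rules do not name
    "rules": (
        Rule("block", methods=("GET",), path="/download/*", user_groups=("contractors",)),
        Rule("block", methods=("POST", "PUT"), path="/upload/*"),
        Rule("allow", methods=("GET", "HEAD")),
    ),
}


if __name__ == "__main__":
    print(handle(TEMPLATE, Request("GET", "/download/q3.pdf", ("contractors",))))
    print(handle(TEMPLATE, Request("GET", "/download/q3.pdf", ("employees",))))
```

Two checks a reviewer would apply to any such template: the default must be `block` (a missing rule should deny, not permit), and deny rules must sit ahead of any broad allow, since with first-match evaluation a reordering silently changes the policy.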