METHOD AND APPARATUS FOR RESOLVING A WEB SITE ADDRESS WHEN CONNECTED WITH A VIRTUAL PRIVATE NETWORK (VPN)

METHODE ET APPAREIL POUR RESOUDRE UNE ADRESSE DE SITE WEB LORSQUE LA CONNEXION EST ETABLIE AVEC UN RESEAU PRIVE VIRTUEL (VPN)

English Abstract

The present invention is directed at a method and apparatus of resolving an address location for a web site when connected with a virtual private network (VPN). Once the public host is connected to, or logged on to, the VPN, a software module within the public host monitors domain name requests and routes them to a domain name server (DNS) associated with the VPN. The VPN DNS then resolves the address location request and returns the address location to the software module in the form of a domain name response. The software module then forwards the address location to the requesting public host.

French Abstract

La présente invention porte sur une méthode et un appareil permettant de résoudre un emplacement d'adresse d'un site web lorsque la connexion est établie avec un réseau privé virtuel (VPN). Une fois que l'hôte public est connecté, ou qu'une session est ouverte, le réseau privé virtuel, un module logiciel de l'hôte public surveille les demandes de nom de domaine et les achemine à un serveur de nom de domaine associé au réseau privé virtuel. Le serveur de nom de domaine associé au réseau privé virtuel résout alors la demande d'emplacement d'adresse et la retourne au module logiciel sous forme d'une réponse de nom de domaine. Le module logiciel envoie ensuite l'emplacement de l'adresse à l'hôte public demandant.

Claims

THE EMBODIMENTS OF THE INVENTION IN WHICH AN EXCLUSIVE PROPERTY OR
PRIVILEGE IS CLAIMED ARE DEFINED AS FOLLOWS:


1. A method for transparently resolving a web site address for a client in a
public network
when said client is connected to a virtual private network (VPN) using said
public network, said
method comprising the steps of:
a) connecting said client with said virtual private network (VPN) through said
public network,
said client storing a software module on a computer readable medium for
routing domain
name requests to a domain name server (DNS) of said VPN while a connection is
active,
said software module comprising computer executable instructions that, when
executed,
operate transparently at said client by performing the following steps:
b) said software module monitoring communication packets transmitted from said
client for
presence of domain name requests outbound from said client;
c) said software module transparently intercepting said requests;
d) said software module modifying said requests by replacing an address of a
DNS of an
internet service provider (ISP) of said client with an address of said DNS of
said VPN and
routing said requests to said DNS of said VPN;
e) said software module receiving an address location as a domain name
response from said
DNS of said VPN resolving said requests routed thereto by said software
module;
f) said software module modifying said response by re-modifying said address
of said DNS of
said ISP to counter-act the modifying performed in step d); and
g) said software module providing said address location to said client;
wherein said address location appears to said client as being provided by said
DNS of said ISP.
2. The method of claim 1 further including the step of connecting said client
to said
address location.

3. The method of claim 1 or claim 2, wherein step d) further comprises said
software
module modifying a check sum of said domain name requests; and step f) further
comprises
said software module re-modifying said check sum to counter-act the modifying
performed in
step d).

4. The method of claim 3 wherein said modifying performed in step d) includes
computing a
new check sum by XORing said check sum with a hexadecimal value to obtain a
one's


8



complement, and replacing said check sum with said new check sum.

5. The method of any one of claims 1 to 4, wherein said connection between
said client
and said VPN comprises a VPN tunnel.

6. The method of claim 5 wherein said VPN tunnel comprises a Secure Internet
Protocol
(IPSec) tunnel.

7. The method of any one of claims 1 to 6, wherein said client is one of a
personal digital
assistant (PDA), a desktop personal computer, or a laptop personal computer;
wherein said
client has data communication capabilities.

8. A client device configured for using a public network and for transparently
resolving a
web site address when said client device is connected to a virtual private
(VPN), said client
device comprising a communication link with a domain name server (DNS) of said
VPN for
connecting said client device with said VPN through said public network and
storing a software
module configured to operate transparently in said client device, said
software module
configured for, when executed, performing the steps of:
a) monitoring communication packets outbound of said client device for
presence of said
domain name requests;
b) transparently intercepting said requests;
c) modifying said requests by replacing an address of a DNS of an internet
service provider
(ISP) of said client device with an address of said DNS of said VPN, said DNS
of said
VPN configured for resolving domain name requests from said client and for
returning an
address location as a domain name response;
d) routing said requests to said DNS of said VPN;
e) receiving and modifying said response from said DNS of said VPN by re-
modifying said
address of said ISP to counter-act the modifying performed on said requests;
and
f) providing said address location to said client device, wherein said address
location
appears to said client device as being provided by said DNS of said ISP.

9. The client device of claim 8, wherein said software module comprises a
driver.

10. The client device of claim 8 or claim 9, wherein said client device is one
of a personal

9



digital assistant (PDA), a desktop personal computer, or a laptop personal
computer; wherein
said client device has data communication capabilities compatible with said
communication link.
11. A computer readable medium storing a software module for transparently
resolving a
web site address for a client in a public network when said client is
connected to a virtual private
network (VPN) using said public network, said software module comprising
computer
executable instructions that, when executed, operate transparently at said
client by performing
the steps of:
a) connecting said client with said virtual private network (VPN) through said
public
network; routing domain name requests to a domain name server (DNS) of said
VPN
while a connection is active;
b) operating transparently in said client;
c) monitoring communication packets transmitted from said client for presence
of domain
name requests outbound from said client;
d) transparently intercepting said requests;
e) modifying said requests by replacing an address of a DNS of an internet
service provider
(ISP) of said client with an address of said DNS of said VPN and routing said
requests to
said DNS of said VPN;
f) receiving an address location as a domain name response from said DNS of
said VPN
resolving said requests routed thereto;
g) modifying said response by re-modifying said address of said ISP to counter-
act said
modifying performed on said requests; and
h) providing said address location to said client; wherein said address
location appears to
said client as being provided by said DNS of said ISP.

12. The computer readable medium of claim 11 comprising instructions for
connecting said
client to said address location.

13. The computer readable medium of claim 11 or claim 12 comprising
instructions for
modifying a check sum of said domain name requests; and for re-modifying said
check sum to
counter-act the modifying of the check sum.

14. The computer readable medium of claim 13, wherein said modification of
said check
sum includes computing a new check sum by XORing said check sum with a
hexadecimal value




to obtain a one's complement, and replacing said check sum with said new check
sum.

15. The computer readable medium of any one of claims 11 to 14 wherein said
connection
between said client and said VPN comprises a VPN tunnel.

16 The computer readable medium of claim 15, wherein said VPN tunnel comprises
a
Secure Internet Protocol (IPSec) tunnel.

17. The computer readable medium of any one of claims 11 to 16, wherein said
client is one
of a personal digital assistant (PDA), a desktop personal computer, or a
laptop personal
computer; wherein said client has data communication capabilities.

18. A method for resolving web site addresses for a client in a public
network, wherein said
client is capable of connecting to a virtual private network (VPN) using said
public network, and
wherein parameters of said client for accepting domain name requests from a
domain name
server (DNS) of an internet service provider (ISP) are established and
unalterable, said method
comprising the steps of:
- transparently intercepting all domain name requests outbound from said
client;
- examining said domain name requests to determine if a requested web site is
a public site or
a private site;
- if said requested web site is a public web site: routing said request
directly to said DNS of
said ISP; receiving an address location as a domain name response; and
providing an
address location to said client without altering said parameters; and
- if said requested web site is a private web site: modifying said request;
routing a modified
request to a DNS of said VPN; and re-modifying a response from said DNS of
said VPN, said
modifying and re-modifying being done to appear to said client as if said
request and said
response are being sent and received from said DNS of said ISP.

19. The method according to claim 18, wherein communication with said DNS of
said VPN is
over a VPN tunnel, said method further comprising the step of: upon
determining that said VPN
tunnel is closed off, no longer performing the step of examining said domain
name requests and
instead sending all domain name requests directly to said DNS of said ISP.


11



20. The method according to claim 18 or claim 19, wherein said step of
transparently
intercepting is performed by executing a software module stored on a computer
readable
medium at said client.

21. The method according to claim 20, wherein said software module comprises a
driver.
22. The method according to claim 20 or claim 21, further comprising the step
of notifying
said software module upon connecting said client to a VPN tunnel between said
client and said
DNS of said VPN.

23. The method according to any one of claims 18 to 22, wherein said modifying
said
request comprises modifying a check sum of said outbound domain name requests
and re-
modifying said check sum on inbound responses from said DNS of said VPN to
counter-act the
modifying of the check sum.

24. The method according to claim 23, wherein said modifying of said check sum
includes
computing a new check sum by XORing said check sum with a hexadecimal value to
obtain a
one's complement, and replacing said check sum with said new check sum.

25. The method according to any one of claims 18 to 24, wherein said client is
connected to
said DNS of said VPN over a VPN tunnel.

26. The method according to claim 25, wherein said VPN tunnel comprises a
Secure
Internet Protocol (IPSec) tunnel.

27. A computer readable medium comprising computer executable instructions for
resolving
web site addresses for a client in a public network, wherein said client is
capable of connecting
to a virtual private network (VPN) using said public network, and wherein
parameters of said
client for accepting domain name requests from a domain name server (DNS) of
an internet
service provider (ISP) are established and unalterable, said instructions,
when executed,
perform the steps of:
- transparently intercepting all domain name requests outbound from said
client;
- examining said domain name requests to determine if a requested web site is
a public
site or a private site;


12



- if said requested web site is a public web site: routing said request
directly to said DNS
of said ISP; receiving an address location as a domain name response; and
providing an
address location to said client without altering said parameters; and
- if said requested web site is a private web site: modifying said request;
routing a
modified request to a DNS of said VPN; and re-modifying a response from said
DNS of
said VPN, said modifying and re-modifying being done to appear to said client
as if said
request and said response are being sent and received from said DNS of said
ISP.

28. The computer readable medium according to claim 27, wherein communication
with said
DNS of said VPN is over a VPN tunnel, said computer readable medium further
comprising
instructions for: upon determining that said VPN tunnel is closed off, no
longer performing the
step of examining said domain name requests and instead sending all domain
name requests
directly to said DNS of said ISP.

29. The computer readable medium according to claim 27 or claim 28, wherein
said
instruction for transparently intercepting is performed by executing a
software module stored on
a computer readable medium at said client.

30. The computer readable medium according to claim 29, wherein said software
module
comprises a driver.

31. The computer readable medium according to claim 29 or claim 30, further
comprising
instructions for: notifying said software module upon connecting said client
to a VPN tunnel
between said client and said DNS of said VPN.

32. The computer readable medium according to any one of claims 27 to 31,
wherein said
modifying said request comprises modifying a check sum of said outbound domain
name
requests and re-modifying said check sum on inbound responses from said DNS of
said VPN to
counter-act the modifying of the check sum.

33. The computer readable medium according to claim 32, wherein said modifying
of said
check sum includes computing a new check sum by XORing said check sum with a
hexadecimal value to obtain a one's complement, and replacing said check sum
with said new
check sum.


13



34. The computer readable medium according to any one of claims 27 to 33,
wherein said
client is connected to said DNS of said VPN over a VPN tunnel.

35. The computer readable medium according to claim 34, wherein said VPN
tunnel
comprises a Secure Internet Protocol (IPSec) tunnel.


14

Description

CA 02353180 2001-07-13
yIETHOD AND APPARATUS FOR RESOLVING
A WEB SITE ADDRESS WHEN CONNECTED
WITH A VIRTUAL PRIVATE NETWORK (VPN)
Field of the Invention
The present invention relates, in general, to virtual private nerivorks and,
more
specifically, to a method and apparatus for resolving a web site address when
connected with a
virtual private network (VPN).
':o Background of the Invention
In the high tech world of data communication and the Internet, having the
capability to access both private and public web sites at the same time is
becoming increasingly
important. While, accessing public web sites over the Internet is quite
simple, accessing private
web sites over the Internet is more difficult unless one is logged on to a
private network
t5 associated with the private sites. Generally, private web sites are located
in a private network
while the public sites are located in a public network.
When a public host is connected to a virtual private network (VPN), i.e.
connected to a private network using a public network such as the Internet,
the host should be
able to receive domain names for web sites that are associated with the VPN,
otherwise, the
public host is required to use raw IP addresses to communicate with the web
sites associated with
the VPN. Commonly, network interfaces located on the public hosts assist in
this
communication with other public sites, on the Internet. Each network interface
has specific
parameters, such as local IP address default route address, network mask, DNS
server address
etc..., that are pre-assigned. Therefore, when a public host is connected to
the Internet, generally
~5 through an Internet service provider (ISP), the public host expects
resolved domain name to be
returned from the ISP domain name server (DNS). Any other communication
between the
network interface and other domain name servers may not be possible.
>=iowever, if the public host is connected to the VPN, it is required to
receive domain name responses from the VPN DNS since, unlike the ISP DNS, the
VPN DNS
_'.o stores the web site address locations of the private web sites associated
with the VPN.
Therefore, in order for the public host to connect to a private web site, a
modification of the

CA 02353180 2001-07-13
network parameters on the public host, to allow communication between the
network interface of
the public host is unattainable.
Moreover, there are instances whereby when one is connected to a virtual
private
network, access to public sites may be restricted. Since the public host is
generally connected to
the VPN via a VPN tunnel, communication between the public host and the ISP
DNS does not
exist. Therefore, unless the VPN DNS is capable of resolving public web site
addresses, access
to public web sites may not be possible when connected to a VPN.
Accordingly, there is a need for a method and apparatus for resolving a web
site
address when connected with a virtual private network (VPN). It is a further
object of the
1 o present invention to provide a method and apparatus that obviates or
mitigates the above
disadvantages.
Summary of the Invention
The present invention is directed at a method and apparatus for resolving an
05 address location for a site associated with a virtual private network and
forwarding the address
location to a requesting entity.
In accordance with an aspect of the present invention, there is provided:
A method for resolving a web site address when connected with a virtual
private
network (VPN) comprising the steps of:
2o receiving a domain name request from a public host;
resolving said domain name request at a domain name server (DNS) associated
with said VPN; and
returning an address location corresponding to said domain name request to
said
public host.
25 In accordance with another embodiment, there is provided a method for
resolving
a web site address when connected with a virtual private network (VPN)
comprising the steps of:
intercepting a domain name request from a public host addressed to a pre
determined domain name server (DNS);
forwarding said domain name request to a DNS associated with said VPN;
3o receiving a domain name response including an address location
corresponding to
said domain name request; and

CA 02353180 2001-07-13
forwarding said domain name response to said public host.
In yet another embodiment, there is provided apparatus for resolving a web
site
address for a public host when connected with a virtual private network (VPN)
comprising:
a VPN domain name server (DNS) for resolving domain name requests; and
a software module for forwarding a domain name request to said VPN DNS and
for receiving a domain name response from said VPN DNS and for forwarding said
response to
said public host.
Brief Description of the Detailed Drawings
to An embodiment of the present invention will be described by way of
example only with reference to the accompanying drawings in which
Figure 1 is a schematic diagram of a network including a public network and a
virtual private network (VPN); and
Figure 2 is a flowchart outlining a method of communicating with the network
of
15 Figure 1.
Detailed Description of the Preferred Embodiment
The present invention is directed at a method and apparatus of resolving an
address location for a web site when connected with a virtual private network
(VPN). Once the
2o public host is connected to, or logged on to, the VPN, a software module
within the public host
monitors domain name requests and routes them to a domain name server (DNS)
associated with
the VPN. The VPN DNS then resolves the address location request and returns
the address
location to the software module in the form of a domain name response. The
software module
then forwards the address location to the requesting public host. It will be
understood that the
25 software module is preferably a driver.
Turning to Figure 1, a schematic diagram of a network is shown. The network 10
includes both a public network 12 and a virtual private network (VPN) 14. The
public network
12 includes an Internet service provider (ISP) 16 along with an ISP domain
name server (DNS)
18. A public host 20 may be connected to the Internet 22 via the ISP 16. The
public host 20
3o may also be connected to the VPN 14 via a VPN tunnel 22 or via the public
network 12. In both
cases, the public host 20 is connected to a security gateway 24 associated
with the VPN 14 which

CA 02353180 2001-07-13
requires the public host to log on to the VPN. After the log on has been
verified, the public host
is connected to the VPN 14. The VPN 14 includes a VPN DNS 26 as well as
address locations
(private hosts) 28 which are not accessible via the public network 12(without
logging in).
In public operation, in order to access the Internet, the public host accesses
the Internet service provider (ISP). As will be understood by one skilled in
the art, the
connection between the public host and the ISP is via a dial - up connection
or a direct Ethernet
connection. In most cases, the public host has an agreement with the ISP to
provide access to the
Internet. The ISP generally includes at least one domain name server (DNS)
which assists in
providing web site address locations for domain name requests from the public
host. In the
ao preferred example, when the public host requests to be connected to
www.certicom.com, in the
preferred embodiment, the ISP DNS operates to return the actual numerical IP
address for the
www.certicom.com site to the public host which then establishes a connection
between the
public host and the requested address location.
However, if the public host requests a connection with a private web site
~5 associated with the VPN, the ISP DNS is unable to establish a connection
since the address
location of the private site is not stored in the ISP DNS. In order to access
the private site, the
public host is required to log in to the virtual private network.
Unfortunately, the public host
may still not be able to a establish a connection between the public host and
the private site due
to the fact that the parameters of the public host may not be alterable and
are designated to be
zo associated with the ISP DNS only. This is in part due to the fact that the
public host may be set
to only receive address locations from the ISP DNS and hence, access to
private sites is not
possible since they are not stored within the ISP DNS. Therefore, there is
required a method and
apparatus to resolve domain names when connected to the VPN.
As mentioned above, the parameters of some public hosts are not alterable, yet
25 without the alteration, access to the virtual private network, and hence,
the private sites, may not
be possible. Therefore, when the public host is connected to the virtual
private network, the
domain name request is modified to suit the public host without requiring the
parameters to be
altered.
In the preferred embodiment, it will be assumed that the public host is
3o already connected to the ISP and the ISP DNS and that the parameters of the
public host are
established and unalterable.
4

CA 02353180 2001-07-13
If the public host wishes to be connected to a private site located within the
virtual
private network, the domain name of the private network login is requested.
The ISP DNS
resolves the address location of the security gateway associated with the VPN
and the public host
is connected to a private network login site. Upon a verified login, the
public host is connected
to the VPN and has access to the private sites associated on the private
network. In order to have
the domain names of the private site resolved, the VPN DNS is provided to
assist in this matter.
It will be understood that the public host may still connect with various
public sites by having the
domain name requests resolved by the VPN DNS. This is assuming that the VPN
DNS stores
the address locations of the private sites associated with the VPN along with
public sites. This is
r0 made with the assumption that the VPN DNS stores all address locations
(public and private). It
will be understood that without a connection with the VPN DNS, the public host
is unable to
establish a connection with the private sites. However, in order to allow the
public host to
connect with the private sites, the public host must be capable to receiving
address locations
from the VPN DNS.
Therefore, in a preferred embodiment of the present invention, after being
connected to the VPN, a software module located within the public host,
monitors the
communications packets being transmitted and received for any domain name
requests or
responses. In order to notify the software module that the public host is
connected to the VPN, a
VPN client sends a message to the software module upon creation of the VPN
tunnel alerting the
2o software module that all future domain name requests are to be re-routed to
the VPN DNS until
the tunnel is closed. It will be understood that the software module is pre-
stored on the public
host and is part of the operating system of the public host. The software
module is programmed
to view all information packets, including domain name requests, which are
being processed by
the public host.
Once a domain name request directed at the ISP DNS is sensed (step 30),
the domain name request is then modified (step 32). Firstly, the address of
the ISP DNS is
replaced with the VPN DNS address and then the check sum of the domain name
request is
adj usted.
Although many methods to modify the check sum are available, in the preferred
3o embodiment, the check sum modification outlined in Method For Computing the
Internet
Checksum, filed on even date, and assigned to the assignee of the present
invention, hereby

CA 02353180 2001-07-13
incorporated by reference, is used. For example, to modify a 16-bit checksum
(HC) to a new
checksum (HC'), initially, a value in the original message is modified from m
to m'. The
checksum HC is XORed with the 16-but hexadecimal value OxFFFF to obtain a
one's
complement of HC. A difference value is the then computed from the new message
m' and the
old message m by standard two's complement subtraction which sets a first
carry flag if the
result is negative. The difference value is then decremented by one if the
first carry flag is set.
An intermediate checksum HCZ is them computed as HCZ = HC + the difference
value. A
second carry flag is then set is the sum overflows 16 bits. The intermediate
checksum HCZ is
then incremented if the second carry flag is set. The new checksum HC' is the
computed by
y0 XORing HC with OxFFFF to obtain it's one's complement. The request is then
modified to
replace the HC with HC'.
The modified domain name request is then transmitted to the VPN DNS (step 34)
via the VPN tunnel. It will be understood that this tunnel is preferably an
IPSEC tunnel. After
receiving the domain name request, the VPN DNS then resolves the domain name
and returns
the address location to the driver in the form of a domain name response (step
36). The driver
then re-modifies the check sum of the domain name response (step 38) to
counter-act the original
check sum modification and then transmits the modified domain name response to
the public
host (step 40). The original ISP DNS address is then recovered. As described
above, since the
public host may only accept address location responses from the ISP DNS, the
modifications of
2o the VPN DNS domain name response is required to fool the public host. The
software module
has to modify the address location response to show that it is being delivered
by the ISP DNS
and then the check sums are adjusted. After receiving the address location
from the software
module, the public host connects to the returned address location and
operation continues until
another domain name request is sensed by the driver. It will be understood
that this address
location may either be a part of the public network or the VPN.
It will be understood that when the VPN tunnel is closed off, the driver stops
monitoring the domain name requests. All domain name requests are then sent to
the ISP DNS.
In most cases, the parameters, such as address of the DNS and the servers
from which to accept information, are pre-programmed into the public host and
are difficult to
alter.
6

CA 02353180 2001-07-13
Although the public host 20 is shown as a personal digital assistant in Figure
1, it
will be understood that the public host may also be a desktop computer or a
laptop computer
with data communication capabilities.
Although the invention has been described with reference to certain specific
embodiments, various modifications thereof will be apparent to whose skilled
in the art without
departing, various modifications thereof will be apparent to those skilled in
he art without
departing from the spirit and scope of the invention as outlined in the claims
appended hereto.
7

Representative Drawing