| CPC H04L 63/102 (2013.01) [H04L 63/0435 (2013.01); H04L 63/20 (2013.01); H04L 67/141 (2013.01); H04L 67/561 (2022.05)] | 20 Claims |

1. A policy-based security system for establishing a direct link or a secure tunnel from client devices to remote instances on a web server, the policy-based security system comprising:
a policy component comprising a plurality of policies, wherein:
the plurality of policies is based on a set of parameters, and
the plurality of policies specifies configuration settings of a plurality of secure tunnels and a plurality of session protocols,
a client device with a local application configured to execute on the client device, the local application is further configured to select a cloud service from a plurality of cloud services for shared content,
a data classifier identifies a tag associated with the shared content, wherein the shared content is to be provided between a client device and the web server,
a mid-link server, coupled to the plurality of specified secure tunnels, the mid-link server comprising:
a policy enforcer configured to determine a set of policies from the plurality of policies for the client device based on the set of parameters and the identified tag, wherein the set of determined policies selectively direct traffic to the mid-link server based on the identified tag of the shared content, and wherein (a) if the client device satisfies security standards the set of determined policies specify a direct link between the client device and the web server and (b) if the client device does not satisfy the security standards, the set of determined policies specify to establish a secure session of a secure tunnel from the plurality of specified secure tunnels between the client device and the mid-link server; and
a router configured to establish via an encryption link a secure session of the client device with the web server for providing the shared content using:
a session protocol from the set of session protocols based on the direct link; or
a tunnel protocol based on the secure tunnel.