United States Patent [19]
Chang

[11] Patent Number: 5,444,850
[45] Date of Patent: Aug. 22, 1995

US005444850A

[54] METHOD AND APPARATUS FOR CONTROLLING NETWORK AND WORKSTATION ACCESS PRIOR TO WORKSTATION BOOT

[75] Inventor: Steve M. Chang, Rancho Palos Verdes, Calif.
[73] Assignee: Trend Micro Devices Incorporated, Torrance, Calif.

[21] Appl. No.: 101,837
[22] Filed: Aug. 4, 1993
[51] Int. Cl.6: G06F 15/177; G06F 9/24
[52] U.S. Cl.: 395/200.1; 395/700; 395/600; 380/3; 380/23; 364/280.2; 364/280.3; 364/286.5
[58] Field of Search: 395/700, 200, 575, 325, 395/600; 380/25, 49, 3, 23

Primary Examiner: Krisna Lim
Attorney, Agent, or Firm: J. P. Violette; Eric S. Hyman

[57] ABSTRACT

A method and apparatus for preboot file and information transfer between workstations and other workstations or workstations and servers on local area networks. During a workstation boot sequence, the various components of the workstation and network operating system are loaded and executed. Since all control of the workstation after the boot sequence is passed to the workstation operating system, any management tasks performed after boot must be performed by application programs running on the workstation. The present invention overcomes problems created by using such application programs to perform management tasks by providing a hardware component, for example a ROM or PROM containing appropriate programming placed in the usually unused boot ROM socket of a LAN card installed in the individual workstations, or a chip including a PROM or ROM built onto the motherboard or system board of the individual workstations. The program in the PROM is set up so that, at system startup, prior to loading of the workstation operating system software during the boot sequence, it performs certain operating system functions by using the basic input/output system (BIOS) of the workstation to enable the workstation to communicate with a server on the network and make the necessary resources of the workstation available to a server management application running on the server via the network. This process, controlled by a system administrator, allows a variety of preboot functions to take place in the workstation.

7 Claims, 5 Drawing Sheets

[FIG. 1 (front-page drawing): LOCAL AREA NETWORK; SERVER with ACCESS CONTROL LIST DATABASE, SERVER MANAGEMENT APPLICATION and WORKSTATION DATABASE; WORKSTATION USER and WORKSTATION ADMINISTRATOR, each with FIRMWARE and WORKSTATION FILES, the administrator side also carrying an ADMINISTRATOR program; labelled flows: WORKSTATION NETWORK INTERFACE CARD IDENTIFICATION, FILE OR BOOT RECORD UPDATE, UPDATED CONFIGURATION, WORKSTATION BOOT/NETWORK ATTACH, ADMINISTRATOR ACCESS. Reference numerals legible in the scan: 11a, 11d, 15, 17a, 17b, 19b.]

EXHIBIT 2002

U.S. Patent    Aug. 22, 1995    Sheet 1 of 5    5,444,850

[FIG. 1 drawing sheet; the rotated labels are illegible in this scan.]

U.S. Patent    Aug. 22, 1995    Sheet 2 of 5    5,444,850

[FIGURE 2 block diagram: TO SERVER MANAGEMENT APPLICATION; SERVER MANAGEMENT COMMAND INTERFACE 21; EXECUTABLE SERVICES ENGINE 23; OPERATING SYSTEM KERNEL 25 comprising FILE HANDLER 27a, COMPONENT CONTROL 27b and NETWORK SERVICES 27c.]

U.S. Patent    Aug. 22, 1995    Sheet 3 of 5    5,444,850

[FIGURE 3a flow chart: 31 WORKSTATION POWER-UP; 33 BASIC INPUT/OUTPUT SYSTEM (START PREBOOT SEQUENCE); 35 BASIC INPUT/OUTPUT SYSTEM (DETECT PROGRAM SIGNATURE DURING BASIC INPUT/OUTPUT SYSTEM OPTION READ ONLY MEMORY INITIALIZATION PHASE); 37 TAKE CONTROL OF CENTRAL PROCESSOR UNIT PRIOR TO BOOT PROCESS (FIGURE 3b); 55 COMPLETE PERSONAL COMPUTER BOOT.]

U.S. Patent    Aug. 22, 1995    Sheet 4 of 5    5,444,850

[FIGURE 3b flow chart: 39 LOAD COMMUNICATIONS SOFTWARE; 41 INITIATE NETWORK SERVER CONNECTION; 43 SEND WORKSTATION NETWORK INTERFACE CARD ADDRESS; 45 ADDRESS IN ACCESS CONTROL LIST DATABASE?; CUT NETWORK CONNECTION; 49 UPDATE WORKSTATION FILES; 51 (label illegible); 53 RETURN CONTROL TO WORKSTATION.]

U.S. Patent    Aug. 22, 1995    Sheet 5 of 5    5,444,850

[FIG. 4 drawing sheet; no labels are recoverable from this scan.]

METHOD AND APPARATUS FOR CONTROLLING NETWORK AND WORKSTATION ACCESS PRIOR TO WORKSTATION BOOT

BACKGROUND OF THE INVENTION

1. Field of the Invention

The invention is directed to personal computers used as workstations in local area networks (LANs).

2. Background of the Invention

It is common to connect individual personal computers as workstations using what is often referred to as a local area network or LAN. A LAN is usually defined as a network of computers, usually connected by a cable or wire at a single geographical location such as one or more floors of an office building, so that various resources can be shared among the workstations and/or allow the individual workstations to send and receive electronic mail or E-Mail.

Typically, local area networks enable individual users to access databases or files physically associated with another computer, called a server, or with other workstations on the LAN. In this manner, data and programs which are needed by more than one user can be maintained on a single computer on the network and still be available to other workstations on the network. In this instance the computer with the common data is referred to as the server and the workstations of the individual users are called clients. In other situations, a database or files may be set up on various workstations such that each can function as a server and each can function as a client. This is frequently referred to as a peer-to-peer structure.

In large networks, with hundreds or even thousands of workstations and dozens of servers, administration or management of the individual workstations can be a cumbersome task. This administration consists of, but is not limited to, the following tasks:

Workstation configuration control
System security
Workstation fault correction
Application monitoring for software license compliance
Software application distribution
Software version control
Customization of user environment (i.e. menus, boot files, etc.)
User training

In such larger networks, this administration can be very time-consuming and tedious because the system administrator must be in the same physical location as the workstation. Since these workstations can be spread over a large area such as a large multi-story building, a significant amount of time and effort is spent in traveling between workstations to perform management tasks.

Also, these management tasks are often associated with computer functions that take place during the workstation's boot (startup) cycle. They often require repeat reboots of the workstation to test changes in configuration. From a security standpoint, much of the ability to control access to both workstations and servers is vastly improved by being able to control functions that occur before, during and after the boot process. Current methods depend upon control of functions occurring during or after the boot process. Since control of many functions prior to workstation boot allows the network administrator to impose significantly more control over the workstation, some method of pre-boot control is very desirable.

BRIEF SUMMARY OF THE INVENTION

The present invention is directed to a method and apparatus for preboot file and information transfer between workstations and other workstations or workstations and servers on local area networks. For convenience, this description will be with reference to DOS based systems. However, persons skilled in the art will recognize that the inventive concepts have application in UNIX based systems and other network environments. Specifically, it is necessary to provide a mechanism by which a network administrator can carry out the functions, as well as other network management tasks. That mechanism should be imposed prior to workstation boot. Workstations using MS-DOS, PC DOS or other operating system variations such as UNIX execute a startup process called a boot sequence. During the boot sequence the various components of the workstation and network operating system are loaded and executed. Since all control of the workstation after the boot sequence is passed to the operating system, any management tasks performed after boot must be performed by application programs running on the workstation. These application programs are often called utilities. In order for utilities to run at the same time as other applications (such as word processing, database management or E-Mail) the utilities must be loaded resident in the workstation memory. That causes a reduction in available application memory and, often, causes conflicts which can cause the workstation to "lock up" or "hang". In that case, the workstation must be rebooted and all programs reloaded. There is, likewise, a strong probability of damage or loss of data which was in use during the failure.

The present invention overcomes these problems by providing a hardware component, for example a ROM or PROM containing appropriate programming placed in the usually unused boot ROM socket of a LAN card installed in the individual workstations, or a chip including a PROM or ROM built onto the motherboard or system board of the individual workstations. The program in the PROM can be set up so that, at system startup, prior to loading of the workstation operating system software during the boot sequence, it performs certain operating system functions by using the basic input/output system (BIOS) of the workstation to enable the workstation to communicate with a server on the network and make the necessary resources of the workstation available to a server management application running on the server via the network. This process, controlled by a system administrator, allows a variety of preboot functions to take place in the workstation.

For example, by exchanging IDs encoded within workstation and server hardware the workstation can be validated for connection to the network. This adds a greatly improved dimension of security to the network. Or, as another example, a workstation which has experienced a conflict resulting in a failure could be rebooted remotely and, during the reboot cycle, boot files changed to clear possible conflicts. While this process is common, it is always performed by an operator entering commands while sitting at the workstation. The invention enables this functionality to be carried out remotely. The invention could also provide preboot updates to critical boot files prior to workstation boot by transferring those files from the server in advance of their use. Workstations that had experienced a virus attack on the boot sectors of their hard drives could have that damage detected and repaired prior to executing the boot sequence, providing an increased measure of anti-virus protection. It is to be noted that the applications, utilities or malicious programs such as viruses that may be present on the workstation hard disk will be under the control of the invention since all preboot operations take place prior to loading and running the workstation's operating system.

The invention enables a rich assortment of high-value technologies because it is:

Protocol and operating system independent
Only activated on request
Not a TSR (it occupies no memory)
A tool that allows the system administrator to force a server connection
Able to create a network connection for the workstation at boot time even if the local drive is damaged or the user does not log in
A remote access to the workstation hard drive without user intervention

Some examples of possible server management applications enabled by the present invention are:

Configuration management (remote edit and installation of workstation system files)
Identification and authentication services
Smart hub management
Critical node monitoring
Workstation crash recovery
Remote software installation, distribution, metering and diagnostics
Single sign-on synchronized passwords

Finally, the invention provides a rich variety of network administrator benefits because:

Thousands of hours per year can be saved because no "office hiking" is required to gain access to user workstations that have hung or crashed
User workstations can be configured centrally
The invention allows appropriate workstation configuration regardless of the environment. Users who cannot tolerate TSRs due to ill-behaved applications still benefit since the invention requires no TSRs
Security can be improved materially by adding pre-boot authentication for both user and workstation
Software installation, updating, version control and metering can be greatly simplified and centralized
The administrator's overall view of the network is materially improved.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block overview diagram showing a local area network with a pair of client workstations and a single server.

FIG. 2 is a block diagram showing the functional components of the programming contained in a PROM or ROM forming part of the invention.

FIGS. 3a and 3b are flow charts of the preboot sequence controlled by the invention.

FIG. 4 is a block diagram showing an EE-PROM/ASIC implementation of the invention.

DETAILED DESCRIPTION OF THE INVENTION

FIG. 1 is a block overview diagram showing a local area network with a single server workstation 11, a client workstation designated User 13 and a client workstation designated Administrator 15. The server workstation 11 includes server files (not shown), an access control list database (ACL-DB) 11a, and a server management application (SMA) such as a NetWare Loadable Module (NLM) in a Novell NetWare environment, which functions in conjunction with the invention, and a workstation database (DB) 11d which contains information used by the invention to modify information in the workstation during the preboot process. Both client workstations 13 and 15 are configured the same, each containing a hardware component (typically a programmable read-only memory (PROM) and application specific integrated circuit (ASIC) combination, referred to herein as firmware, installed on the workstation network interface card (NIC) or motherboard) 19a and 19b respectively, but the administrator client also includes an administrator program 13. The firmware manages workstation functions and communicates with the server prior to loading of the complete workstation operating system.

The client workstation firmware (19a or 19b) also provides preboot access to the client operating system's file services and contains a functional subset of the client workstation operating system and the client workstation component of the network operating system. Its purpose is to communicate with the server. The server hardware component takes instructions from the server SMA. The server SMA contains control routines to manage operation of the invention. The specifics for incorporating suitable programming in the SMA depend upon the functionality desired to be performed. However, such specifics are well within the skills of persons having ordinary ability in the field of the invention based upon the descriptions provided herein. Administrative utilities are executed in the designated workstation. One of those utilities could be a scripting language which allows the administrator to program a series of client-server operations.

FIG. 1 shows the basic communications between the client workstation 13 and the server workstation 11 and between the client workstation 15 and the server workstation 11. The basic communications (which actually take place over the network) provide the mechanism for making a connection between client and server. Once that connection has been made, the client 13 is authenticated as a legitimate client to the server 11. Once the client is identified to the server, any preboot activity such as file transfers, file updates or operating system rescue (due to malicious or accidental damage) can take place automatically under control of the SMA.

In particular, each time a client workstation attempts to connect to the network, firmware 19a or 19b executes a program which seeks a server on the network with which to communicate. The appropriate server, e.g. the one with the SMA (the NLM in a Novell NetWare environment), responds to the client workstation. The client workstation then sends, using the invented subsystem, its network interface card (NIC) address to the server. The server SMA verifies the address in the access control list 11a which resides in the server. The server SMA then performs whatever tasks it is preprogrammed to perform. The invention, being an enabling technology, insofar as it resides in the SMA, can be customized to provide a wide variety of preboot services. For example, it could be customized to update files by transferring new files to the client prior to boot since the file management system is operating on the client. It could be customized to verify that the boot
sector of the client is free of virus infection and that the boot sector is intact. If not, it could remove the virus and restore the boot sector from the workstation database 11d residing safely on the server.

Once all client-server preboot functions are complete and acknowledged by the client, the firmware 19a or 19b on the client returns boot control to the client's basic input/output system (BIOS). The client then boots in the normal manner, loading the complete workstation operating system, and attaches to the network as it normally would. The advantage of the preboot sequence of the invention is that any damage to the client workstation's boot or operating system that would prevent normal boot or cause further damage can be managed and recovered during the preboot process. The invention contains a functional subset of the complete operating system installed in the client workstation which allows the client to partially boot from a sterile environment without using any of the operating system elements installed in the client workstation which could become damaged. This sterile environment is maintained within the firmware of the invention. A second advantage is that any updates or repairs to critical software systems can be managed centrally using a sterile operating environment without interfering with the user of the client in any way.

The invented technique for initiating a network connection with a server sends a registered unique identification to the server, such as the workstation network interface card (NIC) ID (for example, in an Ethernet environment the Ethernet hardware address), through the standard or de-facto network protocol. The network protocol could be varied depending on the networking environment, such as TCP/IP of the Internet, SPX/IPX of Novell's NetWare, or any standard LAN protocols defined by the Institute of Electrical and Electronic Engineers (IEEE). The server application checks a pre-configured database to determine whether the connection should be accepted. After the connection is established, the server SMA sends managing requests to instruct the program in the workstation firmware to perform appropriate management tasks. The firmware sends back the result of its executed operation to the SMA and goes back to the normal booting process when approved by the server.

The invention utilizes a client server technology, implemented as firmware (i.e., programming in a PROM or ROM), which allows full, remote pre-boot control of any network workstation, regardless of operating environment, without the use of terminate and stay resident (TSR) programs at the workstation. The invention provides an open architecture upon which developers and OEMs can build custom server-based client management applications.

One example of an implementation of the invention utilizes a single PROM containing the necessary programming (i.e., firmware) which is plugged into an ASIC, which provides address decoding, which ASIC plugs into the normally unused boot ROM socket on most network interface cards. The necessary programming provides file handler, component control, network services, server management command interface, and executable services engine functions. In an alternate embodiment, the programming could be contained in a flash erasable PROM (EPROM) which would avoid the need for the address decoding ASIC for reasons which should be apparent to persons skilled in the art.

The firmware on the client communicates with the server SMA via a custom application programming interface (API) or an industry standard protocol such as SNMP. Virtually any server management application can be written in a variety of programming languages, or existing SNMP management applications can be accessed directly.

A simplified block diagram for the programming in the PROM or ROM of the invention is shown in FIG. 2. Excluding housekeeping services and functions not germane to this description, the system includes:

A Server Management Command Interface 21: This is the basic interface between the firmware on the client and the Server Management Application (SMA) on the server. Its main task is to interpret the commands sent in packets from the server SMA and to construct a response packet containing the result of performed operations in a form which can be understood by the SMA. It serves the same function as SNMP, an industry defined management protocol.

Executable Services Engine 23: The executable services engine provides the proprietary pre-boot functions that allow control of the workstation pre-boot processes. The executable services engine receives its instructions based upon the requirements of the SMA. In other words, the executable services engine and the SMA together control the actions of the workstation prior to the commencement of the workstation boot process.

Operating System Kernel 25: The operating system kernel is, in effect, a "mini operating system." The operating system kernel utilizes file handler 27a, component control 27b and network services 27c and communications appropriate to the installed operating environment. This environment includes both the workstation environment (DOS, OS/2, UNIX etc.) and the network operating system (NetWare, LAN Manager, Vines, etc.).

The programming necessary to provide the functionality of server management command interface 21 and executable services engine 23 is well within the skills of a person having ordinary skills in the field of the invention. A suitable operating system kernel 25 is available from Hitech Business Software, Inc. of Wilmington, Del.

FIGS. 3a and 3b are flow charts showing the processing performed by programming in the PROM or ROM at system startup.

In normal operation, as shown in the flowcharts of FIGS. 3a and 3b, the invention interrupts the boot process after the BIOS (in an MS-DOS environment, for example) is executed but before DOS executes. Specifically, upon workstation power-up (step 31), the system BIOS is executed (step 33) in a manner well known in the art. The system BIOS detects the existence of a program in a ROM socket on a network interface card (step 35) and passes control to this program (step 37). Referring now to FIG. 3b, upon control being passed to the program in the PROM, network communications software is loaded from the workstation storage medium (step 39) using its internal mini-operating system and the appropriate network communications protocols. In this manner, communication with the server SMA is initiated (step 41). Under instructions from the SMA, the invention executes the appropriate functions contained in the executable services engine of the program in the PROM. The executable services engine uses low level control functions, such as the BIOS under DOS, to perform the instructions sent by the server SMA to the workstation. After initiation of the server connection in step 41, the workstation NIC address is sent to the server for verification (step 43). If the NIC address is not in the ACL-DB (step 45), the connection to the network is cut; otherwise an attempt is made to connect the workstation to the network (step 47) and, if successful, workstation files are updated (step 49). Otherwise, the attempt to initiate the network connection is repeated (step 41). In step 49, the server sends any required workstation updates to the client and performs any assigned tasks under control from the SMA. During the update workstation files step 49, any processes programmed in the PROM are executed and acknowledged. This process execution and acknowledgment is accomplished by the firmware under instruction from the server SMA. The server and client communicate directly with workstation hardware and firmware at a level below the normal operating system, thus providing a sterile, controlled operating environment. After the update is successfully performed and acknowledged (ACK) by the client (step 51), control is returned to the workstation boot process (step 53) and the normal boot process is completed (step 55 of FIG. 3a). The foregoing functionality set forth in steps 39 and 41 is performed by file handler 27a and component control 27b, while the functionality set forth in steps 43, 45, 47, 49, 51 and 53 is performed by network services 27c and executable services engine 23.

Since the operating system kernel in the firmware is controlling the workstation, a pristine operating environment exists. The workstation can execute any instructions sent by the SMA, exit from control of the firmware and commence normal boot. Any changes made during the pre-boot process by the SMA are reflected immediately at the workstation.
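The identification handshake described on the previous page (registered unique identification sent to the server, acceptance decided from a pre-configured database) and the FIG. 3b walkthrough above (steps 41 through 53) are the same exchange seen from two sides. The following simulation of that exchange is an added example; it is not code from the patent or from Trend Micro. The packet type names (CONNECT, SEND_ID, ID, AUTHORIZED, DENIED, ATTACH, ATTACHED, BUSY, ACK, RELEASE), the retry bound, the server-side audit list and all sample NIC addresses and file contents are assumptions constructed for the illustration.

```python
"""Simulation of the preboot client/server exchange of FIG. 3b.

Added example; it is not the patent's own code. Packet names, the retry
bound and all sample data are constructed assumptions for illustration.
"""

# Constructed sample data: the server's access control list database (ACL-DB,
# step 45) and workstation database 11d (files pushed in step 49). The NIC
# addresses use the IEEE documentation range 00-00-5E-00-53-xx.
ACL_DB = {"00:00:5e:00:53:01", "00:00:5e:00:53:02"}
WORKSTATION_DB = {
    "00:00:5e:00:53:01": {"CONFIG.SYS": b"FILES=40\r\nBUFFERS=20\r\n"},
    "00:00:5e:00:53:02": {},
}


class ServerSMA:
    """Server management application: answers firmware packets one at a time."""

    def __init__(self, acl_db, workstation_db, busy_attaches=0):
        self.acl_db = acl_db
        self.workstation_db = workstation_db
        # Constructed failure model: refuse this many network attaches (step 47)
        # so the firmware's retry path (back to step 41) is exercised.
        self.busy_attaches = busy_attaches
        self.audit = []  # server-side record of every accept, deny and ack

    def handle(self, packet):
        kind = packet["type"]
        if kind == "CONNECT":  # step 41: firmware has found the server
            return {"type": "SEND_ID"}  # claim 4(a): ask for the unique identifier
        if kind == "ID":  # steps 43/45: look the asserted NIC address up in ACL-DB
            nic = packet["nic"]
            if nic not in self.acl_db:
                self.audit.append(("deny", nic))
                return {"type": "DENIED"}  # claim 4(b): denial of authorization
            self.audit.append(("accept", nic))
            return {"type": "AUTHORIZED", "updates": self.workstation_db.get(nic, {})}
        if kind == "ATTACH":  # step 47: attach the workstation to the network
            if self.busy_attaches > 0:
                self.busy_attaches -= 1
                return {"type": "BUSY"}
            return {"type": "ATTACHED"}
        if kind == "ACK":  # step 51: client confirms the update (claim 5)
            self.audit.append(("ack", packet["nic"], tuple(packet["updated"])))
            return {"type": "RELEASE"}  # approve the return to the normal boot
        return {"type": "ERROR"}


class PrebootFirmware:
    """Client-side program in the boot ROM: drives steps 41..53 of FIG. 3b."""

    def __init__(self, nic, local_files):
        self.nic = nic
        self.files = dict(local_files)  # workstation files the server may update
        self.trace = []

    def run(self, server, max_attempts=3):
        """Return "BOOT" when control goes back to the BIOS, "CUT" otherwise.

        The flowchart repeats step 41 without limit after a failed attach;
        max_attempts is an added bound so that the simulation terminates.
        """
        for attempt in range(1, max_attempts + 1):
            self.trace.append(f"step 41: initiate server connection (attempt {attempt})")
            if server.handle({"type": "CONNECT"})["type"] != "SEND_ID":
                continue
            reply = server.handle({"type": "ID", "nic": self.nic})  # step 43
            if reply["type"] != "AUTHORIZED":  # step 45: address not in ACL-DB
                self.trace.append("step 45: address rejected, network connection cut")
                return "CUT"
            if server.handle({"type": "ATTACH", "nic": self.nic})["type"] != "ATTACHED":
                self.trace.append("step 47: attach failed, repeating step 41")
                continue
            updates = reply["updates"]
            self.files.update(updates)  # step 49: update workstation files
            ack = {"type": "ACK", "nic": self.nic, "updated": sorted(updates)}
            if server.handle(ack)["type"] == "RELEASE":  # step 51
                self.trace.append("step 53: return control to workstation boot")
                return "BOOT"
        self.trace.append("attach attempts exhausted, network connection cut")
        return "CUT"


if __name__ == "__main__":
    sma = ServerSMA(ACL_DB, WORKSTATION_DB, busy_attaches=1)
    fw = PrebootFirmware("00:00:5e:00:53:01", {"CONFIG.SYS": b"FILES=10\r\n"})
    print(fw.run(sma), fw.files, sma.audit, sep="\n")
```

The lookup in step 45 is a membership test on whatever address the firmware asserts in step 43, so on the server side it decides which workstations receive preboot service rather than proving anything about the hardware; that is why the summary lists pre-boot authentication for both user and workstation, and why the server in the example records every accept and deny in its audit list.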

Referring to FIG. 4, the firmware 19a and 19b is implemented on a read only memory (ROM) such as a 256K PROM 61. As shown in FIG. 4, also necessary is a 2K (or larger) electrically erasable PROM (EEPROM) or random access memory (RAM) 65 which functions as a workstation configuration memory which is set up by the user when the workstation is first set up or when additional hardware is added. For purposes of this invention, the only information which needs to be stored in this memory is the address of the network driver program on the workstation disk drive or other storage medium which is needed to communicate with other devices on the network. As previously noted, when implemented in this manner, an address decoder with page control 63 is also necessary. The address decoder logic provides a shared memory paging mechanism. It is needed in a typical DOS system since the boot PROM can only provide 8K bytes of addressable memory space. In order to access the 256K memory space needed by the invention, the address decoder logic is needed to page the ROM address space into the 8K page accessible to the workstation CPU. Preferably, the address decoder functionality is provided using an ASIC. The details for producing a suitable ASIC which can be plugged into a network interface card and into which a PROM containing the programming used by the invention can be plugged should be readily apparent to persons skilled in the relevant art.
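A software model of the paging mechanism that address decoder 63 provides, added here as an illustration; it is not the patent's circuit or any ASIC design. A page register selects which 8K slice of the 256K PROM 61 appears in the boot ROM window the CPU can address. The window base address, the page-register interface and the contents of the ROM image are assumptions constructed for the example.

```python
"""Model of address decoder 63: paging a 256K PROM through an 8K boot ROM window.

Added example, not the patent's hardware. WINDOW_BASE, the page-register
interface and the ROM image contents are assumptions made for illustration.
"""

WINDOW_SIZE = 8 * 1024  # 8K bytes: all a DOS boot PROM socket decodes (per the text)
ROM_SIZE = 256 * 1024  # the 256K PROM 61
PAGE_COUNT = ROM_SIZE // WINDOW_SIZE  # 32 pages of 8K
WINDOW_BASE = 0xD8000  # assumed: an option ROM slot in the PC upper memory area


class PagedBootRom:
    """The decoder keeps one page register; CPU reads inside the window map to ROM."""

    def __init__(self, rom_image, window_base=WINDOW_BASE):
        if len(rom_image) != ROM_SIZE:
            raise ValueError("ROM image must be exactly 256K bytes")
        self.rom = rom_image
        self.window_base = window_base
        self.page = 0  # power-on default: page 0 holds the code the BIOS first sees

    def select_page(self, page):
        """Write the page register (the assumed control interface of the ASIC)."""
        if not 0 <= page < PAGE_COUNT:
            raise ValueError(f"page {page} out of range 0..{PAGE_COUNT - 1}")
        self.page = page

    def cpu_read(self, address):
        """Decode a CPU address: only the 8K window belongs to the ROM."""
        offset = address - self.window_base
        if not 0 <= offset < WINDOW_SIZE:
            raise LookupError(f"{address:#07x} is not decoded by the boot ROM window")
        return self.rom[self.page * WINDOW_SIZE + offset]

    def read_rom(self, rom_offset):
        """Firmware-side helper: page in the slice holding rom_offset, then read it."""
        if not 0 <= rom_offset < ROM_SIZE:
            raise ValueError("offset beyond the 256K PROM")
        page, offset = divmod(rom_offset, WINDOW_SIZE)
        self.select_page(page)
        return self.cpu_read(self.window_base + offset)


def build_sample_rom():
    """Constructed image: each page starts with its own page number, then 0xAA."""
    image = bytearray(ROM_SIZE)
    for page in range(PAGE_COUNT):
        image[page * WINDOW_SIZE] = page
        image[page * WINDOW_SIZE + 1] = 0xAA
    return bytes(image)


def page_markers(rom):
    """Walk every page through the window and collect the marker bytes."""
    return [rom.read_rom(page * WINDOW_SIZE) for page in range(PAGE_COUNT)]


if __name__ == "__main__":
    rom = PagedBootRom(build_sample_rom())
    print(page_markers(rom))
```

read_rom shows the cost of the arrangement: the firmware cannot treat its 256K image as flat memory, since every access outside the current page is preceded by a page-register write, so the switching routine itself has to live in a page that is never swapped out while it runs.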

Some additional examples of the preboot functionality which could be programmed into the firmware are checking to ensure that the client is running only the most current versions of application software, that the most current databases for virus scanners are available to the client and that the correct boot files are in place on the client. If errors are found during the preboot process, the PROM programming could provide the appropriate updates from the server files.

For the purposes of this invention, however, potential customized functions are not considered. Only the basic, enabling technology present in the client used in the preboot process forms the present invention as defined in the following claims.

We claim:

1. An apparatus for enabling predetermined workstation resources to be controlled via a network connection prior to loading of a complete workstation operating system onto a storage medium accessible to a processor of the workstation comprising:
a) transferring control means, operable upon workstation startup for transferring control from a workstation preboot process to an external process prior to loading the complete workstation operating system onto a storage medium of the workstation accessible to a processor of the workstation;
b) responsive to the external process, network connection initiation means for initiating a network connection of the workstation to a server on the network;
c) upon initiating the network connection, workstation authentication means for authenticating the workstation identification through the server to ensure that the workstation is authorized to be connected to the network;
d) upon authenticating the workstation identification, file updating means for updating selected files located within the workstation based upon data located within files in the server;
e) upon updating the selected files, return control means for returning control to the workstation boot process to load the complete workstation operating system.

2. The apparatus defined by claim 1 wherein the transferring control means comprises means for detecting existence of a program module in a ROM socket of a network interface card to which control is passed upon the detection of its existence.

3. The apparatus defined by claim 1 wherein the network connection initiation means comprises:
a) means for loading a network communications program onto a storage medium accessible to a processor of the workstation;
b) means for executing said loaded network communications program to establish connection with a server management application which is executing in a server coupled to said network.

4. The apparatus defined by claim 3 wherein the workstation authentication means comprises:
a) means for receiving instructions from said server management application instructing the workstation to send a unique identifier to the server over the network;
b) means for receiving from said server one of an authorization and a denial of authorization.

5. The apparatus defined by claim 4 wherein the file updating means comprises means for determining that said authorization has been received, receiving file update information from said server and sending a confirmation upon completion of said updating to said server.

6. The apparatus defined by claim 1 wherein the return control means comprises means for exiting the program module in the ROM socket and returning to said workstation boot process.

7. An apparatus for enabling predetermined workstation resources to be controlled via a network connection prior to loading of