Express Mail Label No. EL149284212US

PATENT

COVER SHEET FOR FILING PROVISIONAL PATENT APPLICATION

Box: PROVISIONAL PATENT APPLICATION
Assistant Commissioner for Patents
Washington, D.C. 20231

Type a plus sign (+) inside this box: +

INVENTOR(s)/APPLICANT(s)

Name: Joel E. Short
Address: 725 S. Barrington Avenue #310
Los Angeles, California 90049

TITLE OF THE INVENTION (280 characters maximum)

SYSTEMS AND METHODS FOR DYNAMICALLY CREATING SUBSCRIBER
TUNNELS BY A GATEWAY DEVICE IN A COMPUTER NETWORK

CORRESPONDENCE ADDRESS

Malvern U. Griffin, III
Registration No. 38,899
ALSTON & BIRD LLP
P. O. Drawer 34009
Charlotte, NC 28234-4009
Tel. Atlanta Office (404) 881-7000
Fax Atlanta Office (404) 881-7777

ENCLOSED APPLICATION PARTS (check all that apply)

[X] Specification (Number of Pages 160 including Claims, Abstract and Attachments)
[X] Drawing(s) (Number of Sheets ___)
[X] Claims (Number of Claims ___)
    (A complete provisional application does not require claims, 37 C.F.R. § 1.51(a)(2).)
[ ] Small Entity Statement
[ ] Other (specify)

GUEST TEK EXHIBIT 1021
Guest Tek v. Nomadix, IPR2019-01191

Page 1 of 167

Attorney Docket No. 9506-3P
Filed: Concurrently herewith

METHOD OF PAYMENT (check one)

[ ] Check or money order is enclosed to cover the filing fee.
[X] The Commissioner is hereby authorized to charge filing fees and credit Deposit Account No. 16-0605.
[X] Please charge Deposit Account No. 16-0605 for any fee deficiency.

PROVISIONAL FILING FEE AMOUNT(s)

Large Entity $150.00
Small Entity $75.00

Filing Fee Amount: $150.00

The invention was made by an agency of the United States Government or under a contract with an agency of the United States Government.

[X] No.
[ ] Yes, the name of the U.S. Government agency and the Government contract number are:

Respectfully submitted,

[signature]

Malvern U. Griffin, III
Registration No. 38,899
Date: October 22, 1999

ALSTON & BIRD LLP
Post Office Drawer 34009
Charlotte, NC 28234
Tel. Atlanta Office (404) 881-7000
Fax Atlanta Office (404) 881-7777

CERTIFICATE OF EXPRESS MAIL

"Express Mail" mailing label number EL149284212US
Date of Deposit: October 22, 1999

I hereby certify that this paper or fee is being deposited with the United States Postal Service "Express Mail Post Office to Addressee" service under 37 CFR 1.10 on the date indicated above and is addressed to Box: PROVISIONAL PATENT APPLICATION, Assistant Commissioner for Patents, Washington, D.C. 20231.

[signature]

Malvern U. Griffin, III

ATL01/10613836v1

Attydckt: 9506-3P

SYSTEMS AND METHODS FOR DYNAMICALLY CREATING SUBSCRIBER
TUNNELS BY A GATEWAY DEVICE IN A COMPUTER NETWORK

FIELD OF THE INVENTION

The present invention relates generally to a universal subscriber gateway and, more particularly, to a universal subscriber gateway that dynamically creates tunnels for subscribers.

BACKGROUND OF THE INVENTION

In order for a computer to function properly in a network environment, the computer must be appropriately configured. Among other things, this configuration process establishes the protocol and other parameters by which the computer transmits and receives data. In one common example, a plurality of computers are networked to create a local area network (LAN). In the LAN, each computer must be appropriately configured in order to exchange data over the network. Since most networks are customized to meet a unique set of requirements, computers that are part of different networks are generally configured in different manners in order to appropriately communicate with their respective networks.

While desktop computers generally remain a part of the same network for a substantial period of time, laptops or other portable computers are specifically designed to be transportable. As such, portable computers are connected to different networks at different times depending upon the location of the computer. In a common example in which the portable computer serves as an employee's desktop computer, the portable computer is configured to communicate with the employer's network, i.e., the enterprise network. When the employee travels, however, the portable computer may be connected to different networks that communicate in different manners. In this regard, the employee may connect the portable computer to the network maintained by an airport or by a hotel in order to access the enterprise network, the internet or some other on-line service. Since these other networks are configured somewhat differently, however, the portable computer must also be reconfigured in order to properly communicate with these other networks. Typically, this configuration is performed by the user/subscriber each time that the portable computer is connected to a different network. As will be apparent, this repeated reconfiguration of the portable computer is not only quite time consuming, but is also prone to errors. Further, the user/subscriber is often required to have specific software running on the portable computer in order to communicate with the enterprise network, though such communications may be in conflict with the network over which the portable computer must transfer data to reach the enterprise network.

As described by United States Patent Application No. 08/816,174 and United States Provisional Patent Application No. 60/111,497, a universal subscriber gateway device has been developed by Nomadix, Incorporated of Santa Monica, California. The contents of both of these applications are incorporated herein by reference. The gateway device serves as an interface connecting the user/subscriber to a number of networks or other online services. For example, the gateway device can serve as a gateway to the Internet, the enterprise network, or other networks and/or on-line services. In addition to serving as a gateway, the gateway device automatically configures a computer to communicate with the new network in a manner that is transparent to the user/subscriber. In this regard, the gateway device will download the necessary protocols and other configuration parameters to the computer without any intervention by the user/subscriber and without loading any additional software on the user/subscriber's computer. Once the gateway device has appropriately configured the user/subscriber's computer, the computer can appropriately communicate via the new network, such as the network at a hotel or at an airport, in order to access other networks, such as the enterprise network, or other online services, such as the internet.

The computer user/subscriber, and more specifically the remote or laptop user, benefits from being able to access a myriad of computer networks without having to undergo the time-consuming and all-too-often daunting task of reconfiguring their host in accordance with network specific configurations. In this fashion, the gateway device is capable of providing more efficient network access to the user/subscriber. A gateway device is also instrumental in providing the user/subscriber broadband network access that can be tailored to the user/subscriber's needs. In many instances the remote user/subscriber is concerned with being able to acquire network access to their home or enterprise network, which are most typically protected by a firewall. The firewall prevents unauthorized access to the enterprise network through a general internet connection, such as through an internet service provider. While some access is possible from outside the firewall, such as inbound electronic mail, corporate resources such as network databases and application programs are generally not made accessible to computers located outside the firewall unless the user/subscriber has an active account with a valid username and password combination.

However, as appreciated by those of ordinary skill in the art, different network protocols may be used within the Internet infrastructure and within an enterprise network. For example, the Internet Protocol (IP) is typically used at the network protocol level to send data through the Internet. An enterprise network, on the other hand, may use any one of a variety of network protocols including IP, IPX, AppleTalk, etc. When a remote user attempts to access the enterprise network through the Internet, typically through an Internet service provider, the remote user is dynamically assigned an IP address. Thus, the remote user may be denied access by the firewall of the enterprise network because the IP address assigned by the Internet service provider is not one of the authorized addresses in the corporate network. In addition, the remote user may be forced by the Internet service provider to use an IP protocol incompatible with that of the enterprise network. If the IP protocol and the enterprise network protocol are incompatible, then the remote user may be prevented from accessing resources on the enterprise network.

In response to these and other problems associated with granting remote access to an enterprise network over the internet, several techniques have been developed for creating virtual private networks (VPN), wherein a remote node of a single network is interconnected using a publicly accessible communication medium. For example, there are a number of systems that enable user/subscribers to create virtual networks using the Internet as a medium for transporting data between the enterprise network and a remote user. These systems often include encryption and other security mechanisms to ensure that only authorized users can access the virtual network, and that the data cannot be intercepted.

The common technique for constructing a VPN is tunneling. Tunneling works by encapsulating or wrapping a packet or a message from one network protocol in the protocol of another. The encapsulated packet is transmitted over the network via the protocol of the wrapper. This method of packet transmission avoids protocol restrictions, and enables remote users to have seamless access to their enterprise network without any apparent effects from accessing their enterprise network over another network having a different protocol. Several relatively well known tunneling protocols include Microsoft's PPTP, Cisco's Layer Two Forwarding (L2F) protocol, and Redback's L2TP, which is a hybrid of L2F and PPTP. While these and other tunneling techniques have some merit, no single tunneling protocol provides for automated configuration without the need for special client-side (i.e., remote computer) software.

Therefore, an unsatisfied need exists in the industry for a system and method that dynamically creates subscriber tunnels automatically and without special client-side software.

SUMMARY OF THE INVENTION

The present invention comprises a gateway device for use in providing a subscriber access to a computer system, and more particularly, for dynamically creating and managing subscriber tunnels through the computer system (i.e., network), such as the Internet, from the gateway device to an enterprise network, such as a corporate network. The present invention does not require special client-side software to be loaded on the remote computer of the subscriber, and does not require any manual configuration of the remote computer. Instead, the gateway device establishes a tunnel, whereby the gateway device operates as one end point and the enterprise network operates as the other end point. Rather than configuring and reconfiguring the remote computer each time a tunnel is created, the remote computer provides the gateway device with the profile information necessary to create a tunnel to a particular enterprise network during the setup of the account. Thereafter, the gateway device uses the profile information each time a tunnel is created for that user to that enterprise network. In essence, the gateway device takes the place of the remote computer as an end point of the tunnel, spoofing the enterprise network. The tunnel is created from the gateway device to the enterprise network such that the enterprise network views the gateway device as though it were the remote computer. By allowing the gateway device to operate as the end point of the tunnel, the remote computer is not limited to a single tunnel per session, but may have numerous tunnels established simultaneously during a single session. The gateway device determines on a per packet basis whether a tunnel is required based upon the packet destination. If a tunnel is required, then the gateway device creates the tunnel and places the packets in the tunnel for delivery to the destination network.

BRIEF DESCRIPTION OF THE DRAWINGS

Figure 1 is a block diagram of a computer system that includes a gateway device in accordance with an embodiment of the present invention for automatically configuring one or more tunnels for a remote computer to communicate via the gateway device with other networks and/or online services.

Figure 2 is a block diagram showing two simultaneous tunnel sessions in accordance with an embodiment of the present invention.

Figure 3 is a flowchart diagram of a method for creating and managing tunnels in accordance with an embodiment of the present invention.

Figures 4 - 6 illustrate component configurations for the L2TP, PPTP, and PPPoE tunneling protocols, respectively.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

The present invention now will be described more fully hereinafter with reference to the accompanying drawings, in which preferred embodiments of the invention are shown. This invention may, however, be embodied in many different forms and should not be construed as limited to the embodiments set forth herein; rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the invention to those skilled in the art. Like numbers refer to like elements throughout.

Referring now to Figure 1, the computer system 10 that includes a gateway device 12 is depicted in block diagram form. The computer system typically includes a plurality of user/subscriber computers 14 that access the computer network in order to gain access to other networks or other online services. For example, the computers can be plugged into ports that are located in different rooms of a hotel, a multi-dwelling residence or an office building. Alternatively, the computers can be plugged into ports in an airport, an arena, or the like. The computer system also includes a gateway device in accordance with the present invention that provides an interface between the plurality of computers and the various networks or other online services. Most commonly, the gateway device is located near the computers at a relatively low position in the structure of the overall network (i.e., the gateway will be located within the hotel, multi-unit residence, airport, etc.). However, the gateway device can be located at a higher position in the overall network structure, such as at a Point of Presence (PoP) or Network Operating Center (NOC), if so desired. Although the gateway device can be physically embodied in many different fashions, the gateway device typically includes a controller and a memory device in which software is stored that defines the operational characteristics of the gateway device. Alternatively, the gateway device can be embedded within another network device, such as the access controller or a router, or the software that defines the functioning of the gateway device can be stored on a PCMCIA card that can be inserted into the computer in order to automatically reconfigure the computer to communicate with a different computer system.

The computer system 10 also typically includes an access controller 16 positioned between the computers 14 and the gateway device 12 for multiplexing the signals received from the plurality of computers onto a link to the gateway device. Depending upon the medium by which the computers are connected to the access controller, the access controller can be configured in different manners. For example, the access controller can be a digital subscriber line access module (DSLAM) for signals transmitted via regular telephone lines, a cable headend for signals transmitted via coaxial/optical fiber cables, a wireless access point (WAP) for signals transmitted via a wireless network, a CMPS, a switch or the like. As also shown in Figure 1, the computer system typically includes one or more routers 18 and/or servers (not shown in Figure 1) of a plurality of computer networks 20 or other online services 22. While the computer system is depicted to have a single router, the computer system can have a plurality of routers, switches, bridges, or the like that are arranged in some hierarchical fashion in order to appropriately route traffic to and from the various networks or other online services. In this regard, the gateway device typically establishes a link with one or more routers. The routers, in turn, establish links with the servers of other networks or other online service providers, such as internet service providers, based upon the subscriber's selection.

The gateway device 12 is specifically designed to configure computers 14 that log onto the computer network 10 in a manner that is transparent to the subscriber. In the typical computer network that employs dynamic host configuration protocol (DHCP) service, the DHCP server 24 will initially assign an IP address to a computer that is logging onto the computer network through communication with the gateway device. While illustrated as a separate device from the gateway device 12, the DHCP server 24 may be incorporated into the physical embodiment housing the gateway device. Upon opening their web browser or otherwise attempting to access an on-line service, the gateway device will direct the subscriber to enter their ID and password. The gateway device then determines if the subscriber is entitled to access the computer system, the level of access and/or the type of services to which the subscriber is entitled according to an Authentication, Authorization and Accounting (AAA) procedure that is described by U.S. Patent Application No. 08/816,174 and U.S. Provisional Application No. 60/111,497, which are incorporated herein by reference.

An AAA server, which is a database of subscriber records, may be remote to the gateway device or the AAA database may be incorporated into the physical embodiment housing the gateway device. Assuming that the subscriber has been authenticated and has authorization, the gateway device typically presents new subscribers with a home page or control panel that identifies, among other things, the online services or other computer networks that are accessible via the gateway device. In addition, the home page presented by the gateway device can provide information regarding the current parameters or settings that will govern the access provided to the particular subscriber. As such, the gateway administrator can readily alter the parameters or other settings in order to tailor the service according to their particular application. Typically, changes in the parameters or other settings that will potentially utilize additional resources of the computer system will come at a cost, such that the gateway administrator will charge the subscriber a higher rate for their service.

The home page also permits the subscriber to select the computer network 20 or other online service 22 that the subscriber wishes to access. For example, the subscriber can access the enterprise network on which the computer is typically resident. Alternatively, the subscriber can access the internet or other on-line services. Once the subscriber elects to access a computer network or other online service, the gateway device establishes the appropriate links or tunnels to the desired computer network or online service, as discussed in detail below.

Thereafter, the subscriber can communicate freely with the desired computer network 20 or other online service 22. In order to support this communication, the gateway device 12 generally performs a packet translation function that is transparent to the user/subscriber. In this regard, for outbound traffic from the computer 12 to the computer network or other on-line service, the gateway device changes attributes within the packet coming from the user/subscriber, such as the source address, checksum, and application specific parameters, to meet the criteria of the network which the user/subscriber has accessed. In addition, the outgoing packet includes an attribute that will direct all incoming packets from the accessed network to be routed through the gateway device. In contrast, the inbound traffic from the computer network or other online service that is routed through the gateway device undergoes a translation function at the gateway device so that the packets are properly formatted for the user/subscriber's host computer. In this manner, the packet translation process that takes place at the gateway device is transparent to the host, which appears to send and receive data directly from the accessed computer network. Additional information regarding the translation function is provided by United States Patent Application No. 08/816,714. By implementing the gateway device as an interface between the user/subscriber and the computer network or other online service, however, the user/subscriber will eliminate the need to re-configure their computer 12 upon accessing subsequent networks.

A particularly advantageous feature of the gateway device 12 is the dynamic creation and management of tunnels in computer system 10, such as those illustrated in FIG. 2. The gateway device 12 provides automatic configuration of tunnels without the need for specialized client-side software on computer 14'. Further, the gateway device 12 enables a single user/subscriber to establish two or more tunnels simultaneously since the tunnels do not depend upon a particular configuration on the user/subscriber computer 14'.

A user/subscriber initially sets up an account with gateway device 12 via a web browser interface, wherein the user/subscriber enters various data, including that which is necessary for establishing connections to the networks and/or online services to which the user/subscriber wishes to gain access. In addition, the user/subscriber establishes a user name and password for their account. The user/subscriber will be requested to enter authorization information (such as a user name, network access identifier, and password) for each network for which a tunnel is to be established for access to that network. The information entered by the user/subscriber will be used to create a profile which will be stored in the authorization file in the AAA module 30 of the gateway device 12. The user/subscriber will be provided with the capability to add, delete and/or modify his or her profile, including the information for establishing tunnels. While the AAA module 30 is illustrated as an integral component of the gateway device 12, it is noted that the AAA module 30 may be disposed in a remote location, central to and accessible by a plurality of gateway devices, such as a regional or national chain of hotels.

At the beginning of a new network access session by the user/subscriber, the user/subscriber logs onto the gateway device 12 by entering his or her account user name and password. The user/subscriber can then select access to one or more of the networks and/or online services available through gateway device 12. For example, as illustrated in FIG. 2, the user/subscriber of computer 14' has simultaneously established access to three separate networks, two of which are being accessed through separate tunnels. A first tunnel 32 provides access to network 20'. The tunnel 32 was established when the user/subscriber requested access to enterprise network 20', typically from a web browser interface, which caused a setup notification packet to be sent from the user/subscriber computer 14' to the gateway device 12. The gateway device 12 identifies the packet as originating from the user/subscriber by cross-referencing the MAC address of the packet with the authorization files in the AAA module 30. By referencing the IP address in the packet against the profile of the user/subscriber (where the user/subscriber provided a list of networks for access via a tunnel), the gateway device 12 can determine if a tunnel is needed to provide the user/subscriber with access to the enterprise network 20'. If a tunnel is not needed, then the user/subscriber is provided with standard network access. However, if a tunnel is needed, the tunnel management module 44 of the gateway device 12 determines if a tunnel to the enterprise network 20' has already been established, and if so, places the packet in the existing tunnel. If a tunnel does not exist, then the tunnel management module 44 establishes a tunnel utilizing the profile information provided by the user/subscriber during account creation and/or subsequent modification. If the user/subscriber did not provide all the necessary information because, for example, of concern over the security of the information, the user/subscriber is presented with a pop-up control panel requesting the missing information.

The tunnel management module 44 contacts the enterprise network 20' in order to establish access to the enterprise network 20', typically through a firewall 34 or other secure access server. Using the authorization information provided when the user/subscriber initially set up his or her account (e.g., a user name, network access identifier, and password), the gateway device 12 is given access to enterprise network 20', assuming the enterprise network 20' authenticates and accepts the connection. The resulting tunnel established by the tunnel management module 44 is between the gateway device 12 and the enterprise network 20' and may be implemented by any suitable tunneling protocol supported by the enterprise network 20', such as L2TP, PPTP or PPPoE. From the server-side perspective of the enterprise network 20', the fact that the tunnel terminates at the gateway device 12 rather than at the user/subscriber computer 14' is undetectable. The gateway device 12 essentially spoofs the enterprise network 20' into believing that the tunnel extends all the way to an end point at the user/subscriber computer 14'. However, since the end point is at the gateway device 12 rather than the user/subscriber computer 14', multiple tunnels can be established simultaneously during a single session because the tunnels are not dependent upon the configuration of specific software at the user/subscriber computer 14'. In addition, the tunnel management module 44 of the gateway device 12 is able to dynamically create a tunnel on behalf of a user/subscriber utilizing the network log-on information provided by the user/subscriber. The session management module 42 manages the access sessions provided by the gateway device, recording information about the sessions as desired.

As illustrated in FIG. 2, a second tunnel 36 is established on behalf of the user/subscriber for providing access to the enterprise network 20" through firewall 38. The tunnel 36 can be established in substantially the same manner as described above with regard to tunnel 32. In addition, the user/subscriber may be given access to other networks and/or online services such as the worldwide web portion of the Internet 40. As previously mentioned, the user/subscriber computer 14' does not require any specific client-side software for accessing the enterprise networks 20', 20", but only requires a suitable communication protocol for communicating with the gateway device 12, such as TCP/IP. Once established, the tunnels 32, 36 can receive packets in virtually any protocol and encapsulate them with the tunneling protocol utilized for the respective tunnels. The tunnels can be terminated by an express command of the enterprise network 20', 20" or the user/subscriber computer 14'. Alternatively, the tunnels may time out if they are not utilized within a certain predetermined period of time.

With reference to FIG. 3, a flowchart diagram of a methodology of tunnel management in accordance with an embodiment of the present invention is illustrated. At block 50, the gateway device receives a network access request from a user/subscriber. The user/subscriber is then authorized for network access utilizing the MAC address to look up the user/subscriber's profile in the AAA module, as indicated by block 52. A packet is then received from the user/subscriber, as indicated by block 54. It is then determined at block 56 if the destination IP address of the packet is associated with an enterprise network which requires a tunnel for access. If the destination IP address does not require a tunnel for access, then the user/subscriber is provided with standard network access, as indicated by block 58. If the destination IP address does require a tunnel, then it is determined at block 60 if a tunnel has already been established. If a tunnel has been established, then the packet is encapsulated using the tunnel protocol appropriate for that enterprise network, and then the encapsulated packet is placed in the tunnel for delivery to the enterprise network, as indicated by block 62. If it is determined at block 60 that a tunnel has not yet been established, then it is determined at block 64 if additional subscriber data is necessary to log into the enterprise network for establishing a tunnel between the enterprise network and the gateway device. If additional subscriber data is necessary, then a pop-up control panel is displayed to the user/subscriber for requesting the needed additional data from the user/subscriber, as indicated by block 66. If no additional data is needed or it has already been obtained, then a tunnel is created with the enterprise network using the subscriber's network access identifier, user name and password so as to create a tunnel with the gateway device as one end point and the enterprise network as the other end point, as indicated by block 68. Upon receipt of a termination command or the lapse of a period of non-use (i.e., timeout), the tunnel is terminated, as indicated by block 70.
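The FIG. 3 flow (and the per-packet tunnel decision stated in the Summary), as an added simulation that is not code from the application or from Nomadix: profile lookup by MAC address, the destination-prefix test, reuse of an established tunnel, the pop-up for missing log-on data, and termination by command or timeout. The profile layout, the 300-second idle timeout, the addresses and the packets are constructed for the example, and encapsulation is represented by tagging the payload with the tunnel's protocol name.

```python
import ipaddress
from dataclasses import dataclass, field

IDLE_TIMEOUT = 300.0     # assumed idle period (seconds) before a tunnel is torn down (block 70)
REQUIRED_LOGON = ("nai", "username", "password")   # enterprise log-on data kept in the profile


@dataclass
class Tunnel:
    network: str                 # enterprise prefix this tunnel serves
    protocol: str                # tunneling protocol from the profile (L2TP, PPTP or PPPoE)
    last_used: float
    delivered: list = field(default_factory=list)   # encapsulated packets placed in the tunnel


class Gateway:
    """Per-packet tunnel decision and tunnel lifecycle of FIG. 3."""

    def __init__(self, profiles):
        # AAA module: MAC address -> profile. A profile maps each enterprise prefix
        # that is reachable only through a tunnel to its protocol and log-on data.
        self.aaa = profiles
        self.tunnels = {}        # (mac, network) -> Tunnel

    def handle_packet(self, mac, dst_ip, payload, now):
        """Blocks 52-68 for one subscriber packet. Returns a (status, detail) pair."""
        profile = self.aaa.get(mac)                # block 52: profile lookup by MAC address
        if profile is None:
            return ("denied", None)
        dst = ipaddress.ip_address(dst_ip)
        for network, creds in profile.items():     # block 56: does the destination need a tunnel?
            if dst in ipaddress.ip_network(network):
                return self._via_tunnel(mac, network, creds, payload, now)
        return ("standard", payload)               # block 58: ordinary network access

    def _via_tunnel(self, mac, network, creds, payload, now):
        key = (mac, network)
        tunnel = self.tunnels.get(key)             # block 60: tunnel already established?
        if tunnel is None:
            missing = [f for f in REQUIRED_LOGON if not creds.get(f)]
            if missing:                            # blocks 64/66: ask the subscriber for the rest
                return ("need_data", missing)
            tunnel = Tunnel(network, creds["protocol"], now)   # block 68: create the tunnel
            self.tunnels[key] = tunnel
        tunnel.last_used = now
        frame = (tunnel.protocol, payload)         # block 62: encapsulate and place in tunnel
        tunnel.delivered.append(frame)
        return ("tunneled", frame)

    def expire(self, now):
        """Block 70, timeout case: tear down idle tunnels; returns how many were removed."""
        stale = [k for k, t in self.tunnels.items() if now - t.last_used > IDLE_TIMEOUT]
        for k in stale:
            del self.tunnels[k]
        return len(stale)

    def terminate(self, mac, network):
        """Block 70, express termination by the enterprise network or the subscriber."""
        return self.tunnels.pop((mac, network), None) is not None

    def active_tunnels(self, mac):
        return sorted(n for (m, n) in self.tunnels if m == mac)


def sample_profiles():
    """Constructed profile for one subscriber: one enterprise with complete log-on
    data and one where the password was withheld at account setup."""
    return {"00:11:22:33:44:55": {
        "10.0.0.0/8": {"protocol": "L2TP", "nai": "alice@corp.example",
                       "username": "alice", "password": "example-only"},
        "172.16.0.0/12": {"protocol": "PPTP", "nai": "alice@partner.example",
                          "username": "alice", "password": ""},
    }}


if __name__ == "__main__":
    gw = Gateway(sample_profiles())
    mac = "00:11:22:33:44:55"
    print(gw.handle_packet(mac, "192.0.2.10", b"web", 0.0))    # standard access
    print(gw.handle_packet(mac, "10.1.2.3", b"sql", 1.0))      # new L2TP tunnel
    print(gw.handle_packet(mac, "172.16.5.5", b"file", 2.0))   # pop-up for the password
```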

With reference to FIG. 4, a suitable configuration for an L2TP component for implementation by the gateway device 12 is illustrated. FIG. 5 illustrates a suitable configuration for a PPTP client component for implementation in the gateway device. Lastly, FIG. 6 illustrates a suitable configuration for a PPPoE component for implementation by the gateway device.

Many modifications and other embodiments of the invention will come to mind to one skilled in the art to which this invention pertains having the benefit of the teachings presented in the foregoing descriptions and the associated drawings. Therefore, it is to be understood that the invention is not to be limited to the specific embodiments disclosed and that modifications and other embodiments are inten