1. Field of the Invention
Embodiments of the present invention relate to configuration of remote devices using a secure protocol.
2. Related Art
When remote devices connect to a gateway, for example, when an IPSec VPN tunnel is established between a remote client and a corporate gateway, it is often necessary to apply some policy and configuration commands to the remote client. For example, the corporate gateway may require the remote client to authenticate users using an 802.1x authentication scheme; so long as the VPN tunnel is up, the 802.1x authentication scheme must be active for traffic through the tunnel.
In other situations, a remote device may connect back to a gateway for the first time and need to be brought up to the current configuration. For example, a large corporation may issue its remote employees preconfigured hardware for establishing a VPN back to the corporate site, e.g., for telecommuting purposes. This preconfigured hardware, when it first connects to the corporate site, will need to be reconfigured to match the current state required by the corporate network.
Other, similar circumstances exist that require multiple remote devices to be reconfigured, either permanently or temporarily, in order to enable or facilitate connection with a remote server. Further, once these devices are connected, it is often useful, and sometimes necessary, for the remote server to be able to monitor the status of all the connected devices. Status information can be as simple as a working/not-working flag or the version of the configuration currently being executed. It can also be more complicated, e.g., polling all network computers attached to a central point to determine available/used RAM in order to decide whether an additional program can be installed on existing hardware.
At present, several approaches are used to try to fill this need. First, each individual device can be manually configured, e.g., by logging into each device and uploading the necessary configuration commands. This is not a scalable solution, in that every additional device requires an additional investment of time to be configured.
Another approach is to use a specially configured computer, loaded with specialized software, which is provided with all of the necessary passwords and user names to log into and configure every device that connects to the remote server. While better than manual configuration, this approach still has several drawbacks. First, the specialized computer must establish a separate, secure connection to each device. Additionally, the necessary login parameters have to be provided to the remote server.
A third approach is to continually extend the protocol used for establishing a VPN tunnel, such that all of the configuration commands that are to be performed on the remote device can be transmitted from the remote server to the remote device during negotiation of the tunnel. Several problems exist with this solution as well. One problem is that every new feature implemented on the remote device requires a corresponding alteration to the protocol, and upgrades to both the remote server and the remote device.