Method for transferring data, e.g. e-mails, from a computer protected by a firewall to an external device, e.g. a mobile terminal.
FIELD OF THE INVENTION
The present invention relates to a method of providing secure access from mobile devices to corporate data, such as e-mails, residing behind a firewall.
BACKGROUND OF THE INVENTION
Mobile access to data, e.g. e-mails, is of high importance for people who spend much of their time away from their office. Staying connected while travelling has been very difficult for companies unless they invest a significant amount of money in wireless gateway products in order to obtain mobile access to firewall-protected servers.
At present, most existing mobile data solutions require considerable investments in servers and network infrastructure, a cost that most companies consider too high. Alternatively, they present the user with significant technical problems that require high technical expertise to overcome.
Mobile operators have worked closely together with IT integrators to sell and distribute mobile office solutions to large corporations. Solutions directed towards small and medium sized enterprises have, however, been overlooked, since essentially no products have been offered for their needs.
Thus, there is a need for mobile business solutions for small and medium sized enterprises. In order for such solutions to be attractive for small and medium sized enterprises, no additional IT investments and no additional server installation should be required. The solution should be provided directly to the end-user and should enable a fast and hassle-free set-up/configuration of individual wireless access from basically any kind of mobile handset, such as a mobile phone.
It is an object of the present invention to provide a low cost method that provides secure access from mobile devices to corporate data, such as e-mails, residing behind a firewall.
It is a further object of the present invention that the above-mentioned method is easy to set-up and configure from e.g. a website.
SUMMARY OF THE INVENTION
The above-mentioned objects are met by providing, in a first aspect, a method of transferring data from a firewall-protected computer to an external device, the firewall-protected computer being adapted to run a client application, the method comprising the steps of:
- providing, upon request from the external device to an external computer running a server application, data from the firewall-protected computer to the external computer via a secured connection through the firewall protecting the firewall-protected computer,
- temporarily storing the provided data on the external computer,
- delivering, from the external computer, the temporarily stored data to the external device via an external network, and
- deleting the temporarily stored data from the external computer, so that no data provided from the firewall-protected computer to the external computer remains stored on the external computer after the data has been successfully delivered to the external device.
The method according to the first aspect ensures:
1. mobile access to corporate data residing behind a firewall,
2. easy set-up and configuration from a website,
3. that no server installation is required,
4. automatic configuration of handsets using e.g. over-the-air (OTA) provisioning,
5. support for all WAP or POP3 e-mail enabled mobile phones and PDAs,
6. maximum security by avoiding personal e-mail storage outside of the corporate firewall, and
7. advanced profiling of e-mail clients for increased performance.
Preferably, the secured connection through the firewall is established as a result of an automatically generated HTTP-request by a client application through the firewall from the firewall-protected computer to the external computer. In a preferred embodiment, the secured connection through the firewall is established through port 80 of the firewall.
Data may be provided from the firewall-protected computer to the external computer in response to a command being received by the firewall- protected computer from the server application running on the external computer, the command being a result of the request from the external device to the external computer.
Preferably, the data provided from the firewall-protected computer to the external computer is encrypted, for example by using SSL.
The secured connection through the firewall is established via a network, such as the Internet. The firewall-protected computer may be a server or a personal computer.
The external network may comprise a wireless network, such as a GSM network.
In one embodiment, the external device is capable of running a client application so that data, such as e-mails, delivered from the external computer to the external device may be delivered through a service based on the POP3 protocol, and wherein e-mails delivered from the external device to the external computer are delivered through a service based on the SMTP protocol.
The external device may comprise a mobile device selected from the group consisting of: mobile phones, laptops, handheld devices, such as PDAs, or any combination thereof.
In a second embodiment the external computer is adapted to run a server application for supporting a client application running on the external device. In this second embodiment, the external device is capable of running a browser. The external device may be selected from the group consisting of: mobile phones, computers, such as laptops, handheld devices, such as PDAs, or any combination thereof.
In a third embodiment, the external network comprises a wired network, such as the Internet. In this third embodiment, the external device is capable of running a client application. Data delivered from the external computer to the external device may be delivered through a service based on the POP3 protocol, and e-mails delivered from the external device to the external computer are delivered through a service based on the SMTP protocol. The external device may comprise a computer selected from the group consisting of: personal computers, laptops, handheld devices, such as PDAs, or any combination thereof.
Preferably, the data delivered to the external device in any of the above-mentioned embodiments comprises emails.
In a second aspect, the present invention relates to a method of distributing a mobile Internet service to an external device associated with a user, the method comprising the steps of:
- signing up the external device, and providing the user of the external device with a userid and a password for the Internet service through a website, the userid and the password being provided by an external computer,
- installing a client application on a firewall-protected computer associated with the user, and registering the installation so that the client application automatically connects to the Internet service, and
- delivering over the air, and to the external device, a configuration of the external device so that it, upon request from the external device, connects to the Internet service.
Preferably, the external device comprises a mobile device selected from the group consisting of: mobile phones, laptops, handheld devices, such as PDAs, or any combination thereof.
The userid may comprise the mobile telephone number of a mobile phone. Preferably, the step of installing the client application on the firewall-protected computer is performed using a secured connection through the firewall between the firewall-protected computer and the external computer.
BRIEF DESCRIPTION OF THE INVENTION
The present invention will now be explained in further details with reference to the accompanying figures, where
figure 1 shows an overview of the overall system,
figure 2 illustrates the architecture of the system, and
figure 3 illustrates the data transmission security.
While the invention is susceptible to various modifications and alternative forms, specific embodiments have been shown by way of example in the drawings and will be described in detail herein. It should be understood, however, that the invention is not intended to be limited to the particular forms disclosed. Rather, the invention is to cover all modifications, equivalents, and alternatives falling within the spirit and scope of the invention as defined by the appended claims.
DETAILED DESCRIPTION OF THE INVENTION
The present invention provides a mobile Internet business solution that provides secure access from mobile devices to corporate data residing behind a firewall. Such corporate data may be e-mails. The solution according to the present invention requires no server installation and supports all standard POP3 e-mail clients and WAP clients on mobile devices. This is made possible through the unique technology of the present invention, which combines an e-mail service provided from a server on the Internet with a secure delivery method through a client application installed on a PC behind the firewall.
The overall solution according to the present invention is shown in figure 1, where
1. The Mobile Business Connector (MBC) Desktop Client installed on the firewall protected PC establishes a secure connection to the MBC Server through the Internet.
2. The MBC Server retrieves e-mails from the firewall protected PC. E-mails are then delivered to the mobile device through a POP3 e-mail service.
3. The mobile device connects to the MBC Server using a POP3 e-mail client and receives e-mails from the firewall protected PC running the MBC Desktop Client.
The architecture of the technical solution is illustrated in figure 2. In the following sections, reference will be made to boxes A, B and C of figure 2.
In A - MBC Desktop Client - the MBC Desktop Client is typically a Windows application that is installed on the PC behind the firewall. The application connects to Microsoft Outlook through MAPI (the Messaging Application Programming Interface) and accesses e-mails from Outlook.
The MBC Desktop Client establishes a secure connection between the firewall protected PC and the MBC Server by sending HTTP-requests through the firewall to the MBC Server. (HTTP is a protocol used for sending and receiving data over the Internet, e.g. HTML-pages that are viewed through a web-browser are sent over the Internet using HTTP.) Commands to be executed by the MBC Desktop Client (e.g. to deliver e-mails from the Outlook inbox to the MBC Server) are collected from the MBC Server and executed on the PC.
In B - MBC Server - the MBC Server is running a number of services, which allows it to deliver e-mails from the firewall protected PC to an external device, such as a mobile device, such as a mobile phone. The MBC Server is running POP3 and SMTP services for receiving and sending e-mails from e-mail clients on external devices. The mobile device sees the MBC Server as an ordinary e-mail server and connects to the POP3 service and the SMTP service using a standard e-mail client application.
The server works as a virtual mail server between the MBC Desktop Client and the external device. When an external device contacts the server to retrieve e-mails using the POP3 protocol, the server posts a command for the MBC Desktop Client to deliver all unread e-mail messages from the Outlook inbox on the PC. With the next HTTP request sent from the MBC Desktop Client the command is collected from the server and executed on the PC.
When sending e-mails from an external device using the SMTP protocol, the server will post the entire message to be collected by the MBC Desktop Client running on the firewall protected PC. The message is subsequently placed in the Outlook outbox on the PC and sent as any other ordinary e-mail.
No e-mails are stored on the MBC Server. With every request from an external device, e-mails are retrieved from the firewall protected PC, delivered to the external device and subsequently deleted from the MBC Server.
In C - External device - any external device containing an e-mail client application can connect to the MBC Server and retrieve e-mails from a firewall protected PC with MBC Desktop Client installed. External devices without e-mail clients can connect to the MBC Server using a WAP application, which is provided as part of the MBC solution.
Three main challenges in providing mobile access to e-mail residing behind a corporate firewall are:
(1) Secure gateway: Establish access to protected data through the corporate firewall,
(2) No data storage: Avoid storage of protected data outside the corporate firewall,
(3) Standard e-mail clients: Allow access from mobile devices using standard clients.
The MBC solution solves all the three issues through the unique technology in the MBC Desktop Client and the MBC Server.
Regarding (1) - the secure gateway - the MBC Desktop Client establishes a secure connection between the firewall protected PC and the MBC Server. General firewall configurations place restrictions on all incoming traffic. Direct access from a mobile device to the corporate mailbox is therefore not possible. In order to establish connection between the PC with MBC Desktop Client installed and the MBC Server outside the firewall the communication is based on outgoing traffic.
The MBC Desktop Client communicates with the MBC Server by sending outgoing HTTP requests through port 80 of the corporate firewall. Since the same protocol and port number are used for browsing the Internet, general firewall configurations allow the MBC Desktop Client to connect to the MBC Server. In an environment that only permits web traffic through an authenticating proxy, the client has to use that proxy in the same way a browser does.
The MBC Desktop Client uses the outgoing HTTP requests to listen for commands that trigger actions to be performed on the PC. When an MBC user connects to the service from a mobile device in order to read e-mails, the MBC Server places a new command for the MBC Desktop Client. With the following request received from the MBC Desktop Client, the command triggers delivery of unread e-mail messages from the Outlook inbox on the PC.
Regarding (2) - no data storage - the MBC Server acts as a virtual mail server between the PC with the MBC Desktop Client installed and the e-mail client on an external device. But unlike an ordinary POP3 mail server, the MBC Server does not store any e-mails.
When the MBC Server receives a request from an e-mail client, the request is processed by the MBC Server and passed on to the MBC Desktop Client running on the PC of the user. While the e-mail client on the external device holds an open session, unread e-mails are delivered from the Outlook inbox to the MBC Server and onwards from the POP3 service of the MBC Server to the external device. After delivery to the mobile device all e-mails are deleted from the MBC Server.
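The following is an added, in-process model of the relay described above under (1) and (2) and in the description of boxes A and B; it is not code from the patent or from the MBC product. The class names MBCServer and DesktopClient, the command names deliver_unread and send, the per-user client key, and the client's record of already-delivered message ids are assumptions. HTTP, POP3 and SMTP are replaced by direct method calls so that the exchange runs offline, and the sample mailbox is constructed. The points it makes concrete are that the server only ever answers the PC's polls, that mail is accepted only into an open POP3 session, and that whatever the device did not fetch is purged when the session ends rather than kept.

```python
from collections import deque
from dataclasses import dataclass
import secrets


@dataclass
class Mail:
    uid: str            # stable message identifier
    raw: bytes          # full message text as the POP3 client will RETR it
    unread: bool = True


class MBCServer:
    """Virtual mail server: never connects to the PC, holds mail only per open session."""

    def __init__(self):
        self.client_keys = {}   # user -> key issued to that user's desktop client
        self.passwords = {}     # user -> POP3/SMTP password (plain here; hash it in real code)
        self.commands = {}      # user -> deque of commands awaiting the client's next poll
        self.sessions = {}      # user -> {uid: Mail} for the currently open POP3 session

    def _check(self, table, user, secret):
        if not secrets.compare_digest(table.get(user, ""), secret):
            raise PermissionError("authentication failed for %s" % user)

    # HTTP side: every call here is the result of an outbound request from the PC
    def poll(self, user, key):
        """Hand the desktop client at most one queued command; None means idle."""
        self._check(self.client_keys, user, key)
        queue = self.commands.get(user)
        return queue.popleft() if queue else None

    def deliver(self, user, key, mails):
        """Accept unread mail from the PC, but only into an open session."""
        self._check(self.client_keys, user, key)
        if user not in self.sessions:
            return 0                     # no device waiting: discard, do not store
        for m in mails:
            self.sessions[user][m.uid] = m
        return len(mails)

    # POP3 side: the device sees an ordinary mail server
    def pop3_login(self, user, password):
        self._check(self.passwords, user, password)
        self.sessions[user] = {}
        self.commands.setdefault(user, deque()).append({"cmd": "deliver_unread"})

    def pop3_list(self, user):
        return sorted(self.sessions[user])

    def pop3_retr(self, user, uid):
        return self.sessions[user][uid].raw

    def pop3_dele(self, user, uid):
        del self.sessions[user][uid]

    def pop3_quit(self, user):
        """Session end: anything the device did not fetch is purged, not kept."""
        self.sessions.pop(user, None)

    # SMTP side: outgoing mail becomes a command for the PC
    def smtp_submit(self, user, password, raw):
        self._check(self.passwords, user, password)
        self.commands.setdefault(user, deque()).append({"cmd": "send", "raw": raw})


class DesktopClient:
    """Runs behind the firewall and only ever calls out to the server."""

    def __init__(self, user, key, server, inbox):
        self.user, self.key, self.server = user, key, server
        self.inbox = inbox        # stands in for the Outlook inbox reached via MAPI
        self.outbox = []          # stands in for the Outlook outbox
        self.delivered = set()    # uids already handed over (assumed bookkeeping)

    def poll_once(self):
        """One HTTP poll: fetch a command, execute it locally, report what ran."""
        cmd = self.server.poll(self.user, self.key)
        if cmd is None:
            return None
        if cmd["cmd"] == "deliver_unread":
            batch = [m for m in self.inbox if m.unread and m.uid not in self.delivered]
            if self.server.deliver(self.user, self.key, batch):
                self.delivered.update(m.uid for m in batch)
        elif cmd["cmd"] == "send":
            self.outbox.append(cmd["raw"])
        else:
            raise ValueError("unknown command %r" % cmd["cmd"])
        return cmd["cmd"]


def run_scenario():
    """Constructed end-to-end walk-through; returns the observable results."""
    user, key, pw = "4512345678", secrets.token_hex(16), "device-password"
    server = MBCServer()
    server.client_keys[user], server.passwords[user] = key, pw
    inbox = [Mail("m1", b"Subject: one\r\n\r\nfirst"),
             Mail("m2", b"Subject: two\r\n\r\nalready read", unread=False),
             Mail("m3", b"Subject: three\r\n\r\nthird")]
    pc = DesktopClient(user, key, server, inbox)
    idle = pc.poll_once()                  # nothing queued yet -> None
    server.pop3_login(user, pw)            # device connects: command is queued
    ran = pc.poll_once()                   # PC collects it and delivers m1, m3
    listed = server.pop3_list(user)
    body = server.pop3_retr(user, "m1")
    server.pop3_dele(user, "m1")
    server.pop3_quit(user)                 # m3 was never fetched: purged anyway
    server.smtp_submit(user, pw, b"To: x@example.org\r\n\r\nreply")
    sent = pc.poll_once()                  # PC places the reply in its outbox
    return {"idle": idle, "ran": ran, "listed": listed, "body": body,
            "left_on_server": server.sessions.get(user), "sent": sent,
            "outbox": len(pc.outbox)}


if __name__ == "__main__":
    print(run_scenario())
```

Because the PC executes whatever it collects, the poll and deliver calls are authenticated with the client key on every request; in the real system that check sits behind the SSL connection, which is what keeps the command channel from being redirected.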
Regarding (3) - standard e-mail clients - from the point of view of the external device the MBC Server is acting as an ordinary mail server supporting the POP3 and SMTP protocols. Since POP3 and SMTP are the most basic standards for receiving and sending e-mails, the solution supports all standard e-mail clients.
In order to allow mobile phones without embedded e-mail clients to use MBC, the solution also implements a WAP e-mail client, which can be used on all WAP enabled devices.
The MBC solution is designed to allow access to firewall protected e-mails from mobile phones. But the general support for standard e-mail clients means that the solution also supports mobile access to firewall protected e-mails from other external devices like PDAs or laptops.
Referring now to figure 3, all communication between the MBC Desktop Client and the MBC Server is encrypted using the Secure Sockets Layer standard (SSL). For communication between the MBC Server and mobile clients the solution implements the best possible security by supporting SSL data encryption. Support for SSL encryption is not implemented equally in all handsets. Since the MBC service supports standard e-mail clients on mobile devices, end-to-end security depends on the type of client application used for receiving and sending e-mail from the external device.
E-mail clients used from external devices implement two levels of security:
[A] SSL encryption not supported:
The e-mail client does not support encryption of data communication between the client and the mail server. E-mails are received and sent unencrypted. In some cases userid and password used for login on the mail server can be encrypted.
[B] SSL encryption supported:
The e-mail client supports encryption of data communication between the client and the mail server. E-mails are received and sent encrypted if the mail server has implemented support for SSL encryption and the client is configured to use SSL.
The MBC service can be used in most IT environments, since the MBC Desktop Client uses a standard HTTPS connection for communication between the desktop PC and the MBC Server.
The MBC Desktop Client maintains an outbound-initiated connection through port 80 using standard HTTPS. The MBC Desktop Client does not require any change in the configuration of the existing network or firewall, because the same kind of connection is used for browsing the world wide web. Because only the outbound connection is required, no inbound port has to be opened in the firewall, and the user can install the MBC Desktop Client and use the service without violating corporate IT security policy. The connection is nevertheless a command channel on which the PC executes what it collects from the MBC Server, so its integrity rests on the client authenticating the MBC Server (its SSL certificate) and on the server authenticating the client (the key generated at installation), not on the firewall.
The desktop PC must remain on and the e-mail client open in order to exchange incoming messages between the MBC Desktop Client and Server while the user is away from the office.
The registration of a new user starts at the MBC Web Service. The user is requested to enter a mobile phone number (which will be used as username) and choose a password. The system automatically generates a 4-digit activation code, which is sent to the user's mobile phone via SMS. The activation code is only used for the first-time login; subsequent logins are based on the username and password entered by the user. Since a 4-digit code has only 10,000 possible values, it should be single-use, short-lived and limited in the number of attempts accepted.
After authentication of the user the MBC Desktop Client can be downloaded and installed on the PC.
When installing the MBC Desktop Client the user is prompted for a valid username and password. The MBC Desktop Client establishes a secure connection to the MBC Server using Secure Sockets Layer (SSL). After authentication of the user a unique key containing username and password is generated, and a copy is stored in an encrypted hidden file on the PC. Hiding the file is not a protection in itself; what protects the key is the encryption, whose own key must not be recoverable from the same file.
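The sign-up, SMS activation and client-key issuance steps described in the second aspect and in the two paragraphs above, as an added server-side example; this is not the patent's or the MBC product's code. The class name MBCRegistry, the code lifetime CODE_TTL_SECONDS, the attempt limit MAX_CODE_ATTEMPTS, the PBKDF2 password hashing, the minimum password length and the injected send_sms and clock callables are all assumptions. The example covers the three checks a 4-digit code needs (single use, expiry, attempt limit); how the issued key is encrypted on the PC is outside the example, since the Python standard library has no authenticated cipher for that step.

```python
import hashlib
import hmac
import os
import secrets
import time

CODE_TTL_SECONDS = 10 * 60   # assumption: lifetime of an SMS activation code
MAX_CODE_ATTEMPTS = 5        # assumption: wrong guesses tolerated before the code is voided


def hash_password(password, salt=None):
    """PBKDF2-SHA256 password hash; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class MBCRegistry:
    """Server side of sign-up, first-time activation and client-key issuance."""

    def __init__(self, send_sms, clock=time.time):
        self.send_sms = send_sms   # callable(phone, text); a real system uses an SMS gateway
        self.clock = clock         # injectable so expiry can be tested without sleeping
        self.users = {}            # phone -> {"salt", "hash", "activated", "client_key"}
        self.pending = {}          # phone -> {"code", "expires", "attempts"}

    def sign_up(self, phone, password):
        """The mobile number is the username; a 4-digit one-time code goes out by SMS."""
        if not (phone.isdigit() and 8 <= len(phone) <= 15):
            raise ValueError("username must be a mobile telephone number")
        if len(password) < 8:
            raise ValueError("password too short")
        salt, digest = hash_password(password)
        self.users[phone] = {"salt": salt, "hash": digest,
                             "activated": False, "client_key": None}
        code = "%04d" % secrets.randbelow(10_000)
        self.pending[phone] = {"code": code, "attempts": 0,
                               "expires": self.clock() + CODE_TTL_SECONDS}
        self.send_sms(phone, "MBC activation code: " + code)

    def activate(self, phone, code):
        """First-time login. Single-use, time-limited and attempt-limited, because
        a 4-digit space is exhausted in 10,000 guesses otherwise."""
        p = self.pending.get(phone)
        if p is None:
            return False
        if self.clock() > p["expires"]:
            del self.pending[phone]
            return False
        p["attempts"] += 1
        if p["attempts"] > MAX_CODE_ATTEMPTS:
            del self.pending[phone]
            return False
        if not hmac.compare_digest(p["code"].encode(), str(code).encode()):
            return False
        del self.pending[phone]                 # the code cannot be replayed
        self.users[phone]["activated"] = True
        return True

    def login(self, phone, password):
        """Subsequent logins use username and password only."""
        u = self.users.get(phone)
        if u is None or not u["activated"]:
            return False
        _, digest = hash_password(password, u["salt"])
        return hmac.compare_digest(digest, u["hash"])

    def issue_client_key(self, phone, password):
        """Called by the desktop-client installer over SSL after the user logs in."""
        if not self.login(phone, password):
            raise PermissionError("login failed")
        key = secrets.token_hex(32)             # a reinstall replaces the earlier key
        self.users[phone]["client_key"] = key
        return key


if __name__ == "__main__":
    sent = []
    reg = MBCRegistry(send_sms=lambda phone, text: sent.append(text))
    reg.sign_up("4512345678", "correct horse battery")
    code = sent[-1].split()[-1]                 # constructed: read the code back from the SMS
    print("activated:", reg.activate("4512345678", code))
    print("replay rejected:", not reg.activate("4512345678", code))
    print("client key:", reg.issue_client_key("4512345678", "correct horse battery"))
```

The returned key is what the desktop client later presents on every HTTP request; the server keeps only this key and the password hash, never the password.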