Abstract: A request is received from a device within a network for a resource on server outside of the network. The resource is subject to a policy of the network. An informational webpage is served to the device; the webpage includes an interface element. An indication of a selection of the interface element is received the resource is served to the device from a proxy server configured to apply the policy to the resource.

Abstract: Information corresponding to a set of signatures is maintained, and for each signature in the set, an associated group policy of a network is maintained. A message from a device on the network is intercepted, and the message includes a header. At least a portion of the header matches a signature in the set of signatures. Responsive to determining that the portion of the header matches the signature, the matched signature's associated group policy of the network is applied to the device on the network.

Abstract: A first request is received from a device over a network. It is determined that the first request should be redirected, based at least in part on information included in the first request. A redirect message is sent to the device over the network. A second request is received that includes the address and the port number. Responsive to determining that the port number is on the predetermined list of port numbers, modifying the second request by removing the port number. The modified second request is sent to the address.

Abstract: This specification generally relates to using redirect messages to implement content scanning. One example method includes receiving from a client a first request for a network resource, the first request including an original location of the network resource; determining that a response to the first request is to be analyzed; sending a redirect response to the client including a modified location for the network resource different than the original location; receiving a second request for the network resource from the client, the second request including the modified location; in response to receiving the second request for the network resource from the client: retrieving the network resource from the original location; determining that the retrieved network resource is suitable to send to the client; and in response to determining that the retrieved network resource is suitable, sending the retrieved network resource to the client.

Abstract: Methods and systems for performing device authentication using proxy automatic configuration script requests are described. One example method includes generating a unique key for a client device; configuring the client device to send a request for a proxy automatic configuration (PAC) script upon accessing a network, the request including the unique key; receiving, over a network, a request for the PAC script including a request key; and authenticating the client device on the network if the request key matches the client device's unique key.

Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for overriding a soft website block. One of the methods includes receiving, from a user device, a request to access a resource, determining, using a first policy group for the user device, that the user device should be prevented from accessing the resource, providing, to the user device and based on determining that the user device should be prevented from accessing the resource, instructions for the presentation of a user interface including a user credentials field, receiving user credentials from the user device, determining that the user credentials are the same as credentials used to log onto the user device, and allowing the user device access to the resource.

Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for location based network usage policies. One of the methods includes storing information defining a plurality of network policy groups, receiving first information indicating that a client device is connected to the network at a first physical location, and identifying a first user role associated with the client device, identifying, from among the plurality of network policy groups, a first network policy group having both (i) an associated first policy location that corresponds to the client device's first physical location, and (ii) an associated policy role that corresponds to the client device's first user role, and regulating the client device's access to resources available on the network based on the one or more network usage policies associated with the identified first network policy group.

Abstract: An agent on a device within a network receives a request to access a resource outside the network. A first encrypted connection is established between the device and the agent, and a second encrypted connection is established between the agent and the resource, to facilitate encrypted communication traffic between the device and the resource. The agent sends a policy request to a network appliance within the network, the request specifying the resource. The agent receives a policy response indicating that the resource is associated with one or more security policies of the network. Traffic passing between the device and the resource is selectively decrypted and inspected depending on the security policies.

Abstract: A HTTP request addressed to a first resource on a second device outside the network is received from a first device within the network. The HTTP request is redirected to a third device within the network. A first encrypted connection is established between the first device and the third device, and a second encrypted connection between the third device and the second device. The third device retrieves the first resource from the second device. The first resource is modified to change pointers within the first resource to point to location in a domain associated with the third device within the network. The third device serves, to the first device, the second resource.

Abstract: Methods and systems for managing encrypted network traffic using spoofed addresses. One example method includes sending a domain name resolution query including a domain name; receiving a domain name resolution response including a network address; determining a current network location of the computing device based on the received domain name resolution response; and applying to the computing device either an internal network configuration or an external network configuration depending on the determined current network location of the computing device.

Abstract: Associations are maintained among a plurality of subnets, policies, and client types. Each subnet has an associated client type and policy. For a particular client device, (i) a client type of the particular client device, and (ii) a client type associated with the subnet on which the particular client device is hosted is determined. For the particular client device, (i) the determined client type of the particular client device with (ii) the determined client type associated with the subnet on which the particular client device is hosted is compared. Responsive to a determination that the client type of the particular client device matches the client type associated with the subnet that hosts the particular client device, a policy is applied to the particular client device.

Abstract: An application that is capable of monitoring Internet or network traffic and performing recordings of computer video output based on one or more violations of network activity policies. The recording application can be installed on the computer to be recorded or another computer or server that is connected through the network to the computer to be recorded. The monitoring application contains a configuration interface that allows a user to set thresholds for certain types of network policy violations. When the one or more violations are detected, the recording application will begin recording video of the computer's video activity. The application can be configured to include settings such as the length of the recording. In a typical environment, the application is a hardware appliance that is capable of monitoring web activity and network traffic and can connect to the computer over the network in order to perform the recording.

Abstract: Methods and systems for providing device-specific authentication are described. One example method includes receiving, by an input port of a network adapter within the computer system, a stream of network traffic; dividing, by load balancing logic within the network adapter, the received stream of network traffic into a plurality of substreams; and presenting the plurality of substreams to respective interfaces of the network adapter, each network adapter interface being accessible by an operating system executing on the computer system.

Abstract: Data including a set of one or more resources and one or more associated IP addresses is updated based on monitored DNS responses. A request is received from a client device for a resource identified by an IP address. The IP address is matched to one of the IP addresses in the set of one or more IP addresses. A particular resource associated with the matched IP address is identified. A particular network policy that applies is identified. The identified particular network policy is applied to the received request.

Abstract: A gateway within a network intercepts a request by a client within the network for content associated with a server outside the network, the client having a direct connection with the server outside the network. The method further includes determining whether a copy of the requested content is available in a cache within the network. The method further includes, if the copy of the requested content is determined to be available in the cache within the network, transmitting a redirect response to the client to cause the cause to retrieve the copy of the requested client from the cache within the network. The method further includes if the copy of the requested content is determined not to be available in the cache within the network, permitting the intercepted content request by the client to be transmitted to the server outside the network to cause the requested content to be retrieved via the direct connection between the server outside the network and the client within the network.

Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for allocating a pool of shared Internet bandwidth. One of the methods includes providing a first communications channel having a first bandwidth, the first bandwidth being shared by a first group of first users, providing a second communications channel having a second bandwidth different than the first bandwidth, the second bandwidth being shared by a second group of second users, detecting that at least one first data connection for a particular first user in the first group has satisfied a first predetermined condition, and moving, based on the detecting, the at least one first data connection for the particular first user from the first communications channel to the second communications channel.

Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for location based network usage policies. One of the methods includes storing information defining a plurality of network policy groups, receiving first information indicating that a client device is connected to the network at a first physical location, and identifying a first user role associated with the client device, identifying, from among the plurality of network policy groups, a first network policy group having both (i) an associated first policy location that corresponds to the client device's first physical location, and (ii) an associated policy role that corresponds to the client device's first user role, and regulating the client device's access to resources available on the network based on the one or more network usage policies associated with the identified first network policy group.

Abstract: At a gateway within a network, a message containing content is received. The message conforms to a protocol that specifies a format of the content, the message having been sent from a server outside the network to a client within the network. The message is routed from the gateway to the client. The message is analyzed to determine whether the content is static. Depending on a result of the analyzing, the content is selectively caused to be stored in the format specified by the protocol in a cache within the network.

Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for automated mobile device management profile distribution. One of the methods includes receiving a first request for access to a first network resource from a client device, the first network resource corresponding to one of a plurality of restricted resources accessible only by devices enrolled with a mobile device management system, determining that the client device is not enrolled with the mobile device management system, preventing the client device access to the first network resource, providing to the client device a redirect to a mobile device management resource that is different from the first network resource, providing instructions for presentation of a user interface to the client device, and enrolling the client device with the mobile device management system, the enrolling comprising providing a copy of the mobile device management profile to the client device.

Abstract: First data that identifies forbidden resources hosted outside a network that client devices on the network are not permitted to access, and second data that associates, for each forbidden resource, a permitted resource that the client devices on the network are permitted to access is maintained. Each permitted resource offers comparable services as its associated forbidden resource. A request from a client device for a forbidden resource is intercepted. The request is redirected to a permitted resource associated with the requested forbidden resource.