Abstract: Systems and techniques are described for providing visibility into encrypted traffic without requiring access to the private key. Some embodiments can transparently intercept a secure connection handshake that establishes a secure connection between a client and a server, wherein during said transparently intercepting the secure connection handshake, the embodiments can (1) obtain connection information associated with the secure connection, and (2) obtain a session key that the client and server agree on during the secure connection handshake. The connection information and the session key can then be stored in a database, thereby providing visibility into encrypted traffic without requiring access to the private key.

Abstract: Transparent network devices intercept messages from non-transparent network devices that establish a connection. Transparent network devices modify these messages to establish an inner connection with each other. The transparent network devices mimic at least some of the outer connection messages to establish their inner connection. The mimicked messages and any optional reset messages are intercepted by the transparent network devices to prevent them from reaching the outer connections. Transparent network devices modify network traffic, using error detection data, fragmentation data, or timestamps, so that inner connection network traffic inadvertently received by outer connection devices is rejected or ignored by the outer connection network devices. Transparent network devices may use different sequence windows for inner and outer connection network traffic.

Abstract: A method and apparatus are provided for establishing a split-terminated client-server communication connection through a stateful firewall, with network transparency. In an environment in which a pair of network intermediaries is employed to optimize client-server communications, a first intermediary intercepts a client request for a new connection. The first intermediary probes the network for a counterpart near the server, and opens an optimized communication session with a second intermediary that responds affirmatively. Some or all client-server communications that transit the intermediaries' session are accelerated or otherwise optimized. The first intermediary's probe uses the client's source address, but a different port number, while the optimized intermediary session is opened using the client's source address and source port. Therefore, a network monitoring tool can monitor the end-to-end connection, and the stateful firewall will not reject the optimized session.

Abstract: Transparent network devices intercept messages from non-transparent network devices that establish a connection. Transparent network devices modify these messages to establish an inner connection with each other. The transparent network devices mimic at least some of the outer connection messages to establish their inner connection. The mimicked messages and any optional reset messages are intercepted by the transparent network devices to prevent them from reaching the outer connections. Transparent network devices modify network traffic, using error detection data, fragmentation data, or timestamps, so that inner connection network traffic inadvertently received by outer connection devices is rejected or ignored by the outer connection network devices. Transparent network devices may use different sequence windows for inner and outer connection network traffic.

Abstract: Transparent network devices intercept messages from non-transparent network devices that establish a connection. Transparent network devices modify these messages to establish an inner connection with each other. The transparent network devices mimic at least some of the outer connection messages to establish their inner connection. The mimicked messages and any optional reset messages are intercepted by the transparent network devices to prevent them from reaching the outer connections. Transparent network devices modify network traffic, using error detection data, fragmentation data, or timestamps, so that inner connection network traffic inadvertently received by outer connection devices is rejected or ignored by the outer connection network devices. Transparent network devices may use different sequence windows for inner and outer connection network traffic.

Abstract: A method and apparatus are provided for establishing a split-terminated client-server communication connection through a stateful firewall, with network transparency. In an environment in which a pair of network intermediaries is employed to optimize client-server communications, a first intermediary intercepts a client request for a new connection. The first intermediary probes the network for a counterpart near the server, and opens an optimized communication session with a second intermediary that responds affirmatively. Some or all client-server communications that transit the intermediaries' session are accelerated or otherwise optimized. The first intermediary's probe uses the client's source address, but a different port number, while the optimized intermediary session is opened using the client's source address and source port. Therefore, a network monitoring tool can monitor the end-to-end connection, and the stateful firewall will not reject the optimized session.

Abstract: A method and apparatus are provided for establishing a split-terminated client-server communication connection through a stateful firewall, with network transparency. In an environment in which a pair of network intermediaries is employed to optimize client-server communications, a first intermediary intercepts a client request for a new connection. The first intermediary probes the network for a counterpart near the server, and opens an optimized communication session with a second intermediary that responds affirmatively. Some or all client-server communications that transit the intermediaries' session are accelerated or otherwise optimized. The first intermediary's probe uses the client's source address, but a different port number, while the optimized intermediary session is opened using the client's source address and source port. Therefore, a network monitoring tool can monitor the end-to-end connection, and the stateful firewall will not reject the optimized session.

Abstract: A method and apparatus are provided for establishing a split-terminated client-server communication connection through a stateful firewall, with network transparency. In an environment in which a pair of network intermediaries is employed to optimize client-server communications, a first intermediary intercepts a client request for a new connection. The first intermediary probes the network for a counterpart near the server, and opens an optimized communication session with a second intermediary that responds affirmatively. Some or all client-server communications that transit the intermediaries' session are accelerated or otherwise optimized. The first intermediary's probe uses the client's source address, but a different port number, while the optimized intermediary session is opened using the client's source address and source port. Therefore, a network monitoring tool can monitor the end-to-end connection, and the stateful firewall will not reject the optimized session.