Abstract: The present disclosure describes methods and systems for efficiently assigning, managing and querying virtual private network (VPN) addresses intranet IP (IIP) addresses of users, such as SSL VPN users on an enterprise network. The disclosure describes techniques and policies for assigning previously-assigned VPN addresses of a user to subsequent sessions of the user as the user logs in multiple times or roams between access points. The disclosure also describes a configurable user domain naming policy so that one can query the VPN address of a user by an easily referable host name identifying the user. The appliance and/or client agent provides techniques for applications to seamlessly and transparently communicate on the VPN using the VPN address of the user or client on the private network.

Abstract: The present disclosure is directed to a system for managing spillover via a plurality of cores of a multi-core device intermediary to a plurality of clients and one or more services. The system may include a device intermediary to a plurality of clients and one or more services. The system may include a spillover limit of a resource. The device may also include a plurality of packet engines operating on a corresponding core of a plurality of cores of the device. The system may include a pool manager allocating to each of the plurality of packet engines a number of resource uses from an exclusive quota pool and shared quota pool based on the spillover limit. The device may also include a virtual server of a packet engine of the plurality of packet engines. The virtual server manages client requests to one or more services.

Abstract: The present application is directed to systems and methods for providing failover connection mirroring between two or more multi-core devices intermediary between a client and a server. A first multi-core device may receive a hash key of a second multi-core device for mapping packets to cores of the second multi-core device. The first device may identify a core of the second device using (i) the hash key of the second device and (ii) tuple information corresponding to a connection between the client and the server via the first device. The first device may determine that the identified core is not a desired core for providing a failover connection. The first device may modify the tuple information so as to identify the desired core when used with the hash key of the second device. The first device may use the modified tuple information to establish the failover connection.

Abstract: The present invention is directed towards systems and methods for aggregating and providing statistics from cores of a multi-core system intermediary between one or more clients and servers. The system may maintain in shared memory a global device number for each core of the multi-core system. The system may provide a thread for each core of the multi-core system to gather data from the corresponding core. A first thread may generate aggregated statistics from a corresponding core by parsing the gathered data from the corresponding core. The first thread may transfer the generated statistics to a statistics log according to a schedule. The system may adaptively reschedule the transfer by monitoring the operation of each computing thread. Responsive to a request from a client, an agent of the client may obtain statistics from the statistics log.

Abstract: The present solution allows users, such as administrators to configure slow start parameters for new services. These slow start parameters specify a rate at which requests should be given to a newly added or up service. The users can also chose to automatically increase the load in multiples of the chosen rate by specifying an increment interval. The services are given the configured rate for the interval, and once the interval is reached, the next multiple of the rate of requests is given. The increase of rate of requests is done automatically until an existing service request rate is reached. At that point in time this functionality is disabled and the existing and new services are treated the same.

Abstract: The present application is directed towards ASDR table contract renewal. In some embodiments, a core may cache an ASDR table entry received from an owner core such that when the entry is needed again the core does not need to re-request the entry from the owner core. As storing a cached copy of the entry allows the non-owner core to use an ASDR table entry without requesting the entry from the owner core, the owner core may be unaware of an ASDR table entry's use by a non-owner core. To ensure the owner core keeps the ASDR table entry alive, which the non-owner core has cached, the non-owner core may perform contract renewal for each of its recently used cached entries. The contract renewal method may include sending a message to the owner core that indicates which cached ASDR table entries the non-owner core has recently used or accessed. Responsive to receiving the message the owner core may reset a timeout period associated with the ASDR table entry.

Abstract: The present invention is directed towards systems and methods for monitoring an access gateway. The systems and methods include monitors on appliances that generate and send requests to logon agents or login page services on access gateways. Based on the responses from the logon agents or login page services, the monitors determine whether the logon agents or login page services are available.

Abstract: A method for using a network appliance to efficiently buffer and encrypt data for transmission includes: receiving, by an appliance via a connection, two or more SSL records comprising encrypted messages; decrypting the two or more messages; buffering, by the appliance, the two or more decrypted messages; determining, by the appliance, that a transmittal condition has been satisfied; encrypting, by the appliance in response to the determination, the first decrypted message and a portion of the second decrypted message to produce a third SSL record; and transmitting, by the appliance via a second connection, the third record. Corresponding systems are also described.

Abstract: The present disclosure presents systems and methods for maintaining original source and destination IP addresses of a request while performing intermediary cache redirection. An intermediary receives a request from a client destined to a server identifying a client IP address as a source IP address and a server IP address as a destination IP address. The intermediary transmits the request to a cache server, the request maintaining original IP addresses and identifying a MAC address of the cache server as the destination MAC address. The intermediary receives the request from the cache server responsive to a cache miss, the received request maintaining the original source and destination IP addresses. The intermediary identifying that the third request is coming from the cache server via one or more data link layer properties of the third transport layer connection.

Abstract: The present invention provides methods and systems for performing load balancing via a plurality of virtual servers upon a failover using metrics from a backup virtual server. The methods and systems described herein provide systems and methods for an appliance detecting that a first virtual server of a plurality of virtual servers having one or more backup virtual servers load balanced by an appliance is not available, identifying at least a first backup virtual server of a one or more backup virtual servers of the first virtual server is available, maintaining a status of the first virtual server as available in response to the identification, obtaining one or more metrics from the first backup virtual server of a one or more backup virtual servers, and determining the load across the plurality of virtual servers using the metrics obtained from the first backup virtual server associated with the first virtual server.

Abstract: The present invention is directed towards systems and methods for using a distributed hash table to maintain the same configuration and resource persistency across a plurality of cores in a multi-core system. The distributed hash table includes a plurality of partitions, each partition being owned by a respective core of the multi-core system. A core may establish resources in the partition it owns. A core may request other cores to establish resources in the partitions they own and send resource information to the core. The core may locally cache the resource information.

Abstract: The present invention provides a system and a method for global server load balancing of a plurality of sites based on a number of Secure Socket Layer Virtual Private Network (SSL VPN) users. The SSL VPN users may access servers at each of the plurality of sites. A global server load balancing virtual server (GSLB) may receive a request to access a server. The GSLB virtual server may load balance a plurality of sites wherein each of the plurality of sites may further comprising a load balancing virtual server load balancing users accessing the server accessing servers via an SSL VPN session. GSLB may receive from a first load balancing virtual server at a first site, a first number of current SSL VPN users accessing servers from the first site via SSL VPN sessions. The GSLB may also receive from a second load balancing virtual server at a second site, a second number of current SSL VPN users of the users accessing servers from the second site via SSL VPN sessions.

Abstract: The present disclosure presents systems and methods for maintaining original source and destination IP addresses of a request while performing intermediary cache redirection. An intermediary receives a request from a client destined to a server identifying a client IP address as a source IP address and a server IP address as a destination IP address. The intermediary transmits the request to a cache server, the request maintaining original IP addresses and identifying a MAC address of the cache server as the destination MAC address. The intermediary receives the request from the cache server responsive to a cache miss, the received request maintaining the original source and destination IP addresses. The intermediary identifying that the third request is coming from the cache server via one or more data link layer properties of the third transport layer connection.

Abstract: Systems and methods for consolidating metrics and statistics used for load balancing by a plurality of cores of a multi-core intermediary are disclosed. A timer operating on each packet engine of each core in a multi-core system may expire. A consolidator may store, responsive to expiration of the timer, a set of counter values from each of the packet engines to a first storage location. The consolidator may send to each packet engine a message to update the set of counter values. The consolidator may, upon completion of updating the set of counter values by the packet engines, send a second message to the packet engines that includes a consolidated set of counter values determined based on the updated set of values from each packet engine. Each packet engine may establish settings and parameters for load balancing based on the consolidated set of counter values.

Abstract: The present solution is directed to providing, transparently and seamlessly to any client or server, layer 2 redirection of client requests to any services of a device deployed in parallel to an intermediary device An intermediary device deployed between the client and the server may intercept a client request and check if the request is to be processed by a service provided by one of the devices deployed in parallel with the intermediary device. The service may be any type and form of service or feature for processing, checking or modifying the request, including a firewall, a cache server, a encryption/decryption engine, a security device, an authentication device, an authorization device or any other type and form of service or device described herein. The intermediary device may select the machine to process the request and use layer 2 redirection to the machine.

Abstract: The present invention is directed towards systems and methods for using a distributed hash table to maintain the same configuration and resource persistency across a plurality of cores in a multi-core system. The distributed hash table includes a plurality of partitions, each partition being owned by a respective core of the multi-core system. A core may establish resources in the partition it owns. A core may request other cores to establish resources in the partitions they own and send resource information to the core. The core may locally cache the resource information.

Abstract: The present invention is directed towards a method for using a listening policy for a virtual server on an intermediary device. An intermediary device establishes for a first virtual server a first listening policy with an expression for evaluating packets received by the intermediary device to determine whether the packet may access the first virtual server. The intermediary device listens for packets at a first internet protocol (IP) address and a first port specified for the first virtual server. Then, the intermediary device evaluates the expression of the first listening policy to a first packet received at the first IP address and first port and determines whether to provide the first packet to the first virtual server based on a result of the evaluation.

Abstract: The present invention is directed towards systems and methods for dynamically redirecting on a client communications of the client with a server to bypass an intermediary that is determined to be unavailable for such communications. An acceleration program on the client establishes a transport layer connection between the client and server, and intercepts communications of the client to the server. The transport layer connection may be established via an intermediary, such as a gateway, proxy or appliance. If the client-side acceleration program determines the intermediary is not available for communicating by the client to the server, the acceleration program automatically establishes a second transport layer connection to the server in order to bypass the intermediary. The acceleration program then transmits the intercepted communications of the client via the second transport layer connection to the server.

Abstract: A method for compressing a stream of application layer network traffic communicated over a transport layer connection of a virtual private network connection between a client and a server using an appliance. The appliance intercepts one or more transport layer packets of a stream of application network traffic communicated via a transport layer connection of a virtual private network connection between a client and a server. The appliance accumulates data from a payload of the intercepted transport layer packets, determines data accumulated for transmission should be compressed based on one or more compression trigger, and compresses the accumulated data into a self-contained compression block for transmission.

Abstract: Methods for redirecting, on a client, a communication of the client to a server to upon determining the server is not useable to communicate to the client include the steps of: establishing, by an client agent on a client, a transport layer connection between the client and an intermediary appliance, the intermediary appliance providing access to one or more servers; receiving, by the client agent from the intermediary appliance, address information identifying at least one of the one or more servers available to communicate; determining, by the client agent, the transport layer connection is unusable to communicate; establishing, by the client agent, a second transport layer connection between the client and one of the identified available servers to bypass the appliance. Corresponding systems are also described.