Abstract: The present invention is directed towards a method for using a listening policy for a virtual server on an intermediary device. An intermediary device establishes for a first virtual server a first listening policy with an expression for evaluating packets received by the intermediary device to determine whether the packet may access the first virtual server. The intermediary device listens for packets at a first internet protocol (IP) address and a first port specified for the first virtual server. Then, the intermediary device evaluates the expression of the first listening policy to a first packet received at the first IP address and first port and determines whether to provide the first packet to the first virtual server based on a result of the evaluation.

Abstract: The present invention provides a system and a method for global server load balancing of a plurality of sites based on a number of Secure Socket Layer Virtual Private Network (SSL VPN) users. The SSL VPN users may access servers at each of the plurality of sites. A global server load balancing virtual server (GSLB) may receive a request to access a server. The GSLB virtual server may load balance a plurality of sites wherein each of the plurality of sites may further comprising a load balancing virtual server load balancing users accessing the server accessing servers via an SSL VPN session. GSLB may receive from a first load balancing virtual server at a first site, a first number of current SSL VPN users accessing servers from the first site via SSL VPN sessions. The GSLB may also receive from a second load balancing virtual server at a second site, a second number of current SSL VPN users of the users accessing servers from the second site via SSL VPN sessions.

Abstract: The present invention is directed towards systems and methods for providing static proximity load balancing via a multi-core intermediary device. An intermediary device providing global server load balancing identifies a size of a location database comprising static proximity information. The intermediary device stores the location database to an external storage of the intermediary device responsive to determining the size of the location database is greater than a predetermined threshold. A first packet processing engine on the device receives a domain name service request for a first location, determines that proximity information for the first location is not stored in a first memory cache, transmits a request to a second packet processing engine for proximity information of the first location, and transmits a request to the external storage for proximity information of the first location responsive to the second packet processing engine not having the proximity information.

Abstract: Systems and methods are disclosed for providing a hierarchy of appliances to access resources across branch offices. A method comprises: establishing, by a first aggregator appliance, connections with a first plurality of branch office appliances; establishing, by a second aggregator appliance, connections with a second plurality of branch office appliances, the first plurality not having information identifying the second plurality; receiving, by the first aggregator appliance, from a first branch office appliance a request from a client for access to a resource; identifying, by the first aggregator appliance via the second aggregator appliance, a second branch office appliance from the second plurality to service the request; transmitting, by the first aggregator appliance, to the first branch office appliance information identifying the second branch office appliance; and establishing, by the first branch office appliance, a connection with the second branch office appliance.

Abstract: Methods for using a client agent to route client requests among a plurality of appliances using transport layer information include the steps of: establishing, by a client agent executing on a client, a first transport layer connection with a first appliance of a plurality of appliances, the first appliance providing access to one or more servers; establishing, by a client agent executing on the client, a second transport layer connection with a second appliance of a plurality of appliances, the second appliance providing access to one or more servers; intercepting, by the client agent, a packet transmitted by the client; selecting, by the client agent, one of the connections to transmit the intercepted packet based on a characteristic of at least one of: the transport layer connections, the plurality of appliances, or the servers; and transmitting the intercepted packet via the selected connection.

Abstract: A method for an appliance to switch handling of transport layer connection requests from a first virtual server of the appliance managing a first plurality of services to a second virtual server of the appliance managing a second plurality of services upon exceeding, by the first virtual server, a maximum connection threshold determined dynamically from a status of the first plurality of services The appliance establishes a predetermined threshold identifying a maximum active transport layer connection capacity for the first virtual server that comprising a sum of a predetermined connection capacity for each of the plurality of services. The appliance determines via monitoring that the status of a service of the plurality of services indicates the service is not available and adjusts the predetermined threshold to comprise the sum of the predetermined connection capacity for each of the plurality of services having a status of available.

Abstract: The present application is directed towards systems and methods for adaptive application provisioning for cloud services. An appliance deployed in a network as a gateway may be able to transparently monitor application activity in a cloud computing environment provided by one or more servers, including servers executed by virtual machines, bare-metal or non-virtual servers, or other computing devices. In some embodiments, the appliance may monitor one or more network metrics, including bandwidth usage, latency, congestion, or other issues; and/or may monitor application health or server or virtual machine statistics, including memory and processor usage, bandwidth usage, latency, or other metrics. Responsive to one or more metrics exceeding a threshold, the appliance may automatically provision or start, or deprovision or shut down, one or more virtual or physical machines from a cloud service provider, and may provide configuration information to the provisioned or started machines as needed.

Abstract: The present invention provides maintains site persistence in a hierarchical Global Server Load Balancing (GSLB) deployment. Via configuration of GSLB services locally and remotely on each of the GSLB appliances and LB appliances at a site, a site appliance identifies and associates requests from the GSLB with the site. Furthermore, the site appliance may receive a GSLB cookie with the client request and confirms the request is from the expected GSLB in the site hierarchy. When the load balancers receives a response from a server, the appliance may include the GSLB cookie with the response back to the client. The appliance may also include an LB cookie to identify the server selected by the LB. When the client sends another request, the request may include the GSLB and LB cookie.

Abstract: A method for an appliance to switch handling of transport layer connection requests from a first virtual server of the appliance managing a first plurality of services to a second virtual server of the appliance managing a second plurality of services upon exceeding, by the first virtual server, a maximum connection threshold determined dynamically from a status of the first plurality of services.

Abstract: The present invention provides improvements to load balancing by providing a load balancing solution that distributes a load among a plurality of heterogenous devices, such as different types of local load balancers, using metrics collected from the different devices. The load balancing appliance collects metrics from heterogenous devices using a network management protocol and communication model, such as a Simple Network Management Protocol (SNMP). These heterogenous device metrics are available on the load balancing appliance with appliance determined metrics and metrics obtained by the appliance from homogenous devices using a metric exchange protocol. Via a configuration interface of the appliance, a user can select one or more of these different metrics for global load balancing. As such, the load balancing appliance described herein obtains a multitude of metrics from the different devices under management.

Abstract: A method for using a network appliance to efficiently buffer and encrypt data for transmission includes: receiving, by an appliance via a connection, two or more SSL records comprising encrypted messages; decrypting the two or more messages; buffering, by the appliance, the two or more decrypted messages; determining, by the appliance, that a transmittal condition has been satisfied; encrypting, by the appliance in response to the determination, the first decrypted message and a portion of the second decrypted message to produce a third SSL record; and transmitting, by the appliance via a second connection, the third record. Corresponding systems are also described.

Abstract: Described are methods and systems for managing the connections between a client, an intermediary appliance and a server, so that asynchronous messages can be transmitted over HTTP from the server to a client. When a connection is established between a client and an intermediary, and the intermediary and a server to establish a logical client-server connection, that logical client-server connection is labeled and not maintained, while the connection between the client and the intermediary is maintained. Messages generated by the server and destined for the client are transmitted to the intermediary along with the connection label. The intermediary can then use the connection label to determine which client should receive the message.

Abstract: The present invention provides maintains site persistence in a hierarchical Global Server Load Balancing (GSLB) deployment. Via configuration of GSLB services locally and remotely on each of the GSLB appliances and LB appliances at a site, a site appliance identifies and associates requests from the GSLB with the site. Furthermore, the site appliance may receive a GSLB cookie with the client request and confirms the request is from the expected GSLB in the site hierarchy. When the load balancers receives a response from a server, the appliance may include the GSLB cookie with the response back to the client. The appliance may also include an LB cookie to identify the server selected by the LB. When the client sends another request, the request may include the GSLB and LB cookie.

Abstract: The present application is directed towards systems and methods for handling a multi-connection protocol communication between a client and a server traversing a multi-core system. The multi-connection protocol comprises a first connection and a second connection, which may be used respectively for control communications and data communications. Because different cores in the multi-core system may handle the first connection and second connection, the present invention provides systems and methods for efficiently coordinating protocol management between a plurality of cores.

Abstract: A method for using a network appliance to efficiently buffer and encrypt data for transmission includes: receiving, by an appliance via a connection, two or more SSL records comprising encrypted messages; decrypting the two or more messages; buffering, by the appliance, the two ore more decrypted messages; determining, by the appliance, that a transmittal condition has been satisfied; encrypting, by the appliance in response to the determination, the first decrypted message and a portion of the second decrypted message to produce a third SSL record; and transmitting, by the appliance via a second connection, the third record. Corresponding systems are also described.

Abstract: The present solution is directed to providing, transparently and seamlessly to any client or server, layer 2 redirection of client requests to any services of a device deployed in parallel to an intermediary device An intermediary device deployed between the client and the server may intercept a client request and check if the request is to be processed by a service provided by one of the devices deployed in parallel with the intermediary device. The service may be any type and form of service or feature for processing, checking or modifying the request, including a firewall, a cache server, a encryption/decryption engine, a security device, an authentication device, an authorization device or any other type and form of service or device described herein. The intermediary device may select the machine to process the request and use layer 2 redirection to the machine.

Abstract: The present disclosure describes methods and systems for efficiently assigning, managing and querying virtual private network (VPN) addresses intranet IP (IIP) addresses of users, such as SSL VPN users on an enterprise network. The disclosure describes techniques and policies for assigning previously-assigned VPN addresses of a user to subsequent sessions of the user as the user logs in multiple times or roams between access points. The disclosure also describes a configurable user domain naming policy so that one can query the VPN address of a user by an easily referable host name identifying the user. The appliance and/or client agent provides techniques for applications to seamlessly and transparently communicate on the VPN using the VPN address of the user or client on the private network.

Abstract: The present solution provides a spillover management technique for virtual servers of an appliance based on bandwidth. A network administrator may configure a bandwidth threshold for one or more virtual servers, such as virtual servers providing acceleration or load balancing for one or more services. The bandwidth threshold may be specified as a number of bytes transferred via the virtual server. The bandwidth threshold may also be specified as a round trip time or derivative thereof. A user may specify the bandwidth threshold via a configuration interface. Otherwise, the appliance may establish the bandwidth threshold. The appliance monitors the bandwidth used by a first virtual server. In response to detecting the bandwidth reaching or exceeding the bandwidth threshold, the appliance dynamically directs client requests to a second virtual server.

Abstract: The present application is directed towards systems and methods for handling a multi-connection protocol communication between a client and a server traversing a multi-core system. The multi-connection protocol comprises a first connection and a second connection, which may be used respectively for control communications and data communications. Because different cores in the multi-core system may handle the first connection and second connection, the present invention provides systems and methods for efficiently coordinating protocol management between a plurality of cores.

Abstract: The present invention is directed towards systems and methods for aggregating and providing statistics from cores of a multi-core system intermediary between one or more clients and servers. The system may maintain in shared memory a global device number for each core of the multi-core system. The system may provide a thread for each core of the multi-core system to gather data from the corresponding core. A first thread may generate aggregated statistics from a corresponding core by parsing the gathered data from the corresponding core. The first thread may transfer the generated statistics to a statistics log according to a schedule. The system may adaptively reschedule the transfer by monitoring the operation of each computing thread. Responsive to a request from a client, an agent of the client may obtain statistics from the statistics log.