Abstract: A method may include storing and updating published resource entitlements for a plurality of client devices at a computing device. The method may also include using a plurality of virtual delivery appliances to receive connection requests from the client devices, with the connection requests including connection leases having associated resource entitlements the client devices are respectively permitted to access, and request validation of the connection leases from the computing device. At the computing device, responsive to validation requests from the virtual delivery appliances, the connection leases may be compared to the updated published resource entitlements and validated based thereon. At the virtual delivery appliances, the client devices may be provided with access to virtual sessions corresponding to the published resource entitlements responsive to the virtual session request validations from the computing device.

Abstract: A method may include storing and updating published resource entitlements for a plurality of client devices at a computing device. The method may also include using a plurality of virtual delivery appliances to receive connection requests from the client devices, with the connection requests including connection leases having associated resource entitlements the client devices are respectively permitted to access, and request validation of the connection leases from the computing device. At the computing device, responsive to validation requests from the virtual delivery appliances, the connection leases may be compared to the updated published resource entitlements and validated based thereon. At the virtual delivery appliances, the client devices may be provided with access to virtual sessions corresponding to the published resource entitlements responsive to the virtual session request validations from the computing device.

Abstract: A computing device may include a memory configured to store a group connection lease and a group user interface (UI) cache shared by different users within a user delivery group. The computing device may also include a processor coupled to the memory and configured to establish communications links with a plurality of smart card devices associated with different users within the user delivery group, initiate virtual sessions for the different users based upon the group connection lease responsive to establishing the communications links with the smart card devices, and launch the virtual sessions for the different users based upon the group UI cache.

Abstract: A computing appliance may include a memory and a processor configured to cooperate with the memory to establish a first virtual session for an endpoint device over a first network connection. The endpoint device may have an endpoint public/private key pair associated therewith and configured to store a plurality of connection leases generated based upon the endpoint public key, and the first virtual session may be established responsive to a first one of the connection leases and authentication based upon the endpoint private key. The processor may further establish a second virtual session for the endpoint device to access through the first virtual session with another computing appliance over a second network connection responsive to a second one of the connection leases and authentication based upon the endpoint private key.

Abstract: A computing device may include a memory and a processor cooperating with the memory and configured to receive connection leases providing instructions for connecting to computing sessions, and request connections to the computing sessions including the connection leases. Each connection lease may comprise a first component unique to a published resource, and a second component referenced by the first component and shared in common with a plurality of different published resources in other connection leases, with the second component being updateable independent of the first component.

Abstract: Systems and methods for establishing a secure connection are described. A server receives a plurality of routing tokens for establishing a service connection between a service node and the server along a network path through a plurality of network devices. The routing tokens can be validated by a corresponding network device. The server transmits a packet including the routing tokens to a first network device. The first network device validates a first routing token associated therewith, then directs the packet along the network path to a second network device, and so forth, until each of the network device receives and validates their routing token. The server establishes a cryptographic context between the service node and server for establishing a secure channel between the service node and the server. The server transmits a service node routing token to the service node via the secure channel for validation.

Abstract: A computing device may include a memory and a processor configured to cooperate with the memory to store an authentication token having first and second authentication credentials associated therewith. The first and second authentication credentials may be different from one another. The processor may further cooperate with a server to access a session based upon the authentication token.

Abstract: A method may include establishing a transport layer session between a gateway appliance and at least one virtual delivery appliance, establishing a presentation layer session between the gateway appliance and the at least one virtual delivery appliance via the transport layer session, and establishing a connection lease exchange tunnel between the gateway appliance and the at least one virtual delivery appliance via the presentation layer session. The method further include receiving, at the at least one virtual delivery appliance, a connection lease from a client device via the gateway appliance through the connection lease exchange tunnel and validating the connection lease, and issuing a resource connection ticket at the at least one virtual delivery appliance to the client device through the connection lease exchange tunnel responsive to the validation.

Abstract: A computing system may include a client device configured to remotely access virtual computing sessions, and a virtual delivery appliance configured to connect the client device to the virtual computing sessions. The client device and the virtual delivery appliance may share a symmetric encryption key and encrypt data communications exchanged therebetween with the symmetric encryption key. The system may further include a gateway appliance configured to relay the encrypted communications between the client device and the virtual delivery appliance, the gateway appliance not having the symmetric key and being unable to decrypt the encrypted communications relayed between the virtual delivery appliance and the client device.

Abstract: A method may include storing and updating published resource entitlements for a plurality of client devices at a computing device. The method may also include using a plurality of virtual delivery appliances to receive connection requests from the client devices, with the connection requests including connection leases having associated resource entitlements the client devices are respectively permitted to access, and request validation of the connection leases from the computing device. At the computing device, responsive to validation requests from the virtual delivery appliances, the connection leases may be compared to the updated published resource entitlements and validated based thereon. At the virtual delivery appliances, the client devices may be provided with access to virtual sessions corresponding to the published resource entitlements responsive to the virtual session request validations from the computing device.

Abstract: A computing system may include a plurality of Point of Presence computing devices (PoPs) configured to provide access to a computing network(s), and a plurality of gateway appliances. The gateway appliances may be configured to relay communications between client devices and virtual delivery appliances to provide the client devices with access to virtual sessions. The gateway appliances may route client device communications through the PoPs based upon gateway connection tickets, and may also generate the gateway connection tickets including a payload encrypted with a symmetric encryption key, and a plurality of different versions of the symmetric key encrypted with different public encryption keys of the PoPs. The PoPs may be further configured to use their private encryption keys to decrypt the encrypted symmetric key, use the decrypted symmetric key to decrypt the payload, and permit routing of the client communications based upon the decrypted payload of the gateway connection tickets.

Abstract: A computing system may include a computing device configured to store and update published resource entitlements for a plurality of client devices. The system may further include a plurality of virtual delivery appliances configured to receive connection requests from the client devices, with the connection requests including a connection lease issued based upon the published resource entitlements for the client devices, request validation of the connection leases from the computing device, and provide the client devices with access to virtual sessions corresponding to the published resource entitlements responsive to validation of connection leases from the computing device. The computing device, responsive to validation requests from the virtual delivery appliances, may also compare the connection leases to the updated published resource entitlements and validate virtual session requests based thereon.

Abstract: A smart card may include a memory configured to store a user connection lease and user interface (UI) cache for a user and a private/public key pair of the smart card, with the user connection lease being bound to the private/public key pair of the smart card. The smart card may further include a processor coupled to the memory and configured to establish a communications link with a kiosk device to be shared by a plurality of different users, initiate a virtual session for the user at the kiosk device based upon the user connection lease and the private key responsive to establishing the communications link (with the smart card defining an endpoint for the virtual session authorization), and cause the kiosk device to launch the virtual session based upon the user UI cache.

Abstract: A computing device may include a memory configured to store a group connection lease and a group user interface (UI) cache shared by different users within a user delivery group. The computing device may also include a processor coupled to the memory and configured to establish communications links with a plurality of smart card devices associated with different users within the user delivery group, initiate virtual sessions for the different users based upon the group connection lease responsive to establishing the communications links with the smart card devices, and launch the virtual sessions for the different users based upon the group UI cache.

Abstract: A computing device may include a memory and a processor cooperating with the memory and configured to receive requests from a client device to connect with the computing device. The client device may be shared by multiple authenticated users and have a public/private encryption key pair associated therewith, and the requests may be based upon connection leases and the public key for the client device. The connection leases may also be generated for respective authenticated users and include an authenticated version of the public key for the client device so that the connection leases are specific to the client device and respective users. The processor may also provide the client device with access to computing sessions for respective authenticated users based upon the connection leases and verification of the public key, and prevent the use of the connection leases for authorizing connections for other authenticated users.

Abstract: A computing device may include a memory and a processor cooperating with the memory and configured to receive a connection request from a client device having a public/private encryption key pair associated therewith. The connection request may be based upon a connection lease and the public key for the client device, and the connection lease may be generated based upon an authenticated version of the public key for the client device. The processor may also be configured to verify that the authenticated version of the public key upon which the connection lease was generated matches the public key for the client device and authorize a connection with the client device and provide the client device with access to a virtual computing session via the connection.

Abstract: Systems and methods for establishing a secure connection are described. A server receives a plurality of routing tokens for establishing a service connection between a service node and the server along a network path through a plurality of network devices. The routing tokens can be validated by a corresponding network device. The server transmits a packet including the routing tokens to a first network device. The first network device validates a first routing token associated therewith, then directs the packet along the network path to a second network device, and so forth, until each of the network device receives and validates their routing token. The server establishes a cryptographic context between the service node and server for establishing a secure channel between the service node and the server. The server transmits a service node routing token to the service node via the secure channel for validation.

Abstract: A computing device may include a memory and a processor cooperating with the memory and configured to receive connection leases providing instructions for connecting to computing sessions, and request connections to the computing sessions including the connection leases. Each connection lease may comprise a first component unique to a published resource, and a second component referenced by the first component and shared in common with a plurality of different published resources in other connection leases, with the second component being updateable independent of the first component.

Abstract: Systems and methods for establishing a secure connection are described. A server receives a plurality of routing tokens for establishing a service connection between a service node and the server along a network path through a plurality of network devices. The routing tokens can be validated by a corresponding network device. The server transmits a packet including the routing tokens to a first network device. The first network device validates a first routing token associated therewith, then directs the packet along the network path to a second network device, and so forth, until each of the network device receives and validates their routing token. The server establishes a cryptographic context between the service node and server for establishing a secure channel between the service node and the server. The server transmits a service node routing token to the service node via the secure channel for validation.

Abstract: A computing device may include a memory and a processor cooperating with the memory and configured to access a plurality of connection lease templates corresponding to published resources stored in a shared memory. The processor may further be configured to provision connection leases for respective client devices using a connection lease issuing appliance based upon the stored connection lease templates. The connection leases may be provisioned on demand responsive to selection of the published resources by the client devices, and the connection leases may provide instructions for connecting the client devices to virtual computing sessions corresponding to the published resources.