Patents Assigned to Blue Coat Systems, Inc.
  • Publication number: 20140095865
    Abstract: Various techniques are described to authenticate the identity of a proxy in a client-proxy-server configuration. The configuration may have a client-side and a server-side SSL session. In the server-side session, if the proxy has access to the private keys of the client, the proxy may select a client certificate from a collection of client certificates and send the selected certificate to the server to satisfy a client authentication request of the server. If the proxy does not have access to the private keys, the proxy may instead send an emulated client certificate to the server. Further, the client certificate received from the client may be embedded within the emulated client certificate so as to allow the server to directly authenticate the client, in addition to the proxy. An emulated client certificate chain may be formed instead of an emulated client certificate. Similar techniques may be applied to the client-side session.
    Type: Application
    Filed: September 28, 2012
    Publication date: April 3, 2014
    Applicant: BLUE COAT SYSTEMS, INC.
    Inventors: Srinivas Yerra, Krists Krilovs, Dharmendra Mohan, Ron Frederick, Tammy Green
  • Patent number: 8671157
    Abstract: The present invention describes a system, method, and article of manufacture for resolving names received in network protocol requests by a network intermediary device coupled between a client network and a server network. A deferred trust model caching engine in the network intermediary device includes a transactor module configured to efficiently process a protocol request with a sequence of determinant criteria, although the sequence can occur in different orders. The deferred trust model caching engine includes a cacheability evaluator component configured to determine whether the protocol request is for a resource that the protocol permits to be cached by the network intermediate device, and a supplier trust evaluator component configured to compare information about the client's network protocol request and a cached object representation to determine if the object is trustworthy or not. The cached object representation associates an object with a supplier identity and a supplier trust property.
    Type: Grant
    Filed: August 25, 2011
    Date of Patent: March 11, 2014
    Assignee: Blue Coat Systems, Inc.
    Inventor: Eric Maki
  • Patent number: 8639837
    Abstract: Packets received at a network appliance are classified according to packet classification rules based on flow state information maintained by the network appliance and evaluated for each packet as it is received at the appliance on the basis of OSI Level 2-Level 4 (L2-L4) information retrieved from the packet. The received packets are acted upon according to outcomes of the classification; and the flow state information is updated according to actions taken on the received packets. The updated flow state information is then made available to modules performing additional processing of one or more of the packets at OSI Layer 7 (L7).
    Type: Grant
    Filed: July 27, 2007
    Date of Patent: January 28, 2014
    Assignee: Blue Coat Systems, Inc.
    Inventors: Qing Li, Yusheng Huang, Gary Tomic, Ronald Frederick
  • Patent number: 8612541
    Abstract: A communication between a client and an intermediary device on a network is evaluated at multiple communication flow checkpoints according to a tenant-specific policy current at the outset of the communication and selected according to an identification of a tenant with which the client is associated, the identified tenant being one of a plurality of tenants serviced by the intermediary device. Non-current policies are maintained by the intermediary device for use in connection with communications that have not yet been fully processed so that consistency of policy enforcement is maintained even if policies change while transactions are in process. Further, long-standing transactions may be reevaluated in light of changed policies to determine whether or not the transactions should be dropped.
    Type: Grant
    Filed: April 29, 2011
    Date of Patent: December 17, 2013
    Assignee: Blue Coat Systems, Inc.
    Inventor: Mark Maxted
  • Patent number: 8547972
    Abstract: In accordance with one embodiment of the present disclosure, a system includes one or more computer systems including a memory, one or more processors, and a bypass switch with an open position and a closed position. The one or more computer systems further include computer-executable program code. The computer-executable program code includes one or more virtual machine modules including computer-executable instructions configured, when executed, to cause the one or more processors to implement one or more virtual machines that host one or more guest operating systems and one or more applications. The computer-executable program code further includes a virtual bypass switch module including computer-executable instructions configured, when executed, to cause the one or more processors to, responsive to the availability of the one or more applications, forward packets received on the first physical network interface to at least one of the one or more virtual machines.
    Type: Grant
    Filed: January 28, 2011
    Date of Patent: October 1, 2013
    Assignee: Blue Coat Systems, Inc.
    Inventors: Jamshid Mahdavi, Greg Veres
  • Patent number: 8526467
    Abstract: Methods, apparatuses and systems directed to facilitating transitions from IPv4 to IPv6 networks. In particular implementations, the invention facilitates or enables accessibility of network application services between IPv4 and IPv6 hosts, or traversal of network paths including both IPv6 or IPv4 domains. Particular implementations of the invention are directed to selective mapping of network layer addresses between IPv6 and IPv4 protocols and Domain Name System records under one or more policy controls. Other implementations of the invention are directed to a proxy-to-proxy based tunnel architecture allowing hosts implementing a first network layer protocol, such as IPv4, to traverse a network implementing a second network layer protocol, such as IPv6.
    Type: Grant
    Filed: April 7, 2011
    Date of Patent: September 3, 2013
    Assignee: Blue Coat Systems, Inc.
    Inventors: Qing Li, Yusheng Huang
  • Patent number: 8509235
    Abstract: A Layer 2 packet return mechanism in a proxy, such as a web cache, operatively associated with a redirecting router. In a particular embodiment, the present invention provides a Layer 2 packet return mechanism in a Web Cache Communication Protocol (WCCP) network environment. In one embodiment, the present invention provides an efficient mechanism allowing a proxy or web cache to recognize WCCP redirected packets, forwarded using Layer 2 forwarding mechanisms, and subsequently to return unprocessed packets to the original forwarding WCCP router using a Layer 2 packet return mechanism.
    Type: Grant
    Filed: July 30, 2008
    Date of Patent: August 13, 2013
    Assignee: Blue Coat Systems, Inc.
    Inventor: Qing Li
  • Patent number: 8505038
    Abstract: A split proxy is configured for managing asynchronous MAPI communications between a client and a server by establishing a queuing structure for MAPI messages that make up the communications. The MAPI messages are subsequently exchanged between the client and the server using the queuing structure. Multiple remote procedure calls (RPCs) underlying the MAPI messages may be grouped together in batches for exchange between proxies of the split proxy. Also, when the client logs off from the server, a MAPI keep-alive process allows updates received at the server to be pre-populated to the split proxy for transfer to the client when it reestablishes a connection.
    Type: Grant
    Filed: January 28, 2008
    Date of Patent: August 6, 2013
    Assignee: Blue Coat Systems, Inc.
    Inventors: Meenakshi Sundaram Lakshmanan, Janis Gailis, Marcin Lizon, Adrian Rogobete, Matthew Paul Thurston
  • Patent number: 8489720
    Abstract: Methods, apparatuses, and systems directed to cost-aware bandwidth management schemes that are adaptive to monitored network or application performance attributes. In one embodiment, the present invention supports bandwidth management systems that adapt to network conditions, while managing tradeoffs between bandwidth costs and application performance. One implementation of the present invention tracks bandwidth usage over an applicable billing period and applies a statistical model to allow for bursting to address increased network loading conditions that degrade network or application performance. One implementation allows for bursting at selected time periods based on computations minimizing cost relative to an applicable billing model. One implementation of the present invention is also application-aware, monitoring network application performance and increasing bandwidth allocations in response to degradations in the performance of selected applications.
    Type: Grant
    Filed: March 31, 2004
    Date of Patent: July 16, 2013
    Assignee: Blue Coat Systems, Inc.
    Inventors: Michael Robert Morford, Robert E. Purvy
  • Publication number: 20130179551
    Abstract: In one embodiment, a method includes receiving an address of a DNS server of a network. A secure communication tunnel is established with a client of the network. The client is notified that requests to the address of the DNS server of the network should not pass through the secure communication tunnel. A request for a DNS lookup of a name of a host of the network is received through the secure communication tunnel. A DNS referral that includes the address of the DNS server of the network is sent to the client.
    Type: Application
    Filed: January 6, 2012
    Publication date: July 11, 2013
    Applicant: Blue Coat Systems, Inc.
    Inventor: Qing Li
  • Patent number: 8473611
    Abstract: A request for content is received at a content filter of a computer system, and a determination is made, based on a referrer included in the request, regarding a root site directly or indirectly associated with the request. Thereafter, the content is permitted or not permitted according to whether or not the root site is a permitted site and a site associated with the content is categorized in a semantically equivalent content category with the root site. The determination regarding the root site may involve consulting a referrer chain cache storing lists of referrers which associate referring Web sites with root sites from which referrals originate.
    Type: Grant
    Filed: September 4, 2009
    Date of Patent: June 25, 2013
    Assignee: Blue Coat Systems, Inc.
    Inventors: Richard E. Meier, Roger G. Harrison, Todd Miller
  • Patent number: 8462820
    Abstract: Methods, apparatuses and systems directed to a network traffic synchronization mechanism facilitating the deployment of network devices in redundant network topologies. In certain embodiments, when a first network device directly receives network traffic, it copies the network traffic and transmits it to at least one partner network device. The partner network device processes the copied network traffic, just as if it had received it directly, but, in one embodiment, discards the traffic before forwarding it on to its destination. In one embodiment, the partner network devices are operative to exchange directly received network traffic. As a result, the present invention provides enhanced reliability and seamless failover. Each unit, for example, is ready at any time to take over for the other unit should a failure occur.
    Type: Grant
    Filed: August 10, 2010
    Date of Patent: June 11, 2013
    Assignee: Blue Coat Systems, Inc.
    Inventors: Roopesh R. Varier, David Jacobsen, Guy Riddle
  • Patent number: 8458344
    Abstract: In one embodiment, an intermediary device situated along a communication path between two endpoint devices may receive communication packets sent along the communication path. If the intermediary device receives a connection-initiating packet having a customization indicator and a connection-acknowledgement packet having a customization indicator, then the intermediary device may install a bypass rule.
    Type: Grant
    Filed: May 5, 2011
    Date of Patent: June 4, 2013
    Assignee: Blue Coat Systems, Inc.
    Inventors: Qing Li, Yusheng Huang
  • Patent number: 8458127
    Abstract: In a particular implementation, providing a virtual cached network drive, on a client, for PST-type (Personal STore) file operations, during a non-optimal connection. In one implementation, during the non-optimal connection, changes to objects, in a local PST file, are saved in a local cache (the virtual network drive) and logged. At certain intervals, the changes are compiled, compared with entries in a synchronization database and a list of changes, to be performed on the objects, is generated which is used to update a remote PST. If the connection remains non-optimal, a temporary PST file is created, based on the list of changes, and transferred to a remote agent that performs the changes on the remote PST. If the connection improves, the changes are instead performed directly on the remote PST.
    Type: Grant
    Filed: December 28, 2007
    Date of Patent: June 4, 2013
    Assignee: Blue Coat Systems, Inc.
    Inventors: George O. Lorch, III, Chitra Ramaswamy, Dinesh Sinha
  • Patent number: 8452876
    Abstract: A graphical user interface for configuring policies which manage traffic over a computer network. An implementation of the invention disassociates the definition of traffic policies from their logical and physical application to the network and its constituent devices. One implementation allows a network manager to define traffic policies through user inputs such as dragging and dropping rule templates with a mouse. An implementation further allows such policies to be logically applied to parts and subparts of the computer network through the dragging and dropping of the policies and defined network endpoints. One implementation of the invention then provides multiple views of these policies as applied.
    Type: Grant
    Filed: September 5, 2006
    Date of Patent: May 28, 2013
    Assignee: Blue Coat Systems, Inc.
    Inventors: Brian Denny Williams, Albert L. Papp, III
  • Patent number: 8452968
    Abstract: Systems, methods, apparatus and computer-executable instructions stored on computer-readable media for communicating a modified hash message authentication code (HMAC) signed message between two endpoints are provided. The HMAC signature of the message may include a plurality of components. In some cases, the HMAC signature is a Server Message Block (SMB) signature. The first and/or second endpoint may be a client, server, or host. Some embodiments of the present application utilize a proxy, such as a CIFS proxy. In one embodiment, HMAC signature information sent from the first endpoint to the second endpoint may be intercepted. A value for a component of the HMAC signature may be determined by, for example, using the intercepted HMAC signature information. The intercepted message may be modified, re-signed using the intercepted HMAC signature information, and transmitted to a receiving endpoint.
    Type: Grant
    Filed: September 15, 2008
    Date of Patent: May 28, 2013
    Assignee: Blue Coat Systems, Inc.
    Inventor: Jose Luis Flores
  • Publication number: 20130133032
    Abstract: In certain embodiments, a method includes receiving, by a capture device, traffic flows transmitted by a plurality of client devices, each of the traffic flows being associated with one of the plurality of client devices and comprising encrypted data. The method further includes receiving, by the capture device, flow information communicated from a proxy server communicatively coupled to the capture device, the flow information comprising an identification of a particular traffic flow and a session key associated with the particular traffic flow. The method further includes storing, by the capture device, encrypted data of the particular traffic flow identified by the flow information supplied by the proxy server; storing, by the capture device, the session key associated with the particular traffic flow; and discarding, by the capture device, any of the plurality of received traffic flows not identified in the flow information received from the proxy server.
    Type: Application
    Filed: November 18, 2011
    Publication date: May 23, 2013
    Applicant: Blue Coat Systems Inc.
    Inventors: Qing Li, Ronald Andrew Frederick
  • Publication number: 20130103834
    Abstract: An apparatus, system, and method for segregating customer traffic through a cloud service are disclosed. The apparatus, system, and method perform network address translation (NAT) on first data packets received from a subnet to translate a first private network IP address into a second private network IP address, perform network address and port translation (NAPT) on the first data packets to translate the second private network IP address into a second public network IP address before sending the first data packets to a remote host, perform NAPT on second data packets received from the remote host to translate the second private network IP address back into the first private network IP address, and perform NAT on the second data packets to translate the second private network IP address back into the first private network IP address before sending the second data packets to the subnet.
    Type: Application
    Filed: October 21, 2011
    Publication date: April 25, 2013
    Applicant: Blue Coat Systems, Inc.
    Inventors: Janis Dzerve, Meenakshi Sundaram Lakshmanan
  • Publication number: 20130080611
    Abstract: In one embodiment, downloading one or more content items; determining which ones of the one or more content items are popular among a plurality of users; categorizing the one or more content items into one or more groups, wherein each group comprises one or more related content items; associating one or more keywords with each group, wherein the one or more keywords describe content of the one or more related content items in the corresponding group; and caching the one or more content items categorized into the one or more groups and the one or more keywords associated with each group.
    Type: Application
    Filed: September 22, 2011
    Publication date: March 28, 2013
    Applicant: BLUE COAT SYSTEMS INC.
    Inventors: Qing Li, Ronald Andrew Frederick
  • Patent number: 8346966
    Abstract: The present invention, in particular embodiments, provides methods, apparatuses and systems directed to providing a mechanism by which clients can transparently access remote file server appliances. Due to this, clients do not need to modify the pathnames in order to access the file servers.
    Type: Grant
    Filed: July 19, 2007
    Date of Patent: January 1, 2013
    Assignee: Blue Coat Systems, Inc.
    Inventors: Shirish H. Phatak, Chandra Kilaru Satish, Murali Rangarajan, Pratik Shankarial Rana