Patents Assigned to Citrix Systems, Inc.
-
Patent number: 11533289
Abstract: Described embodiments provide systems and methods for rewriting an URL in a message transmitted via a clientless SSL VPN session. An intermediary device may identify, in a HTTP response transmitted via the session, an absolute URL that includes a hostname of the server. The device may determine that the absolute URL includes an intranet domain name. The device may generate, responsive to the determination, a URL segment by combining a unique string corresponding to the hostname of the server, with a hostname of the device. The device may rewrite, responsive to the determination, the absolute URL by replacing the server hostname in the absolute URL with the generated URL segment. A DNS server for the client may be configured with a DNS entry comprising a wildcard combined with the device hostname, to cause the DNS server to resolve the rewritten absolute URL to an IP address of the device.
Type: Grant
Filed: September 23, 2020
Date of Patent: December 20, 2022
Assignee: Citrix Systems, Inc.
Inventors: Punit Gupta, Pintu Kumar
-
Publication number: 20220400161
Abstract: Described embodiments provide for routing remote application data. A device can receive a request to access an application. The application can be provided by data centers and accessible via service providers. The device can select a data center from the plurality of data centers and a service provider based at least on a metric indicative of a connection between the data center and the service provider. The device can query a database including one or more connection metrics using the application identified in the request and a location of a router transmitting the request. The device can determine the location of the router based on an internet protocol (IP) address of a client communicably coupled to the router. The device can transmit a response to the request identifying the selected data center and the selected service provider.
Type: Application
Filed: July 9, 2021
Publication date: December 15, 2022
Applicant: Citrix Systems, Inc.
Inventors: Paraskevas Zafiris, Ioannis Beredimas, Konstantinos Papanikitas
-
Patent number: 11528322
Abstract: Improving load distribution and consistency is provided. A device intermediary to clients and servers can maintain bit values indicative of server availability stored in indices arranged in various levels. A lowest level comprises indices corresponding to a list of servers repeated multiple times. Each index in a higher level maps to a set of indices in a lower level. The device can receive a request from a client to access a server. The device can identify an index in a highest level. The device can determine a second index in the highest level that is after the index in the highest level and has a bit value indicating server availability. The device can identify an index in the lowest level mapping to the second index in the highest level. The device can select a server corresponding to the index in the lowest level.
Type: Grant
Filed: August 20, 2021
Date of Patent: December 13, 2022
Assignee: Citrix Systems, Inc.
Inventors: Aman Chaudhary, Raghav Somanahalli Narayana, Arunkanth Abbigari, Rajesh Joshi, Vemula Srimithra, Vinay Shivananda
-
Patent number: 11526595
Abstract: Methods and systems for device authentication based on generating and displaying an optically scannable visual representation of a public portion of a hardware secured encryption key (EK) are described herein. A client certificate is encrypted with the public portion of the EK based on a scan of the displayed visual representation. A connection may be established between a computing device and a server using the encrypted client certificate and a private portion of the EK to authenticate the computing device. In some implementations, a request is received from a second computing device to access a first computing device, and includes data encrypted using a public portion of an EK acquired from a displayed optically scannable visual representation of the public portion of the EK. The second computing device is provided access to the first computing device based on decryption of the encrypted data using a private portion of the EK.
Type: Grant
Filed: February 13, 2020
Date of Patent: December 13, 2022
Assignee: Citrix Systems, Inc.
Inventor: Moso Lee
-
Patent number: 11528320
Abstract: Described herein are systems and methods for end user connection load balancing amongst multiple on-premise connector proxies deployed across geographic locations and reducing connection setup latency without using a shared or distributed database. The system can load balance connections deterministically amongst the on-premise connector proxies using load statistics. The system utilizes an intelligent DNS service that can use network experience data, service availability, and application metrics to provide sophisticated traffic management via DNS or API-based decisions. The system can include a domain name system (DNS) resolver configured to receive metrics for a first connector and a second connector of a data center of an entity, receive a DNS request including an entity identifier and a data center identifier; and transmit a response to the DNS request identifying a server selected based on the metrics identified using the entity identifier and the data center identifier.
Type: Grant
Filed: August 17, 2021
Date of Patent: December 13, 2022
Assignee: Citrix Systems, Inc.
Inventor: Hrushikesh Shrinivas Paralikar
-
Publication number: 20220394034
Abstract: Reducing vulnerability to a server is provided. A device intermediary to a client and a server can receive a RPC message from the RPC based client to the RPC based server, the RPC message having a plurality of fields to execute one or more routines on the server. The device can detect that one or more fields of the plurality of fields exploits a vulnerability of the RPC based server. The device can modify the RPC message to remove the one or more fields from the RPC message. The device can forward the modified RPC message to the RPC server.
Type: Application
Filed: June 7, 2021
Publication date: December 8, 2022
Applicant: Citrix Systems, Inc.
Inventors: Seth K. Keith, Saravanakumar Annamalaisami, Krishna Khanal, Ratnesh Singh Thakur
-
Patent number: 11522701
Abstract: Methods, systems, computer-readable media, and apparatuses may provide creation and management of composite tokens for use with services in a virtual environment without the user having to re-authenticate each time the user accesses a different service. A composite identity server may receive a request to upgrade a first authentication token for a user. The composite identity server may redirect a user agent to an identity provider for authentication and, in response, may receive a second authentication token for the user. The composite identity server may send the second authentication token to a federated microservice and, in response, may receive one or more claims of the second authentication token designated for inclusion in a composite token. The composite identity server may generate a composite token including the one or more claims of the first authentication token and one or more claims of the second authentication token.
Type: Grant
Filed: November 15, 2019
Date of Patent: December 6, 2022
Assignee: Citrix Systems, Inc.
Inventors: Bradley Markus Rowe, Ricardo Feijoo, Tom Michael Kludy, Ayush Jain, Gerald Haagsma
-
Patent number: 11522785
Abstract: Described embodiments provide systems and method for intelligent path selection to reduce latency and maintain security. A client can request access to a server and multiple connections can be initiated to the requested destination, for example, a direct connection from a branch office and a backhauled connection through a data center. Traffic via the second connection can be controllable by application of at least one rule of the data center. A device can determine a delay in the exchange of data via the connections and a security level of the connections. The determination of the delay in the exchange of data via the another connection can be based on in part feedback about the application of the rule. The device can connect a client device to a server through one of the connections using the determination of the delay and the security level of the connection.
Type: Grant
Filed: February 8, 2021
Date of Patent: December 6, 2022
Assignee: Citrix Systems, Inc.
Inventors: Praveen Raja Dhanabalan, Vladimir Vysotsky, Saurabh Pant, Srinivasarao Nelluri
-
Patent number: 11522847
Abstract: Aspects described herein relate to methods, devices and systems that allow for a client device, as part of a remote access or cloud-based network environment, to map external user identities to desktops and applications. Local user accounts can be dynamically generated on a virtual delivery agent. A mapping of the local user account to an external identity can be secured using signed tokens and maintained by a broker machine that allocates resources for the deployment of particular applications to the client device from the virtual delivery agent. This allows for the removal of any dependency on an Active Directory for maintaining user identities or federated sign-on services, greatly simplifying the management of user identities within the system and allowing for greater compatibility across client devices.
Type: Grant
Filed: March 12, 2021
Date of Patent: December 6, 2022
Assignee: Citrix Systems, Inc.
Inventors: Leo C. Singleton, IV, Mukund Ingale, Yuri Kolesnikov
-
Patent number: 11520604
Abstract: Methods and systems for accessing conflicting frameworks and classes are presented. In some embodiments, a conflicting frameworks computing platform may receive an application classloader corresponding to a mobile application. The application classloader may indicate one or more child application-defined classloaders. Subsequently, the conflicting frameworks computing platform may create a framework-defined classloader comprising a first class that conflicts with a second class in the one or more child application-defined classloaders. Further, the conflicting frameworks computing platform may create a framework-termination classloader. The framework-termination classloader may be a parent classloader of the framework-defined classloader. Next, the conflicting frameworks computing platform may replace, using a reflection function, the application classloader with a new application classloader.
Type: Grant
Filed: May 18, 2021
Date of Patent: December 6, 2022
Assignee: Citrix Systems, Inc.
Inventor: James Robert Walker
-
Publication number: 20220385656
Abstract: Described embodiments provide systems, methods, non-transitory computer-readable medium for initiating one-factor or multi-factor authentication. A device comprising one or more processors and coupled to memory. The device can receive a request to authenticate a user to enable access to an application by the user. The request can originate from an Internet Protocol (IP) address external to a network hosting the application. The device can determine that a previous request to authenticate the user originated from the IP address and was approved based on successful completion of multi-factor authentication by the user. The device can provide, responsive to the determination, the user with access to the application using one-factor authentication instead of the multi-factor authentication.
Type: Application
Filed: May 25, 2021
Publication date: December 1, 2022
Applicant: Citrix Systems, Inc.
Inventor: Ashish Gujarathi
-
Publication number: 20220386124
Abstract: Described embodiments provide for provisioning devices securely using zero touch deployments. A controller application can receive a first authentication code from the controller. The controller application can establish, responsive to receiving the first authentication code, a short-range wireless connection with the device within a pairing range of the controller application using at least one of one or more short-range wireless communication types. The controller application can receive a second authentication code from the device via the short-range wireless connection. The controller application can determine that the first authentication code received from the controller corresponds to the second authentication code received via the short-range wireless connection.
Type: Application
Filed: May 27, 2021
Publication date: December 1, 2022
Applicant: Citrix Systems, Inc.
Inventors: Krishna Kumar KB, Praveen Raja Dhanabalan
-
Publication number: 20220382617
Abstract: Systems and methods of reconstructing execution call flows to detect anomalies is provided. A device can establish call flows using information extracted from a log file to. Each of the call flows can identify information from the log file of a call flowing through a plurality of modules. The device can identify a count of a number of occurrences of one or more keywords in information of each call flow. The device can generate a vector of numbers for each call flow based at least on the count for the one or more keywords for that call flow. The device can classify each call flow into one or more clusters that indicate whether an operation of the call flow is anomalous. The device can classify each call flow using the vector of numbers for each call flow.
Type: Application
Filed: July 12, 2021
Publication date: December 1, 2022
Applicant: Citrix Systems, Inc.
Inventors: Satyendra Tiwari, Nikolaos Georgakopoulos, Utkarsh Agarwal, Pavan Belani, Srinivas Reddy Kasu, Rahul Kumar
-
Patent number: 11516211
Abstract: A system for providing a service may include a user device executing an application. The application may have an authorization token associated therewith to authenticate a given user to the service. The system may also include a server executing the service, and a virtual assistant to receive a request to access the service via the virtual assistant and communicate the request to the server. The server may determine whether the token has been obtained thereat based upon the identifier. When the token has been received by the server, the server may determine whether the token has expired, and when not expired, the server may process the request. When the token has not been received by the server, the server may obtain the token from the user device, and process the request based upon obtaining the token from the user device.
Type: Grant
Filed: January 8, 2019
Date of Patent: November 29, 2022
Assignee: CITRIX SYSTEMS, INC.
Inventor: James Roy Bulpin
-
Patent number: 11513609
Abstract: Aspects of the present disclosure are directed towards responding to a touch gesture at a touch-enabled computing device. An interface control element may be presented at a first computing environment provided by a computing device. A touch gesture may be received at a touchscreen of the computing device, and it may be determined whether at least a portion of the touch gesture occurred at the interface control element. Based, at least in part, on whether at least a portion of the touch gesture occurred at the interface control element, a display of the first computing environment may be adjusted or information corresponding to the touch gesture may be transmitted to a second computing environment. The interface control element may be a preview pane.
Type: Grant
Filed: December 14, 2021
Date of Patent: November 29, 2022
Assignee: Citrix Systems, Inc.
Inventors: Lin Cao, Ian Russell Wesley, Bassam El Faourie, Dimitri Tyryshkin, Venu Gopal Nathani
-
Patent number: 11513811
Abstract: A computer system is provided. The computer system includes a memory and at least one processor coupled to the memory. The processor is configured to identify a message to a plug and play (PnP) manager of an operating system, the message comprising an identifier of a device to be configured by the PnP manager, determine whether the device is targeted for device identifier translation at least in part by determining whether the device satisfies one or more target device criteria, and replace the identifier of the device with a reference identifier different from the identifier of the device in response to a determination that the device is targeted for device identifier translation, the reference identifier being usable by the PnP manager to install or configure the device.
Type: Grant
Filed: December 8, 2020
Date of Patent: November 29, 2022
Assignee: Citrix Systems, Inc.
Inventors: Mark Roddy, Moso Lee, Simon Piers Graham
-
Patent number: 11513757
Abstract: A method of casting a source device display screen to a target device includes, by an application on the source device, storing information about the target device in a shared memory and issuing a request to an operating system to initiate capturing and casting for the source device display screen. The operating system responds to the request by launching a casting extension and supplying a content stream containing content of the source device display screen. Upon being launched, the casting extension (1) obtains the information about the target device from the shared memory and uses the information to establish a display connection with the target device, and (2) forwards the content stream to the target device on the display connection.
Type: Grant
Filed: June 4, 2021
Date of Patent: November 29, 2022
Assignee: Citrix Systems, Inc.
Inventor: Chris Pavlou
-
Patent number: 11516128
Abstract: Methods and systems for path selection involving remote access protocols and/or user behavior are described herein. A request, from a first computing device, for content hosted on a second computing device may be received. Based on network state metrics, remote access protocol metrics, and/or user experience metrics, a path of a plurality of paths between the first computing device and the second computing device may be selected. The path need not be the most direct path between the first computing device and the second computing device, and may comprise remote access to a computing device on an intermediary server. Based on user behavior analysis performed with respect to user input data, a path may be re-selected, and/or the network state metrics, remote access protocol metrics, and/or user experience metrics may be weighted.
Type: Grant
Filed: November 6, 2020
Date of Patent: November 29, 2022
Assignee: Citrix Systems, Inc.
Inventors: Xiaolu Chu, Jinren Zhang, Jie Zhuang, Tao Zhan
-
Patent number: 11509465
Abstract: A computing device may include a memory configured to store a group connection lease and a group user interface (UI) cache shared by different users within a user delivery group. The computing device may also include a processor coupled to the memory and configured to establish communications links with a plurality of smart card devices associated with different users within the user delivery group, initiate virtual sessions for the different users based upon the group connection lease responsive to establishing the communications links with the smart card devices, and launch the virtual sessions for the different users based upon the group UI cache.
Type: Grant
Filed: September 21, 2021
Date of Patent: November 22, 2022
Assignee: CITRIX SYSTEMS, INC.
Inventors: Georgy Momchilov, Hubert Divoux, Roberto Valdes
-
Publication number: 20220368672
Abstract: Described embodiments provide systems and methods for selecting one or more firewall rules to apply to a server based at least on identifying a service of the server. A device intermediary to a plurality of clients and a server may identify a pattern of a firewall to apply to a response from the server to a request from a client of the plurality of clients. The pattern may be to identify a service configured on the server. The device may determine that the response from the server matches the pattern. The device may identify, responsive to the response matching the pattern, that the service is configured on the server. The device may select, based at least on the service, one or more rules for the firewall to apply to responses from the server.
Type: Application
Filed: May 11, 2021
Publication date: November 17, 2022
Applicant: Citrix Systems, Inc.
Inventors: Kasirao Velugu, Priya Bagaria, Ganesh Kathiresan, Thirumoorthi Thangamani