Patents Assigned to CITRIX SYSTEMS
  • Publication number: 20140331333
    Abstract: Systems, methods and apparatuses are described herein that allow an enterprise to analyze and manage work product images that are stored on a mobile device. Employees of an enterprise may use a mobile device to store both work product images (e.g., images of sensitive or proprietary information) and non-work product images (e.g., personal images). An enterprise may desire to enforce security protocols on the work product images, but the employee may not want the security protocols applied to the non-work product images. In some embodiments, by installing and executing an image manager that is able to analyze and manage images, the enterprise can enforce security protocols on only the work product images. Such security protocols may include the prevention of unauthorized viewing of the work product image (e.g., by encrypting the work product image) or deleting any work product image from the mobile device when the employee's employment has ended.
    Type: Application
    Filed: May 3, 2013
    Publication date: November 6, 2014
    Applicant: Citrix Systems, Inc.
    Inventor: Simon Frost
  • Publication number: 20140330990
    Abstract: A method and system for operating an application with multiple modes are described. A plurality of applications may be presented to a user on a mobile device and one of the displayed applications may be selected. The selected application may have one or more contexts that are determined based on one or more operational parameters. For example, a context for the selected application may be that the application is configured to access an enterprise account. Based on the context, the selected application may be run on the mobile device in one of a plurality of operation modes. The operation modes may comprise managed, unmanaged, and partially managed modes, among others.
    Type: Application
    Filed: May 3, 2013
    Publication date: November 6, 2014
    Applicant: Citrix Systems, Inc.
    Inventors: Zhongmin LANG, Gary BARTON
  • Patent number: 8881228
    Abstract: Methods, systems, computer-readable media, and apparatuses for providing a managed browser are presented. In various embodiments, a computing device may load a managed browser. The managed browser may, for instance, be configured to provide a managed mode in which one or more policies are applied to the managed browser, and an unmanaged mode in which such policies might not be applied and/or in which the browser might not be managed by at least one device manager agent running on the computing device. Based on device state information and/or one or more policies, the managed browser may switch between the managed mode and the unmanaged mode, and the managed browser may provide various functionalities, which may include selectively providing access to enterprise resources, based on such state information and/or the one or more policies.
    Type: Grant
    Filed: October 1, 2013
    Date of Patent: November 4, 2014
    Assignee: Citrix Systems, Inc.
    Inventor: Waheed Qureshi
  • Patent number: 8881229
    Abstract: Improved techniques for managing enterprise applications on mobile devices are described herein. Each enterprise mobile application running on the mobile device has an associated policy through which it interacts with its environment. The policy selectively blocks or allows activities involving the enterprise application in accordance with rules established by the enterprise. Together, the enterprise applications running on the mobile device form a set of managed applications. Managed applications are typically allowed to exchange data with other managed applications, but are blocked from exchanging data with other applications, such as the user's own personal applications. Policies may be defined to manage data sharing, mobile resource management, application specific information, networking and data access solutions, device cloud and transfer, dual mode application software, enterprise app store access, and virtualized application and resources, among other things.
    Type: Grant
    Filed: October 3, 2013
    Date of Patent: November 4, 2014
    Assignee: Citrix Systems, Inc.
    Inventors: Gary Barton, James Robert Walker, Nitin Desai, Zhongmin Lang
  • Patent number: 8874791
    Abstract: The invention relates to methods and systems for reconnecting a client and providing user authentication across a reliable and persistent communication session. The method includes providing a first connection between a client and first protocol service and a second connection between the first protocol service and a host service. The first protocol service detects a disruption in the first connection. The client re-establishes the first connection between the client and the first protocol service while maintaining the second connection between the first protocol service and the host service. The first protocol service receives a ticket associated with the client and validates the ticket. The first protocol service links the re-established first connection to the maintained second connection after the ticket is validated.
    Type: Grant
    Filed: January 18, 2011
    Date of Patent: October 28, 2014
    Assignee: Citrix Systems, Inc.
    Inventors: Anatoliy Panasyuk, Andre Kramer, Bradley Jay Pedersen, David Sean Stone, Terry Treder
  • Patent number: 8874749
    Abstract: A scalable cloud infrastructure serves two or more customers, where each customer is associated with at least one unit of virtual resources. The virtual resources are established by apportioning physical resources in the cloud infrastructure that are partitioned into pods within one or more zones in a scalable manner. Additionally, the cloud infrastructure establishes one or more management server clusters each comprising one or more management servers. The two or more customers create a number of virtual machines within pods in a zone. Due to the scalability of the cloud infrastructure, customer virtual machines may exist in non-optimal locations within the zone. A method to migrate virtual machines and defragment customer networks is devised to optimally manage network traffic and data communication in a scaled cloud infrastructure.
    Type: Grant
    Filed: February 3, 2011
    Date of Patent: October 28, 2014
    Assignee: Citrix Systems, Inc.
    Inventors: Chiradeep Vittal, Will Chan, Alex Huang, Sheng Liang
  • Patent number: 8875290
    Abstract: The present application is directed towards systems and methods for aggressively probing a client side connection to determine and counteract a malicious window size attack or similar behavior from a malfunctioning client. The solution described herein detects when a connection may be under malicious attack via improper or unusual window size settings. Responsive to the detection, the solution described herein will set up probes that determine whether or not the client is malicious and does so within an aggressive time period to avoid the tying up of processing cycles, transport layer sockets and buffers, and other resources of the sender.
    Type: Grant
    Filed: February 18, 2013
    Date of Patent: October 28, 2014
    Assignee: Citrix Systems, Inc.
    Inventors: Varun Taneja, Mahesh Mylarappa, Saravanakumar Annamalaisami
  • Patent number: 8866701
    Abstract: Methods and systems for transparent user interface integration between remote (“published”) applications and their local counterparts are described, providing a seamless, unified user experience, and allowing integration of a start menu, dock, taskbar, desktop shortcuts, windows, window and application switching, system tray elements, client-to-host and host-to-client file type association, URL redirection, browser cookie redirection, token redirection, status message interception and redirection, and other elements. These methods and systems further enhance theme-integration between a client and remote desktop or virtual machine by remoting all UI elements to a recipient for generation, including text controls, buttons, progress bars, radio buttons, list boxes, or other elements; presenting them with the receiver's product and OS-specific UI; and returning status back to the sender. This may achieve a more unified and transparent UI integration.
    Type: Grant
    Filed: March 2, 2012
    Date of Patent: October 21, 2014
    Assignee: Citrix Systems, Inc.
    Inventors: Georgy Momchilov, Abraham Mir
  • Patent number: 8868724
    Abstract: The present disclosure is directed to systems and methods for providing a virtual appliance. One or more application delivery controller appliances intermediary to a plurality of clients and a plurality of servers perform a plurality of application delivery control functions on network traffic communicated between the plurality of clients and the plurality of servers. A virtual application delivery controller is deployed on a device intermediary to the plurality of clients and the plurality of servers. The virtual application delivery controller executing on the device performs one or more of the plurality of application delivery control functions on network traffic communicated between the plurality of clients and the plurality of servers.
    Type: Grant
    Filed: April 30, 2010
    Date of Patent: October 21, 2014
    Assignee: Citrix Systems, Inc.
    Inventors: Thomas Goodwin, Rajiv Mirani, Abhishek Chauhan, Frank Suchomel, Deepak Goel
  • Patent number: 8869235
    Abstract: A system is disclosed that includes components and features for enabling enterprise users to securely access enterprise resources (documents, data, application servers, etc.) using their mobile devices. An enterprise can use some or all components of the system to, for example, securely but flexibly implement a BYOD (bring your own device) policy in which users can run both personal applications and secure enterprise applications on their mobile devices. The system may, for example, implement policies for controlling mobile device accesses to enterprise resources based on device attributes (e.g., what mobile applications are installed), user attributes (e.g., the user's position or department), behavioral attributes, and other criteria.
    Type: Grant
    Filed: October 10, 2012
    Date of Patent: October 21, 2014
    Assignee: Citrix Systems, Inc.
    Inventors: Waheed Qureshi, Kelly Brian Roach, John M. McGinty, Olivier Andre, Shafaq Abdullah, Thomas H. DeBenning, Ahmed Datoo
  • Patent number: 8869262
    Abstract: A method for allowing or denying, by an appliance, access to a resource by an application on a client via a virtual private network connection includes basing the decision to allow or deny access on identification of the application. The appliance intercepts a request from an application on a client on a first network to access via a virtual private network connection a resource on a second network. The appliance identifies the application and associates with the intercepted request an authorization policy based on the identity of the application. The appliance determines, using the authorization policy and the identity of the application, to either allow or deny access by the application to the resource.
    Type: Grant
    Filed: August 3, 2006
    Date of Patent: October 21, 2014
    Assignee: Citrix Systems, Inc.
    Inventors: Amarnath Mullick, Shashi Nanjundaswamy, Charu Venkatraman, Junxiao He, James Harris, Ajay Soni
  • Patent number: 8869144
    Abstract: The methods and systems described herein provide functionality for managing injection of input events to one virtual machine of a plurality of guest virtual machines, in a computing device executing a hypervisor hosting a trusted virtual machine and a non-trusted virtual machine. An input manager receives a first item of input data from an input device communicating with the computing device. The input manager identifies whether the first item of input data includes a predetermined string. The input manager forwards, responsive to the identification, the first item of input data to one of (i) a first virtual machine of a plurality of guest virtual machines executed by the processor of the computing device and (ii) an application executed by the control virtual machine, wherein at least one virtual machine of the plurality of guest virtual machines is a trusted virtual machine.
    Type: Grant
    Filed: December 14, 2010
    Date of Patent: October 21, 2014
    Assignee: Citrix Systems, Inc.
    Inventors: Ian Pratt, Jean Guyader, Vincent Hanquez
  • Patent number: 8862870
    Abstract: The present disclosure is directed towards systems and methods for performing multi-level tagging of encrypted items for additional security and efficient encrypted item determination. A device intercepts a message from a server to a client, parses the message and identifies a cookie. The device processes and encrypts the cookie. The device adds a flag to the cookie indicating the device encrypted the cookie. The device re-inserts the modified cookie into the message and transmits the message. The device intercepts a message from a client and determines whether the cookie in the message was encrypted by the device. If the message was not encrypted by the device, the device transmits the message to its destination. If the message was encrypted by the device, the device removes the flag, decrypts the cookie, removes the tag from the cookie, re-inserts the cookie into the message and transmits the message to its final destination.
    Type: Grant
    Filed: December 27, 2011
    Date of Patent: October 14, 2014
    Assignee: Citrix Systems, Inc.
    Inventors: Anoop Reddy, Craig Anderson
  • Publication number: 20140301388
    Abstract: The present disclosure is directed towards methods and systems for caching packet steering sessions for steering data packets between intermediary devices of a cluster of intermediary devices intermediary to a client and a plurality of servers. A first intermediary device receives a first data packet and determines, from a hash of a tuple of the first packet, a second intermediary device to which to steer the first packet. The first device stores, to a session for storing packet steering information, the identity of the second device and the tuple. The first device receives a second packet having a corresponding tuple that matches the tuple of the first packet and determines, based on a lookup for the session using the tuple of the second packet, that the second device is the intermediary device to which to steer the second packet. The first device steers the second packet to the second device.
    Type: Application
    Filed: April 4, 2014
    Publication date: October 9, 2014
    Applicant: Citrix Systems, Inc.
    Inventors: Ashwin Jagadish, Mahesh Mylarappa, Sandhya Gopinath, Saravana Annamalaisami, Shashidhara Nanjundaswamy
  • Publication number: 20140304415
    Abstract: The present disclosure is directed generally to systems and methods for Diameter load balancing. In some embodiments, an intermediary device may receive a diameter connection request from a client that includes a CER. The intermediary device may initiate a connection with a server of a plurality of servers and place the server protocol control block in a reuse pool. Responsive to opening the connection with the server, the intermediary device may forward the received CER. The intermediary device may then receive a CEA message from the server and establish an AVP-based persistent connection. The intermediary device may modify the received CEA message, and then forward the message to the client. When the intermediary device receives a diameter message from a client, the intermediary device may match an AVP of the message with an AVP associated with a persistent server connection, and forward the diameter message to the corresponding server.
    Type: Application
    Filed: April 4, 2014
    Publication date: October 9, 2014
    Applicant: Citrix Systems, Inc.
    Inventors: Devesh Prakash, Raghav Somanahalli Narayana, Mahesh Mylarappa
  • Publication number: 20140304412
    Abstract: The present application is directed towards systems and methods for a user to configure the backup locations to be used by an intermediary device providing Global Server Load Balancing (GSLB) services when a primary location is down. In some embodiments, when GSLB is based on static proximity of the location of the client to the GSLB sites and if the primary location is DOWN, then the request may be load balanced among all the other locations. But this may not be desirable in many cases. So we need to provide an option to the user to specify the preferred list of backup locations to service a client request. The present solution achieves this configurability by using a GSLB policy based on preferred location. One can configure preferred location(s) via a GSLB policy to redirect the client to preferred location(x). One can configure individual policies for different client locations. Based on implementation requirements, one can configure country level granularity, state level granularity and so on.
    Type: Application
    Filed: April 6, 2013
    Publication date: October 9, 2014
    Applicant: Citrix Systems, Inc.
    Inventors: Devesh Prakash, Sergey Verzunov
  • Publication number: 20140304325
    Abstract: The systems and methods of the present solution are directed to providing Entity Tag persistency by a device intermediary to a client and a plurality of servers. An intermediary device between a client and one or more back-end servers can receive an entity requested by the client from an origin server that provides the requested content. The intermediary device can encode the back-end server information onto an ETag of the entity, cache the entity with the encoded ETag and serve the entity with the encoded ETag to the client. In this way, when the client attempts to validate the entity by sending a request including the encoded ETag to the intermediary device, the intermediary device decodes the encoded ETag to extract the identity of the backend server and sends the request to validate the entity to the identified server that originally sent the entity that included the requested content.
    Type: Application
    Filed: April 4, 2014
    Publication date: October 9, 2014
    Applicant: Citrix Systems, Inc.
    Inventors: Krishna Khanal, Ashwin Jagadish, Saravana Annamalaisami
  • Publication number: 20140304393
    Abstract: The present disclosure is directed towards systems and methods for lightweight identification of flow information by application. A flow monitor executed by a processor of a device may maintain a counter. The flow monitor may associate an application with the value of the counter and transmit, to a data collector executed by a second device, the counter value and a name of the application. The flow monitor may monitor a data flow associated with the application to generate a data record. The flow monitor may transmit the data record to the data collector, the data record including an identification of the application consisting of the counter value and not including the name of the application. The data collector may then re-associate the data record with the application name based on the previously received counter value.
    Type: Application
    Filed: April 6, 2013
    Publication date: October 9, 2014
    Applicant: Citrix Systems, Inc.
    Inventors: Saravana Annamalaisami, Rajesh Joshi, Sovit Garg
  • Publication number: 20140304409
    Abstract: The present application is directed towards systems and methods for managing ownership of one or more SSL sessions. A cluster of nodes intermediary between at least one client server may maintain a succession list for at least one session of a first client from the at least one client. The succession list may include a list of nodes within the cluster and an order of succession for the nodes to transfer ownership of the at least one session. A first node of the cluster may enter an operational state for managing one or more sessions between the at least one client and the at least one server. A second node of the cluster may initiate, based on the succession list and responsive to the first node entering the operational state, a transfer of ownership of the at least one session from the second node to the first node.
    Type: Application
    Filed: April 3, 2014
    Publication date: October 9, 2014
    Applicant: Citrix Systems, Inc.
    Inventors: Sandeep Kamath, Mahesh Arumugam, Anoop Menon
  • Publication number: 20140304352
    Abstract: The present disclosure is directed towards a system and method for handling limit parameters for spillover conditions of virtual servers across multiple nodes in a cluster system. The cluster system may comprise a plurality of nodes, wherein one node may be elected as a master node and the remaining nodes are designated as slave nodes. The master node may monitor the cluster system and establish limit parameters for the cluster system and apply them to the plurality of nodes. The limit parameters may be based upon the number of open connections in the cluster system and the number of nodes. The master node may establish an ideal quota value for each node to balance the number of open connections in the cluster.
    Type: Application
    Filed: April 3, 2014
    Publication date: October 9, 2014
    Applicant: Citrix Systems, Inc.
    Inventors: Aman Chaudhary, Manikam Muthiah