Patents Assigned to F5 Networks, Inc.
  • Patent number: 8676955
    Abstract: A system and method for directing network connections. The invention enables a network device to direct subsequent connections from a client to a server for accessing resources. A process extracts a persistence key from a received message, and employs the persistence key to identify the appropriate server. An interface is provided, enabling a user program to direct the process of extracting the persistence key. The invention also provides a way for multiple clients to persist to a common server.
    Type: Grant
    Filed: September 6, 2012
    Date of Patent: March 18, 2014
    Assignee: F5 Networks, Inc.
    Inventors: Richard Roderick Masters, David A. Hansen
  • Patent number: 8670304
    Abstract: Methods and systems are directed to dynamically mirroring a connection between network devices. Mirroring is managed by forwarding a packet between a first network device and a second network device. In one method, the first network device receives the packet from a client and communicates the packet to the second network device. A forwarding device, pre-determined from the first and second network devices, forwards the packet to a server. The first network device receives a response from the server, and communicates it to the second network device. The forwarding device forwards the response packet to the client. In one configuration, the first network device and forwarding device is an active device, and the second network device is a standby device. In another configuration, the first network device is a standby device, and the second network device and forwarding device is an active device.
    Type: Grant
    Filed: September 4, 2012
    Date of Patent: March 11, 2014
    Assignee: F5 Networks, Inc.
    Inventors: Keith R. Reynolds, John R. Hughes
  • Publication number: 20140068103
    Abstract: Methods, systems, and devices are described for stateful failover in a traffic manager module functioning as a proxy between at least one first network device and at least one server. In a first set of embodiments, an amount of synchronized state information may be reduced through a controlled use of acknowledgment messages. In a second set of embodiments, state information may be synchronized to a standby traffic manager module in response to changes in a sequence number delta between two logically paired connections. In a third set of embodiments, connections may be restored at a standby traffic manager module based on stored connection information, a synchronized sequence number delta stack, and rediscovered sequence numbers.
    Type: Application
    Filed: August 19, 2013
    Publication date: March 6, 2014
    Applicant: F5 Networks, Inc.
    Inventors: Raghu Menzo Gyambavantha, Manish Vachharajani, John Giacomoni, Mark Terrel
  • Publication number: 20140056144
    Abstract: Methods, systems, and devices are described for managing network communications. A traffic manager module configured to serve as a proxy between a plurality of client devices and a network service may receive a plurality of messages for the network service. Each message may be associated with at least one QoS parameter. The traffic manager module may transmit the plurality of messages to the network service over a connection between the traffic manager module and the network service. The QoS of the connection between the traffic manager module and the network service may be dynamically altered during the transmission of a first message of the plurality of messages based on the at least one QoS parameter associated with the first message.
    Type: Application
    Filed: August 19, 2013
    Publication date: February 27, 2014
    Applicant: F5 Networks, Inc.
    Inventors: Manish Vachharajani, John Giacomoni, Mark Terrel, Leonard Maiorani
  • Publication number: 20140056161
    Abstract: Methods, systems, and devices are described for managing network communications. A traffic manager module may receive a message from a first network device to a second network device. The traffic manager module may serve as a proxy between the first network device and the second network device. The traffic manager module may perform an application layer inspection at the traffic manager module on at least one of the message or a response to the message from the second network device, and forward the message or the response to the message to a third network device based on the application layer inspection at the traffic manager module.
    Type: Application
    Filed: August 19, 2013
    Publication date: February 27, 2014
    Applicant: F5 Networks, Inc.
    Inventors: Manish Vachharajani, John Giacomoni, Mark Terrel
  • Publication number: 20140059247
    Abstract: Methods, systems, and devices are described for managing network communications at a traffic manager module serving as a proxy to at least one network service for at least one client device. The traffic manager module may maintain a SYN request cache for a socket implemented by the traffic manager module. Active SYN request messages may be stored at the socket in the SYN request cache. The traffic manager module may determine a status of the SYN request cache and ignore additional SYN request messages at the socket based on the determined status of the SYN request cache.
    Type: Application
    Filed: August 19, 2013
    Publication date: February 27, 2014
    Applicant: F5 Networks, Inc.
    Inventors: Manish Vachharajani, John Giacomoni, Mark Terrel, Brian Marshall
  • Publication number: 20140052838
    Abstract: Methods, systems, and devices are described for managing network communications. A traffic manager module may receive a script over a management plane of a packet core, interpret the script to identify a traffic management policy, and dynamically modify at least one aspect of a proxy connection over a bearer plane of the packet core at the traffic manager module based on the identified traffic management policy.
    Type: Application
    Filed: August 19, 2013
    Publication date: February 20, 2014
    Applicant: F5 Networks, Inc.
    Inventors: John Giacomoni, Manish Vachharajani, Mark Terrel
  • Patent number: 8650389
    Abstract: A traffic manager system comprises communications servers, including one or more active and backup servers. At least one of the communications servers mirrors the communications of the other server involving one or more other network devices, including the encrypted communications. At least one backup server obtains a security value associated with the encrypted communications of at least one active server to independently derive the same key. The backup servers use the keys to engage in the encrypted communications when the active servers become unavailable, for example, without requiring the backup server to reinitiate the encrypted communications.
    Type: Grant
    Filed: September 29, 2008
    Date of Patent: February 11, 2014
    Assignee: F5 Networks, Inc.
    Inventors: Peter Thornewell, John R. Hughes
  • Publication number: 20140040477
    Abstract: Embodiments are directed towards establishing a plurality of connections between each of a plurality of first computing devices in a primary chassis with each of a plurality of second computing devices in a failover chassis. A first computing device uses the plurality of connections as mesh connections to select a second computing device in which to route information about received packets. Routing of information about the packets to the selected second computing device includes modifying a source port number in the packets to include an identifier of the first computing device and an identifier of the second computing device. The information may indicate that the failover chassis is to perform specialized routing of the modified packets.
    Type: Application
    Filed: March 14, 2013
    Publication date: February 6, 2014
    Applicant: F5 Networks, Inc.
    Inventor: F5 Networks, Inc.
  • Patent number: 8645556
    Abstract: A method and system for reducing memory required to maintain connection states in a traffic manager. A network device receives a message from a client in which at least a portion of the message is to be forwarded to a first server. If the network device is maintaining information for facilitating a first connection with a second server, the network device maintains a subset of the information for use in restoring the first connection and frees memory associated with information that is not needed for restoring the first connection. The network device then employs other previously stored information to restore the state of a second connection to the first server. The network device then sends at least a portion of the message to the first server using the second connection.
    Type: Grant
    Filed: April 8, 2003
    Date of Patent: February 4, 2014
    Assignee: F5 Networks, Inc.
    Inventor: Richard Roderick Masters
  • Publication number: 20140025823
    Abstract: A method, computer readable medium, and network traffic management apparatus that manages contended resource utilization includes obtaining at least one value for at least one utilization parameter for at least one contended resource and determining when the obtained value of the utilization parameter for the at least one contended resource exceeds a threshold value. When the obtained value of the utilization parameter is determined to exceed the threshold value, a work rate for one or more of a plurality of processing units is reduced or the at least one contended resource is reallocated among the plurality of processing units.
    Type: Application
    Filed: December 31, 2012
    Publication date: January 23, 2014
    Applicant: F5 NETWORKS, INC.
    Inventors: Paul I. Szabo, William R. Baumann
  • Patent number: 8630174
    Abstract: A system, non-transitory machine readable medium and method of delayed packetization of data packets is disclosed. The system and method includes requesting authorization from a QoS queue to transmit an intended data packet over a network, wherein the authorization request is sent from an application module of a transmitting network device. The system and method includes receiving from the QoS queue a transmission order to transmit the intended data packet at a future time. The system and method includes packetizing the intended data packet in accordance with the transmission order at the future time. The system and method includes transmitting the packetized data packet over a network to a receiving network device.
    Type: Grant
    Filed: September 14, 2011
    Date of Patent: January 14, 2014
    Assignee: F5 Networks, Inc.
    Inventors: Saxon Amdahl, Jonathan Hawthorne
  • Patent number: 8627467
    Abstract: A system and method for selectively storing one or more web objects in a memory is disclosed. A server response is received at a network traffic management device, wherein the server response is associated with a client request sent from a client device and includes at least one web object. The server response is analyzed using a security module of the network traffic management device which determines if the at least a portion of the server response contains suspicious content in relation to one or more defined policy parameters handled by the security module. An instruction is sent from the security module to a cache module of the network traffic management device upon determining that the at least a portion of the server response contains suspicious information, wherein the cache module does not store the at least one web object upon receiving the instruction.
    Type: Grant
    Filed: October 19, 2011
    Date of Patent: January 7, 2014
    Assignee: F5 Networks, Inc.
    Inventors: Yuval Levy, Ron Talmor, Beni Serfaty
  • Patent number: 8621078
    Abstract: A method, system, and apparatus are directed towards dynamically managing certificates for a virtual host server. A certificate may be uniquely associated with each of the websites hosted on the virtual host. In one embodiment, the certificate is an X.509 certificate. Also, the certificate may be managed by a network device residing between a client and the virtual host server. When the client is browsing one of the hosted websites, the network device may store a persistence record that maps client information to the hosted website. The client may employ an SSL protocol to establish a secure connection. When a certificate associated with the hosted website is to be provided, the network device uses the persistence record to determine which hosted website the client was browsing, selects, and provides the appropriate certificate to the client.
    Type: Grant
    Filed: September 29, 2005
    Date of Patent: December 31, 2013
    Assignee: F5 Networks, Inc.
    Inventors: Arindum Mukerji, Jesse Abraham Rothstein, Tao Liu, Jonathan Mini
  • Patent number: 8615010
    Abstract: A system and method is directed to routing a packet over a network to a probe. The system includes a replicator and a distributor. The replicator receives a packet from a client and replicates the packet. The distributor is either out-of-band or in-band to a flow of traffic between the client and a server. In the out-of-band configuration, the distributor forwards the replicate packet to at least one probe in a plurality of probes. The distributor receives a response to the replicate packet and transforms a source MAC address in the response to a MAC address of the distributor. The distributor forwards the transformed packet. The replicator forwards the original packet. In the in-band configuration, the distributor selects and forwards the original packet to a server using a first forwarding mechanism, and selects and forwards the replicate packet to a probe using a second forwarding mechanism.
    Type: Grant
    Filed: February 18, 2009
    Date of Patent: December 24, 2013
    Assignee: F5 Networks, Inc.
    Inventor: Richard Roderick Masters
  • Patent number: 8611222
    Abstract: A system, apparatus, and method are directed towards selectively combining data into a packet to modify a number of packets transmitted over a network based on a detection of a transaction boundary. If it is determined to concatenate the data, such concatenation may continue until an acknowledgement (ACK) is received, or a predetermined amount of data is concatenated in the packet, or a transaction boundary is detected. If at least one of these conditions is satisfied, concatenation may be inhibited, and the packet may be sent. Concatenation is then re-enabled. In one embodiment, Nagle's algorithm is used for concatenating data into a packet. In one embodiment, an ACK may be sent based on a write completion indicator included within a packet. Receipt of the ACK may disable concatenation.
    Type: Grant
    Filed: August 22, 2012
    Date of Patent: December 17, 2013
    Assignee: F5 Networks, Inc.
    Inventors: Arindum Mukerji, Jesse Abraham Rothstein
  • Patent number: 8613045
    Abstract: Embodiments are directed to providing access to a resource over a network. A client device may request access to a server. An application may be provided to the client device. The application may cause control of the client device to be switched from a first desktop to a secure desktop. The secure desktop may be configured to restrict applications access to within the secure desktop. An indication of the resource on the server to map to may be received at the client device. The indicated resource may be mapped onto a file system on the client device. Mapping may comprise using a remote file access protocol, using DLL injection, or adding a kernel module to an operating system on the client device. The mapped resource may be constrained to be accessed through the secure desktop.
    Type: Grant
    Filed: May 1, 2008
    Date of Patent: December 17, 2013
    Assignee: F5 Networks, Inc.
    Inventor: Andrey Shigapov
  • Patent number: 8612374
    Abstract: A method, computer readable, and apparatus for read-ahead prediction of subsequent requests to send data between a client coupled to a server via a network includes receiving at a traffic management device a request for a part of at least one of a data file and metadata. The traffic management device selects from two or more of a sequential prediction engine, an expert prediction engine and a learning prediction engine to predict a read-ahead of the at least one of the data file and metadata. One or more additional read-ahead parts of the at least one of the data file and metadata are determined with the traffic management device based on the selecting.
    Type: Grant
    Filed: November 23, 2009
    Date of Patent: December 17, 2013
    Assignee: F5 Networks, Inc.
    Inventors: Saxon Amdahl, Vinod Jayaraman
  • Publication number: 20130294239
    Abstract: Embodiments are directed towards improving the performance of network traffic management devices by optimizing the management of hot connection flows. A packet traffic management device (“PTMD”) may employ a data flow segment (“DFS”) and control segment (“CS”). The CS may perform high-level control functions and per-flow policy enforcement for connection flows maintained at the DFS, while the DFS may perform statistics gathering, per-packet policy enforcement (e.g., packet address translations), or the like, on connection flows maintained at the DFS. The DFS may include high-speed flow caches and other high-speed components that may be comprised of high-performance computer memory. Making efficient use of the high speed flow cache capacity may be improved by maximizing the number of hot connection flows and minimizing the number of malicious and/or in-operative connections flows (e.g., non-genuine flows) that may have flow control data stored in the high-speed flow cache.
    Type: Application
    Filed: March 13, 2013
    Publication date: November 7, 2013
    Applicant: F5 NETWORKS, INC.
    Inventors: Paul Imre Szabo, Peter Michael Thomewell, Timothy Scott Michels
  • Publication number: 20130290699
    Abstract: A method, non-transitory computer readable medium, and network device that generates a network communication including a destination address associated with a second network device and a destination port number, wherein the destination port number corresponds to a service operating on the second network device. An initial SSL handshake protocol message is generated and at least the destination port number is inserted into a server name indicator (SNI) extension of the initial SSL handshake protocol message. An SSL connection is established with the second network device using a predetermined port number and the initial SSL handshake protocol message is sent to the second network device. Information included in the network communication is sent to the second network device using the SSL connection.
    Type: Application
    Filed: February 15, 2013
    Publication date: October 31, 2013
    Applicant: F5 NETWORKS, INC.
    Inventor: F5 Networks, Inc.