Abstract: A system, apparatus, and method are directed to network communication over a tunnel by downloading selective tunneling (STM) components into memory of a client device. The STM components selectively employ tunneling to route network traffic to a requested resource. The STM components may include a network API, application, and a tunnel manager that have been modified based in part on a client configuration. As a network request is made it is evaluated against the client configuration. If the connection is to be tunneled, a network tunnel is selectively established. If the client configuration and/or the request indicate that the request is to be un-tunneled, an un-tunneled network connection may instead be established. The client configuration may also indicate that the client device is to be redirected to enable remediation. When the application component is closed, or otherwise terminated, the client's memory may be purged of the loaded STM components.

Abstract: A system, apparatus, and method are directed towards selectively combining data into a packet to modify a number of packets transmitted over a network based on a detection of a transaction boundary. If it is determined to concatenate the data, such concatenation may continue until an acknowledgement (ACK) is received, or a predetermined amount of data is concatenated in the packet, or a transaction boundary is detected. If at least one of these conditions is satisfied, concatenation may be inhibited, and the packet may be sent. Concatenation is then re-enabled. In one embodiment, Nagle's algorithm is used for concatenating data into a packet. In one embodiment, an ACK may be sent based on a write completion indicator included within a packet. Receipt of the ACK may disable concatenation.

Abstract: A system, apparatus, and method are directed to converting from a use of a HTTPS connection to a tunnel connection while maintaining an underlying connection between a client and a server. An HTTPS connection is employed to establish a network connection between a client device and a network device. A gateway is selected to receive a request from the client device. In one embodiment, selecting may comprise using load-balancing, cookie-persistence, or the like. Subsequently, the HTTPS connection is transitioned to another application layer communication protocol connection. Transitioning may comprise converting from a use of a first protocol stack configured to process a HTTP connection to a second protocol stack configured to process a non-HTTP based application protocol connection, and establishing a tunnel between the client device and a server through the selected gateway.

Abstract: A method and system for checking data against a plurality of rules simultaneously. A data string having keywords in the data string is received. All of the keywords in the data string are simultaneously examined against rule keywords using for example, a finite state machine constructed by the Aho-Corasick algorithm. The rule keyword represents at least one rule of the plurality of rules. It is determined which of the plurality of rules are satisfied by the data string based on whether each keyword matches the rule keywords. Such rules may be used for application such as negative security policies.

Abstract: An apparatus and method are directed to managing access to an enterprise resource over a virtual private network by employing a dynamic policy. A client device is configured to log into a network device. The network device receives information about the client device, including information about its configuration and environment. Based, in part, on received information a policy for access is applied to the client device. For example, in one embodiment, the policy may allow only email access from a public kiosk client device, but full intranet access from an enterprise configured client device. The policy may further enable a restriction for the client device that may restrict, for example, what documents may be saved by the client device. In one embodiment, the restriction is enabled using a virtual sandbox.

Abstract: A system, apparatus, and method are directed towards selectively combining data into a packet to modify a number of packets transmitted over a network based on a detection of a transaction boundary. If it is determined to concatenate the data, such concatenation may continue until an acknowledgement (ACK) is received, or a predetermined amount of data is concatenated in the packet, or a transaction boundary is detected. If at least one of these conditions is satisfied, concatenation may be inhibited, and the packet may be sent. Concatenation is then re-enabled. In one embodiment, Nagle's algorithm is used for concatenating data into a packet. In one embodiment, an ACK may be sent based on a write completion indicator included within a packet. Receipt of the ACK may disable concatenation.

Abstract: A method, computer readable medium, and system for generating a response includes determining from which of a plurality of levels of cache to retrieve a response. The determination is based on a number of matches between current user session data associated with a current request and stored user session data rewritten into each of one or more metadata data variables for the response when a current request for the response matches at least one prior stored request for the response. The response from the determined level of the plurality of levels of cache is provided.

Abstract: A method, computer readable medium, and system that handles a multi-protocol name in a virtualization environment includes determining and predicting with a virtualization management computing device when a name collision occurs between content names of different content accessible by two or more protocols. The virtualization management computing device restricts access to the different content in one or more network attached storage devices when the name collision is determined to occur to one or more of the protocols which can distinguish the different content. It preserves access to the different content in certain cases where the collision can be predicted.

Abstract: A method and apparatus for removing duplicated data in a file system utilizing the concept of storage tiers. A synthetic namespace is created via file virtualization, and is comprised of one or more file systems. Deduplication is applied at the namespace level and on all of the file systems comprising the synthetic namespace. All files in a file system in a higher storage tier whose contents are identical to at least one other file in the synthetic namespace are moved to a destination file system in a lower storage tier. For each set of duplicated files that are moved from the original servers, a single instance copy of the file is left behind as a mirror copy. Read access to a duplicated file is redirected to its mirror copy. When the first write to a duplicated file is received, the association from the duplicated file stored in the destination server to its mirror copy that is stored in the origin server is discarded.

Abstract: A system and method for directing network connections. The invention enables a network device to direct subsequent connections from a client to a server for accessing resources. A process extracts a persistence key from a received message, and employs the persistence key to identify the appropriate server. An interface is provided, enabling a user program to direct the process of extracting the persistence key. The invention also provides a way for multiple clients to persist to a common server.

Abstract: Upon detecting a data event initiating an update to a table, a first classifier index associated with the data event is identified. From a classifier table, the current position in a first dimension of the table associated with the classifier index is determined. An open position in the first dimension of the table is also identified. Updated data is stored in the open position within the table. In the classifier table, the open position storing the updated data is associated with the classifier index.

Abstract: A traffic management device or other intermediate network device is configured to enable the device to support connection splitting and/or connection aggregation or to otherwise process network transactions for an arbitrary transaction-oriented protocol. The configuration may be accomplished by providing one or more traffic management rules defined by way of a scripting language and provided to an interpreter. The traffic management rule may follow a basic approach common to many protocols and is adapted to the particular protocol being supported. The rule may configure the network device to inspect incoming data, extract length and record type specifiers, buffer an appropriate amount of data to determine transactions or transaction boundaries, and perform other operations.

Abstract: The present invention provides a method and system for performing operations on data using XML streams. An XML schema defines a limited set of operations that may be performed on data. These operations include addition, subtraction, multiplication and division. The operations are placed in an XML stream that conforms to the XML schema. The XML stream may perform one or more of the defined operations on the data. The limited set of operations allows data to be validated and processed without excessive overhead.

Abstract: A system and method is directed to replicating packet transactions over a network. The system includes a replication component and a plurality of servers enabled to include substantially the same content. The replication component receives a packet from a client and forwards it to a first server. If the packet is to be replicated, a replicate of the packet is forwarded to the other servers in the plurality of servers so that at least a portion of the content on the first server and the other servers are synchronized. Forwarding of the replicate packet may be delayed for some period of time, and need not be concurrent. If responses received from each server are substantially the same, a message is sent to the client. Moreover, transaction replication can occur across servers arranged in different configurations, including disparate databases.

Abstract: Embodiments are directed towards upgrading hypervisors operating in hardware clusters that may be hosting one or more virtual clusters of virtual traffic managers. Virtual clusters may be arranged to span multiple computing devices in the hardware cluster. Spanning the virtual clusters across multiple hardware nodes the virtual cluster may enable the virtual clusters to remain operative while one or more hardware nodes may be upgraded. Hypervisor may include a management control plane for virtual clusters of virtual traffic managers. Hypervisors running on hardware nodes may manage the lower level networking traffic topology while the virtual traffic managers may manage the higher level network processing.

Abstract: A method, system, and apparatus are directed towards compression of content over a network. The content may include content length information, such as within a header. In one embodiment, a portion of the content may be compressed to approximately fill a buffer of a predefined size. If there remains additional uncompressed content, a new content length may be determined based in part on the length of the compressed content and the remaining uncompressed content. The buffered content and the new content length may then be forwarded in response to the request. The remaining uncompressed content may be split into predefined blocks using identity compression. Identity compression may then be applied to the remaining uncompressed content which is then forwarded to a destination in response to the request.

Abstract: A system, apparatus, and method selectively provides content compression to a client based, in part, on whether the network connection from the client is determined to be a high latency, low-bandwidth connection. The present invention gathers one or more network metrics associated with the connection from the client. In one embodiment, the metrics include estimated TCP metrics, including smoothed round trip time, maximum segment size (MSS), and bandwidth delay product (BWDP). These estimated network metrics are employed to make an application layer decision of whether the client connection is a high latency, low-bandwidth connection. If it is, then content may be selectively compressed virtually on the fly for transfer over the network connection. In one embodiment, the selective compression uses a content encoding compression feature of the HTTP protocol standard.

Abstract: Layer-7 application layer message (“message”) classification is disclosed. A network traffic management device (“NTMD”) receives incoming messages over a first TCP/IP connection from a first network for transmission to a second network. Before transmitting the incoming messages onto the second network, however, the NTMD classifies the incoming messages according to some criteria, such as by assigning one or more priorities to the messages. The NTMD transmits the classified messages in the order of their message classification. Where the classification is priority based, first priority messages are transmitted over second priority messages, and so forth, for example.

Abstract: A method, computer readable medium, and device for dynamic DNS implementation, comprises receiving, at a network traffic management device, a first DNS response from a DNS server, wherein the first DNS response is compliant with Internet Protocol version 4 (IPv4). The first DNS response corresponds to a first DNS request from a client device being compliant with Internet Protocol version 6 (IPv6). The first DNS response is converted into a DNS second response that is compliant with IPv6, by attaching a prefix that identifies a network gateway device which is to handle receive subsequent non-DNS requests from the client device. The second DNS response is routed to the client device. Subsequent non-DNS requests from the client device that contain at least a part of the prefix allow the network traffic management device to route the non-DNS request through the designated network gateway device.

Abstract: A method, computer readable medium, and system for generating a unified virtual snapshot in accordance with embodiments of the present invention includes invoking with a file virtualization system a capture of a plurality of physical snapshots. Each of the physical snapshots comprises content at a given point in time in one of the plurality of data storage systems. A unified virtual snapshot is generated with the file virtualization system based on the captured plurality of the physical snapshots.