Patents Assigned to F5 Networks, Inc.
  • Publication number: 20110231923
    Abstract: A traffic management device (TMD), system, and processor-readable storage medium are directed towards reducing a number of login web pages served by a server device over an end-to-end encrypted connection. In one embodiment, a TMD intercepts and processes requests for content addressed to the server device. The TMD may serve a stored copy of a login page corresponding to the requested content to the client device. In response, the client device may submit login information associated with the login page to the TMD. The TMD may extract the login information from the submitted response and send a request to the server device to authenticate the client device based on the extracted login information. If the client device is authenticated, the TMD may transmit a ‘login successful’ page to the client device.
    Type: Application
    Filed: March 18, 2011
    Publication date: September 22, 2011
    Applicant: F5 Networks, Inc.
    Inventors: Benn Sapin Bollay, Jonathan Mini Hawthorne
  • Patent number: 8024443
    Abstract: Methods, computer-readable storage media, and systems for applying a user defined operation on collected network data include defining a user defined operation (UDO). A network device is monitored for data relating to the UDO and data relating to the UDO is collected from the network device. The UDO is applied to the collected network data and a result is produced.
    Type: Grant
    Filed: July 1, 2008
    Date of Patent: September 20, 2011
    Assignee: F5 Networks, Inc.
    Inventor: Arun T. Jacob
  • Patent number: 8024483
    Abstract: A system, apparatus, and method selectively provides content compression to a client based, in part, on whether the network connection from the client is determined to be a high latency, low-bandwidth connection. The present invention gathers one or more network metrics associated with the connection from the client. In one embodiment, the metrics include estimated TCP metrics, including smoothed round trip time, maximum segment size (MSS), and bandwidth delay product (BWDP). These estimated network metrics are employed to make an application layer decision of whether the client connection is a high latency, low-bandwidth connection. If it is, then content may be selectively compressed virtually on the fly for transfer over the network connection. In one embodiment, the selective compression uses a content encoding compression feature of the HTTP protocol standard.
    Type: Grant
    Filed: October 1, 2004
    Date of Patent: September 20, 2011
    Assignee: F5 Networks, Inc.
    Inventors: Jesse Abraham Rothstein, Arindum Mukerji
  • Patent number: 8015314
    Abstract: A method and system of simplified configuration of a network element. A network element having a direct access module and an arbitrary unknown address is coupled to a same physical subnet as a management node. The management node broadcasts a discovery broadcast to identify the existence of the network element. If a response is received indicating an address outside an access range of the management node, it sends an additional broadcast targeted to the network element to force the network element to change its address to one within an access range of the management node. Once the address is changed, the management node may connect to and configure the network element using standard protocols.
    Type: Grant
    Filed: January 5, 2009
    Date of Patent: September 6, 2011
    Assignee: F5 Networks, Inc.
    Inventor: Kim F. Storm
  • Patent number: 8010668
    Abstract: A system, apparatus, and method selectively provides content compression to a client based, in part, on whether the network connection from the client is determined to be a high latency, low-bandwidth connection. The present invention gathers one or more network metrics associated with the connection from the client. In one embodiment, the metrics include estimated TCP metrics, including smoothed round trip time, maximum segment size (MSS), and bandwidth delay product (BWDP). These estimated network metrics are employed to make an application layer decision of whether the client connection is a high latency, low-bandwidth connection. If it is, then content may be selectively compressed virtually on the fly for transfer over the network connection. In one embodiment, the selective compression uses a content encoding compression feature of the HTTP protocol standard.
    Type: Grant
    Filed: December 29, 2010
    Date of Patent: August 30, 2011
    Assignee: F5 Networks, Inc.
    Inventors: Jesse A. Rothstein, Arindum Mukerji
  • Patent number: 8005953
    Abstract: A switched file system, also termed a file switch, is logically positioned between client computers and file servers in a computer network. The file switch distributes user files among multiple file servers using aggregated file, transaction and directory mechanisms. The file switch supports caching of a particular aggregated data file either locally in a client computer or in the file switch in accordance with the exclusivity level of an opportunistic lock granted to the entity that requested caching. The opportunistic lock can be obtained either on the individual data files stored in the file servers or on the metadata files that contain the location of each individual data file in the file servers. The opportunistic lock can be broken if another client tries to access the aggregated data file. Opportunistic locks allow client-side caching while preserving data integrity and consistency, hence the performance of the switched file system is increased.
    Type: Grant
    Filed: May 19, 2009
    Date of Patent: August 23, 2011
    Assignee: F5 Networks, Inc.
    Inventors: Vladimir I. Miloushev, Peter A. Nickolov
  • Patent number: 8004971
    Abstract: A method and system is directed to distributing a flow of packets over a network to multiple traffic management devices. An apparatus receives each packet from a network and may act as a layer 2 switch, or router, to distribute the packet to one of a group of traffic management devices. The apparatus also may receive packets from servers for which the traffic management devices are managing communications. When distributing packets, a target traffic management device is selected from the group of traffic management devices. A connection key associated with the received packet and an identifier associated with the selected traffic management device are saved such that subsequent received packets in the flow of packets are delivered to the same traffic management device.
    Type: Grant
    Filed: September 10, 2003
    Date of Patent: August 23, 2011
    Assignee: F5 Networks, Inc.
    Inventors: Paul I. Szabo, Greg Davis, David D. Schmitt, Allen B. Mimms, Richard R. Masters
  • Patent number: 7996886
    Abstract: A system and method for providing persistence in a secure network access by using a client certificate sent by a client device to maintain the identity of a target. A security handshake is performed with a client device to establish a secure session. A target is determined. A client certificate is associated with the target. During subsequent secure sessions, the client certificate is used to maintain persistent communications between the client and a target. A session ID can be used in combination with the client certificate, by identifying the target based on the session ID or the client certificate, depending on which one is available in a client message.
    Type: Grant
    Filed: September 19, 2008
    Date of Patent: August 9, 2011
    Assignee: F5 Networks, Inc.
    Inventors: John R. Hughes, Richard Roderick Masters, Robert G. Gilde
  • Patent number: 7975025
    Abstract: A method, system, and apparatus are directed towards selectively prefetching content over a network. A request for a content object is received. The content object may comprise a link to another content object. A cachability measure for the link may be determined based on whether a plurality of previous requests for the link returned the other content object, an annotation in a link map, a probability of traversing the link, a network metric, or the like. A prefetchability measure for the link may be determined based on the cachability measure and/or another factor relating to the link. The other factor may be an annotation of the link indicating that caching the other content object will cause a related object to be uncachable. Based on the prefetchability measure, the other content object is selectively prefetched for subsequent provisioning and/or display.
    Type: Grant
    Filed: July 8, 2008
    Date of Patent: July 5, 2011
    Assignee: F5 Networks, Inc.
    Inventors: Paul I. Szabo, Saxon Carl Amdahl
  • Patent number: 7958222
    Abstract: A system for accessing network services includes a plurality of resolvers including a root resolver and a secondary resolver, each resolver arranged to perform actions comprising determining a set of service locations based at least in part on the service and an address associated with a client. The system includes an intermediate device that manipulates scores returned by a set of resolvers of the plurality of resolvers, wherein the root resolver is further arranged to combine sets of the determined service locations and return a combined set of service locations to the client, and wherein at least one resolver of the plurality of resolvers employs an algorithm that is different from an algorithm employed by another resolver of the plurality of resolvers, wherein each algorithm is employed to determine scores of service locations, wherein the combined set of service locations comprises the scores of service locations.
    Type: Grant
    Filed: September 13, 2010
    Date of Patent: June 7, 2011
    Assignee: F5 Networks, Inc.
    Inventors: Joseph A. Pruitt, Bryan D. Skene, Patrick D. Jenny, Gary N. Mager
  • Patent number: 7958347
    Abstract: A proxy (e.g., a switch) resides in a respective network environment between one or more clients and multiple servers. One purpose of the proxy is to provide the clients a unified view of a distributed file system having respective data stored amongst multiple remote and disparate storage locations over a network. Another purpose of the proxy is to enable the clients to retrieve data stored at the multiple servers. To establish a first connection between the proxy and a respective client, the proxy communicates with an authentication agent (residing at a location other than at the client) to verify a challenge response received from the client. When establishing a set of second connections with the multiple servers, the proxy communicates with the authentication agent to generate challenge responses on behalf of the client. The proxy facilitates a flow of data on the first connection and the set of second connections.
    Type: Grant
    Filed: February 2, 2006
    Date of Patent: June 7, 2011
    Assignee: F5 Networks, Inc.
    Inventor: J C Ferguson
  • Patent number: 7953838
    Abstract: A system, apparatus, and method for managing TCP over TCP communications using multiple TCP network connections. A plurality of tunneled network connections may be established between network devices. The network devices may employ one of the tunneled network connections over which to establish a plurality of application sessions. If congestion is detected on the employed tunneled network connection that exceeds a threshold, then a reset flag may be sent to abort that tunneled network connection. At least some of the application sessions are also transferred to another one of the plurality of tunneled network connections, without terminating the moved application sessions. In one embodiment, at least one more tunneled network connection may be established between the network devices.
    Type: Grant
    Filed: January 16, 2009
    Date of Patent: May 31, 2011
    Assignee: F5 Networks, Inc.
    Inventor: Arindum Mukerji
  • Publication number: 20110119354
    Abstract: A method and system for caching content, such as content requested from a server on the World Wide Web. Requests for dynamic content are forwarded directly to a content server to avoid caching data that might only be used once. Requests for static content are forwarded to a hot or a regular cache depending on the frequency at which the content is requested. When a hot cache does not contain the content, it forwards the request to the forwarder which then forwards the request to a regular cache. When the regular cache does not contain the content, it requests the content from the forwarder which then forwards the request to a content server. There may be more than two layers of cache.
    Type: Application
    Filed: June 21, 2010
    Publication date: May 19, 2011
    Applicant: F5 Networks, Inc.
    Inventors: Patrick Duncan Jenny, Carlton G. Amdahl, Scott P. Tennican
  • Patent number: 7945678
    Abstract: A system, apparatus, and method are directed to managing network communications between a client and a server by enabling the client to make decisions involving the selection of alternate network paths. The client and/or the server may be multi-homed to a network. In one embodiment, a link load balancer provides the client with a message and/or path data that enables the client to improve its connections with the server by redirecting network packets using an alternate network path. The message may be based on a static policy at the server, changes in availability of the network connections between the client and server, changes in a quality of the network connections, paths, or the like. Redirecting the network packet by the client may include closing one network connection and establishing another network connection, and/or employing an available alternate network path to re-route network packets towards the server.
    Type: Grant
    Filed: October 7, 2005
    Date of Patent: May 17, 2011
    Assignee: F5 Networks, Inc.
    Inventor: Bryan D. Skene
  • Patent number: 7921282
    Abstract: A method, apparatus, and system are directed toward managing a Transmission Control Protocol/Internet Protocol (TCP/IP) handshake. A SYN-ACK cookie is determined based on a cryptographic operation using a secret key and at least one network characteristic. The SYN-ACK cookie is provided in a SYN message's field. The SYN message is sent from a client to a server. Another sequence number based on the received SYN-ACK cookie is included in a SYN-ACK message. The SYN-ACK message is sent to and received by the client. The other sequence number is validated based on the secret key to generate at least another network characteristic. A TCP/IP connection is established if the network characteristic matches the other network characteristic. In one embodiment, the component sending the SYN message may be a different component than the component receiving the SYN-ACK message. In this embodiment, the secret key may be shared between the two components.
    Type: Grant
    Filed: October 26, 2007
    Date of Patent: April 5, 2011
    Assignee: F5 Networks, Inc.
    Inventors: Arindum Mukerji, Jesse Abraham Rothstein
  • Patent number: 7916730
    Abstract: A method and system for preventing excessive flood packets from switching devices in a network for routing packets between a source station having an address and a destination station in the network having an address. A first packet directed toward the destination station is received over the network via an incoming traffic switch. The incoming traffic switch includes a table without the address of the destination station. The first packet is flooded over the plurality of switches. The flooded first packet is received at a front facing switch coupled to the destination station. The front facing switch has a table including the source address of the packet. The source address of the packet is flushed from the table of the front facing switch. A response packet is sent from the destination station to the source station. The response packet is flooded to the incoming traffic switch. The flooded response packet is received at the incoming traffic switch.
    Type: Grant
    Filed: September 30, 2008
    Date of Patent: March 29, 2011
    Assignee: F5 Networks, Inc.
    Inventors: Randal Pope, Qi Lu, Bill Baumann
  • Patent number: 7916728
    Abstract: Upon detecting a data event initiating an update to a table, a first classifier index associated with the data event is identified. From a classifier table, the current position in a first dimension of the table associated with the classifier index is determined. An open position in the first dimension of the table is also identified. Updated data is stored in the open position within the table. In the classifier table, the open position storing the updated data is associated with the classifier index.
    Type: Grant
    Filed: September 29, 2008
    Date of Patent: March 29, 2011
    Assignee: F5 Networks, Inc.
    Inventor: Alan Mimms
  • Patent number: 7885970
    Abstract: In an aggregated file system, metadata is partitioned into multiple metadata volumes. On receipt of a file processing request, a file switch examines its mount entry cache to identify a target metadata volume that hosts the metadata of the requested file. The identification begins with mount entries at a root volume and continues recursively by examining a portion of the absolute pathname of the file until the target metadata volume is identified. Finally, the file switch forwards the request to a metadata server managing the target metadata volume. Since the identification process is carried out completely within the file switch, there is no need for multiple expensive network accesses to different metadata servers.
    Type: Grant
    Filed: January 20, 2006
    Date of Patent: February 8, 2011
    Assignee: F5 Networks, Inc.
    Inventor: Francesco Lacapra
  • Patent number: 7882084
    Abstract: A system, method, and apparatus are directed towards identifying adaptive length segments of redundant data for encoding a data structure. Initial boundaries are identified for an input matching segment within input data and for a candidate store matching segment in a synchronized store. The data prior to and after the boundaries are compared to identify matching data. As matching data is identified, at least one of the boundaries of the matching segments is revised. An encoded representation of the resulting input matching segment is then generated based in part on pointers and offsets into the synchronized store. A data structure is generated based on the encoded representation and unmatched portion, which is sent to a receiver. The receiver uses the data structure to extract matching data from the synchronized store, and together with the unmatched input data in the data structure, reconstruct the input data.
    Type: Grant
    Filed: January 25, 2006
    Date of Patent: February 1, 2011
    Assignee: F5 Networks, Inc.
    Inventor: Saxon C. Amdahl
  • Patent number: 7877511
    Abstract: Methods and apparatus provide an adaptive load balancer that presents a virtual data system to client computer systems. The virtual data system provides access to an aggregated set of data, such as files or web service objects, available from a plurality of server data systems respectively operating within a plurality of server computer systems. The adaptive load balancer receives a client data access transaction from a client computer system that specifies a data access operation to be performed relative to the virtual data system presented to the client computer system. The adaptive load balancer processes the client data access transaction in relation to metadata associated with the virtual data system to provide access to the file or service object within a server computer system, or to access the metadata.
    Type: Grant
    Filed: January 13, 2004
    Date of Patent: January 25, 2011
    Assignee: F5 Networks, Inc.
    Inventors: Michael A. Berger, Robert T. Curley, Daniel J. Dietterich, JC Ferguson, Michael J. Homberg, Benjamin E. McCann, Jonathan C. Nicklin, David Porter, Suchi Raman, Craig S. Rasmussen, Michael J. Soha, Thomas J. Teixeira, Bryan T. Whitmore, Leonard F. Wisniewski, Chin-Cheng Wu