Patents Assigned to F5 Networks, Inc.
-
Patent number: 7558848
Abstract: An apparatus and method are directed to managing a policy-based access to a resource employing dynamic client integrity checking. The system may include a client device configured to log into a server. The server may provide a component to the client device. The component is configured to provide integrity information about the client device back to the server. The component may provide updates to the integrity information at a pre-determined schedule, thereby monitoring changes to the integrity of the client device during a connected session. Based, in part, on the received integrity information a policy for access is applied to the client device. In one embodiment, access may be increased to the resource. In another embodiment, the policy may deny access to the resource, if it is determined that the client device has an enabled network sniffer, an improperly configured antivirus application, or the like.
Type: Grant
Filed: February 27, 2004
Date of Patent: July 7, 2009
Assignee: F5 Networks, Inc.
Inventor: Sergey Shokhor
-
Patent number: 7552191
Abstract: A method and system of automatic share allocation in a shared resource environment. Upon connection of a device to a server, the server identifies if the device is a known device. The server then applies a share allocation previously established if the device is a known device and automatically creates a share allocation for the device if the device is not a known device.
Type: Grant
Filed: June 12, 2001
Date of Patent: June 23, 2009
Assignee: F5 Networks, Inc.
Inventors: Tomasz J. Goldman, Claus Tøndering
-
Patent number: 7509322
Abstract: A switched file system, also termed a file switch, is logically positioned between client computers and file servers in a computer network. The file switch distributes user files among multiple file servers using aggregated file, transaction and directory mechanisms. The file switch ensures consistent and atomic behavior of the switched file system by aggregating in a deterministic way the transactions initiated by the client of multiple independent file switches so that only one of the multiple concurrent transactions attempted on the same aggregated data file may succeed, or so that the transactions are serialized so as to be performed as a sequence of atomic operations. In addition, the integrity of the aggregated data file is safeguarded by issuing locking requests on behalf of certain client applications that do not observe locking mechanism consistently.
Type: Grant
Filed: January 2, 2003
Date of Patent: March 24, 2009
Assignee: F5 Networks, Inc.
Inventors: Vladimir Miloushev, Peter Nickolov
-
Patent number: 7505455
Abstract: A system is described having a network, a bus and an interface coupling the network to the bus. A host is coupled to the network and executes software to generate packets for communication on the network. A bus device is coupled to the bus. The interface and host coordinate to transport bus device packets between the host and the bus device via tunneling over the network.
Type: Grant
Filed: March 19, 1999
Date of Patent: March 17, 2009
Assignee: F5 Networks, Inc.
Inventors: James Goodwin, Joseph Meza, David Zalatimo
-
Patent number: 7496031
Abstract: A system and method is directed to routing a packet over a network to a probe. The system includes a replicator and a distributor. The replicator receives a packet from a client and replicates the packet. The distributor is either out-of-band or in-band to a flow of traffic between the client and a server. In the out-of-band configuration, the distributor forwards the replicate packet to at least one probe in a plurality of probes. The distributor receives a response to the replicate packet and transforms a source MAC address in the response to a MAC address of the distributor. The distributor forwards the transformed packet. The replicator forwards the original packet. In the in-band configuration, the distributor selects and forwards the original packet to a server using a first forwarding mechanism, and selects and forwards the replicate packet to a probe using a second forwarding mechanism.
Type: Grant
Filed: May 23, 2003
Date of Patent: February 24, 2009
Assignee: F5 Networks, Inc.
Inventor: Richard Roderick Masters
-
Patent number: 7493383
Abstract: A system, apparatus, and method for managing TCP over TCP communications using multiple TCP network connections. A plurality of tunneled network connections may be established between network devices. The network devices may employ one of the tunneled network connections over which to establish a plurality of application sessions. If congestion is detected on the employed tunneled network connection that exceeds a threshold, then a reset flag may be sent to abort that tunneled network connection. At least some of the application sessions are also transferred to another one of the plurality of tunneled network connections, without terminating the moved application sessions. In one embodiment, at least one more tunneled network connection may be established between the network devices.
Type: Grant
Filed: December 29, 2006
Date of Patent: February 17, 2009
Assignee: F5 Networks, Inc.
Inventor: Arindum Mukerji
-
Patent number: 7490162
Abstract: A method and system for forwarding messages received at a traffic manager. A traffic manager receives a message from a first connection to a client computer. At least a part of the message is to be forwarded to a server. If a connection exists to the server that matches the first connection, at least a part of the message is forwarded to the server by employing the existing connection. Otherwise, a source address is selected with which to communicate with the server. A new connection that includes the source address and a destination address associated with the server is opened. In addition, information associating the source address and the destination address with the first connection is stored. This information may then be used to map a response received from the server to the first connection.
Type: Grant
Filed: June 13, 2002
Date of Patent: February 10, 2009
Assignee: F5 Networks, Inc.
Inventor: Richard Roderick Masters
-
Patent number: 7487253
Abstract: A method and system of simplified configuration of a network element. A network element having a direct access module and an arbitrary unknown address is coupled to a same physical subnet as a management node. The management node broadcasts a discovery broadcast to identify the existence of the network element. If a response is received indicating an address outside an access range of the management node, it sends an additional broadcast targeted to the network element to force the network element to change its address to one within an access range of the management node. Once the address is changed, the management node may connect to and configure the network element using standard protocols.
Type: Grant
Filed: April 3, 2001
Date of Patent: February 3, 2009
Assignee: F5 Networks, Inc.
Inventor: Kim F. Storm
-
Patent number: 7472413
Abstract: A method and system for improving the security and control of internet/network web application processes, such as web applications. The invention enables validation of requests from web clients before the request reaches a web application server. Incoming web client requests are compared to an application model that may include an allowed navigation path within an underlying web application. Requests inconsistent with the application model are blocked before reaching the application server. The invention may also verify that application state data sent to application servers has not been inappropriately modified. Furthermore, the invention enables application models to be automatically generated by employing, for example, a web crawler to probe target applications. Once a preliminary application model is generated it can be operated in a training mode. An administrator may tune the application model by adding a request that was incorrectly marked as non-compliant to the application model.
Type: Grant
Filed: August 11, 2004
Date of Patent: December 30, 2008
Assignee: F5 Networks, Inc.
Inventor: David Mowshowitz
-
Patent number: 7461290
Abstract: Methods and systems are directed to dynamically mirroring a connection between network devices. Mirroring is managed by forwarding a packet between a first network device and a second network device. In one method, the first network device receives the packet from a client and communicates the packet to the second network device. A forwarding device, pre-determined from the first and second network devices, forwards the packet to a server. The first network device receives a response from the server, and communicates it to the second network device. The forwarding device forwards the response packet to the client. In one configuration, the first network device and forwarding device is an active device, and the second network device is a standby device. In another configuration, the first network device is a standby device, and the second network device and forwarding device is an active device.
Type: Grant
Filed: February 1, 2007
Date of Patent: December 2, 2008
Assignee: F5 Networks, Inc.
Inventors: Keith R. Reynolds, John R. Hughes
-
Patent number: 7441045
Abstract: A system and method for balancing the load on virtual servers managed by server array controllers at separate data centers that are geographically distributed on a wide area network such as the Internet is described. The virtual servers provide access to resources associated with a domain name request by a client program. When a Primary Domain Name System (DNS) determines the requested domain name is delegated to an EDNS, the EDNS employs metric information and statistics to resolve an IP address for a virtual server that is selected by the EDNS to optimally balance the load and provide access to resources associated with the domain name. The EDNS may load balance name servers. Additionally, the name server load balancing system may bridge disparate content delivery networks. Internet addresses are divided into geographical information that is used to delegate traffic. Also, metric information is collected and analyzed to help distribute the traffic.
Type: Grant
Filed: February 16, 2001
Date of Patent: October 21, 2008
Assignee: F5 Networks, Inc.
Inventors: Bryan D. Skene, Scott P. Tennican, Thomas E. Kee
-
Publication number: 20080256239
Abstract: A server array controller that includes a Data Flow Segment (DFS) and at least one Control Segment (CS). The DFS includes the hardware-optimized portion of the controller, while the CS includes the software-optimized portions. The DFS performs most of the repetitive chores including statistics gathering and per-packet policy enforcement (e.g. packet switching). The DFS also performs tasks such as that of a router, a switch, or a routing switch. The CS determines the translation to be performed on each flow of packets, and thus performs high-level control functions and per-flow policy enforcement. Network address translation (NAT) is performed by the combined operation of the CS and DFS. The CS and DFS may be incorporated into one or more separate blocks. The CS and DFS are independently scalable. Additionally, the functionality of either the DFS or the CS may be separately implemented in software and/or hardware.
Type: Application
Filed: March 11, 2008
Publication date: October 16, 2008
Applicant: F5 Networks, Inc.
Inventors: Robert George Gilde, Steven Lee Harms
-
Patent number: 7409460
Abstract: A system, apparatus, and method for managing the flow of data on a network. A plurality of processors are used to implement a virtual queue, for controlling a rate of flow of data on the network. Each of the processors has a member queue, the combination of member queues combining to form the virtual queue. Aspects of the invention use messages to communicate among the processors, to properly control the rate of flow.
Type: Grant
Filed: May 12, 2003
Date of Patent: August 5, 2008
Assignee: F5 Networks, Inc.
Inventor: Ning Xiang Li
-
Patent number: 7395349
Abstract: A method and system is directed to routing a flow of packets over a network to multiple traffic management devices. An apparatus receives each packet from a network and forwards the packet to one of a group of traffic management devices. The apparatus also may receive packets from servers for which the traffic management devices are managing communications. When forwarding packets, a traffic management device is selected from the group of traffic management devices by employing a hash of an IP address and port number. The IP address and port number are selected from source or destination information in the packet that has a greater port number. When the traffic management device performs a network address translation, further actions may be performed so that packets that are part of a flow between two network devices are delivered to the same traffic management device.
Type: Grant
Filed: August 20, 2003
Date of Patent: July 1, 2008
Assignee: F5 Networks, Inc.
Inventors: Paul Szabo, David D. Schmitt, Ning X. Li
-
Patent number: 7376967
Abstract: A system and method for performing asynchronous cryptographic operations. A cryptographic toolkit receives requests for cryptographic operations, and initiates the cryptographic operations within a thread of execution. The toolkit detects when the cryptographic operations are complete, retrieves the results, and returns the results to a calling program. The cryptographic operations are performed in an asynchronous manner, without blocking a calling program. The calling program can specify whether the requested operations are to be performed without blocking.
Type: Grant
Filed: December 2, 2002
Date of Patent: May 20, 2008
Assignee: F5 Networks, Inc.
Inventors: John R. Hughes, Richard Roderick Masters, David D. Schmitt
-
Patent number: 7355977
Abstract: A method and system for creating and maintaining an allocation table that associates allocation buckets with corresponding target identifiers. Each target identifier has a corresponding weighting value. The allocation table has a number of allocation buckets, each associated with a target identifier. When one or more weighting values change, one or more buckets are reassigned to different target identifiers. A number of factors are considered in determining whether to delay modification of the allocation table, in order to further reduce disruption. The allocation table may be used to distribute packets among network devices, or more generally, to route packets along paths in a network.
Type: Grant
Filed: August 16, 2002
Date of Patent: April 8, 2008
Assignee: F5 Networks, Inc.
Inventor: Ning Xiang Li
-
Patent number: 7349391
Abstract: A system is described having a network, a bus and an interface coupling the network to the bus. A host is coupled to the network and executes software to generate packets for communication on the network. A bus device is coupled to the bus. The interface and host coordinate to transport bus device packets between the host and the bus device via tunneling over the network.
Type: Grant
Filed: March 19, 1999
Date of Patent: March 25, 2008
Assignee: F5 Networks, Inc.
Inventors: Avner Ben-Dor, James Goodwin, Joseph Meza, Mark S. Young, David Zalatimo
-
Patent number: 7346695
Abstract: A method and apparatus for inserting and examining Cookies in the data streams of HTTP connections for the purpose of persistently directing HTTP connections to the same destination. A network device directs subsequent HTTP connections from the same client to the same server (destination) for accessing the requested resources. There are four modes for employing the Cookie to persistently direct HTTP connections. The associated mode inserts a Cookie that uniquely identifies the client into an HTTP response. The passive mode inserts Cookie information that uniquely identifies a previously selected destination into an HTTP response. In the rewrite mode, a network device manages the destination information that is rewritten over blank Cookie information generated by the destination producing the HTTP response. The insert mode inserts and removes Cookie information in the data packets for HTTP requests and response prior to processing by the destination.
Type: Grant
Filed: October 26, 2005
Date of Patent: March 18, 2008
Assignee: F5 Networks, Inc.
Inventor: Richard R. Masters
-
Patent number: 7343413
Abstract: A server array controller that includes a Data Flow Segment (DFS) and at least one Control Segment (CS). The DFS includes the hardware-optimized portion of the controller, while the CS includes the software-optimized portions. The DFS performs most of the repetitive chores including statistics gathering and per-packet policy enforcement (e.g. packet switching). The DFS also performs tasks such as that of a router, a switch, or a routing switch. The CS determines the translation to be performed on each flow of packets, and thus performs high-level control functions and per-flow policy enforcement. Network address translation (NAT) is performed by the combined operation of the CS and DFS. The CS and DFS may be incorporated into one or more separate blocks. The CS and DFS are independently scalable. Additionally, the functionality of either the DFS or the CS may be separately implemented in software and/or hardware.
Type: Grant
Filed: March 21, 2001
Date of Patent: March 11, 2008
Assignee: F5 Networks, Inc.
Inventors: Robert George Gilde, Steven Lee Harms
-
Patent number: 7308475
Abstract: A method and system for accessing network services. A client sends a request for a service. The request includes an address of the client. One or more resolvers receive the request for a service. The one or more resolvers determine at least one service location to return to the client based at least partially on the service requested and the address of the client. The at least one service location is then returned to the client. The service locations returned to the client may also be based on a policy, user preferences, client preferences, or client characteristics.
Type: Grant
Filed: May 6, 2003
Date of Patent: December 11, 2007
Assignee: F5 Networks, Inc.
Inventors: Joseph A. Pruitt, Bryan D. Skene, Patrick D. Jenny, Gary N. Mager