Abstract: Embodiments are directed towards improving the performance of network traffic management devices by optimizing the management of hot connection flows. A packet traffic management device (“PTMD”) may employ a data flow segment (“DFS”) and control segment (“CS”). The CS may perform high-level control functions and per-flow policy enforcement for connection flows maintained at the DFS, while the DFS may perform statistics gathering, per-packet policy enforcement (e.g., packet address translations), or the like, on connection flows maintained at the DFS. The DFS may include high-speed flow caches and other high-speed components that may be comprised of high-performance computer memory. Making efficient use of the high speed flow cache capacity may be improved by maximizing the number of hot connection flows and minimizing the number of malicious and/or in-operative connections flows (e.g., non-genuine flows) that may have flow control data stored in the high-speed flow cache.

Abstract: Handling network data packets classified as being high throughput and low latency with a network traffic management device is disclosed. Packets are received from a network and classified as high throughput or low latency based on packet characteristics or other factors. Low latency classified packets are generally processed immediately, such as upon receipt, while the low latency packet processing is strategically interrupted to enable processing coalesced high throughput classified packets in an optimized manner. The determination to cease processing low latency packets in favor of high throughput packets may be based on a number of factors, including whether a threshold number of high throughput classified packets are received or based on periodically polling a high throughput packet memory storage location.

Abstract: Embodiments are directed to providing access to a resource over a network. A client device may request access to a server. An application may be provided to the client device. The application may cause control of the client device to be switched from a first desktop to a secure desktop. The secure desktop may be configured to restrict applications access to within the secure desktop. An indication of the resource on the server to map to may be received at the client device. The indicated resource may be mapped onto a file system on the client device. Mapping may comprise using a remote file access protocol, using DLL injection, or adding a kernel module to an operating system on the client device. The mapped resource may be constrained to be accessed through the secure desktop.

Abstract: A method, non-transitory computer readable medium, and apparatus that enhance management of backup data sets include receiving an operation on a region of a production data set. A corresponding region of a backup data set is marked as having a change state status until the received operation is completed on the region of the production data set and mirrored on a corresponding region of a backup data set.

Abstract: A method and network traffic management device to protect a network from network based attacks is disclosed. The method comprises receiving, at a network traffic management device, a plurality of requests from a plurality of client devices for one or more resources from one or more servers. The method comprises monitoring a number of server responses including an invalid transaction message for a particular client device or a particular requested resource. The method comprises comparing a ratio of invalid transactions to valid transactions for the particular client device or requested resource to a preestablished ratio threshold value. The method comprises marking the particular client device or requested resource as suspicious when the ratio exceeds the ratio threshold value. The method comprises preventing the suspicious particular client device or requested resource from being transmitted to the one or more servers when the network traffic management device detects a network attack.

Abstract: A system, method and medium is disclosed which includes selecting, at a software component of a network traffic management device, a first bucket having a first predetermined transmit time. The disclosure includes populating one or more selected data packet descriptors associated with one or more corresponding data packets in the first bucket. The disclosure includes releasing the first bucket to a hardware component of the network traffic management device, wherein the hardware component processes the one or more data packet descriptors of the first bucket for the first predetermined transmit time.

Abstract: A method, non-transitory computer readable medium, and device that identifies network traffic characteristics to correlate and manage one or more subsequent flows includes transmitting a monitoring request comprising one or more attributes extracted from an HTTP request received from a client computing device and a timestamp to a monitoring server to correlate one or more subsequent flows associated with the HTTP request. The HTTP request is transmitted to an application server after receiving an acknowledgement response to the monitoring request from the monitoring server. An HTTP response to the HTTP request is received from the application server. An operation with respect to the HTTP response is performed.

Abstract: A traffic management device (TMD), system, and processor-readable storage medium directed towards automatically configuring an AAA proxy device (also referred to herein as “the proxy”) to load-balance AAA request messages across a plurality of AAA server devices. In one embodiment the proxy receives an AAA handshake message from an AAA client device. The proxy forwards the handshake message to each of the plurality of server devices and, in reply, receives an AAA handshake response message from each of the plurality of server devices. The proxy extracts attributes from each of the handshake response messages and automatically configures itself based on the extracted attributes. The proxy then load-balances, modifies and/or routes subsequently received AAA request messages based on the extracted attributes.

Abstract: A system and method for message based load balancing comprises receiving, at a network traffic management device, an encapsulated request from a client device to a destination server for an established session. The request is encapsulated in accordance with a first connection-oriented protocol. The encapsulated message is segmented into a plurality of encapsulated data segments in accordance with a message boundary parameter. Identifying information of a first payload data packet of a first TCP encapsulated data segment is extracted and the first payload data packet is converted into a first connection-less protocol datagram. A message-based load balancing decision is performed on the datagram to assign the datagram to a first server. The first connection-less protocol datagram is converted into a first encapsulated data packet in accordance with a second connection-oriented protocol and is sent from a first virtual server to the first server based on the message-based load balancing decision.

Abstract: A method, non-transitory computer readable medium, and network device that generates a network communication including a destination address associated with a second network device and a destination port number, wherein the destination port number corresponds to a service operating on the second network device. An initial SSL handshake protocol message is generated and at least the destination port number is inserted into a server name indicator (SNI) extension of the initial SSL handshake protocol message. An SSL connection is established with the second network device using a predetermined port number and the initial SSL handshake protocol message is sent to the second network device. Information included in the network communication is sent to the second network device using the SSL connection.

Abstract: A network traffic management apparatus includes a first memory including a flow cache table including a plurality of entries. The network traffic management apparatus further includes configurable hardware logic coupled to the first memory and a processor, the configurable hardware logic including a valid split table including a plurality of entries, wherein each of the plurality of entries includes a validity bit. The configurable hardware logic is configured to implement periodically determining whether the validity bit of each of the valid split table entries is set. Additionally, the configurable hardware logic is further configured to implement retrieving one of the plurality of flow cache table entries corresponding to an index value associated with one of the valid split table entries, when it is determined that the validity bit of the one of the valid split table entries is set.

Abstract: A method, non-transitory computer readable medium, and network traffic management apparatus that receives an authentication request from a user of a client computing device, the request comprising credentials for the user. A connection is established with a selected one of a plurality of active directory servers using a stored Internet Protocol (IP) address for the selected active directory server. At least a portion of a fully qualified domain name of the selected active directory server is received in response to an anonymous lightweight directory access protocol (LDAP) query sent to the selected active directory server using the established connection. The user of the client computing device is authenticated using the at least a portion of the fully qualified domain name and the credentials.

Abstract: Embodiments are directed towards managing communication over a network with a packet traffic management device that performs delayed proxy action. The PTMD includes a buffer for buffering network traffic. Also, the PTMD includes proxy data paths and standard data paths. Network policies associated with the network flows may be determined using the buffered data. If a determined network policy includes proxy policy rules it is a proxy network, policy. Then the network flows are associated with a proxy data path. If the buffer is exhausted, the network flow is associated with a standard data path before a policy is determined. Otherwise, if the network policy includes only standard policy rules, the network flows are moved to a standard data path. After the network flow is associated with a data path, the network traffic may be communicated until it is closed or otherwise terminated.

Abstract: A method, computer readable medium, and network traffic management apparatus includes determining whether at least one existing request should be removed from a request queue. At least one existing request stored in the request queue is identified by applying one or more queue management rules. The identified existing request is removed from the request queue and the current request is added to the request queue when it is determined that at least one existing request should be removed from the request queue.

Abstract: A traffic management device or other intermediate network device is configured to enable the device to support connection splitting and/or connection aggregation or to otherwise process network transactions for an arbitrary transaction-oriented protocol. The configuration may be accomplished by providing one or more traffic management rules defined by way of a scripting language and provided to an interpreter. The traffic management rule may follow a basic approach common to many protocols and is adapted to the particular protocol being supported. The rule may configure the network device to inspect incoming data, extract length and record type specifiers, buffer an appropriate amount of data to determine transactions or transaction boundaries, and perform other operations.

Abstract: A system and method for providing persistence in a secure network access by using a client certificate sent by a client device to maintain the identity of a target. A security handshake is performed with a client device to establish a secure session. A target is determined. A client certificate is associated with the target. During subsequent secure sessions, the client certificate is used to maintain persistent communications between the client and a target. A session ID can be used in combination with the client certificate, by identifying the target based on the session ID or the client certificate, depending on which one is available in a client message.

Abstract: A system, apparatus, and method are directed to managing access to a resource using rule-based deep packet extractions of a credential. A network device, such as a traffic management device, is situated between a client device and a server device. When the client device sends a request for a resource, the request is intercepted by the network device. The network device may employ a multi-layer deep packet extraction of the credential from the request. The network device may then use the credential to determine whether the request enabled to access the resource. Based, in part, on a variety of rules, the network device may deny access, enable access, route the request to a different server, or the like. In one embodiment, the network device may receive a rule from another device that directs the network device to request a different credential.

Abstract: A traffic management device (TMD), system, and processor-readable storage medium are directed to monitoring an encrypted session between a client and a server, determining that the session identifier is unknown, and requesting a renegotiation of the session to acquire a session identifier for the renegotiated session. Determination that the session identifier is unknown may be based on interception and analysis of handshake messages sent by the client and/or the server. Following such determination, a renegotiation of the encrypted session may be triggered by sending a renegotiation request to the client, and a session identifier for the renegotiated session may be determined based on information extracted from subsequent handshake messages exchanged between the client and server during the renegotiation. Determination of the session identifier may enable decryption, encryption and modification of subsequent communications traffic, for example insertion of third party content into traffic sent to the client.

Abstract: A method and apparatus for managing proxy autoconfiguration for a multihomed client. A client browser may employ a combined autoconfiguration module to split traffic based on a destination address of the traffic. The traffic may be split among at least two proxy servers. A proxy configuration manager may be employed to receive configuration information associated with each of the proxy servers. The proxy configuration manager enables the combined autoconfiguration module to be created based, in part, on the received configuration information. The proxy configuration manager further enables the client browser to split the traffic, based at least in part on the destination address.

Abstract: A method and system is directed to routing a flow of packets over a network to multiple traffic management devices. An apparatus receives each packet from a network and forwards the packet to one of a group of traffic management devices. The apparatus also may receive packets from servers for which the traffic management devices are managing communications. When forwarding packets, a traffic management device is selected from the group of traffic management devices by employing a hash of an IP address and port number. The IP address and port number are selected from source or destination information in the packet that has a greater port number. When the traffic management device performs a network address translation, further actions may be performed so that packets that are part of a flow between two network devices are delivered to the same traffic management device.