Patents Assigned to F5 NETWORKS
  • Patent number: 11005732
    Abstract: Methods, non-transitory computer readable media, network traffic management apparatuses, and network traffic management systems that identify a first service based on inspection of a message received from a server. The message is associated with a flow between a client and the server. The first service is incorporated in, or removed from a service chain associated with the flow. The message, or other received network traffic associated with the flow, is then steered according to the service chain. With this technology, network traffic can advantageously be processed and steered according to services within a service chain that more accurately reflect the communications occurring within particular flows with this technology. In particular, service chains for flows can advantageously be established or modified to account for server-speaks-first protocols, as well as protocols that may be used inside secure or encrypted connections.
    Type: Grant
    Filed: August 23, 2018
    Date of Patent: May 11, 2021
    Assignee: F5 NETWORKS, INC.
    Inventors: Mark Quevedo, Saxon Amdahl
  • Patent number: 10986136
    Abstract: A method, non-transitory computer readable medium, and access policy manager (APM) device that provides access to applications hosted by server computing devices to client computing devices each associated with an authenticated user. Interactions of the client computing devices with the applications are monitored to obtain usage statistics. The usage statistics are correlated with identifying information for each of the authenticated users or an indication of each of the applications. Notification rule(s) or parameter(s) of a request for information are applied to the correlated usage statistics. Based on the applying, a notification is sent to one or more of the client computing devices or at least a portion of the correlated usage statistics is sent to at least one of an application administrator or an APM administrator.
    Type: Grant
    Filed: September 25, 2014
    Date of Patent: April 20, 2021
    Assignee: F5 NETWORKS, INC.
    Inventors: Ravi Natarajan, Saxon Amdahl
  • Patent number: 10985981
    Abstract: A server is dynamically reconfigured by storing a plurality of server configurations in a configuration store. Requests, received by the server, are routed to one of a plurality of workers for processing the requests. Each request is associated with a current configuration of the plurality of configurations that a worker uses to process the request. The number of workers using each configuration of the plurality of configurations is counted. Responsive to the counting, it is determined that a prior configuration of the plurality of configurations is not being used by the workers. The prior configuration is deleted from the configuration store responsive to the determination that the prior configuration is not being used.
    Type: Grant
    Filed: September 5, 2017
    Date of Patent: April 20, 2021
    Assignee: F5 NETWORKS, INC.
    Inventors: Igor Sysoev, Valentin Bartenev, Nikolay Shadrin, Maxim Romanov
  • Patent number: 10972453
    Abstract: Methods, non-transitory computer readable media, access policy management apparatuses, and network traffic management systems that send a request received from a client to an application server along with an access token. A determination is made when a received response to the request comprises an unauthorized HyperText Transfer Protocol (HTTP) response status code. The access token is refreshed using a stored refresh token, when the determining indicates that the response is an unauthorized HTTP response status code. The request is resent to the application server along with the refreshed access token. With this technology, an intermediary access policy management apparatus can refresh access tokens automatically and without sending any unauthorized HTTP response status codes received from application servers to client devices, or requiring user re-authorization at the client devices thereby improving the user experience in single sign-on (SSO) federated identity environments.
    Type: Grant
    Filed: December 29, 2017
    Date of Patent: April 6, 2021
    Assignee: F5 NETWORKS, INC.
    Inventors: Ravi Natarajan, Srinivasa Yarrakonda
  • Patent number: 10931662
    Abstract: Methods, non-transitory computer readable media, network traffic management apparatuses, and network traffic management systems that receive a directory service authentication request from an application. The directory service authentication request comprising a first password. The first password is compared to a stored second password received from a previously-authenticated client to determine when there is a match. A positive authentication result is returned to the application in response to the directory service authentication request, when the determining indicates that there is a match. This technology advantageously facilitates client certificate authentication for applications that only support password-based login.
    Type: Grant
    Filed: November 6, 2017
    Date of Patent: February 23, 2021
    Assignee: F5 NETWORKS, INC.
    Inventor: William Church
  • Patent number: 10721269
    Abstract: Client requests for server resources are received by a network traffic management device (NTMD). The NTMD initially responds to the client requests on behalf of the associated servers. The initial responses include client side language scripts for execution by the clients. Executing the scripts causes the clients to resend their initial requests identified as a potential attack by the NTMD along with information indicating the client's legitimacy, such as the result of a computational JavaScript challenge. The NTMD receives the resent initial request, determines it was sent from a legitimate requestor and is therefore not an attack, and forwards it to the associated server.
    Type: Grant
    Filed: November 6, 2009
    Date of Patent: July 21, 2020
    Assignee: F5 NETWORKS, INC.
    Inventors: Ron Talmor, Nir Shahaf, Orna Zackaria
  • Patent number: 10476992
    Abstract: A method, non-transitory computer readable medium, and device that provides multi-path TCP (MPTCP) proxy options includes receiving a SYN packet comprising one or more MPTCP options as a request for a new TCP connection. A new SYN packet including information from the received SYN packet is generated and the generated new SYN packet is forwarded to the server. A SYN acknowledgement including information associated with one or more supported MPTCP options is received from the server. A new SYN acknowledgement packet including the information from the received SYN acknowledgement is generated and forwarded to the requesting client computing device.
    Type: Grant
    Filed: July 6, 2016
    Date of Patent: November 12, 2019
    Assignee: F5 NETWORKS, INC.
    Inventor: Saxon Amdahl
  • Publication number: 20150142948
    Abstract: Embodiments are directed towards using policy rules that may be extended by scripting operative on a traffic management device. Each policy rule may have a condition and a corresponding action. If the condition is a script, a script engine separate from the policy engine may be employed to execute the script to determine if the condition is met. Otherwise, the policy engine may determine if the condition is met based on declarative expressions that comprise the condition. If the condition is met the action corresponding to the policy rule may be executed. Scripts may be used to compute the values of operands that may be used in one or more of the expressions that comprise a condition for a policy rule. Also, the action corresponding to a policy rule may be implemented using a script that is executed by a script engine.
    Type: Application
    Filed: November 15, 2013
    Publication date: May 21, 2015
    Applicant: F5 NETWORKS, INC.
    Inventors: Paul I. Szabo, Gennady Dosovitsky, Ron Talmor, Jeroen de Borst, David A. Hansen
  • Publication number: 20150067472
    Abstract: Systems, methods, and devices are directed towards identifying a web browser by targeting a document parser component in a layout engine of a web browser. Malformed HTML may be provided to a client device having the web browser. Based on how the layout engine responds to the received malformed HTML, a fingerprint can be generated classifying/identifying a class, type, and other features of the web browser/layout engine. Other fingerprinting techniques may be combined with this malformed HTML approach to improve an accuracy of web browser identification, or to be used to detect/counter user-agent spoofing. Identification of the web browser/layout engine may then be used, among other things, to provide web content that is formatted to be useable by the receiving client device.
    Type: Application
    Filed: August 28, 2013
    Publication date: March 5, 2015
    Applicant: F5 NETWORKS, INC.
    Inventor: Jonathan Chen
  • Publication number: 20150019923
    Abstract: A method, computer readable medium, and system independently managing network applications within a network traffic management device communicating with networked clients and servers include monitoring with a network device a plurality of applications communicating over a plurality of direct memory access (DMA) channels established across a bus. The network device receives a request from a first application communicating over a first DMA channel in the plurality of DMA channels to restart the first DMA channel. In response to the request, the first DMA channel is disabled with the network device while allowing other executing applications in the plurality of applications to continue to communicate over other DMA channels in the plurality of DMA channels. A state of the first DMA channel is cleared independently from other DMA channels in the plurality of DMA channels, and communications for the first application over the first DMA channel are resumed with the network device.
    Type: Application
    Filed: January 19, 2010
    Publication date: January 15, 2015
    Applicant: F5 NETWORKS, INC.
    Inventors: Timothy Michels, Clay Jones
  • Publication number: 20140189686
    Abstract: Embodiments are directed towards employing a traffic management system (TMS) that is enabled to deploy component virtual machines (CVM) to the cloud to perform tasks of the TMS. In some embodiments, a TMS may be employed with one or more CVMs. In at least one embodiment, the TMS may maintain an image of each CVM. Each CVM may be configured to perform one or more tasks, to operate in specific cloud infrastructures, or the like. The TMS may deploy one or more CVMs locally and/or to one or more public and/or private clouds. In some embodiments, deployment of the CVMs may be based on a type of task to be performed, anticipated resource utilization, customer policies, or the like. The deployment of the CVMs may be dynamically updated based on monitored usage patterns, task completions, customer policies, or the like.
    Type: Application
    Filed: March 14, 2013
    Publication date: July 3, 2014
    Applicant: F5 NETWORKS, INC.
    Inventor: F5 NETWORKS, INC.
  • Publication number: 20140032695
    Abstract: A method, non-transitory computer readable medium, and a system for communicating with networked clients and servers through a network device includes receiving a first network data packet destined for a first executing traffic management application of a plurality of executing traffic management applications operating in the network device. A first DMA channel is identified to allocate the received first network data packet. Further, the first network data packet is transmitted to the first traffic management executing application over the first identified DMA channel.
    Type: Application
    Filed: December 14, 2012
    Publication date: January 30, 2014
    Applicant: F5 NETWORKS
    Inventors: Timothy Michels, William R. Baumann
  • Publication number: 20140025823
    Abstract: A method, computer readable medium, and network traffic management apparatus that manages contended resource utilization includes obtaining at least one value for at least one utilization parameter for at least one contended resource and determining when the obtained value of the utilization parameter for the at least one contended resource exceeds a threshold value. When the obtained value of the utilization parameter is determined to exceed the threshold value, a work rate for one or more of a plurality of processing units is reduced or the at least one contended resource is reallocated among the plurality of processing units.
    Type: Application
    Filed: December 31, 2012
    Publication date: January 23, 2014
    Applicant: F5 NETWORKS, INC.
    Inventors: Paul I. Szabo, William R. Baumann
  • Publication number: 20130294239
    Abstract: Embodiments are directed towards improving the performance of network traffic management devices by optimizing the management of hot connection flows. A packet traffic management device (“PTMD”) may employ a data flow segment (“DFS”) and control segment (“CS”). The CS may perform high-level control functions and per-flow policy enforcement for connection flows maintained at the DFS, while the DFS may perform statistics gathering, per-packet policy enforcement (e.g., packet address translations), or the like, on connection flows maintained at the DFS. The DFS may include high-speed flow caches and other high-speed components that may be comprised of high-performance computer memory. Making efficient use of the high speed flow cache capacity may be improved by maximizing the number of hot connection flows and minimizing the number of malicious and/or in-operative connections flows (e.g., non-genuine flows) that may have flow control data stored in the high-speed flow cache.
    Type: Application
    Filed: March 13, 2013
    Publication date: November 7, 2013
    Applicant: F5 NETWORKS, INC.
    Inventors: Paul Imre Szabo, Peter Michael Thornewell, Timothy Scott Michels
  • Publication number: 20130290699
    Abstract: A method, non-transitory computer readable medium, and network device that generates a network communication including a destination address associated with a second network device and a destination port number, wherein the destination port number corresponds to a service operating on the second network device. An initial SSL handshake protocol message is generated and at least the destination port number is inserted into a server name indicator (SNI) extension of the initial SSL handshake protocol message. An SSL connection is established with the second network device using a predetermined port number and the initial SSL handshake protocol message is sent to the second network device. Information included in the network communication is sent to the second network device using the SSL connection.
    Type: Application
    Filed: February 15, 2013
    Publication date: October 31, 2013
    Applicant: F5 NETWORKS, INC.
    Inventor: F5 Networks, Inc.
  • Publication number: 20130219030
    Abstract: Embodiments are directed towards upgrading hypervisors operating in hardware clusters that may be hosting one or more virtual clusters of virtual traffic managers. Virtual clusters may be arranged to span multiple computing devices in the hardware cluster. Spanning the virtual clusters across multiple hardware nodes the virtual cluster may enable the virtual clusters to remain operative while one or more hardware nodes may be upgraded. Hypervisor may include a management control plane for virtual clusters of virtual traffic managers. Hypervisors running on hardware nodes may manage the lower level networking traffic topology while the virtual traffic managers may manage the higher level network processing.
    Type: Application
    Filed: November 7, 2012
    Publication date: August 22, 2013
    Applicant: F5 NETWORKS, INC.
    Inventor: F5 NETWORKS, INC.
  • Publication number: 20130212295
    Abstract: Layer-7 application layer message (“message”) classification is disclosed. A network traffic management device (“NTMD”) receives incoming messages over a first TCP/IP connection from a first network for transmission to a second network. Before transmitting the incoming messages onto the second network, however, the NTMD classifies the incoming messages according to some criteria, such as by assigning one or more priorities to the messages. The NTMD transmits the classified messages in the order of their message classification. Where the classification is priority based, first priority messages are transmitted over second priority messages, and so forth, for example.
    Type: Application
    Filed: January 25, 2013
    Publication date: August 15, 2013
    Applicant: F5 NETWORKS, INC.
    Inventor: F5 NETWORKS, INC.
  • Publication number: 20130212240
    Abstract: A method, computer readable medium, and device for dynamic DNS implementation, comprises receiving, at a network traffic management device, a first DNS response from a DNS server, wherein the first DNS response is compliant with Internet Protocol version 4 (IPv4). The first DNS response corresponds to a first DNS request from a client device being compliant with Internet Protocol version 6 (IPv6). The first DNS response is converted into a DNS second response that is compliant with IPv6, by attaching a prefix that identifies a network gateway device which is to handle receive subsequent non-DNS requests from the client device. The second DNS response is routed to the client device. Subsequent non-DNS requests from the client device that contain at least a part of the prefix allow the network traffic management device to route the non-DNS request through the designated network gateway device.
    Type: Application
    Filed: February 15, 2012
    Publication date: August 15, 2013
    Applicant: F5 NETWORKS, INC.
    Inventors: Peter M. Thornewell, Jason Haworth, Ian Smith, Nat Thirasuttakorn
  • Publication number: 20130204893
    Abstract: A method, computer readable medium, and system for generating a unified virtual snapshot in accordance with embodiments of the present invention includes invoking with a file virtualization system a capture of a plurality of physical snapshots. Each of the physical snapshots comprises content at a given point in time in one of the plurality of data storage systems. A unified virtual snapshot is generated with the file virtualization system based on the captured plurality of the physical snapshots.
    Type: Application
    Filed: December 20, 2012
    Publication date: August 8, 2013
    Applicant: F5 NETWORKS, INC.
    Inventor: F5 NETWORKS, INC.
  • Publication number: 20130173779
    Abstract: A method, non-transitory computer readable medium, and device that identifies network traffic characteristics to correlate and manage one or more subsequent flows includes transmitting a monitoring request comprising one or more attributes extracted from an HTTP request received from a client computing device and a timestamp to a monitoring server to correlate one or more subsequent flows associated with the HTTP request. The HTTP request is transmitted to an application server after receiving an acknowledgement response to the monitoring request from the monitoring server. An HTTP response to the HTTP request is received from the application server. An operation with respect to the HTTP response is performed.
    Type: Application
    Filed: December 30, 2011
    Publication date: July 4, 2013
    Applicant: F5 NETWORKS, INC.
    Inventors: Dmitry Rovniaguin, Ephraim Dan, Ron Talmor