Abstract: Methods and systems are described for analyzing and attesting physical access to a location. In an example, an administrator can create a survey for users in an organization. The survey can be sent to a user device as a notification. The user can complete the survey, and the user's physical access rights can be determined based on the survey answers. When the user attempts to gain access to a location of the organization, the user can provide a digital access badge. The digital access badge can be mapped to the user's access permissions. The user can be granted or denied access depending on whether the user answered the survey and, if answered, what answers the user provided.

Abstract: Systems and methods are described for extracting and populating content from an email link. In an example, a machine learning (“ML”) model can be trained based on user interactions with emails. When an email is received for the user, the ML model can be applied to score the email. An application can extract a link in the email. The application can retrieve a web page with the link and store it locally. The application can create a card for the email that includes the link and insert the card into a graphical user interface (“GUI”). A user can access the GUI and select the card. The web page can be retrieved from the local storage and displayed in the GUI.

Abstract: Disclosed are various approaches for providing a virtual badge credential to a user's device that is enrolled with a management service as a managed device. Upon authentication of a user's identity via an identity provider, a virtual badge credential can be provided to an application on the client device. The virtual badge credential can be presented by the client device to access control readers to gain access to physical resources, such as doors and buildings, that are secured by the access control readers.

Abstract: A method for selecting between a plurality of paths for sending an encrypted packet from a source endpoint to a destination endpoint is provided. The method selects a first path of the plurality of paths for sending the encrypted packet from the source endpoint to the destination endpoint, each of the plurality of paths associated with a different one of a plurality of source ports, the encrypted packet being encrypted based on a security association established between the source endpoint and the destination endpoint in accordance with an IPSec protocol. The method further encapsulates, based on the SA having NAT-T enabled, the encrypted packet with a UDP header having a first source port associated with the first path. The method then transmits the encapsulated encrypted packet from the source endpoint to the destination endpoint via the first path.

Abstract: The detection of utilized virtual machines through usage pattern analysis is described. In one example, a computing device can collect utilization metrics from a virtual machine over time. The utilization metrics can be related to one or more processing usage, disk usage, network usage, and memory usage metrics, among others. The utilization metrics can be used to determine a number of clusters, and the clusters can be used to organize the utilization metrics into groups. Depending upon the number or overall percentage of the utilization metrics assigned to individual ones of the plurality of clusters, it is possible to determine whether or not the virtual machine is a utilized or an idle virtual machine. Once identified, utilized virtual machines can be migrated in some cases. Idle virtual machines can be shut down to conserve processing resources and costs in some cases.

Abstract: The disclosure provides an approach for cross-network communication by self-replicating applications. Embodiments include identifying, by a first instance of a self-replicating application on a first computing device having a first network connection to a parent component, a second computing device that is connected to the first computing device via a second network connection. Embodiments include self-replicating, by the first instance of the self-replicating application, across the second network connection to produce a second instance of the self-replicating application on the second computing device. Embodiments include initiating, by the first instance of the self-replicating application, a proxy tunnel on the first computing device. Embodiments include receiving, by the proxy tunnel, a first communication from the second instance of the self-replicating application via the second network connection.

Abstract: A method of enabling remote access to a console of a virtual machine (VM) running in a host and managed by a VM management server, from a remote computing device, includes the steps of: in response to a request to access the console of the VM from the remote computing device, issuing a request for a first ticket, the first ticket including an identifier of the host in which the VM is running; upon receiving the first ticket, issuing a request for a second ticket to access a proxy server; and upon receiving the second ticket, transmitting a uniform resource locator (URL) identifying the proxy server and the second ticket to the remote computing device. The remote computing device accesses the console of the VM through the URL and the proxy server.

Abstract: A method of upgrading an application in a software-defined data center (SDDC) includes: deploying, by lifecycle management software executing in the SDDC, a second appliance, a first appliance executing services of the application at a first version, the second appliance having services of the application at a second version, the services in the first appliance being active and the services in the second appliance being inactive; expanding, by the lifecycle management software, state of the first appliance to support both the services at the first version and the services at the second version; replicating, by the lifecycle management software, the state of the first appliance to the second appliance; performing, by the lifecycle management software, a switchover to stop the services of the first appliance and start the services of the second appliance; and contracting, by the lifecycle management software, state of the second appliance to remove a portion unused by the services at the second version.

Abstract: Disclosed are various examples for enrollment of gateways using a client device. In one example, a request is transmitted from a client device to a management service. The request comprises the gateway identifier. Gateway credentials are relayed through the client device from the management service to the gateway device. The gateway credentials are unexposed to users of the client device.

Abstract: A method of executing workflows in virtual machines that have been deployed to implement virtual network functions of a network service, wherein the virtual machines are running in a plurality of data centers each having a cloud management server running a cloud computing management software to provision virtual infrastructure resources thereof for a plurality of tenants, includes upon receiving a request to execute a workflow along with a plurality of parameters including first and second parameters at a data center, identifying a virtual machine deployed in the data center, in which the workflow is to be executed based on the first parameter, designating one of a plurality of methods by which the workflow is to be executed in the virtual machine according to the second parameter, and issuing a command to the virtual machine to execute the workflow according to the designated method.

Abstract: The disclosure provides an approach for reducing congestion within a network, the network comprising a plurality of subnets, the plurality of subnets comprising a plurality of host machines and a plurality of virtual computing instances (VCIs) running on the plurality of host machines. Embodiments include receiving, by an edge services gateway (ESG) of a first subnet of the plurality of subnets, membership information for a group identifying a subset of the plurality of host machines. Embodiments include receiving a multicast packet directed to the group and selecting from the plurality of host machines, a replicator host machine for the multicast packet. Embodiments include sending, to the replicator host machine, the multicast packet along with metadata indicating that the replicator host machine is to replicate the multicast packet to remaining host machines of the subset of the plurality of host machines identified in the membership information for the group.

Abstract: Examples described herein include systems and methods for efficiently and effectively applying upgrade bundles to an SDDC. The upgrade bundles can update various software components of the SDDC. A version-compliance configuration matrix provides version-compliance information across various software components to ensure that all components function properly after upgrading. Each upgrade bundle can include metadata that provides information sufficient to utilize the configuration matrix. A super bundle can include multiple upgrade bundles, as well as instructions for applying the multiple upgrade bundles in a particular order to avoid compatibility issues. The super bundle can be used to upgrade multiple software components of an SDDC without disrupting the functionality of the SDDC.

Abstract: In some embodiments, a method determines when a packet is fragmented into multiple fragmented packets in a flow between a first workload and a second workload. The method switches from generating an outer source port in the outer header using layer 4 information from the inner header to using layer 3 information from the inner header. A fragmented packet is encapsulated with the outer header that includes an outer source port value that is generated using the layer 3 information. The method initiates a process to determine when to switch back to using layer 4 information from the inner header to generate the outer source port. When it is determined to switch back to using layer 4 information, the method switches back to using layer 4 information from the inner header to generate the source port in the outer header of a packet from the first workload.

Abstract: Anomalies are detected in a distributed application that runs on a plurality of nodes to execute at least first and second workloads. The method of detecting anomalies includes collecting first network traffic data of the first workload and second network traffic data of the second workload during a first period of execution of the first and second workloads, collecting third network traffic data of the first workload and fourth network traffic data of the second workload during a second period of execution of the first and second workloads, and detecting an anomaly in the distributed application based on a comparison of the third network traffic data against the first network traffic data or a comparison of the fourth network traffic data against the second network traffic data. Anomalies may also be detected by comparing network traffic data of two groups of containers executing the same workload.

Abstract: A virtual computer system includes virtualization software, and one or more physical network interfaces for connecting to one or more computer networks. The virtualization software supports one or more virtual machines (VMs), and exports one or more virtual network interfaces to the VM(s) to enable the VM(s) to access the computer network(s) through the physical network interface(s). The virtualization software modifies and filters network data frames from the VM(s) and from the physical network interface(s) to restrict one or more VMs to one or more virtual local area networks (VLANs) that are implemented within a VLAN topology. Restricting a VM to a VLAN limits the broadcast domain to which the VM belongs, which may reduce security risks facing the VM. Implementing the VLAN functionality within the virtualization software provides the functionality to every VM in the computer system, without requiring every VM to provide the functionality.

Abstract: A method of writing to a tiered memory system of a computing device, the tiered memory system including volatile memory and persistent memory (PMEM), includes the steps of: in response to a first write request including first data to write to a first page of the tiered memory system, copying contents of the first page to a second page located in the PMEM; after copying the contents of the first page to the second page, writing the first data to the second page; and after writing the first data to the second page, updating a first mapping of the tiered memory system to reference the second page instead of the first page.

Abstract: The disclosure provides automated update notifications. Embodiments include receiving, by a cloud provider, a request to manage updates for a computing device communicating with the cloud provider via a network. Embodiments include registering an agent at the computing device with the cloud provider as a recipient for an automated update notification based on configuration details of the computing device and detection of an update item related to an aspect of the configuration details. Embodiments include identifying, by the agent, the configuration details of the computing device, the configuration details comprising details of a hardware configuration of the computing device and a software configuration of the computing device. Embodiments include monitoring one or more databases for the update item. Embodiments include transmitting the automated update notification to the agent based on detection of the update item in the one or more databases.

Abstract: Disclosed are various approaches for determining an optimal communication channel for contacting a user. In one such embodiment, application usage data corresponding to user interactions on available communication channels within an enterprise environment is obtained and used to generate a knowledge graph representing an individual user communicating over two or more of the available communication channels with other users. Thus, based on the knowledge graph, at least one optimal communication channel can be provided for contacting the individual user, wherein the at least one optimal communication channel is represented in the knowledge graph.

Abstract: An example method of secure attestation of a workload deployed in a virtualized computing system is described. The virtualized computing system includes a host cluster and a virtualization management server, the host cluster having hosts and a virtualization layer executing on hardware platforms of the hosts. The method includes storing, in a trust authority, a pre-defined attestation report for a workload executing in a virtual machine (VM) managed by the virtualization layer, the pre-defined attestation report including a hash of at least a portion of an image of the VM; receiving, at the trust authority from a security module of a host in which the VM executes, an attestation report generated by measuring memory of the VM; comparing the attestation report with the pre-defined attestation report; and generating an indication of validity for the workload based on a result of the comparison.

Abstract: The current document is directed to a meta-level management system (“MMS”) that aggregates information and functionalities provided by multiple underlying management systems in addition to providing additional information and management functionalities. In one implementation, the MMS creates and maintains a single inventory-and-configuration-management database (“ICMDB”), implemented using a graph database, to store a comprehensive inventory of managed entities known to, and managed by, the multiple underlying management systems. Each managed entity is associated with an entity identifier and is represented in the ICMBD by a node. Managed entities that are managed by two or more of the multiple underlying management systems are represented by nodes that include references to one or more namespaces.