Abstract: Some embodiments provide a method that, at a first domain name system (DNS) cluster of a set of DNS clusters, receives a DNS request from a client. The first DNS cluster identifies, based on an identifier of the client in the DNS request, a home DNS cluster of the client. The method forwards the DNS request to the home DNS cluster. The home DNS cluster supplies a DNS response to the client. Identifying the home DNS cluster, in some embodiments, includes performing a hash on the identifier of the client. Supplying the DNS response, in some embodiments, includes receiving a virtual IP (VIP) address associated with one of a plurality of sets of application servers to the client and providing the received VIP address to the client in the DNS response.

Abstract: Examples described herein include systems and methods for controlling access to a server, such as an email server or a gateway, in situations where the identity of the requesting device is unknown or where the user device accesses the server using an unknown or unmanaged application. In one example, the system can utilize a user authentication credential included in the request to identify other devices belonging to the user that happen to be enrolled with the system. An out-of-band message can be sent to those enrolled devices, requesting confirmation from the user and, in conjunction with an authentication token, allowing the system to trust the previously unknown device. In the example of an unmanaged application attempting to access an email server, the system can confirm compliance of the requesting device and issue an authentication token that, along with an appropriate command sent to the email server, provides access.

Abstract: Disclosed are various approaches for verifying the compliance of a TLS session with TLs policies. Traffic between an application and a destination server can be routed through a TLS gateway. The TLS gateway can inspect TLS handshake messages for compliance with TLS policies.

Abstract: Systems herein allow an administrator to efficiently enroll computing devices into a mobile device management system, even when those computing devices are offline and not connected to the system. A management server can include a console that allows the administrator to enroll an offline computing device by selecting an offline enrollment option on a registration record. This option can cause the management server to create a device record, indicating the computing device is enrolled. The management server can also create and save a provisioning file onto a storage device, such as a USB drive. Assets, such as graphics and applications, specified by the device record are also saved onto the storage device. The storage device can be physically connected to the computing device, at which point the provisioning file guides automatic installation of the assets and implementation of device settings and compliance rules specified by the device record.

Abstract: System and computer-implemented method for managing multi-availability zone (AZ) clusters of host computers in a cloud computing environment automatically detects a degraded state of a first AZ in the cloud computing environment based on host failure events for host computers in a first cluster section of a multi-AZ cluster of host computers located in the first AZ and a recovered state of the first AZ based a successful scale-in operation of another multi-AZ cluster located partially in the first AZ. In response to the detection of the degraded state of the first AZ, a second cluster section of the multi-AZ cluster of host computers located in a second AZ is scaled out. In response to the detection of the recovered state of the first AZ, the second cluster section of the multi-AZ cluster of host computers located in the second AZ is scaled in.

Abstract: Disclosed are various embodiments for distributed resource scheduling. An eviction request from a first host is received. The eviction request comprises data regarding a virtual machine to be migrated from the first host. The eviction request is then broadcast to a plurality of hosts. A plurality of responses are received from the plurality of hosts, each response comprising a score representing an ability of a respective one of the plurality of hosts to act as a new host for the virtual machine. A second host is selected from the plurality of hosts to act as the new host for the virtual machine based at least in part on the score in each of the plurality of responses. Then, a response is sent to the first host, the response containing an identifier of the second host.

Abstract: Some embodiments of the invention provide a method for deploying network elements for a set of machines in a set of one or more datacenters. The datacenter set is part of one availability zone in some embodiments. The method receives intent-based API (Application Programming Interface) requests, and parses these API requests to identify a set of network elements to connect and/or perform services for the set of machines. In some embodiments, the API is a hierarchical document that can specify multiple different compute and/or network elements at different levels of compute and/or network element hierarchy. The method performs automated processes to define a virtual private cloud (VPC) to connect the set of machines to a logical network that segregates the set of machines from other machines in the datacenter set. In some embodiments, the set of machines include virtual machines and containers, the VPC is defined with a supervisor cluster namespace, and the API requests are provided as YAML files.

Abstract: Distributed storage system and method for transmitting storage-related messages between host computers in a distributed storage system uses a handshake operation of a first-type communication connection between a source data transport daemon of a source host computer and a target data transport daemon of a target host computer to derive a symmetric key at each of the source and target data transport daemons. The two symmetric keys are sent to a source data transport manager of the source host computer and to a target data transport manager of the target host computer. The source and target data transport managers then use the same symmetric keys to encrypt and decrypt storage-related messages that are transmitted from the source data transport manager to the target data transport manager through multiple second-type communication connections between the source and target data transport managers.

Abstract: Systems and methods are described for improved error logging during system boot and shutdown. A hardware initialization firmware on a computing device can include a logging module. When errors occur during early system booting or late system shutdown, the firmware can create error logs. The logging module can receive the error logs and prioritize them according to a set of rules. The logging module can select error logs of the highest priority up to a predetermined maximum amount. The logging module can modify the error logs using a shorthand form and write them to nonvolatile random-access memory. The firmware can initialize runtime services and launch an operating system. A system logger on the operating system can retrieve the error logs, save them to a file, and erase them from the memory.

Abstract: Some embodiments of the invention provide a method for network-aware load balancing for data messages traversing a software-defined wide area network (SD-WAN) (e.g., a virtual network) including multiple connection links between different elements of the SD-WAN. The method includes receiving, at a load balancer in a multi-machine site, link state data relating to a set of SD-WAN datapaths including connection links of the multiple connection links. The load balancer, in some embodiments, provides load balancing for data messages sent from a machine in the multi-machine site to a set of destination machines (e.g., web servers, database servers, etc.) connected to the load balancer over the set of SD-WAN datapaths. The load balancer selects, for the data message, a particular destination machine (e.g., a frontend machine for a set of backend servers) in the set of destination machines by performing a load balancing operation based on the received link state data.

Abstract: Some embodiments provide a method for identifying security threats to a datacenter. The method receives flow attribute sets for multiple flows from multiple host computers in the datacenter on which data compute nodes (DCNs) execute. Each flow attribute set indicates at least a source DCN for the flow. The method identifies flow attribute sets that correspond to DCNs responding to name resolution requests. For each DCN of a set of DCNs executing on the host computers, the method determines whether the DCN has sent responses to name resolution requests in a manner that deviates from a historical baseline for the DCN based on the identified flow attribute sets. When a particular DCN has sent responses to name resolution requests in a manner that deviates from a historical baseline for the particular DCN, the method identifies the particular DCN as a security threat to the datacenter.

Abstract: Described herein are systems, methods, and software to handle requests to an application file shared by a plurality of applications on a computing system. In one implementation, a method of handling request for an application file shared by a plurality of applications on a computing system includes identifying a request for the application file on the computing system, wherein each application in the plurality of applications is associated with an individualized version of the application file, and wherein the plurality of applications is stored on separate application storage volumes attached to the computing system. The method further provides identifying an application associated with the request, and identifying an application storage volume in the application storage volumes that stores the application. Once identified, the method also includes retrieving the application file from the identified storage volume to support the request.

Abstract: Computer-implemented methods, media, and systems for remediation of containerized workloads based on context breach at edge devices are disclosed. One example computer-implemented method includes monitoring telemetry data from a first software defined wide area network (SD-WAN) edge device, where the telemetry data includes multiple context elements at the first SD-WAN edge device. It is determined that a context change occurs for at least one of the context elements at the first SD-WAN edge device. It is determined that due to the context change, the first SD-WAN edge device does not satisfy one or more requirements for running one or more workloads scheduled to run. In response to the determination that the first SD-WAN edge device does not satisfy the one or more requirements, the at least one of the one or more workloads is offloaded from the first SD-WAN edge device to a second SD-WAN edge device.

Abstract: Some embodiments provide novel methods for providing a set of services for a logical network associated with an edge forwarding element acting between a logical network and an external network. In some embodiments, the services are provided using a logical service forwarding plane that connects the edge forwarding element to a set of service nodes that each provide a service in the set of services. The service classification operation of some embodiments identifies a chain of multiple service operations that has to be performed on the data message. In some embodiments, identifying the chain of service operations includes selecting a service path to provide the multiple services. After selecting the service path, the data message is sent along the selected service path to have the services provided.

Abstract: Some embodiments of the invention provide a method for configuring a physical network card or physical network controller (pNIC) to provide flow processing offload (FPO) for a host computer connected to the pNIC. The host computers host a set of compute nodes in a virtual network. The set of compute nodes are each associated with a set of interfaces that are each assigned a locally-unique virtual port identifier (VPID) by a flow processing and action generator. The pNIC includes a set of interfaces that are assigned physical port identifiers (PPIDs) by the pNIC. The method includes providing the pNIC with a set of mappings between VPIDs and PPIDs. The method also includes sending updates to the mappings as compute nodes migrate, connect to different interfaces of the pNIC, are assigned different VPIDs, etc.

Abstract: A system to automatically generate an extended reality (XR) presentation from a presentation comprising: a presentation, where the presentation has a speaker notes system, directions for the creation of the XR presentation where the directions are written in the speaker notes system, a script fit to read the directions and generate a metadata file, and a program to read the metadata file and construct the XR presentation.

Abstract: Some embodiments provide a method for identifying security threats to a datacenter. From multiple host computers in the datacenter, the method receives data indicating port usage for a particular time period for each of multiple destination data compute nodes (DCNs) executing on the host computers. For each DCN of a set of the destination DCNs, identifies whether the port usage for the particular time period deviates from a historical baseline port usage for the DCN. When the port usage for a particular DCN deviates from the historical baseline for the particular DCN, the method identifies the particular DCN as a target of a security threat.

Abstract: System and method for converting disk format types of virtual disks in storage executes, in response to a request to convert a disk format type of a target virtual disk from a source disk format type to a destination disk format type, a conversion procedure on each data block of the target virtual disk that satisfies a predefined condition. The conversion procedure executed is based on the source and destination disk format types. The conversion procedure includes taking possession of a granular offset lock for a data block of the target virtual disk, performing a conversion operation on the data block of the target virtual disk only when the data block of the target virtual disk satisfies a required condition, and releasing the granular offset lock for the data block of the target virtual disk after the conversion operation on the data block has been performed.

Abstract: The disclosure provides for repositioning applications from physical devices to a cloud location without removing the applications from the physical devices. This provides advantages of cloud-based availability for the applications while preserving device configurations. Thus, a user may continue to use the local version during transition to cloud usage so that if a problem arises during transition, adverse effects on user productivity are mitigated. Examples include generating, on a device, a first virtualization layer, and uninstalling an application from the first virtualization layer while capturing uninstallation traffic within the first virtualization layer. Examples further include generating, on the device, a second virtualization layer, installing the application in the second virtualization layer, and generating, from the second virtualization layer with the installed application, an application package. Examples are able to position the application package on a remote node for execution.

Abstract: Disclosed are various approaches for recommending remotely executed applications for opening files. In one approach, an indication is received that a user desires to open the local file of a client device remotely. At least one remotely executed application is identified to open the local file remotely. A user interface is rendered by the client device that facilitates selection from among the remotely executed application(s). A user selection of a particular remotely executed application generated through the user interface is received. The particular remotely executed application opens the local file remotely.