Abstract: Described embodiments provide systems and methods for launching a connection to a resource link from a client device. A device can authenticate the client device for access to a plurality of resource links accessible via one or more servers. The device can provide a list of the plurality of resource links responsive to the authentication, and receive a request from the client device, identifying a first resource link to access. The device can cause first authenticated credentials for the first resource link to be stored on the client device responsive to the request. The first authenticated credentials can correspond to the client device and provide access the first resource link. The client device can be configured to launch a connection to the first resource link from the client device using the first authenticated credentials stored on the client device.

Abstract: Described embodiments provide systems and methods for accessing a web application hosted in an intranet from outside said intranet. A server hosting a domain name service configured for the intranet can receive a request from a client that is outside the intranet to access the web application. The request may include a fully qualified domain name (FQDN) of the web application in the intranet. Responsive to the FQDN of the web application in the intranet, the server may send a notification to an access service, to cause the access service to pre-establish a connection to the intranet. Responsive to the FQDN of the web application in the intranet, the server may direct the client to send a handshake message to the access service to request access to the web application.

Abstract: Described implementations provide systems and methods generating and using live performance maps of a network environment for selecting combinations of proxies and servers for fulfilling client device requests. Proxy devices or connectors may gather network telemetry data from actual network flows between client devices and application servers or other resources traversing the proxy devices or connectors, when available, or by generating synthetic transactions to measure network telemetry data when actual flows are unavailable. The telemetry data may be provided to a management service, which may generate a performance map. The performance map may be provided to the proxy devices and/or a cloud proxy service for selection of optimal combinations of connectors and resources for client requests. Incoming client requests may be steered or redirected to the selected optimal combination. The performance map may be dynamically regenerated as network conditions change and/or as servers are deployed or undeployed.

Abstract: Described embodiments provide systems and methods for launching a connection to a resource link from a client device. A device can authenticate the client device for access to a plurality of resource links accessible via one or more servers. The device can provide a list of the plurality of resource links responsive to the authentication, and receive a request from the client device, identifying a first resource link to access. The device can cause first authenticated credentials for the first resource link to be stored on the client device responsive to the request. The first authenticated credentials can correspond to the client device and provide access the first resource link. The client device can be configured to launch a connection to the first resource link from the client device using the first authenticated credentials stored on the client device.

Abstract: Described embodiments provide systems and methods for launching a connection to a resource link from a client device. A device can authenticate the client device for access to a plurality of resource links accessible via one or more servers. The device can provide a list of the plurality of resource links responsive to the authentication, and receive a request from the client device, identifying a first resource link to access. The device can cause first authenticated credentials for the first resource link to be stored on the client device responsive to the request. The first authenticated credentials can correspond to the client device and provide access the first resource link. The client device can be configured to launch a connection to the first resource link from the client device using the first authenticated credentials stored on the client device.

Abstract: Described embodiments provide systems and methods for launching a connection to a resource link from a client device. A device can authenticate the client device for access to a plurality of resource links accessible via one or more servers. The device can provide a list of the plurality of resource links responsive to the authentication, and receive a request from the client device, identifying a first resource link to access. The device can cause first authenticated credentials for the first resource link to be stored on the client device responsive to the request. The first authenticated credentials can correspond to the client device and provide access the first resource link. The client device can be configured to launch a connection to the first resource link from the client device using the first authenticated credentials stored on the client device.

Abstract: The present disclosure is directed towards systems and methods for associating multiple transport layer hops between a client and a server. A first intermediary device may receive a request for a transport layer connection between the client and the server. The first intermediary device may generate a unique identifier to identify a connection chain between the client and the server across a plurality of transport layer connections via the plurality of devices. The first intermediary device may set a hop count to a number of hops that the first device is between the client and the server. The first intermediary device may forward information about the unique identifier and the hop count to a next device of the plurality of devices.

Abstract: The present disclosure is directed towards systems and methods for associating multiple transport layer hops between a client and a server. A first intermediary device may receive a request for a transport layer connection between the client and the server. The first intermediary device may generate a unique identifier to identify a connection chain between the client and the server across a plurality of transport layer connections via the plurality of devices. The first intermediary device may set a hop count to a number of hops that the first device is between the client and the server. The first intermediary device may forward information about the unique identifier and the hop count to a next device of the plurality of devices.

Abstract: The present disclosure is directed to systems and methods for performing single sign on by an intermediary device for a remote desktop session of a client. A first device intermediary to a plurality of clients and a plurality of servers authenticates a user and establishes a connection to the user's client device. The device provides a homepage including links to one or more remote desktop hosts associated with the user. The device receives a request to launch an RDP session with a remote desktop host via the homepage and generates RDP content, including a security token, for the user. The device receives a second request that includes the security token to launch the RDP session. The device validates the user using the security token and establishes a connection to the remote desktop host. The device signs into the desktop host using session credentials.

Abstract: The present disclosure is directed to systems and methods for performing single sign on by an intermediary device for a remote desktop session of a client. A first device intermediary to a plurality of clients and a plurality of servers authenticates a user and establishes a connection to the user's client device. The device provides a homepage including links to one or more remote desktop hosts associated with the user. The device receives a request to launch an RDP session with a remote desktop host via the homepage and generates RDP content, including a security token, for the user. The device receives a second request that includes the security token to launch the RDP session. The device validates the user using the security token and establishes a connection to the remote desktop host. The device signs into the desktop host using session credentials.

Abstract: Embodiments of the present solution provide a cloud bridge to bring network transparency between the otherwise disparate networks of the datacenter and cloud service provider. For example, appliances may be deployed in the datacenter and on the edge of the cloud. These appliances may be configured or designed and constructed to communicate with each other and recognize and understand the local IP and/or public IP network information of the on-premise datacenter of the enterprise and the cloud datacenter. These appliances may manage the flow of network traffic between the on-premise and cloud datacenters in a manner to appear and act seamlessly and transparently as a single network spanning both the on-premise and cloud data centers.

Abstract: The present disclosure presents methods, systems and intermediaries which determine an encoding scheme of a uniform resource location (URL) from a plurality of encoding schemes for a clientless secure socket layer virtual private network (SSL VPN) via a proxy. An intermediary may receive a response from a server comprising a URL. The response from the server may be directed to a client via a SSL VPN session and via the intermediary. The intermediary may determine, responsive to an encoding policy, one of a transparent, opaque or encrypted encoding scheme for encoding the URL. The intermediary may rewrite the URL for transmission to the client in accordance with the determined encoding scheme.

Abstract: The present disclosure describes systems and methods for load balancing multiple application delivery controllers (ADCs) in multiple tiers. An upper layer of the tier comprises ADCs that load balance the plurality of ADCs of a lower layer of the tier. In order to appropriately share and maintain client IPs for transparent cache redirection scenarios, the transport layer (Transport Control Protocol (TCP)) port range is split among the ADCs of the lower tier. The lower tier ADCs would then create a connection only using a source port assigned to them. The response from the origin will then be sent to the upper level ADC which looks at the destination port and forward the packet to the correct lower tier ADC. Hence, the ADCs at two levels will work in conjunction to provide transparent cache direction.

Abstract: The present invention is directed towards systems and methods for form-based single sign-on by a user desiring access to one or more protected resources, e.g., protected web pages, protected web-served applications, etc. In various embodiments, a single sign-on (SSO) module is in operation on an intermediary device, which is disposed in a network to manage internet traffic between a plurality of clients and a plurality of servers. The intermediary device can identify an authentication response from a server and forward the authentication response to the SSO module. The SSO module can complete a login form in the authentication response with a client's authentication data, return the completed login form to the server and forward cookies associated with the authentication response to the client. In various embodiments, multiple login forms can be completed, transparently to the client, by the SSO module on a client's behalf and reduce time expended by a client in obtaining access to protected resources.

Abstract: The present disclosure presents methods, systems and intermediaries which determine an encoding scheme of a uniform resource location (URL) from a plurality of encoding schemes for a clientless secure socket layer virtual private network (SSL VPN) via a proxy. An intermediary may receive a response from a server comprising a URL. The response from the server may be directed to a client via a SSL VPN session and via the intermediary. The intermediary may determine, responsive to an encoding policy, one of a transparent, opaque or encrypted encoding scheme for encoding the URL. The intermediary may rewrite the URL for transmission to the client in accordance with the determined encoding scheme.

Abstract: The present disclosure presents methods, systems and intermediaries which determine an encoding scheme of a uniform resource location (URL) from a plurality of encoding schemes for a clientless secure socket layer virtual private network (SSL VPN) via a proxy. An intermediary may receive a response from a server comprising a URL. The response from the server may be directed to a client via a SSL VPN session and via the intermediary. The intermediary may determine, responsive to an encoding policy, one of a transparent, opaque or encrypted encoding scheme for encoding the URL. The intermediary may rewrite the URL for transmission to the client in accordance with the determined encoding scheme.

Abstract: The present invention is directed towards systems and methods for form-based single sign-on by a user desiring access to one or more protected resources, e.g., protected web pages, protected web-served applications, etc. In various embodiments, a single sign-on (SSO) module is in operation on an intermediary device, which is disposed in a network to manage internet traffic between a plurality of clients and a plurality of servers. The intermediary device can identify an authentication response from a server and forward the authentication response to the SSO module. The SSO module can complete a login form in the authentication response with a client's authentication data, return the completed login form to the server and forward cookies associated with the authentication response to the client. In various embodiments, multiple login forms can be completed, transparently to the client, by the SSO module on a client's behalf and reduce time expended by a client in obtaining access to protected resources.

Abstract: The present solution is directed towards systems and methods for managing cookies by a multi-core device. The device is intermediary to a client and one or more servers. A first core of a multi-core device receives a response from a server to a request of the client through a user session. The response comprises a cookie. The first core removes the cookie from the response and stores the cookie in a corresponding storage for the session. The first core forwards the response without the cookie to the client. A second core then receives via a session, a second request from the client. The second core determines the identification of the first core as owner of the session from the second request. The second core then communicates to the first core a third request for cookie information for the session.

Abstract: The present invention is directed towards systems and methods for form-based single sign-on by a user desiring access to one or more protected resources, e.g., protected web pages, protected web-served applications, etc. In various embodiments, a single sign-on (SSO) module is in operation on an intermediary device, which is disposed in a network to manage internet traffic between a plurality of clients and a plurality of servers. The intermediary device can identify an authentication response from a server and forward the authentication response to the SSO module. The SSO module can complete a login form in the authentication response with a client's authentication data, return the completed login form to the server and forward cookies associated with the authentication response to the client. In various embodiments, multiple login forms can be completed, transparently to the client, by the SSO module on a client's behalf and reduce time expended by a client in obtaining access to protected resources.

Abstract: Embodiments of the present solution provide a cloud bridge to bring network transparency between the otherwise disparate networks of the datacenter and cloud service provider. For example, appliances may be deployed in the datacenter and on the edge of the cloud. These appliances may be configured or designed and constructed to communicate with each other and recognize and understand the local IP and/or public IP network information of the on-premise datacenter of the enterprise and the cloud datacenter. These appliances may manage the flow of network traffic between the on-premise and cloud datacenters in a manner to appear and act seamlessly and transparently as a single network spanning both the on-premise and cloud data centers.