Patents by Inventor Ashwin Palekar

Ashwin Palekar has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20090187705
    Abstract: Embodiments that facilitate the fair and dynamic distribution of disk input/output (IO) bandwidth are disclosed. In accordance with one embodiment, the method includes organizing one or more disk IO time intervals into one or more queues. The method further includes allocating a disk IO time interval to each queue. The allocation of a disk IO time interval to each queue is accomplished by equally distributing a disk IO cycle based on the number of queues. The one or more disk IO requests are then processed during the corresponding disk IO time interval.
    Type: Application
    Filed: January 18, 2008
    Publication date: July 23, 2009
    Applicant: MICROSOFT CORPORATION
    Inventors: Ara Bernardi, NK Srinivas, Ashwin Palekar
  • Publication number: 20090183225
    Abstract: Embodiments that facilitate the use of pluggable policy modules and authentication modules for access to a Terminal Services (TS) server are disclosed. In accordance with various embodiments, a method includes accessing one or more pluggable modules at a Terminal Services Gateway (TSG) server or a Terminal Services (TS) server. The method further includes processing a TS server access request from a TS client at the TSG server or the TS server. The TS server access request is processed in part based on the one or more pluggable modules. In one particular embodiment, the one or more pluggable modules include at least one of a connection authorization policy (CAP) module, a resource authorization policy (RAP) module, and an authentication module.
    Type: Application
    Filed: January 10, 2008
    Publication date: July 16, 2009
    Applicant: MICROSOFT CORPORATION
    Inventors: Meher P. Malakapalli, Ashwin Palekar
  • Publication number: 20090132642
    Abstract: Aspects of the subject matter described herein relate to delegating application invocation back to a client. In aspects, a server hosts an application that has a user interface that is presented on a client. User interaction on the user interface is encoded and sent to the server to give to the application. When the user uses the application such that another application is to be executed, a server delegator determines whether to execute the other application on the server or the client. If the application is to be executed on the client, the server delegator instructs a component that executes on the client to execute the application on the client. Otherwise, the application is executed on the server and data representing the user interface of the application is sent to the client so that the client may present the user interface to a user.
    Type: Application
    Filed: November 15, 2007
    Publication date: May 21, 2009
    Applicant: MICROSOFT CORPORATION
    Inventors: Amos Ortal, Nir Nice, Ashwin Palekar, Craig Alan Nelson, Paresh Ramchandra Haridas
  • Patent number: 7533407
    Abstract: A client quarantine agent requests a bill of health from a quarantine server, and receives a manifest of checks that the client computer must perform. The quarantine agent then sends a status report on the checks back to the quarantine server. If the client computer is in a valid security state, the bill of health is issued to the client. If the client computer is in an invalid state, the client is directed to install the appropriate software/patches to achieve a valid state. When a client requests the use of network resources from a network administrator, the network administrator requests the client's bill of health. If the bill of health is valid, the client is admitted to the network. If the bill of health is invalid, the client is placed in quarantine.
    Type: Grant
    Filed: April 14, 2004
    Date of Patent: May 12, 2009
    Assignee: Microsoft Corporation
    Inventors: Elliot D. Lewis, Hakan Berk, Narendra C. Gidwani, Jesper M. Johansson, Timothy M. Moore, Ashwin Palekar, Calvin C. Choe
  • Patent number: 7529933
    Abstract: An authentication protocol can be used to establish a secure method of communication between two devices on a network. Once established, the secure communication can be used to authenticate a client through various authentication methods, providing security in environments where intermediate devices cannot be trusted, such as wireless networks, or foreign network access points. Additionally, the caching of session keys and other relevant information can enable the two securely communicating endpoints to quickly resume their communication despite interruptions, such as when one endpoint changes the access point through which it is connected to the network. Also, the secure communication between the two devices can enable users to roam off of their home network, providing a mechanism by which access through foreign networks can be granted, while allowing the foreign network to monitor and control the use of its bandwidth.
    Type: Grant
    Filed: May 30, 2002
    Date of Patent: May 5, 2009
    Assignee: Microsoft Corporation
    Inventors: Ashwin Palekar, Arun Ayyagari, Daniel R. Simon
  • Patent number: 7505596
    Abstract: A system and method for facilitating automatic detection of a type of wireless network is provided. In accordance with an aspect of the present invention, wireless network client(s) can automatically detect the “type” of a network (e.g., method of authentication and encryption) without requiring input from the user. For example, unencrypted network, WEP encrypted network requiring a WEP key, WPA encrypted network requiring a pre-shared key, an IEEE 802.1x enabled network supporting WPA and/or an IEEE 802.1x enabled network not supporting WPA. In accordance with an aspect of the present invention, a wireless network detection system having a connection component and a detection component is provided. The connection component facilitates connection of a client system to at least one of a plurality of wireless networks. The detection component identifies a type of an available wireless network.
    Type: Grant
    Filed: December 5, 2003
    Date of Patent: March 17, 2009
    Assignee: Microsoft Corporation
    Inventors: Jean-Pierre Duplessis, Sean Lyndersay, Anton Krantz, Mohammad S. Alam, Ashwin Palekar, Timothy M. Moore
  • Publication number: 20090006537
    Abstract: An integration system is disclosed that provides a virtual desktop integration with terminal services. A client computer is connected to one of the virtual desktops operating in a server. The client computer examines information contained in a remote desktop protocol (RDP) compliant packet supplied by the server. The client computer connects to one of the many virtual desktops based on the information. Use of the information enables integration of the virtual desktop with the existing terminal session deployment model. Client devices can establish a session using a single network name and can be appropriately directed to either a virtual desktop or terminal session.
    Type: Application
    Filed: June 29, 2007
    Publication date: January 1, 2009
    Applicant: MICROSOFT CORPORATION
    Inventors: Ashwin Palekar, David T. Dopson, Rouslan Beletski, Ido Ben-Shachar, Robert K. Leitman, Huei Chung Wang, Sriram Sampath, Tad Dennis Brockway
  • Publication number: 20080208957
    Abstract: Described are systems and methods for implementing quarantine over a remoting protocol. The systems and methods verify whether remotely connected computing devices or client devices comply with specified system health requirements. This includes determining whether the remotely connected computing devices have correct security software installed, current operating system updates, correct configuration, etc.
    Type: Application
    Filed: February 28, 2007
    Publication date: August 28, 2008
    Applicant: Microsoft Corporation
    Inventors: Lisen Ding, Meher Malakapalli, Ashwin Palekar, Ido Ben-Shachar, Venugopala Rao Moram
  • Publication number: 20070260738
    Abstract: Embodiments herein address some of the problems associated with compromised configuration files used in remote sessions of a virtual computing environment. Accordingly, a subset of settings in a configuration file are secured from malicious or accidental modification, while other portions of the configuration file are modifiable by a user as desired without invalidating the integrity of the secure subset. This not only allows for the user to be assured of the integrity of the settings, but also provides an administrator of the remote or terminal server with the ability to control how and what access a client has to resources thereon. Such access may be further controlled based on a trust level between the client, server, and/or publisher of the configuration file.
    Type: Application
    Filed: May 5, 2006
    Publication date: November 8, 2007
    Applicant: Microsoft Corporation
    Inventors: Ashwin Palekar, Elton Saul, Ersev Erdogan, Jeson Patel, Rajneesh Mahajan, Russell Morgan, Kevin London
  • Publication number: 20070233804
    Abstract: The present invention extends to methods, systems, and computer program products for providing remote application access in accordance with decentralized configuration information. Client side data representing a request for a list of remote applications is received. One or more lists of remote applications resident at terminal servers are accessed. Filter criteria to apply to the one or more lists of available remote applications are identified based on the client side data. The identified filter criteria are applied to the one or more lists of available remote applications to reduce the one or more lists of available remote applications to a targeted subset of remote applications. Application access data is returned for each remote application in the subset of remote applications to the client computer system such that the client computer system can use the application access data to remotely execute targeted remote applications.
    Type: Application
    Filed: March 31, 2006
    Publication date: October 4, 2007
    Applicant: Microsoft Corporation
    Inventors: Ashwin Palekar, Ido Ben-Shachar, Robert Leitman, Russell Morgan
  • Publication number: 20070157027
    Abstract: An authentication protocol can be used to establish a secure method of communication between two devices on a network. Once established, the secure communication can be used to authenticate a client through various authentication methods, providing security in environments where intermediate devices cannot be trusted, such as wireless networks, or foreign network access points. Additionally, the caching of session keys and other relevant information can enable the two securely communicating endpoints to quickly resume their communication despite interruptions, such as when one endpoint changes the access point through which it is connected to the network. Also, the secure communication between the two devices can enable users to roam off of their home network, providing a mechanism by which access through foreign networks can be granted, while allowing the foreign network to monitor and control the use of its bandwidth.
    Type: Application
    Filed: March 12, 2007
    Publication date: July 5, 2007
    Applicant: Microsoft Corporation
    Inventors: Ashwin Palekar, Arun Ayyagari, Daniel Simon
  • Publication number: 20070101409
    Abstract: Methods of obtaining information during an authentication session. Information may be obtained, during the authentication session, about a device that is attempting to connect to a network. The information that is obtained may be related to health parameters of the device, or any other suitable information. Obtaining this information during an authentication session may enable determining whether to allow the device to connect to the network.
    Type: Application
    Filed: November 1, 2005
    Publication date: May 3, 2007
    Applicant: Microsoft Corporation
    Inventors: Ashwin Palekar, Hakan Berk, Mudit Goel
  • Publication number: 20070061878
    Abstract: Implementations of the present invention efficiently establish secure connections between a client and server, at least in part by authenticating the client and server early on in the connection setup phases. A client initiating a connection with a server identifies the secure communication protocols enabled at the client, and identifies these protocols in a connection request it sends to the server. The server processes the message and responds with a communication protocol it deems appropriate for the connection. The client and server then exchange appropriate authentication information, and then establish a connection session that implements the chosen communication protocol, and encrypts messages using the negotiated communication protocol. Additional implementations relate to reestablishing dropped connections behind virtual Internet Protocol addresses, without necessarily having to recommit much connection resource overhead.
    Type: Application
    Filed: February 15, 2006
    Publication date: March 15, 2007
    Applicant: Microsoft Corporation
    Inventors: Costin Hagiu, Elton Saul, Rajneesh Mahajan, Sergey Kuzin, Joy Chik, John Parsons, Ashwin Palekar, Ara Bernardi
  • Publication number: 20060195899
    Abstract: Implementations of the present invention relate to a communication framework that is readily adaptable to a wide variety of resources intended to be accessible through a firewall. In general, a communication framework at a gateway server can provide a specific connection to a requested resource in accordance with a wide range of resource and/or network access policies. In one instance, a client requests a connection to a specific resource behind a firewall. The communication framework authenticates the connection, and quarantines the connection until determining, for example, that the client is using appropriate resource features. If appropriately authenticated, the communication framework can pass control of the connection to an appropriately identified protocol plug-in processor, which facilitates a direct connection to the requested resource at an application layer of a communication stack.
    Type: Application
    Filed: January 5, 2006
    Publication date: August 31, 2006
    Applicant: Microsoft Corporation
    Inventors: Ido Ben-Shachar, Ashwin Palekar, David Steere, Joy Chik, Tudor Baraboi, Meher Malakapalli
  • Publication number: 20060015935
    Abstract: The distributed firewall performs user authentication at a first level to establish a user security context for traffic from that user, and an authority context provides authorization for subsequent traffic. This authority context may be based on an underlying policy for particular types of traffic, access to particular applications, etc. Additionally, the system includes the ability to allow a user/process/application to define its own access control. The linking of the user security context from the traffic to the application is accomplished by enabling IPSec on a socket and forcing the socket to be bound in exclusive mode. The most common policy definitions may be included by default. Extensions of the Internet key exchange protocol (IKE) to provide the desired user authentication plus application/purpose are also provided. The architecture includes pluggable authorization module(s) that are called after IKE has successfully authenticated the peer, but before the connection is allowed to complete.
    Type: Application
    Filed: September 22, 2005
    Publication date: January 19, 2006
    Applicant: Microsoft Corporation
    Inventors: William Dixon, Gurdeep Pall, Ashwin Palekar, Bernard Aboba, Brian Swander
  • Publication number: 20060005229
    Abstract: A policy server program evaluates one or more policy statements based on the group or groups to which a user belongs as well as other conditions. Each policy statement expresses an implementation of the access policy of the network, and is associated with a profile. The profile contains one or more actions that are to be applied to the user. The policy server program determines the identity of the group or groups to which the user belongs by referencing one or more group attributes contained in a user object which is located in a directory on the network. The user object and its group parameters are established when the user is added to the directory, while a policy statement for a group can be created at any time.
    Type: Application
    Filed: August 4, 2005
    Publication date: January 5, 2006
    Applicant: Microsoft Corporation
    Inventors: Ashwin Palekar, Bernard Aboda, Narendra Gidwani, Michel Guittet, Todd Paul, David Eitelbach, Stephen Bensley
  • Publication number: 20050267954
    Abstract: A system and method for ensuring that machines having invalid or corrupt states are restricted from accessing network resources are provided. A quarantine coordination client (QCC) located on a client machine acquires statements of health from a plurality of quarantine policy clients. The QCC packages the statements and provides the package to a quarantine enforcement client (QEC). The QEC sends the package to a quarantine enforcement server (QES) with a request for network access. The QES passes the package to a quarantine coordination server (QCS) that disassembles the package and passes the individual statements of health to corresponding quarantine policy servers (QPS). The QPSs validate the statements of health and inform the QCS of the result. If the client provided valid statements of health, the QES grants the client access to the network.
    Type: Application
    Filed: October 27, 2004
    Publication date: December 1, 2005
    Applicant: Microsoft Corporation
    Inventors: Elliot Lewis, Hakan Berk, Ljubomir Bradic, Calvin Choe, Narendra Gidwani, Vivek Kamath, Timothy Moore, Ashwin Palekar
  • Patent number: 6941465
    Abstract: A policy server program evaluates one or more policy statements based on the group or groups to which a user belongs as well as other conditions. Each policy statement expresses an implementation of the access policy of the network, and is associated with a profile. The profile contains one or more actions that are to be applied to the user. The policy server program determines the identity of the group or groups to which the user belongs by referencing one or more group attributes contained in a user object which is located in a directory on the network. The user object and its group parameters are established when the user is added to the directory, while a policy statement for a group can be created at any time.
    Type: Grant
    Filed: July 26, 1999
    Date of Patent: September 6, 2005
    Assignee: Microsoft Corporation
    Inventors: Ashwin Palekar, Bernard D. Aboba, Narendra C. Gidwani, Michel Guittet, Todd L. Paul, David L. Eitelbach, Stephen E. Bensley
  • Publication number: 20050131997
    Abstract: A system and method for ensuring that machines having invalid or corrupt states are restricted from accessing network resources are provided. A quarantine server located on a trusted machine in a network provides a bill of health to a quarantine agent located on a client computer that wishes to gain access to network resources administered by an organization. The quarantine agent requests a bill of health from the quarantine server, and receives a manifest of checks that the client computer must perform. The quarantine agent then sends a status report on the checks back to the quarantine server. If the client computer is in a valid security state, the bill of health is issued to the client. If the client computer is in an invalid state, the client is directed to install the appropriate software/patches to achieve a valid state. When a client requests the use of network resources from a network administrator, the network administrator requests the client's bill of health.
    Type: Application
    Filed: April 14, 2004
    Publication date: June 16, 2005
    Applicant: Microsoft Corporation
    Inventors: Elliot Lewis, Hakan Berk, Narendra Gidwani, Jesper Johansson, Timothy Moore, Ashwin Palekar
  • Publication number: 20050125693
    Abstract: A system and method for facilitating automatic detection of a type of wireless network is provided. In accordance with an aspect of the present invention, wireless network client(s) can automatically detect the “type” of a network (e.g., method of authentication and encryption) without requiring input from the user. For example, unencrypted network, WEP encrypted network requiring a WEP key, WPA encrypted network requiring a pre-shared key, an IEEE 802.1x enabled network supporting WPA and/or an IEEE 802.1x enabled network not supporting WPA. In accordance with an aspect of the present invention, a wireless network detection system having a connection component and a detection component is provided. The connection component facilitates connection of a client system to at least one of a plurality of wireless networks. The detection component identifies a type of an available wireless network.
    Type: Application
    Filed: December 5, 2003
    Publication date: June 9, 2005
    Inventors: Jean-Pierre Duplessis, Sean Lyndersay, Anton Krantz, Mohammad Alam, Ashwin Palekar, Timothy Moore