Abstract: A software-defined wide area network (SD-WAN) environment that leverages network virtualization management deployment is provided. Edge security services managed by the network virtualization management deployment are made available in the SD-WAN environment. Cloud gateways forward SD-WAN traffic to managed service nodes to apply security services. Network traffic is encapsulated with corresponding metadata to ensure that services can be performed according to the desired policy. Point-to-point tunnels are established between cloud gateways and the managed service nodes to transport the metadata to the managed service nodes using an overlay logical network. Virtual network identifiers (VNIs) in the metadata are used by the managed service nodes to identify tenants/policies.

Abstract: A software-defined wide area network (SD-WAN) environment that leverages network virtualization management deployment is provided. Edge security services managed by the network virtualization management deployment are made available in the SD-WAN environment. Cloud gateways forward SD-WAN traffic to managed service nodes to apply security services. Network traffic is encapsulated with corresponding metadata to ensure that services can be performed according to the desired policy. Point-to-point tunnels are established between cloud gateways and the managed service nodes to transport the metadata to the managed service nodes using an overlay logical network. Virtual network identifiers (VNIs) in the metadata are used by the managed service nodes to identify tenants/policies.

Abstract: A software-defined wide area network (SD-WAN) environment that leverages network virtualization management deployment is provided. Edge security services managed by the network virtualization management deployment are made available in the SD-WAN environment. Cloud gateways forward SD-WAN traffic to managed service nodes to apply security services. Network traffic is encapsulated with corresponding metadata to ensure that services can be performed according to the desired policy. Point-to-point tunnels are established between cloud gateways and the managed service nodes to transport the metadata to the managed service nodes using an overlay logical network. Virtual network identifiers (VNIs) in the metadata are used by the managed service nodes to identify tenants/policies.

Abstract: Some embodiments configure an edge forwarding element to perform service insertion operations to identify stateful services to perform for data messages received for forwarding by the edge forwarding element at multiple virtual interfaces of the edge forwarding element. The service insertion operation, in some embodiments, includes applying a set of service insertion rules. The service insertion rules (1) specify a set of criteria and a corresponding action to take for data messages matching the criteria and (2) are associated with a set of interfaces to which the service insertion rules are applied. In some embodiments, the action is specified using a universally unique identifier (UUID) that is then used as a matching criteria for a subsequent policy lookup that identifies a type of service insertion and a set of next hop data.

Abstract: Some embodiments provide novel inline switches that distribute data messages from source compute nodes (SCNs) to different groups of destination service compute nodes (DSCNs). In some embodiments, the inline switches are deployed in the source compute nodes datapaths (e.g., egress datapath). The inline switches in some embodiments are service switches that (1) receive data messages from the SCNs, (2) identify service nodes in a service-node cluster for processing the data messages based on service policies that the switches implement, and (3) use tunnels to send the received data messages to their identified service nodes. Alternatively, or conjunctively, the inline service switches of some embodiments (1) identify service-nodes cluster for processing the data messages based on service policies that the switches implement, and (2) use tunnels to send the received data messages to the identified service-node clusters.

Abstract: Some embodiments provide novel methods for performing services for machines operating in one or more datacenters. For instance, for a group of related guest machines (e.g., a group of tenant machines), some embodiments define two different forwarding planes: (1) a guest forwarding plane and (2) a service forwarding plane. The guest forwarding plane connects to the machines in the group and performs L2 and/or L3 forwarding for these machines. The service forwarding plane (1) connects to the service nodes that perform services on data messages sent to and from these machines, and (2) forwards these data messages to the service nodes. In some embodiments, the guest machines do not connect directly with the service forwarding plane. For instance, in some embodiments, each forwarding plane connects to a machine or service node through a port that receives data messages from, or supplies data messages to, the machine or service node.

Abstract: A communal computing device, such as an interactive digital whiteboard, can become unlocked if a user is near the device. The communal computing device may use a sensor such as a camera to capture images of a person and obtain an identifier from a personal device such as a smartphone. A cloud-based provider that is trusted by both the communal computing device and the personal device may associate both the image and the identifier of the personal device with the same user identity. Obtaining the user identity from multiple, different sources provides a secure technique for the communal computing device to recognize a user without the user directly interacting with the communal computing device. If the sensor no longer detects the user or the personal device is no longer detected, then the communal computing device may log off the user. The personal device may be used to confirm log off.

Abstract: Some embodiments provide stateful services in a chain of services identified for some data messages. The edge forwarding element receives a data message at a particular interface of the edge forwarding element that is traversing the edge forwarding element in a forward direction between two machines. The edge forwarding element identifies (1) a set of stateful services for the received data message and (2) a next hop associated with the identified set of stateful services in the forward direction and a next hop associated with the identified set of stateful services in the reverse direction. Based on the identified set of services and the next hops for the forward and reverse directions, the edge forwarding element generates and stores first and second connection tracking records for the forward and reverse data message flows, respectively used to forward data messages received subsequently for the flow.

Abstract: Some embodiments provide novel methods for performing services for machines operating in one or more datacenters. For instance, for a group of related guest machines (e.g., a group of tenant machines), some embodiments define two different forwarding planes: (1) a guest forwarding plane and (2) a service forwarding plane. The guest forwarding plane connects to the machines in the group and performs L2 and/or L3 forwarding for these machines. The service forwarding plane (1) connects to the service nodes that perform services on data messages sent to and from these machines, and (2) forwards these data messages to the service nodes. In some embodiments, the guest machines do not connect directly with the service forwarding plane. For instance, in some embodiments, each forwarding plane connects to a machine or service node through a port that receives data messages from, or supplies data messages to, the machine or service node.

Abstract: A communal computing device, such as an interactive digital whiteboard, can become unlocked if a user is near the device. The communal computing device may use a sensor such as a camera to capture images of a person and obtain an identifier from a personal device such as a smartphone. A cloud-based provider that is trusted by both the communal computing device and the personal device may associate both the image and the identifier of the personal device with the same user identity. Obtaining the user identity from multiple, different sources provides a secure technique for the communal computing device to recognize a user without the user directly interacting with the communal computing device. If the sensor no longer detects the user or the personal device is no longer detected, then the communal computing device may log off the user. The personal device may be used to confirm log off.

Abstract: A novel method for dynamic network service allocation that maps generic services into specific configurations of service resources in a network is provided. An application that is assigned to be performed by computing resources in the network is associated with a set of generic services, and the method maps the set of generic services to the service resources based on the assignment of the application to the computing resources. The mapping of generic services is further based on a level of service that is chosen for the application, where the set of generic services are mapped to different sets of network resources according to different levels of services.

Abstract: A software-defined wide area network (SD-WAN) environment that leverages network virtualization management deployment is provided. Edge security services managed by the network virtualization management deployment are made available in the SD-WAN environment. Cloud gateways forward SD-WAN traffic to managed service nodes to apply security services. Network traffic is encapsulated with corresponding metadata to ensure that services can be performed according to the desired policy. Point-to-point tunnels are established between cloud gateways and the managed service nodes to transport the metadata to the managed service nodes using an overlay logical network. Virtual network identifiers (VNIs) in the metadata are used by the managed service nodes to identify tenants/policies.

Abstract: A user provides an identification (ID) signal (e.g. a biometric ID signal like a self-snapshot) to a trusted cloud-based provider. When the user attempts to authenticate with the cloud-based provider, a similar ID signal (e.g. another self-snapshot) for the user is captured and provided to the cloud-based provider. The cloud-based provider then obtains a secondary ID signal, or a combination of secondary ID signals, and utilizes the secondary ID signal, or signals, to identify a subset of user records to be searched for the ID signal. The subset of the records, rather than all of the user records, can then be searched for the ID signal. The cloud-based provider can then authenticate the user based on the results of the search of the subset of the user records.

Abstract: A user provides an identification (ID) signal (e.g. a biometric ID signal like a self-snapshot) to a trusted cloud-based provider. When the user attempts to authenticate with the cloud-based provider, a similar ID signal (e.g. another self-snapshot) for the user is captured and provided to the cloud-based provider. The cloud-based provider then obtains a secondary ID signal, or a combination of secondary ID signals, and utilizes the secondary ID signal, or signals, to identify a subset of user records to be searched for the ID signal. The subset of the records, rather than all of the user records, can then be searched for the ID signal. The cloud-based provider can then authenticate the user based on the results of the search of the subset of the user records.

Abstract: Files can be located using a durable and universal file identifier. A content URI includes a file protocol URI specifying a path to a file. The file protocol URI includes a query string specifying properties of the file that can be utilized to locate the file, such as an object ID property specifying a GUID for the file and a volume ID property specifying a GUID for a storage volume storing the file. The content URI can be utilized to locate the file using the file protocol URI and its associated query string even if the file has been moved, renamed, or is accessed on a different computing device. Operations can then be performed using the file, such as resuming a previously performed activity that used the file.

Abstract: A multi-user computing device, such a communal computing device like an interactive digital whiteboard, can execute single user aware (“SUA”) applications and multi-user aware (“MUA”) applications. Instances of SUA applications execute in the context of a single user. MUA applications can execute in the contexts of multiple authenticated users simultaneously. A multi-user aware OS platform authenticates and de-authenticates users of the multi-user computing device. The multi-user aware OS platform provides notifications to MUA applications when users are authenticated and de-authenticated. When a new user is authenticated, MUA applications begin executing in the context of the newly authenticated user and any other previously authenticated users. When users are de-authenticated, MUA applications stop executing in the context of the de-authenticated user but continue executing in the context of the remaining authenticated users of the multi-user computing device.

Abstract: In non-limiting examples of the present disclosure, systems, methods and devices for integrating web services in shell constructs are provided. Web browsing data, application activity data, and/or device data for a user may be received. A machine learning model may be applied to the data. One or more recommendations may be surfaced based on application of the machine learning model to the data. The recommendations may comprise one or more of: recommendations to install applications; recommendations to add service extensions; recommendations to pin and/or add a shortcut to a website; and/or recommendations to add platform integration services amongst multiple devices.

Abstract: A communal computing device, like an interactive digital whiteboard, can detect the start and end of user sessions with the device. When a communal computing device detects the end of a user session, the it can determine if a personal device that was connected at the start of the user session or during the user session was also connected at the end of the user session. If so, the device can initiate actions based on the session start or end signals such as, but not limited to, transmitting a message to an organizer of a meeting scheduled during the time of the user session, transmitting a message to a participant of a meeting scheduled during the time of the user session, transmitting a message to an administrator, or generating a notification, such as a user interface reminding a user to take their personal device.

Abstract: Files can be located using a durable and universal file identifier. A content URI includes a file protocol URI specifying a path to a file. The file protocol URI includes a query string specifying properties of the file that can be utilized to locate the file, such as an object ID property specifying a GUID for the file and a volume ID property specifying a GUID for a storage volume storing the file. The content URI can be utilized to locate the file using the file protocol URI and its associated query string even if the file has been moved, renamed, or is accessed on a different computing device. Operations can then be performed using the file, such as resuming a previously performed activity that used the file.

Abstract: In non-limiting examples of the present disclosure, systems, methods and devices for integrating web services in shell constructs are provided. Web browsing data, application activity data, and/or device data for a user may be received. A machine learning model may be applied to the data. One or more recommendations may be surfaced based on application of the machine learning model to the data. The recommendations may comprise one or more of: recommendations to install applications; recommendations to add service extensions; recommendations to pin and/or add a shortcut to a website; and/or recommendations to add platform integration services amongst multiple devices.