Abstract: A method of traffic forwarding and disambiguation through the use of local proxies and addresses. The technique leverages DNS to on-ramp traffic to a local proxy. The local proxy runs on the end user's device. According to a first embodiment, DNS is used to remap what would normally be a wide range of IP addresses to localhost based on 127.0.0.0/8 listening sockets, where the system can then listen for connections and data. In a second embodiment, a localhost proxy based on a TUN/TAP interface (or other packet interception method) with a user-defined CIDR range to which the local DNS server drives traffic is used. Requests on that local proxy are annotated (by adding data to the upstream connection).

Abstract: A method of traffic forwarding and disambiguation through the use of local proxies and addresses. The technique leverages DNS to on-ramp traffic to a local proxy. The local proxy runs on the end user's device. According to a first embodiment, DNS is used to remap what would normally be a wide range of IP addresses to localhost based on 127.0.0.0/8 listening sockets, where the system can then listen for connections and data. In a second embodiment, a localhost proxy based on a TUN/TAP interface (or other packet interception method) with a user-defined CIDR range to which the local DNS server drives traffic is used. Requests on that local proxy are annotated (by adding data to the upstream connection).

Abstract: A method of enabling single sign-on (SSO) access to an application executing in an enterprise, wherein authorized, secure access to specific enterprise applications are facilitated via an enterprise-based connector. In response to successful authentication of an end user via a first authentication method, a credential associated with the successful authentication is encrypted to generate an encrypted user token. The encrypted user token is then for storage in a database accessible by the enterprise-based connector. Following a redirect (e.g., from a login server instance) that returns the end user to the enterprise-based connector, the encrypted user token is fetched and decrypted recover the credential. The credential so recovered is then used to attempt to authenticate the user to an application via a second authentication method distinct from the first authentication method.

Abstract: A method of enabling single sign-on (SSO) access to an application executing in an enterprise, wherein authorized, secure access to specific enterprise applications are facilitated via an enterprise-based connector. In response to successful authentication of an end user via a first authentication method, a credential associated with the successful authentication is encrypted to generate an encrypted user token. The encrypted user token is then forwarded for storage in a database accessible by the enterprise-based connector. Following a redirect (e.g., from a login server instance) that returns the end user to the enterprise-based connector, the encrypted user token is fetched and decrypted to recover the credential. The credential so recovered is then used to attempt to authenticate the user to an application via a second authentication method distinct from the first authentication method.

Abstract: Methods, systems and computer readable media for securing mDNS in enterprise networks are described. In some implementations, the method can include authorizing one or more service advertisements and validating one or more service advertisements. The method can also include adding one or more information details to a record associated with an advertised service.

Abstract: A method of traffic forwarding and disambiguation through the use of local proxies and addresses. The technique leverages DNS to on-ramp traffic to a local proxy. The local proxy runs on the end user's device. According to a first embodiment, DNS is used to remap what would normally be a wide range of IP addresses to localhost based on 127.0.0.0/8 listening sockets, where the system can then listen for connections and data. In a second embodiment, a localhost proxy based on a TUN/TAP interface (or other packet interception method) with a user-defined CIDR range to which the local DNS server drives traffic is used. Requests on that local proxy are annotated (by adding data to the upstream connection).

Abstract: A system to deliver an application, hosted by a private application provider, over a network to a user device comprising: an application delivery system that includes, a frontend network interface that includes at least one first traffic director (FTD) instance; a network security interface that includes a plurality of traffic processing server (TPS) instances; a backend network interface that includes at least one backend traffic director (BTD) instance; and at least one agent that is associated with the application and that is disposed within the private application provider system; wherein a federated TLS ticket is used to filter TLS connection requests received by an FTD instance; and wherein a TLS extension is used to filter TLS connection requests received by a BTD instance.

Abstract: Embodiments herein include systems and methods for providing a mechanism to enable smooth, seamless, and reliable connectivity for wireless devices in a unified network. The system supports roaming of mobile units across mobility switches. A given mobile unit can retain its IP address in both intra-subnet and inter-subnet roaming scenarios. The given mobile unit also retains its membership to a mobility VLAN to which it had been assigned, even during roaming scenarios. Embodiments include a framework for wireless switches to advertise VLANs they support to peer wireless switches in the mobility domain, and to advertise their capability to act as VLAN servers for those VLANs. Embodiments support VLAN membership management capabilities that allow access points and peer wireless switches to request wireless switches to add VLANs to the tunnels they share.

Abstract: A method of enabling single sign-on (SSO) access to an application executing in an enterprise, wherein authorized, secure access to specific enterprise applications are facilitated via an enterprise-based connector. In response to successful authentication of an end user via a first authentication method, a credential associated with the successful authentication is encrypted to generate an encrypted user token. The encrypted user token is then for storage in a database accessible by the enterprise-based connector. Following a redirect (e.g., from a login server instance) that returns the end user to the enterprise-based connector, the encrypted user token is fetched and decrypted recover the credential. The credential so recovered is then used to attempt to authenticate the user to an application via a second authentication method distinct from the first authentication method.

Abstract: One or more implementations can include methods, systems and computer readable media for client location discovery. In some implementations, the method can include receiving, at an access point, a location discovery request message from a client and sending a request from the access point to a location server requesting location information for the client, when a location server is available. The method can also include receiving location information from the location server, when a location server is available and providing the access point location as location information, when a location server is not available. The method can further include sending the location information as a response to the client.

Abstract: A system to deliver an application, hosted by a private application provider, over a network to a user device comprising: an application delivery system that includes, a frontend network interface that includes at least one first traffic director (FTD) instance; a network security interface that includes a plurality of traffic processing server (TPS) instances; a backend network interface that includes at least one backend traffic director (BTD) instance; and at least one agent that is associated with the application and that is disposed within the private application provider system; wherein a federated TLS ticket is used to filter TLS connection requests received by an FTD instance; and wherein a TLS extension is used to filter TLS connection requests received by a BTD instance

Abstract: A mobility network architecture includes a control plane and data plane. The control plane supports notification of VLAN configurations. The data plane supports routing of data amongst VLANs. Each VLAN has an associated identifier value as well as a version number. The version number for a respective VLAN can be updated to a new value each time there is a change to the VLAN. Typically, a controller communicates over the control plane to notify each member switch when a version number has changed for a VLAN. If controller notification fails, a member switch can receive a notification from a neighboring switch that the version number for a VLAN has been modified. In response to detecting such a condition, the switch receiving the notification can prevent forwarding of data even though the switch does not receive notification from the controller that the version number for the VLAN has changed.

Abstract: Methods, systems and computer readable media for rogue access point detection are disclosed. In some implementations, the method can include initiating, at one or more processors of a wireless controller, a rogue access point detection process for a wireless network, and transmitting, from the one or more processors, a signature frame to a mobility agent in a wireless switch. The method can also include receiving, at an authorized access point, the signature frame transmitted via a wireless signal from a rogue access point. The method can further include reporting reception of the signature frame to the wireless controller, and generating, at the one or more processors, a signal to shut down a port associated with the rogue access point.

Abstract: Implementations relate to configuring wireless access points in a wireless network. In some implementations, a method includes selecting, from a plurality of wireless access points in a communication network, a configuring subset of wireless access points and a different compensating subset of wireless access points. New settings are applied to the compensating subset of wireless access points to change a physical coverage of wireless communication provided by the compensating subset, thus at least partially compensating for disabled wireless communication of the configuring subset. The method disables wireless communication provided by the configuring subset, and configures the disabled configuring subset of wireless access points.

Abstract: A wireless access point employs monitor to scrutinize priority of mobility unit assigned priority values, and replaces invalid or reserved values to prevent rogue or poorly constructed applications (apps) from improper priority specification and subsequent imbalance of priority message transmission for control and other high-priority message traffic. The access point receives an indication of reserved message priorities from a wireless switching point at a remote end of an access tunnel providing backhaul network access to mobility units coupled to the access point. The access point stores the reserved message priorities for comparison with priorities assigned at the mobility units. Messages having invalid priorities are modified to reduce the priority to an allowed value, such as best effort, prior to the message transmission through the access tunnel to the backhaul network.

Abstract: A system to deliver an application, hosted by a private application provider, over a network to a user device comprising: an application delivery system that includes, a frontend network interface that includes at least one first traffic director (FTD) instance; a network security interface that includes a plurality of traffic processing server (TPS) instances; a backend network interface that includes at least one backend traffic director (BTD) instance; and at least one agent that is associated with the application and that is disposed within the private application provider system; wherein a federated TLS ticket is used to filter TLS connection requests received by an FTD instance; and wherein a TLS extension is used to filter TLS connection requests received by a BTD instance

Abstract: A system to deliver an application, hosted by a private application provider, over a network to a user device comprising: an application delivery system that includes, a frontend network interface that includes at least one first traffic director (FTD) instance; a network security interface that includes a plurality of traffic processing server (TPS) instances; a backend network interface that includes at least one backend traffic director (BTD) instance; and at least one agent that is associated with the application and that is disposed within the private application provider system; wherein a federated TLS ticket is used to filter TLS connection requests received by an FTD instance; and wherein a TLS extension is used to filter TLS connection requests received by a BTD instance

Abstract: Some implementations can include a method including reserving a range of multicast addresses for handling link-local multicasts and generating a multicast group within the range for each VLAN. The method can also include subscribing at an access point to a corresponding multicast group for a VLAN when a client associates with the access point, and tunneling link local multicast traffic from the client to a WSP component via an access tunnel. The method can further include forwarding the link local multicast traffic from the WSP component to subscribing access points.

Abstract: Methods, systems and computer readable media for predictive client VLAN extension are described. In some implementations, the method can include determining client movement within a wireless network domain. The method can also include predicting one or more next hop access points for the client. The method can further include extending a client network to the one or more next hop access points prior to the client roaming to the one or more next hop access points.

Abstract: Methods, systems and computer readable media for rogue access point detection are disclosed. In some implementations, the method can include initiating, at one or more processors of a wireless controller, a rogue access point detection process for a wireless network, and transmitting, from the one or more processors, a signature frame to a mobility agent in a wireless switch. The method can also include receiving, at an authorized access point, the signature frame transmitted via a wireless signal from a rogue access point. The method can further include reporting reception of the signature frame to the wireless controller, and generating, at the one or more processors, a signal to shut down a port associated with the rogue access point.