Abstract: A method of traffic forwarding and disambiguation through the use of local proxies and addresses. The technique leverages DNS to on-ramp traffic to a local proxy. The local proxy runs on the end user's device. According to a first embodiment, DNS is used to remap what would normally be a wide range of IP addresses to localhost based on 127.0.0.0/8 listening sockets, where the system can then listen for connections and data. In a second embodiment, a localhost proxy based on a TUN/TAP interface (or other packet interception method) with a user-defined CIDR range to which the local DNS server drives traffic is used. Requests on that local proxy are annotated (by adding data to the upstream connection).

Abstract: A service consumer that utilizes a cloud-based access service provided by a service provider has associated therewith a network that is not capable of being controlled by the service provider. An enterprise connector is supported in this uncontrolled network, preferably as an appliance-based solution. According to this disclosure, the enterprise configures an appliance and then deploys it in the uncontrolled network. To this end, an appliance is required to proceed through a multi-stage approval protocol before it is accepted as a “connector” and is thus enabled for secure communication with the service provider. The multiple stages include a “first contact” (back to the service) stage, an undergoing approval stage, a re-generating identity material stage, and a final approved and configured stage. Unless the appliance passes through these stages, the appliance is not permitted to interact with the service as a connector.

Abstract: A method of traffic forwarding and disambiguation through the use of local proxies and addresses. The technique leverages DNS to on-ramp traffic to a local proxy. The local proxy runs on the end user's device. According to a first embodiment, DNS is used to remap what would normally be a wide range of IP addresses to localhost based on 127.0.0.0/8 listening sockets, where the system can then listen for connections and data. In a second embodiment, a localhost proxy based on a TUN/TAP interface (or other packet interception method) with a user-defined CIDR range to which the local DNS server drives traffic is used. Requests on that local proxy are annotated (by adding data to the upstream connection).

Abstract: A service consumer that utilizes a cloud-based access service provided by a service provider has associated therewith a network that is not capable of being controlled by the service provider. An enterprise connector is supported in this uncontrolled network, preferably as an appliance-based solution. According to this disclosure, the enterprise configures an appliance and then deploys it in the uncontrolled network. To this end, an appliance is required to proceed through a multi-stage approval protocol before it is accepted as a “connector” and is thus enabled for secure communication with the service provider. The multiple stages include a “first contact” (back to the service) stage, an undergoing approval stage, a re-generating identity material stage, and a final approved and configured stage. Unless the appliance passes through these stages, the appliance is not permitted to interact with the service as a connector.

Abstract: A method of traffic forwarding and disambiguation through the use of local proxies and addresses. The technique leverages DNS to on-ramp traffic to a local proxy. The local proxy runs on the end user's device. According to a first embodiment, DNS is used to remap what would normally be a wide range of IP addresses to localhost based on 127.0.0.0/8 listening sockets, where the system can then listen for connections and data. In a second embodiment, a localhost proxy based on a TUN/TAP interface (or other packet interception method) with a user-defined CIDR range to which the local DNS server drives traffic is used. Requests on that local proxy are annotated (by adding data to the upstream connection).

Abstract: A service consumer that utilizes a cloud-based access service provided by a service provider has associated therewith a network that is not capable of being controlled by the service provider. An enterprise connector is supported in this uncontrolled network, preferably as an appliance-based solution. According to this disclosure, the enterprise configures an appliance and then deploys it in the uncontrolled network. To this end, an appliance is required to proceed through a multi-stage approval protocol before it is accepted as a “connector” and is thus enabled for secure communication with the service provider. The multiple stages include a “first contact” (back to the service) stage, an undergoing approval stage, a re-generating identity material stage, and a final approved and configured stage. Unless the appliance passes through these stages, the appliance is not permitted to interact with the service as a connector.

Abstract: A service consumer that utilizes a cloud-based access service provided by a service provider has associated therewith a network that is not capable of being controlled by the service provider. An enterprise connector is supported in this uncontrolled network, preferably as an appliance-based solution. According to this disclosure, the enterprise configures an appliance and then deploys it in the uncontrolled network. To this end, an appliance is required to proceed through a multi-stage approval protocol before it is accepted as a “connector” and is thus enabled for secure communication with the service provider. The multiple stages include a “first contact” (back to the service) stage, an undergoing approval stage, a re-generating identity material stage, and a final approved and configured stage. Unless the appliance passes through these stages, the appliance is not permitted to interact with the service as a connector.

Abstract: A system is provided to deliver an application, hosted by a private application provider system, over a network to a user device, comprising: an application delivery system that includes a first network interface, a network security interface and a second network interface; wherein the network security interface is configured to determine whether a user or device request for access to an application is valid, and in response to determining that the user or device request for access to the first application is valid, to send the user or device request to the application agent.

Abstract: A method of traffic forwarding and disambiguation through the use of local proxies and addresses. The technique leverages DNS to on-ramp traffic to a local proxy. The local proxy runs on the end user's device. According to a first embodiment, DNS is used to remap what would normally be a wide range of IP addresses to localhost based on 127.0.0.0/8 listening sockets, where the system can then listen for connections and data. In a second embodiment, a localhost proxy based on a TUN/TAP interface (or other packet interception method) with a user-defined CIDR range to which the local DNS server drives traffic is used. Requests on that local proxy are annotated (by adding data to the upstream connection).

Abstract: A system to deliver an application, hosted by a private application provider, over a network to a user device comprising: an application delivery system that includes, a frontend network interface that includes at least one first traffic director (FTD) instance; a network security interface that includes a plurality of traffic processing server (TPS) instances; a backend network interface that includes at least one backend traffic director (BTD) instance; and at least one agent that is associated with the application and that is disposed within the private application provider system; wherein a federated TLS ticket is used to filter TLS connection requests received by an FTD instance; and wherein a TLS extension is used to filter TLS connection requests received by a BTD instance.

Abstract: A system is provided to deliver an application, hosted by a private application provider system, over a network to a user device, comprising: an application delivery system that includes a first network interface, a network security interface and a second network interface; wherein the network security interface is configured to determine whether a user or device request for access to an application is valid, and in response to determining that the user or device request for access to the first application is valid, to send the user or device request to the application agent.

Abstract: A system is provided to deliver an application, hosted by a private application provider system, over a network to a user device, comprising: an application delivery system that includes a first network interface, a network security interface and a second network interface; wherein the network security interface is configured to determine whether a user or device request for access to an application is valid, and in response to determining that the user or device request for access to the first application is valid, to send the user or device request to the application agent.

Abstract: A system to deliver an application, hosted by a private application provider, over a network to a user device comprising: an application delivery system that includes, a frontend network interface that includes at least one first traffic director (FTD) instance; a network security interface that includes a plurality of traffic processing server (TPS) instances; a backend network interface that includes at least one backend traffic director (BTD) instance; and at least one agent that is associated with the application and that is disposed within the private application provider system; wherein a federated TLS ticket is used to filter TLS connection requests received by an FTD instance; and wherein a TLS extension is used to filter TLS connection requests received by a BTD instance

Abstract: A service consumer that utilizes a cloud-based access service provided by a service provider has associated therewith a network that is not capable of being controlled by the service provider. An enterprise connector is supported in this uncontrolled network, preferably as an appliance-based solution. According to this disclosure, the enterprise configures an appliance and then deploys it in the uncontrolled network. To this end, an appliance is required to proceed through a multi-stage approval protocol before it is accepted as a “connector” and is thus enabled for secure communication with the service provider. The multiple stages include a “first contact” (back to the service) stage, an undergoing approval stage, a re-generating identity material stage, and a final approved and configured stage. Unless the appliance passes through these stages, the appliance is not permitted to interact with the service as a connector.

Abstract: A system to deliver an application, hosted by a private application provider, over a network to a user device comprising: an application delivery system that includes, a frontend network interface that includes at least one first traffic director (FTD) instance; a network security interface that includes a plurality of traffic processing server (TPS) instances; a backend network interface that includes at least one backend traffic director (BTD) instance; and at least one agent that is associated with the application and that is disposed within the private application provider system; wherein a federated TLS ticket is used to filter TLS connection requests received by an FTD instance; and wherein a TLS extension is used to filter TLS connection requests received by a BTD instance

Abstract: A system is provided to deliver an application, hosted by a private application provider system, over a network to a user device, comprising: an application delivery system that includes a first network interface, a network security interface and a second network interface; wherein the network security interface is configured to determine whether a user or device request for access to an application is valid, and in response to determining that the user or device request for access to the first application is valid, to send the user or device request to the application agent.

Abstract: A system to deliver an application, hosted by a private application provider, over a network to a user device comprising: an application delivery system that includes, a frontend network interface that includes at least one first traffic director (FTD) instance; a network security interface that includes a plurality of traffic processing server (TPS) instances; a backend network interface that includes at least one backend traffic director (BTD) instance; and at least one agent that is associated with the application and that is disposed within the private application provider system; wherein a federated TLS ticket is used to filter TLS connection requests received by an FTD instance; and wherein a TLS extension is used to filter TLS connection requests received by a BTD instance

Abstract: A system is provided to deliver an application, hosted by a private application provider system, over a network to a user device, comprising: an application delivery system that includes a first network interface, a network security interface and a second network interface; wherein the network security interface is configured to determine whether a user or device request for access to an application is valid, and in response to determining that the user or device request for access to the first application is valid, to send the user or device request to the application agent.

Abstract: A system is provided to deliver an application, hosted by a private application provider, over a network to a user device comprising: an application delivery system that includes a first network interface, a network security interface, and a second network interface; an application agent is disposed within the private application provider system. wherein the first network interface receives an encrypted user or device request for access to the hosted application sent over the network and to send the user or device request to the network security interface; wherein the network security interface is configured to decrypt the request, to validate request, to re-encrypt the request and to send the encrypted request to the second network interface; wherein the second network interface is configured to send the encrypted request over the network to the agent; and wherein the agent is configured to send the request to the hosted application.

Abstract: A system is provided comprising: an application delivery system that includes, a first network interface, a network security interface, and a second network interface; an agent is disposed within one or more private application provider systems; a security network interface instance determines whether a received request is valid, and in response to determining that the received user or device request is valid, to send the received request to a respective second network interface instance for delivery to the agent.