Abstract: Keep-alive processing for NAT devices and reducing power consumption in wireless clients. A server driven keep-alive mechanism facilitates keep-alive messages to a NAT device currently providing a connection to a mobile client to refresh the NAT state, thereby reducing or eliminating power consumption in a wireless device to respond to the connection with keep-alive packets. In one instance, keep-alive packets are sent to the NAT device to reset the NAT timeout timer, and then to the mobile client. The client responds only when expected keep-alive packets are not received at the client. In another instance, keep-alive packets reset the NAT timer to maintain the connection but are dropped or self-destruct before reaching the mobile client thereby providing the optimum power conservation in the mobile device. Thus, the client is not forced into extra client activity to send or receive wireless data, thereby draining the battery.

Abstract: Architecture for maintaining connection state of network address translation (NAT) devices by employing an out-of-band (OOB) technique externally to application connections without imposing additional requirements on the underlying native application(s). The OOB solution can be applied to arbitrary connections without requiring modification to an application protocol and works with TCP and UDP. A keep-alive (KA) application is employed as an OOB mechanism that injects KA packets that appear to the NAT device to be coming from the native connection. These injected packets fool the NAT device into resetting the inactivity timer for that connection, but do not fool or confuse the native application, which is oblivious to the spoofing. Accordingly, the connection will not terminate due to NAT timeouts, and therefore, a client/server protocol, for example, will not need to generate fake activity packets to keep the connection alive.

Abstract: Concurrent testing of NAT connections using different timeout values to compute a keep-alive value for the NAT device. Computation of the approximate timeout value is accomplished concurrently over multiple test connections within about a time equivalent to the actual NAT timeout value. The architecture validates the computation of the approximate timeout value by distinguishing NAT connection failure from external failure using a control connection. Moreover, computation of the keep-alive value is performed only once for a given NAT device rather than being an on-going process for that NAT device. When one of the test connections fails, it is determined that the NAT timeout value is less than the test timeout value associated with the failed test connection. Accordingly, a smaller test timeout value is then selected as the keep-alive value for keep-alive processing of the NAT device.

Abstract: A general-purpose proxy mobile device management architecture. The architecture serves as a proxy for a mobile client seeking services from backend systems. A virtual client image of state information associated with the mobile client is stored such that when the mobile client interacts with the proxy, the virtual image updates to the latest client state. Based on the changes to the state, the proxy system asynchronously accesses one or more arbitrary services of the backend systems on behalf of the mobile client. When the mobile client connects to the proxy, the proxy will have the latest services associated with the states of the virtual image, and updates the state of the mobile client. Updating and accessing occurs asynchronously on the frontend between the proxy and mobile devices and on the backend between the proxy and the backend systems.

Abstract: Systems and methods for performing explicit delegation with strong authentication are described herein. Systems can include one or more clients, one or more end servers, and one or more gateways intermediate or between the client and the end server. The client may include an explicit strong delegation component that is adapted to strongly authenticate the client to the gateway. The explicit strong delegation component may also explicitly delegate to the gateway a right to authenticate on behalf of the client, and to define a period of time over which the explicit delegation is valid. The system may be viewed as being self-contained, in the sense that the system need not access third-party certificate or key distribution authorities. Finally, the client controls the gateways or end servers to which the gateway may authenticate on the client's behalf.

Abstract: A network super-administrator can delegate to one or more network sub-administrators a scope of authority to create policy-based rules used to control access and usage of network resources. The super-administrator can define the delegated scope of authority through a set of policy-based rules and can indicate to which sub-administrator the scope of authority is delegated through an identifier associated with the particular sub-administrator.