Abstract: A method is provided method to control deployment of an application over a network in response to a client request sent over the network to access the application comprising: capturing at one or more first computing machines coupled to the network, an identifier of the requested application from the client request; sending information over the network from the one or more first computing machines coupled to the network to one or more second machines coupled to the network, wherein the information identifies the requested application and identifies a network address of an edge node at which to deploy the requested application; receiving the information at the one or more second machines coupled to the network; and causing by the one or more second machines coupled to the network, deployment of the application over the network to the edge node at the identified network address, based at least in part upon the received information.

Abstract: A method of traffic forwarding and disambiguation through the use of local proxies and addresses. The technique leverages DNS to on-ramp traffic to a local proxy. The local proxy runs on the end user's device. According to a first embodiment, DNS is used to remap what would normally be a wide range of IP addresses to localhost based on 127.0.0.0/8 listening sockets, where the system can then listen for connections and data. In a second embodiment, a localhost proxy based on a TUN/TAP interface (or other packet interception method) with a user-defined CIDR range to which the local DNS server drives traffic is used. Requests on that local proxy are annotated (by adding data to the upstream connection).

Abstract: A method of traffic forwarding and disambiguation through the use of local proxies and addresses. The technique leverages DNS to on-ramp traffic to a local proxy. The local proxy runs on the end user's device. According to a first embodiment, DNS is used to remap what would normally be a wide range of IP addresses to localhost based on 127.0.0.0/8 listening sockets, where the system can then listen for connections and data. In a second embodiment, a localhost proxy based on a TUN/TAP interface (or other packet interception method) with a user-defined CIDR range to which the local DNS server drives traffic is used. Requests on that local proxy are annotated (by adding data to the upstream connection).

Abstract: In one embodiment, an apparatus includes a processor and logic configured to designate one of a plurality of endpoint virtual network identifiers (EPVNIDs) for each endpoint device in a network, wherein each EPVNID is configured to be shared by one or more endpoint devices, designate a common waypoint virtual network identifier (WPVNID) for all transparent waypoint devices in the network which perform a same function, designate a unique WPVNID for each routed waypoint device in the network, designate a common virtual network identifier (VNID) for all virtual switches in a single virtual network, wherein a different VNID is designated for each virtual network, and create a service chain table comprising each VNID, WPVNID, and EPVNID designated in the network individually correlated with at least a pair of VNIDs: a source VNID and a destination VNID, based on one or more policies affecting application of services to packets in the network.

Abstract: A method of enabling single sign-on (SSO) access to an application executing in an enterprise, wherein authorized, secure access to specific enterprise applications are facilitated via an enterprise-based connector. In response to successful authentication of an end user via a first authentication method, a credential associated with the successful authentication is encrypted to generate an encrypted user token. The encrypted user token is then for storage in a database accessible by the enterprise-based connector. Following a redirect (e.g., from a login server instance) that returns the end user to the enterprise-based connector, the encrypted user token is fetched and decrypted recover the credential. The credential so recovered is then used to attempt to authenticate the user to an application via a second authentication method distinct from the first authentication method.

Abstract: A method of enabling single sign-on (SSO) access to an application executing in an enterprise, wherein authorized, secure access to specific enterprise applications are facilitated via an enterprise-based connector. In response to successful authentication of an end user via a first authentication method, a credential associated with the successful authentication is encrypted to generate an encrypted user token. The encrypted user token is then forwarded for storage in a database accessible by the enterprise-based connector. Following a redirect (e.g., from a login server instance) that returns the end user to the enterprise-based connector, the encrypted user token is fetched and decrypted to recover the credential. The credential so recovered is then used to attempt to authenticate the user to an application via a second authentication method distinct from the first authentication method.

Abstract: Embodiments of the invention relate to overlay network address management. One embodiment includes an overlay gateway including an overlay network manager associated with a physical network. The overlay network manager prevents duplicate address assignment for overlay domains having a first sharing status and performs address translation for overlay domains having a second sharing status. Address translation is avoided for overlay domains having the first sharing status.

Abstract: In one embodiment, an apparatus includes a processor and logic configured to designate one of a plurality of endpoint virtual network identifiers (EPVNIDs) for each endpoint device in a network, wherein each EPVNID is configured to be shared by one or more endpoint devices, designate a common waypoint virtual network identifier (WPVNID) for all transparent waypoint devices in the network which perform a same function, designate a unique WPVNID for each routed waypoint device in the network, designate a common virtual network identifier (VNID) for all virtual switches in a single virtual network, wherein a different VNID is designated for each virtual network, and create a service chain table comprising each VNID, WPVNID, and EPVNID designated in the network individually correlated with at least a pair of VNIDs: a source VNID and a destination VNID, based on one or more policies affecting application of services to packets in the network.

Abstract: A method includes receiving a packet from a first virtual machine (VM) in a distributed overlay virtual Ethernet (DOVE) network. A first virtual switch appends the packet with a tunnel header that is addressed for a second virtual switch. The first virtual switch acts as a virtual default gateway based on replacement of a first destination address for the virtual default gateway with a second destination address for a second VM. Multiple virtual gateways in the DOVE network share a same media access control (MAC) address.

Abstract: In one embodiment, an apparatus includes a processor and logic integrated with and/or executable by the processor. The logic is configured to cause the processor to receive one or more packets to be switched to a next hop, the one or more packets indicating a destination address and a first virtual network identifier (VNID). The logic is also configured to cause the processor to send a query to a controller in order to determine a service chain for the one or more packets, the query including the first VNID and the destination address. Moreover, the logic is configured to cause the processor to receive a response that includes the next hop and a next routed hop for the one or more packets. Other systems, methods, and computer program products are described in accordance with more embodiments.

Abstract: A method of traffic forwarding and disambiguation through the use of local proxies and addresses. The technique leverages DNS to on-ramp traffic to a local proxy. The local proxy runs on the end user's device. According to a first embodiment, DNS is used to remap what would normally be a wide range of IP addresses to localhost based on 127.0.0.0/8 listening sockets, where the system can then listen for connections and data. In a second embodiment, a localhost proxy based on a TUN/TAP interface (or other packet interception method) with a user-defined CIDR range to which the local DNS server drives traffic is used. Requests on that local proxy are annotated (by adding data to the upstream connection).

Abstract: A system to deliver an application, hosted by a private application provider, over a network to a user device comprising: an application delivery system that includes, a frontend network interface that includes at least one first traffic director (FTD) instance; a network security interface that includes a plurality of traffic processing server (TPS) instances; a backend network interface that includes at least one backend traffic director (BTD) instance; and at least one agent that is associated with the application and that is disposed within the private application provider system; wherein a federated TLS ticket is used to filter TLS connection requests received by an FTD instance; and wherein a TLS extension is used to filter TLS connection requests received by a BTD instance.

Abstract: One embodiment includes using a bridge device in support of a kernel bridge infrastructure. The kernel bridge infrastructure is modified using netfilter hooks to prevent forwarding of broadcast packets between bridge ports and to set a source media access control (MAC) address of an egress packet to a corresponding MAC address of a virtual network interface card (vNIC).

Abstract: Embodiments of the invention relate to overlay network address management. One embodiment includes an overlay gateway including an overlay network manager associated with a physical network. The overlay network manager prevents duplicate address assignment for overlay domains having a first sharing status and performs address translation for overlay domains having a second sharing status. Address translation is avoided for overlay domains having the first sharing status.

Abstract: Embodiments of the invention relate to overlay network address management. One embodiment includes an overlay gateway including an overlay network manager associated with a physical network. The overlay network manager prevents duplicate address assignment for overlay domains having a first sharing status and performs address translation for overlay domains having a second sharing status. Address translation is avoided for overlay domains having the first sharing status.

Abstract: A method includes receiving a packet from a first virtual machine (VM) in a distributed overlay virtual Ethernet (DOVE) network. A first virtual switch appends the packet with a tunnel header that is addressed for a second virtual switch. The first virtual switch acts as a virtual default gateway based on replacement of a first destination address for the virtual default gateway with a second destination address for a second VM. Multiple virtual gateways in the DOVE network share a same media access control (MAC) address.

Abstract: A method includes encapsulating, by a first virtual switch, a packet from a first virtual machine (VM) into a tunneled packet by appending the packet with a tunnel header that is addressed for a second virtual switch, wherein the packet includes a first destination address for a virtual default gateway. The first virtual switch forwards an inner packet of the encapsulated packet to a second VM. The first virtual switch acts as a virtual default gateway based on replacement of a first destination address for the virtual default gateway with a second destination address for the second VM.

Abstract: A method of enabling single sign-on (SSO) access to an application executing in an enterprise, wherein authorized, secure access to specific enterprise applications are facilitated via an enterprise-based connector. In response to successful authentication of an end user via a first authentication method, a credential associated with the successful authentication is encrypted to generate an encrypted user token. The encrypted user token is then for storage in a database accessible by the enterprise-based connector. Following a redirect (e.g., from a login server instance) that returns the end user to the enterprise-based connector, the encrypted user token is fetched and decrypted recover the credential. The credential so recovered is then used to attempt to authenticate the user to an application via a second authentication method distinct from the first authentication method.

Abstract: Embodiments of the invention relate to overlay network address management. One embodiment includes an overlay gateway including an overlay network manager associated with a physical network. The overlay network manager prevents duplicate address assignment for overlay domains having a first sharing status and performs address translation for overlay domains having a second sharing status. Address translation is avoided for overlay domains having the first sharing status.

Abstract: A system to deliver an application, hosted by a private application provider, over a network to a user device comprising: an application delivery system that includes, a frontend network interface that includes at least one first traffic director (FTD) instance; a network security interface that includes a plurality of traffic processing server (TPS) instances; a backend network interface that includes at least one backend traffic director (BTD) instance; and at least one agent that is associated with the application and that is disposed within the private application provider system; wherein a federated TLS ticket is used to filter TLS connection requests received by an FTD instance; and wherein a TLS extension is used to filter TLS connection requests received by a BTD instance