Abstract: A cloud computing platform provides zero trust network access as a service to a customer that maintains an application on-premises. In this context, the customer may be required to demonstrate ownership of a domain before the cloud computing platform will provide access to the on-premises application via the domain.

Abstract: A cloud computing platform provides zero trust network access as a service to customers that maintain applications on-premises, and a zero trust network access appliance at the customer premises that couples the on-premises applications to the cloud computing platform. In this context, the number of secure tunnels maintained for an application between the customer premises and the cloud computing platform may be dynamically managed to support variations in user demand for the application.

Abstract: A cloud computing platform provides zero trust network access as a service to customers that maintain applications on-premises. In this context, the cloud computing platform may associate customers and/or applications with specific service proxies, and add an abstraction layer for network access that maps an alias domain for each customer and/or application to a network load balancer associated with the specific service proxies associated with the corresponding application(s). This approach advantageously simplifies the configuration of service proxies at the cloud computing platform by permitting dedicated relationships among network load balancers, specific service proxies, and specific applications, while concurrently reducing or avoiding the administrative burden on customers of updating network pointers when the clusters of service proxies are periodically reconfigured to adjust to varying user traffic.

Abstract: Infrastructure for zero trust network access (ZTNA) is deployed as a cloud-based service remotely from a customer premises where user applications are hosted. By connecting an appliance on the customer premises to the cloud-based service through a secure tunnel or the like, an application hosted on the customer premises can then be accessed externally as a ZTNA application without the customer premises opening a firewall to public networks or otherwise exposing potential attack surfaces to the customer premises.

Abstract: A cloud computing platform provides zero trust network access as a service to customers that maintain applications on-premises, and a zero trust network access appliance at the customer premises that couples the on-premises applications to the cloud computing platform. A customer may host multiple instances of the appliance in order to support scalable access, where each instance creates a separate secure tunnel to the cloud computing platform. In this context, when a new appliance authenticates a new secure tunnel, information such as a connector name, customer, and port for the tunnel may be shared on a control plane for the computing platform to facilitate programmatic load balancing within the cloud computing platform.

Abstract: Certain edge networking devices such as application gateways may report status to a cloud-based threat management platform using a persistent network connection between the gateway and the cloud platform. Where a cloud computing platform for an edge networking device or the treat management platform imposes periodic timeouts, the threat management platform may monitor connects and disconnects for edge devices and asynchronously evaluate connection status of edge devices independently of a heartbeat or other signal through the persistent connection in order to distinguish periodic timeouts imposed by the cloud computing platform from networking devices that are compromised or malfunctioning.

Abstract: A virtualized gateway for applications in a zero trust network access environment is managed from a cloud-based threat management facility for an enterprise network. In order to facilitate creation of a new, centrally managed gateway, a one-time passcode for registration of the gateway to the threat management facility is encoded onto a virtual disk and distributed to a host platform along with a base gateway image for the gateway. This advantageously permits the new gateway to boot and securely register with the threat management facility without further administrative intervention.

Abstract: A Transport Layer Security (TLS) handshake can be terminated early—i.e., before certificate validation—to reduce server-side demand, which can be particularly advantageous in counteracting Denial-of-Service (DOS) attacks and the like. To this end, an endpoint may provide a one-time password (OTP) in the client hello message during the initial steps of a TLS handshake or similar connection protocol. A gateway, upon receiving the client hello message, may generate its own OTP for comparison with the OTP in the client hello message. The endpoint and gateway may advantageously generate the OTP based on a secret provided by a threat management facility with a preexisting secure connection to the two entities. If the OTP provided in the client hello message and the OTP generated on the gateway are the same, then the TLS handshake may continue; otherwise, the Transmission Control Protocol (TCP) connection will be terminated by the gateway.

Abstract: A gateway performs silent authentication refreshes with an identity management platform in order to extend the expiration of a cookie provided to an endpoint that accesses network applications through the gateway.

Abstract: A gateway performs silent authentication refreshes with an identity management platform in order to extend the expiration of a cookie provided to an endpoint that accesses network applications through the gateway.

Abstract: In a cluster of network devices using a consensus protocol for cluster synchronization, a full software rollback is performed by backing up a cluster state on a primary instance for the cluster, and then restarting all devices at the same time from a prior partition. The primary instance can then start a cluster management service and other devices can join the cluster using the consensus state stored by the primary instance.

Abstract: A gateway performs silent authentication refreshes with an identity management platform in order to extend the expiration of a cookie provided to an endpoint that accesses network applications through the gateway.

Abstract: In order to use zero trust network resources distributed across multiple gateways, an agent is deployed on an endpoint of an enterprise network. The agent maps requests for specific applications to corresponding gateways. The agent may also multiplex or otherwise aggregate communications among different network applications and gateways in order to provide seamless, transparent access to the distributed resources at a single endpoint, and/or within a single interface.

Abstract: A virtualized gateway for applications in a zero trust network access environment is managed from a cloud-based threat management facility for an enterprise network. In order to facilitate creation of a new, centrally managed gateway, a one-time passcode for registration of the gateway to the threat management facility is encoded onto a virtual disk and distributed to a host platform along with a base gateway image for the gateway. This advantageously permits the new gateway to boot and securely register with the threat management facility without further administrative intervention.

Abstract: Certain edge networking devices such as application gateways may report status to a cloud-based threat management platform using a persistent network connection between the gateway and the cloud platform. Where a cloud computing platform for an edge networking device or the treat management platform imposes periodic timeouts, the threat management platform may monitor connects and disconnects for edge devices and asynchronously evaluate connection status of edge devices independently of a heartbeat or other signal through the persistent connection in order to distinguish periodic timeouts imposed by the cloud computing platform from networking devices that are compromised or malfunctioning.

Abstract: A virtualized gateway for applications in a zero trust network access environment is managed from a cloud-based threat management facility for an enterprise network. In order to facilitate creation of a new, centrally managed gateway, a one-time passcode for registration of the gateway to the threat management facility is encoded onto a virtual disk and distributed to a host platform along with a base gateway image for the gateway. This advantageously permits the new gateway to boot and securely register with the threat management facility without further administrative intervention.

Abstract: Certain edge networking devices such as application gateways may report status to a cloud-based threat management platform using a persistent network connection between the gateway and the cloud platform. Where a cloud computing platform for an edge networking device or the treat management platform imposes periodic timeouts, the threat management platform may monitor connects and disconnects for edge devices and asynchronously evaluate connection status of edge devices independently of a heartbeat or other signal through the persistent connection in order to distinguish periodic timeouts imposed by the cloud computing platform from networking devices that are compromised or malfunctioning.

Abstract: Certain edge networking devices such as application gateways may report status to a cloud-based threat management platform using a persistent network connection between the gateway and the cloud platform. Where a cloud computing platform for an edge networking device or the treat management platform imposes periodic timeouts, the threat management platform may monitor connects and disconnects for edge devices and asynchronously evaluate connection status of edge devices independently of a heartbeat or other signal through the persistent connection in order to distinguish periodic timeouts imposed by the cloud computing platform from networking devices that are compromised or malfunctioning.

Abstract: A virtualized gateway for applications in a zero trust network access environment is managed from a cloud-based threat management facility for an enterprise network. In order to facilitate creation of a new, centrally managed gateway, a one-time passcode for registration of the gateway to the threat management facility is encoded onto a virtual disk and distributed to a host platform along with a base gateway image for the gateway. This advantageously permits the new gateway to boot and securely register with the threat management facility without further administrative intervention.