F5 NETWORKS, INC. Patent applications |
Patent application number | Title | Published |
20150142948 | EXTENDING POLICY RULESETS WITH SCRIPTING - Embodiments are directed towards using policy rules that may be extended by scripting operative on a traffic management device. Each policy rule may have a condition and a corresponding action. If the condition is a script, a script engine separate from the policy engine may be employed to execute the script to determine if the condition is met. Otherwise, the policy engine may determine if the condition is met based on declarative expressions that comprise the condition. If the condition is met the action corresponding to the policy rule may be executed. Scripts may be used to compute the values of operands that may be used in one or more of the expressions that comprise a condition for a policy rule. Also, the action corresponding to a policy rule may be implemented using a script that is executed by a script engine. | 05-21-2015 |
20150067753 | GENERATING FRAME CHUNKING FOR VIDEO FAST STARTS - A network device is arranged to perform frame chunking directed towards enabling fast video content starts on a client device. When a request for video content is received, characteristics of a connection to the client device, and the client device are used to determine a threshold bitrate that provides a defined amount of video content to the client device within a configurable amount of first play time. When a bitrate for the video content that satisfies the threshold bitrate is currently unavailable, then the first chunks or bytes of the video content may be optimized to satisfy the threshold bitrate. The optimized first chunks are then provided to the client device followed by the remaining video content at an available bitrate. | 03-05-2015 |
20150067472 | WEB BROWSER FINGERPRINTING - Systems, methods, and devices are directed towards identifying a web browser by targeting a document parser component in a layout engine of a web browser. Malformed HTML may be provided to a client device having the web browser. Based on how the layout engine responds to the received malformed HTML, a fingerprint can be generated classifying/identifying a class, type, and other features of the web browser/layout engine. Other fingerprinting techniques may be combined with this malformed HTML approach to improve an accuracy of web browser identification, or to be used to detect/counter user-agent spoofing. Identification of the web browser/layout engine may then be used, among other things, to provide web content that is formatted to be useable by the receiving client device. | 03-05-2015 |
20150049763 | HANDLING HIGH THROUGHPUT AND LOW LATENCY NETWORK DATA PACKETS IN A TRAFFIC MANAGEMENT DEVICE - Handling network data packets classified as being high throughput and low latency with a network traffic management device is disclosed. Packets are received from a network and classified as high throughput or low latency based on packet characteristics or other factors. Low latency classified packets are generally processed immediately, such as upon receipt, while the low latency packet processing is strategically interrupted to enable processing coalesced high throughput classified packets in an optimized manner. The determination to cease processing low latency packets in favor of high throughput packets may be based on a number of factors, including whether a threshold number of high throughput classified packets are received or based on periodically polling a high throughput packet memory storage location. | 02-19-2015 |
20150019923 | NETWORK DEVICES WITH MULTIPLE FULLY ISOLATED AND INDEPENDENTLY RESETTABLE DIRECT MEMORY ACCESS CHANNELS AND METHODS THEREOF - A method, computer readable medium, and system independently managing network applications within a network traffic management device communicating with networked clients and servers include monitoring with a network device a plurality of applications communicating over a plurality of direct memory access (DMA) channels established across a bus. The network device receives a request from a first application communicating over a first DMA channel in the plurality of DMA channels to restart the first DMA channel. In response to the request, the first DMA channel is disabled with the network device while allowing other executing applications in the plurality of applications to continue to communicate over other DMA channels in the plurality of DMA channels. A state of the first DMA channel is cleared independently from other DMA channels in the plurality of DMA channels, and communications for the first application over the first DMA channel are resumed with the network device. | 01-15-2015 |
20140344429 | SYSTEMS AND METHODS FOR IDLE DRIVEN SCHEDULING - A system and method of idle driven scheduling in a network device is disclosed. An interrupt signal is received from a timer, wherein a network processing component of a network device awakes from sleep mode of a first sleep duration for a first cycle upon receiving the interrupt signal. Load information of a computer processing unit in the network device for the first cycle is determined. A second sleep duration is selected for the network processing component in a second cycle based on the load information, wherein the second sleep duration is different from the first sleep duration. The timer is then instructed to send the interrupt signal to the network processing component at an expiration of the second sleep duration. | 11-20-2014 |
20140258369 | SERVER TO CLIENT REVERSE PERSISTENCE - Embodiments may be directed towards enabling one or more load balance servers to maintain connection flow persistence if the server initiates the communication to a client. A packet traffic management device (PTMD) may intercept the request from the server and generate reverse persistence information. The PTMD may include a portion of the reverse persistence information in the request before forwarding the request to the targeted client device. The client device may send the response to the PTMD. The PTMD may employ the reverse persistence information to identify the target server. The PTMD may remove the reverse persistence information from the response sent by the client and forward the response to the determined server. Removing the reverse persistence information may remove evidence that the PTMD intervened in the connection between the client and server. | 09-11-2014 |
20140189686 | ELASTIC OFFLOAD OF PREBUILT TRAFFIC MANAGEMENT SYSTEM COMPONENT VIRTUAL MACHINES - Embodiments are directed towards employing a traffic management system (TMS) that is enabled to deploy component virtual machines (CVM) to the cloud to perform tasks of the TMS. In some embodiments, a TMS may be employed with one or more CVMs. In at least one embodiment, the TMS may maintain an image of each CVM. Each CVM may be configured to perform one or more tasks, to operate in specific cloud infrastructures, or the like. The TMS may deploy one or more CVMs locally and/or to one or more public and/or private clouds. In some embodiments, deployment of the CVMs may be based on a type of task to be performed, anticipated resource utilization, customer policies, or the like. The deployment of the CVMs may be dynamically updated based on monitored usage patterns, task completions, customer policies, or the like. | 07-03-2014 |
20140143375 | METHODS FOR OPTIMIZING SERVICE OF CONTENT REQUESTS AND DEVICES THEREOF - A method, non-transitory computer readable medium, and network traffic management apparatus that receives a request for content from a client computing device. A length of the content is determined. A plurality of requests for a portion of the length of the content is sent to a plurality of server computing devices, wherein the portion of the length of the content is specified as a byte range in a range header of each of the plurality of requests. A plurality of responses to the plurality of requests is received. At least a subset of the plurality of responses is output to the client computing device. | 05-22-2014 |
20140068103 | STATEFUL FAILOVER MANAGEMENT IN A NETWORK TRAFFIC MANAGER - Methods, systems, and devices are described for stateful failover in traffic manager module functioning as a proxy between at least one first network device and at least one server. In a first set of embodiments, an amount of synchronized state information may be reduced through a controlled use of acknowledgment messages. In a second set of embodiments, state information may be synchronized to a standby traffic manager module in response to changes in a sequence number delta between two logically paired connections. In a third set of embodiments, connections may be restored at a standby traffic manager module based on stored connection information, a synchronized sequence number delta stack, and rediscovered sequence numbers. | 03-06-2014 |
20140059247 | NETWORK TRAFFIC MANAGEMENT USING SOCKET-SPECIFIC SYN REQUEST CACHES - Methods, systems, and devices are described for managing network communications at a traffic manager module serving as a proxy to at least one network service for at least one client device. The traffic manager module may maintain a SYN request cache for a socket implemented by the traffic manager module. Active SYN request messages may be stored at the socket in the SYN request cache. The traffic manager module may determine a status of the SYN request cache and ignore additional SYN request messages at the socket based on the determined status of the SYN request cache. | 02-27-2014 |
20140056161 | NETWORK TRAFFIC MANAGER ARCHITECTURE - Methods, systems, and devices are described for managing network communications. A traffic manager module may receive a message from a first network device to a second network device. The traffic manager module may serve as a proxy between the first network device and the second network device. The traffic manager module may perform an application layer inspection at the traffic manager module on at least one of the message or a response to the message from the second network device, and forward the message or the response to the message to a third network device based on the application layer inspection at the traffic manager module. | 02-27-2014 |
20140056144 | NETWORK TRAFFIC MANAGEMENT USING STREAM-SPECIFIC QoS BITS - Methods, systems, and devices are described for managing network communications. A traffic manager module configured to serve as a proxy between a plurality of client devices and a network service may receive a plurality of messages for the network service. Each message may be associated with at least one QoS parameter. The traffic manager module may transmit the plurality of messages to the network service over a connection between the traffic manager module and the network service. The QoS of the connection between the traffic manager module and the network service may be dynamically altered during the transmission of a first message of the plurality of messages based on the at least one QoS parameter associated with the first message. | 02-27-2014 |
20140052838 | SCRIPTING FOR IMPLEMENTING POLICY-BASED TRAFFIC STEERING AND MANAGEMENT - Methods, systems, and devices are described for managing network communications. A traffic manager module may receive a script over a management plane of a packet core, interpret the script to identify a traffic management policy; and dynamically modify at least one aspect of a proxy connection over a bearer plane of the packet core at the traffic manager module based on the identified traffic management policy. | 02-20-2014 |
20140040477 | CONNECTION MESH IN MIRRORING ASYMMETRIC CLUSTERED MULTIPROCESSOR SYSTEMS - Embodiments are directed towards establishing a plurality of connections between each of a plurality of first computing devices in a primary chassis with each of a plurality of second computing devices in a failover chassis. A first computing device uses the plurality of connections as mesh connections to select a second computing device in which to route information about received packets. Routing of information about the packets to the selected second computing device includes modifying a source port number in the packets to include an identifier of the first computing device and an identifier of the second computing device. The information may indicate that the failover chassis is to perform specialized routing of the modified packets. | 02-06-2014 |
20140025823 | METHODS FOR MANAGING CONTENDED RESOURCE UTILIZATION IN A MULTIPROCESSOR ARCHITECTURE AND DEVICES THEREOF - A method, computer readable medium, and network traffic management apparatus that manages contended resource utilization includes obtaining at least one value for at least one utilization parameter for at least one contended resource and determining when the obtained value of the utilization parameter for the at least one contended resource exceeds a threshold value. When the obtained value of the utilization parameter is determined to exceed the threshold value, a work rate for one or more of a plurality of processing units is reduced or the at least one contended resource is reallocated among the plurality of processing units. | 01-23-2014 |
20130294239 | DATA FLOW SEGMENT OPTIMIZED FOR HOT FLOWS - Embodiments are directed towards improving the performance of network traffic management devices by optimizing the management of hot connection flows. A packet traffic management device (“PTMD”) may employ a data flow segment (“DFS”) and control segment (“CS”). The CS may perform high-level control functions and per-flow policy enforcement for connection flows maintained at the DFS, while the DFS may perform statistics gathering, per-packet policy enforcement (e.g., packet address translations), or the like, on connection flows maintained at the DFS. The DFS may include high-speed flow caches and other high-speed components that may comprise high-performance computer memory. Efficient use of the high speed flow cache capacity may be improved by maximizing the number of hot connection flows and minimizing the number of malicious and/or in-operative connection flows (e.g., non-genuine flows) that may have flow control data stored in the high-speed flow cache. | 11-07-2013 |
20130290699 | METHODS FOR SECURE COMMUNICATION BETWEEN NETWORK DEVICE SERVICES AND DEVICES THEREOF - A method, non-transitory computer readable medium, and network device that generates a network communication including a destination address associated with a second network device and a destination port number, wherein the destination port number corresponds to a service operating on the second network device. An initial SSL handshake protocol message is generated and at least the destination port number is inserted into a server name indicator (SNI) extension of the initial SSL handshake protocol message. An SSL connection is established with the second network device using a predetermined port number and the initial SSL handshake protocol message is sent to the second network device. Information included in the network communication is sent to the second network device using the SSL connection. | 10-31-2013 |
20130219030 | IN SERVICE UPGRADES FOR A HYPERVISOR OR HARDWARE MANAGER HOSTING VIRTUAL TRAFFIC MANAGERS - Embodiments are directed towards upgrading hypervisors operating in hardware clusters that may be hosting one or more virtual clusters of virtual traffic managers. Virtual clusters may be arranged to span multiple computing devices in the hardware cluster. Spanning a virtual cluster across multiple hardware nodes may enable the virtual cluster to remain operative while one or more hardware nodes are upgraded. Hypervisors may include a management control plane for virtual clusters of virtual traffic managers. Hypervisors running on hardware nodes may manage the lower level networking traffic topology while the virtual traffic managers may manage the higher level network processing. Further, hypervisor based management control planes may interface with the virtual clusters and virtual traffic managers using pluggable translation modules, which may enable different versions of hypervisor based management control planes and virtual traffic managers to communicate and cooperatively manage network traffic. | 08-22-2013 |
20130212295 | APPLICATION LAYER NETWORK TRAFFIC PRIORITIZATION - Layer-7 application layer message (“message”) classification is disclosed. A network traffic management device (“NTMD”) receives incoming messages over a first TCP/IP connection from a first network for transmission to a second network. Before transmitting the incoming messages onto the second network, however, the NTMD classifies the incoming messages according to some criteria, such as by assigning one or more priorities to the messages. The NTMD transmits the classified messages in the order of their message classification. Where the classification is priority based, first priority messages are transmitted over second priority messages, and so forth, for example. | 08-15-2013 |
20130212240 | METHODS FOR DYNAMIC DNS IMPLEMENTATION AND SYSTEMS THEREOF - A method, computer readable medium, and device for dynamic DNS implementation, comprises receiving, at a network traffic management device, a first DNS response from a DNS server, wherein the first DNS response is compliant with Internet Protocol version 4 (IPv4). The first DNS response corresponds to a first DNS request from a client device being compliant with Internet Protocol version 6 (IPv6). The first DNS response is converted into a second DNS response that is compliant with IPv6 by attaching a prefix that identifies a network gateway device which is to handle subsequent non-DNS requests from the client device. The second DNS response is routed to the client device. Subsequent non-DNS requests from the client device that contain at least a part of the prefix allow the network traffic management device to route the non-DNS requests through the designated network gateway device. | 08-15-2013 |
20130204893 | METHODS FOR GENERATING A UNIFIED VIRTUAL SNAPSHOT AND SYSTEMS THEREOF - A method, computer readable medium, and system for generating a unified virtual snapshot in accordance with embodiments of the present invention includes invoking with a file virtualization system a capture of a plurality of physical snapshots. Each of the physical snapshots comprises content at a given point in time in one of the plurality of data storage systems. A unified virtual snapshot is generated with the file virtualization system based on the captured plurality of the physical snapshots. | 08-08-2013 |
20130173779 | METHODS FOR IDENTIFYING NETWORK TRAFFIC CHARACTERISTICS TO CORRELATE AND MANAGE ONE OR MORE SUBSEQUENT FLOWS AND DEVICES THEREOF - A method, non-transitory computer readable medium, and device that identifies network traffic characteristics to correlate and manage one or more subsequent flows includes transmitting a monitoring request comprising one or more attributes extracted from an HTTP request received from a client computing device and a timestamp to a monitoring server to correlate one or more subsequent flows associated with the HTTP request. The HTTP request is transmitted to an application server after receiving an acknowledgement response to the monitoring request from the monitoring server. An HTTP response to the HTTP request is received from the application server. An operation with respect to the HTTP response is performed. | 07-04-2013 |
20130097383 | METHODS FOR PROVIDING A RESPONSE AND SYSTEMS THEREOF - A method, computer readable medium, and system for generating a response includes determining from which of a plurality of levels of cache to retrieve a response. The determination is based on a number of matches between current user session data associated with a current request and stored user session data rewritten into each of one or more metadata variables for the response when a current request for the response matches at least one prior stored request for the response. The response from the determined level of the plurality of levels of cache is provided. | 04-18-2013 |
20130064093 | METHOD FOR LOAD BALANCING OF REQUESTS' PROCESSING OF DIAMETER SERVERS - A system, computer readable medium and method of load balancing of requests between Diameter-enabled network devices is disclosed. A signal controller in communication with a first Diameter-enabled network device and a second Diameter-enabled network device determines the request handling capacity of at least the second Diameter-enabled network device. One or more tokens are allocated for inbound requests from the first Diameter-enabled network device to the second Diameter-enabled network device. The second Diameter-enabled network device is notified of the one or more allocated tokens for handling a corresponding number of requests from the first Diameter-enabled network device. Transmission of the corresponding number of requests from the first Diameter-enabled network device to the second Diameter-enabled network device is coordinated by the signal controller. | 03-14-2013 |
20130047026 | UPGRADING NETWORK TRAFFIC MANAGEMENT DEVICES WHILE MAINTAINING AVAILABILITY - A method, system, machine-readable storage medium, and apparatus are directed towards upgrading a cluster by bifurcating the cluster into two virtual clusters, an “old” virtual cluster (old active cluster) and a “new” virtual cluster (new standby cluster), and iteratively upgrading members of the old cluster while moving them into the new cluster. While members are added to the new cluster, existing connections and new connections are seamlessly processed by the old cluster. Optionally, state mirroring occurs between the old cluster and the new cluster once the number of members of the old and new clusters are approximately equal. Once a threshold number of members have been transferred to the new cluster, control and processing may be taken over by the new cluster. Transfer of control from the old cluster to the new cluster may be performed by failing over connectivity from the old cluster to the new cluster. | 02-21-2013 |
20120278851 | AUTOMATED POLICY BUILDER - A system, method and machine readable medium for automated policy building in a policy module of a network traffic management device is disclosed. Parsed network traffic data is received at a policy builder of a network traffic management device. The received network traffic data is analyzed in accordance with one or more threshold conditions specified by a user, via a user interface, for an existing policy. The existing policy is modified by the policy builder if the one or more threshold conditions for the network traffic have been met. | 11-01-2012 |
20120254123 | METHODS AND SYSTEMS FOR SNAPSHOT RECONSTITUTION - A method, computer readable medium, and a system for reconstituting a virtual snapshot of files in a file virtualization system includes forming at a file virtualization device a virtual snapshot that includes a plurality of physical snapshots associated with one or more file storage devices participating in the virtual snapshot, receiving a request for performing an operation on one or more physical snapshots in the plurality of physical snapshots, providing the one or more physical snapshots in response to the request for performing the operation when the one or more physical snapshots exist in the virtual snapshot, and reconstituting the virtual snapshot by including the one or more physical snapshots to form a reconstituted virtual snapshot in response to the request for performing the operation when the one or more physical snapshots do not exist in the virtual snapshot. | 10-04-2012 |
20120240184 | SYSTEM AND METHOD FOR ON THE FLY PROTOCOL CONVERSION IN OBTAINING POLICY ENFORCEMENT INFORMATION - A system, machine readable medium and method for utilizing protocol conversions in policy changing enforcement is disclosed. A message, in a first protocol, is received from a network gateway device including identifying information unique to a client attempting to access a resource from a server. The message is processed using one or more portions of the client identifying information as a unique key identifier. A policy access request is generated, in a second protocol, and includes at least the unique key identifier. The policy access request is sent to a policy server, wherein the policy server is configured to provide policy enforcement information of the client associated with the policy access request. The policy enforcement information is received and one or more policies from the policy enforcement information are enforced to network traffic between the client and the server. | 09-20-2012 |
20120198512 | SYSTEM AND METHOD FOR COMBINING AN ACCESS CONTROL SYSTEM WITH A TRAFFIC MANAGEMENT SYSTEM - A system and method for handling a request from a client device to access a service from a server. The method comprises receiving a request from a user using a client device to access a service from a server. The request is received by a network traffic management device having a local external access management (EAM) agent. The EAM agent directly communicates with an EAM server that provides authentication policy information of a plurality of users able to at least partially access the server. User credential information is sent from the EAM agent to the EAM server, whereby the EAM agent receives access policy information of the user from the EAM server. The system and method selectively controls access of the user's request to the server in accordance with the received access policy information at the network traffic management device. | 08-02-2012 |
20120191800 | METHODS AND SYSTEMS FOR PROVIDING DIRECT DMA - A method and system for efficient direct DMA for processing connection state information or other expediting data packets. One example is the use of a network interface controller to buffer TCP type data packets that may contain connection state information. The connection state information is extracted from a received packet. The connection state information is stored in a special DMA descriptor that is stored in a ring buffer area of a buffer memory that is accessible by a host processor when an interrupt signal is received. The packet is then discarded. The host processor accesses the ring buffer memory only to retrieve the stored connection state information from the DMA descriptor without having to access a packet buffer area in the memory. | 07-26-2012 |
20120185937 | SYSTEM AND METHOD FOR SELECTIVELY STORING WEB OBJECTS IN A CACHE MEMORY BASED ON POLICY DECISIONS - A system and method for selectively storing one or more web objects in a memory is disclosed. A server response is received at a network traffic management device, wherein the server response is associated with a client request sent from a client device and includes at least one web object. The server response is analyzed using a security module of the network traffic management device which determines if at least a portion of the server response contains suspicious content in relation to one or more defined policy parameters handled by the security module. An instruction is sent from the security module to a cache module of the network traffic management device upon determining that the at least a portion of the server response contains suspicious information, wherein the cache module does not store the at least one web object upon receiving the instruction. | 07-19-2012 |
20120117379 | METHODS FOR HANDLING REQUESTS BETWEEN DIFFERENT RESOURCE RECORD TYPES AND SYSTEMS THEREOF - A method, computer readable medium, and device for handling requests between different resource record types includes receiving at a traffic management device a first resource record type from one or more server devices in response to a request from a client device. The traffic management device validates the first resource record type, and creates a second resource record type corresponding to the first resource record type after the validating. Signing the second resource record type at the traffic management device is carried out for servicing the request from the client device. | 05-10-2012 |
20120072523 | NETWORK DEVICES WITH MULTIPLE DIRECT MEMORY ACCESS CHANNELS AND METHODS THEREOF - A method, computer readable medium, and a system for communicating with networked clients and servers through a network device is disclosed. A first network data packet is received at a first port of a network device. The first network data packet is destined for a first executing application of a plurality of executing applications operating in the network device. The plurality of executing applications are associated with corresponding application drivers utilizing independent and unique direct memory access (DMA) channels. A first DMA channel is identified, wherein the first DMA channel is mapped to the first port and associated with a first application driver corresponding to the first executing application. The first network data packet is transmitted to the first executing application over the first identified DMA channel. | 03-22-2012 |
20120036107 | RULE BASED AGGREGATION OF FILES AND TRANSACTIONS IN A SWITCHED FILE SYSTEM - A switched file system, also termed a file switch, is logically positioned between client computers and file servers in a computer network. The file switch distributes user files among multiple file servers using aggregated file, transaction and directory mechanisms. The file switch distributes and aggregates the client data files in accordance with a predetermined set of aggregation rules. Each rule can be modified independently of the other rules. Different aggregation rules can be used for different types of files, thereby adapting the characteristics of the switched file system to the intended use and to the expected or historical access patterns for different data files. | 02-09-2012 |
20110231923 | LOCAL AUTHENTICATION IN PROXY SSL TUNNELS USING A CLIENT-SIDE PROXY AGENT - A traffic management device (TMD), system, and processor-readable storage medium are directed towards reducing a number of login web pages served by a server device over an end-to-end encrypted connection. In one embodiment, a TMD intercepts and processes requests for content addressed to the server device. The TMD may serve a stored copy of a login page corresponding to the requested content to the client device. In response, the client device may submit login information associated with the login page to the TMD. The TMD may extract the login information from the submitted response and send a request to the server device to authenticate the client device based on the extracted login information. If the client device is authenticated, the TMD may transmit a ‘login successful’ page to the client device. | 09-22-2011 |
20110231655 | PROXY SSL HANDOFF VIA MID-STREAM RENEGOTIATION - A traffic management device (TMD), system, and processor-readable storage medium are directed towards re-establishing an encrypted connection of an encrypted session, the encrypted connection having initially been established between a client device and a first server device, causing the encrypted connection to terminate at a second server device. As described, a traffic management device (TMD) is interposed between the client device and the first server device. In some embodiments, the TMD may request that the client device renegotiate the encrypted connection. The TMD may redirect the response to the renegotiation request towards a second server device, such that the renegotiated encrypted connection is established between the client device and the second server device. In this way, a single existing end-to-end encrypted connection can be used to serve content from more than one server device. | 09-22-2011 |
20110231653 | SECURE DISTRIBUTION OF SESSION CREDENTIALS FROM CLIENT-SIDE TO SERVER-SIDE TRAFFIC MANAGEMENT DEVICES - A traffic management device (TMD), system, and processor-readable storage medium are directed to securely transferring session credentials from a client-side traffic management device (TMD) to a second server-side TMD that replaces a first server-side TMD. In one embodiment, a client-side TMD and the first server-side TMD have copies of secret data associated with an encrypted session between a client device and a server device, including a session key. For any of a variety of reasons, the first server-side TMD is replaced with the second server-side TMD, which may not have the secret data. In response to a request to create an encrypted connection associated with the encrypted session, the client-side TMD encrypts the secret data using the server device's public key and transmits the encrypted secret data to the second server-side TMD. If the second server-side TMD has a copy of the server device's private key, and is therefore considered to be an authentic and trusted TMD, the second server-side TMD decrypts the secret data and participates in the encrypted connection. | 09-22-2011 |
20110231652 | PROXY SSL AUTHENTICATION IN SPLIT SSL FOR CLIENT-SIDE PROXY AGENT RESOURCES WITH CONTENT INSERTION - A traffic management device (TMD), system, and processor-readable storage medium are directed to determining that an end-to-end encrypted session has been established between a client and an authentication server, intercepting and decrypting subsequent task traffic from the client, and forwarding the intercepted traffic toward a server. In some embodiments, a second connection between the TMD and server may be employed to forward the intercepted traffic, and the second connection may be unencrypted or encrypted with a different mechanism than the encrypted connection to the authentication server. The encrypted connection to the authentication server may be maintained following authentication to enable termination of the second connection if the client becomes untrusted, and/or to enable logging of client requests, connection information, and the like. In some embodiments, the TMD may act as a proxy to provide client access to a number of servers and/or resources. | 09-22-2011 |
20110231651 | STRONG SSL PROXY AUTHENTICATION WITH FORCED SSL RENEGOTIATION AGAINST A TARGET SERVER - Embodiments are directed towards establishing an encrypted session between a client device and a target server device when the client device initiates network connections through a proxy device. In one embodiment, the client device initiates an encrypted session with the proxy device. Once the encrypted session is established, the client device communicates the address of the target server device to the proxy device. Then, the proxy device sends an encrypted session renegotiation message to the client device. The client device responds to the encrypted session renegotiation message by transmitting an encrypted session handshake message to the proxy device. The proxy device forwards the encrypted session handshake message to the target server device, and continues to forward handshake messages between the client device and the target server device, enabling the client device and the target server device to establish an encrypted session. | 09-22-2011 |
20110231649 | AGGRESSIVE REHANDSHAKES ON UNKNOWN SESSION IDENTIFIERS FOR SPLIT SSL - A traffic management device (TMD), system, and processor-readable storage medium are directed to monitoring an encrypted session between a client and a server, determining that the session identifier is unknown, and requesting a renegotiation of the session to acquire a session identifier for the renegotiated session. Determination that the session identifier is unknown may be based on interception and analysis of handshake messages sent by the client and/or the server. Following such determination, a renegotiation of the encrypted session may be triggered by sending a renegotiation request to the client, and a session identifier for the renegotiated session may be determined based on information extracted from subsequent handshake messages exchanged between the client and server during the renegotiation. Determination of the session identifier may enable decryption, encryption and modification of subsequent communications traffic, for example insertion of third party content into traffic sent to the client. | 09-22-2011 |
20110119354 | METHOD AND SYSTEM FOR DISTRIBUTING REQUESTS FOR CONTENT - A method and system for caching content, such as content requested from a server on the World Wide Web. Requests for dynamic content are forwarded directly to a content server to avoid caching data that might only be used once. Requests for static content are forwarded to a hot or a regular cache depending on the frequency at which the content is requested. When a hot cache does not contain the content, it forwards the request to the forwarder which then forwards the request to a regular cache. When the regular cache does not contain the content, it requests the content from the forwarder which then forwards the request to a content server. There may be more than two layers of cache. | 05-19-2011 |
20110087696 | SCALABLE SYSTEM FOR PARTITIONING AND ACCESSING METADATA OVER MULTIPLE SERVERS - In an aggregated file system, metadata is partitioned into multiple metadata volumes. On receipt of a file processing request, a file switch examines its mount entry cache to identify a target metadata volume that hosts the metadata of the requested file. The identification begins with mount entries at a root volume and continues recursively by examining a portion of the absolute pathname of the file until the target metadata volume is identified. Finally, the file switch forwards the request to a metadata server managing the target metadata volume. Since the identification process is carried out completely within the file switch, there is no need for multiple expensive network accesses to different metadata servers. | 04-14-2011 |
20100042869 | UPGRADING NETWORK TRAFFIC MANAGEMENT DEVICES WHILE MAINTAINING AVAILABILITY - A method, system, machine-readable storage medium, and apparatus are directed towards upgrading a cluster by bifurcating the cluster into two virtual clusters, an “old” virtual cluster (old active cluster) and a “new” virtual cluster (new standby cluster), and iteratively upgrading members of the old cluster while moving them into the new cluster. While members are added to the new cluster, existing connections and new connections are seamlessly processed by the old cluster. Optionally, state mirroring occurs between the old cluster and the new cluster once the number of members of the old and new clusters is approximately equal. Once a threshold number of members have been transferred to the new cluster, control and processing may be taken over by the new cluster. Transfer of control from the old cluster to the new cluster may be performed by failing over connectivity from the old cluster to the new cluster. | 02-18-2010 |
20090292734 | RULE BASED AGGREGATION OF FILES AND TRANSACTIONS IN A SWITCHED FILE SYSTEM - A switched file system, also termed a file switch, is logically positioned between client computers and file servers in a computer network. The file switch distributes user files among multiple file servers using aggregated file, transaction and directory mechanisms. The file switch distributes and aggregates the client data files in accordance with a predetermined set of aggregation rules. Each rule can be modified independently of the other rules. Different aggregation rules can be used for different types of files, thereby adapting the characteristics of the switched file system to the intended use and to the expected or historical access patterns for different data files. | 11-26-2009 |
20090240705 | FILE SWITCH AND SWITCHED FILE SYSTEM - An apparatus and method are provided in a computer network to decouple the client from the server, by placing a transparent network node, also termed a file switch or file switch computer, between the client and the server. Usage of such a file switch allows reduced latency in file transfers, as well as scalable mirroring, striping, spillover, and other features. | 09-24-2009 |
20090234856 | AGGREGATED OPPORTUNISTIC LOCK AND AGGREGATED IMPLICIT LOCK MANAGEMENT FOR LOCKING AGGREGATED FILES IN A SWITCHED FILE SYSTEM - A switched file system, also termed a file switch, is logically positioned between client computers and file servers in a computer network. The file switch distributes user files among multiple file servers using aggregated file, transaction and directory mechanisms. The file switch supports caching of a particular aggregated data file either locally in a client computer or in the file switch in accordance with the exclusivity level of an opportunistic lock granted to the entity that requested caching. The opportunistic lock can be obtained either on the individual data files stored in the file servers or on the metadata files that contain the location of each individual data file in the file servers. The opportunistic lock can be broken if another client tries to access the aggregated data file. Opportunistic locks allow client-side caching while preserving data integrity and consistency, hence the performance of the switched file system is increased. | 09-17-2009 |
20080256239 | METHOD AND SYSTEM FOR OPTIMIZING A NETWORK BY INDEPENDENTLY SCALING CONTROL SEGMENTS AND DATA FLOW - A server array controller that includes a Data Flow Segment (DFS) and at least one Control Segment (CS). The DFS includes the hardware-optimized portion of the controller, while the CS includes the software-optimized portions. The DFS performs most of the repetitive chores including statistics gathering and per-packet policy enforcement (e.g. packet switching). The DFS also performs tasks such as those of a router, a switch, or a routing switch. The CS determines the translation to be performed on each flow of packets, and thus performs high-level control functions and per-flow policy enforcement. Network address translation (NAT) is performed by the combined operation of the CS and DFS. The CS and DFS may be incorporated into one or more separate blocks. The CS and DFS are independently scalable. Additionally, the functionality of either the DFS or the CS may be separately implemented in software and/or hardware. | 10-16-2008 |