Patent application number | Description | Published |
20110231649 | AGGRESSIVE REHANDSHAKES ON UNKNOWN SESSION IDENTIFIERS FOR SPLIT SSL - A traffic management device (TMD), system, and processor-readable storage medium are directed to monitoring an encrypted session between a client and a server, determining that the session identifier is unknown, and requesting a renegotiation of the session to acquire a session identifier for the renegotiated session. Determination that the session identifier is unknown may be based on interception and analysis of handshake messages sent by the client and/or the server. Following such determination, a renegotiation of the encrypted session may be triggered by sending a renegotiation request to the client, and a session identifier for the renegotiated session may be determined based on information extracted from subsequent handshake messages exchanged between the client and server during the renegotiation. Determination of the session identifier may enable decryption, encryption and modification of subsequent communications traffic, for example insertion of third party content into traffic sent to the client. | 09-22-2011 |
20110231651 | STRONG SSL PROXY AUTHENTICATION WITH FORCED SSL RENEGOTIATION AGAINST A TARGET SERVER - Embodiments are directed towards establishing an encrypted session between a client device and a target server device when the client device initiates network connections through a proxy device. In one embodiment, the client device initiates an encrypted session with the proxy device. Once the encrypted session is established, the client device communicates the address of the target server device to the proxy device. Then, the proxy device sends an encrypted session renegotiation message to the client device. The client device responds to the encrypted session renegotiation message by transmitting an encrypted session handshake message to the proxy device. The proxy device forwards the encrypted session handshake message to the target server device, and continues to forward handshake messages between the client device and the target server device, enabling the client device and the target server device to establish an encrypted session | 09-22-2011 |
20110231652 | PROXY SSL AUTHENTICATION IN SPLIT SSL FOR CLIENT-SIDE PROXY AGENT RESOURCES WITH CONTENT INSERTION - A traffic management device (TMD), system, and processor-readable storage medium are directed to determining that an end-to-end encrypted session has been established between a client and an authentication server, intercepting and decrypting subsequent task traffic from the client, and forwarding the intercepted traffic toward a server. In some embodiments, a second connection between the TMD and server may be employed to forward the intercepted traffic, and the second connection may be unencrypted or encrypted with a different mechanism than the encrypted connection to the authentication server. The encrypted connection to the authentication server may be maintained following authentication to enable termination of the second connection if the client becomes untrusted, and/or to enable logging of client requests, connection information, and the like. In some embodiments, the TMD may act as a proxy to provide client access to a number of servers and/or resources. | 09-22-2011 |
20110231653 | SECURE DISTRIBUTION OF SESSION CREDENTIALS FROM CLIENT-SIDE TO SERVER-SIDE TRAFFIC MANAGEMENT DEVICES - A traffic management device (TMD), system, and processor-readable storage medium are directed to securely transferring session credentials from a client-side traffic management device (TMD) to a second server-side TMD that replaces a first server-side TMD. In one embodiment, a client-side TMD and the first server-side TMD have copies of secret data associated with an encrypted session between a client device and a server device, including a session key. For any of a variety of reasons, the first server-side TMD is replaced with the second server-side TMD, which may not have the secret data. In response to a request to create an encrypted connection associated with the encrypted session, the client-side TMD encrypts the secret data using the server device's public key and transmits the encrypted secret data to the second server-side TMD. If the second server-side TMD has a copy of the server device's private key, and is therefore considered to be an authentic and trusted TMD, the second sever-side TMD decrypts the secret data and participates in the encrypted connection. | 09-22-2011 |
20110231655 | PROXY SSL HANDOFF VIA MID-STREAM RENEGOTIATION - A traffic management device (TMD), system, and processor-readable storage medium directed towards re-establishing an encrypted connection of an encrypted session, the encrypted connection having initially been established between a client device and a first server device, causing the encrypted connection to terminate at a second server device. As described, a traffic management device (TMD) is interposed between the client device and the first server device. In some embodiments, the TMD may request that the client device renegotiate the encrypted connection. The TMD may redirect the response to the renegotiation request towards a second server device, such that the renegotiated encrypted connection is established between the client device and the second server device. In this way, a single existing end-to-end encrypted connection can be used to serve content from more than one server device. | 09-22-2011 |
20110231923 | LOCAL AUTHENTICATION IN PROXY SSL TUNNELS USING A CLIENT-SIDE PROXY AGENT - A traffic management device (TMD), system, and processor-readable storage medium are directed towards reducing a number of login web pages served by a server device over an end-to-end encrypted connection. In one embodiment, a TMD intercepts and processes requests for content addressed to the server device. The TMD may serve a stored copy of a login page corresponding to the requested content to the client device. In response, the client device may submit login information associated with the login page to the TMD. The TMD may extract the login information from the submitted response and send a request to the server device to authenticate the client device based on the extracted login information. If the client device is authenticated, the TMD may transmit a ‘login successful’ page to the client device. | 09-22-2011 |
20140189686 | ELASTIC OFFLOAD OF PREBUILT TRAFFIC MANAGEMENT SYSTEM COMPONENT VIRTUAL MACHINES - Embodiments are directed towards employing a traffic management system (TMS) that is enabled to deploy component virtual machines (CVM) to the cloud to perform tasks of the TMS. In some embodiments, a TMS may be employed with one or more CVMs. In at least one embodiment, the TMS may maintain an image of each CVM. Each CVM may be configured to perform one or more tasks, to operate in specific cloud infrastructures, or the like. The TMS may deploy one or more CVMs locally and/or to one or more public and/or private clouds. In some embodiments, deployment of the CVMs may be based on a type of task to be performed, anticipated resource utilization, customer policies, or the like. The deployment of the CVMs may be dynamically updated based on monitored usage patterns, task completions, customer policies, or the like. | 07-03-2014 |