H04L61/2503

SECURE NETWORKING ENGINE FOR A SECURE NETWORKING SYSTEM
20230006968 · 2023-01-05 ·

Methods, systems, and computer storage media for providing a local protocol server associated with a secure networking engine that provides client-side forwarding in a secure networking system. The local protocol server (e.g., a local TCP/UDP server) on a client device operates based on client-side forwarding operations that include: IP assignment, operating system (OS) routing, destination network address translation, and original destination retrieval to support accessing a network resource (e.g., a socket connection) on the client device and to support communications between client applications on the client device and the local protocol server on the same client device. In this way, the local protocol server supports communications of a diverse set of data traffic or network traffic (e.g., different types of cross-platform communications), where the diverse set of network traffic is initially communicated from a client application and processed for network security operations at the local protocol server within the same client device.

SYSTEMS AND METHODS FOR NETWORK PACKET TRANSLATION
20230006928 · 2023-01-05 ·

A method for modifying packet data of a packet in a network device, where the method includes receiving, at an ingress pipeline of the network device, the packet, performing a lookup, in a packet translation ruleset, to compare the packet data to rule criteria of a rule in the packet translation ruleset, making a first determination that at least a portion of the packet data matches the rule criteria, and based on the first determination, adding a packet translation tag to the packet, where the packet translation tag includes a rule action, copying the packet translation tag and a portion of the packet to obtain a copied packet, modifying the copied packet as described in the rule action to obtain a modified copied packet, and forwarding the modified copied packet to an egress pipeline.

SYSTEMS AND METHODS FOR SUPPORTING HOST DEVICES WITH A SINGLE NETWORK ADDRESS WHEN MULTIPLE PREFIXES ARE DELEGATED

A network device may delegate a first prefix length to a primary WAN interface and delegate a second prefix length to a backup WAN interface. The network device may assign a first primary prefix and a first backup prefix to a first VLAN interface and may assign a second primary prefix and a second backup prefix to a second VLAN interface. The network device may provide egress traffic from host devices, connected to the first VLAN interface and to the second VLAN interface, to the primary WAN interface and without prefix translation, when the primary WAN interface is available. The network device may provide ingress traffic to the host devices, via the primary WAN interface and without prefix translation, when the primary WAN interface is available.

Stateful services on stateless clustered edge

In order to enable dynamic scaling of network services at the edge, novel systems and methods are provided to enable the addition of new nodes or the removal of existing nodes while retaining the affinity of the flows through the stateful services. The methods provide a cluster of network nodes that can be dynamically resized to handle and process network traffic that utilizes stateful network services. The existing traffic flows through the edge continue to function during and after the changes to membership of the cluster. All nodes in the cluster operate in active-active mode, i.e., they are all receiving and processing traffic flows, thereby maximizing the utilization of the available processing power.

Network authorization in web-based or single sign-on authentication environments

Systems and methods for network authorization are described herein. An example method can include receiving a user credential from a host device connected to a network, authenticating the user credential, and, in response to authenticating the user credential, determining an authorization policy associated with the host device. The method can also include polling a network overlay control plane of the network to obtain network location information associated with the host device, identifying at least one network device of the network using the network location information, and transmitting the authorization policy to the at least one network device.

TELECOMMUNICATION AND MULTIMEDIA MANAGEMENT METHOD AND APPARATUS

A telecommunication and multimedia management apparatus and method that supports voice and other media communications and that enables users to: (i) participate in multiple conversation modes, including live phone calls, conference calls, instant voice messaging or tactical communications; (ii) review the messages of conversations in either a live mode or a time-shifted mode and to seamlessly transition back and forth between the two modes; (iii) participate in multiple conversations either concurrently or simultaneously; (iv) archive the messages of conversations for later review or processing; and (v) persistently store media either created or received on the communication devices of users. The latter feature enables users to generate or review media when either disconnected from the network or network conditions are poor and to optimize the delivery of media over the network based on network conditions and the intention of the users participating in conversations.

MEDIA RESOURCE OPTIMIZATION
20220394064 · 2022-12-08 ·

An apparatus includes a transceiver to support a media flow involving a user equipment and an Internet Protocol (IP) Multimedia Subsystem (IMS) network that are connected via a media path that traverses a first realm associated with the user equipment, a second realm, and a third realm associated with the IMS network. In some cases, the apparatus includes a processor to establish a first context to perform interworking between the first realm and the second realm in response to an offer message from the user equipment. The processor later de-allocates the first context in response to receiving an answer message indicating that a second context performs interworking between the first realm and the third realm. In other cases, the processor bypasses allocation of a context to perform interworking between the second realm and the third realm in response to an indication that the media flow is anchored on an incoming side.
