Patent classifications
H04L61/4523
Dynamic per subscriber policy enablement for security platforms within service provider network environments
Techniques for dynamic per subscriber policy enablement for security platforms within service provider network environments are disclosed. In some embodiments, a system/process/computer program product for dynamic per subscriber policy enablement for security platforms within service provider network environments includes monitoring network traffic on a service provider network at a security platform to identify a subscriber with a new IP flow; associating the subscriber with the new IP flow at the security platform; and determining a security policy to apply at the security platform to the new IP flow based on the subscriber.
DECEIVING ATTACKERS ACCESSING NETWORK DATA
Endpoints in a network execute a sensor module that intercepts commands. The sensor module compares a source of commands to a sanctioned list of applications received from a management server. If the source does not match a sanctioned application and the command is a write or delete command, the command is ignored and a simulated acknowledgment is sent. If the command is a read command, deception data is returned instead. In some embodiments, certain data is protected such that commands will be ignored or modified to refer to deception data where the source is not a sanctioned application. The source may be verified to be a sanctioned application by evaluating a certificate, hash, or path of the source. Responses from an active directory server may be intercepted and modified to reference a decoy server when not addressed to a sanctioned application. Requests to view network resources may be responded to with references to a decoy server.
Dynamic path selection and data flow forwarding
Various techniques for dynamic path selection and data flow forwarding are disclosed. For example, various systems, processes, and computer program products for dynamic path selection and data flow forwarding are disclosed for providing dynamic path selection and data flow forwarding that can facilitate preserving/enforcing symmetry in data flows as disclosed with respect to various embodiments.
SYSTEM AND METHOD FOR USING REAL-TIME PACKET DATA TO DETECT AND MANAGE NETWORK ISSUES
A system and method are disclosed for extracting information from real-time network packet data to analyze connectivity data for client devices in a network. The method includes: detecting when client devices initiate a connectivity event; after detecting a connectivity event, waiting a period of time for the client device to either reach or fail to reach a network connected state; after waiting a period of time, recording connectivity event information; and sending the recorded connectivity event information to an analytics system for network incident and/or network congestion analysis.
MANAGING A VIRTUALIZED APPLICATION WORKSPACE ON A MANAGED COMPUTING DEVICE
Methods and systems for providing load balancing are provided. Example embodiments provide an Application Workspace System “AWS” which enables users to access remote server-based applications using the same interface that they use to access local applications, without needing to know where the application is being accessed. In one embodiment, a load balancing message bus is provided that performs load balancing and resource discovery within the AWS. For example, the AWS may use a broadcast message-bus based load balancing to determine which servers to use to launch remote application access requests or to perform session management. This abstract is provided to comply with rules requiring an abstract, and it is submitted with the intention that it will not be used to interpret or limit the scope or meaning of the claims.
ASSOCIATING A USER IDENTIFIER DETECTED FROM WEB TRAFFIC WITH A CLIENT ADDRESS
In one embodiment, a device in a network receives a set of known user identifiers used in the network. The device receives web traffic log data regarding web traffic in the network. The web traffic log data includes header information captured from the web traffic and a plurality of client addresses associated with the web traffic. The device detects a particular one of the set of known user identifiers in the header information captured from the web traffic associated with a particular one of the plurality of client addresses. The device makes an association between the particular detected user identifier and the particular client address.
System and method for provisioning non-enterprise client devices with access credentials
A system, a method, or a computer program for provisioning a non-enterprise client device with access to an extranet enterprise domain. The system includes an enterprise client device connected to an intranet, a provisioner that receives an extranet registration request from the enterprise client device, an active directory connected to the intranet, a database that stores a non-enterprise client record populated with the non-enterprise client data, a primary transmission system connected to the intranet that transmits a portion of the non-enterprise client data and a linkage message outside of the intranet, and a secondary transmission system connected to the intranet and configured to transmit an access message outside of the intranet, wherein the provisioner generates a unique permanent identification ID_INDEX for the non-enterprise client record.