H04L67/563

Cluster claim

Cluster state information is generated in response to a request to establish a connection with a cloud service system. The cluster state information includes a first instance of a security token and host information. The cluster state information is provided to a web browser associated with a user. The web browser associated with the user is redirected to a cloud identity provider. The cloud identity provider is configured to provide the cluster state information, which includes the first instance of the security token and the host information, to the cloud service system via the web browser associated with the user. A certificate is requested from the cloud service system. The cluster state information that includes a second instance of the security token is provided to the cloud service system. The cloud service system is configured to establish the connection based on a comparison between the first instance of the security token and the second instance of the security token. The established connection enables the user to manage a secondary storage system via the cloud service system.

Distributed federation of endpoints with proxy synchronization
11522963 · 2022-12-06

An endpoint of a distributed federation with proxy synchronization including a data center infrastructure, a storage, and an endpoint. The storage stores a state of the data infrastructure and further stores a mirrored state for each of at least one other endpoint. The endpoint includes a communication interface for communicating via a communication network, where the endpoint, in response to receiving a command via the communication interface for changing the mirrored state, forwards the command towards an endpoint that owns the mirrored state via the communication interface. Commands may be forwarded directly or indirectly via one or more intermediary endpoints. An owner endpoint receives a command, updates its local state, and sends one or more events to one or more proxy endpoints to update corresponding mirrored states. A restricted proxy endpoint may store a partial mirrored state. The federation may support bidirectional sharing, synchronization, and resource data sharing.

PROXY CONFIGURED TO DYNAMICALLY FAILOVER AUTHENTICATION TRAFFIC TO A BACKUP AUTHENTICATION SYSTEM

Techniques are described herein that are capable of dynamically failing over authentication traffic to a backup authentication system by a proxy system. An authentication request, which requests authentication of a principal, is received at the proxy system. The authentication request is directed to a primary authentication system. A determination is made, by the proxy system, that the primary authentication system is incapable of providing a valid response to the authentication request. The backup authentication system is caused, by the proxy system, to authenticate the principal using an authentication package received from the primary authentication system by dynamically routing the authentication request to the backup authentication system as a result of the primary authentication system being incapable of providing a valid response to the authentication request.

Device discovery for cloud-based network security gateways

Among other things, this document describes systems, methods and devices for discovering and identifying client devices that attempt to access out-of-policy network services via a secure web gateway (or other network security gateway) that lacks visibility into the client network's actual IP space. This is a common problem with cloud-hosted SWG services that enforce access policy from outside of a customer network (e.g., external to an enterprise network), due to network address translation at the interface between the customer network and the public Internet where the cloud-hosted SWG resides. The teachings hereof address this problem. In one embodiment, a cloud-hosted SWG can redirect a client to a bouncer device inside the customer network; that bouncer device can capture the actual client IP address.

Virtual patching in a label-based segmented network environment
11516242 · 2022-11-29

A segmentation server configures and distributes rules for enforcing a segmentation policy that includes one or more virtual patches. The rules, including the virtual patches, are enforced by distributed enforcement modules that may execute on host devices or on network devices upstream from the host devices. An enforcement module enforces the rules using traffic filters that filter traffic based on network layer data. To implement a virtual patch, the traffic filters are configured to redirect traffic to or from the application being patched to a transparent application proxy. The transparent application proxy implements an application layer filter that filters traffic based on application layer data to block specific types of traffic associated with the vulnerability addressed by the virtual patch.

GLOBAL REGISTRATION SYSTEM FOR AERIAL VEHICLES
20220377494 · 2022-11-24

Systems and methods for vehicle registration are disclosed. A server computer and at least one database are constructed and configured for network communication with at least one vehicle. The at least one vehicle transmits a registration request to the server computer. The server computer assigns a unique registration ID for the at least one vehicle. The at least one database comprises a geofence database storing information of a multiplicity of registered geofences. Each of the multiplicity of registered geofences comprises a plurality of geographic designators defined by a plurality of unique Internet Protocol version 6 (IPv6) addresses. One of the plurality of unique IPv6 addresses is encoded as a unique identifier for each of the multiplicity of registered geofences. The server computer caches the information of the multiplicity of registered geofences on the at least one vehicle.