US Pat. No. 9,471,331

MAINTAINING RESOURCE AVAILABILITY DURING MAINTENANCE OPERATIONS

Citrix Systems, Inc., Fo...

1. A method, comprising:
processing a configured reboot schedule that includes a desktop group that is to be rebooted;
determining, in accordance with the configured reboot schedule, whether to initiate a reboot cycle for performing automated
machine reboots;

responsive to determining to initiate the reboot cycle, determining whether another reboot schedule-initiated reboot cycle
is active or disconnected for the desktop group;

responsive to determining that there is not another reboot schedule-initiated reboot cycle that is active or disconnected
for the desktop group, initiating, by a computing device, the reboot cycle;

determining a set of eligible machines for the reboot cycle;
determining an interval between each machine reboot; and
based on the interval, performing machine-specific processing for the reboot cycle, wherein an attempt is made to reboot each
machine in the set of eligible machines.

US Pat. No. 9,270,678

MEDIATING RESOURCE ACCESS BASED ON A PHYSICAL LOCATION OF A MOBILE DEVICE

Citrix Systems, Inc., Fo...

1. A method comprising:
executing, by a first computing device, an application on behalf of a second computing device, resulting in an application
resource being hosted by the first computing device for the second computing device in connection with execution of the application,
wherein the application resource includes an indication of one or more authorized locations in which access to the application
resource is authorized;

receiving information indicating a location of the second computing device;
determining that the location of the second computing device is a safe location at least by comparing the location of the
second computing device to at least one of the one or more authorized locations; and

responsive to determining that the location of the second computing device is a safe location, providing, by the first computing
device, the second computing device with access to the application resource and transmitting application output data indicative
of the application resource to the second computing device.

US Pat. No. 9,563,445

REMOTE ASSISTANCE FOR MANAGED MOBILE DEVICES

Citrix Systems, Inc., Fo...

1. A method comprising:
initiating, by a managed mobile device comprising at least one processor, a network interface, and a memory storing a remote
assistance policy set comprising one or more remote assistance policies, a remote assistance connection with a remote support
server via the network interface;

receiving, by the managed mobile device, via the remote assistance connection initiated with the remote support server, remote
assistance input provided by a user of an administrator console device, the remote assistance input being received by the
remote support server via an interface provided by the remote support server to the administrator console device;

processing, by the managed mobile device, the remote assistance input based on the remote assistance policy set, wherein processing
the remote assistance input based on the remote assistance policy set comprises:

enforcing a first access policy of the remote assistance policy set that allows the user of the administrator console device
to control one or more managed applications on the managed mobile device to which one or more enterprise policies are applied;
and

enforcing a second access policy of the remote assistance policy set that prevents the user of the administrator console device
from controlling one or more unmanaged applications on the managed mobile device to which the one or more enterprise policies
are not applied; and

sending, by the managed mobile device, to the remote support server, one or more user interface updates based on processing
the remote assistance input based on the remote assistance policy set.

US Pat. No. 9,491,161

SYSTEMS AND METHODS FOR PERFORMING SINGLE SIGN-ON BY AN INTERMEDIARY DEVICE FOR A REMOTE DESKTOP SESSION OF A CLIENT

CITRIX SYSTEMS, INC., Fo...

1. A method for performing a single sign on by an intermediary device for a remote desktop session of a client, the method
comprising:
authenticating, by a device intermediary to a client and a server, user credentials of a user accessing the server via the
client;

receiving, by the device via a client connection to the client, a request from the client to access a remote desktop host
of the server;

generating, by the device, remote desktop protocol content for a remote desktop session, the remote desktop protocol content
includes a security token that is valid for a pre-determined time period, the remote desktop protocol content specifies that
the server is to connect to the device;

transmitting, by the device via the client connection to the client, a response to the request from the client, the response
including the remote desktop protocol content generated by the device with the security token;

receiving, by the device, from the client, a second request to launch the remote desktop host, the second request including
the remote desktop protocol content and the security token;

switching, by the device responsive to validating the security token, the client connection between the client and the device
to a first secure connection;

establishing, by the device, a second secure connection with the remote desktop host using session credentials of the device;
communicating, by the device, the user credentials via the second secure connection for acceptance by the remote desktop host;
and

starting, by the device, a remote desktop session with the remote desktop host using the remote desktop protocol content.

US Pat. No. 9,471,335

SHELL INTEGRATION FOR AN APPLICATION EXECUTING REMOTELY ON A SERVER

Citrix Systems, Inc., Fo...

1. A method comprising:
receiving, at a local computing device, an application identifier and a destination list from a remote computing device, said
application identifier and destination list corresponding to an application executing on the remote computing device;

instantiating, at the local computing device, a stub executable program based on the application identifier of the application
executing on the remote computing device;

configuring the stub executable program using the destination list;
outputting for display a user interface item corresponding to the destination list;
intercepting, at the local computing device via the user interface item, a user input; and
in response to intercepting the user input, executing the stub executable program and sending, by the stub executable program,
the user input to the remote computing device.

US Pat. No. 9,176,744

QUICKLY PROVISIONING A VIRTUAL MACHINE BY IDENTIFYING A PATH TO A DIFFERENTIAL FILE DURING PRE-BOOT

Citrix Systems, Inc., Fo...

1. A method, comprising:
provisioning, by a physical machine, a first instance of a virtual machine, the first instance of the virtual machine comprising
a first modifiable disk, the first modifiable disk being generated based on a base disk remotely located from the physical
machine; and

responsive to a reboot of the physical machine:
identifying, by a bootstrap function executing on the physical machine and prior to booting up an operating system of the
physical machine, a path to a file locally stored on the physical machine and comprising data indicating one or more differences
between the first modifiable disk and the base disk remotely located from the physical machine, the one or more differences
corresponding to one or more modifications made to the first modifiable disk via the first instance of the virtual machine;
and

provisioning, by the physical machine, a second instance of the virtual machine, the second instance of the virtual machine
comprising a second modifiable disk, the second modifiable disk being generated based on the base disk remotely located from
the physical machine and the file.

US Pat. No. 9,083,759

SYSTEMS AND METHODS FOR INTERMEDIARIES TO COMPRESS DATA COMMUNICATED VIA A REMOTE DISPLAY PROTOCOL

CITRIX SYSTEMS, INC., Fo...

1. A method for determining to have intermediaries perform compression of a remote display protocol communicated between a
client and a server, the method comprising:
a) transmitting, by a client to a server via a first intermediary and a second intermediary, a communication identifying remote
display protocol capabilities of the client, each of the first intermediary and the second intermediary modifying the communication
to identify their respective remote display protocol capabilities;

b) determining, by the server from the communication forwarded via the first intermediary and the second intermediary, that
the remote display protocol capabilities of each of the client, the first intermediary and the second intermediary support
a predetermined version of the remote display protocol;

c) transmitting, by the server to the client responsive to the determination, a second communication identifying that the
client and server are not to perform compression on remote display protocol communications;

d) compressing, by the first intermediary, data communicated by the server to the client via the remote display protocol and
forwarding the compressed data to the second intermediary; and

e) uncompressing, by the second intermediary, the compressed data and forwarding the uncompressed data to the client via the
remote display protocol.

US Pat. No. 9,377,925

GUI WINDOW WITH PORTAL REGION FOR INTERACTING WITH HIDDEN INTERFACE ELEMENTS

Citrix Systems, Inc., Fo...

1. A method of operating a computer using a plurality of modes associated with pointer operation, comprising:
displaying a special window on a display device of the computer, the special window being opaque and being overlaid on a system
desktop that includes desktop objects for user interaction with the computer, the desktop objects being in an occluded region
behind and occluded by the special window, the special window displaying user interface elements of an application program
executing on the computer; and

in a portal region of the special window, displaying an image of the system desktop including a counterpart of the occluded
region and the desktop objects therein,

wherein the desktop objects include user-activated desktop objects providing visual feedback of user activation of the desktop
objects in the form of corresponding simulated user interaction with the counterparts of the desktop objects in the portal
region,

and wherein the plurality of modes comprises a first operating mode and a second operating mode, wherein in the first operating
mode a system pointer is active in the special window outside the portal region, and wherein in the second operating mode
a pass-through property is applied to the special window so that input events are passed through the special window to the
desktop objects in the occluded region of the system desktop.

US Pat. No. 9,253,252

SYSTEMS AND METHODS FOR CLOUD BRIDGING BETWEEN INTRANET RESOURCES AND CLOUD RESOURCES

CITRIX SYSTEMS, INC., Fo...

1. A method comprising:
(a) establishing, by a first intermediary device deployed for a private network and a second intermediary device deployed
for a cloud network, a network bridge over a secure layer 2 tunnel, the network bridge extending internet protocol (IP) addressing
of the private network to the cloud network to access resources hosted on the cloud network using an IP address of the private
network;

(b) executing, by the first intermediary device, a virtual server to manage a service provided by a plurality of servers across
the private network and the cloud network, a first set of one or more servers of the plurality of servers executing in the
private network and a second set of one or more servers of the plurality of servers executing in the cloud network;

(c) receiving, by the virtual server, a request from a client on the private network to access the service having an internet
protocol address of the private network; and

(d) transmitting, by the first intermediary device via the network bridge responsive to the virtual server, the request to
one of the servers of the second set of servers in the cloud network.

US Pat. No. 9,088,611

SYSTEMS AND METHODS FOR CLIENT IP ADDRESS INSERTION VIA TCP OPTIONS

CITRIX SYSTEMS, INC., Fo...

1. A method comprising:
(a) receiving, by an intermediary device between one or more clients and one or more servers, an acknowledgement packet to
a first request by a client to establish a transport layer connection with a server, the acknowledgement packet having a transport
layer option field identified by an option number, the transport layer option field comprising overlay network data identifying
IP addresses of hosts traversed between the client and the intermediary device;

(b) identifying, by the intermediary device, that an IP address of the client is to be inserted into network traffic forwarded
to the server;

(c) obtaining, by the intermediary device, the overlay network data from the transport layer option field of the acknowledgement
packet corresponding to the option number; and

(d) inserting, by the intermediary device, IP addresses of the hosts traversed between the client and the intermediary device
from the overlay network data and the IP address of the client into an application layer protocol header of a second request
of the client to access the server via the transport layer connection.

US Pat. No. 9,294,439

SYSTEMS AND METHODS FOR APPLICATION-BASED INTERCEPTION OF SSL/VPN TRAFFIC

CITRIX SYSTEMS, INC., Fo...

1. A method for intercepting application communications for transmission via a virtual private network connection, the method
comprising:
(a) receiving, by an agent of a client, an application routing table identifying one or more applications authorized for access
via a virtual private network connection established with a device intermediary to the client and at least one server, each
of the one or more applications identified via a name of an executable of the corresponding application;

(b) determining, by the agent, whether a first communication from the client is from a first application with a name of an
executable identified by the received application routing table; and

(c) transmitting, by the agent based on the determination, the first communication via the virtual private network connection
established with the device.

US Pat. No. 9,282,285

PROVIDING USER VIDEO HAVING A VIRTUAL CURTAIN TO AN ONLINE CONFERENCE

Citrix Systems, Inc., Fo...

1. A method of providing a user video signal to an online conference, the method comprising:
receiving a live user video signal from a camera device, the live user video signal defining a field of view;
automatically identifying live initial content of a presentation region within the field of view and live initial content
of a privacy region within the field of view; and

generating, as the user video signal to the online conference, a modified user video signal based on the live user video signal,
the modified video signal including (i) the live initial content of the presentation region within the field of view and (ii)
modified video content in place of the live initial content of the privacy region within the field of view;

wherein the camera device includes a camera and a depth sensor;
wherein receiving the live user video signal from the camera device includes acquiring, as the live user video signal, a series
of video frames including captured images of a user from the camera and depth measurement data from the depth sensor; and

wherein automatically identifying the live initial content of the presentation region and the live initial content of the
privacy region includes:

isolating the live initial content of the privacy region from the live initial content of the presentation region based on
the depth measurement data.

US Pat. No. 9,225,596

UNDIFFERENTIATED SERVICE DOMAINS

Citrix Systems, Inc., Fo...

1. A method for providing server virtualization comprising:
generating a partially initialized service domain by pausing a boot sequence during initialization of a new service domain;
receiving a request for a service;
writing to a storage location accessible by the partially initialized service domain configuration information corresponding
to the service requested;

unpausing the boot sequence of the partially initialized service domain; and
completing initialization of the partially initialized service domain using the configuration information to transform the
partially initialized service domain into an initialized service domain configured to provide the service requested.

US Pat. No. 9,185,150

SYSTEM AND METHOD FOR MONITORING AND SELECTIVELY SHARING AN IMAGE IN AN IMAGE LIBRARY

Citrix Systems, Inc., Fo...

1. A method for sharing a screenshot in a communication session, the method comprising:
running one or more software applications on a first computing device, while a communication application is running on the
first computing device, wherein the first computing device is associated with a presenter in a communication session implemented
via the communication application, and wherein the one or more software applications are different from the communication
application;

determining, at the first computing device and using the communication application, that the one or more images were added
to an image library residing at the first computing device since a time when the communication application started running
on the first computing device, wherein the image library residing at the first computing device stores one or more directories
or folders of images, the one or more directories or folders of images comprising photographs taken using a camera of the
first computing device and screenshots, wherein determining, using the communication application, that the one or more images
were added to the image library comprises:

accessing, using the communication application, the image library once every threshold time period; and
determining that one or more new images were added to the image library during a last threshold time period;
in response to determining that the one or more images were added to the image library residing at the first computing device,
facilitating transmission, using the communication application, of at least one of the one or more images from the first computing
device to one or more second computing devices, wherein the one or more second computing devices are associated with one or
more audience members in the communication session;

initially transferring the communication application to a background of a display of the first computing device to facilitate
the presenter working with the one or more software applications; and

wherein the facilitating transmission further comprises automatically moving the communication application from the background
of the display of the first computing device to a foreground of the display of the first computing device, in response to
determining that the one or more images were added to the image library residing at the first computing device, to facilitate
selection by the presenter of at least one of the one or more new images that were added to the image library during the last
threshold time period for transmission to the one or more second computing devices, and automatically transmitting the at
least one of the one or more images added to the image library during the last threshold time period in response to selection
by the presenter of the at least one of the one or more images added to the image library during the last threshold time period.

US Pat. No. 9,167,021

MEASURING WEB BROWSING QUALITY OF EXPERIENCE IN REAL-TIME AT AN INTERMEDIATE NETWORK NODE

Citrix Systems, Inc., Fo...

1. A method comprising:
acquiring a current Hypertext Transfer Protocol (HTTP) transaction;
determining whether the current HTTP transaction relates to web browsing;
acquiring a previous transactions set of a specific client;
evaluating whether the current HTTP transaction belongs with the previous transactions set;
if the current HTTP transaction belongs with the previous transactions set, adding the current HTTP transaction to the previous
transactions set; and

if the current HTTP transaction does not belong with the previous transactions set, creating a boundary of a page unit that
includes the HTTP transactions of the previous transactions set for computing a page unit time.

US Pat. No. 9,071,543

SYSTEMS AND METHODS FOR ADDITIONAL RETRANSMISSIONS OF DROPPED PACKETS

CITRIX SYSTEMS, INC., Fo...

1. A method for reducing retransmission costs, the method comprising:
determining, by a device, a packet loss rate associated with a connection between the device and a receiver;
identifying, by the device, a number of retransmissions of a transmission of a packet corresponding to the packet loss rate
and a packet loss rate threshold from a plurality of retransmission numbers associated with a corresponding plurality of packet
loss rate thresholds;

transmitting, by the device, a network packet to the receiver; and
retransmitting the network packet, by the device, a number of times equal to the identified number of retransmissions.

US Pat. No. 9,423,994

HIERARCHICAL DISPLAY

Citrix Systems, Inc., Fo...

1. One or more non-transitory computer-readable media having computer-executable instructions stored thereon that, when executed
by a processor, cause the processor to:
receive, from a client device, information identifying a position of a user focus within a display area, wherein the position
of the user focus is determined based on an image captured by a camera associated with the client device;

determine, based on the information identifying the position of the user focus within the display area, a primary display
region of the display area corresponding to the position of the user focus;

determine a secondary display region different from the primary display region; transmit, to the client device, a frame of
the primary display region; and

in response to detecting an image change in the secondary display region, prevent transmission of a frame of the secondary
display region based on a determination that the secondary display region does not correspond to the position of the user
focus.

US Pat. No. 9,246,940

SYSTEMS AND METHODS FOR PROTECTING CLUSTER SYSTEMS FROM TCP SYN ATTACK

CITRIX SYSTEMS, INC., Fo...

1. A method for synchronizing a random seed value among a plurality of multi-core nodes in a cluster of nodes for generating
a cookie signature, the method comprising:
(a) generating, by a master core on a master node of a cluster of nodes comprising a plurality of cores, a random seed to
be synchronized across each core of each node in the cluster of nodes;

(b) storing, by the master core on the master node, the random seed to memory on the master node accessible by each core in
the master node;

(c) receiving, by each master core on each other node in the cluster, the random seed sent by the master core of the master
node;

(d) storing, by each master core on each other node in the cluster, the random seed to memory on each node accessible by each
core in each node; and

(e) generating, by each core of each node in the cluster of nodes, a cookie signature based on the random seed responsive
to a predetermined timer.

US Pat. No. 9,218,494

SECURE CLIENT DRIVE MAPPING AND FILE STORAGE SYSTEM FOR MOBILE DEVICE MANAGEMENT TYPE SECURITY

Citrix Systems, Inc., Fo...

1. A method, comprising:
executing a managed application for presentation on a mobile device;
receiving a request to save a data file locally on the mobile device; and
determining whether the data file contains sensitive data;
when the data file contains sensitive data and responsive to the request:
encrypting the data file;
storing the encrypted data file on the mobile device; and
linking the encrypted data file to an unencrypted version of the data file, the unencrypted version of the data file not containing
the sensitive data.

US Pat. No. 9,264,296

CONTINUOUS UPGRADING OF COMPUTERS IN A LOAD BALANCED ENVIRONMENT

Citrix Systems, Inc., Fo...

1. A method for updating a plurality of devices in a load balanced environment, comprising:
(a) identifying, by a maintenance agent, a first device as requiring maintenance, the first device comprising one of a plurality
of devices available to receive requests from a load balancer;

(b) updating, in a maintenance tracking table, a maintenance status of the first device to indicate that maintenance of the
first device is necessary;

(c) determining, by the load balancer, that spare capacity from the others of the plurality of devices available to receive
requests is above a threshold;

(d) determining, by the load balancer, that the first device is idle; and
(e) removing, for maintenance by the maintenance agent responsive to the determination that (i) the spare capacity from the
plurality of devices available to receive requests is above the threshold and (ii) the first device is idle, the first device
from the plurality of devices available to receive requests.

US Pat. No. 9,112,819

SYSTEMS AND METHODS FOR RECEIVE AND TRANSMISSION QUEUE PROCESSING IN A MULTI-CORE ARCHITECTURE

CITRIX SYSTEMS, INC., Fo...

1. A method for processing packets transmitted via a multi-core device, the method comprising:
(a) storing, by a first core of a device intermediary to one or more senders and one or more receivers, a first packet received
from the one or more senders to a first logical transmit queue of the first core, the device comprising a plurality of cores;

(b) storing, by a second core of the plurality of cores of the device, a second packet received from the one or more senders
to a second logical transmit queue of the second core; and

(c) forwarding, by a core of the plurality of cores of the device, to a transmit queue of a network interface card (NIC) of
the device for transmission to a receiver of the one or more receivers, the first packet from the first logical queue and
the second packet from the second logical queue.

US Pat. No. 9,407,608

SYSTEMS AND METHODS FOR ENHANCED CLIENT SIDE POLICY

CITRIX SYSTEMS, INC., Fo...

1. A method for adjusting tuning settings based on an attribute of a client, the method comprising:
(a) identifying, by a device intermediary to a client and a content server, a policy for evaluating the client responsive
to a first request of the client to access the content server, the policy specifying an expression comprising a clause to
be evaluated by the client to identify an attribute of the client, the attribute identifying at least one of an application
of the client, network data, a characteristic of a network to which the client is connected or user preferences;

(b) transmitting, by the device to the client, responsive to identifying the policy for evaluating the client, a second request
to the client to have the client evaluate the clause to identify the attribute of the client;

(c) receiving, by the device from the client, a response to the second request, the response comprising the attribute of the
client;

(d) receiving, by a server intermediary to at least the client and the content server, the attribute of the client from the
device, the server comprising tuning settings for improving performance of communications of response data from the content
server to the client; and

(e) adjusting, by the server, the tuning settings based on the attribute of the client to improve the performance of communications
of the response data from the content server to the client.

US Pat. No. 9,286,471

RULES BASED DETECTION AND CORRECTION OF PROBLEMS ON MOBILE DEVICES OF ENTERPRISE USERS

Citrix Systems, Inc., Ft...

1. A mobile device comprising:
a processor and memory;
an enterprise agent installed on the mobile device, the enterprise agent being configured to enable enterprise applications
installed on the mobile device to securely access resources of an enterprise system of an enterprise, the enterprise agent
being further configured to collect state metric data values of a plurality of state metrics associated with the mobile device;

a plurality of rules stored in the memory of the mobile device, each particular rule of the plurality of rules comprising
a rule name, a security key, and an encrypted rule body comprising logic of the particular rule, at least some of the plurality
of rules mapping states indicated by one or more of the state metric data values to problems indicative of security risks
or productivity risks associated with the enterprise, a first problem of the problems comprising detecting downloading of
more than a threshold amount of data to the mobile device within a time period, and a second problem of the problems comprising
a disablement of password protection for the mobile device; and

remedial action data stored in the memory of the mobile device, the remedial action data specifying remedial actions for addressing
the problems, each of the remedial actions corresponding to at least one problem of the problems and being included in at
least one rule of the plurality of rules for detecting the at least one problem of the problems, a first remedial action of
the remedial actions comprising producing a message on a user interface of the mobile device, the message instructing a user
of the mobile device to activate the password protection for the mobile device, and a second remedial action of the remedial
actions comprising reducing a download throughput to the mobile device for a portion of the time period;

wherein the enterprise agent installed on the mobile device is configured to:
programmatically detect instances of the problems by using the rules to analyze the state metric data values using a process
comprising:

determining a rule of the rules to be analyzed based on the rule name of the rule to be analyzed;
decrypting the encrypted rule body of the rule to be analyzed using the security key;
evaluating the logic of the rule to be analyzed from the decrypted rule body; and
detecting an instance of one of the problems based on the state metric data values;
determine a remedial action of the remedial actions that corresponds to the one of the problems based on the decrypted rule
body; and

respond to the detected instance of one of the problems by executing the remedial action of the remedial actions on the mobile
device,

wherein the enterprise agent installed on the mobile device is further configured to:
detect the disablement of the password protection for the mobile device;
respond to the detected disablement of the password protection for the mobile device by producing the message on the user
interface of the mobile device, the message instructing the user of the mobile device to activate the password protection
for the mobile device; and

determine whether the user of the mobile device activated the password protection for the mobile device within a threshold
time period.

US Pat. No. 9,244,700

METHODS AND SYSTEMS FOR DELIVERING APPLICATIONS FROM A DESKTOP OPERATING SYSTEM

Citrix Systems, Inc., Fo...

1. A method for delivering an application to a computing device, the application delivered from a desktop session hosting
at least one application and executing on a server, comprising:
(a) receiving, by a delivery module executing on the computing device, a first request from a client device of a first user
for access to an application;

(b) identifying, by the delivery module, a first desktop session executing on the server for hosting a plurality of components
including the requested application;

(c) isolating, by an agent executing on the server, components corresponding to the requested application from the plurality
of components;

(d) extracting, by the agent executing on the server, the isolated components corresponding to the requested application from
presentation layer elements of other components of the first desktop session;

(e) generating responsive to the first request, by the agent via a presentation layer protocol, a first application session
using the isolated components corresponding to the requested application, the first application session delivered to the client
device for display, wherein the other components of the first desktop session are prevented from being delivered to the client
device;

(f) receiving, by the delivery module, a second request from the first user for the application, wherein the second request
is different from the first request;

(g) determining, by the delivery module, that the application is hosted by the first desktop session and delivered in the
first application session; and

(h) providing, by the delivery module, based on the determination and responsive to the second request, a second application
session of the application from the first desktop session to the first user responsive to a determination that the first application
session is disconnected from the first user, the second application session comprising the first application session reconnected
with the first user.

US Pat. No. 9,491,218

SYSTEMS AND METHODS FOR LEARNING MSS OF SERVICES

CITRIX SYSTEMS, INC., Fo...

1. A method for determining by an intermediary a maximum segment size (MSS), the method comprising:
(a) identifying, by a device intermediary to a plurality of clients and a plurality of servers, a plurality of services operating
on the plurality of servers, wherein the plurality of services are executed on different servers of the plurality of servers;

(b) identifying, by the device, for the plurality of services, a plurality of different maximum segment sizes used for transport
layer connections established between the device and the plurality of services and advertised by the plurality of services
to the device;

(c) selecting, by the device, a maximum segment size (MSS) from the plurality of different maximum segment sizes advertised
by the plurality of services to the device;

(d) receiving, by the device, a request from a client to establish a transport layer connection with a service of the plurality
of services; and

(e) communicating, by the device responsive to receiving the request from the client, the selected MSS as the MSS of the service
for the requested transport layer connection.

US Pat. No. 9,407,679

SYSTEMS AND METHODS FOR MANAGING PORTS FOR RTSP ACROSS CORES IN A MULTI-CORE SYSTEM

CITRIX SYSTEMS, INC., Fo...

1. A method for using ports of a device for handling a protocol that uses multiple ports for a session, the method comprising:
(a) receiving, by a device intermediary to a client and server, a response from a server to a request of a client to establish
a session between the client and a server via a protocol that uses multiple ports for the session, the response identifying
ports of the server for the session;

(b) selecting, by a core of a plurality of cores of the device, a first port for a data connection for the session and a second
port for a control connection for the session from a range of ports established by the device for the core; and

(c) transmitting, by the device to the client, the response modified to identify the first port and the second port of the
device for the session instead of the ports of the server.

US Pat. No. 9,256,901

METHODS AND SYSTEM FOR ENABLING COMMUNICATION OF IDENTITY INFORMATION DURING ONLINE TRANSACTION

Citrix Systems, Inc., Fo...

1. A processor-implemented method for authorizing human access to complete an online transaction for a service over the Internet,
comprising:
a) detecting a request to enter information for the service, in response to the detection,
i) identifying a first image for display at a receiver device, the first image defined to cover a display portion of a screen
of the receiver device;

ii) identifying a second image with a detectable trait, the second image configured for display over the first image;
iii) executing a first delta-based analyzer to monitor changes of the first image;
iv) executing a second delta-based analyzer to monitor changes of the second image, the changes of the second image include
changes to the detectable trait;

v) combining the changes to the first image and the second image to generate a plurality of combined frames in a framebuffer,
the combined frames including frames representing the changes of the first image and frames representing the changes of the
second image, the changes to the first and the second images being independently adjustable to a respective first and second
display settings;

b) transmitting the combined frames from the framebuffer to the receiver device for display;
c) transmitting a query regarding the detectable trait of the second image to the receiver device;
d) receiving a response from a user to the query at the receiver device; and
e) enabling user input of the information for the service at the receiver device when the response to the query is determined
to be successful.

US Pat. No. 9,246,822

METHODS AND APPARATUS FOR USING A LAYERED GEAR TO ANALYZE AND MANAGE REAL-TIME NETWORK QUALITY OF SERVICE TRANSMISSION FOR MOBILE DEVICES ON PUBLIC NETWORKS

Citrix Systems, Inc., Fo...

1. A method for providing layered gear mechanism to enable optimal transmission of data packets, comprising:
identifying types of data that are scheduled for transmission over a network;
generating data packets of different depths for a particular type of data identified for transmission, at a source;
transmitting the data packets of different depths in different layers over the network to a destination, each layer of data
packets corresponding to a specific depth;

collecting response for the data packets transmitted in each layer, from the network, as the data packets progress along the
network;

analyzing the collected response for the data packets transmitted in each layer to identify one or more network transmission
characteristics of each layer, the one or more network transmission characteristics identifying one or more transmission metrics
associated with each layer; and

selecting a specific one of the different depths for transmitting subsequent data packets for the particular type of data
based on the analyzing,

wherein operations are performed by a processor.

US Pat. No. 9,052,953

AUTONOMOUS COMPUTER SESSION CAPACITY ESTIMATION

Citrix Systems, Inc., Fo...

1. A method comprising:
storing a capacity estimation value in computer memory, wherein the capacity estimation value estimates how many concurrent
sessions a resource in a virtualized computing environment has workload capacity to handle;

monitoring, by a processor, a plurality of resource consumption metrics of the resource on an ongoing basis, wherein the plurality
of resource consumption metrics comprise a network bandwidth consumption metric, CPU consumption metric, and memory consumption
metric;

updating the capacity estimation value using the plurality of monitored resource consumption metrics;
comparing, by the processor, the capacity estimation value in response to receiving a request to create a new session in the
resource;

receiving a hardware parameter of the resource and the plurality of resource consumption metric values of the resource;
determining a current number of sessions being handled by the resource;
recording, in computer memory, a plurality of utilization measurements over time using at least the resource consumption metric
value and a corresponding current number of sessions;

determining that the recorded measurements fall within a predetermined deviation margin;
averaging the recorded measurements to calculate the capacity estimation value; and
updating the capacity estimation value using the calculated capacity estimation value.

US Pat. No. 9,391,952

METHODS AND SYSTEMS FOR DYNAMICALLY SWITCHING BETWEEN COMMUNICATIONS PROTOCOLS

Citrix Systems, Inc., Fo...

1. A method for dynamically switching between communications protocols used in communicating with each of a plurality of physical
computing devices, the method comprising:
requesting, by a storage delivery management service executing on a first server, an enumeration of communication protocols
supported by a storage system executing on a second server in a storage area network;

requesting, by the storage delivery management service, an enumeration of communication protocols supported by a first physical
computing device executing a virtual machine;

identifying, by the storage delivery management service, a first communication protocol supported by both the storage system
and the first physical computing device;

configuring, by the storage delivery management service, the storage system to communicate according to the first communications
protocol with the first physical computing device, the storage system providing, to the virtual machine, access to a virtual
storage resource;

receiving, by the storage delivery management service, a request to migrate the virtual machine from the first physical computing
device to a second physical computing device; and

configuring, by the storage delivery management service, the storage system to communicate with the second physical computing
device according to a second communications protocol different from the first communications protocol.

US Pat. No. 9,378,140

LEAST DISRUPTIVE CACHE ASSIGNMENT

Citrix Systems, Inc., Fo...

1. A cache management device comprising:
a memory having instructions stored therein; and
one or more processors configured to communicate with the memory and capable of executing the instructions to cause the cache
management device to:

determine a first cache quantity of memory caches in the communication network;
determine a second cache quantity of changed memory caches, the changed memory caches including at least one cache added to
the communication network or at least one cache deleted from the communication network;

determine a third cache quantity based on the first cache quantity and the second cache quantity;
determine a first bucket quantity of storage buckets in the communication network;
determine, based on the third cache quantity and the first bucket quantity, a second bucket quantity of buckets to be assigned
to each cache of the third cache quantity;

reassign one or more buckets assigned to each cache of the third cache quantity based on the second bucket quantity, wherein
the one or more buckets are selected first from a quantity of unassigned buckets, and second from an assigned quantity of
buckets.
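The reassignment procedure above, carried through as an added Python example that is not Citrix code and not the patent's own implementation. The per-cache quota (ceil(buckets / caches)), the choice of releasing a cache's highest-numbered buckets as surplus, the deterministic ordering of caches and the sample eight-bucket layout are assumptions made here. The point the example makes is that only unassigned buckets and surplus buckets ever move, so adding a third cache to two full ones relocates two buckets rather than the five or six a modulo rehash would.

```python
"""Least-disruptive bucket reassignment when caches join or leave.

Added example of the procedure in the claim above; not Citrix code. The quota
formula, surplus selection and cache ordering are assumptions.
"""
import math


def reassign_buckets(assignment, num_buckets, added=(), deleted=()):
    """assignment: dict bucket -> cache id (None = unassigned).
    Returns (new_assignment, moved), where moved counts buckets whose owner
    changed. Only unassigned and surplus buckets are ever moved."""
    current = {c for c in assignment.values() if c is not None}   # first cache quantity
    caches = (current | set(added)) - set(deleted)                 # third cache quantity
    if not caches:
        raise ValueError("no caches left to hold the buckets")
    quota = math.ceil(num_buckets / len(caches))                   # second bucket quantity

    new = {b: assignment.get(b) for b in range(num_buckets)}
    # Buckets owned by a deleted cache return to the unassigned pool.
    for b, owner in new.items():
        if owner not in caches:
            new[b] = None
    load = {c: 0 for c in caches}
    for owner in new.values():
        if owner is not None:
            load[owner] += 1

    # Caches above quota release their highest-numbered buckets as surplus.
    surplus = []
    for c in sorted(caches):
        if load[c] > quota:
            owned = sorted(b for b, o in new.items() if o == c)
            for b in owned[quota:]:
                new[b] = None
                surplus.append(b)
            load[c] = quota
    unassigned = [b for b, o in new.items() if o is None and b not in surplus]

    # Fill under-quota caches: unassigned buckets first, then surplus ones.
    pool = unassigned + surplus
    for c in sorted(caches):
        while load[c] < quota and pool:
            new[pool.pop(0)] = c
            load[c] += 1

    moved = sum(1 for b in range(num_buckets) if assignment.get(b) != new[b])
    return new, moved


if __name__ == "__main__":
    # Constructed layout: caches A and B hold four buckets each.
    initial = {b: ("A" if b < 4 else "B") for b in range(8)}
    print(reassign_buckets(initial, 8, added=["C"]))
    print(reassign_buckets(initial, 8, deleted=["B"]))
```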

US Pat. No. 9,325,525

SYSTEMS AND METHODS FOR VLAN TAGGING VIA CLOUD BRIDGE

CITRIX SYSTEMS, INC., Fo...

1. A method for supporting multiple virtual LANs (VLANs) via a single tunnel between intermediary devices, the method comprising:
(a) adding, by a second intermediary device of a second data center on a second network, on untagged VLAN network traffic
for a first VLAN on a first network interface of the second intermediary device, a VLAN tag including VLAN information identifying
the first VLAN network based on the first network interface on which the untagged VLAN network traffic was received;

(b) encapsulating the tagged network traffic;
(c) transmitting the tagged network traffic via a tunnel established between the first intermediary device and the second
intermediary device to a first intermediary device;

(d) receiving, by the first intermediary device of a first data center on a first network from the second intermediary device
of the second data center on the second network, an encapsulated packet of the tagged network traffic via the tunnel, the
first intermediary device comprising a plurality of network interfaces, each network interface of the plurality of network
interfaces interfacing to a corresponding virtual LAN (VLAN) network of a plurality of VLAN networks;

(e) detecting, by the first intermediary device, that the encapsulated packet has been tagged with the virtual LAN (VLAN)
information by the second intermediary device;

(f) identifying, by the first intermediary device from the VLAN information included in the VLAN tag added by the second intermediary
device, the first VLAN network of the plurality of VLAN networks; and

(g) transmitting, by the first intermediary device, a packet of the encapsulated packet via the network interface of the first
intermediary device corresponding to the identified first VLAN network.

US Pat. No. 9,292,618

CONTENT ADAPTATION

Citrix Systems, Inc., Fo...

1. A system comprising:
an optimization server having one or more processors and being configured to:
receive, from a content server, response data for a webpage corresponding to request data that is transmitted from a mobile
device; and

adapt the response data, wherein adaptation of the response data includes the optimization server being further configured to:
extract style data from a data structure, representing the webpage, wherein the style data corresponds to the style of content
on the webpage, wherein the extracted style data includes a subset of style properties that are defined as being essential
style data;

discard, from the subset of style properties that are defined as being essential style data, layout-specific style data extracted
from the data structure;

compare a parent node's essential style data with essential style data of its one or more child nodes;
wrap any of the one or more nodes that share the same essential style data into an enclosure tag based on the comparison;
and

reconstruct an adapted webpage to be sent to the mobile device, wherein the reconstructing is based on the essential style
data provided by the enclosure tag.

US Pat. No. 9,288,251

ADAPTIVE BITRATE MANAGEMENT ON PROGRESSIVE DOWNLOAD WITH INDEXED MEDIA FILES

Citrix Systems, Inc., Fo...

1. A method performed by one or more processors of an adaptive bitrate manager, the method comprising:
receiving streaming media data having an original media frame, an original frame index referencing the original media frame,
and an original file index;

determining an optimal session bitrate, wherein the optimal session bitrate is based on the available network bandwidth between
a server and a terminal;

allocating a frame budget for an output media frame by estimating a frame size of the output media frame based on the original
frame index and the optimal session bitrate, wherein the frame budget represents estimated size of the output media frame;

generating the output media frame by processing the original media frame based on first encoding parameters and, if the allocated
frame budget is greater than a frame size of the processed media frame, padding the processed media frame;

generating an output file index based on the frame budget and the original file index; and
providing the output media frame associated with the output file index.

US Pat. No. 9,275,167

CONTENT ADAPTATION

Citrix Systems, Inc., Fo...

1. A system comprising:
an optimization server comprising one or more processors configured to receive from a content server response data corresponding
to request data that includes a requested webpage and identification data and that is transmitted from a mobile device, to
adapt the response data to the mobile device based on the identification data, and to transmit the adapted response data to
the mobile device, wherein the adaptation of the response data includes a paginating of content, wherein the optimization
server is further configured to:

identify content sections during a traversal of a first Document Object Model (DOM) representing the webpage;
transform the first DOM to a second DOM based on an adaptation parameter that describes features of the mobile device, wherein
the transformation includes a detection of a tab box and a preservation of nodes corresponding to the tab box for the second
DOM;

serialize the second DOM by converting the second DOM into adapted markup language source code; and
construct an adapted webpage from the markup language source code; wherein the adapted webpage is provided to the mobile device
for downloading.

US Pat. No. 9,122,414

METHODS AND SYSTEMS FOR OPTIMIZING A PROCESS OF ARCHIVING AT LEAST ONE BLOCK OF A VIRTUAL DISK IMAGE

Citrix Systems, Inc., Fo...

1. A method for optimizing a process of archiving at least one block of a virtual disk image, the method comprising:
identifying, by a file system analysis component executing on a first physical computing device, a plurality of blocks storing
data comprising a file in an unmounted virtual disk image file;

identifying, by an archiving component executing on the first physical computing device, a difference disk file storing an
identification of a modification to at least one of the identified plurality of blocks storing data comprising the file;

determining a first determination, by the archiving component, responsive to the identification of the modification to the
at least one of the identified plurality of blocks, that the file is obsolete;

transmitting, by the archiving component, responsive to the first determination, to a second physical computing device, at
least one block of a second plurality of blocks stored by the difference disk, the at least one block of the second plurality
of blocks storing data comprising an updated copy of the file;

identifying, by the archiving component executing on the first physical computing device, a third plurality of blocks storing
data comprising a second file in the unmounted virtual disk image file;

determining a second determination, by the archiving component responsive to an identification of a modification to at least
one of the identified third plurality of blocks, that the second file is not obsolete; and

transmitting, by the archiving component responsive to the second determination, at least one block of the third plurality
of blocks storing data comprising the second file to the second physical computing device from the unmounted virtual disk
image.

US Pat. No. 9,110,700

METHODS AND SYSTEMS FOR PREVENTING ACCESS TO DISPLAY GRAPHICS GENERATED BY A TRUSTED VIRTUAL MACHINE

Citrix Systems, Inc., Fo...

1. In a computing device executing a hypervisor hosting a trusted virtual machine and a non-trusted virtual machine, a method
for preventing the non-trusted virtual machine from reading the graphical output of the trusted virtual machine, comprising:
assigning, by a graphics manager to the trusted virtual machine, a secure section of the memory of the graphics processing
unit when a first request is received from the trusted virtual machine;

receiving, by a graphics manager executed by a processor of the computing device, a second request from the non-trusted virtual
machine executed by the computing device to read a first set of graphical data rendered from the trusted virtual machine and
stored in the secure section of the graphics processing unit memory;

preventing, by the graphics manager responsive to receiving the second request, the non-trusted virtual machine from reading
the first set of graphical data stored in the secure section of the graphics processing unit memory;

receiving, by the graphics manager, a third request from an application executing on the non-trusted virtual machine to render
a second set of graphical data using a graphics processing unit of the computing device, the application generating the second
set of graphical data; and

rendering, by the graphics manager, graphics from the second set of graphical data to a section of the graphics processing
unit memory not comprising the secure section of the graphics processing unit memory.

US Pat. No. 9,438,554

CROSS PLATFORM MESSAGING

Citrix Systems, Inc., Fo...

1. A method, comprising:
receiving a plurality of email messages at a messaging application having a graphical user interface, wherein the graphical
user interface of the messaging application comprises an instant messaging interface in a first display region displaying
only instant messages and an email messaging interface in a second display region displaying only email messages, and wherein
the first display region is discrete from the second display region; and

processing, by the messaging application, each of the plurality of email messages as either an email message or as an instant
message by:

determining whether to process the email message as only an email message or only as an instant message,
displaying, by the messaging application, the email message in the email messaging interface if it is determined that the
email message should be processed only as an email message, and

displaying, by the messaging application, text included in the email message within the instant message interface if it is
determined that the email message should be processed only as an instant message,

wherein at least one of the plurality of email messages is processed by the messaging application as an email message, and
at least one of the plurality of email messages is processed by the messaging application as an instant message, and wherein
when a particular email message is processed as an instant message that particular email message is not also processed as
an email message.

US Pat. No. 9,386,006

AUTHENTICATION MECHANISM FOR DOMAIN REDIRECTION OF A REPRESENTATIONAL STATE TRANSFER (REST)-COMPLIANT CLIENT

Citrix Systems, Inc., Fo...

1. A method of domain redirection, comprising:
receiving, at a first server system in a first authentication domain, an original request having a method and a body, the
original request transmitted to the first server system in a message from a client program executing on a client system;

parsing, by the first server system, the received original request, wherein the parsing identifies at least one portion of
the original request that requires resources from a second authentication domain, the second authentication domain separate
from the first authentication domain;

generating, by the first server system in response to the parsing identifying the portion of the original request that requires
resources from the second authentication domain, in a memory of the first server system, a redirection object, wherein the
generating includes storing an identifier of a second server system in the redirection object, the second server system located
in the second authentication domain, and storing a session check flag in the redirection object, the session check flag indicating
whether the client system may be required to perform forms-based authentication prior to re-submitting the original request
to the second server system; and

transmitting a response containing the redirection object from the first server system to the client system.

US Pat. No. 9,311,502

METHOD AND SYSTEM FOR ASSIGNING ACCESS CONTROL LEVELS IN PROVIDING ACCESS TO NETWORKED CONTENT FILES

Citrix Systems, Inc., Fo...

1. A system of granting access to resources, comprising:
a policy engine to detect a first request from a first mobile device for access to a resource and a second request from a
second mobile device for access to the resource;

a first collection agent to gather information about the first mobile device responsive to the request to access the resource
made by the first mobile device, wherein the policy engine transmits the first collection agent to the first mobile device;

a second collection agent to gather information about the second mobile device responsive to the request to access the resource
made by the second mobile device, wherein the policy engine transmits the second collection agent to the second mobile device;
and

the policy engine in communication with the first collection agent and the second collection agent, to grant to the first
mobile device a first level of access to the resource responsive to application of a policy to the information gathered about
the first mobile device and to grant to the second mobile device a second level of access to the resource responsive to application
of a policy to the information gathered about the second mobile device;

a transformation server in communication with the policy engine to modify the resource from a first format for the first level
of access to a second format for the second level of access;

wherein the first level of access is selected from a plurality of levels of access and wherein the second level of access
is selected from the plurality of levels of access and is different from the first level of access.

US Pat. No. 9,094,407

SECURITY AND RIGHTS MANAGEMENT IN A MACHINE-TO-MACHINE MESSAGING SYSTEM

CITRIX SYSTEMS, INC., Fo...

1. A messaging system server device communicatively connected to multiple Internet of Things (IoT) devices, wherein the messaging
system server device is located remotely from the multiple IoT devices and is configured to detect unauthorized message attempts
among the multiple IoT devices, the computing device comprising:
one or more data processors;
a receiver configured to receive a first registration request from a first IoT device and a second registration request from
a second IoT device, wherein the first registration request includes a request to register the first IoT device with a messaging
system, and wherein the second registration request includes a request to register the second IoT device with the messaging
system; and

a non-transitory computer-readable storage medium of the messaging system server device containing instructions, which when
executed on the one or more data processors, cause the one or more processors to register the first IoT device and the second
IoT device with the messaging system, wherein registering the first IoT device includes assigning a first universally unique
identifier to the first IoT device, wherein registering the second IoT device includes assigning a second universally unique
identifier to the second IoT device and generating a permissions record associated with the second IoT device and the assigned
second universally unique identifier, and wherein the permission record allows the messaging system server to detect unauthorized
message attempts by one or more IoT devices to exchange communications with the second IoT device, the permissions record
including:

a first list of universally unique identifiers assigned to IoT devices that have permission to access the second IoT device
at one or more levels of access; or

a second list of universally unique identifiers assigned to IoT devices that do not have permission to access the second IoT
device at the one or more levels of access;

wherein the receiver is further configured to receive a communication from the first IoT device, wherein the communication
is destined for the second IoT device;

wherein the instructions which when executed on the one or more data processors, further cause the one or more processors
to perform operations including:

obtaining the second universally unique identifier;
determining that the second universally unique identifier is assigned to the second IoT device;
accessing the permissions record associated with the second universally unique identifier assigned to the second IoT device;
determining, using the permissions record associated with the second universally unique identifier, that the first IoT device
is unauthorized to send messages to the second IoT device;

determining that the communication received from the first IoT device is an unauthorized message attempt by the first IoT
device to exchange a message with the second IoT device based on the determination that the first IoT device is unauthorized
to send messages to the second IoT device; and

preventing the first IoT device from exchanging communications with the second IoT device and one or more other IoT devices
upon determining that the communication received from the first IoT device is an unauthorized message attempt, wherein preventing
the first IoT device from exchanging communications includes rejecting messages communicated to the first IoT device and rejecting
messages communicated from the first IoT device.
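The registration, permissions-record lookup and two-way rejection described in the claim above, as an added Python example that is not Citrix code and not the patent's own implementation. The class names, the rule that a deny list overrides an allow list, the treatment of a record with neither list as permissive, and the decision to quarantine a sender after a single unauthorized attempt are assumptions made here; the claim only says the server prevents the offending device from exchanging communications.

```python
"""Permissions-record check for a machine-to-machine messaging server.

Added example of the access check in the claim above; not Citrix code. The
class names, deny-overrides-allow rule and single-strike quarantine are
assumptions.
"""
import uuid
from dataclasses import dataclass, field


@dataclass
class PermissionsRecord:
    """Per-device record keyed by the recipient's UUID.

    Either list may be used; when both are present the deny list wins.
    """
    allowed: set = field(default_factory=set)   # UUIDs permitted to reach the owner
    denied: set = field(default_factory=set)    # UUIDs explicitly barred

    def permits(self, sender: uuid.UUID) -> bool:
        if sender in self.denied:
            return False
        if self.allowed:
            return sender in self.allowed
        # No allow list and not denied: the record has nothing against the sender.
        return True


class MessagingServer:
    def __init__(self):
        self.devices = {}         # uuid -> device name
        self.records = {}         # uuid -> PermissionsRecord
        self.quarantined = set()  # devices whose traffic is rejected both ways

    def register(self, name: str, record: PermissionsRecord = None) -> uuid.UUID:
        """Assign a fresh UUID and store the device's permissions record."""
        dev_id = uuid.uuid4()
        self.devices[dev_id] = name
        self.records[dev_id] = record or PermissionsRecord()
        return dev_id

    def deliver(self, sender: uuid.UUID, recipient: uuid.UUID, payload: bytes):
        """Return (accepted, reason) for a message from sender to recipient."""
        if sender in self.quarantined or recipient in self.quarantined:
            return False, "quarantined"
        if recipient not in self.devices:
            return False, "unknown recipient"
        record = self.records[recipient]
        if not record.permits(sender):
            # Unauthorized attempt: block the sender's traffic in both directions.
            self.quarantined.add(sender)
            return False, "unauthorized; sender quarantined"
        return True, "delivered"


if __name__ == "__main__":
    # Constructed fleet: a gateway allowed to talk to a thermostat, and a
    # rogue sensor that is not on the thermostat's allow list.
    srv = MessagingServer()
    gateway = srv.register("gateway")
    thermostat = srv.register("thermostat", PermissionsRecord(allowed={gateway}))
    rogue = srv.register("rogue-sensor")
    print(srv.deliver(gateway, thermostat, b"set 21C"))
    print(srv.deliver(rogue, thermostat, b"set 40C"))
    print(srv.deliver(gateway, rogue, b"status?"))
```

Keying the record on the recipient's server-assigned UUID, rather than on anything the sender claims about itself, is what makes the check hold up; a device cannot talk its way onto an allow list it does not appear in.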

US Pat. No. 9,286,087

STORAGE OPTIMIZATION SELECTION WITHIN A VIRTUALIZATION ENVIRONMENT

Citrix Systems, Inc., Fo...

1. A method for modifying a virtual disk within a virtualization environment, the method comprising:
creating, by a virtual desktop infrastructure executing on a computing machine, a virtual machine template comprising at least
one virtual disk;

modifying, by the virtual desktop infrastructure, the at least one virtual disk to comprise metadata describing a disk type
of the at least one virtual disk, the at least one virtual disk specifying a storage location for the metadata, the metadata
including a field for recording the disk type, the disk type being a characterization of the functions performed by the virtual
disk;

selecting, by the virtual desktop infrastructure, the virtual machine template for a user using at least one of user performance
metrics, virtual machine metrics, and a user request;

allocating, by the virtual desktop infrastructure, the virtual machine template to the user;
receiving, by a storage subsystem executing on the computing machine, the metadata for the at least one virtual disk from
the storage location; and

selecting, by the storage subsystem, a storage optimization for the at least one virtual disk using the disk type.

US Pat. No. 9,432,269

SYSTEMS AND METHODS FOR EXPORTING APPLICATION DETAILS USING APPFLOW

CITRIX SYSTEMS, INC., Fo...

1. A method for lightweight identification of flow information by application, comprising:
maintaining, by a flow monitor executed by a processor of a device, a counter;
associating, by the flow monitor, an application with the value of the counter;
transmitting, by the flow monitor to a data collector executed by a second device, the counter value and a name of the application;
monitoring, by the flow monitor, a data flow associated with the application to generate a data record; and
transmitting the data record, by the flow monitor to the data collector, the data record including an identification of the
application consisting of the counter value.

US Pat. No. 9,223,970

EVALUATING APPLICATION INTEGRITY

Citrix Systems, Inc., Fo...

1. A method, comprising:
analyzing, by an application store provided by at least one computing device, one or more aspects of an application;
determining, by the application store provided by the at least one computing device, based on the one or more analyzed aspects
of the application, an integrity score for the application;

determining, by the application store provided by the at least one computing device, based on the integrity score, whether
to publish the application in the application store; and

in response to determining to publish the application in the application store, publishing, by the application store provided
by the at least one computing device, the application in the application store,

wherein analyzing the one or more aspects of the application comprises:
executing the application in a managed environment;
observing, based on the executing, one or more interactions associated with execution of the application; and
comparing the one or more observed interactions with one or more expected interactions, and
wherein executing the application in the managed environment comprises:
recording one or more manually-applied application stimuli during a training mode in which the application is executed for
a first time; and

automatically applying the one or more recorded application stimuli during an automated testing mode in which the application
is executed at least one additional time.

US Pat. No. 9,183,380

SECURE EXECUTION OF ENTERPRISE APPLICATIONS ON MOBILE DEVICES

Citrix Systems, Inc., Fo...

1. A method comprising:
installing a secure launcher on a mobile device, the secure launcher being separate from a general launcher included within
an operating system of the mobile device, the general launcher providing functionality for launching non-enterprise applications
installed on the mobile device;

installing an enterprise application on the mobile device, the enterprise application including functionality for accessing
an enterprise system;

modifying the enterprise application by replacing a request for the general launcher included within the operating system
of the mobile device with a request for the secure launcher, the request for the secure launcher causing the enterprise application
to be launched using the secure launcher, wherein the secure launcher enforces an authentication policy in which a user must
enter valid authentication information when launching the enterprise application;

installing, on the mobile device, a secure virtual machine that is separate from a virtual machine of the operating system
of the mobile device; and

configuring the mobile device such that the enterprise application, but none of the non-enterprise applications, runs within
the secure virtual machine.

US Pat. No. 9,049,299

USING AUDIO SIGNALS TO IDENTIFY WHEN CLIENT DEVICES ARE CO-LOCATED

CITRIX SYSTEMS, INC., Fo...

1. A method of managing an online meeting, the method comprising:
providing, by electronic circuitry, an audio output signal to a first client device currently participating in the online
meeting, the audio output signal directing the first client device to play a particular sound;

receiving, by the electronic circuitry, an audio input signal from a second client device, the audio input signal including
the particular sound; and

identifying, by the electronic circuitry, the second client device as being co-located with the first client device in response
to the audio input signal which includes the particular sound;

wherein a first audio input signal, from a first candidate device, includes the particular sound at a first volume level;
wherein a second audio input signal, from a second candidate device, includes the particular sound at a second volume level;
and

wherein identifying the second client device includes selecting, as the second client device, one of the first and second
candidate devices based on the first and second volume levels.

US Pat. No. 9,356,977

ACQUIRING ONLINE MEETING DATA RELATING TO AN ONLINE MEETING

Citrix Systems, Inc., Fo...

1. A method of acquiring online meeting data relating to an online meeting, the method comprising:
running, by processing circuitry, a set of programs to carry out an online meeting which shares online meeting content among
a set of users;

while the processing circuitry runs the set of programs to carry out the online meeting, performing a set of information collection
operations by the processing circuitry, the set of information collection operations collecting online meeting data from the
set of programs, the collected online meeting data including non-bitmap text-based information extracted from the set of programs;
and

storing, by the processing circuitry, the collected online meeting data in a designated location of computer memory;

wherein performing the set of information collection operations includes:
identifying keywords and phrases in the non-bitmap text-based information, and
associating respective tags with portions of the non-bitmap text-based information based on keywords and phrases identified
in the portions of the non-bitmap text-based information; and
wherein associating the respective tags with the portions of the non-bitmap text-based information includes:
comparing the identified keywords and phrases with a predefined dictionary to discover a set of uncommon terms in the non-bitmap
text-based information, and

attaching at least some of the respective tags to the portions of the non-bitmap text-based information based on the set of
uncommon terms discovered in the non-bitmap text-based information.

US Pat. No. 9,288,137

SYSTEMS AND METHODS FOR ALLOCATION OF CLASSES OF SERVICE TO NETWORK CONNECTIONS CORRESPONDING TO VIRTUAL CHANNELS

Citrix Systems, Inc., Fo...

1. A system for allocating a different quality of service to each network connection in a plurality of network connections,
where each network connection corresponds to one or more virtual channels, the system comprising:
a first computing device; and
a second computing device in communication with the first computing device via a remote-display protocol session, the remote-display
protocol session comprising a plurality of virtual channels, each servicing at least a portion of network traffic of the remote-display
protocol session,

a plurality of transport layer network connections comprising a network connection between the first computing device and
the second computing device, a first transport layer network connection carrying a first virtual channel and assigned a first
quality of service, the first virtual channel configured to transmit remote display protocol data via the first transport
layer network connection responsive to the first quality of service and one of an application type and a user of the data,
and a second transport layer network connection carrying a second virtual channel and assigned a second quality of service,
the second quality of service different from the first quality of service; and

an intermediary device to perform network prioritization on the plurality of transport layer network connections, wherein
a priority of the second virtual channel corresponding to the second quality of service is assigned responsive to a content
type, the content type comprising at least one of voice, video, and audio content.

US Pat. No. 9,213,850

POLICY-BASED APPLICATION MANAGEMENT

Citrix Systems, Inc., Fo...

1. A method comprising:
configuring a first managed application installed on an electronic mobile device to operate in accordance with a set of one
or more policy files defined independent of the managed application, wherein each policy file defines one or more access controls
enforced by a mobile device management system on the electronic mobile device when the managed application is executing on
the electronic mobile device;

receiving, by processing circuitry of the electronic mobile device, a copy command;
encrypting, by the processing circuitry and in response to the copy command, original data from the first managed application
to form encrypted data, wherein the encrypting is performed based on encryption information identified in the one or more
policy files; and

writing, by the processing circuitry and in response to the copy command, the encrypted data to a secure clipboard residing
in memory of the electronic mobile device to enable a second managed application to subsequently read and decrypt the encrypted
data from the secure clipboard, the secure clipboard residing at a location of the memory which is different than that of
a general clipboard residing in the memory, the general clipboard being accessible by a set of unmanaged applications running
on the electronic mobile device, and the secure clipboard being accessible only to a set of one or more managed applications
identified by the one or more policy files, wherein the set of one or more managed applications comprises the first and second
managed applications.

US Pat. No. 9,268,736

SYSTEMS AND METHODS FOR GENERATING AND MANAGING COOKIE SIGNATURES FOR PREVENTION OF HTTP DENIAL OF SERVICE IN A MULTI-CORE SYSTEM

Citrix Systems, Inc., Fo...

1. A system for generating cookie signatures in a device comprising a plurality of cores, the system comprising:
a device intermediary to a plurality of clients and one or more servers, the device comprising a plurality of cores;
a shared memory, accessible by each of the plurality of cores, for storing and accessing a random seed;
a timer to signal regeneration of cookie signatures based on the random seed, the time expiring responsive to a predetermined
time period;

wherein the device is configured to store a new random seed generated responsive to each expiration of the cookie timer; and
wherein each core of the plurality of cores is configured to generate one or more cookie signatures based on the random seed
obtained from the shared memory.

US Pat. No. 9,268,466

METHODS AND SYSTEMS FOR UPDATING A DOCK WITH A USER INTERFACE ELEMENT REPRESENTATIVE OF A REMOTE APPLICATION

Citrix Systems, Inc., Fo...

1. A method of updating a dock, generated and displayed by a local computer, with a user interface element representative
of a remote application executing on a remote computer, the method comprising:
receiving, by a local client executing on a local computer, application output generated by a plurality of remote applications
including a first remote application and a second remote application executing on a remote computer, a user interface element
representative of the first remote application, and window configuration information;

generating, by the local client responsive to receiving the application output, a plurality of application output windows
to display the received application output, the plurality of application output windows generated locally at the local client
according to the window configuration information and including a first local window group corresponding to the first remote
application and a second local window group corresponding to the second remote application, wherein the window configuration
information comprises an indication of a parent and child relationship between a parent window and a child window, and wherein
the local client includes both the parent window and the child window in the first local window group based on the indication;

executing, responsive to receiving the application output, a process on the local machine, the process comprising the user
interface element representative of the first remote application;

updating, by an operating system of the local computer responsive to executing the process, a dock of the local computer with
an image of output data for the user interface element representative of the process, the image refreshed at least periodically
or responsive to a user command; and

redirecting, by the process, a user interaction with the user interface element in the dock to an application output window
in the first local window group displaying the application output generated by the first remote application.

US Pat. No. 9,189,645

SHARING CONTENT ACROSS APPLICATIONS AND DEVICES HAVING MULTIPLE OPERATION MODES IN AN ORCHESTRATION FRAMEWORK FOR CONNECTED DEVICES

Citrix Systems, Inc., Fo...

1. A method comprising:
interconnecting a plurality of computing devices through an orchestration framework that coordinates operation of a computing
activity across multiple computing devices of the plurality of computing devices;

performing a comparison of a first operation mode of a first application at a first one of the computing devices to a second
operation mode of a second application at a second one of the computing devices, wherein the first and second operation modes
are respectively one of

a managed operation mode in which availability of application functionality depends on a management policy, and
an unmanaged operation mode in which availability of application functionality does not depend on the management policy; and
either initiating or blocking a transfer of content from the first application to the second application based on enforcement
of the management policy with respect to the comparison of the first and second operation modes, wherein the transfer comprises

copying the content from the first application to a virtual clipboard, and
pasting the content from the virtual clipboard at the second application;
wherein the management policy
permits the transfer of the content where the first operation mode is the same as the second operation mode,
permits the transfer of the content where the first operation mode is the unmanaged operation mode, and
restricts the transfer of the content where the first operation mode is the managed operation mode and the second operation
mode is the unmanaged operation mode.

US Pat. No. 9,280,741

AUTOMATED ALERTING RULES RECOMMENDATION AND SELECTION

Citrix Systems, Inc., Fo...

1. In a device monitoring system constructed and arranged to communicate alerts, via a set of alerting rules, in response
to changes within a computing environment, a method of providing alerting rules for a particular computing environment, the
method comprising:
storing multiple alerting rule sets in a rule set database, the multiple alerting rule sets providing sets of alerts when
applied to configuration data of existing computing environments;

selecting particular alerting rules among the multiple alerting rule sets stored in the rule set database, the particular
alerting rules providing particular alerts when applied to configuration data of an existing computing environment; and

providing the particular alerting rules to the particular computing environment,
wherein each existing computing environment is managed by an expert user, each expert user receiving alerts from the device
monitoring system in response to configuration changes within the existing computing environment managed by that expert user
according to an alerting rule set stored in the rule set database,

wherein each alerting rule of the multiple alerting rule sets includes (i) a configuration change identifier identifying a
configuration change in an existing computing environment and (ii) a respective alert indicator indicating whether an alert
is to be issued in response to the configuration change identified by the configuration change identifier,

wherein selecting the particular alerting rules includes:
performing a comparison operation between the existing computing environments and the particular computing environment, the
comparison operation producing a comparison result indicative of whether the existing computing environments are similar to
the particular computing environment; and

picking, as the particular alerting rules, rules from the multiple alerting rule sets based on the comparison result.

US Pat. No. 9,270,674

VALIDATING THE IDENTITY OF A MOBILE APPLICATION FOR MOBILE APPLICATION MANAGEMENT

Citrix Systems, Inc., Fo...

1. A method of managing access to enterprise resources comprising:
operating an access manager at a mobile computing device;
storing, at the mobile computing device, identification information corresponding to an identification token embedded in a
mobile application installed at the mobile computing device;

validating, using the access manager, the mobile application based, at least in part, on the identification token and the
identification information stored, wherein validating the mobile application comprises

challenging the mobile application to provide a response that is based, at least in part, on the identification token,
generating an expected response based, at least in part, on the identification information stored,
comparing the expected response to the response provided by the mobile application, and
determining that the mobile application is either valid or invalid based on whether the expected response matches the response
provided by the mobile application;

preventing the mobile application from accessing a computing resource upon unsuccessful validation of the mobile application
by the access manager;

identifying the mobile application as a trusted mobile application upon successful validation of the mobile application by
the access manager; and

permitting the trusted mobile application to access the computing resource.

US Pat. No. 9,509,501

STORAGE ENCRYPTION

Citrix Systems, Inc., Fo...

1. A non-transitory computer-readable medium storing instructions that, when executed by a processor of an apparatus, cause
the apparatus to:
encrypt a storage area provisioned for a virtual or actual machine with a first encryption key, the storage area storing data;
store the first encryption key in a header of the storage area, wherein the header and the data stored in the storage area
are logically separate from one another;

generate a second encryption key and store the second encryption key in the header;
encrypt the header and the first encryption key stored therein with the second encryption key; and
migrate the storage area, including:
decrypting the first encryption key with the second encryption key;
encrypting the first encryption key with a third encryption key; and
removing the second encryption key from the header after encrypting the first encryption key with the third encryption key.

US Pat. No. 9,438,488

SYSTEMS AND METHODS FOR APPFLOW FOR DATASTREAM

CITRIX SYSTEMS, INC., Fo...

1. A method for monitoring application level flow by an intermediary device between a client and a server hosting a database,
comprising:
receiving, by an intermediary device from a client device, a first database request designated for a server hosting a database
having a first type, the first database request comprising a request type and a request string, the intermediary device identifying
from parameters of the first database request each of the first type of database, the request type and the request string,
wherein the request type comprises one of a read type of request or a write type of request;

identifying, by the intermediary device, that a parameter of the first database request matches a parameter of a first policy
of a set of one or more policies;

selecting by the intermediary device, the server from a plurality of servers based on the request type, the intermediary device
configured to select a master server for write type of requests and a slave server having a copy of the database for read
type of requests;

generating, by the intermediary device responsive to the identification, a first Internet Protocol Flow Information Export
(IPFIX) message comprising an identification of the first type of database, an identification of the request type of the first
database request, and the request string of the first database request;

transmitting, by the intermediary device to the server, the first database request;
receiving, by the intermediary device from the server, a first response to the first database request, the first response
comprising a response status and a response string;

determining, by the intermediary device, that the first response corresponds to the first database request; and
generating, by the intermediary device responsive to the determination, a second IPFIX message comprising an identification
of the response status and the response string of the first response;

aggregating, by the intermediary device, the first IPFIX message and the second IPFIX message into a single application flow
record.

US Pat. No. 9,401,931

METHOD AND SYSTEM FOR DYNAMICALLY ASSOCIATING ACCESS RIGHTS WITH A RESOURCE

Citrix Systems, Inc., Fo...

1. A method for dynamically associating, by a server, access rights with a resource, the method comprising steps of:
(a) receiving, by a server, a request for a resource from a client;
(b) generating, by a first component of a policy engine, a dataset responsive to an application of a first policy to the client;
(c) transmitting, by the first component of the policy engine to a second component of the policy engine, the dataset;
(d) applying, by the second component of the policy engine, a second policy to the dataset to identify a plurality of levels
of access rights associated with the resource;

(e) requesting, by the server, from the second component of the policy engine, the plurality of levels of access rights to
associate with the resource;

(f) signing, by the server, the resource with the plurality of levels of access rights via an extensible rights markup language;
(g) transmitting, by the server, the resource signed with the plurality of levels of access rights to the client;
(h) making, by an application program responsive to receiving from the server the signed resource, an access control decision
using the plurality of levels of access rights, the application program executing on the client; and

(i) providing, by the application program, restricted access to the resource responsive to the access control decision.

US Pat. No. 9,354,707

COMBINATION COLOR AND PEN PALETTE FOR ELECTRONIC DRAWINGS

Citrix Systems, Inc., Fo...

1. A method of operating an electronic drawing tool, the method comprising:
rendering a drawing window of the electronic drawing tool within a display of a user device, the drawing window including
a color palette, the color palette including color icons;

in response to receiving a color selection command from a user to select a color icon of the color palette, displaying a pen
palette embedded within the selected color icon; and

after receiving a pen selection command from the user to select a pen icon of the pen palette, rendering a drawing stroke
within the drawing window in a color and pen style indicated by the selected color icon and selected pen icon, respectively;

wherein the color icons of the color palette each include a rectangular block having a color that is substantially the color
in which the drawing stroke is rendered in the drawing window;

wherein displaying the pen palette embedded within the selected color icon includes:
revealing the pen palette within the rectangular block of the selected color icon;
wherein the method further comprises:
receiving the color selection command from the user to select a color icon of the color palette; and
wherein revealing the pen palette within the rectangular block of the selected color icon includes:
expanding the rectangular block of the selected color icon to display the pen icons of the pen palette.

US Pat. No. 9,219,579

SYSTEMS AND METHODS FOR CLIENT-SIDE APPLICATION-AWARE PRIORITIZATION OF NETWORK COMMUNICATIONS

CITRIX SYSTEMS, INC., Fo...

1. A method for a client to prioritize network communications of the client associated with an application of the client,
the method comprising the steps of:
intercepting, by the client, a plurality of network packets associated with a first application and second application of
the client;

storing, by the client, the plurality of network packets to a queue, with at least one packet associated with the second application
placed ahead of at least one packet associated with the first application in the queue;

determining, by the client, that the first application is running in the foreground on the client;
setting, by the client, a priority for the at least one packet associated with the first application to a value higher than
a priority for the at least one packet associated with the second application, responsive to the determination that the first
application is running in the foreground on the client;

placing, by the client, the at least one network packet associated with the first application ahead of the at least one network
packet associated with the second application in the queue, responsive to the set priorities for the at least one packet associated
with the first application;

providing the at least one network packet associated with the first application of the client for communications via a network
stack of the client before providing the at least one network packet associated with the second application of the client
for communications via the network stack, responsive to the placement of the network packets in the queue; and

holding, by the client, in the queue the at least one network packet associated with the second application, and releasing
the held at least one network packet upon communication of the at least one network packet associated with the first application
prioritized ahead of the held at least one network packet.

US Pat. No. 9,210,213

REVERSE SEAMLESS INTEGRATION BETWEEN LOCAL AND REMOTE COMPUTING ENVIRONMENTS

Citrix Systems, Inc., Fo...

1. One or more non-transitory computer readable media storing computer executable instructions that, when executed by a local
client device, cause the local client device to act in accordance with the instructions, said instructions comprising:
identifying a local real window corresponding to an application executing on the client device;
creating, by a virtual desktop receiver application executing on the client device, a shadow window on the client device,
said shadow window corresponding to the local real window, wherein the shadow window includes a replication of content from
the local real window;

receiving input via the shadow window; and
proxying the input to the local real window.

US Pat. No. 9,191,664

ADAPTIVE BITRATE MANAGEMENT FOR STREAMING MEDIA OVER PACKET NETWORKS

CITRIX SYSTEMS, INC., Fo...

1. A method comprising:
receiving media data that includes audio media data and video media data;
receiving feedback information from a terminal;
estimating one or more network conditions of a media network using the feedback information;
determining an optimal audio bitrate and an optimal video bitrate using the estimated one or more network conditions;
encoding the audio media data using the optimal audio bitrate;
encoding the video media data using the optimal video bitrate; and
providing the encoded audio media data and the encoded video media data for transmission to the terminal.

US Pat. No. 9,282,097

SYSTEMS AND METHODS FOR PROVIDING SINGLE SIGN ON ACCESS TO ENTERPRISE SAAS AND CLOUD HOSTED APPLICATIONS

CITRIX SYSTEMS, INC., Fo...

1. A method for providing via an intermediary device single sign on across one or more disparately hosted applications, the
method comprising:
(a) intercepting, by a device intermediary to a plurality of clients and a plurality of servers, a first request of a client
of the plurality of clients to access a login page of a third-party hosted application of a plurality of disparately hosted
applications on the plurality of servers accessible via the device using a single set of authentication credentials;

(b) redirecting, by the device intermediary to the client and a server of the plurality of servers hosting the third-party
hosted application, the client to a single sign on system for redirection to a domain of the third-party hosted application
identified by a corresponding fully qualified domain name, the single sign on system providing single sign on access to one
or more third-party hosted applications of the plurality of disparately hosted applications;

(c) intercepting, by the device, a second request from the client to be redirected to the domain of the third-party hosted
application identified by the corresponding fully qualified domain name;

(d) redirecting, by a content redirection virtual server executing on the device, using the fully qualified domain name and
responsive to applying a first policy to the second request and the first policy matching one or more keywords of a first
uniform resource locator of the second request, the second request to the single sign on system for redirection to the domain;

(e) intercepting, by the device, the second request redirected by the single sign on system to the domain, the redirected
second request having a second uniform resource locator instead of the first uniform resource locator; and

(f) responsive to intercepting the redirected second request and determining that the first policy does not match one or more
keywords of the second uniform resource locator, forwarding, by the device, the redirected second request to the domain of
the third-party hosted application.

US Pat. No. 9,210,081

SYSTEMS AND METHODS FOR BRIDGING A WAN ACCELERATOR WITH A SECURITY GATEWAY

CITRIX SYSTEMS, INC., Fo...

1. A method comprising:
(a) receiving, at a first network layer of a device, a network packet from a source, the network packet comprising a destination
media access control address identifying a destination for the network packet and a source media access control address identifying
an adapter type;

(b) determining, by the device, that the adapter type of the source is a physical network interface card instead of a local
network interface of the device;

(c) modifying, by the device in response to the determination, the destination media access control address of the network
packet to identify the local network interface of the device;

(d) applying, at the second network layer of the device, a policy to the network packet received from the first network layer;
(e) modifying, at the first network layer of the device, the destination media access control address of the network packet,
received from the second network layer, to identify the media access control address of the destination; and

(f) transmitting, by the device, the network packet to the destination.

US Pat. No. 9,280,458

RECLAIMING MEMORY PAGES IN A COMPUTING SYSTEM HOSTING A SET OF VIRTUAL MACHINES

Citrix Systems, Inc., Fo...

1. In a virtualization platform, a method for reclaiming memory pages, the method comprising:
receiving, by a virtual machine of the virtualization platform, an inflate command which directs a balloon driver of the virtual
machine to inflate;

issuing, by the virtual machine and in response to the inflate command, a sweep request to a hypervisor,
wherein the sweep request directs the hypervisor to (i) perform a scan of memory pages allocated to the virtual machine for
a predetermined pattern of characters, (ii) de-allocate memory pages having the predetermined pattern of characters from the
virtual machine, the de-allocated memory pages including super pages and regular pages, and (iii) update a list of memory
page mappings to reflect the de-allocated memory pages; and

after the list of memory page mappings is updated, completing balloon driver inflation,
wherein issuing the sweep request to the hypervisor includes directing the hypervisor to (i) scan memory pages allocated to
the virtual machine for zeroed pages, and (ii) de-allocate memory pages which are zeroed pages from the virtual machine,

wherein the list of memory page mappings is a physical address to machine address (P2M) table for the virtual machine, the
P2M table including a set of P2M entries, each P2M entry being configured to map a physical memory page address to a real
memory page address; and

wherein updating the list of memory page mappings includes:
for each memory page that the hypervisor de-allocates from the virtual machine, replacing a real memory page address in a
corresponding P2M entry of the P2M table with a populate-on-demand identifier.

US Pat. No. 9,282,289

SYSTEMS, METHODS, AND DEVICES FOR GENERATING A SUMMARY DOCUMENT OF AN ONLINE MEETING

Citrix Systems, Inc., Fo...

1. A method for generating a summary document of an online meeting, the method comprising:
storing, in computer memory, at least a portion of screen data representing a previously presented portion of an ongoing online
meeting;

capturing a plurality of screenshots in response to trigger events, each screenshot i) being based at least in part on the
stored screen data and ii) being representable as an image thumbnail, wherein capturing each screenshot of the screen data
includes associating a timestamp with the screenshot, the timestamp indicating a point in time in the previously presented
portion of the meeting;

combining the plurality of screenshots, thereby dynamically generating a summary document summarizing the ongoing online meeting,
wherein the image thumbnails representing the plurality of screenshots are for facilitating navigating through the summary
document while the ongoing online meeting is still ongoing; and

signaling for presenting, at a viewer computing device attending the meeting, simultaneously and while the ongoing online
meeting is still ongoing, first screen data corresponding to a currently presented portion of the ongoing online meeting and
second screen data corresponding to one of the plurality of screenshots in the summary document, wherein the second screen
data includes stored screen data from a previously presented portion of the ongoing online meeting, and wherein the first
screen data is presented picture-in-picture inside the second screen data or the second screen data is presented picture-in-picture
inside the first screen data, wherein signaling for presenting the first screen data corresponding to the currently presented
portion of the ongoing online meeting includes presenting live screen and audio data of the ongoing online meeting, and wherein
signaling for presenting the second screen data corresponding to the screenshot includes displaying screen data from the previously
presented portion of the online meeting corresponding to the point in time in the previously presented portion of the meeting
indicated by the timestamp associated with the one of the plurality of screenshots in the summary document.

US Pat. No. 9,223,635

NETWORK OFFERING IN CLOUD COMPUTING ENVIRONMENT

Citrix Systems, Inc., Fo...

10. A method, comprising:
identifying, by a cloud system management server, a plurality of network elements in a cloud of computing resources;
storing, by the cloud system management server, a first network offering associated with a first subset of network elements
of the plurality of network elements;

storing, by the cloud system management server, a second network offering associated with a second subset of the plurality
of network elements;

receiving, by the cloud system management server, an end user request to create a new virtual machine within the cloud of
computing resources,

wherein the request includes a selection identifying a selected network offering of the first network offering or the second
network offering;

matching the selected network offering to a definition of a first virtual machine network comprising a first set of network
services; and

creating, by the cloud system management server, a first virtual machine in response to the end user request, wherein the
first virtual machine is configured to use the first virtual machine network and the subset of network elements corresponding
to the selected network offering.

US Pat. No. 9,280,377

APPLICATION WITH MULTIPLE OPERATION MODES

Citrix Systems, Inc., Fo...

1. A method comprising:
presenting, to a user, an interface comprising a plurality of applications on a computing device;
receiving, from the user, a selection for one of the plurality of applications;
determining a context for the selected application based on one or more operational parameters of the computing device executing
the selected one of the plurality of applications, wherein determining the context comprises:

analyzing an account used within the selected application;
analyzing a location for the computing device;
monitoring whether a predetermined application is running on the computing device;
analyzing one or more network connections for the computing device; and
analyzing one or more settings for the computing device;
comparing the determined context with one or more policies for the selected application, wherein the one or more policies
for the selected application differ from one or more policies for a second application, wherein each policy defines one or
more access controls set for the selected application, wherein the one or more access controls are enforced by a management
system on the computing device when the selected application is executing on the computing device, and wherein the comparison
comprises:

comparing the account used within the selected application to one or more account policies for the selected application;
comparing the location for the computing device to one or more location policies for the selected application;
comparing the monitored predetermined application to one or more application policies for the selected application;
comparing the one or more detected network connections to one or more network connection policies for the selected application;
and

comparing the one or more analyzed settings to one or more settings policies for the selected application;
determining one of a plurality of operation modes for the selected application based on the comparison of the determined context
with the one or more policies for the selected application, wherein the plurality of operation modes comprises at least an
unmanaged mode and a managed mode; and

running the selected application in the determined operation mode on the computing device.

US Pat. No. 9,276,925

MANAGING CLOUD ZONES

Citrix Systems, Inc., Fo...

1. A method, comprising:
receiving, by one or more computing devices and from an agent, associated with a private zone of computing resources, that
facilitates communications between the one or more computing devices and at least a portion of computing resources of the
private zone, a request to add the at least a portion of computing resources to a cloud of computing resources that is managed
by the one or more computing devices and comprises shared computing resources and private computing resources; and

responsive to the request and a determination that addition of the at least a portion of computing resources to the cloud
is authorized:

adding, by the one or more computing devices, the at least a portion of computing resources to the cloud;
generating, by the one or more computing devices, an authentication token; and
communicating, by the one or more computing devices and to the agent, the authentication token.

US Pat. No. 9,276,957

SYSTEMS AND METHODS FOR HANDLING SSL SESSION NOT REUSABLE ACROSS MULTIPLE CORES

CITRIX SYSTEMS, INC., Fo...

1. A method of identifying a secure socket layer (SSL) session as not reusable among cores in a multi-core system, the method
comprising:
a) indicating, by a first packet engine executing on a first core of a multi-core system, that an SSL session is not reusable;
b) identifying, by the first packet engine responsive to the indication, one or more cores of the multi-core system that have
requested session information for the SSL session;

c) transmitting, by the first packet engine, to each of the identified one or more cores of the multi-core system a message
indicating that the SSL session is not reusable;

d) receiving, by a second packet engine of a second core of the one or more cores of the multi-core system, a request to reuse
the SSL session, the request comprising a session identifier of the SSL session, the session identifier identifying the first
core as an establisher of the SSL session;

e) identifying, by the second packet engine, from the session identifier that the second core is not the establisher of the
SSL session; and

f) establishing, by the second packet engine, a new SSL session responsive to a determination to not reuse the SSL session,
the determination based on the message from the first core and the identification that the second core is not the establisher
of the SSL session.

US Pat. No. 9,165,157

METHODS AND APPARATUS FACILITATING ACCESS TO STORAGE AMONG MULTIPLE COMPUTERS

CITRIX SYSTEMS, INC., Fo...

1. A method, embodied in a system in which a given computer and multiple other computers in a cluster share access to a set
of named resources, for granting access rights associated with the set of named resources, the method comprising:
maintaining current access rights associated with the given computer for the set of named resources, the set of named resources
including a first named resource, a second named resource, and a third named resource;

associating exclusive access rights to the first named resource for the given computer indicating that the multiple other
computers have no associated access rights to the first named resource;

associating no access rights to the second named resource for the given computer indicating that the given computer has no
knowledge about access associated with the multiple other computers for the second named resource;

associating shared access rights to the third named resource for the given computer indicating that none of the multiple other
computers has associated exclusive access rights to the third named resource;

maintaining respective sets of identifiers of neighbor computers in the cluster, the respective sets of identifiers forming
a respective tree associated with a respective resource, each node in the respective tree representing a computer in the cluster,
each computer in the tree having a pointer pointing to computers at a higher level towards a root computer of the tree;

maintaining each respective tree to include a root computer in the cluster with other computers having one of the computers
in their neighbors set as a leader neighbor for that tree, either pointing directly or indirectly to the root computer via
a chain composed of leader neighbors;

wherein a single computer in the cluster has exclusive access rights for a given shared resource while other computers in
the cluster have no access rights for the given shared resource;

maintaining the single computer having exclusive access to the given shared resource as a root computer of a respective tree
corresponding to the given shared resource, the root computer associated with no neighbor computers;

maintaining computers other than the single computer in the cluster as having no access rights to the given shared resource
in which each of such computers has only a single neighbor computer associated with the given shared resource, the single
neighbor computer being a respective leader computer towards the root computer;

maintaining a requesting computer having no access rights to the given shared resource to send a request for exclusive access
rights for the given shared resource to the respective leader computer associated with a tree of the given shared resource,
the request including identification of the requesting computer and a name of the given shared resource for which exclusive
access is being requested;

upon receiving the request for exclusive access rights by another computer in the cluster also having no current access rights
for the given shared resource as specified by the request, forwarding the request to a respective leader computer towards
a root computer having the exclusive access rights to the given shared resource;

upon receiving the request for exclusive access rights by the root computer currently having the exclusive access rights for
the given shared resource which name is specified in the request, changing access rights to no access rights for the receiving
root computer for the given shared resource, associating the computer requesting the exclusive access rights to be a leader
and only neighbor computer for the given shared resource and sending the requesting computer a lead message indicating that
the requesting computer is allowed to associate itself with exclusive access rights for the given shared resource, the message
including the name of the given shared resource; and

upon receiving the lead message associated with the given shared resource at the requesting computer in the cluster, assigning
the requesting computer with exclusive access rights for the given shared resource and associating an empty neighbors set
for the given shared resource at the requesting computer.

US Pat. No. 9,253,193

SYSTEMS AND METHODS FOR POLICY BASED TRIGGERING OF CLIENT-AUTHENTICATION AT DIRECTORY LEVEL GRANULARITY

CITRIX SYSTEMS, INC., Fo...

1. A method comprising:
(a) receiving, by a device intermediary to a client and a server, a first request from the client to access a protected resource
of the server;

(b) determining, by the device, that a predetermined portion of the first request matches a corresponding portion specified
by a policy, the policy applied responsive to the first request to access the protected resource and specifying an action
for the device to request an authentication certificate from the client responsive to the determination that the predetermined
portion of the first request matches the corresponding portion specified by the policy, wherein the predetermined portion
of the first request includes at least one of a uniform resource locator (URL) pattern, an identifier of one of a method or
function, a directory identifier, a client network identifier, a server network identifier, a network port, and a secure socket
layer (SSL) parameter; and

(c) transmitting, by the device responsive to the action specified by the policy and while queuing the first request, a second
request to the client for the authentication certificate.

US Pat. No. 9,367,947

REMOTE RENDERING OF THREE-DIMENSIONAL IMAGES USING VIRTUAL MACHINES

Citrix Systems, Inc., Fo...

1. A method for rendering draw commands generated by an application, the method comprising:
intercepting, by an agent executing on a first virtual machine, draw commands generated by an application on the first virtual
machine;

receiving, by the agent, a notification denying the agent access to a graphics processing unit, the notification identifying
a second virtual machine allocated with the graphics processing unit;

redirecting, by the agent, the intercepted draw commands to a rendering agent on the second virtual machine;
rendering, by the graphics processing unit, an image based on the redirected draw commands; and
forwarding, by the rendering agent on the second virtual machine, the rendered image from the graphics processing unit to
the agent executing on the first virtual machine.

US Pat. No. 9,355,223

PROVIDING A MANAGED BROWSER

Citrix Systems, Inc., Fo...

1. A method, comprising:
loading, by a first computing device, a managed browser, the managed browser being configured to provide at least one managed
mode in which one or more policies are applied to the managed browser, the one or more policies being configured to limit
at least one function of the managed browser;

establishing, by the first computing device, a connection to a second computing device to initiate a device cloud with the
second computing device, wherein establishing the connection to the second computing device comprises:

evaluating, by the first computing device, state information of the second computing device, the state information of the
second computing device comprising one or more of: device state information indicative of an operating system on the second
computing device or one or more applications on the second computing device, device state information indicative of one or
more network connections available to or used by the second computing device, or device state information indicative of a
location of the second computing device; and

determining, by the first computing device, based on the state information evaluated by the first computing device, to allow
the second computing device to participate in the device cloud; and

extending, by the first computing device, a session of the managed browser across the device cloud, wherein extending the
session of the managed browser comprises:

causing at least one other managed browser to be loaded on the second computing device; and
sharing session data with the at least one other managed browser on the second computing device,
wherein the device cloud is configured to dynamically link functionalities of the first computing device and the second computing
device, and

wherein the device cloud is configured to provide at least one function that is not supported by the first computing device,
the at least one function being supported by the second computing device.

US Pat. No. 9,331,991

AUTHENTICATING A CLIENT USING LINKED AUTHENTICATION CREDENTIALS

Citrix Systems, Inc., Fo...

1. A method of facilitating authenticating of a client device, the method comprising:
providing, to a client device in a first communication session, a first authentication credential;
providing, to the client device in a second communication session that is different from the first communication session,
a second authentication credential, the second authentication credential being linked to the first authentication credential,
wherein the second authentication credential includes a status indicator that indicates that the second authentication credential
is inactive, and wherein the second authentication credential, including the status indicator that indicates that the second
authentication credential is inactive, by itself, fails to authenticate the client device;

receiving the first authentication credential and the second authentication credential from the client device in a third communication
session that is different from the second communication session;

determining that the first authentication credential and the second authentication credential are linked; and
based on the determination that the first authentication credential and the second authentication credential are linked, enabling
the second authentication credential to be used as a mechanism in authenticating the client device, wherein enabling the second
authentication credential comprises setting the status indicator to indicate that the second authentication credential is
active, wherein the second authentication credential, once identified as enabled by setting the status indicator to indicate
that the second authentication credential is active, authenticates the client device without also presenting the first authentication
credential.

US Pat. No. 9,292,323

CONTEXT AWARE VIRTUAL DESKTOP

Citrix Systems, Inc., Fo...

1. A method, comprising:
receiving, at a host device comprising a hypervisor that provides a virtual machine to a computing device, location information
indicating a location of the computing device;

determining a subset of predefined context data based on the location of the computing device;
storing the subset of predefined context data;
transmitting, by the host device, the subset of predefined context data to the computing device;
receiving, at the host device, contextual information identified from context data captured using an input device of the computing
device, wherein the identifying of the contextual information comprises comparing the captured context data with the subset
of predefined context data;

generating content based on the contextual information;
generating composite screen display data configured to display a composite screen, comprising a virtual desktop screen and
the content, the virtual desktop screen comprising a user interface for an operating system of the virtual machine; and

transmitting, by the host device, the composite screen display data to the computing device.

US Pat. No. 9,208,104

CONTENT REPLACEMENT AND REFRESH POLICY IMPLEMENTATION FOR A CONTENT DISTRIBUTION NETWORK

Citrix Systems, Inc., Fo...

1. A non-transitory computer-readable medium storing instructions for managing content in a communication network, the communication
network having a core network and an access network with a cache, the access network comprising a base station for communicating
with an electronic user device, the medium storing instructions that, when executed by a processor at a location in the access
network between the base station and the core network, cause the processor to:
receive a cache management replacement policy comprising a plurality of content replacement rules, the plurality of content
replacement rules each defining a policy specifying when an object in the cache should be replaced;

classify the object into an object group based on an attribute of the object;
determine a first content replacement rule of the plurality of content replacement rules based on the classified object group
to apply to the object;

define a trigger condition in the cache management policy specifying when to apply the first content replacement rule, the
trigger condition being based on a property of the communication network;

monitor the property of the communication network;
evaluate the monitored property against a threshold amount of available bandwidth or a threshold message latency time;
detect, based on the evaluation, a satisfaction of the trigger condition; and
apply, responsive to the trigger condition being satisfied, the first content replacement rule and replace the object.

US Pat. No. 9,146,762

SPECIALIZED VIRTUAL MACHINE TO VIRTUALIZE HARDWARE RESOURCE FOR GUEST VIRTUAL MACHINES

Citrix Systems, Inc., Fo...

1. A computing system, comprising:
a graphics processing unit; and
main processing circuitry operative to execute a set of computer program instructions to form:
a hypervisor operative to virtualize hardware of the computing system;
a control virtual machine; and
a rendering virtual machine,
the control virtual machine being operative to manage the rendering virtual machine and a guest virtual machine, the guest
virtual machine including an application program generating graphics information,

the rendering virtual machine including a graphics driver native to the graphics processing unit and being assigned pass-through
access to the graphics processing unit by the control virtual machine, the rendering virtual machine being operative to (i)
receive the graphics information from the application program via an inter-virtual-machine communication channel, (ii) provide
the received graphics information to the graphics driver, and (iii) use the graphics driver to control operation of the graphics
processing unit to perform graphics rendering operations based on the graphics information.

US Pat. No. 9,418,132

SYSTEM FOR AN OPEN ARCHITECTURE DEPLOYMENT WITH CENTRALIZED SYNCHRONIZATION

CITRIX SYSTEMS, INC., Ft...

1. A method comprising:
logging into a session services module of an application server by a client device, wherein the session services module is
configured to manage the transfer of information between the application server and a plurality of mobile clients including
the client device; and

receiving, by the client device and over a wireless network, a software package selected by an administrative management service
module of the application server based on a client profile of the client device maintained by the application server,

wherein the software package is automatically pushed to the client device by the session services module in response to the
client device logging into the session services module.

US Pat. No. 9,413,814

SYSTEMS AND METHODS FOR PROVIDING QUALITY OF SERVICE VIA A FLOW CONTROLLED TUNNEL

CITRIX SYSTEMS, INC., Fo...

11. A system for providing via a client agent a quality of service of a plurality of applications, the system comprising:
a client computing device configured for:
executing an agent on a client, the agent configured to receive, responsive to an indication that data is available to be
read, data from each of a plurality of transport layer connections corresponding to each application of a plurality of applications
executing on the client in an order according to a priority assigned to each application; and

executing a tunneling application on the client, the tunneling application configured to receive, from the agent, a predetermined
amount of data received from each of the plurality of transport layer connections in the order according to the assigned priority,
the tunneling application configured to transmit, via a network, each of the predetermined amounts of data in the order according
to the assigned priority.

US Pat. No. 9,407,554

SYSTEMS AND METHODS FOR PROVIDING A MULTI-CORE ARCHITECTURE FOR AN ACCELERATION APPLIANCE

CITRIX SYSTEMS, INC., Fo...

1. A method for distributing flows of network traffic across cores of a device having multiple cores, the method comprising:
(a) receiving, by a flow distributor of a device having a plurality of cores deployed intermediary between a plurality of
clients and a server, a first packet distributed by a receive-side scaler of the device to a first core of the plurality of
cores;

(b) identifying, by the flow distributor, a first flow of network traffic from the plurality of different flows of network
traffic between a plurality of clients and a server to which the first packet belongs, based on tuple information of the first
packet; and

(c) redistributing, by the flow distributor, the first packet from the first core to a second core of the plurality of cores,
responsive to the identification of the first flow and a determination that the second core established a transport layer
connection between a client of the plurality of clients and the server for the first flow.

US Pat. No. 9,325,625

MOBILE BROADBAND PACKET SWITCHED TRAFFIC OPTIMIZATION

Citrix Systems, Inc., Fo...

1. A method for bypassing a radio network controller in transmitting data in a communication network, the method performed
in an electronic device in the communication network having an access network and a core network, the method comprising:
receiving, by the electronic device, data traveling from the core network;
intercepting, by the electronic device, the data before the data enters into the radio network controller in the access network,
wherein the data includes a first subset of the data and a second subset of the data;

selecting, by the electronic device, one of the first subset of the data and the second subset of the data;
processing, by the electronic device, the first subset of the data;
forwarding the processed first subset of the data to a base station in the access network; and
forwarding the second subset of the data to the base station via the radio network controller.

US Pat. No. 9,462,132

ONE-TAP CONFERENCE CALLING ON DEVICES

Citrix Systems, Inc., Fo...

1. A method comprising:
receiving, from a client device, a request to establish a mobile conference room, the request originating from a conferencing
application on the client device;

establishing the mobile conference room based on the request by assigning a phone number to the mobile conference room;
sending, to the client device, a message indicating that the mobile conference room has been established based on the request;
receiving, from the client device, data regarding one or more contacts to be added to the mobile conference room;
adding the one or more contacts to the mobile conference room based on the received data;
receiving, from the client device, an unscheduled request to initiate a conference call with a subset of contacts in the mobile
conference room, the subset of contacts selected from the contacts in the mobile conference room by the user of the client
device through a user interface of the client device;

in response to receiving the unscheduled request to initiate the conference call, concurrently calling each of the subset
of contacts in the mobile conference room;

determining which of the subset of contacts have answered the call; and
bridging the client device and all contacts that have answered the call on the conference call.

US Pat. No. 9,357,033

METHOD AND SYSTEM FOR DYNAMIC INTERLEAVING

Citrix Systems, Inc., Fo...

1. In a network environment having a client station coupled to a server via a first network, a method comprising:
establishing a persistent connection between the client station and the server over the first network, wherein the client
station is an end device in the communication of requests and responses and wherein one or more user agents operate in the
client station;

interleaving, at the client station, requests over the established persistent connection to the server, wherein the requests
collectively include control information indicating that content for at least one request has higher priority than content
for at least another request;

acquiring, at the server, content for the requests including the content for at least one request and the content for at least
another request; and

interleaving, at the server, responses including acquired content over the established persistent connection, wherein the
control information allows the server to control the ordering of responses associated with the content for at least one request
and the content for at least another request.

US Pat. No. 9,298,846

SYSTEMS AND METHODS FOR EFFICIENT XPATH PROCESSING

CITRIX SYSTEMS, INC., Fo...

1. A method for efficient Xpath matching of an Extensible Markup Language (XML) or JavaScript Object Notation (JSON) document,
the method comprising:
(a) identifying, by a device, an Xpath expression for processing values in a document comprising Extensible Markup Language
(XML) or JavaScript Object Notation (JSON), the document represented by a stack of nodes;

(b) traversing, by the device, the stack of nodes from top to bottom to match each step of a path expression of the Xpath
expression to a type and name of one or more nodes in the stack of nodes, the stack of nodes comprising the name of the node
and a flag indicating a matching step;

(c) storing, by the device, the flag with each node in the stack of nodes that matches a step of the path expression;
(d) responsive to encountering a leaf node, tracing, by the device, bottom to top from the leaf node through each of the flagged
nodes in the stack of nodes, and comparing each of the flagged nodes against a corresponding step of the path expression;
and

(e) determining, by the device responsive to the tracing through the flagged nodes, whether the path expression is matched
based on whether there are enough nodes in the stack of nodes to match a minimum number of steps remaining in the path expression
and each step in the path expression is matched to a corresponding flagged node.

US Pat. No. 9,075,970

SYSTEMS AND METHODS FOR SECURE HANDLING OF SECURE ATTENTION SEQUENCES

Citrix Systems, Inc., Fo...

1. A method for providing, by a trusted component, to a user of a desktop appliance, access to secure desktop functionality
provided by a remote machine, the method comprising:
executing, by a trusted computing base within an operating system executing on a desktop appliance, a user interaction component,
responsive to receiving a secure attention sequence from a user;

receiving, by the executed user interaction component, a request directed to the operating system for access to a local secure
desktop function that is one of:

a request to lock the desktop appliance;
a request to logoff from the desktop appliance;
a request to shut down the desktop appliance;
a request to change a password on the desktop appliance; and
a request to launch a Task Manager application on the desktop appliance;
transmitting, by the desktop appliance, to a broker service, the received request; and
providing, by a remote machine, to the desktop appliance, access to a remote secure desktop function in satisfaction of the
request for access to the local secure desktop function.

US Pat. No. 9,064,125

IMAGE ANALYSIS AND MANAGEMENT

Citrix Systems, Inc., Fo...

1. A method, comprising:
registering a mobile device with an enterprise resource or enterprise service provided by an enterprise;
installing an image manager on the mobile device;
executing the image manager on the mobile device;
selecting, by the image manager, a first image stored on the mobile device;
performing, by the image manager, image analysis on the first image to identify one or more text elements present in the first
image and one or more graphical elements present in the first image;

analyzing the one or more text elements and the one or more graphical elements to determine that at least one of the one or
more text elements or the one or more graphical elements includes sensitive or proprietary information;

determining, by the image manager, that the first image is a work product image based on the at least one of the one or more
text elements or the one or more graphical elements including sensitive or proprietary information;

responsive to determining that the first image is a work product image, the image manager storing a copy of the first image
to a work product image backup location and editing the first image to prevent unauthorized viewing of the first image on
the mobile device;

determining, by the image manager, that an enterprise action has occurred which indicates a user of the mobile device is no
longer employed by the enterprise; and

responsive to determining that the enterprise action has occurred, performing a deletion of work product images from the mobile
device, wherein performing the deletion includes deleting, by the image manager, the first image from the mobile device.

US Pat. No. 9,065,854

SYSTEMS AND METHODS FOR MANAGING A GUEST VIRTUAL MACHINE EXECUTING WITHIN A VIRTUALIZED ENVIRONMENT

CITRIX SYSTEMS, INC., Fo...

1. A method of managing a guest virtual machine executing within a virtualized environment, the method comprising:
establishing a daemon on a guest virtual machine executing within a virtualized environment, the daemon configured to communicate
with a management service virtual machine executing within the virtualized environment;

configuring a port of the guest virtual machine via which the management service virtual machine is to communicate with the
daemon;

creating a default security certificate,
wherein the security certificate enables communications via an application layer protocol;
receiving, by the daemon from the management service virtual machine via the application layer protocol, a request identifying
an action type of a plurality of predetermined action types;

identifying, by the daemon, from the received request, the action type of the plurality of predetermined action types; and
performing, by the daemon, an action corresponding to the identified action type.

US Pat. No. 9,363,328

SYSTEMS AND METHODS FOR CONTENT INJECTION

CITRIX SYSTEMS, INC., Fo...

1. A method comprising:
(a) identifying, by a policy engine of an intermediary, a policy to apply to a communication between a client and a server,
the policy identifying a plurality of variables for which a value is to be determined by the intermediary and included in
the communication;

(b) determining, by the intermediary, a first time of forwarding a first byte of the communication between the client and
the server forwarded by the intermediary and a second time of forwarding a last byte of the communication between the client
and the server forwarded by the intermediary;

(c) modifying, by the intermediary, the communication to include the first time as a first value for a first variable of the
plurality of variables and the second time as a second value for a second variable of the plurality of variables; and

(d) forwarding, by the intermediary, the modified communication.

US Pat. No. 9,286,094

HUMAN INTERFACE DEVICE VIRTUALIZATION USING PARAVIRTUAL USB SYSTEM

Citrix Systems, Inc., Fo...

1. A method, comprising:
detecting an input received at a human interface device;
notifying a control domain of the input;
determining, by the control domain, a guest domain for which the input is intended;
passing the input from the control domain to the guest domain by exposing, at the control domain, a separate virtualized version
of the human interface device using a paravirtual USB system for each guest domain instantiated on a same host device as the
guest domain;

recognizing, by an operating system of the determined guest domain, its corresponding virtualized version of the human interface
device as a HID-compliant device using a paravirtual USB driver installed on the determined guest domain; and

driving, by the operating system of the determined guest domain, the virtualized version of the human interface device as
the HID-compliant device using an operating system HID driver operative with HID-compliant devices.

US Pat. No. 9,210,534

LOCATION ASSISTANCE IN A MACHINE TO MACHINE INSTANT MESSAGING SYSTEM

Citrix Systems, Inc., Fo...

1. A cloud computing network messaging system for facilitating a location-based search for an Internet of Things (IoT) device,
the cloud computing network messaging system comprising:
one or more data processors;
a receiver;
a transmitter; and
a non-transitory computer-readable storage medium containing instructions which when executed on the one or more data processors,
cause the one or more processors to perform operations including:

receiving, using the receiver, a communication from a first IoT device, wherein the first IoT device is communicatively connected
with the cloud computing network messaging system using a first connection protocol, wherein the communication comprises a
location query and a function query, and wherein the communication is received using the first connection protocol;

providing a list of a plurality of IoT devices, wherein the plurality of IoT devices includes only IoT devices having both a location
matching the location query and a function matching the function query;

determining a second IoT device from the list of the plurality of IoT devices with which to communicate, the second IoT device
having a location and a function, wherein the location matches the location query and the function matches the function query,
and wherein the second IoT device is connectable using a second connection protocol;

transmitting, using the transmitter, information to the first IoT device, wherein the information is related to the second
IoT device, and wherein the information is transmitted using the first connection protocol;

receiving a transmission from the first IoT device for the second IoT device using the first connection protocol;
translating the transmission from the first connection protocol to the second connection protocol; and
transmitting the translated transmission to the second IoT device using the second connection protocol.

US Pat. No. 9,176,638

USER INTERFACE FOR LARGE SCALE SYSTEM MONITORING

Citrix Systems, Inc., Fo...

1. One or more non-transitory computer-readable media having instructions stored thereon that when executed by one or more
computers cause the one or more computers to:
identify one or more items of configuration information collected from a plurality of virtualized computing systems running
on a same physical machine, each virtualized computing system of the plurality of virtualized computing systems comprising
an operating system instance distinct from operating system instances of other virtualized computing systems of the plurality
of virtualized computing systems;

display a user interface comprising a data tree that summarizes, at a first level of granularity, the one or more items of
configuration information collected from the plurality of virtualized computing systems and comprises one or more differentiating
node icons that visually identify one or more groups of virtualized computing systems, of the plurality of virtualized computing
systems, identified based on their domain membership and association with a portion of the one or more items of configuration
information collected from the plurality of virtualized computing systems that comprises configuration information differing
from saved reference data for the one or more groups of virtualized computing systems; and

responsive to a user selection of a differentiating node icon, of the one or more differentiating node icons, corresponding
to a group of the one or more groups of virtualized computing systems, display, on the user interface, at a second level of
granularity, and for the group of the one or more groups of virtualized computing systems, a portion of the configuration
information differing from the saved reference data for the one or more groups of virtualized computing systems, wherein the
second level of granularity is more detailed than the first level of granularity.

US Pat. No. 9,137,321

PAIRING USERS WITH SOCIAL MEDIA COMMUNITIES

Citrix Systems, Inc., Fo...

1. A method of pairing a user to a social media community, comprising:
initiating a monitoring client to monitor user activity in an application;
detecting, by the monitoring client, a user action taken in the application;
determining, by a computing device, a first social media community corresponding to the detected user action, wherein the
first social media community is classified among a plurality of social media communities; and

pairing the user with the first social media community corresponding to the detected user action.

US Pat. No. 9,813,352

METHOD FOR PRIORITIZING NETWORK PACKETS AT HIGH BANDWIDTH SPEEDS

Citrix Systems, Inc., Fo...

1. An appliance having a memory and one or more processors, the appliance comprising:
a packet scheduler configured to:
assign received data packets or representation of data packets to one or more connection nodes of a classification tree having
a link node and first and second intermediary nodes associated with the link node via one or more semi-sorted queues, wherein
the one or more connection nodes correspond with the first intermediary node;

process the one or more connection nodes using a credit-based round robin queue; and
authorize the sending of the received data packets based on the processing.

US Pat. No. 9,497,281

SYSTEMS AND METHODS TO CACHE PACKET STEERING DECISIONS FOR A CLUSTER OF LOAD BALANCERS

CITRIX SYSTEMS, INC., Fo...

12. A system for caching packet steering information for steering data packets between intermediary devices of a cluster of
intermediary devices, comprising:
a cluster of intermediary devices including a plurality of intermediary devices, the cluster intermediary to a client and
a plurality of servers, a processor, coupled to memory, of a first intermediary device of the plurality of intermediary devices
configured to:

determine from a hash of a tuple of a data packet received by the first intermediary device, a second intermediary device
of the cluster of intermediary devices to which to steer the first data packet;

store, to a session that stores packet steering information used to steer data packets between the intermediary devices of
the cluster of intermediary devices, the identity of the second intermediary device and the tuple for which the hash was calculated;

receive a second data packet having a corresponding tuple that matches the tuple of the first data packet;
determine, based on a lookup for the session using the tuple of the second data packet, that the second intermediary device
is the intermediary device to which to steer the second data packet; and

steer the second data packet to the second intermediary device.
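
The steering flow claimed above (hash the tuple once, remember the chosen node in a session, serve later packets of the same flow from the session) as an added example in Python; this is illustrative code, not the patent's or Citrix's implementation. Assumptions not in the claim: the hash is a keyed BLAKE2b so a remote party cannot pick tuples that all collapse onto one node, the tuple is canonicalized so a flow and its reply packets land on the same node, and `close()` evicts finished flows so the session table is bounded.

```python
"""Hash-based packet steering with a per-flow session cache, modelling a
cluster node that records where each flow was steered. The hash is keyed so
that an outside party cannot craft tuples that all land on one node."""
import hashlib
from typing import NamedTuple


class FlowTuple(NamedTuple):
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: int


def canonical(ft: FlowTuple) -> FlowTuple:
    """Order the two endpoints so a flow and its reply map to the same node
    (an addition to the claim, which only keys on the tuple as received)."""
    if (ft.src_ip, ft.src_port) <= (ft.dst_ip, ft.dst_port):
        return ft
    return FlowTuple(ft.dst_ip, ft.dst_port, ft.src_ip, ft.src_port, ft.proto)


class SteeringCache:
    def __init__(self, node_ids, key: bytes):
        self.node_ids = list(node_ids)
        self.key = key                 # per-cluster secret, e.g. secrets.token_bytes(32)
        self.sessions = {}             # canonical tuple -> node id
        self.hash_calls = 0            # instrumentation for the demo only

    def _hash_node(self, ft: FlowTuple) -> str:
        self.hash_calls += 1
        data = f"{ft.src_ip}:{ft.src_port}>{ft.dst_ip}:{ft.dst_port}/{ft.proto}".encode()
        digest = hashlib.blake2b(data, key=self.key, digest_size=8).digest()
        return self.node_ids[int.from_bytes(digest, "big") % len(self.node_ids)]

    def steer(self, ft: FlowTuple) -> str:
        """Return the node to steer this packet to; hash only on a cache miss."""
        key = canonical(ft)
        node = self.sessions.get(key)
        if node is None:
            node = self._hash_node(key)
            self.sessions[key] = node
        return node

    def close(self, ft: FlowTuple) -> None:
        """Evict the entry when the flow ends, so the table cannot grow unbounded."""
        self.sessions.pop(canonical(ft), None)


if __name__ == "__main__":
    cache = SteeringCache(["node-0", "node-1", "node-2"], key=b"\x01" * 32)
    syn = FlowTuple("198.51.100.7", 40001, "203.0.113.10", 443, 6)
    print(cache.steer(syn), cache.steer(syn), cache.hash_calls)
```

The point of the cache is that the hash runs once per flow, not per packet; the point of the key is that steering cannot be predicted or skewed by an attacker who controls source addresses and ports.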

US Pat. No. 9,485,244

EXECUTING AN OPERATION OVER FILE REPOSITORIES LOCATED IN DIFFERENT AUTHENTICATION DOMAINS USING A REPRESENTATIONAL STATE TRANSFER (REST)-COMPLIANT CLIENT

Citrix Systems, Inc., Fo...

1. A method of executing an operation across different authentication domains, comprising:
receiving, by an initial server system located in an initial authentication domain, a requested operation transmitted in a
message from a client system, wherein the requested operation comprises a search operation including at least one search query;

in response to determining, by the initial server system, that the requested operation requires at least one resource located
in an authentication domain other than the initial authentication domain, creating, by the initial server system in a memory
of the initial server system, a redirections list indicating one or more other authentication domains to be contacted by the
client system in order to complete the requested operation;

transmitting the redirections list from the initial server system to the client system, the redirections list instructing
the client system to contact the other authentication domains indicated in the redirections list in order to complete the
requested operation;

receiving, by the client system, partial results from the other authentication domains, wherein each partial result received
from a respective one of the other authentication domains comprises at least one result obtained by applying the requested
operation to at least one resource contained in that authentication domain, and wherein each of the received partial results
from the other authentication domains comprises a list of documents stored in the other authentication domain that match the
search query;

aggregating, by the client system in response to the redirections list, the partial results received from the other authentication
domains into a single final result, and wherein the client system aggregates the partial results by combining the lists of
documents into a final list of documents that match the search query; and

displaying, by the client system, the final result to a user of the client system.

US Pat. No. 9,367,703

METHODS AND SYSTEMS FOR FORCING AN APPLICATION TO STORE DATA IN A SECURE STORAGE LOCATION

Citrix Systems, Inc., Fo...

1. A method for forcing an application to store data in a secure storage location, the method comprising:
identifying, by a policy engine executed by a first computing device, a first application executed by the first computing
device as a trusted application based on user credentials of a user;

directing, by a file system filter driver, responsive to the identification of the first application as the trusted application,
the first computing device to write a first set of data to a secure storage location;

intercepting, by the file system filter driver, a first request of the first application to read a file from an unsecure storage
location;

identifying, by the policy engine, a second application executed by the first computing device as a non-trusted application;
directing, by the file system filter driver, responsive to the identification of the second application as the non-trusted
application, the first computing device to write a second set of data to the unsecure storage location; and

providing, by the file system filter driver, responsive to the identification of the first application as the trusted application,
read-only access to the file to the first application.

US Pat. No. 9,268,477

PROVIDING CONTEXTUAL MENUS

Citrix Systems, Inc., Fo...

1. A method, comprising:
receiving, by a computing device, first user input;
determining, by the computing device, based on the first user input, that a first drag-and-drop operation has been completed,
the first drag-and-drop operation including a first item being dragged from a source palette to a target palette;

causing, by the computing device, a first contextual menu associated with the first item to be displayed in response to determining
that the first drag-and-drop operation has been completed by animating the first contextual menu as a first panel that slides
into view from at least one edge of a displayed user interface, the first contextual menu being a first configuration menu
for configuring a software package, and the first contextual menu comprising a first set of controls for modifying first settings
of the software package corresponding to the first item;

receiving, by the computing device, second user input;
determining, by the computing device, based on the second user input, that a second drag-and-drop operation has been completed,
the second drag-and-drop operation including a second item being dragged from the source palette to the target palette, the
second item being different from the first item; and

causing, by the computing device, a second contextual menu associated with the second item to be displayed in response to
determining that the second drag-and-drop operation has been completed by animating the second contextual menu as a second
panel that slides into view from the at least one edge of the displayed user interface, the second contextual menu being a
second configuration menu for configuring the software package different from the first configuration menu for configuring
the software package, and the second contextual menu comprising a second set of controls for modifying second settings of
the software package corresponding to the second item different from the first set of controls for modifying the first settings
of the software package corresponding to the first item.

US Pat. No. 9,241,062

METHODS AND SYSTEMS FOR USING EXTERNAL DISPLAY DEVICES WITH A MOBILE COMPUTING DEVICE

Citrix Systems, Inc., Fo...

1. A method of repurposing a mobile computing device as a virtual input device for a first resource being displayed on an
external display device comprising:
displaying, by a mobile computing device, on a display of the mobile computing device, output data for a first resource executing
on the mobile computing device;

determining, by the mobile computing device, that an external display device has been connected to the mobile computing device;
displaying, by the mobile computing device, on the external display device output data for the first resource executing on
the mobile device, responsive to the determination;

transmitting, by the mobile computing device to a server, data indicating input capabilities of the mobile computing device
and input requirements of the first resource;

receiving, by the mobile computing device from the server, a second resource executable by the mobile computing device to
repurpose the mobile computing device as a first virtual input device for the first resource, the second resource selected
by the server responsive to an identification by the server of the input capabilities of the mobile computing device and input
requirements of the first resource;

executing, by the mobile computing device, the second resource to repurpose the mobile computing device as the first virtual
input device for the first resource executing on the mobile device; and

delivering, by the server to the mobile computing device, a third resource that generates a second virtual input device in
conjunction with the first virtual input device of the second resource.

US Pat. No. 9,203,627

SYSTEMS AND METHODS FOR FLASH CROWD CONTROL AND BATCHING OCSP REQUESTS VIA ONLINE CERTIFICATE STATUS PROTOCOL

CITRIX SYSTEMS, INC., Fo...

1. A method comprising:
(a) receiving, by a device intermediary between a plurality of clients and one or more servers, while waiting a predetermined
time period, a plurality of client certificates of the plurality of clients for a plurality of Secure Socket Layer (SSL) handshakes,
each of the plurality of SSL handshakes between the device and a corresponding client of the plurality of clients, the plurality
of clients communicating with the one or more servers via the device;

(b) determining, by the device, that the received plurality of client certificates corresponds to a single certificate authority;
(c) transmitting, by the device responsive to expiration of the predetermined time period and to the determination that the
received plurality of client certificates corresponds to the single certificate authority, and while portions of each of the
plurality of SSL handshakes are outstanding, a single request for the plurality of SSL handshakes to an Online Certificate
Status Protocol (OCSP) responder to determine the status of each of the plurality of client certificates;

(d) identifying, by the device, the status of each of the plurality of client certificates from a response received from the
OCSP responder; and

(e) determining, by the device responsive to the status, whether to establish a SSL connection for each of the SSL handshakes
of the plurality of SSL handshakes.
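
The batching scheme in steps (a) through (e), as an added example in Python; it is not code from the patent or from Citrix's appliance. The OCSP request and responder are modelled (a `CertID` stand-in and a callable in place of DER encoding and HTTP), so the block shows the control logic only: handshakes are held for a window, pending certificates are grouped, and one request per issuing CA is sent. That per-issuer grouping generalizes the claim's single-CA case, which is noted here as an assumption; the other assumption is the fail-closed rule that a missing, unknown or revoked status rejects the handshake, as does a responder outage.

```python
"""Flash-crowd control for OCSP: hold client-certificate handshakes for a short
window and send one status request per issuing CA instead of one per handshake."""
from collections import defaultdict
from dataclasses import dataclass
import time


@dataclass(frozen=True)
class CertID:
    """Stand-in for an OCSP CertID (issuer name/key hash plus serial number)."""
    issuer: str
    serial: int


@dataclass(frozen=True)
class PendingHandshake:
    handshake_id: int
    cert: CertID


class OcspBatcher:
    """Collects handshakes for up to `window` seconds, then groups the pending
    client certificates by issuer and issues a single multi-CertID request per
    issuer. A handshake stays outstanding until its status is known."""

    def __init__(self, window, responder, now=time.monotonic):
        self.window = window
        self.responder = responder   # callable(issuer, serials) -> {serial: status}
        self.now = now
        self.pending = []
        self.window_start = None

    def add(self, handshake: PendingHandshake) -> None:
        """Called when a client certificate arrives during an SSL handshake."""
        if not self.pending:
            self.window_start = self.now()
        self.pending.append(handshake)

    def window_expired(self) -> bool:
        return (self.window_start is not None
                and self.now() - self.window_start >= self.window)

    def flush(self) -> dict:
        """Send one request per issuer and return {handshake_id: accept?}.
        Fail closed: only an explicit 'good' status lets a handshake proceed."""
        by_issuer = defaultdict(list)
        for hs in self.pending:
            by_issuer[hs.cert.issuer].append(hs)
        decisions = {}
        for issuer, group in by_issuer.items():
            serials = sorted({hs.cert.serial for hs in group})
            try:
                statuses = self.responder(issuer, serials)
            except Exception:          # responder down or unparseable reply
                statuses = {}
            for hs in group:
                decisions[hs.handshake_id] = statuses.get(hs.cert.serial) == "good"
        self.pending.clear()
        self.window_start = None
        return decisions


def demo():
    """Constructed sample: three handshakes from CA-A, one from CA-B, with a
    fake clock and a fake responder that records how many requests it saw."""
    calls = []

    def fake_responder(issuer, serials):
        calls.append((issuer, tuple(serials)))
        return {s: ("revoked" if s == 3 else "good") for s in serials}

    clock = [0.0]
    batcher = OcspBatcher(window=0.05, responder=fake_responder, now=lambda: clock[0])
    for hs_id, cert in [(1, CertID("CA-A", 1)), (2, CertID("CA-A", 2)),
                        (3, CertID("CA-A", 3)), (4, CertID("CA-B", 9))]:
        batcher.add(PendingHandshake(hs_id, cert))
    clock[0] = 0.1                                 # the window has elapsed
    decisions = batcher.flush() if batcher.window_expired() else {}
    return decisions, calls


if __name__ == "__main__":
    print(demo())
```

Four handshakes produce two responder round trips instead of four, and the revoked certificate is the only one rejected. In production the window must be short enough that held handshakes do not hit client timeouts, and the responder's signature and `thisUpdate`/`nextUpdate` freshness still have to be verified per single response, which the model omits.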

US Pat. No. 9,183,052

SYSTEMS AND METHODS FOR SPILLOVER IN A MULTI-CORE SYSTEM

CITRIX SYSTEMS, INC., Fo...

1. A method of allocating a number of uses of a resource across cores in a multi-core device based on a threshold, the method
comprising:
(a) identifying, by a pool manager of a device comprising a plurality of cores, a threshold for a number of uses of a resource
by the device;

(b) establishing, by the pool manager, an exclusive quota pool based on the threshold, the exclusive quota pool comprising
a predetermined exclusive number of uses of the resource for the device; and

(c) allocating, by the pool manager, to each core of the plurality of cores an exclusive number of uses of the resource from
the exclusive quota pool.

US Pat. No. 9,159,082

ACTIVE AND PASSIVE PERSONALIZATION TECHNIQUES

Citrix Systems, Inc., Fo...

1. A method comprising:
identifying, for a user and based on a first set of user activity, a set of long term interests associated with one or more
features of a feature set;

generating, by one or more computing devices, a first profile associated with the user based on the set of long term interests;
identifying, for the user and based on a second set of user activity, a set of short term interests associated with the one
or more features of the feature set; and

generating, by the one or more computing devices, a second profile associated with the user based on the set of short term interests.

US Pat. No. 9,148,493

APPARATUS, METHOD AND COMPUTER PROGRAM PRODUCT FOR EFFICIENTLY POOLING CONNECTIONS BETWEEN CLIENTS AND SERVERS

CITRIX SYSTEMS, INC., Fo...

1. A method comprising:
(a) establishing, by a device, a pool of one or more transport layer connections between the device and a server;
(b) forwarding, by the device, a first request of a first client to the server received via a first connection between the
first client and the device over a second transport layer connection from the pool of one or more transport layer connections
between the device and the server;

(c) determining, by the device while the device maintains open the transport layer connection of the pool of one or more transport
layer connections between the device and the server, that the second transport layer connection is available for forwarding
a second request of a second client via a third transport layer connection between the second client and the device to the
server based on the server completing communicating a response to the first request of the first client via the second transport
layer connection;

(d) forwarding, by the device responsive to the determination, the second request of the second client over the transport
layer connection to the server prior to receiving a close command from the first client via the first transport layer connection
between the first client and the device.

US Pat. No. 9,047,251

SYSTEMS AND METHODS FOR IMPLEMENTING CONNECTION MIRRORING IN A MULTI-CORE SYSTEM

CITRIX SYSTEMS, INC., Fo...

1. A method for providing failover connection mirroring between multi-core devices intermediary between a client and a server,
the method comprising:
(a) receiving, by a first multi-core device intermediary between a client and a server, a hash key of a second multi-core
device, the hash key used by the second multi-core device for determining which cores to distribute packets received by the
second multi-core device, the hash key different from a second hash key used by the first multi-core device for determining
which cores to distribute packets received by the first multi-core device;

(b) identifying, by the first multi-core device, a core of the second multi-core device using (i) the hash key of the second
multi-core device and (ii) tuple information corresponding to a connection between the client and the server via the first
multi-core device;

(c) determining, by the first multi-core device, that the identified core of the second multi-core device is not a target
core for providing a failover connection between the client and the server;

(d) modifying, by the first multi-core device, the tuple information so as to identify the target core when used with the
hash key of the second multi-core device; and

(e) using, by the first multi-core device, the modified tuple information in establishing the failover connection in the second
multi-core device.
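
Steps (b) through (d), computing the peer's core from its hash key and then adjusting the tuple until it lands on the target core, as an added example in Python. This is illustrative, not the patent's or Citrix's code, and the receive-side distribution function is an assumption (a keyed BLAKE2b of the 4-tuple modulo the core count; real devices use their own hardware or software hash). The field being varied, the source port, is likewise an assumption: it has to be one the primary device actually controls for the connection, or the mirrored state will not match the packets that arrive after failover.

```python
"""Choose connection tuple information that a peer device's receive-side hash
will map to a chosen core, for mirroring a connection onto that core."""
import hashlib
from typing import NamedTuple, Optional


class Tuple4(NamedTuple):
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def core_for(t: Tuple4, hash_key: bytes, n_cores: int) -> int:
    """Receive-side distribution as modelled here: keyed hash of the tuple
    modulo the core count. Each device has its own hash_key."""
    data = f"{t.src_ip}:{t.src_port}-{t.dst_ip}:{t.dst_port}".encode()
    digest = hashlib.blake2b(data, key=hash_key, digest_size=4).digest()
    return int.from_bytes(digest, "big") % n_cores


def fit_tuple_to_core(t: Tuple4, peer_key: bytes, n_cores: int,
                      target_core: int,
                      port_range=range(1024, 65536)) -> Optional[Tuple4]:
    """Return a tuple, differing from t only in source port, that the peer's
    key maps to target_core. t itself is returned if it already fits; None
    if no port in port_range works (the caller must then fall back)."""
    if core_for(t, peer_key, n_cores) == target_core:
        return t
    for port in port_range:
        candidate = t._replace(src_port=port)
        if core_for(candidate, peer_key, n_cores) == target_core:
            return candidate
    return None


if __name__ == "__main__":
    primary_key, peer_key = b"\xaa" * 16, b"\xbb" * 16
    conn = Tuple4("10.0.0.5", 50000, "10.0.1.9", 8443)
    target = core_for(conn, primary_key, 8)     # mirror onto the same core index
    print(core_for(conn, peer_key, 8), target,
          fit_tuple_to_core(conn, peer_key, 8, target))
```

With eight cores roughly one candidate port in eight fits, so the search ends after a handful of hashes; the `None` branch matters when the port range is narrowed by policy and no candidate is left.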

US Pat. No. 9,602,465

SYSTEMS AND METHODS FOR CARRIER GRADE NAT OPTIMIZATION

Citrix Systems, Inc., Fo...

1. A method of maintaining network address translation (NAT) session management on a multi-core system, comprising:
inserting, by a first core of a multi-core device intermediary between a plurality of clients and a plurality of servers,
for a session established between a client of the plurality of clients and a server of the plurality of servers, a network
address translation (NAT) session into a local outbound session table stored in a memory of the first core;

determining, by the first core, that a second core of the multi-core device will serve as a receiving core for a response
to the request from the server to the client;

inserting, by the first core, the NAT session into a global session table responsive to determining that the second core will
serve as the receiving core;

identifying, by the second core of the multi-core device, that the NAT session is not included in a local inbound session
table stored in a memory of the second core;

identifying the NAT session in the global session table; and
inserting, by the second core, the NAT session in the local inbound session table stored on the memory of the second core.

US Pat. No. 9,529,996

CONTROLLING MOBILE DEVICE ACCESS TO ENTERPRISE RESOURCES

Citrix Systems, Inc., Fo...

1. A system comprising:
one or more processors; and
non-transitory computer-readable media storing executable instructions that, when executed by the one or more processors,
cause the system to:

receive, from an enterprise agent installed on a mobile device, mobile device property information that includes information
regarding an application installed on the mobile device;

store the mobile device property information that includes the information regarding the application installed on the mobile
device;

store user information regarding a user of the mobile device, the user information including information specifying a role
of the user in an enterprise;

store at least one enterprise access policy for controlling access to a particular enterprise resource of the enterprise,
the at least one enterprise access policy being based on the application installed on the mobile device and the information
specifying the role of the user in the enterprise;

receive a request from the application installed on the mobile device to access the particular enterprise resource;
inspect a payload of the request from the application installed on the mobile device to access the particular enterprise resource;
and

determine whether to grant or deny access to the particular enterprise resource by the application installed on the mobile
device, in response to the request, based on the mobile device property information that includes the information regarding
the application installed on the mobile device, the user information including the information specifying the role of the
user in the enterprise, and the at least one enterprise access policy.
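
The decision described in the system claim, combining agent-reported device properties, the user's role, a per-resource policy and an inspection of the request payload, as an added example in Python. It is not the patent's or Citrix's implementation; the policy fields (required managed app and minimum version, allowed roles, allowed actions), the jailbreak flag and the JSON payload shape are assumptions chosen for illustration. The engine is deny-by-default and returns the reason with each decision so the gateway can log it.

```python
"""Deny-by-default access decision combining device property information
(installed app and version), the user's enterprise role and a per-resource
policy; the request payload is inspected before a decision is made."""
import json
from dataclasses import dataclass


@dataclass
class DeviceInfo:                 # property information reported by the agent
    device_id: str
    apps: dict                    # app id -> installed version string
    jailbroken: bool = False


@dataclass
class UserInfo:
    user_id: str
    role: str


@dataclass
class AccessPolicy:
    resource: str
    required_app: str
    min_app_version: tuple
    allowed_roles: frozenset
    allowed_actions: frozenset = frozenset({"read"})


def parse_version(v: str) -> tuple:
    return tuple(int(part) for part in v.split("."))


def inspect_payload(raw: bytes) -> dict:
    """Accept only a small JSON object carrying a string 'action'."""
    if len(raw) > 4096:
        raise ValueError("payload too large")
    body = json.loads(raw.decode("utf-8"))
    if not isinstance(body, dict) or not isinstance(body.get("action"), str):
        raise ValueError("malformed payload")
    return body


def decide(device: DeviceInfo, user: UserInfo, policies: dict,
           resource: str, app_id: str, raw_payload: bytes) -> tuple:
    """Return (granted, reason). Every check that fails denies; nothing grants
    unless every check passes."""
    policy = policies.get(resource)
    if policy is None:
        return False, "no policy for resource"
    if device.jailbroken:
        return False, "device not compliant"
    if app_id != policy.required_app or app_id not in device.apps:
        return False, "request not from the required managed app"
    if parse_version(device.apps[app_id]) < policy.min_app_version:
        return False, "app version below policy minimum"
    if user.role not in policy.allowed_roles:
        return False, "role not permitted"
    try:
        body = inspect_payload(raw_payload)
    except ValueError as exc:
        return False, f"payload rejected: {exc}"
    if body["action"] not in policy.allowed_actions:
        return False, "action not permitted for resource"
    return True, "ok"


# Constructed sample data for a stand-alone run.
POLICIES = {
    "hr-records": AccessPolicy("hr-records", "com.example.hr", (2, 1),
                               frozenset({"hr-manager"}),
                               frozenset({"read", "update"})),
}

if __name__ == "__main__":
    dev = DeviceInfo("d1", {"com.example.hr": "2.3.0"})
    print(decide(dev, UserInfo("u1", "hr-manager"), POLICIES,
                 "hr-records", "com.example.hr", b'{"action":"read"}'))
```

Note that the app identity here is whatever the agent reports; binding it to something the device cannot forge (a signed app attestation, a per-app tunnel certificate) is what makes the "based on the application installed" condition meaningful.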

US Pat. No. 9,519,518

SYSTEMS AND METHODS FOR DEPLOYING A SPOTTED VIRTUAL SERVER IN A CLUSTER SYSTEM

CITRIX SYSTEMS, INC., Fo...

1. A method for deploying a virtual server on a subset of devices in a cluster of devices, the method comprising:
(a) identifying, by a first device of a cluster of devices intermediary between at least one client and at least one server,
a first virtual server to establish on one or more devices of the cluster;

(b) associating, by the first device to the identified virtual server, a group comprising a subset of devices in the cluster
of devices; and

(c) establishing the first virtual server on each device in the group responsive to associating the group to the first virtual
server, each virtual server on each device of the group assigned a same internet protocol address.

US Pat. No. 9,268,588

OPTIMIZING VIRTUAL MACHINE MIGRATION VIA IDENTIFICATION AND TREATMENT OF VIRTUAL MEMORY SWAP FILE

Citrix Systems, Inc., Fo...

1. A method comprising:
hosting, by a first set of resources of a virtualization computing platform, a virtual machine;
identifying a second set of resources of the virtualization computing platform for hosting the virtual machine, the second
set of resources comprising resources distinct from the first set of resources and to which the virtual machine is to be migrated;

copying at least a portion of a plurality of files associated with the virtual machine from the first set of resources to
the second set of resources;

identifying, from amongst the plurality of files, a virtual memory swap file;
receiving, from the virtual machine, a first message and a second message, the first message being received before the second
message and indicating that the virtual memory swap file is currently being utilized, and the second message indicating that
the virtual memory swap file is no longer being utilized;

based on the first message, copying one or more files, of the plurality of files, other than the virtual memory swap file,
from the first set of resources to the second set of resources; and

failing to copy the virtual memory swap file from the first set of resources to the second set of resources until the second
message is received.

US Pat. No. 9,231,815

SYSTEMS AND METHODS FOR SCRIPT INJECTION

Citrix Systems, Inc., Fo...

1. A method of measuring parameters associated with loading a web page, the method comprising:
intercepting, by a network appliance, a first request from a first computing device for a web page in a first network domain;
transmitting, by the network appliance, a second request for the web page to a web server;
receiving, by the network appliance, a first response to the second request transmitted from the web server, the first response
including at least a portion of the requested web page and not including a first script;

determining, by the network appliance responsive to receiving the first response from the web server, whether an injection
is required based on an inspection of the contents of the first response;

creating, by the network appliance, responsive to determining that the injection is required, a modified response comprising
the first script comprising instructions that, when executed by the computing device, transmits information, responsive to
a notification of an occurrence of a web page event, to a performance monitoring server in a second network domain different
than the first network domain; and

transmitting, from the network appliance, the modified response to the first computing device in response to the intercepted
first request;

transmitting, by the computing device, information of the web page event and a third request to download web content data
to the performance monitoring server in the second network domain different than the first network domain, wherein the performance
monitoring server is different than the network appliance that injected the script;

waiting, by the computing device, a period of time to receive the web content data, the performance monitoring server caching
the web content data and closing the connection to the computing device after receiving the third request; and

aborting, by the computing device, the web content data download when the web content data is not received within the period
of time.
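
The appliance side of the claim above, inspecting the server's response and injecting the monitoring script only when injection is required, as an added example in Python; it is not the patent's or Citrix's code, and the client-side beacon, wait and abort steps are out of its scope. The monitoring origin, the script tag and the header names are assumptions. Two checks beyond the claim are included because an intermediary that skips them breaks pages: compressed bodies are left alone rather than corrupted, and a response whose Content-Security-Policy would block the second-domain script is not modified.

```python
"""Intermediary-side script injection: decide from the response whether to
inject, and do it only once, only into HTML, immediately before </body>."""
import re

MONITOR_ORIGIN = "https://rum.monitoring.example"        # constructed second domain
BEACON_SCRIPT = (f'<script src="{MONITOR_ORIGIN}/beacon.js" '
                 f'data-timeout-ms="3000"></script>').encode()

_BODY_CLOSE = re.compile(rb"</body\s*>", re.IGNORECASE)


def needs_injection(headers: dict, body: bytes) -> bool:
    """Inspect the response: HTML, uncompressed, CSP-compatible, not already
    carrying the script, and with a </body> to anchor on."""
    ctype = headers.get("content-type", "").lower()
    if not ctype.startswith("text/html"):
        return False
    if headers.get("content-encoding", "identity").lower() != "identity":
        return False                   # would have to decompress first
    csp = headers.get("content-security-policy", "")
    if "script-src" in csp and MONITOR_ORIGIN not in csp:
        return False                   # browser would block the injected script
    return BEACON_SCRIPT not in body and _BODY_CLOSE.search(body) is not None


def inject(headers: dict, body: bytes):
    """Return (headers, body); modified only when needs_injection says so.
    Content-Length is recomputed and validators dropped because the body changed."""
    if not needs_injection(headers, body):
        return headers, body
    new_body = _BODY_CLOSE.sub(lambda m: BEACON_SCRIPT + m.group(0), body, count=1)
    new_headers = dict(headers)
    new_headers["content-length"] = str(len(new_body))
    new_headers.pop("etag", None)
    return new_headers, new_body


if __name__ == "__main__":
    page = b"<html><body><p>hello</p></body></html>"
    print(inject({"content-type": "text/html; charset=utf-8"}, page))
```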

US Pat. No. 9,137,262

PROVIDING SECURE MOBILE DEVICE ACCESS TO ENTERPRISE RESOURCES USING APPLICATION TUNNELS

Citrix Systems, Inc., Fo...

1. A non-transitory computer-readable medium having stored thereon an agent component that is configured to be installed on
a mobile device of a user to provide secure access over a network to an enterprise resource of an enterprise system, the agent
component comprising executable code that implements a process that comprises:
intercepting, by the agent component installed on the mobile device, a hypertext transfer protocol (HTTP) request generated
by an application installed on the mobile device;

modifying the HTTP request by replacing a hostname of the HTTP request with a hostname of the enterprise resource;
encapsulating, by the agent component installed on the mobile device, a representation of the modified HTTP request according
to a tunneling protocol; and

sending, by the agent component installed on the mobile device, the encapsulated representation of the HTTP request from the
mobile device over a network to a tunnel mediator that is configured to extract and forward the representation of the HTTP
request to a corresponding enterprise resource, wherein the agent component is configured to send the encapsulated representation
of the HTTP request using a tunnel definition that is specific to the application installed on the mobile device.

US Pat. No. 9,124,668

MULTIMEDIA REDIRECTION IN A VIRTUALIZED ENVIRONMENT USING A PROXY SERVER

Citrix Systems, Inc., Fo...

1. A method comprising:
receiving from a user computing device a request to instantiate an application in a virtualized environment at a virtualization
server;

receiving from the user computing device a location of web content stored on a resource server;
transmitting, by a proxy server, a request to the resource server for the web content stored on the resource server;
receiving, by the proxy server, the web content from the resource server;
modifying, by the proxy server, the web content using predetermined scripting code stored in a computer memory, wherein the
predetermined scripting code is configured to override at least one method in the received web content;

transmitting, by the proxy server, the modified web content to the instantiated application in the virtualized environment
on the virtualization server for execution by the instantiated application, wherein the instantiated application comprises
an operational sandbox within which the application confines execution of scripting code;

in response to the instantiated application on the virtualization server executing any one of the at least one overridden
method, receiving, by the proxy server, from the instantiated application, information associated with the executed one of
the at least one overridden method;

receiving, by a media player remotely located from the user computing device, redirected multimedia content and the received
information associated with the executed one of the at least one overridden method; and

transmitting, in accordance with a remote presentation protocol, the redirected multimedia content and the received information
associated with the executed one of the at least one overridden method for rendering at the user computing device.

US Pat. No. 9,392,077

COORDINATING A COMPUTING ACTIVITY ACROSS APPLICATIONS AND DEVICES HAVING MULTIPLE OPERATION MODES IN AN ORCHESTRATION FRAMEWORK FOR CONNECTED DEVICES

Citrix Systems, Inc., Fo...

1. A method comprising:
interconnecting a plurality of computing devices through an orchestration framework configured to distribute functionality
of an application residing at a first computing device of the plurality of computing devices across one or more computing
devices of the plurality of computing devices;

receiving, at the orchestration framework from the first computing device, a request to perform, at a second computing device
of the plurality of computing devices, at least a portion of a computing activity initiated at the application residing at
the first computing device;

determining, by the orchestration framework, whether the second computing device is permitted to perform the portion of the
computing activity based, at least in part, on a comparison of a first operation mode of the first computing device to a second
operation mode of the second computing device;

instructing, by the orchestration framework, the second computing device to perform the portion of the computing activity
responsive to a determination that the second computing device is permitted to perform the portion of the computing activity;
and

wherein the first operation mode and the second operation mode are one of a plurality of operation modes that include a managed
operation mode wherein interaction with operation system services, other applications, and remote computing resources are
subject to a management policy and an unmanaged operation mode wherein interaction with operation system services, other applications,
and remote computing resources are not subject to the management policy.

US Pat. No. 9,369,368

SYSTEMS AND METHODS FOR CAPTURING AND CONSOLIDATING PACKET TRACING IN A CLUSTER SYSTEM

CITRIX SYSTEMS, INC., Fo...

1. A system for consolidating packet trace messages of a cluster of intermediary devices, the system comprising:
a cluster of intermediary devices interconnected by a communication back plane, each of the intermediary devices comprising
one or more network interfaces for communications via a network,

a plurality of packet processors each configured to process network packets received at one or more of the network interfaces
and write messages to a respective trace buffer, the messages comprising information to trace the network packets and source
information identifying the respective packet processor and a sequence number, and

at least one trace aggregator configured to gather the messages into a device log and a first intermediary device of the cluster
further configured to collect the respective device logs into an aggregated device log for the cluster.

US Pat. No. 9,361,141

SYSTEMS AND METHODS FOR CONTROLLING, BY A HYPERVISOR, ACCESS TO PHYSICAL RESOURCES

Citrix Systems, Inc., Fo...

1. A method for controlling access to a physical resource, the method comprising:
identifying, by a monitoring agent for a hypervisor, a status of a physical disk utilized by a virtual disk;
selecting, by the monitoring agent, an action based on the identified status, the action selected from a plurality of predefined
actions for controlling access to the physical disk, wherein the selected action allows for continued access to the physical
disk by the virtual disk and wherein the selected action includes reducing active usage of the virtual disk by a virtual machine
by one of: rate-limiting execution of the virtual machine or pausing execution of a process executed by the virtual machine;
and

performing, by the hypervisor, the selected action to limit access by the virtual disk of the physical disk.

US Pat. No. 9,231,983

METHODS AND SYSTEMS FOR PROVIDING TRUSTED SIGNALING OF DOMAIN-SPECIFIC SECURITY POLICIES

CITRIX SYSTEMS, INC., Fo...

1. A method of regulating the use of a network-based on-line presentation application, comprising:
storing domain specific administrator policies in a security gateway located in a local domain, wherein the domain specific
administrator policies define rights and capabilities of client on-line presentation software when the client on-line presentation
software is downloaded from a remote application server computer located outside the local domain and executed on any of a
plurality of client computers located in the local domain;

intercepting, by the security gateway, a secure connection request transmitted from a copy of the client on-line presentation
software executing on a local client computer to the remote server computer, wherein the local client computer is one of the
plurality of client computers located in the local domain, the client on-line presentation software executing on the local
client computer providing an online presentation to a user of the local client computer, and wherein the client on-line presentation
software executing on the local client computer was downloaded from the remote application server computer onto the local
client computer;

generating, by the security gateway, a replacement certificate, at least in part by copying the domain specific administrator
policies into application specific extensions of the replacement certificate; and

transmitting, by the security gateway to the local client computer, the replacement certificate, the domain specific administrator
policies stored in the application specific extensions of the replacement certificate limiting actions performed by the client
on-line presentation software executing on the local client computer in providing the on-line presentation to the user of
the local client computer.

US Pat. No. 9,225,806

SYSTEMS AND METHODS FOR GENERATING IPID ACROSS A CLUSTER NETWORK

CITRIX SYSTEMS, INC., Fo...

1. A method of generating Internet Protocol (IP) identifiers across a cluster of intermediary devices, the method comprising:
(a) establishing for a cluster of intermediary devices, a range of internet protocol (IP) identifiers (IPIDs) to be allocated
among each intermediary device in the cluster, the range of IPIDs comprising values to be identified in an IP identifier (IPID)
field in an IP layer of packets transmitted from the cluster;

(b) allocating to each intermediary device a subrange of IPIDs in the range of IPIDs;
(c) generating, by a first intermediary device of the cluster, an IPID within the subrange of IPIDs allocated to the first
intermediary device; and

(d) transmitting, by the first intermediary device, the packet having the IPID field in the IP layer of the packet set to
the IPID, the IPID field in the IP layer used for reassembly of fragmented packets.

US Pat. No. 9,055,100

SYSTEMS AND METHODS FOR HTTP-BODY DOS ATTACK PREVENTION WITH ADAPTIVE TIMEOUT

CITRIX SYSTEMS, INC., Fo...

1. A method for changing an application layer transaction timeout to prevent Denial of Service (DOS) attacks, the method comprising:
(a) receiving, by a device intermediary to a client and a server, via a transport layer connection between the device and
the client, a packet of an application layer transaction, the transport layer connection having a maximum segment size;

(b) incrementing, by the device, an attack counter for the transport layer connection by a first predetermined amount responsive
to a size of the packet being less than a predetermined fraction of the maximum segment size for the transport layer connection,
the device decrementing the attack counter by a predetermined decrement for each packet that has a size greater than the predetermined
fraction of the maximum segment size;

(c) incrementing, by the device, the attack counter for the transport layer connection by a second predetermined amount responsive
to an inter-packet-delay between the packet and a previous packet being more than a predetermined multiplier of a round trip
time; and

(d) changing, by the device, a timeout for the application layer transaction responsive to comparing the attack counter to
a predetermined threshold.

US Pat. No. 9,948,657

PROVIDING AN ENTERPRISE APPLICATION STORE

Citrix Systems, Inc., Fo...

1. A method comprising:
receiving, at an application store provided by a computing device, a single sign-on (SSO) credential that includes data enabling access to the application store and one or more other enterprise resources;
determining, at the application store, whether the SSO credential is valid;
based on determining that the SSO credential is valid, providing, by the application store, an enterprise application store interface;
receiving, by the application store, via the enterprise application store interface, a request for a software application;
configuring the software application at the application store based on the SSO credential, the software application being configured as a stub application that corresponds to a virtualized application;
storing, by the application store, data indicating that the stub application was configured based on the SSO credential, the stored data enabling a virtualization platform associated with the virtualized application to authenticate a user of the stub application when the stub application is launched; and
providing, by the application store, the configured software application to at least one recipient device associated with the SSO credential.

US Pat. No. 9,400,833

GENERATING ELECTRONIC SUMMARIES OF ONLINE MEETINGS

Citrix Systems, Inc., Fo...

1. A method of organizing content of online meetings, the method comprising:
collecting first content presented during a first online meeting;
generating an electronic summary of the first online meeting, the electronic summary providing a textual description of the
first content of the first online meeting based on textual metadata derived from the first online meeting; and

storing the electronic summary and the first content of the first online meeting in a repository, the repository also storing
second content of a second online meeting;

wherein the first content includes a set of slides presented during the first online meeting, each slide of the set of slides
including a title; and

wherein generating the electronic summary includes:
for each slide, identifying the title of that slide from the textual metadata derived from the first online meeting, and
storing the titles in a title array within the electronic summary, the textual description of the content being derived from
the titles in the title array;

wherein each title in the title array contains a set of words;
wherein the repository also stores a list of uncommon words; and
wherein generating the electronic summary further includes:
removing titles from the title array that do not contain any words contained in the list of uncommon words.

US Pat. No. 9,294,549

CLIENT BANDWIDTH EMULATION IN HOSTED SERVICES

CITRIX SYSTEMS, INC., Fo...

1. A method comprising:
hooking an application programming interface (API) on a session host in a virtualization system;
determining a client bandwidth of a session client connected to the session host;
when the API is called by a first application executing on the session host:
intercepting the API call based on the hook;
throttling a bandwidth of the API based on the determined client bandwidth and maintaining a bandwidth of another API associated
with a different application on the session host; and

returning data to the first application based on the throttled bandwidth of the API; and
determining, by the first application, an available bandwidth based on analyzing the data returned by the API.

US Pat. No. 9,294,381

SYSTEMS AND METHODS FOR TRAP MONITORING IN MULTI-CORE AND CLUSTER SYSTEMS

CITRIX SYSTEMS, INC., Fo...

1. A method for distributing Simple Network Management Protocol (SNMP) trap monitoring in a multi-core device, the method
comprising:
(a) establishing, by a first core of a plurality of cores of a device comprising the plurality of cores, a threshold for a
value of an entity to be monitored by the plurality of cores of the device via a Simple Network Management Protocol (SNMP);

(b) monitoring, by each core of the plurality of cores, the value of the entity in comparison to a portion of the threshold,
each core assigned a corresponding portion of the threshold;

(c) determining, by a second core of the plurality of the cores, that the value of the entity as monitored by that core has
reached the second core's corresponding portion of the threshold; and

(d) communicating, by the second core to the first core, an indicator of an SNMP trap condition responsive to the determination.

US Pat. No. 9,282,286

PARTICIPATING IN AN ONLINE MEETING WHILE DRIVING

Citrix Systems, Inc., Fo...

1. A method of participating in an online meeting, comprising:
receiving, by processing circuitry of a vehicle, a join instruction to join the online meeting;
performing, by the processing circuitry of the vehicle, a communications exchange with a remote online meeting server in response
to the join instruction, the communications exchange establishing an online meeting session with the remote online meeting
server to join the processing circuitry of the vehicle to the online meeting; and

after the online meeting session is established, outputting, by the processing circuitry of the vehicle, video of the online
meeting on a display screen which is integrated with the vehicle;

wherein outputting the video of the online meeting on the display screen includes:
receiving a motion signal indicating whether the vehicle is in motion,
displaying first video of the online meeting on the display screen when the motion signal indicates that the vehicle is in
motion, and

displaying second video of the online meeting on the display screen when the motion signal indicates that the vehicle is not
in motion, the second video being different than the first video.

US Pat. No. 9,178,805

SYSTEMS AND METHODS FOR POLICY BASED ROUTING FOR MULTIPLE NEXT HOPS

CITRIX SYSTEMS, INC., Fo...

1. A method for policy based routing of a plurality of next hops, the method comprising:
(a) matching, by a device intermediary to a plurality of devices and a plurality of next hops, one or more characteristics
of a packet to one or more parameters of a policy, the policy specifying whether or not a routing action to a next hop of
the plurality of next hops is allowed or denied and an enumerated list of next hops;

(b) determining, by the device responsive to the matching, that the routing action is allowed and that one or more next hops
in the enumerated list of next hops is up;

(c) selecting, by the device responsive to a load balancing decision among the next hops in the enumerated list of next hops,
a next hop from the enumerated list of next hops identified by the policy; and

(d) routing, by the device, the packet to the selected next hop.

US Pat. No. 9,088,501

SYSTEMS AND METHODS FOR LEAST CONNECTION LOAD BALANCING BY MULTI-CORE DEVICE

CITRIX SYSTEMS, INC., Fo...

1. A method for load balancing a plurality of connections to a plurality of services across a plurality of packet engines
of a multi-core device, the method comprising:
(a) establishing a number of sub-slots in each slot of each of a plurality of packet engines executing on a device intermediary
between a plurality of clients and a plurality of services, the number of sub-slots corresponding to a number of the packet
engines executing on the device, each of the packet engines executing on a respective core from a plurality of cores on the
device, each slot of each packet engine for tracking a different number of active connections allocated to a service accessible
via the corresponding packet engine;

(b) assigning, by the device, a first service and a second service each having no active connections, to each of the packet
engines in a first slot corresponding to no active connections, the first service and the second service assigned to different
sub-slots of the first slot in adjacent packet engines, the first service and the second service configured to be allocated
with active connections for load balancing by the device; and

(c) updating, by the device responsive to allocation of a first active connection to the first service, the first service
from a sub-slot in the first slot of a first packet engine of the plurality of packet engines, to a corresponding sub-slot
in a second slot of the first packet engine, the second slot corresponding to one active connection allocated to the first
service via the load balancing.

US Pat. No. 9,563,459

CREATING MULTIPLE DIAGNOSTIC VIRTUAL MACHINES TO MONITOR ALLOCATED RESOURCES OF A CLUSTER OF HYPERVISORS

Citrix Systems, Inc., Fo...

1. A method comprising:
creating a diagnostic virtual machine configured to monitor a cluster of hypervisors and have access to physical resources,
of an infrastructure as a service cloud, associated with a virtual machine hosted by the cluster of hypervisors;

reporting, by the diagnostic virtual machine and to a resource management service of the infrastructure as a service cloud,
one or more performance metrics related to the physical resources;

determining, by the resource management service and based on the one or more performance metrics, that additional physical
resources of the infrastructure as a service cloud should be allocated to the cluster of hypervisors;

triggering, by the resource management service, allocation of the additional physical resources to the cluster of hypervisors;
and

triggering, by the resource management service, creation of a new diagnostic virtual machine, the new diagnostic virtual machine
having access to the additional physical resources.

US Pat. No. 9,507,615

METHODS AND SYSTEMS FOR ALLOCATING A USB DEVICE TO A TRUSTED VIRTUAL MACHINE OR A NON-TRUSTED VIRTUAL MACHINE

Citrix Systems, Inc., Fo...

1. A method for allocating at least one universal serial bus (USB) device to one of a trusted virtual machine and a non-trusted
virtual machine, in a computing device executing a hypervisor hosting the trusted virtual machine and the non-trusted virtual
machine, the method comprising:
establishing, by a control program executed by a processor of the computing device, a trust level of a virtual machine responsive
to a user providing authentication credentials;

receiving, by the control program, data indicating a USB port on the computing device received a first USB device;
identifying, by the control program, at least one attribute of the first USB device;
selecting, by the control program, a first security policy based on the at least one attribute of the first USB device;
applying, by the control program, the first security policy to the at least one attribute of the first USB device to determine
a security level of the first USB device;

granting, by the control program to the trusted virtual machine, access to the first USB device based on the security level
of the first USB device;

preventing, by the control program to the non-trusted virtual machine, access to the first USB device based on the security
level of the first USB device; and

selecting, by the control program, based on (i) the at least one attribute of the first USB device and (ii) the security level
of the first USB device, the trusted virtual machine among a plurality of virtual machines executing on the computing device.

US Pat. No. 9,406,099

METHODS AND SYSTEMS FOR MAINTAINING STATE IN A VIRTUAL MACHINE WHEN DISCONNECTED FROM GRAPHICS HARDWARE

Citrix Systems, Inc., Fo...

1. In a computing device executing a hypervisor hosting a plurality of virtual machines, a method for maintaining state in
one or more of the plurality of virtual machines when disconnected from graphics hardware, comprising:
storing, by a control virtual machine hosted by the hypervisor executing on the computing device, state information of a graphics
processing unit (GPU) of the computing device, the GPU configured to render an image from a first virtual machine of the plurality
of virtual machines;

determining, by the control virtual machine, that a second virtual machine of the plurality of virtual machines requests access
to the GPU;

redirecting, by the control virtual machine, access to the GPU from the first virtual machine to the second virtual machine;
and

rendering, by a GPU emulation program executed on the control virtual machine, the image for the first virtual machine using
at least a portion of the state information to provide continuity in graphics processing for the first virtual machine.

US Pat. No. 9,215,225

MOBILE DEVICE LOCKING WITH CONTEXT

Citrix Systems, Inc., Fo...

1. A method comprising:
receiving a user name to log onto a mobile device;
determining a context for the mobile device based on one or more operational parameters of the mobile device;
determining, based on the context and the user name, that the mobile device is to operate in a springboard lock mode;
selecting, based on the context and the user name, one or more applications to present to a user in the springboard lock mode,
wherein in the springboard lock mode, the mobile device displays a springboard user interface that presents and enables the
user to access only the selected one or more applications, and wherein the user name is associated with one of a plurality
of roles such that a first group of applications is selected for presentation when the user name is associated with a first
role and a second group of applications is selected for presentation when the user name is associated with a second role;
and

running the mobile device in the springboard lock mode.

US Pat. No. 9,203,883

SYSTEMS AND METHODS FOR A CLIENT-SIDE REMOTE PRESENTATION OF A MULTIMEDIA STREAM

Citrix Systems, Inc., Fo...

1. A method for displaying on a local computing device, by an application executing on a remote computing device, multimedia
data generated by a multimedia device connected to the local computing device, the remote computing device in communication
with the local computing device via a virtual channel, the method comprising:
constructing a packet, by a local remoting application executing on a local computing device, wherein the local computing
device not executing an instance of a presentation application configured for display of multimedia data generated by a multimedia
device, to include raw multimedia data from a multimedia device interface in a protocol wrapper, the raw multimedia data generated
by the multimedia device associated with the local computing device and comprising input to the presentation application;

streaming, by the local computing device, the packet to a remote computing device via a virtual channel, the remote computing
device executing the instance of the presentation application to process the raw multimedia data as locally generated raw
multimedia data to generate formatted multimedia data for forwarding to the local computing device;

receiving, from the remote computing device, the formatted multimedia data generated by the instance of the presentation application,
the received formatted multimedia data including a first stream of multimedia data generated from the raw multimedia data;
and

receiving, from a second instance of the presentation application, a second stream of multimedia data.

US Pat. No. 9,172,650

SYSTEMS AND METHODS FOR SERVER SURGE PROTECTION IN A MULTI-CORE SYSTEM

CITRIX SYSTEMS, INC., Fo...

1. A method for providing connection surge protection to a server by a device having multiple cores, the method comprising:
receiving, by a first packet processing engine of a plurality of packet processing engines executing on a corresponding plurality
of cores of a device, a first request from a client to connect to a server;

determining, by the first packet processing engine, that a global number of requests received by the plurality of packet processing
engines to connect to the server has reached a connection rate limit;

retrieving, by the first packet processing engine, the global number of requests to connect the server from the value of a
global counter, the global counter comprising a sum of local counters of received requests maintained by each packet processing
engine of the plurality of packet processing engines; and

delaying, by the device responsive to the determination, processing of the first request to connect to the server for a predetermined
time based on a number of packet processing engines.

US Pat. No. 9,075,969

SYSTEMS AND METHODS FOR SECURE HANDLING OF SECURE ATTENTION SEQUENCES

Citrix Systems, Inc., Fo...

1. A method for authenticating, by a trusted component, a user of a desktop appliance to a remote machine, the method comprising:
receiving, by a desktop appliance, a secure attention sequence from a user, wherein the secure attention sequence is one of:
a first key combination of a control key, an alt key, and a delete key, a second key combination including a menu key, or
a third key combination including an operating system specific meta key;

invoking, responsive to receiving the secure attention sequence from the user, execution by the desktop appliance of a user
interaction component, wherein the desktop appliance passes control over display and input focus to the user interaction component;

receiving, by the invoked user interaction component, via the control passed, authentication credentials associated with the
user;

receiving, by the user interaction component executed by the desktop appliance, a request for access to a hosted resource
executing remotely from the desktop appliance, the hosted resource presented to the user as a resource executing locally to
the desktop appliance;

transmitting, by the desktop appliance, to a broker service, the received authentication credentials;
authenticating, by the broker service, the user, responsive to the received authentication credentials;
transmitting, by the broker service, to a remote machine, authentication data associated with the received authentication
credentials;

authenticating, by the remote machine, the user, responsive to the received authentication data; and
providing, by the remote machine, to the desktop appliance, access to the hosted resource.

US Pat. No. 9,065,866

SYSTEMS AND METHODS FOR POLICY BASED INTEGRATION TO HORIZONTALLY DEPLOYED WAN OPTIMIZATION APPLIANCES

CITRIX SYSTEMS, INC., Fo...

1. A method for redirecting client requests, by an intermediary device, to a horizontally deployed Wide Area Network (WAN)
optimization device providing service to the client request, the method comprising:
(a) receiving via a first transport layer connection, by an intermediary device deployed between a plurality of clients and
one or more servers, a first request from a first client of the plurality of clients to access a first server of the one or
more servers, the first request modified by a first Wide Area Network (WAN) optimization device deployed between the client
and the intermediary device to include information in a first option field of a transport layer header of the first request
for processing by a second WAN optimization device;

(b) determining, by a virtual server executing on the intermediary device and managing services on the one or more servers
on a second network path, responsive to a redirection policy, to send the first request to the second WAN optimization device
instead of the server, the second WAN optimization device deployed horizontally to the intermediary device, the horizontally
deployed second WAN optimization device communicating with the intermediary device via a first network path that is different
from and not a part of a second network path over which network traffic between the plurality of clients and one or more servers
traverses the intermediary device;

(c) establishing, by the intermediary device, a second transport layer connection with the second WAN optimization device;
and

(d) transmitting, by the intermediary device, the first request to the second WAN optimization device via the second transport
layer connection on the first network path.

US Pat. No. 9,396,042

METHODS AND SYSTEMS FOR EVALUATING HISTORICAL METRICS IN SELECTING A PHYSICAL HOST FOR EXECUTION OF A VIRTUAL MACHINE

Citrix Systems, Inc., Fo...

1. A method comprising:
retrieving a first plurality of metrics for each of a plurality of physical hosts available for executing a virtual machine,
the first plurality of metrics including at least a first metric identifying a level of usage for each of the plurality of
physical hosts as of a first predetermined time period;

retrieving a second plurality of metrics associated with the virtual machine, the second plurality of metrics including at
least one metric identifying a level of usage exerted on a physical host by the virtual machine as of a second predetermined
time period;

assigning a first power score to each of the plurality of physical hosts responsive to the retrieved first and second pluralities
of metrics, wherein each first power score is based on the first plurality of metrics and the second plurality of metrics
associated with a respective physical host of the plurality of physical hosts;

identifying a particular physical host of the plurality of physical hosts having a highest first power score of the plurality
of first power scores, wherein the assigning the plurality of first power scores assigned to the plurality of physical hosts
other than the particular physical host is specified in proportion to the highest first power score;

determining a second power score, for each of the plurality of physical hosts, based at least in part on a metric identifying
an anticipated level of usage exerted on each of the plurality of physical hosts by the virtual machine as of a third predetermined
time period, wherein the metric is from one of the first plurality of metrics or the second plurality of metrics;

identifying a first physical host of the plurality of physical hosts on which to execute the virtual machine, wherein the
second power score of said first physical host satisfies at least one predetermined criteria;

responding to the identification of the first physical host on which to execute the virtual machine by:
i. adjusting processor performance states for one or more of the plurality of physical hosts; and
ii. adjusting processor operating states for one or more of the plurality of physical hosts.

US Pat. No. 9,396,330

SYSTEMS AND METHODS FOR REDUCING DENIAL OF SERVICE ATTACKS AGAINST DYNAMICALLY GENERATED NEXT SECURE RECORDS

CITRIX SYSTEMS, INC., Fo...

1. A method for reducing denial of service (DoS) attacks against dynamically generated next secure (NSEC) records, comprising:
receiving, by a domain name system (DNS) proxy executed by a first computing device, a first user datagram protocol (UDP)
request from a client for a DNS resource record maintained by a server executed by a second computing device;

transmitting, by the DNS proxy to the server, a second request for the DNS resource record;
receiving, by the DNS proxy from the server, a response to the second request indicating a name error or that no corresponding
resource record exists;

generating, by the DNS proxy, a default response comprising a predetermined truncated response with a truncation bit set and
with a fictitious resource record;

transmitting, by the DNS proxy to the client, responsive to receiving the response to the second request indicating the name
error or that no corresponding resource record exists, a second response, generated by the DNS proxy, to the first request
different from the response received from the server, the second response comprising the default response generated by the
DNS proxy;

storing, by the DNS proxy, to a cache, the default response;
receiving, by the DNS proxy, a second UDP request for the same DNS resource record from one of the client or a second client; and

responding, by the DNS proxy, to the second UDP request with the default response stored in the cache.

US Pat. No. 9,374,337

SYSTEMS AND METHODS FOR SUPPORTING IP OWNERSHIP IN A CLUSTER

CITRIX SYSTEMS, INC., Fo...

1. A method for using the same internet protocol (IP) address on each intermediary device in a cluster of intermediary devices,
the method comprising:
(a) establishing the same internet protocol (IP) address on each intermediary device in a cluster of intermediary devices,
each intermediary device intermediary to one or more clients and one or more servers;

(b) allocating to each intermediary device in the cluster a unique set of ports from a same range of ports across the cluster
based on at least a hash that is applied to network traffic sent to the cluster;

(c) establishing, by a first intermediary device of the cluster, a first transport layer connection with the same IP address
as a first source IP address and, as a first source port, a first port from the unique set of ports allocated to the first
intermediary device;

(d) establishing, by a second intermediary device of the cluster, a second transport layer connection with the same IP address
as a second source IP address and, as a second source port, a second port from the unique set of ports allocated to the second
intermediary device;

(e) receiving, by the first intermediary device, a response to a connection sourced by the second intermediary device, the
response identifying a tuple including the same IP address and the second source port;

(f) determining, by the first intermediary device, that the second intermediary device is an owner of the connection based
on a hash of the tuple of the response; and

(g) forwarding, by the first intermediary device, the response to the second intermediary device.

US Pat. No. 9,258,290

SECURE ADMINISTRATION OF VIRTUAL MACHINES

Citrix Systems, Inc., Fo...

1. A method comprising:
receiving a first request from an unverified entity to instantiate a first instance of a virtual machine, said first request
defining a first set of one or more resources to be made available by a virtual machine server device to the first instance
of the virtual machine, said first request including first security information;

validating the first request by verifying the unverified entity using the first security information;
accessing an authorization database, said authorization database identifying one or more resources, based on the verified
entity, that the first instance of the virtual machine is authorized to use on the virtual machine server device, said authorization
database defining one or more affinity-based restrictions for a multitenancy environment of the virtual machine server device;

based on the one or more resources and the one or more affinity-based restrictions identified by the authorization database,
determining a subset of the first set of one or more resources that exists on the virtual machine server device and is available
to be provided by the virtual machine server device to the first instance of the virtual machine; and

responsive to validating the first request:
instantiating the first instance of the virtual machine with access to the subset of the first set of one or more resources.

US Pat. No. 9,602,474

CONTROLLING MOBILE DEVICE ACCESS TO SECURE DATA

Citrix Systems, Inc., Fo...

1. A method, comprising:
receiving, by a mobile device via an access gateway, policy information that defines a management framework for executing
a managed application of the mobile device; and

as part of a process that configures the mobile device such that the managed application is able to be executed in accordance
with the management framework:

configuring, based on at least one first setting of the policy information, a private secure container, which is to be private
to the managed application, such that a first type of read or write operation from the managed application is to be redirected
to the private secure container;

configuring, based on at least one second setting of the policy information, a shared secure container, which is to be accessible
by the managed application and at least one other managed application of the mobile device, such that a second type of read
or write operation from the managed application is to be redirected to the shared secure container;

determining that legacy data, which is associated with an application of the mobile device that was executed not in accordance
with the management framework, is to be configured for the managed application;

responsive to determining that the legacy data is to be configured for the managed application, encrypting the legacy data,
resulting in encrypted legacy data;

storing a first set of the encrypted legacy data in the private secure container; and
storing a second set of the encrypted legacy data in the shared secure container.

US Pat. No. 9,571,599

MULTIMEDIA REDIRECTION IN A VIRTUALIZED ENVIRONMENT USING A PROXY SERVER

Citrix Systems, Inc., Fo...

1. A proxy server communicatively coupled with a content server and an instantiated application in a virtualized environment
on a virtualization server, the proxy server comprising:
a computer processor; a computer memory storing computer-executable instructions that, when executed by the computer processor,
cause the proxy server to:

send a request for web content to the content server; override at least one element in the web content received from the content
server; and inject scripting code stored in the computer memory of the proxy server into the received web content, wherein
the stored scripting code is configured to cause the instantiated application to send information associated with the at least
one overridden element to the proxy server, wherein the information comprises at least a location of multimedia content; and
a media player receiving at least the location of the received web content and transmitting at least multimedia content using
a remote presentation protocol to a client agent application at a user computing device, wherein the virtualization server
hosts at least the instantiated application in the virtualized environment, wherein the instantiated application comprises
an operational sandbox within which the instantiated application confines execution of the stored scripting code injected
into the received web content.

US Pat. No. 9,401,906

METHOD AND APPARATUS FOR PROVIDING AUTHORIZED REMOTE ACCESS TO APPLICATION SESSIONS

Citrix Systems, Inc., Fo...

1. A method of providing authorized remote access to an application session, comprising:
requesting, by a first client node, access to a resource via a first communications channel, the first communications channel
between a first device and a session server;

transmitting, by a policy engine, to the first client node, a collection agent;
gathering, by the collection agent, information about the first client node responsive to requesting access to the resource
via the first communications channel;

making, by the policy engine, an access control decision based on the information about the first client node for access to
the resource via the first communications channel;

identifying, by the policy engine, the application session in response to the information;
requesting, by a second client node, a connection between the second client node and the application session via a second
communications channel, the second communications channel between a second device and the session server;

determining, by the session server, an active connection of the application session to the first client node; and
in response to both the connection request by the second client node to connect to the application session and determining
the active connection:

disconnecting, by the session server, the application session from the first client node;
continuing, by the session server, the application session;
establishing, by the session server, a connection between the second client node and the application session via the second
communications channel; and

restricting, by the session server and during the connection of the second client node and the application session, a re-connection
between the first client node and the application session to prevent the first client node from connecting to the application
session.

US Pat. No. 9,386,120

SINGLE SIGN-ON ACCESS IN AN ORCHESTRATION FRAMEWORK FOR CONNECTED DEVICES

Citrix Systems, Inc., Fo...

1. A method comprising:
interconnecting a plurality of computing devices through an orchestration framework that coordinates operation of a computing
activity across multiple computing devices of the plurality of computing devices;

identifying a single sign-on (SSO) credential that a first computing device of the plurality of computing devices uses to
access a file server;

providing the SSO credential to a second computing device of the plurality of computing devices to enable the second computing
device to access the file server using the SSO credential;

accessing the file server from the first computing device using the SSO credential;
sending content stored at the first computing device to the file server for storage; and
notifying the second computing device that the content is available from the file server.

US Pat. No. 9,294,378

SYSTEMS AND METHODS FOR QUALITY OF SERVICE OF ENCRYPTED NETWORK TRAFFIC

CITRIX SYSTEMS, INC., Fo...

1. A method for providing classification of encrypted network traffic, the method comprising:
(a) including, by a first classifier of a device, a first application identifier with an encrypted packet from classification
of the encrypted packet by modifying, by the first classifier, the encrypted packet to include the first application identifier;

(b) identifying, by a second classifier of the device, a second application identifier from classification of decrypted content
of the encrypted packet;

(c) determining, by the second classifier, that the second application identifier identifies a higher layer protocol than
the first application identifier or identifies an application group that is a subset of an application group identified by
the first application identifier; and

(d) replacing, by the second classifier responsive to the determination, the first application identifier with the second
application identifier as an application identifier for classification of the encrypted packet.

US Pat. No. 9,264,429

SYSTEMS AND METHODS FOR USING END POINT AUDITING IN CONNECTION WITH TRAFFIC MANAGEMENT

CITRIX SYSTEMS, INC., Fo...

1. A method comprising:
a) determining, by a first virtual server of an intermediary device external to a client device and a target server, a result
of an end point scan of the client device initiated by the first virtual server responsive to an access request from the client
device to the target server, the first virtual server configured to perform authentication of client device to allow access
to the target server;

b) establishing, by the first virtual server, an authentication session upon authentication of the client device;
c) receiving, by a second virtual server of the intermediary device different from the first virtual server, a request from
the client that identifies the authentication session, wherein the second virtual server is configured to manage traffic of
the client device; and

d) using, by the second virtual server, information from the authentication session to make a decision on controlling traffic
of a connection of the client device based on one or more traffic management policies.

US Pat. No. 9,537,958

METHODS AND SYSTEMS FOR ENABLING FEATURES PROVIDED BY A FIRST PRESENTATION LAYER PROTOCOL IN A SESSION IMPLEMENTED ACCORDING TO A SECOND PRESENTATION LAYER PROTOCOL

Citrix Systems, Inc., Fo...

1. A method for enabling a feature provided by a first presentation layer protocol, within a session established according
to a second presentation layer protocol, the method comprising:
forwarding, by an operating system executing on a first machine, a query to a metrics acquisition interface to identify that
the first machine established a session with a second machine according to a first presentation layer protocol;

receiving, by the operating system, an indication that the first machine established a session with the second machine according
to a second presentation layer protocol;

identifying, based on a type of function that generated the query, that the first machine established the session with the
second machine according to the first presentation layer protocol; and

enabling, by the operating system responsive to identifying that the first machine established the session according to the
first presentation layer protocol, the type of function provided via the second presentation layer protocol provided for use
on the first machine in the session established according to the first presentation layer protocol.

US Pat. No. 9,509,692

SECURED ACCESS TO RESOURCES USING A PROXY

Citrix Systems, Inc., Fo...

1. A method comprising:
during an authentication session between a proxy device and a resource management device to authenticate the proxy device
with the resource management device, generating, by the proxy device, a request for a client device to provide a signature,
wherein the request for the client device to provide the signature comprises context information identifying authentication
information previously exchanged between the proxy device and the resource management device during the authentication session
between the proxy device and the resource management device to authenticate the proxy device or authentication information
to be sent by the proxy device to the resource management device during the authentication session between the proxy device
and the resource management device to authenticate the proxy device;

receiving, at the proxy device and from the client device, the signature; and
sending, from the proxy device to the resource management device, the signature.

US Pat. No. 9,467,346

INTERPRETING A GESTURE-BASED INSTRUCTION TO SELECTIVELY DISPLAY A FRAME OF AN APPLICATION USER INTERFACE ON A MOBILE COMPUTING DEVICE

Citrix Systems, Inc., Fo...

1. A method of selectively displaying a frame of an application user interface on a mobile computing device, the method comprising:
receiving, by a client agent of a mobile computing device, an application user interface from an application executing remotely
on a server;

storing, by the client agent, the application user interface to an extended virtual screen buffer maintained by the mobile
computing device;

identifying, by the client agent, a plurality of distinct frames of the application user interface, the plurality of distinct
frames including at least:

a first frame grouping one or more first features of the application user interface, and
a second frame grouping one or more second features of the application user interface;
displaying, by the client agent, on a native display of the mobile computing device, the first frame of the plurality of frames
of the application user interface;

interpreting, by the client agent, an input as a request to view a frame adjacent to the first frame; and
displaying, by the client agent, the second frame on the native display of the mobile computing device.

US Pat. No. 9,269,072

SYSTEMS, METHODS, AND DEVICES FOR FACILITATING NAVIGATION OF PREVIOUSLY PRESENTED SCREEN DATA IN AN ONGOING ONLINE MEETING

Citrix Systems, Inc., Fo...

1. A method for facilitating navigation of previously presented screen data in an ongoing online meeting, the method comprising:
storing screen data representing a previously presented portion of an ongoing online meeting;
capturing, in response to a trigger event, a screenshot of the screen data for the ongoing online meeting;
causing the display, on a viewer computing device while the ongoing online meeting is still ongoing, of an image thumbnail
generated from the screenshot, the image thumbnail facilitating navigation, on the viewer computing device, of the previously
presented portion of the ongoing online meeting;

receiving, at the viewer computing device while the ongoing online meeting is still ongoing, a selection of the image thumbnail; and

causing the display, in response to the selection of the image thumbnail, on the viewer computing device, simultaneously and
while the ongoing online meeting is still ongoing, first screen data corresponding to a currently presented portion of the
ongoing online meeting and second screen data corresponding to the screenshot, wherein the first screen data is presented
picture-in-picture inside the second screen data or the second screen data is presented picture-in-picture inside the first
screen data;

wherein the trigger event comprises a size of an accumulative bounding box encapsulating changes to the stored screen data
increasing past a threshold.

US Pat. No. 9,210,100

SYSTEMS AND METHODS FOR ESTABLISHING A CLOUD BRIDGE BETWEEN VIRTUAL STORAGE RESOURCES

Citrix Systems, Inc., Fo...

1. A method for establishing a cloud bridge between a first virtual storage resource and a second virtual storage resource
for transmitting data from one of the first virtual storage resource and the second virtual storage resource to another of
the first virtual storage resource and the second virtual storage resource, the method comprising:
invoking, by a storage delivery management service, a storage adapter for a first virtual storage resource, the storage adapter
associated with a user credential, wherein the storage delivery management service is executing on a computer within the first
virtual storage resource and the first virtual storage resource is provisioned on at least one storage system comprising one
or more hardware devices;

enumerating, by the storage delivery management service, a list of virtual storage resources associated with the user credential,
wherein the list includes a second virtual storage resource provisioned on at least one storage system comprising one or more
hardware devices;

executing, via an interface for the storage adapter, an instruction to identify the second virtual storage resource in the
enumerated list, the interface comprising an interface translation file mapping each of a plurality of proprietary vendor-specific
formats for representing properties and descriptive data of respective vendor's storage resources to a standardized format
for representing properties and descriptive data of storage resources; and

establishing, by the storage delivery management service, a cloud bridge between the first virtual storage resource and the
second virtual storage resource using management information stored in a proprietary vendor-specific format for the second
virtual storage resource, the management information translated to the standardized format by the storage adapter using the
interface translation file.

US Pat. No. 9,191,425

SYSTEMS AND METHODS FOR REMOTELY PRESENTING A MULTIMEDIA STREAM

Citrix Systems, Inc., Fo...

1. A system for displaying on a local computing device, by an application executing on a remote computing device, raw multimedia
data generated by a multimedia device connected to the local computing device, the remote computing device in communication
with the local computing device via a virtual channel, the system comprising:
a local computing device;
a multimedia device communicating with the local computing device, the multimedia device generating raw multimedia data;
a remote computing device hosting the execution of a proxy streaming module to receive raw multimedia data passed by the local
computing device to the proxy streaming module via a virtual channel and to forward the raw multimedia data to a presentation
application executing on the remote computing device;

wherein the presentation application generates formatted multimedia application output from the raw multimedia data and the
remoting application intercepts the generated formatted multimedia application output generated from the raw multimedia data
prior to the display of the formatted multimedia application output by the remote computing device, encapsulates the intercepted
formatted multimedia application output generated from the raw multimedia data in a presentation level protocol, and transmits
the formatted multimedia application output generated from the raw multimedia data to the local computing device, wherein
the local computing device receives and unencapsulates the encapsulated formatted multimedia application output generated
from the raw multimedia data and displays the formatted multimedia application output generated from the raw multimedia data
in an application output window of the local computing device.

US Pat. No. 9,069,438

ALLOCATING VIRTUAL MACHINES ACCORDING TO USER-SPECIFIC VIRTUAL MACHINE METRICS

Citrix Systems, Inc., Fo...

1. A method of allocating a virtual machine via a computer network, comprising:
receiving, by a first computing device having a processor configured with a virtual desktop infrastructure, a request from
a second computing device for a virtual machine corresponding to a user session having a user identifier;

determining, by a virtual machine manager configured on the first computing device, a categorization for the user identifier
based on virtual machine performance metrics that quantify a load placed by a historical virtual machine on a device executing
the historical virtual machine during a historical user session associated with the user identifier;

allocating, by the virtual machine manager, the virtual machine for the user identifier based on the categorization;
responsive to allocating the virtual machine, providing, by the virtual machine manager, a notification of the virtual machine
to a performance monitoring system configured on the first computing device; and

transmitting, by the first computing device, the virtual machine to the second computing device for use during the user session.

US Pat. No. 9,813,346

SYSTEMS AND METHODS FOR ALLOCATION OF CLASSES OF SERVICE TO NETWORK CONNECTIONS CORRESPONDING TO VIRTUAL CHANNELS

Citrix Systems, Inc., Fo...

1. A system for allocating a different quality of service to each network connection in a plurality of network connections,
where each network connection corresponds to one or more virtual channels, the system comprising:
a first computing device; and
a second computing device in communication with the first computing device via a remote-display protocol session, the remote-display
protocol session comprising a plurality of virtual channels, each servicing at least a portion of network traffic of the remote-display
protocol session,

a plurality of transport layer network connections comprising a network connection between the first computing device and
the second computing device, a first transport layer network connection carrying a first virtual channel and assigned a first
quality of service, the first virtual channel configured to transmit remote display protocol data via the first transport
layer network connection responsive to the first quality of service and one of an application type and a user of the data,
and a second transport layer network connection carrying a second virtual channel and assigned a second quality of service,
the second quality of service different from the first quality of service; and

a flow controller to control data transfer rates on the plurality of transport layer network connections, wherein the flow
controller executes operations to:

receive a data packet transmitted by the first computing device to the second computing device;
copy the data packet for retransmission by the flow controller;
forward the received data packet to the second computing device;
generate an acknowledgement packet in response to receiving the forwarded data packet;
transmit the acknowledgement packet to the first computing device, to cause one or more resources associated with the first
computing device to become available for subsequent processing of one or more data packets;

monitor one or more data packet acknowledgements generated by the second computing device in response to receipt of the forwarded
data packet; and

retransmit the forwarded data packet to the first computing device in response to non-receipt of the one or more data packet
acknowledgements from the second computing device within a temporal window of time.

US Pat. No. 9,270,781

ASSOCIATING VIRTUAL MACHINES ON A SERVER COMPUTER WITH PARTICULAR USERS ON AN EXCLUSIVE BASIS

Citrix Systems, Inc., Fo...

1. A non-transitory computer-accessible storage medium storing program instructions executable to implement:
associating a first virtual machine with a first user on an exclusive basis, wherein the first virtual machine is one of a
plurality of virtual machines in a server computer system, wherein said associating comprises storing information indicating
that users other than the first user cannot use the first virtual machine, wherein the plurality of virtual machines comprises
a pool of active but unconnected virtual machines, wherein the size of the pool is at least one, and wherein the maximum pool
size is N;

receiving a first request from a client device of the first user to connect to the server computer system, wherein the first
request identifies the first user;

in response to the first request:
accessing the stored information and determining that the first virtual machine is associated with the first user on the exclusive
basis; and

in response to determining that the first virtual machine is associated with the first user on the exclusive basis:
selecting the first virtual machine from the plurality of virtual machines for assignment to the first user; and
establishing a communication session between the client device and the first virtual machine in order to enable the first
user to use the first virtual machine;

terminating the communication session between the client device and the first virtual machine, including disconnecting the
client device from the server computer system;

maintaining the first virtual machine in an active but unconnected state, thereby keeping the virtual machine ready for reconnecting
to the client device of the first user in response to a subsequent request from the client device, wherein during said maintaining,
no other users are allowed to utilize the first virtual machine, wherein said maintaining increments the pool size; and

hibernating one or more active but disconnected virtual machines in response to determining that the pool size is greater
than N.

US Pat. No. 9,160,768

SYSTEMS AND METHODS FOR MANAGING APPLICATION SECURITY PROFILES

Citrix Systems, Inc., Fo...

1. A method for executing by an application firewall an application security profile for a type of network traffic, the method
comprising:
(a) identifying, by an application firewall executing on a device intermediary to a plurality of clients and one or more servers,
an application security profile specifying a type of network traffic the firewall profile applies to and one or more application
firewall security checks selected from a plurality of application firewall security checks to apply to the type of network
traffic;

(b) identifying, by the application firewall, a firewall policy that specifies the application security profile from a plurality
of application security profiles instead of an action to take as a result of evaluating a rule of the firewall policy;

(c) applying, by the application firewall, the firewall policy to a packet received by the device corresponding to the type
of network traffic; and

(d) processing, by the application firewall responsive to evaluation of the rule of the firewall policy, the one or more application
firewall security checks of the application security profile to the packet.

US Pat. No. 9,152,436

GESTURE SUPPORT FOR SHARED SESSIONS

CITRIX SYSTEMS, INC., Fo...

1. A method for providing a shared session environment comprising:
facilitating the establishment of a first connection with a first remote computing device to provide access to a shared session
window to the first device;

facilitating the establishment of a second connection with a second remote computing device to provide access to the shared
session window to the second device;

determining a first time difference between a current time according to the first remote computing device and a base current
time;

determining a second time difference between a current time according to the second remote computing device and the base current
time;

negotiating gesture capabilities with the first and second remote computing devices;
receiving via the first connection data corresponding to a first gesture inputted at the shared session window displayed at
the first device to interact with the shared session window, the first gesture being associated with a first timestamp generated
at the first remote computing device;

receiving via the second connection data corresponding to a second gesture inputted at the shared session window displayed
at the second device to interact with the shared session window, the second gesture being associated with a second timestamp
generated at the second remote computing device;

reconciling the data corresponding to the first and second gestures to generate a modification instruction representing the
operations defined by the interactions with the shared session windows at the first and second remote computing devices, reconciling
the data comprising normalizing the first timestamp based on the first time difference and normalizing the second timestamp
based on the second time difference, wherein normalizing the first timestamp includes subtracting the first time difference
from the first timestamp, and wherein normalizing the second timestamp includes subtracting the second time difference from
the second timestamp; and

transmitting a modified shared session window over the first and second connections to the first and second computing devices.

US Pat. No. 9,143,529

MODIFYING PRE-EXISTING MOBILE APPLICATIONS TO IMPLEMENT ENTERPRISE SECURITY POLICIES

Citrix Systems, Inc., Fo...

1. A method comprising:
disassembling, by a computing device, executable code of a mobile application associated with an enterprise into disassembled
code;

analyzing, by the computing device, the disassembled code;
modifying, by the computing device, the disassembled code to add new code that causes the mobile application to:
detect that the mobile application is being used within a pre-defined time window;
detect a request by the mobile application to access a site not associated with the enterprise; and
add one or more headers to the request that cause the request to be sent via an application tunnel to a content-filtering
device configured to:

determine whether the site not associated with the enterprise is authorized for access within the pre-defined time window;
strip the one or more headers from the request responsive to determining that the site not associated with the enterprise
is authorized for access; and

after stripping the one or more headers from the request, forward the request to the site not associated with the enterprise;
obfuscating at least a portion of the new code to inhibit reverse engineering of the new code; and
rebuilding the mobile application using the modified disassembled code.
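The content-filtering device side of this claim, as an added example in Go (not Citrix's code and not from the patent): the tunnel header names, the allow-list of non-enterprise sites and the per-site time windows are assumptions, since the claim names none of them. The point a practitioner wants to see is the last step: the enterprise headers are deleted before the request is forwarded, so the third-party site never learns which enterprise app or policy produced the request.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"strings"
	"time"
)

// Hypothetical header names: the claim says only "one or more headers".
// The window header is informational (what the app detected); the filter
// enforces its own policy window, never the client's claim.
const (
	hdrTunnelApp    = "X-Enterprise-Tunnel-App"
	hdrTunnelWindow = "X-Enterprise-Tunnel-Window"
)

// Policy is the filter's allow-list: host -> {startMinute, endMinute} of the
// window in which the non-enterprise site may be reached.
type Policy struct {
	Allowed map[string][2]int
}

// Decision records what the filter did with one request.
type Decision struct {
	Forward bool
	Reason  string
}

func minutes(t time.Time) int { return t.Hour()*60 + t.Minute() }

// Filter inspects a tunnelled request. If the target host is authorised for
// the current time, it strips the tunnel headers and reports that the request
// may be forwarded to the site; otherwise the request is refused.
func (p Policy) Filter(req *http.Request, now time.Time) Decision {
	if req.Header.Get(hdrTunnelApp) == "" {
		return Decision{false, "not a tunnelled enterprise request"}
	}
	host := strings.ToLower(req.URL.Hostname())
	win, ok := p.Allowed[host]
	if !ok {
		return Decision{false, "site not authorised: " + host}
	}
	m := minutes(now)
	if m < win[0] || m >= win[1] {
		return Decision{false, fmt.Sprintf("outside window for %s at %02d:%02d", host, now.Hour(), now.Minute())}
	}
	// Strip every tunnel header before the request leaves the enterprise boundary.
	req.Header.Del(hdrTunnelApp)
	req.Header.Del(hdrTunnelWindow)
	return Decision{true, "authorised"}
}

// newTunnelledRequest builds the kind of request the rewritten app would emit
// (constructed sample input, not captured traffic).
func newTunnelledRequest(rawURL string) *http.Request {
	u, _ := url.Parse(rawURL)
	req := &http.Request{Method: "GET", URL: u, Header: http.Header{}}
	req.Header.Set(hdrTunnelApp, "com.example.mail")
	req.Header.Set(hdrTunnelWindow, "09:00-17:00")
	return req
}

func main() {
	policy := Policy{Allowed: map[string][2]int{"news.example.org": {9 * 60, 17 * 60}}}
	req := newTunnelledRequest("https://news.example.org/today")
	d := policy.Filter(req, time.Date(2024, 1, 15, 10, 30, 0, 0, time.UTC))
	fmt.Println(d.Forward, d.Reason, "headers stripped:", req.Header.Get(hdrTunnelApp) == "")
}
```

The filter keys its decision on the URL host and on its own clock and policy; the headers only mark the request as coming through the tunnel. Trusting a client-supplied window header would let a modified app extend its own hours.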

US Pat. No. 9,098,335

SYSTEMS AND METHODS FOR MANAGING SPILLOVER LIMITS IN A MULTI-CORE SYSTEM

CITRIX SYSTEMS, INC., Fo...

1. A method of managing spillover via a plurality of cores of a multi-core device intermediary to a plurality of clients and
one or more services, the method comprising:
a) identifying, for a device intermediary to a plurality of clients and one or more services, a spillover limit of a resource,
the device comprising a plurality of virtual servers operating on a corresponding core of a plurality of cores of the device;

b) allocating, by a pool manager of the device, to each of the plurality of virtual servers, a number of uses of a resource
from an exclusive quota pool and shared quota pool based on the spillover limit, the number of uses of the resources comprising
a number of times the resource can be used;

c) determining, by the device, that the number of times the resource is used by a virtual server of the plurality of virtual
servers has reached the allocated number of uses of the resource of the virtual server; and

d) forwarding, by the device responsive to the determination, to a backup virtual server a request of a client of the plurality
of clients received by the device for the virtual server.
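The pool manager's accounting in steps b) to d), as an added example in Go (not Citrix's code): the split of the spillover limit into equal exclusive quotas plus one shared remainder, and the per-virtual-server backup name, are assumptions the claim leaves open. It shows the case that matters for availability: a single busy virtual server can drain the shared pool, after which every other virtual server spills over as soon as its own exclusive quota is exhausted.

```go
package main

import (
	"errors"
	"fmt"
)

// VServer is a virtual server pinned to one core, with the exclusive number of
// resource uses reserved for it and the number of uses it has consumed so far.
type VServer struct {
	Name      string
	Exclusive int
	Used      int
	Backup    string // backup virtual server that receives spilled-over requests
}

// PoolManager splits the spillover limit into per-vserver exclusive quotas and a
// shared pool that any vserver may draw from once its exclusive quota is used up.
type PoolManager struct {
	Limit   int
	Shared  int
	servers map[string]*VServer
}

// NewPoolManager reserves `exclusive` uses per vserver and leaves the remainder
// of the spillover limit in the shared pool (assumed allocation policy).
func NewPoolManager(limit, exclusive int, servers ...*VServer) (*PoolManager, error) {
	if exclusive*len(servers) > limit {
		return nil, errors.New("exclusive quotas exceed spillover limit")
	}
	pm := &PoolManager{Limit: limit, Shared: limit - exclusive*len(servers), servers: map[string]*VServer{}}
	for _, s := range servers {
		s.Exclusive = exclusive
		pm.servers[s.Name] = s
	}
	return pm, nil
}

// Route decides which vserver handles a client request addressed to `name`:
// the vserver itself while it still has exclusive or shared uses, otherwise
// its backup (step d).
func (pm *PoolManager) Route(name string) (string, error) {
	s, ok := pm.servers[name]
	if !ok {
		return "", errors.New("unknown vserver " + name)
	}
	switch {
	case s.Used < s.Exclusive:
		s.Used++
		return s.Name, nil
	case pm.Shared > 0:
		pm.Shared--
		s.Used++
		return s.Name, nil
	case s.Backup != "":
		return s.Backup, nil
	}
	return "", fmt.Errorf("%s has reached its allocated uses and has no backup", name)
}

func main() {
	a := &VServer{Name: "vs-a", Backup: "vs-a-backup"}
	b := &VServer{Name: "vs-b", Backup: "vs-b-backup"}
	pm, _ := NewPoolManager(6, 2, a, b)
	for i := 0; i < 5; i++ {
		dst, _ := pm.Route("vs-a")
		fmt.Println("request", i+1, "->", dst)
	}
}
```

With a limit of 6 and an exclusive quota of 2 for two vservers, the shared pool holds 2 uses; vs-a serves four requests and spills the fifth, and vs-b then spills its third because the shared pool is already empty.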

US Pat. No. 9,948,610

METHOD AND APPARATUS FOR ACCESSING THIRD-PARTY RESOURCES

Citrix Systems, Inc., Fo...

1. A device comprising:
one or more processors;
memory; and
a network gateway configured to:
acquire a first token from a client, the first token encrypting a second token, wherein the first token is used to access the network gateway and the second token is used to access a third-party resource provider, the network gateway granting access to the client based on at least the first token;
provide the first token to a token management service, wherein the token management service is inaccessible to the client;
decrypt the second token from the first token;
request one of a refresh or replacement of the second token from the token management service, wherein the token management service is inaccessible to the client;
receive the second token from the token management service;
access the third-party resource provider using the second token; and
grant the client access to the third-party resource provider.
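The nested-token exchange in this claim, as an added example in Go (not Citrix's code): the first token is the second token sealed with AES-GCM under a key shared by the gateway and the token management service, the user identity is bound as associated data, and the refresh path is simulated by a function standing in for the third-party resource provider. Key sharing, the AES-GCM choice and the in-memory token store are all assumptions; the claim specifies only that the first token encrypts the second and that the client cannot reach the token management service.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// TokenService is the token management service. It owns the wrapping key and
// the current third-party token per user, and is reachable from the gateway only.
type TokenService struct {
	key     []byte            // 32-byte AES-256 key (assumption: shared with the gateway)
	current map[string]string // user -> current third-party token (constructed store)
}

func seal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	gcm, err := cipher.NewGCM(block)
	if err != nil { return nil, err }
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return append(nonce, gcm.Seal(nil, nonce, plaintext, aad)...), nil
}

func open(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	gcm, err := cipher.NewGCM(block)
	if err != nil { return nil, err }
	if len(sealed) < gcm.NonceSize() { return nil, errors.New("first token too short") }
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// IssueFirstToken wraps the third-party (second) token inside the gateway (first)
// token. Binding the user as associated data stops a first token being replayed
// for another user; the client stores it opaquely and cannot read the inner token.
func (s *TokenService) IssueFirstToken(user string) (string, error) {
	sealed, err := seal(s.key, []byte(s.current[user]), []byte(user))
	if err != nil { return "", err }
	return base64.RawURLEncoding.EncodeToString(sealed), nil
}

// Refresh replaces the third-party token (simulating the provider's refresh flow).
func (s *TokenService) Refresh(user string) string {
	s.current[user] = s.current[user] + "-r"
	return s.current[user]
}

// Gateway unwraps the second token from the first, asks the token service for a
// replacement when the provider rejects it, and uses the result for the client.
type Gateway struct {
	key []byte
	svc *TokenService
}

// Access returns the third-party token actually used upstream. providerAccepts
// stands in for the third-party resource provider's verdict on a token.
func (g *Gateway) Access(user, firstToken string, providerAccepts func(string) bool) (string, error) {
	sealed, err := base64.RawURLEncoding.DecodeString(firstToken)
	if err != nil { return "", err }
	inner, err := open(g.key, sealed, []byte(user))
	if err != nil { return "", fmt.Errorf("first token rejected: %w", err) }
	second := string(inner)
	if !providerAccepts(second) {
		second = g.svc.Refresh(user) // the client takes no part in the refresh
	}
	return second, nil
}

func newSystem() (*TokenService, *Gateway) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil { panic(err) }
	svc := &TokenService{key: key, current: map[string]string{"alice": "provider-token-1"}}
	return svc, &Gateway{key: key, svc: svc}
}

func main() {
	svc, gw := newSystem()
	first, _ := svc.IssueFirstToken("alice")
	used, err := gw.Access("alice", first, func(t string) bool { return t == "provider-token-1" })
	fmt.Println(used, err)
}
```

After a refresh the client still holds a first token wrapping the stale second token; a production gateway would have the token service issue a new first token and return it to the client, which this example leaves out.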

US Pat. No. 9,485,239

IMPLEMENTING SINGLE SIGN-ON ACROSS A HETEROGENEOUS COLLECTION OF CLIENT/SERVER AND WEB-BASED APPLICATIONS

Citrix Systems, Inc., Fo...

1. A method, comprising:
establishing, based on an authentication credential provided by a user via a first client application, a first authenticated
session for a computing device, the first authenticated session being associated with the first client application;

generating a master authentication token and a first authentication token corresponding to the first authentication session;
responsive to an authentication request associated with a second client application, generating, based on the master authentication
token and an identification of the second client application, a second authentication token comprising a session identifier
different from a session identifier of the first authentication token; and

using the second authentication token to establish a second authenticated session for the computing device, the second authenticated
session being associated with the second client application.
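The master-token to per-application token derivation, as an added example in Go (not Citrix's code): the master token stays inside the broker, each application's session identifier is an HMAC of the master token keyed by the application identifier, and application tokens are signed with a separate server key. The token format, the HMAC-based derivation, the signing key and the credential check are all assumptions; the claim fixes only that the second token is derived from the master token plus the application identification and carries a different session identifier.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// SSOBroker holds the master authentication token per user. The master token
// never leaves the broker; each client application gets its own derived token.
type SSOBroker struct {
	signingKey []byte            // server key used to sign app tokens (assumption)
	masters    map[string][]byte // user -> master authentication token
}

func NewSSOBroker() *SSOBroker {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		panic(err)
	}
	return &SSOBroker{signingKey: k, masters: map[string][]byte{}}
}

// Login establishes the first authenticated session: the credential is checked
// (constructed check), a master token is generated and the first app token derived.
func (b *SSOBroker) Login(user, password, appID string) (string, error) {
	if password != "correct-horse" { // stand-in for real credential validation
		return "", errors.New("bad credential")
	}
	m := make([]byte, 32)
	if _, err := rand.Read(m); err != nil {
		return "", err
	}
	b.masters[user] = m
	return b.AppToken(user, appID)
}

// AppToken derives a per-application token. The session identifier is
// HMAC(master, appID), so two applications never share a session id and a token
// taken from one application cannot be presented as another's session.
func (b *SSOBroker) AppToken(user, appID string) (string, error) {
	m, ok := b.masters[user]
	if !ok {
		return "", errors.New("no authenticated session for " + user)
	}
	sid := hmac.New(sha256.New, m)
	sid.Write([]byte("session-id|" + appID))
	sessionID := base64.RawURLEncoding.EncodeToString(sid.Sum(nil)[:16])
	body := user + "|" + appID + "|" + sessionID
	mac := hmac.New(sha256.New, b.signingKey)
	mac.Write([]byte(body))
	return body + "|" + base64.RawURLEncoding.EncodeToString(mac.Sum(nil)), nil
}

// Verify checks the signature of an app token and that it was issued to the
// application presenting it. It returns the session identifier on success.
func (b *SSOBroker) Verify(token, presentingApp string) (string, error) {
	parts := strings.Split(token, "|")
	if len(parts) != 4 {
		return "", errors.New("malformed token")
	}
	body := strings.Join(parts[:3], "|")
	mac := hmac.New(sha256.New, b.signingKey)
	mac.Write([]byte(body))
	want := base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
	if !hmac.Equal([]byte(want), []byte(parts[3])) {
		return "", errors.New("bad signature")
	}
	if parts[1] != presentingApp {
		return "", fmt.Errorf("token issued to %s, presented by %s", parts[1], presentingApp)
	}
	return parts[2], nil
}

func main() {
	b := NewSSOBroker()
	t1, _ := b.Login("alice", "correct-horse", "mail-client")
	t2, _ := b.AppToken("alice", "web-portal")
	fmt.Println(t1)
	fmt.Println(t2)
}
```

The pipe-delimited token is for readability; a deployment would use a structured, length-safe encoding so that a user or application name containing the delimiter cannot shift fields.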

US Pat. No. 9,264,293

SYSTEMS AND METHODS FOR HANDLING A MULTI-CONNECTION PROTOCOL BETWEEN A CLIENT AND SERVER TRAVERSING A MULTI-CORE SYSTEM

CITRIX SYSTEMS, INC., Fo...

1. A method of handling a multi-connection protocol connection between a client and a server traversing a multi-core system,
the multi-connection protocol comprising a control connection and a data connection, the method comprising:
a) receiving, by a first packet processing engine of a first core of a multi-core system, via a control connection of a multi-connection
protocol a request from a client to a server for a port of the server to establish a data connection with the server;

b) receiving, by the first packet processing engine, a response from the server identifying the port of the server for establishing
the data connection;

c) identifying, by the first packet processing engine, a virtual port number and virtual internet protocol address of the
multi-core system;

d) sending, by the first packet processing engine, to a plurality of cores of the multi-core system, a first message identifying
the virtual internet protocol address and the virtual port number;

e) establishing, by each of the plurality of cores, a listening service on the virtual internet protocol address and the virtual
port number;

f) receiving, by the listening service of a second core of the plurality of cores, a data connection request from the client
to the server;

g) sending, by the second core, a second message to the plurality of cores that the second core has the data connection; and
h) incrementing, by the first packet processing engine of the first core, a reference counter for the data connection of the
control connection in response to the second message.

US Pat. No. 9,235,448

SYSTEMS AND METHODS FOR BATCHABLE HIERARCHICAL CONFIGURATION

CITRIX SYSTEMS, INC., Fo...

1. A method for configuring one or more global server load balancing (GSLB) appliances and one or more load balancing appliances
via a single configuration to represent a GSLB site hierarchy, the method comprising:
a) receiving, by each of a plurality of appliances, a single configuration representing a GSLB site hierarchy, comprising
a plurality of levels, the GSLB site hierarchy comprising a plurality of sites, each site of the plurality of sites having
one or more appliances of the plurality of appliances, each of the appliances deployed at a level of the plurality of levels;

b) identifying, by a first appliance of the plurality of appliances, from the single configuration during configuration of
the first appliance that the first appliance is a first node corresponding to a first GSLB site in the GSLB site hierarchy,
the first appliance providing GSLB to the plurality of sites in the GSLB site hierarchy;

c) identifying, by a second appliance of the plurality of appliances, from the single configuration during configuration of
the second appliance that the second appliance is a second node corresponding to a second site in the GSLB site hierarchy,
the second appliance providing load balancing for a plurality of servers at the second site in the GSLB site hierarchy;

d) identifying, by the second appliance, from the single configuration during configuration of the second appliance that the
first node of the first GSLB site is a parent node at a first level of the plurality of levels in the GSLB site hierarchy
to the second node of the second appliance at the second site at a second level of the plurality of levels;

e) establishing, by each of the plurality of appliances, a metric exchange connection with at least one appliance at a different
level of the plurality of levels of the GSLB site hierarchy based on the topology of the GSLB site hierarchy to exchange load
balancing statistics via transport layer connections; and

f) exchanging, by each of the plurality of appliances, load balancing statistics with the at least one appliance at the different
level of the plurality of levels of the GSLB site hierarchy based on the topology of the GSLB site hierarchy.

US Pat. No. 9,215,212

SYSTEMS AND METHODS FOR PROVIDING A VISUALIZER FOR RULES OF AN APPLICATION FIREWALL

CITRIX SYSTEMS, INC., Fo...

1. A method of generating a representation of a plurality of learned rules from a learning engine of an application firewall
based on a history of uniform resource locator (URL) communications with a web server, the method comprising:
a) determining, by a learning engine of an application firewall, a plurality of learned rules based on a history of URL communications
with a web server, each of the plurality of learned rules assigned a URL string;

b) categorizing, by a visualizer, a subset of the plurality of learned rules under a first check type of a plurality of check
types;

c) generating, by the visualizer, a first tree representation of URL strings of the subset of learned rules, each node of
the first tree corresponding to a segment of the URL strings identified based on application of a first selected delimiter
to the URL strings to segment the URL strings into a first plurality of segments, each URL string comprising a path to a resource
and comprising multiple segments identified based on application of the first selected delimiter;

d) changing, via the visualizer responsive to a user operating the visualizer, the first delimiter to a second selected delimiter
for the same URL strings of the subset of learned rules; and

e) generating, by the visualizer, a second tree representation of the same URL strings responsive to the change to the second
selected delimiter, each node of the second tree corresponding to a segment of the URL strings identified based on application
of the second selected delimiter to the URL strings to segment the URL strings into a second plurality of segments, the change
allowing a visual comparison of hierarchical distributions of the first plurality of segments and the second plurality of
segments between the first tree and the second tree, and distributions of the subset of learned rules corresponding to the
first plurality of segments and the second plurality of segments.

US Pat. No. 9,330,106

SELECTIVE SYNCHRONIZATION OF REMOTELY STORED CONTENT

Citrix Systems, Inc., Fo...

1. A method of synchronizing data between a client device and a storage repository, the method comprising:
establishing a communications channel between the client device and the storage repository;
from a storage location for files to be synchronized between the client device and the storage repository, selecting a set
of files which is related to a particular file based on a set of selection criteria; and

while the communications channel is established, copying data of the selected set of files between the client device and the
storage repository to synchronize the selected set of files between the client device and the storage repository;

wherein a group of files resides within the storage location; and
wherein copying the data of the selected set of files between the client device and the storage repository includes transferring
the data of the selected set of files between the client device and the storage repository ahead of transferring data of remaining
files of the group to synchronize the selected set of files ahead of the remaining files of the group;

wherein selecting the set of files which is related to the particular file includes:
providing, for each file of the group of files, a respective overall score based on the set of selection criteria, and
distinguishing the selected set of files from the remaining files of the group based on the respective overall score of each
file of the group; and

wherein providing, for each file of the group of files, the respective overall score based on the set of selection criteria
includes:

generating the overall score for each file based at least in part on a filename similarity between a filename of that file
and a filename of the particular file.

US Pat. No. 9,325,759

METHODS AND APPARATUS FOR GENERATING GRAPHICAL AND MEDIA DISPLAYS AT A CLIENT

Citrix Systems, Inc., Fo...

1. A method of generating a media presentation at a client, comprising:
receiving, by a server, an indication of a media format supported by a client agent that executes on a client device;
determining, based on the received indication of the media format supported by the client agent, that a media format of a
media stream rendered by an application program executing on the server is supported by the client device;

monitoring, by an output filter module executing on the server, the media stream rendered by the application program, the
media stream comprising a compressed data set;

intercepting, by the output filter module, the compressed data set of the media stream prior to rendering by the application
program; and

transmitting, from the server, the compressed data set intercepted by the output filter module to the client device for decompression
by the client device.

US Pat. No. 9,280,760

INTEGRATED ONLINE WORKSPACES

Citrix Systems, Inc., Fo...

1. A computer-implemented method for providing a workspace, the method comprising:
providing, to a client computing device, access to a workspace, the workspace comprising one or more members and one or more
content items, the workspace being a first web-delivered shared environment for the members of the workspace to collaborate
asynchronously by sharing access to the content items, the access being provided in response to verifying that the client
computing device is associated with one of the one or more members of the workspace;

providing, to the client computing device, a workspace display associated with the workspace, the workspace display including
(1) a representation of remote resources of the workspace including the content items, (2) a representation of the members
of the workspace, and (3) a representation of meeting resources for online meetings that can be initiated and joined by the
one member via the workspace display, the online meetings provided by an online meeting tool in a second web-delivered shared
environment providing real-time video and/or audio interaction among online meeting participants, the representation of the
meeting resources in the workspace display being connected to receive online meeting information from the second web-delivered
shared environment and including (a) in a first operating condition, a first user interface element to initiate an online
meeting in the second web-delivered shared environment with a first portion of the one or more members of the workspace, and
(b) in a second operating condition, a second user interface element to join an ongoing online meeting in the second web-delivered
shared environment with a second portion of the one or more members; and

in response to initiation of an online meeting by activation of the first user interface element and to joining of an online
meeting by activation of the second interface element, receiving meeting descriptive information and meeting content for the
online meeting from the second web-delivered shared environment and displaying the meeting descriptive information and meeting
content for the online meeting in the representation of the meeting resources of the workspace display,

wherein the second user interface element is coupled with a thumbnail of a screen sharing view or webcam view from the ongoing
online meeting.

US Pat. No. 9,235,618

SYSTEMS AND METHODS FOR CACHING OF SQL RESPONSES USING INTEGRATED CACHING

CITRIX SYSTEMS, INC., Fo...

1. A method for caching by a device intermediary to a client and a database a result of a structured query language (SQL)
query request, the method comprising:
(a) receiving, by a device intermediary to a plurality of clients and a database, a SQL response from the database to a first
structured query language (SQL) query request of a client of the plurality of clients, the device maintaining a cache of SQL
responses from the database;

(b) identifying, by the device, that the first SQL query request matches a rule of a policy for caching SQL responses from
the database, the policy comprising a cache action to take on a response to a query when the rule is matched; and

(c) performing, by the device responsive to the policy, on the SQL response received from the database the cache action identified
by the policy matching the first SQL query request.

US Pat. No. 9,948,633

SYSTEMS AND METHODS FOR POLICY DRIVEN FINE GRAIN VALIDATION OF SERVERS' SSL CERTIFICATE FOR CLIENTLESS SSLVPN ACCESS

Citrix Systems, Inc., Fo...

1. A method for validation of a secure socket layer (SSL) certificate of a server for clientless SSL virtual private network (VPN) access, the method comprising:
receiving, by a device intermediary between a client and a plurality of servers, a first request from the client for establishing a clientless SSL VPN connection with a first server of the plurality of servers;
maintaining, by the device, one or more preconfigured policies for use by the device to restrict SSL certificate validation to a set of servers or domain names specified in the one or more preconfigured policies, each of the one or more preconfigured policies specifying: (1) a respective condition that specifies at least one respective server or domain name of the set of servers or domain names, and (2) at least one respective action, triggered by the at least one respective condition and comprising a corresponding method of performing SSL certificate validation;
identifying, by the device from the first request, one or more parameters associated with the first server;
determining, by the device using the one or more parameters associated with the first server, that the first server in the first request meets a first condition of a first preconfigured policy of the one or more preconfigured policies which triggers a first action of the first preconfigured policy to validate a SSL certificate of the first server; and
performing, by the device responsive to the determination, the first action to validate the SSL certificate of the first server at the device for the clientless SSL VPN connection according to a SSL validation method corresponding to the first action, using one or more certificate authority (CA) certificates specified by the first preconfigured policy, the one or more CA certificates comprising a subset of a plurality of CA certificates available to the device; and
establishing the clientless SSL VPN connection responsive to validating the SSL certificate of the first server.

US Pat. No. 9,588,637

TRANSPARENT USER INTERFACE INTEGRATION BETWEEN LOCAL AND REMOTE COMPUTING ENVIRONMENTS

Citrix Systems, Inc., Fo...

1. A method, comprising:
receiving, by a client device and from a remote host, data associated with a user interface component of an application executing
within a virtual machine hosted by the remote host; and

rendering, by the client device, within a user interface associated with the client device, and with a graphical appearance
based on at least one user interface component of the user interface associated with the client device, a user interface component
corresponding to the user interface component of the application executing within the virtual machine hosted by the remote
host.

US Pat. No. 9,531,714

ENTERPRISE AUTHENTICATION VIA THIRD PARTY AUTHENTICATION SUPPORT

Citrix Systems, Inc., Fo...

1. A method comprising:
transmitting, by a computing device to an authentication device via a network, a request to authenticate a client device application
via a forms login protocol;

retrieving, by the computing device from the authentication device via the network, an authentication challenge and a first
credential form requesting a first authentication credential, wherein the first credential form is generated, by an extension
device connected to the authentication device, based on information received from an authentication service associated with
the client device application, the extension device being configured with one or more authentication protocols of the authentication
service associated with the client device application;

transmitting, by the computing device to the client device application via the network, the first credential form and the
authentication challenge;

receiving, by the computing device from the client device application via the network, the first authentication credential
and a response to the authentication challenge;

transmitting, by the computing device to the authentication service via the extension device, the first authentication credential
and the response to the authentication challenge; and

transmitting, by the computing device via the network and in response to a successful validation of the first authentication
credential and a successful response to the authentication challenge, an approval of the request made by the client device
application to authenticate via the forms login protocol.

US Pat. No. 9,467,474

CONJURING AND PROVIDING PROFILES THAT MANAGE EXECUTION OF MOBILE APPLICATIONS

Citrix Systems, Inc., Fo...

1. A method, comprising:
displaying, by one or more computing devices, a user interface that displays one or more policy settings for a managed application
that is to be made available for download to a mobile device, wherein each of the one or more policy settings provides a constraint
to be enforced by the mobile device prior to the managed application being provided access to at least one resource that is
accessible through an access gateway;

receiving input via the user interface that creates or modifies a user authorization or user identification setting of the
one or more policy settings, wherein the user authorization or user identification setting specifies a condition for authorizing
or identifying a user in connection with the managed application being provided access to the at least one resource;

producing a policy file for the managed application that includes the user authorization or user identification setting, wherein
the policy file is assigned to a first user role;

providing the policy file such that the policy is available for download to the mobile device;
receiving additional input specifying one or more additional policy settings, wherein the one or more additional policy settings
includes an additional user authorization or user identification setting that specifies a constraint different from the one
or more constraints that are specified by the user authorization or user identification setting;

producing an additional policy file for the managed application that includes the one or more additional policy settings,
wherein the additional policy file is assigned to a second user role that is different from the first user role; and

providing the additional policy file for download in accordance with a requesting user that is assigned the second user role.

US Pat. No. 9,378,359

GATEWAY FOR CONTROLLING MOBILE DEVICE ACCESS TO ENTERPRISE RESOURCES

Citrix Systems, Inc., Fo...

1. A system comprising:
an enterprise resource comprising computer hardware configured to electronically communicate with a computing device over
a communication network; and

a gateway comprising computer hardware, the gateway configured to:
receive a request from a mobile device to access the enterprise resource, the request formatted according to a protocol and
including a property of the mobile device, the request comprising a header and a payload;

store a gateway rule comprising an indication to encrypt data transmitted to the mobile device via the gateway when the property
of the request from the mobile device corresponds to a property value in the gateway rule;

parse the payload of the request from the mobile device to determine a character-encoding scheme of the payload of the request;
based on the character-encoding scheme of the payload of the request, determine whether the property of the request from the
mobile device corresponds to the property value in the gateway rule; and

responsive to determining that the property of the request from the mobile device corresponds to the property value in the
gateway rule, cause the data transmitted to the mobile device via the gateway to be encrypted.

US Pat. No. 9,143,575

DISTRIBUTED CONTENT CACHING SOLUTION FOR A MOBILE WIRELESS NETWORK

Citrix Systems, Inc., Fo...

1. A method comprising:
acquiring, at a device of a first network, a request for data content from a user device, the request being targeted at a
server located in a second network;

communicating with a cache of the first network, using the request, to acquire at least some data content using the request,
wherein the at least some data content is provided to the user device via the first network;

acquiring a threshold value and a timer value, the threshold value indicating a threshold size of data to be transmitted in
the second network and the timer value indicating a duration of time for sending the threshold size of data to maintain a
quality of service provided by the second network for the user device;

determining that the cache of the first network is providing the at least some data content via the first network; and
responsive to the determination, transmitting one or more data packets to the second network within a duration based on the
acquired threshold value and the acquired timer value.

US Pat. No. 9,137,708

MECHANISM FOR APPLICATION MOBILITY IN A CELL SITE-BASED CONTENT DISTRIBUTION NETWORK

Citrix Systems, Inc., Fo...

1. A method in an electronic device for providing content to a user device in a communication network having an access network
and a core network, the method comprising:
serving a first data stream of content from a source content server in the access network to the user device, the content
being accessed using a protocol;

identifying that the user device is transitioning from a connection to the source content server to a connection to a destination
content server; and

handing over responsibility for serving the content from the source content server to the destination content server, wherein
handing over responsibility for serving the content comprises:

creating a tunnel between the source content server and the destination content server,
creating a second data stream over the tunnel, the second data stream being a duplicate of the first data stream,
interacting with a proxy at the destination content server, the proxy corresponding to the protocol used to access the content
at the source content server, the proxy having a context, and

moving the context from the protocol at the source content server to the proxy at the destination content server.

US Pat. No. 9,948,612

SECURE SINGLE SIGN ON AND CONDITIONAL ACCESS FOR CLIENT APPLICATIONS

Citrix Systems, Inc., Fo...

1. A method comprising:
establishing a secure communication tunnel between an application running on a mobile device and an identity provider gateway device;
receiving, by the identity provider gateway device, from the application running on the mobile device, and via the secure communication tunnel, an authentication request comprising a client certificate;
extracting, by the identity provider gateway device, and from the client certificate, a device identifier associated with the mobile device;
transmitting, by the identity provider gateway device, and to a device management server, a request to determine whether the mobile device is compliant with security policies, wherein the request to determine whether the mobile device is compliant with security policies comprises the device identifier associated with the mobile device;
in response to transmitting the request to determine whether the mobile device is compliant with security policies, receiving, by the identity provider gateway device, and from the device management server, an indication of whether the mobile device is compliant with security policies; and
determining, by the identity provider gateway device, and based on the indication of whether the mobile device is compliant with security policies, whether to grant the application running on the mobile device access to a service associated with the application running on the mobile device.
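The identity-provider gateway's decision in this claim, as an added example in Go (not Citrix's code): the device identifier is read from a URI subject alternative name of the form urn:device:<id>, the device management server is modelled by an interface backed by a constructed compliance table, and the client certificate is generated in-process for the test. The SAN convention, the compliance API and the self-signed certificate are assumptions; the example also assumes the TLS layer has already verified the client certificate against the enterprise CA, so it checks only validity dates, identifier extraction and compliance.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// Assumed convention for carrying the device identifier in the certificate.
const deviceURNPrefix = "urn:device:"

// DeviceIDFromCert extracts the device identifier from the client certificate's URI SANs.
func DeviceIDFromCert(cert *x509.Certificate) (string, error) {
	for _, u := range cert.URIs {
		if s := u.String(); len(s) > len(deviceURNPrefix) && s[:len(deviceURNPrefix)] == deviceURNPrefix {
			return s[len(deviceURNPrefix):], nil
		}
	}
	return "", errors.New("no device identifier in client certificate")
}

// DeviceManager stands in for the device management server's compliance API.
type DeviceManager interface {
	IsCompliant(deviceID string) (bool, error)
}

type staticMDM map[string]bool // constructed compliance table: device id -> compliant

func (m staticMDM) IsCompliant(id string) (bool, error) {
	c, known := m[id]
	if !known {
		return false, fmt.Errorf("device %s not enrolled", id)
	}
	return c, nil
}

// Authorize is the gateway's decision: extract the device id, ask the MDM, and
// grant access only to an enrolled, compliant device with a currently valid certificate.
func Authorize(clientCert *x509.Certificate, mdm DeviceManager, now time.Time) error {
	if now.Before(clientCert.NotBefore) || now.After(clientCert.NotAfter) {
		return errors.New("client certificate not valid at this time")
	}
	id, err := DeviceIDFromCert(clientCert)
	if err != nil {
		return err
	}
	ok, err := mdm.IsCompliant(id)
	if err != nil {
		return err
	}
	if !ok {
		return fmt.Errorf("device %s is not compliant", id)
	}
	return nil
}

// newDeviceCert builds a self-signed client certificate carrying the device id
// (constructed test input; a deployment issues these from the enterprise CA).
func newDeviceCert(deviceID string, now time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "mobile-app"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		URIs:         []*url.URL{{Scheme: "urn", Opaque: "device:" + deviceID}},
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	now := time.Now()
	cert, _ := newDeviceCert("dev-1234", now)
	mdm := staticMDM{"dev-1234": true, "dev-9999": false}
	fmt.Println("access decision:", Authorize(cert, mdm, now))
}
```

An unenrolled device is refused rather than treated as compliant by default: the MDM answering "unknown" is an error path, not a pass.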

US Pat. No. 9,866,475

SYSTEMS AND METHODS FOR FORWARDING TRAFFIC IN A CLUSTER NETWORK

Citrix Systems, Inc., Fo...

1. A method for determining between steered and forwarded network traffic among a cluster of intermediary devices, the method
comprising:
(a) establishing, by a master intermediary device for each intermediary device in a cluster of intermediary devices a predetermined
Media Access Control (MAC) identifier and a node identifier, each predetermined MAC identifier comprising a cluster identifier
identifying the cluster and the node identifier identifying a corresponding intermediary device, the cluster of intermediary
devices comprising a plurality of separate intermediary devices in communication with each other over a common backplane to
receive network packets forwarded among intermediary devices in the cluster;

(b) identifying, by an intermediary device of the cluster from a received network packet having a source address field and
a destination address field, that a MAC identifier of the network packet is the predetermined MAC identifier; and

(c) determining, by the intermediary device responsive to identifying that the predetermined MAC identifier is located and
present in the source address field of a network layer of the received network packet to process the network packet or responsive
to identifying that the predetermined MAC identifier is located and present in the destination address field of the network
layer of the received network packet to forward the network packet via the common backplane to another intermediary device
of the plurality of intermediary devices.
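Step (c) of this claim, as an added example in Go (not Citrix's code): the predetermined MAC layout (a locally administered prefix, then the cluster identifier, then the node identifier) is an assumption, since the claim only says the MAC carries both identifiers. The source and destination MAC fields are read from the Ethernet header; a cluster MAC in the source field means the frame was steered to this node and is processed, while a cluster MAC in the destination field names the node the frame is forwarded to over the backplane. Frames carrying another cluster's identifier or no cluster MAC at all take the ordinary path.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"net"
)

// Hypothetical cluster MAC layout: bytes 0-1 a locally administered prefix,
// bytes 2-3 the cluster identifier, bytes 4-5 the node identifier.
var clusterPrefix = [2]byte{0x02, 0xC1}

func clusterMAC(clusterID, nodeID uint16) net.HardwareAddr {
	mac := make(net.HardwareAddr, 6)
	copy(mac, clusterPrefix[:])
	binary.BigEndian.PutUint16(mac[2:], clusterID)
	binary.BigEndian.PutUint16(mac[4:], nodeID)
	return mac
}

// isClusterMAC reports whether a MAC is a predetermined cluster MAC and, if so,
// which cluster and node it encodes.
func isClusterMAC(mac net.HardwareAddr) (clusterID, nodeID uint16, ok bool) {
	if len(mac) != 6 || mac[0] != clusterPrefix[0] || mac[1] != clusterPrefix[1] {
		return 0, 0, false
	}
	return binary.BigEndian.Uint16(mac[2:]), binary.BigEndian.Uint16(mac[4:]), true
}

type Action int

const (
	Ordinary Action = iota // no cluster MAC for us: normal packet path
	Process                // steered to this node: handle locally
	Forward                // forward over the backplane to the node in the destination MAC
)

func (a Action) String() string { return [...]string{"Ordinary", "Process", "Forward"}[a] }

// Classify implements step (c) for a node belonging to cluster myCluster.
// It returns the action and, for Forward, the target node identifier.
func Classify(frame []byte, myCluster uint16) (Action, uint16, error) {
	if len(frame) < 14 {
		return Ordinary, 0, errors.New("short frame")
	}
	dst := net.HardwareAddr(frame[0:6])
	src := net.HardwareAddr(frame[6:12])
	if c, _, ok := isClusterMAC(src); ok && c == myCluster {
		return Process, 0, nil
	}
	if c, node, ok := isClusterMAC(dst); ok && c == myCluster {
		return Forward, node, nil
	}
	return Ordinary, 0, nil
}

// buildFrame assembles a minimal Ethernet II header (constructed sample input).
func buildFrame(dst, src net.HardwareAddr, etherType uint16, payload []byte) []byte {
	f := make([]byte, 14+len(payload))
	copy(f[0:6], dst)
	copy(f[6:12], src)
	binary.BigEndian.PutUint16(f[12:], etherType)
	copy(f[14:], payload)
	return f
}

func main() {
	external, _ := net.ParseMAC("00:11:22:33:44:55")
	f := buildFrame(external, clusterMAC(7, 3), 0x0800, []byte("ip packet"))
	a, node, err := Classify(f, 7)
	fmt.Println(a, node, err)
}
```

Checking the cluster identifier as well as the prefix matters when more than one cluster shares a broadcast domain: a frame from another cluster must not be processed as steered traffic or forwarded onto this cluster's backplane.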

US Pat. No. 9,237,106

SYSTEMS AND METHODS OF QOS FOR SINGLE STREAM ICA

CITRIX SYSTEMS, INC., Fo...

1. A method for providing quality of service (QoS) for a stream of protocol data units, the method comprising:
(a) receiving, by a device via a single transport layer connection, a plurality of packets carrying a plurality of protocol data units, each protocol data unit of the plurality of protocol data units identifying a priority, at least one or more of the plurality of protocol data units comprising a first priority different than a second priority of other protocol data units of the plurality of protocol data units;

(b) determining, by the device, an average priority for a plurality of protocol data units within a predetermined window of protocol data units of the plurality of protocol data units;

(c) assigning, by the device, the average priority as a connection priority of the single transport layer connection; and

(d) transmitting, by the device via the single transport layer connection, the plurality of packets carrying those protocol data units within the predetermined window of protocol data units while the connection priority of the single transport layer connection is assigned the average priority for the predetermined window of protocol data units.

US Pat. No. 9,129,258

SYSTEMS, METHODS, AND DEVICES FOR COMMUNICATING DURING AN ONGOING ONLINE MEETING

CITRIX SYSTEMS, INC., Fo...

1. A method for sharing, during an ongoing online meeting, an annotation, the method comprising:
receiving, at a server computing device from a first computing device, an annotation to a screenshot representing a previously presented portion of an online meeting of which the first computing device is a participant, the screenshot having been captured in response to a trigger event during the online meeting and the screenshot being representable as an image thumbnail, wherein a live screen data is represented by a first arrangement of tiles, wherein an earlier captured screenshot is represented by a second arrangement of tiles, and wherein the trigger event occurs when a number of tiles that include a pixel in the earlier captured screenshot that is different from a corresponding pixel in the live screen data increases past a threshold, the threshold corresponding to a proportion of the tiles;

identifying a second computing device participating in the online meeting, the second computing device having not received the annotation;

transmitting, over a first communications channel, the annotation from the server computing device to the second computing device for display at the second computing device during the ongoing online meeting;

capturing, at the server computing device, a plurality of screenshots each representing a previously presented portion of the online meeting;

transmitting each of the plurality of screenshots to the first and second computing devices over a second communications channel;

encrypting the annotation prior to transmitting the annotation over the first communications channel;

encrypting the plurality of screenshots prior to transmitting the plurality of screenshots over the second communications channel;

transmitting the online meeting over a third communication channel without encryption;

wherein the first communications channel, second communications channel, and third communications channel are separate communications channels; and

wherein the first communications channel and the second communications channel have relatively lower bandwidth than the third communications channel.

US Pat. No. 9,591,081

VIRTUAL DESKTOP ACCESS USING WIRELESS DEVICES

Citrix Systems, Inc., Fo...

1. A first computing device comprising:
one or more processors;

memory storing instructions that, when executed by one of the processors, cause the first computing device to:

establish a communication session with a second computing device using a remote display protocol,

execute a virtual application configured to interact with a client application at the second computing device using the remote display protocol during the communication session,

generate, using a virtual software driver, one or more packets associated with the virtual application, the one or more packets having a first type, and

transmit the one or more packets having the first type to the client application at the second computing device using the remote display protocol during the communication session; and

wherein receipt of the one or more packets having the first type at the client application causes the client application to:

translate the one or more packets having the first type into one or more packets having a second type, and

initiate transmission of the one or more packets having the second type from the second computing device to a wireless device.