SteelHead SaaS Quick Start Overview
  
This section provides a list of activities that you will need to perform to set up and run SteelHead SaaS. These activities are explained in detail in later chapters of this guide.
Configure...
By performing these tasks...
1. Network Requirements
•  Ensure that the SteelHead appliance can connect to the Internet from its primary and in-path interfaces.
•  Check that the following connections used by the SteelHead are allowed on the firewall facing the Internet:
–  Outbound stateful* TCP port 443 from the SteelHead appliance’s primary interface.
–  Outbound stateful UDP port 9545 from the SteelHead appliance’s in-path interfaces.
–  NTP (UDP/123) from the SteelHead primary interface, if the SteelHead appliance is configured with an Internet NTP.
–  DNS (TCP/UDP/53) from the SteelHead primary interface, if the SteelHead appliance is configured with an Internet DNS server.
*Stateful = the inbound reverse traffic needs to be able to reach the SteelHead.
2. SaaS Requirements
•  Enable access from the Akamai Cloud SteelHeads (ACSHs) if access to the SaaS is restricted to certain source IP addresses.
•  Log in to the Riverbed Knowledge Base and search for S16182 to find a list of ACSH IP addresses.
3. SSL Certificates (Cloud Portal)
Choose the SSL CA to use for SaaS proxy certificates in the SaaS Platforms page. The CA must be trusted by all the clients. Read the following Knowledge Base article that explains which certificates to sign:
https://supportkb.riverbed.com/support/index?page=content&id=S16076
Customer-hosted
Note that certificates signed by an internal CA may already be trusted by the internal clients.
•  Log in to the Riverbed Cloud Portal and choose customer-hosted.
•  Generate Certificate Signing Requests (CSRs) corresponding to your optimized SaaS and download the CSRs.
•  Sign the CSRs in PEM format with the internal CA certificate that each of your clients trusts.
•  Upload the signed CSRs in PEM format back to the portal.
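The customer-hosted signing step above, sketched with OpenSSL as an added example (not from the Riverbed guide). The CA, the CSR, the hostname saas.example.test, the file names and the extension profile are constructed assumptions; the Knowledge Base article cited above determines what must actually be signed.

```sh
#!/bin/sh
# Added example: sign a portal CSR with an internal CA and check the result before upload.
# The CA and CSR are throwaway stand-ins generated here (constructed); in practice the
# CSR comes from the Riverbed Cloud Portal and the CA is your existing internal CA.
# Hostname and extension profile are assumptions; follow KB S16076 for the real ones.
set -eu

sign_and_check() {   # usage: sign_and_check <workdir>; returns 0 only if every check passes
  d=$1
  cat > "$d/x509.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:saas.example.test
EOF
  # 1. Stand-in internal CA (skip when you already have ca.pem / ca.key).
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$d/x509.cnf" \
    -extensions ca_ext -subj "/CN=Example Internal CA" \
    -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null &&
  # 2. Stand-in for the CSR downloaded from the portal.
  openssl req -new -newkey rsa:2048 -nodes -config "$d/x509.cnf" \
    -subj "/CN=saas.example.test" -keyout "$d/csr.key" -out "$d/saas.csr" 2>/dev/null &&
  # 3. Sign. x509 -req does not copy extensions requested in the CSR by default,
  #    so the SAN comes from leaf_ext above.
  openssl x509 -req -in "$d/saas.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$d/x509.cnf" \
    -extensions leaf_ext -outform PEM -out "$d/saas.pem" 2>/dev/null &&
  # 4. Pre-upload checks: PEM certificate (not a CSR or DER), chains to the CA,
  #    and carries the same public key as the CSR.
  [ "$(head -n 1 "$d/saas.pem")" = "-----BEGIN CERTIFICATE-----" ] &&
  openssl verify -CAfile "$d/ca.pem" "$d/saas.pem" >/dev/null &&
  [ "$(openssl req -in "$d/saas.csr" -noout -pubkey)" = \
    "$(openssl x509 -in "$d/saas.pem" -noout -pubkey)" ]
}

work=$(mktemp -d)
sign_and_check "$work" && echo "signed certificate ready: $work/saas.pem"
```

With a real internal CA, only steps 3 and 4 apply, and the CA private key should stay on the signing host rather than in a shared working directory.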
  
Cloud-hosted
Choose Cloud-hosted certificates if you want the service to create and manage a dedicated SSL CA for you (the CA certificate must be pushed to all internal clients).
•  Go to the Riverbed Cloud Portal and choose cloud-hosted.
•  Download the CA Certificate and install it on every client in the company.
•  In the Riverbed Cloud Portal, request new proxy certificates for each platform hostname.
4. Secure Peering Mode
•  Upload the CA public certificate in the secure peering page if the internal SteelHead appliance peering certificates are CA-signed.
•  Verify on the Riverbed Cloud Portal that the Trust Enterprise SteelHead Peering Certificates check box is selected if the internal SteelHead appliance peering certificates are self-signed.
5. SteelHead appliance
•  Upgrade the SteelHead to RiOS 8.0.3 or later. The All-SaaS/Universal SaaS license requires RiOS 9.1 or later.
•  Ensure that the SteelHead has enough capacity to optimize the extra SaaS connections.
•  Enable INFO level logging to troubleshoot in the event a problem arises.
•  Enable and configure NTP to point to at least two NTP servers that are synced within 1 minute of exact time.
•  Enable and configure DNS settings to point to at least two DNS servers that can resolve Internet names.
•  Enable Simplified Routing All if the in-path gateway is on the WAN side, or use the LAN-side gateway.
•  Enable HTTP optimization.
•  Configure SSL.
–  Check that the SteelHead appliance has an SSL license. If not, apply for one at:
http://sslcert.riverbed.com
–  Check that the SteelHead appliance has a valid SSL peering certificate (self-signed or CA-signed).
–  Enable SSL optimization.
–  Add pass-through in-path rules for internal SSL servers that you do not want to optimize.
–  Remove port 443 from the Secure port label list (the default pass-through in-path rule for secure ports will no longer apply to 443).
–  If using RiOS 9.0 or later, run the following command in case there are clients that do not have the proxy CA certificate installed:
protocol ssl no-data conn-bypass enable
•  For Microsoft Office 365, enable MAPI optimization.
–  Enable MAPI auto-detect Outlook Anywhere.
–  Enable encrypted optimization transparent mode.
–  For RiOS 9.1 and later, enable MAPI/HTTP Down-Negotiate if applicable. To find out if this is applicable to your situation, refer to the following Knowledge Base article:
http://supportkb.riverbed.com/support/index?page=content&id=S26717
•  If testing with only a few clients, it is recommended to configure an in-path rule to perform auto-discovery and cloud acceleration on port 443. The rule should be placed above the pass-through rule that is associated with the secure port label.
•  Enable GeoDNS through the CLI (RiOS 8.6 and later) by using the following command:
service cloud-accel geodns enable
•  Register the SteelHead for SteelHead SaaS optimization with the registration key found on the Riverbed Cloud Portal.
•  Enable Cloud Acceleration.
6. SteelHead appliance authorization
•  Go to the Riverbed Cloud Portal and grant service to the newly configured SteelHead appliance.
7. Enable the SaaS application on both the Riverbed Cloud Portal and the SteelHead SaaS appliance
•  Go to the Riverbed Cloud Portal > SaaS Platforms page and enable Acceleration Service for the SaaS application you want to optimize.
•  In the SteelHead SaaS appliance’s management console, go to Optimization > Cloud Accelerator and enable Acceleration Service for the SaaS application you want to optimize.