This chapter describes how to monitor SaaS Accelerator components and usage. It includes these sections:

You can review the connection activity and status on the appliance on the Reports > Networking: Current Connections page.

For a new cluster, the SaaS application classification for the first connection is not recognized (it does not yet match the in-path rule) and the connection is passed through.

The appliance uses the first connection to classify the application, and the application classification will be recognized for the second connection.

Subsequent connections are recognized and redirected to the SaaS service cluster. The initial connection to each service instance will generate an SSL error while the SaaS service cluster obtains the proxy certificate for the traffic to accelerate.

For SteelHead Mobile, you can review the connection activity and status of clients either from the Endpoint Report on the SteelCentral Controller for SteelHead Mobile or from the Status tab of an individual SteelHead Mobile client.

SteelHead Mobile begins to accelerate SaaS traffic after receiving the updated policy with the SaaS application in-path rule and SaaS Accelerator is enabled. For SteelHead Mobile communication with a new cluster, the first connection is intentionally passed through to classify the application and acceleration begins with the second connection. SteelHead Mobile might encounter SSL errors and pass through traffic until the proxy certificate for the SaaS application is available on the SaaS service cluster.

AppUnits are required for SaaS acceleration, and you need available AppUnits to configure applications for SaaS acceleration.

This dialog box also shows the current assignments for configured SaaS applications.

The SaaS Accelerator Connection Count report shows information about SSL/TLS connections for accelerated applications. Monitor this page to ensure your connection count remains below your connection limit.

The report shows the concurrent SSL/TLS connections count for the selected application. Click the Connection Limit link at the bottom of the chart to display the connection limit based on the user limit specified on the SaaS Accelerator page when you configured the acceleration for the application.

The SaaS Data Usage report shows the amount of SaaS service data used since the SaaS Accelerator feature was licensed.

The SaaS Traffic Summary reports shows the total data reduction provided by SaaS Accelerator since it was configured and lets you filter it by time period. The report also shows the data reduction for each configured SaaS application.

You can filter the results by time period ranging from the last hour to the last year.

The LAN Data column displays the amount of data transferred between the SaaS service cluster and the SaaS servers. The LAN data includes ingress and egress traffic on the SaaS LAN side.

The WAN Data column displays the amount of data transferred between the SaaS service cluster and the client-side appliances. The WAN data includes ingress and egress traffic on the WAN side.

Data Reduction is a percentage based on LAN data compared to WAN data.

From SAM, you can download a compressed archive of log files that shows the history and details of the certificate signing operations for SaaS acceleration. The log includes information for root CA, intermediate CAs, proxy, and peering certificates.

Your browser downloads a ZIP-format archive file to your computer. Depending on your browser configuration, it might prompt you for a location to store the file or simply store the file in your default Downloads folder. The default name for this file is Organization_SaaS Accelerator_CA_Audit_Log.zip where Organization is the short name of your organization.

Opening the archive displays a text file with a name in the format:

where Organization-xxxxxxxxxxxxxxxx identifies your organization. This is the most recent audit log of certificate activity. There might be additional files with a date/time string appended. Each of these files contains audit log records for a previous period up to the date and time in the filename.

Each audit log consists of multiple lines of text that provide you the following details:

When signing certificates for a SaaS Accelerator service instance, the log line includes the Service Endpoint IP address. This enables you to easily correlate proxy certificates with the accelerated SaaS service in case the common name is not self-explanatory.

From the SteelHead, you can use the SaaS Acceleration Status pane to monitor activity. This pane shows all SaaS applications configured for acceleration and shows the status of their in-path rules.

If the In-Path Rule Status is Operational, an in-path rule has been configured for this application. If the In-Path Rule Status is Not Configured, an in-path rule has not been configured. If the feature has been disabled, all SaaS applications display Not Operational.

The SteelHead gets data from SAM every five minutes and shows the time for the displayed data. Click Refresh Data to get the latest information.

From the Mobile Controller, you can use the SaaS Acceleration Status pane to monitor activity. This pane shows all SaaS applications configured for acceleration and the list of policies for which in-path rules have been set up for SaaS acceleration.

The SteelHead Mobile gets data from SAM every five minutes and shows the time for the displayed data. Click Refresh Data Now to get the latest data.

From SAM, you can monitor the status of the SaaS service cluster for each accelerated application. Choose the Configure > SaaS Accelerator page to display the status.

The service status can be one of these values: