CIFS (SMB1)
You can display and modify CIFS optimization feature settings for the selected optimization policy in the CIFS page.
CIFS SMB1 optimization performs latency and SDR optimizations on SMB1 traffic. Without this feature, SteelHeads perform only SDR optimization without improving CIFS latency.
When sharing files, Windows provides the ability to sign CIFS messages to prevent man-in-the-middle attacks. Each CIFS message has a unique signature that prevents the message from being tampered with. This security feature is called SMB signing.
You can enable the RiOS SMB signing feature on a server-side SteelHead to alleviate latency in file access with CIFS acceleration while maintaining message security signatures. With SMB signing on, the SteelHead optimizes CIFS traffic by providing bandwidth optimizations (SDR and LZ), TCP optimizations, and CIFS latency optimizations—even when the CIFS messages are signed.
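The signing check described above, as an added illustration (not Riverbed or Microsoft code) that follows the MD5-based SMB1 calculation documented in MS-CIFS. It shows why a device in the path can only alter signed traffic if it holds the session's signing key. The key, payload and sequence numbers are constructed sample values, and the MAC key is treated as an opaque byte string rather than derived from a real authentication exchange.

```python
import hashlib
import hmac
import struct

SIG_OFFSET, SIG_LEN = 14, 8         # SecuritySignature field in the 32-byte SMB1 header
FLAGS2_OFFSET = 10
FLAGS2_SECURITY_SIGNATURE = 0x0004  # "this message is signed" bit in Flags2


def build_message(payload: bytes) -> bytes:
    """Constructed sample: bare SMB1 header (READ_ANDX) followed by a payload."""
    hdr = bytearray(32)
    hdr[0:4] = b"\xffSMB"
    hdr[4] = 0x2E
    struct.pack_into("<H", hdr, FLAGS2_OFFSET, FLAGS2_SECURITY_SIGNATURE)
    return bytes(hdr) + payload


def compute_signature(mac_key: bytes, message: bytes, seq: int) -> bytes:
    """MD5(key || message), with the sequence number placed in the signature field."""
    buf = bytearray(message)
    struct.pack_into("<II", buf, SIG_OFFSET, seq, 0)
    return hashlib.md5(mac_key + bytes(buf)).digest()[:SIG_LEN]


def sign(mac_key: bytes, message: bytes, seq: int) -> bytes:
    sig = compute_signature(mac_key, message, seq)
    return message[:SIG_OFFSET] + sig + message[SIG_OFFSET + SIG_LEN:]


def verify(mac_key: bytes, message: bytes, seq: int) -> bool:
    received = message[SIG_OFFSET:SIG_OFFSET + SIG_LEN]
    return hmac.compare_digest(received, compute_signature(mac_key, message, seq))


def demo() -> dict:
    key = bytes(range(16))            # constructed session key
    signed = sign(key, build_message(b"read-ahead data"), seq=2)
    altered = signed[:-4] + b"DATA"   # an in-path device rewrites the payload
    return {
        "intact": verify(key, signed, 2),
        "altered": verify(key, altered, 2),
        "wrong_sequence": verify(key, signed, 4),
        "resigned_without_key": verify(key, sign(bytes(16), altered, 2), 2),
        "resigned_with_key": verify(key, sign(key, altered, 2), 2),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:22} {'accepted' if ok else 'rejected'}")
```

Only the last case is accepted after modification, which is why the server-side SteelHead has to become part of the Windows trust domain before it can optimize signed sessions.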
RiOS 8.5 and later include support for optimizing SMB3-signed traffic for native SMB3 clients and servers. You must enable SMB3 signing if the client or server uses any of these settings:
•  SMB2/SMB3 signing set to required. SMB3 signing is enabled by default.
•  SMB3 secure dialect negotiation (enabled by default on the Windows 8 client).
•  SMB3 encryption.
RiOS 6.5 and later include support for optimizing SMB2-signed traffic for native SMB2 clients and servers. SMB2 signing support includes:
•  Windows domain integration, including domain join and domain-level support.
•  Authentication using transparent mode and delegation mode. Delegation mode is the default for SMB2. Transparent mode works out of the box with Windows Vista (but not Windows 7). To use transparent mode with Windows 7, you must join the server-side SteelHead as an Active Directory integrated (Windows 2003) or an Active Directory integrated (Windows 2008 and later).
•  Secure inner-channel SSL support.
Domain security
The RiOS SMB signing feature works with Windows domain security and is fully compliant with the Microsoft SMB signing version 1, version 2, and version 3 protocols. RiOS supports domain security in both native and mixed modes for:
•  Windows 2000
•  Windows 2003 R2
•  Windows 2008
•  Windows 2008 R2
The server-side SteelHead in the path of the signed CIFS traffic becomes part of the Windows trust domain. The Windows domain is either the same as the domain of the user or has a trust relationship with the domain of the user. The trust relationship can be either a parent-child relationship or an unrelated trust relationship.
RiOS optimizes signed CIFS traffic even when the logged-in user or client machine and the target server belong to different domains, provided these domains have a trust relationship with the domain the SteelHead has joined. RiOS supports delegation for users that are in domains trusted by the server's domain. The trust relationships include:
•  A basic parent and child domain relationship. Users from the child domain access CIFS/MAPI servers in the parent domain. For example, users in ENG.RVBD.COM accessing servers in RVBD.COM.
•  A grandparent and child domain relationship. Users from the grandparent domain access resources from the child domain. For example, users from RVBD.COM accessing resources in DEV.ENG.RVBD.COM.
•  A sibling domain relationship. For example, users from ENG.RVBD.COM access resources in MARKETING.RVBD.COM.
Authentication
The process RiOS uses to authenticate domain users depends upon its version.
RiOS features these authentication modes:
•  NTLM transparent mode - Uses NTLM authentication end to end between the client-side and server-side SteelHeads and the server-side SteelHead and the server. This is the default mode for SMB1 and SMB2/3 signing starting with RiOS 9.6. Transparent mode in RiOS 6.1 and later supports all Windows servers, including Windows 2008 R2, that have NTLM enabled. We recommend using this mode.
•  NTLM delegation mode - Uses Kerberos delegation architecture to authenticate signed packets between the server-side SteelHead and any configured servers participating in the signed session. NTLM is used between the client-side and server-side SteelHead. SMB2 delegation mode in RiOS 6.5 and later supports Windows 7 and Samba 4 clients. Delegation mode requires additional configuration of Windows domain authentication.
•  Kerberos authentication support - Uses Kerberos authentication end to end between the client-side and server-side SteelHead and the server-side SteelHead and the server. Kerberos authentication requires additional configuration of Windows domain authentication.
Transparent mode in RiOS 6.1 and later doesn’t support:
•  Windows 7 clients. RiOS 7.0 and later support transparent mode when you join the server-side SteelHead as an Active Directory integrated (Windows 2008) or an Active Directory integrated (Windows 2008).
•  Windows 2008 R2 domains that have NTLM disabled.
•  Windows servers that are in domains with NTLM disabled.
•  Windows 7 clients that have NTLM disabled.
You can enable extra security using the secure inner channel. The peer SteelHeads using the secure channel encrypt signed CIFS traffic over the WAN.
For detailed information about configuring Windows domains and prerequisites for enabling SMB signing, see the SteelHead User Guide for SteelHead CX.
Important: You must restart the client appliance optimization service after enabling SMB1 latency optimization.
Settings
Complete the configuration as described in this table.
Control
Description
Enable Latency Optimization
Enables SMB1 optimized connections for file opens and reads. Latency optimization is the fundamental component of the CIFS module and is required for base optimized connections for file opens and reads. Although latency optimization incorporates several hundred individual optimized connection types, the most frequent type of file opens is where exclusive opportunistic locks have been granted, and read-ahead operations are initiated on the file data. RiOS optimizes the bandwidth used to transfer the read-ahead data from the server side to the client side.
This is the default setting.
Only clear this check box if you want to disable latency optimization. Typically, you disable latency optimization to troubleshoot problems with the system.
Note: Latency optimization must be enabled (or disabled) on both SteelHeads. You must restart the optimization service on the client-side SteelHead after enabling latency optimization.
Disable Write Optimization
Prevents write optimization. If you disable write optimization, the SteelHead still provides optimization for CIFS reads and for other protocols, but you might experience a slight decrease in overall optimization.
Select this control only if you have applications that assume and require write-through in the network.
Most applications operate safely with write optimization because CIFS allows you to explicitly specify write-through on each write operation. However, if you have an application that doesn’t support explicit write-through operations, you must disable it in the SteelHead.
If you don’t disable write-through, the SteelHead acknowledges writes before they’re fully committed to disk, to speed up the write operation. The SteelHead doesn’t acknowledge the file close until the file is safely written.
Optimize Connections with Security Signatures (that do not require signing)
Prevents Windows SMB signing. This is the default setting.
This feature automatically stops Windows SMB signing. SMB signing prevents the SteelHead from applying full optimization on CIFS connections and significantly reduces the performance gain from a SteelHead deployment. Because many enterprises already take additional security precautions (such as firewalls, internal-only reachable servers, and so on), SMB signing adds minimal additional security at a significant performance cost (even without SteelHeads).
Before you enable this control, consider these factors:
•  If the client-side machine has Required signing, enabling this feature prevents the client from connecting to the server.
•  If the server-side machine has Required signing, the client and the server connect but you can’t perform full latency optimization with the SteelHead. Domain Controllers default to Required.
Note: If your deployment requires SMB signing, you can optimize signed CIFS messages using the Enable SMB Signing feature.
For details about SMB signing and the performance cost associated with it, see the SteelHead Deployment Guide - Protocols.
Enable Dynamic Write Throttling
Enables the CIFS dynamic throttling mechanism that replaces the current static buffer scheme. When there’s congestion on the server side of the optimized connection, dynamic write throttling provides feedback to the client side, allowing the write buffers to be used more dynamically to smooth out any traffic bursts. We recommend that you enable dynamic write throttling because it prevents clients from buffering too much file-write data.
This is the default setting.
If you enable CIFS dynamic throttling, it’s activated only when suboptimal conditions on the server side cause a backlog of write messages; it doesn’t have a negative effect under normal network conditions.
Enable Applock Optimization
Enables CIFS latency optimizations to improve read and write performance for Microsoft Word (.doc) and Excel (.xls) documents when multiple users have the file open. This setting is enabled by default in RiOS 6.0 and later.
This control enhances the Enable Overlapping Open Optimization feature by identifying and obtaining locks on read-write access at the application level. The overlapping open optimization feature handles locks at the file level.
Enable the applock optimization feature on the client-side SteelHead.
Enable Print Optimization
Improves centralized print traffic performance. For example, when the print server is located in the data center and the printer is located in the branch office, enabling this option speeds the transfer of a print job spooled across the WAN to the server and back again to the printer. By default, this setting is disabled.
Enable this control on the client-side SteelHead. Enabling this control requires an optimization service restart.
This option supports Windows XP (client), Vista (client), Windows 2003 (server), and Windows 2008 (server).
Both the client-side and server-side SteelHead must be running RiOS 6.0 or later.
This feature doesn’t improve optimization for a Windows Vista client printing over a Windows 2008 server, because this client and server pair uses a different print protocol.
Overlapping open optimization (advanced)
You can configure the client-side SteelHead with overlapping open optimization.
Complete the configuration as described in this table.
Control
Description
Enable Overlapping Open Optimization
Enables overlapping opens to obtain better performance with applications that perform multiple opens on the same file (for example, CAD applications). By default, this setting is disabled.
Enable this setting on the client-side SteelHead.
 
With overlapping opens enabled, the SteelHead optimizes data where exclusive access is available (in other words, when locks are granted). When an oplock isn’t available, the SteelHead doesn’t perform application-level latency optimizations but still performs SDR and compression on the data as well as TCP optimizations.
Note: If a remote user opens a file that is optimized using the overlapping opens feature and a second user opens the same file, they might receive an error if the file fails to go through a SteelHead (for example, certain applications that are sent over the LAN). If this occurs, disable overlapping opens for those applications.
Use the radio buttons to set either an include list or exclude list of file types subject to overlapping open optimization.
Optimize only these extensions
Specify a list of extensions you want to include in overlapping open optimization.
Optimize all except these extensions
Specify a list of extensions you don’t want to include. For example, specify any file extensions that Enable Applock Optimization is being used for.
SMB settings
Complete the configuration as described in this table.
Control
Description
Enable SMB Signing
Enables CIFS traffic optimization by providing bandwidth optimizations (SDR and LZ), TCP optimizations, and CIFS latency optimizations, even when the CIFS messages are signed. By default, this control is disabled. You must enable this control on the server-side SteelHead.
Note: If you enable this control without first joining a Windows domain, a message tells you that the SteelHead must join a domain before it can support SMB signing.
NTLM Transparent Mode
Provides SMB1 signing with transparent authentication. The server-side SteelHead uses NTLM to authenticate users. Select transparent mode with Vista for the simplest configuration. You can also use transparent mode with Windows 7, provided that you join the server-side SteelHead as an Active Directory integration.
NTLM Delegation Mode
Re-signs SMB signed packets using the Kerberos delegation facility. This setting is enabled by default when you enable SMB signing. Delegation mode is required for Windows 7, but works with all clients (unless the client has NTLM disabled).
Delegation mode requires additional configuration. Choose Optimization > Active Directory: Service Accounts or click the link provided in the CIFS Optimization page.
Enable Kerberos Authentication Support
Provides SMB signing with end-to-end authentication using Kerberos. The server-side SteelHead uses Kerberos to authenticate users.
In addition to enabling this feature, you must also join the server-side SteelHead to a Windows domain and add replication users on the Optimization > Active Directory: Auto Config page.
The server-side SteelHead must be running RiOS 7.0.x or later. The client-side SteelHead must be running RiOS 5.5 or later.
No configuration is needed on the client-side SteelHead.
If you want to use password replication policy (PRP) with replication users, Kerberos authentication requires additional replication user configuration on the Windows 2008 Domain Controller.
Apply
Applies your settings.