Configuring SaaS Acceleration
You configure SaaS acceleration through the SaaS Accelerator Manager (SAM) as well as the client-side appliance. After you configure the environment, you configure applications for SaaS acceleration. SAM simplifies the process of configuring applications for acceleration by grouping related applications, such as those in Microsoft Office 365, into bundles. You configure one in-path rule for the bundle, and the rule applies to all applications in the bundle.
This chapter includes these sections:
Before you begin
Before you begin, ensure you have a license for the SaaS Accelerator and your environment meets these requirements:
• SteelHead requires version 9.8.1a software or later.
• SteelFusion Edge requires version 6.0.2 or later.
• Client Accelerator Controller (Client Accelerator) requires version 6.1.1a or later.
• SteelCentral Controller for SteelHead (SCC) requires version 9.9.1 or later.
Licensing SaaS Accelerator Manager for SaaS Accelerator
When you purchase SaaS Accelerator, Riverbed emails you a license token that you need to redeem through SaaS Accelerator Manager (SAM).
To install your licenses for SaaS acceleration
1. Log in to the SAM that will manage the SaaS acceleration.
2. Choose Configure > Licenses and click Redeem Token.
The Redeem Token dialog box appears.
3. Enter the token and click Submit.
The SaaS Accelerator pages are now available, and you can review your license details on the Configure > Licenses page. Click the license serial number to show the details.
Configuring SSL optimization
SSL optimization is required for SaaS acceleration, and you need to generate a certificate authority (CA) certificate before you can configure applications for SaaS acceleration.
SAM uses the CA certificate to automatically generate proxy certificates, which SAM pushes to the SaaS service cluster. Your client systems must establish a trust relationship with the proxy certificates.
You can configure two types of CA certificates:
• Riverbed managed - Use the Riverbed-managed CA to generate a root certificate authority (RCA) certificate. You must download or copy the certificate and deploy it to the Trusted Root Certification Authorities certificate store on your client systems. After the RCA certificate is deployed, the RCA then automatically generates trusted certificates to sign optimized TLS/SSL traffic.
This is the default configuration.
• Customer managed - Use SAM to generate a certificate signing request (CSR), which you use to obtain an intermediate certificate authority (ICA) certificate. After the ICA is signed by your organization’s CA, upload it to SAM. Your client systems should already have an established trust relationship with your CA.
We recommend this configuration if your organization has its own internal CA.
SAM users with read-only permissions are not allowed to generate certificates or configure SaaS acceleration.
Only one certificate can be active at any given time. If you have multiple certificates, however, you can switch between them.
To generate an RCA certificate using the Riverbed-managed CA
1. In SAM, choose Configure > SSL Optimization and select the Certificate Authority tab.
2. Select the Riverbed Managed tab and then click Generate Root CA.
The Generate Root CA Certificate dialog box appears.
3. Provide the following information.
Field | Description |
Common name | Specify a common name for the root CA certificate. |
Organization | Optionally, specify the organization name (for example, the company). |
Organizational unit | Optionally, specify the organizational unit name (for example, the section or department). |
Locality | Optionally, specify the city. |
State | Optionally, specify the state. |
Country | Optionally, specify the country (2-letter code only). |
Email address | Optionally, specify the email address of the contact person. |
RSA cipher bits | Select the key length from the drop-down list. The default value is 2048. |
Validity period (RCA only) | Specify how many days the root CA certificate is valid. The default value is 730 days (two years). |
4. Click Submit.
SAM creates the root CA certificate.
If there are no active certificates, then it automatically becomes the active certificate. If you want to switch from one certificate to another, see
To change certificates.
5. Copy or download the root CA certificate from SAM and install it in end-user client systems.
An active root certificate authority (RCA) enables clients to accelerate SaaS traffic when SaaS applications are configured on the SaaS Accelerator page. The root CA certificate needs to be deployed into the Trusted Root Certification Authority certificate store on your clients and then your clients can automatically use certificates issued by this trusted root CA to accelerate encrypted SaaS traffic.
To generate an ICA certificate using your organization’s CA
1. In SAM, choose Configure > SSL Optimization and select the Certificate Authority tab.
2. Select the Customer Managed tab and then click Generate CSR Certificate.
The Generate CSR dialog box appears.
4. Click Submit.
5. SAM creates the CSR.
6. Select the CSR to view its details.
7. Copy or download the CSR.
8. Submit the CSR to your organization’s certificate authority (CA) to obtain an intermediate certificate authority (ICA) certificate.
The ICA certificate requires the basic constraint CA:true.
9. In SAM, choose Configure > SSL Optimization and select the Certificate Authority tab and then select the Customer Managed tab.
10. Click Click here to upload the signed CA.
The Upload ICA dialog box appears.
11. Choose an upload method:
– Upload Certificate File (PEM format only)
– Paste Certificate Text (PEM format only)
12. Click Upload.
To change certificates
1. Ensure that you have deployed the RCA from SAM to end-user client systems.
2. In SAM, choose Configure > SSL Optimization and select the Certificate Authority tab and then select the tab with the currently active certificate (Riverbed Managed or Customer Managed).
3. Select the active certificate and click Off under Status.
4. Select the tab (Riverbed Managed or Customer Managed) with the certificate you want to activate and click On under Status.
To delete a certificate
1. In SAM, choose Configure > SSL Optimization.
2. Select the certificate or CSR and select Actions > Delete CA/CSR.
You are prompted to confirm this action.
3. Click Confirm.
The root CA certificate or CSR is removed from the system and new SaaS connections will not be accelerated.
Configuring SaaS applications for acceleration
After you have licensed the SaaS Accelerator and configured SSL optimization, you can set up acceleration for SaaS applications.
To configure individual SaaS applications for acceleration
1. In SAM, choose Configure > SaaS Accelerator and click Accelerate Application.
The Accelerate Application pane appears.
2. Select the application you want to accelerate.
3. Select the region from the drop-down list.
For best performance, select the region closest to the data for the SaaS application. Once you deploy to a specific region, you cannot change it unless you delete the deployed application and set it up again with a different region.
Some applications do not require you to select a region.
4. Enter the number of users for this application.
Each application has a minimum and maximum number of users. SAM provides guidelines for the limits as you type numbers in the field.
SAM uses the number of users to calculate the capacity of service instances in the SaaS service cluster based on the type of application.
SAM calculates the user limit based on the number of users, the application, and the available AppUnits.
We recommend that you carefully select the number of users for your business needs. Once deployed, you can change the number of users; however, when you change the number of users, the acceleration feature is unavailable for up to 30 minutes while the service cluster updates.
5. Click Submit.
This creates the SaaS service cluster dedicated to accelerating traffic for this application.
Deployment can take up to 20 minutes, and you cannot edit the configuration while the configuration is in process.
When deployed, you see the SaaS application, the service endpoint, the service TCP Ports, and service status. The service status appears as a green check mark when deployed and ready for acceleration.
6. As needed, open ports 7810 through 7830 for the service endpoint IP address on your firewall.
The SaaS service cluster and client-side appliances need to be able to connect to this location.
To configure an application bundle for acceleration
For Microsoft applications, you may need to perform some additional steps. See
Configuring Microsoft Teams and Microsoft Stream.1. In SAM, choose Configure > SaaS Accelerator and click Accelerate Application.
The Accelerate Application pane appears.
2. Scroll down to the Bundle Applications section and select an application bundle.
A deployment wizard appears.
3. Select applications to add to the bundle and click Next.
4. Specify application details such as the region where you want it deployed. If the application has already been deployed as a standalone application, you can add its allocated users to the bundle by using the slider.
5. Click Next to advance to the details for next application.
6. Click Next and specify the number of users you want to allocate to each application.
7. Click Next and review the bundle deployment summary.
8. Click Submit to deploy the bundle.
When deployed, the bundle appears under the Deployed bundles section of the SaaS Accelerator page. Details such as number of users, applications in the bundle, and status are visible. The service status appears as a green check mark when deployed and ready for acceleration.
To stop SaaS acceleration for an application or an application bundle
When you terminate SaaS acceleration for an application or bundle, you remove the SaaS service cluster that was deployed in the cloud to support the acceleration.
1. Choose Configure > SaaS Accelerator and click the application you want to stop accelerating.
2. From the Actions drop-down list, select Terminate SaaS (bundle) acceleration.
3. When prompted, click Confirm.
Configuring Microsoft Teams and Microsoft Stream
Configuring SaaS acceleration for Microsoft Teams and Microsoft Stream requires some additional steps. You will need to authorize Riverbed as an enterprise content delivery network (eCDN) provider through your Microsoft O365 account. To do that, your O365 account must have administrator privileges.
When first deployed, this application has a one-month minimum lock-in period. During the lock-in period, you cannot undeploy the application or decrease the number of users; however, you can increase the number of users.
To configure Microsoft Teams and Microsoft Stream for acceleration
1. In your firewall settings, whitelist these two static Microsoft Teams and Microsoft Stream IP addresses: 162.159.135.83 and 162.159.136.83.
2. In SAM, choose Advanced Config > Riverbed eCDN tab.
3. Click Log in to Microsoft Office 365.
Ensure that the O365 account you use to log in has administrator privileges.
4. After you have authorized Riverbed as an eCDN, return to the SaaS Accelerator page in SAM.
6. After the Microsoft Teams and Microsoft Stream is listed on the SaaS Accelerator page with a green check mark under Service Status, select the application.
The application details screen is displayed.
7. In the application details screen, select the Settings tab.
8. For each application that you want to activate, click View.
Setup instructions are displayed for the selected application.
9. Follow the setup instructions.
10. To verify your configuration, generate SaaS traffic and view the results in the Reports section in SAM.
Configuring SaaS acceleration on the client-side appliance
When you have configured SAM for SaaS acceleration, you can configure client-side appliances.
To configure a client-side appliance for acceleration
1. In SAM, choose Configure > SaaS Client Appliances and copy the registration token.
2. On the appliance, choose Optimization > SaaS: SaaS Accelerator and add these values:
– SaaS Accelerator Manager Hostname.
– SaaS Accelerator Manager Port. The client-side appliance uses port 3900 from the primary interface to communicate with SAM and the port needs to be open on the branch firewall. The field for the port number is editable but we recommend not changing the value.
– Registration Token. Paste the registration token you copied in the previous step into this field.
3. Click Register.
When the registration process completes, the registration details and a helpful list of remaining configuration tasks appear on the page. Completed tasks are prefaced by a check mark.
A new SaaS Acceleration section appears on the page, and you can view the current status and monitor acceleration status.
4. Enable SSL optimization on the appliance.
Choose Optimization > SSL Main Settings, and in the General SSL Settings area select Enable SSL Optimization and click Apply.
5. In SAM, move this appliance to the whitelist.
Newly added appliances always appear on the graylist in the Access List column. You need to move their status to the whitelist to allow acceleration.
– Choose Configure > Client Appliances and select the appliance serial number to display the details pane.
– Under Access List, select Whitelist from the Access list drop-down list and click
Submit. For more information, see
Controlling appliance access.
6. Enable SaaS acceleration on this client-side appliance. Choose Optimization > SaaS: SaaS Accelerator, select Enable Acceleration, and click Apply.
7. Add an in-path rule to accelerate SaaS applications.
The in-path rule is application, or application bundle, based and lets the client-side appliance connect to the service endpoint of the SaaS service cluster deployed for the selected application.
For more information about in-path rules, see the SteelHead User Guide.
8. Click Save to Disk.
9. Verify the configuration by generating SaaS traffic.
To add an in-path rule on a client-side appliance
1. In the client-side appliance GUI, choose Optimization > Network Services: In-Path Rules.
2. Click Add a New In-Path Rule.
3. For the Source subnet, select All IPv4.
4. For the Destination Subnet, select SaaS Application.
A second menu appears to the right.
5. In the second menu, select a SaaS application, or application bundle, for acceleration.
Only applications and application bundles set up for SaaS acceleration on SAM appear in the list.
6. Click Add.
Pausing and Canceling SaaS acceleration on client-side appliances
Canceling SaaS acceleration for an appliance entails deregistering the appliance from SAM, which removes appliance-related peering certificates and in-path rules. Pausing acceleration does not remove configuration settings, so you can easily restore the service when you want.
To pause SaaS acceleration on client-side appliances
1. On the appliance, choose Optimization > SaaS: SaaS Accelerator.
2. Clear the Enable Acceleration check box and click Apply.
When paused, all related in-path rules are ignored.
To cancel SaaS acceleration on client-side appliances
1. On the appliance, choose Optimization > SaaS: SaaS Accelerator.
2. Click Deregister.
SaaS acceleration is canceled for this appliance and acceleration-related settings, including in-path rules, are removed.
As another option, you can move the appliance to the blacklist on SAM. When you move an appliance to the blacklist, SAM removes the peering CA that it uploaded from the appliance and stops acceleration. For details, see
Controlling appliance access.Configuring SaaS acceleration on multiple appliances using SCC
In SCC 9.9.1 and later, you can configure SaaS acceleration on managed appliances. SaaS Accelerator requires a license, which is installed on SAM.
We strongly recommend that you configure and push SaaS acceleration policies from an SCC to the managed appliances, particularly in large-scale deployments and production networks with multiple appliances.
To accelerate SaaS application traffic using your managed appliances, register your SCC with an SAM that is set up for SaaS acceleration. After registering the SCC with SAM, register selected appliances or a group of appliances with SAM.
To configure multiple appliances for SaaS acceleration using SCC
1. On SAM, choose Configure > Client Appliances and copy the registration token.
2. On the SCC, choose Administration > SaaS: SaaS Accelerator Manager Registration and add these values:
– SaaS Accelerator Manager Hostname.
– SaaS Accelerator Manager Port. The SCC uses port 3900 to communicate with SAM, and the port needs to be open on the firewall. The field for the port number is editable but we do not recommend changing the value.
– Registration Token. Paste t he registration token you copied in
Step 1 to this field.
3. Click Register.
When the registration process completes, the registration details appear on the page.
A new SaaS Acceleration Status section also appears on the page where you can view the current access list status and a list of applications set up for SaaS acceleration on SAM.
4. On SAM, move this SCC to the whitelist.
Newly added appliances always appear on the graylist in the Access List column. You need to change their status to the whitelist to allow acceleration.
You can safely ignore the “No certificates uploaded” error message appearing in the Peering Certificates Status column for the SCC appliance. To accelerate SaaS application traffic, only peering certificates for managed appliances are uploaded to SAM when the appliances register with SAM. Peering certificates allow a client-side appliance to establish trust relationship and peer with a SaaS service cluster to accelerate the SaaS traffic.
– Choose Configure > Client Appliances and click the appliance serial number to display the details panel.
– Under Access List, select Whitelist from the Access List drop-down menu and click Submit.
Without moving the SCC to the whitelist on SAM, you cannot push a policy with in-path rules for SaaS applications from the SCC to the managed appliances. For more details about the access lists, see
Controlling appliance access.
Figure 3‑1. Moving an appliance to the whitelist on SAM
5. On the SCC, choose Administration > SaaS: SaaS Accelerator Manager Registration and click Refresh Data under the SaaS Acceleration Status section. Make sure the access list status of the SCC is Whitelist. You can also view a list of applications set up for SaaS acceleration on SAM and their respective service endpoints.
If you set up new applications for SaaS acceleration on SAM, perform
Step 5 on the
SCC to view the latest list of SaaS applications set up for acceleration.
6. Register client-side appliances with SAM.
If you plan to use SCC policies to accelerate SaaS application traffic, make sure the SCC and the managed appliances are registered with the same SAM. After registering the SCC with SAM, register the selected appliances or a group of appliances with SAM.
– Choose Manage > Topology: Appliances and select appliances, or a group of appliances, you plan to register with SAM.
– Click Appliance Operations, and select SaaS Accelerator Manager Registration from the Choose an operation to perform on the selected groups and appliances drop-down list.
– Select Register, make sure you have the latest registration token from SAM in the Registration Token text field and click Apply.
The client-side appliances use port 3900 to communicate with SAM and the port needs to be open on the branch firewall. The field for the port number is editable but we do not recommend changing the value.
For more details about registering appliances with SAM using SCC, see the SteelCentral Controller for SteelHead User Guide.
7. Move the appliances to the whitelist on SAM.
Newly added appliances always appear on the graylist in the Access List column. You need to change their status to the whitelist to allow acceleration. For details about moving an appliance to the whitelist, see
Step 4. For more information about the access lists, see
Controlling appliance access.
8. Enable SSL optimization in the SCC policies that include SaaS acceleration.
– Choose Manage > Services: Policies, open the policy, and click + Add/Remove Pages.
– Under Optimization, select SSL Main Settings and click Apply.
– In the Editing Policy page, click SSL Main Settings, click Include to include the policy, select Enable SSL optimization, and click Apply.
For more details, see the SteelCentral Controller for SteelHead User Guide.
9. Enable SaaS acceleration in the SCC policies to configure SaaS acceleration for groups of appliances.
– Choose Manage > Services: Policies, open the policy, and click + Add/Remove Pages.
– Under Optimization, select SaaS Accelerator and click Apply.
– In the Editing Policy page, click SaaS Accelerator, click Include to include the policy, select Enable Acceleration, and click Apply.
10. Add an in-path rule to each policy for which you want SaaS acceleration enabled.
In RiOS 9.9.1, you need to configure a unique in-path rule for each application. In RiOS 9.9.2 and later, related applications are grouped into application bundles and you configure just one in-path rule for the bundle.
The in-path rule associates the IP address of the SaaS service cluster in the cloud (supplied by SAM) with the accelerated application or application bundle.
– Choose Manage > Services: Policies, open the policy, and click + Add/Remove Pages.
– Under Optimization, select In-Path Rules and click Apply.
– In the Editing Policy page, click In-Path Rules, click Include to include the policy, and click Add a New In-Path Rule to expand the page.
– For the Source Subnet, select IPv4 or All IPv4.
– For the Destination Subnet, select SaaS Application.
– A second drop-down list appears to the right. In the second drop-down list, select a SaaS application for acceleration and click Add.
Only applications set up for SaaS acceleration on SAM appear in the list.
For more details, see the SteelCentral Controller for SteelHead User Guide.
11. Click Save to Disk to save your settings permanently.
Pausing and Canceling SaaS acceleration on SCC
Canceling SaaS acceleration for an appliance entails deregistering the appliance from SAM, which removes appliance-related peering certificates and in-path rules. Pausing acceleration does not remove configuration settings, so you can easily restore the service when you want.
To pause SaaS acceleration on managed appliances on SCC
1. On the SCC, choose Manage > Services: Policies and open the policy.
2. In the Editing Policy page, click SaaS Accelerator, clear the Enable Acceleration check box, and click Apply.
3. Apply the updated policy to the respective appliances.
When paused, all related in-path rules are ignored.
To cancel SaaS acceleration on selected appliances on SCC
1. On the SCC, choose Manage > Topology: Appliances and select appliances, or a group of appliances, you plan to deregister with SAM.
2. Click Appliance Operations, and select SaaS Accelerator Manager Registration from the Choose an operation to perform on the selected groups and appliances drop-down list.
3. Click Deregister.
SaaS acceleration is canceled for the selected appliances and acceleration-related settings, including in-path rules, are removed.
As another option, you can move the appliances to the blacklist on SAM. When you move an appliance to the blacklist, SAM removes the peering CA that it uploaded from the appliance and stops acceleration. For details, see
Controlling appliance access.Configuring SaaS acceleration on Client Accelerator
When you have configured SAM for SaaS acceleration, you can configure the Client Accelerator and create an endpoint policy to accelerate Client Accelerator endpoint SaaS traffic.
To configure the Client Accelerator Controller for SaaS acceleration
1. In SAM, choose Configure > Client Appliances and copy the registration token.
2. On the Client Accelerator Controller, choose Configure > SaaS Accelerator and add these values:
– SaaS Accelerator Manager Hostname or IP Address.
– SaaS Accelerator Manager Port. The Client Accelerator uses port 3900 from the primary interface to communicate with SAM, and the port needs to be open on the branch firewall. The field for the port number is editable but we do not recommend changing the value.
– Registration Token. Paste the registration token you copied in Step 1 into this field.
3. Click Register.
4. In SAM, move this Client Accelerator Controller to the whitelist.
Newly added appliances appear on the graylist in the Access List column.
Figure 3‑2. Moving an appliance to the whitelist
– Choose Configure > Client Appliances and click the serial number of the Client Accelerator Controller to display the details pane.
– Under Access List, select Whitelist from the Access list drop-down list and click Submit.
You cannot enable SaaS acceleration without moving the Client Accelerator Controller to the whitelist. In SAM, if a Client Accelerator Controller is moved from the whitelist to the blacklist, SaaS acceleration stops working. For more information about the access lists, see
Controlling appliance access.
5. Enable SaaS acceleration on the Client Accelerator Controller. Choose Configure > SaaS Accelerator and in the Configure SaaS Acceleration section, select Enable Acceleration and click Apply.
When you click Apply, be patient. It can take several minutes to start acceleration.
6. Enable SSL optimization on the Client Accelerator Controller policies that include SaaS acceleration.
Choose Manage > Policies and open the policy and select the SSL tab. Then select Enable SSL Optimization.
You cannot enable SaaS acceleration without enabling SSL. If SSL was disabled after SaaS acceleration was enabled, SaaS acceleration will stop working.
For details, see the Client Accelerator User Guide.
7. On the Client Accelerator Controller, add an in-path rule to each policy for which you want SaaS acceleration enabled.
The in-path rule is application based and lets the Client Accelerator Controller connect to the service endpoint of the SaaS service cluster deployed for the selected application.
– Choose Manage > Policies and select the In-Path Rules tab and click Add a New In-Path Rule.
– For the Destination Subnet, select SaaS Application.
– A second menu appears to the right. In the second menu, select a SaaS application for acceleration. Only applications set up for SaaS acceleration on SAM appear in the list.
– Click Add.
See the Client Accelerator User Guide for more information.
8. Enable SaaS acceleration in a policy to configure SaaS acceleration for groups of Client Accelerator endpoints. Choose Manage > Policies and open a policy to configure and select the SaaS Acceleration tab.
A helpful list of remaining configuration tasks appears on the page. Completed tasks are prefaced by a check mark.
Select Enable SaaS Acceleration and click Update Policy.
You cannot enable SaaS acceleration in a policy without enabling SaaS acceleration in the Client Accelerator Controller.
9. Click Save to Disk to save your settings permanently.
To verify, generate SaaS traffic. For details about monitoring the first connections, see
Monitoring initial SaaS traffic.Pausing and Canceling SaaS acceleration on the Client Accelerator
Canceling SaaS acceleration on endpoints on the Client Accelerator Controller entails deregistering the Client Accelerator Controller from SAM, which removes Client Accelerator Controller-related peering certificates and in-path rules. Pausing acceleration does not remove configuration settings, so you can easily restore the service when you want.
To pause acceleration on managed endpoints on the Client Accelerator Controller
1. On the Client Accelerator Controller, choose Configure > SaaS Accelerator.
2. Clear the Enable Acceleration check box and click Apply.
When cleared, all related in-path rules are ignored.
To cancel acceleration on managed endpoints on the Client Accelerator Controller
1. On the Client Accelerator Controller, choose Configure > SaaS Accelerator.
2. Click Deregister. This deregisters the appliance from SAM and removes all related in-path rules.
SaaS acceleration is canceled and acceleration-related settings, including in-path rules, are removed.
As another option, you can move the Client Accelerator to the blacklist on SAM. When you move an appliance to the blacklist, SAM removes the peering CA that it uploaded from the appliance and stops acceleration. For details, see
Controlling appliance access.Controlling appliance access
When a client-side appliance registers with SAM, the appliance is added to the access list on the SaaS Accelerator Client Appliances page. An entry appears in the peering list with the appliance serial number, access list status, peering certificate status, date of last contact, and notes. The access lists are designated by these categories:
• Graylist - Indicates an appliance of unknown status. This list serves as a temporary holding place for all registered appliances that are attempting to establish SaaS acceleration. You can move these appliances to the whitelist or blacklist, but you cannot move appliances to the graylist.
• Whitelist - Indicates a trusted appliance. When you move an appliance to the whitelist, the appliance’s peering certificate is copied to the SaaS service cluster and other peer appliances. Once an appliance has been whitelisted, subsequent peering CA uploads automatically replace the older peering CA and changes are pushed out to the SaaS service cluster and SAM managed appliances.
• Blacklist - Indicates untrusted appliances. When you select blacklist for a peer in a whitelist or graylist, SAM removes the peering CA that it uploaded from the appliance and stops acceleration. You can move appliances between the whitelist and the blacklist. (Note: Connections are expected to fail for approximately an hour when moved from the blacklist to the whitelist.)
When you have configured appliances to use the SaaS acceleration service, you need to move those systems to the whitelist on SAM to indicate trust and allow acceleration.
To change the access list status for an appliance
1. In SAM, choose Configure > Client Appliances.
2. Select the row for the appliance to change.
The appliance settings pane appears.
Figure 3‑3. Changing access list status
3. From the Access list drop-down list, select the type of list for the appliance.
4. Click Submit.
Resizing a SaaS service cluster
In SAM, you can add user capacity to a SaaS service cluster. The service endpoint remains unchanged when you resize the cluster. However, resizing does clear the cache, and proxy and peer certificates are automatically resigned.
A resize operation can take up to 30 minutes. SaaS traffic continues to be accelerated during this time.
To resize a SaaS service cluster
1. Choose Configure > SaaS Accelerator and select the application row.
The application settings pane appears.
2. In the application settings, change the number of users.
Deleting appliances from SAM
If you no longer want an appliance to be part of your SaaS acceleration service, you can permanently remove an appliance from the SAM configuration. This is a permanent alternative to blacklisting.
The preferred method is to deregister from the client appliance. When you do this, SAM automatically removes the appliance and updates its configuration.
To delete an appliance from SAM
1. Choose Configure > Client Appliances and select the appliance row.
The appliance pane appears.
2. From the Actions drop-down list, select Delete this appliance.
3. When prompted, click Confirm.
You should also deregister this appliance (using the client’s web interface) after deleting the appliance from SAM.
Configuration through the CLI
You can configure SaaS acceleration through the CLI as well as the web interface. These are the primary commands:
• show service saas-accel
• show service saas-accel applications
• service saas-accel acs
Configure App Control Server options
– cache-size <entries>
Configures the maximum number of entries for the app cache (1000 to 100000).
– cache-timeout <hours>
Configures the duration in hours entries are held in the app cache (1 to 24).
– syn
Classifies connections on syn packet.
• service saas-accel acs syn enable
Enables classification based on syn packet.
• service saas-accel enable
Enables SaaS acceleration.
• service saas-accel register
Registers SaaS Accelerator.
– sam <sam-domain-name>
– token <token-value>
• service saas-accel sam
Configures SaaS Accelerator Manager access.
• service saas-accel sam refresh
• in-path rule auto-discover dst-app <app-name> rulenum start
• no service saas-accel register
Examples:
• service saas-accel acs syn enable
• service saas-accel acs cache-size <num> (1000 to 100000)
• service saas-accel acs cache-timeout <hours> (1 to 24)
The Client Accelerator supports these additional commands:
• policy id <id> in-path rule auto-discover dst-app <app-name>
• policy id <id> ssl enable
• policy id <id> saas-accel enable
For more information, see the Riverbed Command-Line Interface Reference Manual.