Welcome to SaaS Accelerator 1.5.2

The following is an overview of the changes in this release.

New features in 1.5.1

New TLS Blade

This release introduces an updated TLS Blade for interoperability with SteelHead RiOS 9.14 and later, assuring continued optimization of HTTPS traffic.

This enhancement uses one additional TCP port (7881) for communication between client-side SteelHead appliances and the SaaS Accelerator service. Customers may need to add or update firewall rules to enable TCP port 7881 outbound from their client-side SteelHeads to the SaaS Accelerator endpoint IP address for each deployed application.

Support added for new CASB provider: Microsoft Defender

Microsoft Defender for Cloud Application has been added to the CASB supported list.

Improved interoperability with Microsoft AIP

This release improves interoperability with Microsoft AIP for Office 365 applications and Exchange.

Introduced a user feedback form

This release introduces a feedback form that customers can use to provide easy and direct product feedback to the Riverbed product team.

General report enhancements were made

Report enhancements provide a better and more intuitive user experience.

Enhanced security with JIT privileged access for support

Improved security posture by allowing customers to set auto-expiring privileged access for the support team.

New features in 1.5.0

Removal of Teams and Stream Application

As of release 1.5.0, optimization for Teams and Stream is no longer offered through Riverbed SaaS Accelerator Manager. Optimization for Teams and Stream is now provided through Riverbed eCDN Accelerator.

Enhanced security by adding TOTP as an MFA method

Time-based One-Time Password (TOTP) is introduced as a newly supported method for multi-factor authentication (MFA).

Added support for the X-Forwarded-For (XFF) header for Netskope

X-Forwarded-For header support is extended to Netskope to enhance cloud access security broker (CASB) visibility.

Smaller Additions, Improvements, and Bugfixes

    1.5.2

  • ZAK-2846 -

    Symptom: A SaaS Accelerator instance may stop accelerating SaaS connections one year after it was deployed or last upgraded. Client-side SteelHead logs include error messages showing that they do not trust the peering certificate of the affected SaaS Accelerator instance.

    Condition: The peering certificate for each SaaS accelerator instance is valid for one year from when it is deployed or last updated. If some other condition prevents an instance from successfully upgrading, then its peering certificate may expire before the next upgrade cycle.

    1.5.1

  • ZAK-3107 -

    Symptom: An email is sent every hour to SAM admins.

    Condition: Multiple emails could be sent to SAM admins if overlapping licenses expire at the same time.

    1.5.0

  • ZAK-2452 -

    Symptom: The production deployment is deprovisioned when an evaluation license expires that is stacked on top of a production license.

    Condition: Currently, SAM administrators can stack an evaluation license on top of a production license for a deployment. When the evaluation license expires, the production cluster is deprovisioned even if the production license is still valid.

    Solution: SAM administrators can now selectively choose and apply one or more active licenses for a specific deployment. The new release also improves the detection and notification to the SAM administrator of any deployment that is at risk of being deprovisioned due to any kind of license expiration. Notifications include emails, UI notifications, and alerts.

Known Issues

  • ZAK-2674 - SaaS optimization fails when traffic is load balanced across multiple public IP addresses.

    • Detailed Description:

    Symptom: SaaS optimization fails.

    Condition: This issue occurs when traffic is load balanced across multiple public IP addresses for a single branch appliance (SteelHead or Client Accelerator).

    Suggested Workaround: Only use a single public IP address for traffic originating from a branch device (SteelHead or Client Accelerator).

  • ZAK-3176 - SaaS Accelerator may bypass traffic in deployments with NAT overload.

    • Detailed Description:

    Symptom: SaaS Accelerator may bypass traffic in deployments with NAT overload.

    Condition: NAT overload occurs when there is a NAT device or proxy between the client machines and the client-side SteelHead. In this situation, the SteelHead is unable to distinguish between different clients based on IP address. If any errors occur that require IP-based bypass (such as missing proxy certificate trust), then all clients sharing that IP will be affected. This can cause all TLS traffic to be bypassed for SaaS Accelerator if any clients have errors.

    Suggested Workaround: Position the client-side SteelHead before any NAT devices in the network.

  • ZAK-3243 - No external alerts are received for expiring peering CA.

    • Detailed Description:

    Symptom: Administrators may not receive an external email notification when the peering Certificate Authority certificate for an organization is expiring. They may only become aware of this condition from a banner message displayed the next time they log in.

    Condition: The SaaS Accelerator Manager (SAM) maintains a Certificate Authority certificate that is used internally to establish the peering trust between SaaS Accelerator instances and authorized client appliances. Since this is an internal function managed by Riverbed, no email message is sent to the administrators.

    Suggested Workaround: The SaaS Accelerator Manager (SAM) provides banner alerts to keep administrators informed of potential future issues.

  • ZAK-3246 - The SaaS deployment is removed without a reason.

    • Detailed Description:

    Symptom: The SaaS deployment is removed without a reason.

    Condition: This issue occurs even when the SaaS deployment has a valid license. This is a corner case that needs further investigation.

    Suggested Workaround: None.

  • ZAK-3254 - A SaaS Accelerator instance does not replace certificates after a Certificate Authority change.

    • Detailed Description:

    Symptom: A SaaS Accelerator instance may not replace the existing proxy certificates after a new Certificate Authority (CA) is activated in the SaaS Accelerator Manager (SAM). Acceleration of new connections to SaaS sites will stop if the original CA certificate expires or is no longer trusted by clients.

    Condition: The communication channel that manages the configuration of individual SaaS Accelerator instances may lose synchronization with the SAM, preventing the instance from automatically responding to a CA change in the expected time frame.

    Suggested Workaround: Contact Riverbed Support to resynchronize the affected SaaS Accelerator instance with the SaaS Accelerator Manager.

To view the release notes for previous versions, visit SaaS Accelerator support and select the software version.

If you have questions regarding this update, contact Riverbed Support for assistance.