SteelHead Deployments
Optimally, the SteelHead must be placed in-line at the perimeter of the network, in front of the perimeter router. Traffic must therefore be directed to the firewall and Intrusion Detection and Prevention System (IDPS) for inspection, both inbound and outbound, in compliance with DoD policy. From an operational perspective, this architecture also avoids the need to open many ports and services in the firewall to accommodate TCP options 76 and 78 and ports 7800, 7810, and 7870. Some other configurations might involve even more ports and services.
When the solution is implemented using a SteelHead hardware appliance consisting of RiOS installed on the SteelHead, administrators are not able to install any software that is not part of a Riverbed upgrade. RiOS enforces this feature by performing a validity check when an upgrade is attempted.
However, the RiOS application suite is also available as a virtual appliance, which can be installed on an organization-provided host. This type of implementation adds risk because more ports might need to be opened in the firewall if the virtual appliance is placed in the recommended logical position in the architecture, after the router and before the firewall and IDPS. The traffic should then be routed for inspection after traversing the WAN optimizer.
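When validating a placement, it helps to confirm from a packet capture whether segments at a given inspection point still carry TCP options 76 or 78, or use ports 7800, 7810, or 7870. The following is an added example, not Riverbed code: the function names are hypothetical, the sample headers are constructed, and the input is assumed to be a raw TCP header with the IP layer already removed.

```python
import struct

# Option kinds and ports named on this page; everything else is illustrative.
STEELHEAD_TCP_OPTIONS = {76, 78}
STEELHEAD_PORTS = {7800, 7810, 7870}

def parse_tcp_options(tcp_header: bytes) -> list[tuple[int, bytes]]:
    """Walk the options area of a raw TCP header; return (kind, data) pairs."""
    if len(tcp_header) < 20:
        raise ValueError("TCP header shorter than 20 bytes")
    header_len = (tcp_header[12] >> 4) * 4      # data offset is in 32-bit words
    if header_len < 20 or header_len > len(tcp_header):
        raise ValueError("invalid data offset")
    opts, i, found = tcp_header[20:header_len], 0, []
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                           # End of Option List
            break
        if kind == 1:                           # No-Operation, single byte
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option truncated before its length byte")
        length = opts[i + 1]                    # length covers kind + length + data
        if length < 2 or i + length > len(opts):
            raise ValueError(f"bad length {length} for option kind {kind}")
        found.append((kind, opts[i + 2:i + length]))
        i += length
    return found

def steelhead_indicators(tcp_header: bytes) -> dict:
    """Report which of the page's option kinds and ports appear in one header."""
    kinds = {k for k, _ in parse_tcp_options(tcp_header)}
    src, dst = struct.unpack("!HH", tcp_header[:4])
    return {
        "ports": sorted({src, dst} & STEELHEAD_PORTS),
        "options": sorted(kinds & STEELHEAD_TCP_OPTIONS),
    }

def build_header(src: int, dst: int, options: bytes) -> bytes:
    """Constructed sample: a SYN header with options padded to a 4-byte boundary."""
    options += b"\x00" * (-len(options) % 4)
    offset = (20 + len(options)) // 4
    return struct.pack("!HHIIBBHHH", src, dst, 1, 0, offset << 4, 0x02, 65535, 0, 0) + options

# Constructed samples; the option 76 payload bytes are arbitrary filler.
WITH_OPTION = build_header(40000, 443, b"\x02\x04\x05\xb4\x01\x01" + b"\x4c\x0a" + b"\xaa" * 8)
WITHOUT_OPTION = build_header(40000, 443, b"\x02\x04\x05\xb4")
ON_LISTED_PORT = build_header(40001, 7800, b"\x02\x04\x05\xb4")
```

Running `steelhead_indicators` over the same flow captured on each side of the firewall shows whether the options and ports reach the inspection point as the rule set intends.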