SteelHead™ Deployment Guide : Application Definitions : Application Flow Engine
  
Application Flow Engine
This section includes the following topics:
  • Overview of Application Flow Engine
  • AFE and Microsoft Lync 2010 and 2013
    • Overview of Application Flow Engine
    The Riverbed Application Flow Engine (AFE), QoS can identify applications accurately using a variety of technologies. It is a powerful engine that you can use to automatically detect applications on the network. You can also use AFE in QoS and path selection rules, in application definitions, and the application visibility reporting. In RiOS v9.1 and later, AFE can identify over 1300 applications and protocols.
    Examples of technologies the AFE uses are:
  • Application signature/Pattern matching
  • Match well-known byte patterns in a flow and across multiple packets
  • Match the URL within HTTP
  • Protocol dissection/Protocol awareness
  • Layer-7 fluency to following the conversation
  • Behavioral classification/Heuristic classification
  • Analyses packet size, packet inter-arrival time, packet rate, data rate, and calculates entropy (randomness) to detect an application (for example, Skype)
  • Dynamic decode
  • Undoing obfuscation techniques (for example, base64)
    • If the AFE fails to identify the application based on the above technologies, it falls back to a TCP/UDP port-based classification.
    To view a completed global application list, see the SteelHead Management Console User’s Guide.
    In addition to the AFE supporting many well-known applications, you can add rules to identify custom applications. For example, you can identify a new HTTP application based on specific domain name or relative path (Figure 5‑7).
    Figure 5‑7. Rules to Identify Applications
    With RiOS v8.6 or later, you can use the AFE to classify unoptimized SSL traffic based on the TLS/SSL server common name in the server certificate. To do this, add an application, type SSL in the Application Layer Protocol text box, and type the common name of the server certificate (for example, www.yoursite.com/*) in the Common Name field. To make the configuration easier, you can use wildcards in the name (Figure 5‑8).
    Figure 5‑8. SSL Common Name Matching Configuration
    You cannot classify SSL optimized traffic using the common name control. For optimized or decrypted SSL traffic, the AFE uses the same techniques as nonencrypted traffic to classify the traffic.
    For information about defining an application using the AFE, see Applications. For more information about SSL, see the SteelHead Deployment Guide - Protocols.
    AFE and Microsoft Lync 2010 and 2013
    RiOS v9.1 and later enhances support for Microsoft Lync. Lync is a multiple-feature communication suite that carries traffic over an extensive selection of protocols. The AFE classification of Lync traffic covers the majority of traffic generated between Lync clients and Lync servers.
    The following table summarizes the types of traffic Lync generates and the classification the AFE provides for them:
     
    Workload
    Classified As
    Client login
    LYNC, LYNCCTRL
    Chat message
    LYNC, LYNCCTRL
    File transfer
    LYNC, LYNCSHRE
    Group voice chat
    LYNC, LYNCMDIA
    Video call
    LYNC, LYNCMDIA
    Application screen sharing
    LYNC, LYNCSHRE
    Desktop sharing
    LYNC, LYNCSHRE
    Voice call
    LYNC, LYNCMDIA
    Presentation sharing
    SSL, SIP
    White-board session
    SSL, SIP
    A Lync server uses the default SIP port of TCP 5061. You can use this information to build a custom rule to classify Lync SIP traffic.