About SaaS Accelerator
Riverbed client-side appliances such as SteelHeads, SteelFusion Edges, and Client Accelerator endpoints can accelerate SaaS traffic by working with SaaS Accelerator. Through SaaS Accelerator Manager (SAM), you can configure SaaS applications for acceleration, and then register Riverbed client-side appliances with SaaS Accelerator Manager to accelerate their SaaS traffic.
SaaS Accelerator is a service that consists of these components:
SaaS Application—The application delivered as Software as a Service.
SaaS Accelerator Manager—SAM provides the graphical user interface (GUI) for managing the acceleration for registered Riverbed client-side appliances. SaaS Accelerator Manager also configures and manages the SaaS service cluster.
Organization—SAM allows logical separation and segmentation of resources into organizations to support multi-tenant deployments. You can have different organizations to support deployments in different regions. You deploy SaaS Accelerator within an organization.
Client-side appliances—The client-side appliances located in the customer branch office that intercept any connections destined for the SaaS platform to be accelerated. We strongly recommend that you configure and push SaaS acceleration policies from a SteelCentral Controller for SteelHead (SCC) to managed appliances, particularly in large-scale deployments and production networks with multiple client-side appliances.
SaaS service cluster—A cluster of service instances behind a service endpoint that peers with client-side appliances. Application acceleration occurs between the client-side appliance and the SaaS service cluster. SAM configures and manages the SaaS service cluster.
Service instance—The application optimization service node deployed in a SaaS service cluster.
Client Accelerator endpoints—Client Accelerator endpoints can accelerate SaaS traffic by connecting directly to the SaaS service cluster. Client Accelerator endpoints get their SaaS acceleration configuration through the policy defined in the Client Accelerator Controller.
When you configure a SaaS application for acceleration, SAM deploys a SaaS service cluster in a public cloud to accelerate SaaS traffic. (You do not need a cloud account, and Riverbed configures and manages the SaaS service cluster.) Each SaaS application is accelerated by a dedicated service cluster. For best performance, you need to deploy the SaaS service cluster in the same region as the SaaS application servers.
The service endpoint is the IP address and port range where client-side appliances connect to the SaaS service cluster. You must open multiple ports from 7810 through 7830 on the firewall to allow for this communication.
With SaaS acceleration configured in SAM, the end-user traffic meant for the SaaS server goes to the client-side appliance. The client-side appliance has in-path rules configured that direct the traffic to the SaaS service cluster, and the SaaS service cluster forwards the traffic to the SaaS server. The traffic between the client-side appliances and the SaaS service cluster is accelerated.
As an example of the flow, let’s consider a deployment with Microsoft Office 365 traffic. This traffic is sent to the Microsoft O365 SaaS server. When you configure SaaS acceleration through SAM, SAM deploys a SaaS service cluster in a cloud, and traffic from the user network to the SaaS service cluster is accelerated.
In its default configuration, the SaaS Accelerator automatically manages SSL certificates for proxy and peering. You can, however, use your organization’s certificate authority (CA). In this configuration, you use SAM to generate and download a certificate signing request (CSR) and use it to obtain an intermediate certificate authority (ICA) certificate from your organization’s CA that is already trusted by your clients. After you obtain the ICA certificate, you upload it to SAM to complete the process.
About supported SaaS applications
SAM supports accelerating these applications:
Box
Microsoft Office 365 (including Exchange, SharePoint, Office WebApps, and Authentication and Identity Services)
Microsoft Dynamics CRM (a subset of the Microsoft Dynamics 365 family of applications)
Salesforce
ServiceNow
Veeva
We periodically add support for new SaaS providers.
About third-party proxy chaining
Proxy chaining enables you to connect to third-party cloud access security broker (CASB) services. CASB services can enhance data security over cloud applications by providing you with a level of control and visibility similar to on-premises solutions.
When you configure proxy chaining, you’ll need to supply information about how to connect to your third-party’s proxy service. To do this, you’ll need one of these pieces of information:
URL to a proxy auto-configuration (PAC) file. PAC files are supplied by the CASB service and are available at public URLs. PAC files define how web browsers and other user agents automatically choose CASB proxy servers when fetching web resources.
IP address and port number to the third-party proxy service.
Hostname and port number to the third-party proxy service.
If SSL interception is enabled on your CASB service, you’ll also need the CASB’s CA certificate. The certificate must be in PEM format. The certificate can originate from a third-party CA or the CASB’s own internal CA. Similar to the certificate mentioned in Configuring SSL optimization, the certificate for your CASB must be uploaded to SAM and all end-user client systems.
To ensure uninterrupted service with your CASB, we recommend that you whitelist SaaS Accelerator egress IP addresses in your third-party service configuration. See About SaaS Accelerator egress IP addresses.
Depending on your CASB, you might need to configure additional items on their side.
You can view the proxy chaining status of deployed applications in the SaaS Accelerator page and, for a selected deployed application, under the Proxy Chaining Status section of the Details tab for that application. Status can be:
Healthy – Indicates normal operation.
Warning – Indicates a communication issue between SAM and the third-party service.
Critical – Indicates a configuration issue.
See To view an application’s proxy chaining status.
About SaaS Accelerator licensing
SaaS Accelerator is a service, and the license defines the parameters of the service. A SaaS Accelerator license applies to a SAM organization for a specific time period and is defined by these characteristics:
| SaaS applications | Minimum/maximum number of users | AppUnits per user | Connections per user |
| --- | --- | --- | --- |
| Box | 400–100,000 | 5 | 5 connections |
| Microsoft Office 365 | 200–50,000 | 10 | 10 connections |
| Microsoft Dynamics CRM | 200–50,000 | 20 | 10 connections |
| Salesforce | 200–50,000 | 10 | 10 connections |
| ServiceNow | 200–50,000 | 10 | 10 connections |
| Veeva | 200–50,000 | 20 | 10 connections |
AppUnits—This component defines how many users can accelerate SaaS traffic for an application. You specify the number of users to support when you configure acceleration for an application. The number of users allowed is determined based on the number of available AppUnits, as well as the minimum and maximum number supported by the application. When configured, SAM allocates the AppUnits to the application.
AppUnits provide flexibility so you can easily change which applications to accelerate, or resize your configuration based on usage. As you configure SaaS acceleration in SAM, tooltips provide recommendations specific to each application.
AppData—This component defines the amount of egress data (in GiB) allowed through the SaaS service cluster. You can track the total amount of data used and data usage trends per application on the SaaS Accelerator Cumulative Egress Data Usage page (choose Reports > Data Usage).
Each AppUnit includes 0.3 GiB of AppData. For example, if you buy 10,000 AppUnits, you can deploy 1000 users for Office 365, and you would get a total of 3000 GiB per month for those users. With a yearly subscription, that provides a pool of 36,000 GiB (12 months x 3000 GiB per month).
AppData is pooled for all applications and all users. AppData allows monthly carryovers through the end of the subscription, providing flexibility for usage variations.
You can purchase additional AppUnits or AppData through add-on licenses.
The SaaS Accelerator license is specific to your SAM organization, not per client-side appliance. You can register any number of client-side appliances in your organization with SAM managing the SaaS Accelerator service.
Before you activate SaaS Accelerator on a client-side appliance, ensure that you account for the added connection and throughput usage in the same way you would when introducing any other additional application for optimization on the appliance. Registering a client-side appliance with the SaaS Accelerator service does not change the optimized session limit for that appliance.
User and data limits are enforced based on the available license.
SaaS Accelerator service cluster limits
The SaaS service cluster has the following deployment characteristics:
A SaaS service cluster for any application can handle a maximum of 500,000 connections.
The minimum size of the service cluster depends on the license. The minimum license is 2000 AppUnits.
SaaS service clusters deployed in different SAM organizations are independent of each other.
Each SAM organization can deploy only one cluster per SaaS application.
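The licensing table and cluster limits above can be combined into a sizing check to run before you configure applications in SAM. This is an added example, not Riverbed code: size_plan and its result keys are hypothetical names, and it assumes AppData is computed from licensed AppUnits, as in the 10,000-AppUnit example on this page.

```python
# Added example (size_plan is a hypothetical helper, not a SAM API).
# application: (min users, max users, AppUnits per user, connections per user)
APPS = {
    "Box": (400, 100_000, 5, 5),
    "Microsoft Office 365": (200, 50_000, 10, 10),
    "Microsoft Dynamics CRM": (200, 50_000, 20, 10),
    "Salesforce": (200, 50_000, 10, 10),
    "ServiceNow": (200, 50_000, 10, 10),
    "Veeva": (200, 50_000, 20, 10),
}
MIN_LICENSE_APPUNITS = 2000        # smallest license
CLUSTER_MAX_CONNECTIONS = 500_000  # per SaaS service cluster


def size_plan(licensed_appunits, plan, months=12):
    """Check a plan {application: users} against one organization's license."""
    errors, allocated, connections = [], 0, {}
    if licensed_appunits < MIN_LICENSE_APPUNITS:
        errors.append(f"license is below the {MIN_LICENSE_APPUNITS} AppUnit minimum")
    for app, users in plan.items():
        if app not in APPS:
            errors.append(f"{app}: not a supported application")
            continue
        lo, hi, units_per_user, conns_per_user = APPS[app]
        if not lo <= users <= hi:
            errors.append(f"{app}: {users} users is outside {lo}-{hi}")
            continue
        allocated += users * units_per_user
        connections[app] = users * conns_per_user  # one dedicated cluster per app
        if connections[app] > CLUSTER_MAX_CONNECTIONS:
            errors.append(f"{app}: exceeds the cluster connection maximum")
    if allocated > licensed_appunits:
        errors.append(f"plan needs {allocated} AppUnits, license has {licensed_appunits}")
    # 0.3 GiB of AppData per licensed AppUnit per month, in exact arithmetic.
    monthly_gib = licensed_appunits * 3 / 10
    return {
        "ok": not errors,
        "errors": errors,
        "appunits_allocated": allocated,
        "appunits_free": licensed_appunits - allocated,
        "cluster_connections": connections,
        "appdata_gib_per_month": monthly_gib,
        "appdata_gib_pool": monthly_gib * months,  # pooled across apps and users
    }


if __name__ == "__main__":
    print(size_plan(10_000, {"Microsoft Office 365": 1000}))
```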
SaaS Accelerator connection and user limits
SaaS Accelerator lets individual users consume more TCP connections per user than those allocated, but does not allow the total number of TCP connections for the SaaS acceleration cluster to exceed the limit. If you exceed the total number of available connections for the cluster, or if the number of active users is significantly higher than the configured value, SaaS Accelerator enters admission control and new connections matching the SaaS application defined in the client-side appliance in-path rule will not be accelerated.
About compatibility with SteelHead models
SaaS Accelerator is supported on all currently available SteelHead models. The SteelHead requires RiOS software 9.8.1a or later.