Overview of SaaS Accelerator
  
Overview of SaaS Accelerator
This chapter provides an overview of the SaaS Accelerator. It includes these sections:
What’s new in this release
About SaaS Accelerator
Supported SaaS applications
SaaS Accelerator licensing
Compatibility with SteelHead models
SaaS Accelerator is a Riverbed managed service controlled through the SaaS Accelerator Manager that works with Riverbed client-side appliances to accelerate SaaS traffic. The SaaS Accelerator is a replacement for SteelHead Cloud Accelerator with Akamai, which has been renamed to Legacy Cloud Accelerator.
What’s new in this release
This release of SaaS Accelerator includes these improvements:
Microsoft Teams and Microsoft Stream (video only) are supported. This support enables reliable video streaming to all employees without impacting the branch network, and it provides rich analytics that measure key metrics to help you assess the results of video delivered through Microsoft Office 365 (O365) enterprise applications anywhere.
Microsoft Teams and Microsoft Stream can be used with these client devices, applications, and browsers:
Microsoft Teams Desktop Client – Windows, Mac
Microsoft Windows – Microsoft Edge (Chromium), Chrome (79 and later), Firefox (72 and later)
Mac – Safari (12 and later), Chrome (79 and later), Firefox (72 and later)
Tablet – Safari (13.2 and later), Chrome Android (79 and later), Firefox Android (68 and later)
Mobile – Chrome Android (79 and later), Firefox Android (68 and later)
Skype Meeting Broadcast is not supported.
Microsoft Dynamics CRM is supported. Dynamics CRM is a subset of the Microsoft Dynamics 365 family of applications.
SaaS Accelerator is capable of accommodating up to 500,000 connections.
United Arab Emirates (UAE) and South Korea regions are supported.
Security improvements. TLS 1.2 with ECDHE ciphers is supported. Support for TLS 1.0 and 1.1 is removed.
The SaaS application page includes an Advanced Details tab that displays the IP addresses of related service instances, making it easier to whitelist these IP addresses.
About SaaS Accelerator
Riverbed client-side appliances such as SteelHeads, SteelFusion Edges, and SteelHead Mobile clients can accelerate SaaS traffic by working with SaaS Accelerator. Through SaaS Accelerator Manager, you can configure SaaS applications for acceleration, and then register Riverbed client-side appliances with SaaS Accelerator Manager to accelerate their SaaS traffic.
For Microsoft Teams and Microsoft Stream, SaaS Accelerator requires no additional agent or appliance.
SaaS Accelerator is a service that consists of these components:
SaaS Application - The application delivered as Software as a Service.
SaaS Accelerator Manager (SAM) - SAM provides the management interface for SaaS acceleration and manages the acceleration for registered Riverbed client-side appliances. SaaS Accelerator Manager also configures and manages the SaaS service cluster.
Organization - SAM allows logical separation and segmentation of resources into organizations to support multi-tenant deployments. You can have different organizations to support deployments in different regions. You deploy SaaS Accelerator within an organization.
Client-side appliances - The client-side appliances located in the customer branch office that intercept any connections destined for the SaaS platform to be accelerated. We strongly recommend that you configure and push SaaS acceleration policies from a SteelCentral Controller for SteelHead (SCC) to managed appliances, particularly in large-scale deployments and production networks with multiple client-side appliances.
SaaS service cluster - A cluster of service instances behind a service endpoint that peers with client-side appliances. Application acceleration occurs between the client-side appliance and the SaaS service cluster. SAM configures and manages the SaaS service cluster.
Service instance - The application optimization service node deployed in a SaaS service cluster.
SteelHead Mobile clients - SteelHead Mobile clients can accelerate SaaS traffic by connecting directly to the SaaS service cluster. SteelHead Mobile clients get their SaaS acceleration configuration through the policy defined in the SteelCentral Controller for SteelHead Mobile.
When you configure a SaaS application for acceleration, SAM deploys a SaaS service cluster in a public cloud to accelerate SaaS traffic. (You do not need a cloud account, and Riverbed configures and manages the SaaS service cluster.) Each SaaS application is accelerated by a dedicated service cluster. For best performance, you need to deploy the SaaS service cluster in the same region as the SaaS application servers.
The service endpoint is the IP address and port range where client-side appliances connect to the SaaS service cluster. You must open multiple ports from 7810 through 7830 on the firewall to allow for this communication.
With SaaS acceleration configured in SAM, the end-user traffic meant for the SaaS server goes to the client-side appliance. The client-side appliance has in-path rules configured that direct the traffic to the SaaS service cluster, and the SaaS service cluster forwards the traffic to the SaaS server. The traffic between the client-side appliances and the SaaS service cluster is accelerated.
Figure 1‑1. SaaS acceleration overview
As an example of the flow, let’s consider a deployment with Microsoft Office 365 traffic. This traffic is sent to the Microsoft Office 365 SaaS server. When you configure SaaS acceleration through SAM, SAM deploys a SaaS service cluster in a cloud and traffic from the user network to the SaaS service cluster is accelerated.
In its default configuration, the SaaS Accelerator automatically manages SSL certificates for proxy and peering. You can, however, use your organization’s certificate authority (CA). In this configuration, you use SAM to generate and download a certificate signing request (CSR) and use it to obtain an intermediate certificate authority (ICA) certificate from your organization’s CA that is already trusted by your clients. After you obtain the ICA certificate, you upload it to SAM to complete the process.
Supported SaaS applications
SAM supports accelerating these applications:
Box
Microsoft Office 365 (including Exchange, SharePoint, Office WebApps, and Authentication and Identify Services)
Microsoft Teams and Microsoft Stream (video only)
Microsoft Dynamics CRM (a subset of the Microsoft Dynamics 365 family of applications)
Salesforce
ServiceNow
Veeva
We periodically add support for new SaaS providers.
SaaS Accelerator licensing
SaaS Accelerator is a service, and the license defines the parameters of the service. A SaaS Accelerator license applies to an SAM organization for a specific time period and is defined by these characteristics:
SaaS applications
Minimum/maximum number of users
AppUnits per user
Connections per user
Box
400 – 100,000
5
5 connections
Microsoft Office 365
200 – 50,000
10
10 connections
Microsoft Teams and Stream Live Event (video only)
200 – 50,000
10
N/A
Microsoft Dynamics CRM
200 – 50,000
20
10 connections
Salesforce
200 – 50,000
10
10 connections
ServiceNow
200 – 50,000
10
10 connections
Veeva
200 – 50,000
20
10 connections
AppUnits - This component defines how many users can accelerate SaaS traffic for an application. You specify the number of users to support when you configure acceleration for an application. The number of users allowed is determined based on the number of available AppUnits, as well as the minimum and maximum number supported by the application. When configured, SAM allocates the AppUnits to the application.
AppUnits provide flexibility so you can easily change which applications to accelerate, or resize your configuration based on usage. As you configure SaaS acceleration in SAM, tooltips provide recommendations specific to each application.
AppData - This component defines the amount of egress data (in GiB) allowed through the SaaS service cluster. You can track the total amount of data used and data usage trends per application on the SaaS Accelerator Cumulative Egress Data Usage page (choose Reports > Data Usage).
Each AppUnit includes 0.3 GiB of AppData. For example, if you buy 10,000 AppUnits, you can deploy 1000 users for Office 365, and you would get a total of 3000 GiB per month for those users. With a yearly subscription, that provides a pool of 36,000 GiB (12 months x 3000 GiB per month).
AppData is pooled for all applications and all users. AppData allows monthly carryovers through the end of the subscription, providing flexibility for usage variations.
You can purchase additional AppUnits or AppData through add-on licenses.
The SaaS Accelerator license is specific to your SAM organization, not per client-side appliance. You can register any number of client-side appliances in your organization with SAM managing the SaaS Accelerator service.
Before you activate SaaS Accelerator on a client-side appliance, ensure that you account for the added connection and throughput usage in the same way you would when introducing any other additional application for optimization on the appliance. Registering a client-side appliance with the SaaS Accelerator service does not change the optimized session limit for that appliance.
User and data limits are enforced based on the available license.
SaaS Accelerator service cluster limits
The SaaS service cluster has the following deployment characteristics:
A SaaS service cluster for any application can handle a maximum of 500,000 connections.
The minimum size of the service cluster depends on the license. The minimum license is 2000 AppUnits.
SaaS service clusters deployed in different SAM organizations are independent of each other.
Each SAM organization can deploy only one cluster per SaaS application.
SaaS Accelerator connection and user limits
SaaS Accelerator lets individual users consume more TCP connections per user than those allocated, but does not allow the total number of TCP connections for the SaaS acceleration cluster to exceed the limit. If you exceed the total number of available connections for the cluster, or if the number of active users is significantly higher than the configured value, SaaS Accelerator enters admission control​ and new connections matching the SaaS application defined in the client-side appliance in-path rule will not be accelerated​.
For Microsoft Teams and Microsoft Stream, you will see a notice in the SaaS Accelerator user interface and your SaaS Accelerator administrator will receive an email if you exceed the usage limits provided by your license.
Compatibility with SteelHead models
SaaS Accelerator is supported on SteelHead models CX255, CX570, CX770, CX3070, CX5070, CX7070, CX580, CX780, CX3080, CX5080, CX7080, and GX10000. All SteelHead SD and SteelHead (virtual edition) models also support SaaS Accelerator. The SteelHead requires RiOS software 9.8.1a or later.