About Best Practices
  
About Best Practices
Use these best practices with SCC versions 9.9 and later. This section includes a quick introduction to the best practices and links to more detailed information.
For information about best practices for earlier versions of the product, consult the documentation for those release versions.
About latency detection
When peer SteelHead appliances are geographically very close, which might occur in full-mesh topologies, the network latency between them can be very low. In cases where the latency between peers is low enough, simply passing traffic through would be faster than transmitting optimized traffic. Traditionally, you would need to configure in‑path rules for each connection you wanted peer appliances to pass through traffic—a daunting task for a large network.
Now, you can use latency detection policies to globally manage how peer SteelHead appliances determine whether to pass through traffic or to continue to optimize it. You can still disable the feature on specific connections by setting an in‑path rule and selecting the option to ignore latency detection. For more information, see these topics:
About policy types
Peering rules
In-path rules
About the Appliance Details report
About peering mode for client authentication
Introduced in SCC 9.8 (CLI only), peering mode for client authentication can now be configured in the GUI. When using peering mode client authentication, the SteelHead acts as a trusted “man‑in-the-middle.” When a client certificate request arrives from the server:
1. The server-side SteelHead replies to server’s client certificate request with its own peering certificate.
2. The client-side SteelHead requests a client certificate in response to the client hello.
3. The client-side SteelHead authenticates the client certificate using the existing trusted CA repository.
This mode supports the Ephemeral Diffie-Hellman key exchange.
When upgrading to SCC 9.9, the client authentication setting of any appliance managed by SCC will be overwritten.
For more information, see Advanced settings (SSL).
About Riverbed software image verification
Riverbed software images are now digitally signed, ensuring the integrity and authenticity of the image. Verifying an image is performed by comparing a public key, or image signing certificate, with the image signature. The public key for Riverbed images can be found at https://support.riverbed.com.
Image verification is enabled by default. We strongly recommend that it remain enabled at all times. Disable this feature only when absolutely necessary.
About enhanced host proxy settings
In SCC 9.9 and later, you can configure proxy addresses for web or FTP proxy access to managed SteelHead appliances. Additionally, you can create a whitelist of domains to allow direct SteelHead to SCC communication. For more information, see Configuring proxy settings.