protocol cifs smb signing enable
Enables SMB signing. By default, RiOS SMB signing is disabled.
Syntax
[no] protocol cifs smb signing enable
Parameters
None
Usage
When sharing files, Windows provides the ability to sign CIFS messages to prevent man-in-the-middle attacks. Each CIFS message has a unique signature, which prevents the message from being tampered with. This security feature is called SMB signing. Prior to the 5.5 release, RiOS did not provide latency optimization for signed traffic. For detailed information about configuring SMB signing, including the necessary steps for Windows, see the SteelHead Management Console User’s Guide.
You can enable the RiOS SMB signing feature on a server-side SteelHead to alleviate latency in file access with CIFS acceleration while maintaining message security signatures. With SMB signing on, the SteelHead optimizes CIFS traffic by providing bandwidth optimizations (SDR and LZ), TCP optimizations, and CIFS latency optimizations—even when the CIFS messages are signed.
By default, RiOS SMB signing is disabled.
The RiOS SMB signing feature works with Windows 2003 and later domain security and is fully compliant with the Microsoft SMB signing v1 protocol. The server-side SteelHead in the path of the signed CIFS traffic becomes part of the Windows trust domain. The Windows domain is either the same as the domain of the user or has a trust relationship with the domain of the user. The trust relationship can be either a parent-child relationship or an unrelated trust relationship.
Important: This feature works with Windows 2003 native mode domains and later, when in delegation mode. In transparent mode the domain restrictions do not apply. SMB signing transparent mode is not currently supported in Windows 7.
RiOS v6.0 and later optimizes signed CIFS traffic even when the logged-in user or client machine and the target server belong to different domains, provided these domains have a trust relationship with the domain the SteelHead has joined. RiOS v6.1 and later supports delegation for users that are in domains trusted by the server's domain.
The RiOS SMB-signing feature uses Kerberos between the server-side SteelHead and any configured servers participating in the signed session. The client-side SteelHead uses NTLM and will negotiate down to NTLM from Kerberos if supported. The client-side SteelHead does not use Kerberos.
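The per-message signature described above, as an added illustration (not Riverbed code) that follows the SMB1 signing calculation published in Microsoft's MS-CIFS specification. The session key, challenge response and message are constructed values; the last check shows why an in-path device needs the session key before it can produce valid signatures.

```python
import hashlib
import hmac
import struct

SIG_OFFSET, SIG_LEN = 14, 8   # SecuritySignature field in the 32-byte SMB1 header

def smb1_signature(key: bytes, chal_resp: bytes, msg: bytes, seq: int) -> bytes:
    """First 8 bytes of MD5(session key || challenge response || message)."""
    # Before hashing, the signature field holds the sequence number in its
    # low 32 bits and zeros in the rest.
    staged = msg[:SIG_OFFSET] + struct.pack("<II", seq, 0) + msg[SIG_OFFSET + SIG_LEN:]
    return hashlib.md5(key + chal_resp + staged).digest()[:SIG_LEN]

def sign(key, chal_resp, msg, seq):
    """Return msg with its signature field filled in."""
    sig = smb1_signature(key, chal_resp, msg, seq)
    return msg[:SIG_OFFSET] + sig + msg[SIG_OFFSET + SIG_LEN:]

def verify(key, chal_resp, msg, expected_seq):
    """Recompute the signature for the sequence number the receiver expects."""
    want = smb1_signature(key, chal_resp, msg, expected_seq)
    return hmac.compare_digest(want, msg[SIG_OFFSET:SIG_OFFSET + SIG_LEN])

def build_message(payload: bytes) -> bytes:
    """Constructed SMB1 message: 32-byte header plus an opaque payload."""
    # Fields: protocol, command (0x2E = READ_ANDX), status, flags,
    # flags2 (0x0004 = signatures in use), PIDHigh, signature, reserved,
    # TID, PIDLow, UID, MID.
    header = struct.pack("<4sBIBHH8sHHHHH",
                         b"\xffSMB", 0x2E, 0, 0x18, 0x0004, 0,
                         b"\x00" * 8, 0, 1, 2, 3, 4)
    return header + payload

def demo():
    key = bytes(range(16))          # constructed session key
    chal_resp = b"\xaa" * 24        # constructed challenge response
    signed = sign(key, chal_resp, build_message(b"constructed file data"), seq=6)
    tampered = signed[:-1] + bytes([signed[-1] ^ 0x01])
    return {
        "intact": verify(key, chal_resp, signed, 6),
        "payload_modified": verify(key, chal_resp, tampered, 6),
        "replayed_later": verify(key, chal_resp, signed, 8),
        "device_without_key": verify(b"\x00" * 16, chal_resp, signed, 6),
    }

if __name__ == "__main__":
    print(demo())
```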
Prerequisites
•  With RiOS SMB signing enabled, SteelHeads sign the traffic between the client and the client-side SteelHead and between the server and the server-side SteelHead. The traffic is not signed between the SteelHeads, but the SteelHeads implement their own integrity mechanisms. For maximum security, Riverbed recommends that you use IPSec encryption to secure the traffic between the SteelHeads.
•  RiOS SMB signing requires joining a Windows domain. Setting the correct time zone is vital for joining a domain. The most common reason for failing to join a domain is a significant difference in the system time on the Windows domain controller and the SteelHead.
Basic Steps
1. Verify that the Windows domain functionality is at the Windows 2003 level or later. For detailed information about configuring SMB signing, including the necessary steps for Windows, see the SteelHead Management Console User’s Guide.
2. Identify the full domain name, which must be the same as DNS. You need to specify this name when you join the server-side SteelHead to the domain.
3. Identify the short (NetBIOS) domain name (press Ctrl+Alt+Del on any member server). You need to specify the short name when the SteelHead joins the domain if it does not match the left-most portion of the fully qualified domain name.
4. Make sure that the primary or auxiliary interface for the server-side SteelHead is routed to the DNS and the domain controller.
5. Verify the DNS settings:
•  You must be able to ping the server-side SteelHead, by name, from a CIFS server joined to the same domain that the server-side SteelHead will join. If you cannot, create an entry in the DNS server for the server-side SteelHead.
•  You must be able to ping the domain controller, by name, whose domain the server-side SteelHead will join. To verify your domain, run the show domain and show dns settings commands.
6. Join the Windows domain running in native mode. In delegation mode, RiOS SMB-signing does not support Windows NT and Windows 2000. For detailed information about joining domains, see domain rejoin.
7. If you configured SMB signing in delegation mode, set up the domain controller and SPN. For detailed information, see the SteelHead Management Console User’s Guide.
8. If you configured SMB signing in delegation mode, grant the user access to delegate CIFS service in Windows. You must perform the following procedure for every server on which you want to enable RiOS SMB signing. For detailed information, see the SteelHead Management Console User’s Guide.
9. If you configured SMB signing in delegation mode, add delegate users on the SteelHead.
10. Enable SMB signing on the server-side SteelHeads.
For detailed procedures, see the SteelHead Management Console User’s Guide.
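A pre-join check for step 3, step 5 and the clock prerequisite, as an added example that is not part of the Riverbed documentation. The host names, domain names and times are constructed, the 5-minute limit is an assumption based on the default Kerberos clock tolerance in Active Directory, and `preflight` is a hypothetical helper run from an admin workstation.

```python
import socket
from datetime import datetime, timedelta, timezone

MAX_SKEW = timedelta(minutes=5)  # assumption: default Kerberos clock tolerance

def preflight(domain_fqdn, short_name, hosts, steelhead_time, dc_time,
              resolve=socket.gethostbyname):
    """Return a list of findings; an empty list means the checks passed."""
    findings = []
    # Step 3: the short name must be given explicitly at join time when it
    # differs from the left-most label of the fully qualified domain name.
    leftmost = domain_fqdn.split(".")[0]
    if short_name.lower() != leftmost.lower():
        findings.append(f"short name {short_name!r} differs from {leftmost!r}: "
                        "specify it when joining")
    # Step 5: the SteelHead and the domain controller must resolve by name.
    for host in hosts:
        try:
            resolve(host)
        except OSError:
            findings.append(f"{host} does not resolve: add a DNS entry")
    # Prerequisite: a clock difference is the most common join failure.
    # Timezone-aware values make a wrong time zone show up as skew.
    skew = abs(steelhead_time - dc_time)
    if skew > MAX_SKEW:
        findings.append(f"clock skew {int(skew.total_seconds())}s exceeds "
                        f"{int(MAX_SKEW.total_seconds())}s")
    return findings

def demo():
    known = {"sh-server.corp.example.com": "192.0.2.10"}  # constructed DNS data
    def fake_resolve(name):
        if name not in known:
            raise socket.gaierror(f"unknown host {name}")
        return known[name]
    # Same wall-clock reading, but the SteelHead is set to the wrong time zone.
    dc = datetime(2024, 1, 15, 10, 0, tzinfo=timezone(timedelta(hours=-5)))
    sh = datetime(2024, 1, 15, 10, 0, tzinfo=timezone.utc)
    return preflight("corp.example.com", "CORPNET",
                     ["sh-server.corp.example.com", "dc01.corp.example.com"],
                     sh, dc, resolve=fake_resolve)

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```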
Example
amnesiac (config) # protocol cifs smb signing enable
Product
SteelHead CX, SteelHead EX, SteelHead-v, SteelHead-c
Related Commands
show protocol cifs smb signing status