SteelHead™ Deployment Guide - Protocols
Preface
About This Guide
Audience
Types of SteelHeads
Document Conventions
Documentation and Release Notes
Contacting Riverbed
What Is New
CIFS Optimization
Overview of CIFS Protocol
CIFS File Locking and Oplocks
Safe Reading and Writing
Security Signatures
Overview of SMB Versions 2, 2.1, 3, and 3.02
More Information
RiOS CIFS Optimization Techniques
Microsoft Exchange Email Optimization
MAPI Client and Server Communication
Auto-Discovery and MAPI Connections
RiOS MAPI Optimization
Encrypted MAPI Optimization
MAPI Admission Control for Microsoft Outlook
MAPI Optimization with SteelHeads in a Serial Cluster or a Parallel Deployment
MAPI Optimization with Exchange Clusters
Outlook Anywhere Optimization
Support for Common Access Card
Verifying Connection Status
Troubleshooting Outlook Anywhere Optimized Traffic
Microsoft Exchange 2013 Optimization
MAPI over HTTP
MAPI over HTTP Requirements
MAPI over HTTP Down Negotiation
MAPI Destination Port Handling
MAPI Multiple Context
Signed SMB and Encrypted MAPI Optimization
Windows Security Concepts
Domain Relationships
Choosing an Authentication Mode for the Server-Side SteelHead
Overview of Configuring SMB Signing and Encrypted MAPI
SMB3 Optimization with Windows 8 Clients and Windows 2012 Server
Joining a SteelHead to a Domain
One-Way Trust Configuration
Enabling Kerberos in a Restricted Trust Environment
Kerberos
Overview of Kerberos
Multiple Domain Environments and Referral Tickets
Optimization in a Native Kerberos Environment
Domain User with Replication Privileges
Configuring Traffic Optimization for HTTP (SharePoint), Encrypted MAPI, and Signed SMB/SMB2/SMB3
Configuring the Server-Side SteelHead for Active Directory Integrated (Windows 2003/2008)
Best Practices for the SteelHead in a Secure Windows Deployment
Domain Authentication Scaling
When to Use Domain Authentication Scaling
General Improvements in RiOS v8.6
Domain Controller Load Balancing
Domain Health Check and Domain Authentication Automatic Configuration
Domain Health Check
Using the SteelHead Management Console to Test Domain Health Check
Using the RiOS CLI Commands to Test Domain Health Check
Domain Authentication Automatic Configuration
Single Domain Example Configuration
HTTP Optimization
HTTP and Browser Behavior
Multiple TCP Connections and Pipelining
HTTP Authentication
Connection Jumping
HTTP Proxy Servers
Configuring HTTP SSL Proxy Interception
RiOS HTTP Optimization Techniques
Primary Content Optimization Methods
HTTP Vary Headers
Connection Pooling
HTTP Authentication Optimization
HTTP Automatic Configuration
HTTP Settings for Common Applications
HTTP Optimization for SharePoint
HTTP Optimization Module and Internet-Bound Traffic
HTTP and IPv6
Overview of the Web Proxy Feature
Tuning Microsoft IIS Server
Determining the Current Authentication Scheme on IIS
Determining the Current Authentication Mode on IIS
Per-Connection or Per-Request NTLM Authentication
Per-Connection or Per-Request Kerberos Authentication
Changing the Authentication Scheme
Changing the Per-Connection/Per-Request NTLM Authentication Mode
Changing the Per-Connection/Per-Request Kerberos Authentication Mode
HTTP Authentication Settings
HTTP Optimization Module and Proxy Servers
Determining the Effectiveness of the HTTP Optimization Module
Info-Level Logging
Use Case
Citrix ICA Optimization
Overview of Citrix ICA
Citrix Version Support
Citrix ICA Traffic Optimization with SteelHeads
Citrix SecureICA Encryption
Citrix Drive-Mapping Optimizations
Citrix Multi-Stream ICA Traffic Optimization with SteelHeads
Citrix Virtual Channels and Traffic Priorities
Single-Stream and Multi-Stream ICA
QoS Classification for Citrix Traffic
Automatic Negotiation of Multi-Stream ICA Traffic for QoS Enforcement
Reduction for Citrix Small Packet Real-Time Traffic
Citrix ICA Optimization over SSL
Secure SMTP Optimization
Configuring Microsoft Exchange Servers for Secure SMTP
Configuring the SteelHead for START-TLS Support
FTP Optimization
Overview of FTP
Active Mode
Passive Mode
Configuring In-Path Rules
Optimizing FTP
Passing Through FTP
QoS Classification for the FTP Data Channel
Active FTP Classification
Passive FTP Classification
FTP Optimization Considerations
SteelCentral Controller for SteelHead Mobile FTP Considerations
Other Protocol Optimization
Oracle Forms Optimization
Determining the Deployment Mode
NFS Optimization
Implementing NFS Optimization
Basic Steps
Configuring IP Aliasing
Lotus Notes Optimization
Optimizing Encrypted Lotus Notes
Lotus Notes Authentication
Optimization Architecture
Configuring Optimized Encrypted Lotus Notes
Troubleshooting
Video Optimization
Overview of Video Optimization
HTTP Stream Splitting
Video On-Demand with HTTP Prepopulation
CIFS and HTTP Prepopulation
CIFS Prepopulation
Design Considerations
HTTP Prepopulation
Microsoft Silverlight, Apple HLS, and Adobe Flash
SSL Deployments
The Riverbed SSL Solution
Overview of SSL
How SteelHeads Terminate an Optimized SSL Connection
Configuring SSL Optimization on SteelHeads
SSL Optimization Required Components
Enhanced Cryptography License Key
Proxy Certificate and Private Key
Certificate Chain Discovery
Certificate Authority Certificates
Peer Certificates
Setting Up a Simple SSL Optimization Deployment
Generating the Proxy Certificate and Private Key Pair
SteelHead Secure Peering Scenarios
Secure Peering Using the Self-Signed Peer White, Gray, and Black Lists
Secure Peering with CA-Signed Certificates
Managing SteelHead Secure Peering Trusts with an SCC
Deploying Secure Peering for All Optimized Traffic
Advanced SSL Features
Client Certificate Support
Verification
Proxy Server Support
Mid-Session SSL Support
Server Name Indication
SSL Optimization with SteelHead Mobile
Troubleshooting and Verification
Interacting with SSL-Enabled Web Servers
Obtaining the Server Certificate and Private Key
Apache Certificates and Private Keys
IIS Certificates and Private Keys
Generating Self-Signed Certificates
Generating Self-Signed Certificates with Apache
Generating Self-Signed Certificates with IIS
Configuring SCEP and Managing CRLs
Using SCEP to Configure On-Demand and Automatic Reenrollment
Configuring On-Demand Enrollment
Configuring Automatic Reenrollment
Viewing SCEP Settings and Alarms
Managing Certificate Revocation Lists
Managing CRLs
Viewing CRL Alarm Status
RiOS Version Compatibility with Domains and Domain Relationships
User Domain Is the Same as Server Domain—Delegation Mode
User Domain Is the Same as Server Domain—Transparent Mode
User Domain Is the Different from Server Domain (Bidirectional)—Delegation Mode
User Domain Is Different from Server Domain (Bidirectional)—Transparent Mode
Server-Side SteelHead is in a Different Domain to the Server with One-Way Trust
Legacy Delegate User Configurations
Delegation Mode (Depreciated Feature)
Configuring Constrained Delegation for Delegation Mode
SteelHead™ Deployment Guide - Protocols
Configuring Constrained Delegation for Delegation Mode