SteelHead™ Deployment Guide - Protocols : RiOS Version Compatibility with Domains and Domain Relationships
RiOS Version Compatibility with Domains and Domain Relationships
Support for full optimization of signed SMB and encrypted MAPI first started in RiOS v5.5. With more recent developments of the configuration and diagnostic features included in RiOS, Riverbed recommends that you use RiOS v9.0 and later. Riverbed has greatly improved the error handling in RiOS for SMB and MAPI and, as a result, increased the error handling capabilities of the primary optimization processes. Any faults in CIFS, SMB, SMB2, and SMB3 are gracefully recovered with no net effect on the remaining optimization features. You must use RiOS v9.0 and later for all implementation using SMB v3.03, which includes Windows 8.1 and Windows Server 2012R2.
In RiOS v9.0, Delegation mode is deprecated, unless you explicitly require Kerberos-constrained delegation to reduce authentication pressure on Exchange servers. However, consider this a stop-gap measure, prior to configuring end-to-end Kerberos on the SteelHead. The use of native Kerberos greatly decreases the pressure from authenticating clients on the Exchange server through NTLM.
With RiOS v8.5 or later, you can use the Domain Auth Auto Config widget (Choose Optimization > Active Directory: Auto Config). The widget automates the majority of the required configuration tasks, avoiding the need to perform step-by-step operations in different configuration tools and using the command line on the Windows Active Directory platforms.
However, Riverbed understands that sometimes, for reasons of policy and change management, there might be a requirement to retain SteelHeads on earlier versions of RiOS.
This section explains how to establish the earliest version of RiOS required for optimizing signed SMBv1 or encrypted MAPI traffic. The following list describes factors affecting the earliest version of RiOS:
  • Determining the required server-side SteelHead RiOS version depends on a variety of factors:
  • Whether you require Transparent mode, Delegation mode, or support for end-to-end Kerberos
  • The domain functional level and operation system version of the domain controllers in the domain that is being joined by the SteelHead
  • The operating system version of client machines
  • The type of trust relationship between the server domain and the user domain
  • The following configurations help you determine the RiOS version you want to use on the server-side SteelHead:
  • User Domain Is the Same as Server Domain—Delegation Mode
  • User Domain Is the Same as Server Domain—Transparent Mode
  • User Domain Is the Different from Server Domain (Bidirectional)—Delegation Mode
  • User Domain Is Different from Server Domain (Bidirectional)—Transparent Mode
  • Server-Side SteelHead is in a Different Domain to the Server with One-Way Trust
  • Legacy Delegate User Configurations
  • Delegation Mode (Depreciated Feature)
  • Configuring Constrained Delegation for Delegation Mode
  • You must use RiOS v7.0 or later if your configuration requires end-to-end Kerberos authentication between the client and server.
    The Domain(Server) listing in the following tables refers to the domain functional level in use by the domain that the server-side SteelHead joins, or the operating system version of the domain controllers used by that domain—whichever is most recent. For example, if the server-side SteelHead is joined to a domain where the domain controllers use Windows 2008, but the domain functional level is Windows 2003, you can reference the Windows 2008 entries in the appropriate table.
    There are some configurations where signed SMB communication between two servers running Windows 2008 or Windows 2008-R2 can occur. In this instance, one of the servers is effectively acting as a client to the other server. The same rules apply for the required version of RiOS.
    The following tables include two Windows server versions in the client listings. However, you must remember that the default SMB communication between these types of server is SMBv2—either configure the server-side SteelHead with SMBv1 Backward Compatibility enabled, or configure the SteelHeads with RiOS v6.5 or later with SMB2 optimization enabled.
    Communication between Windows 8 and Windows Server 2012 (SMBv3) requires the use of RiOS v8.6 or later. Windows 8.1 and Windows Server 2012R2 (SMBv3.02) requires RiOS v9.0 or later. These RiOS versions are requisite regardless of domain join or trust type.