SteelHead™ Deployment Guide - Protocols : Signed SMB and Encrypted MAPI Optimization : Overview of Configuring SMB Signing and Encrypted MAPI
Overview of Configuring SMB Signing and Encrypted MAPI
A deployment that successfully optimizes SMB signing and encrypted MAPI traffic requires gathering information about the Windows environment, configuring the SteelHeads with the appropriate RiOS version and configuration; when using Delegation mode or end-to-end Kerberos, this same deployment potentially requires more configuration in the Windows domain.
The following is a general overview on how to configure a typical SMB signing and MAPI encrypted deployment (for complete details, see the SteelHead Management Console User’s Guide):
Determine if the domain containing users to optimize is different from the server domain.
If the user domain is different from the server domain, determine the trust relationship between the domains.
Gather version information about the Windows environment:
  • Client operating system versions
  • Domain functional level of all server domains involved in the configuration (for example, Native 2003, Mixed mode, Native 2008-R2, Native 2012, and so on)
  • Typical environments allow the Windows client and server to negotiate either NTLM authentication or Kerberos authentication for SMB or MAPI traffic. In these environments, the SteelHead can force negotiation to NTLM authentication to provide latency and bandwidth optimization. Certain environments do not negotiate NTLM or Kerberos—instead they require Kerberos authentication. The Kerberos authentication is set either through settings on the client or through domain policy settings. RiOS v7.0 or later supports this type of end-to-end Kerberos authentication. If your environment is Kerberos only, see Kerberos.
    Using the information provided in RiOS Version Compatibility with Domains and Domain Relationships, determine:
  • the earliest RiOS version needed for the client-side SteelHead.
  • the earliest RiOS version needed for the server-side SteelHead.
  • if Transparent mode is sufficient for optimization (preferred), or if Delegation mode is required.
  • Upgrade the RiOS version on the client- and server-side SteelHeads, if necessary.
    If not already implemented, configure the secure inner channel feature on both the client-side and server-side SteelHead.
    Join the server-side SteelHead to the domain. The domain can be the user domain or a domain that has a trust with the user domain: for example, the server domain. For details, see Joining a SteelHead to a Domain.
    In environments where the server domain only has a one-way trust to the user domain, you need a special configuration when joining the server-side SteelHead to a domain. For details, see One-Way Trust Configuration.
    If Delegation mode is required, set up the delegation accounts in the server domains and configure Delegation mode on the server-side SteelHead. For information, see Configuring Constrained Delegation for Delegation Mode.
    Verify successful optimization of the SMB signed or encrypted MAPI traffic.