SteelHeadā„¢ Deployment Guide - Protocols : Signed SMB and Encrypted MAPI Optimization : Best Practices for the SteelHead in a Secure Windows Deployment
Best Practices for the SteelHead in a Secure Windows Deployment
There are many possible ways to configure the server-side SteelHead to support the different secure Windows application options. The following is a list of best practices to ensure that the majority, if not all, of the secure Windows traffic in your environment is fully optimized:
  • Make sure that the server-side SteelHead has a DNS entry. You need only an A record.
  • Make sure that the server-side SteelHead time-of-day is synchronized through NTP. Riverbed recommends that you synchronize to the same NTP service as the domain controllers.
  • Join the server-side SteelHead to the Windows domain of choice using the role of Active Directory integrated Windows 2008. If possible, use the domain of the user domain or the same domain as the majority of the Windows application servers on which you want optimized traffic.
  • When joining the domain, specify one or more domain controllers within the same domain that are geographically closest to the server-side SteelHead.
  • Enable native Kerberos authentication support for the relevant Layer-7 RiOS features (for example, signed CIFS, signed SMB2, signed SMB3, encrypted MAPI, and HTTP) on the server-side SteelHead.
  • For encrypted MAPI and signed SMB3, these settings are also required on the client-side SteelHead.
  • Configure a replication user within the Active Directory forest and enter the account details into the server-side SteelHead.
  • Configure a PRP within Active Directory to further restrict the replication user account (optional).
  • If the server-side SteelHead interacts with other domains through a one-way trust, use the CLI or the Management Console to enable this setting.
  • If there are no one-way trusts, then this step is not required.
  • Depending on the RiOS version you have on the server-side SteelHead, you can perform the Windows Active Directory configuration steps (domain join, user account creation, and so on) by using the domain authentication automatic configuration feature in the Management Console or through the CLI.
  • For information about the domain health and domain authentication automatic configuration features, see Domain Health Check and Domain Authentication Automatic Configuration.