About Application Protocols, Authenticated Connections, and Domain Controllers
SteelHead accelerates several application-specific protocols. Acceleration of secure traffic may require communication between the server-side SteelHead and domain controllers.
Enabling acceleration or adjusting protocol settings usually requires a service restart. For some models and protocols, a separate license may be needed. With feature-tier licensing, you can configure and enable acceleration even if it isn't licensed, but acceleration takes effect only once the feature is both enabled and licensed.
About secure traffic authentication
Several protocols support secure traffic acceleration. When enabling secure traffic optimization, you must choose an authentication method: NTLM or Kerberos. SteelHead handles end-to-end authentication between peers, as well as between the server-side appliance and the Windows domain controller. Disabled by default. Configured on server-side appliances. Service restart required.
NTLM authentication has two modes: transparent and delegation. Transparent mode optimizes signed or encrypted packets with transparent authentication. Transparent mode requires that you either configure service accounts for the user domains on the server-side appliance or join the server-side appliance to the relevant Windows domains. We recommend transparent mode.
Delegation mode re-signs packets using Kerberos delegation. Delegation mode requires that you join the server-side appliance to relevant Windows domains.
NTLM authentication supports all Windows clients and servers with NTLM enabled.
About Server Message Block
SMB2/3 acceleration optimizes file sharing between Windows clients and servers. For encrypted traffic, SMB signing must be enabled on the server-side SteelHead. This allows for latency and bandwidth optimization, even for encrypted, SMB-signed traffic.
SMB 3.02 is qualified for use with signed, unsigned, and encrypted traffic over both IPv4 and IPv6. However, authenticated connections between a server-side SteelHead and a domain controller are only supported over IPv4.
Delegation mode signing has been deprecated.
For details on SMB specifications, go to http://msdn.microsoft.com/en-us/library/cc246482.aspx.
About SMB2 and SMB3 settings
SMB2 and SMB3 settings are under Optimization > Protocols: SMB2/3.
Enable SMB2 Optimization and Enable SMB3 Optimization
Improves both latency and bandwidth for file transfers. These optimizations include techniques such as cross-connection caching, read-ahead, write-behind, and batch prediction, which help ensure low-latency transfers. The appliance maintains data integrity, ensuring that the client always receives data directly from the servers.
SMB2 and SMB3 optimization are enabled by default. Both SMB2 and SMB3 optimizations should be configured on both the client-side and server-side appliances.
Enable DFS Optimization
Enables optimization for Distributed File System (DFS) file shares. Configure on the client-side appliances.
Enable Secured Traffic Optimization
Enables optimization of signed or encrypted traffic. Kerberos and NTLM authentication options are supported.
About SMB signing
SMB signing is a security feature in Windows that ensures the integrity of messages, preventing man-in-the-middle attacks by adding a unique signature to each message. This signature ensures the messages cannot be tampered with during file sharing.
When secure traffic optimization is enabled on a server-side appliance, SteelHead reduces latency in file access while maintaining these security signatures. It still provides bandwidth optimizations like SDR, LZ compression, and TCP optimizations, even with signed messages.
However, SMB signing can significantly reduce performance gains since it prevents the appliance from applying full optimization on connections. While SMB signing does offer security, many enterprises already rely on other security measures, such as firewalls and internal servers, which means SMB signing might add minimal extra security but at a high performance cost.
You should enable secure traffic optimization when Windows clients or servers have one of these settings:
SMB2/SMB3 signing set to required.
SMB3 secure dialect negotiation is enabled.
SMB3 encryption is enabled.
The secure traffic optimization is compliant with Microsoft’s SMB signing protocols. It works with Windows domain security, supporting both native and mixed mode domains, and allows the server-side appliance to join the Windows trust domain. This trust relationship can be between parent-child, grandparent-child, or sibling domains.
Even if the client system and target server are in different domains, as long as there’s a trust relationship between them, appliances can accelerate signed traffic. For maximum security, we recommend you configure appliances as SSL peers, ensuring encrypted, signed traffic over the WAN.
SMB signing requires that the Windows domain functionality be at the Windows 2003 level or higher.
Viewing SMB connections
SMB connections appear in the Current Connections report with these labels:
SMB 2.0 and SMB 2.0.2 connections show as SMB20 or SMB21-SIGNED.
SMB 2.1 connections show as SMB21 or SMB21-SIGNED.
SMB 3.0 and SMB 3.0.2 connections show as SMB30 if there are protocol errors, or SMB30-ENCRYPTED or SMB30-SIGNED.
SMB 3.1.1 connections show as SMB31 if there are protocol errors, or SMB31-ENCRYPTED or SMB31-SIGNED. In release 9.15.1 and later, a connection that has protocol errors or is blacklisted shows up as SMB-BLACKLISTED.
When some shares are marked for encryption and others aren’t, if a connection accesses both encrypted and nonencrypted shares, the report shows the connection as SMB30-ENCRYPTED or SMB31-ENCRYPTED.
All unsupported SMB dialects show as SMB-UNSUPPORTED.
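As an added example (not Riverbed code), the following script applies the label rules above to an exported Current Connections list and flags the connections a defender would want to look at: unsigned SMB2 connections on a network where signing is supposed to be required, bare SMB3 labels (protocol errors), blacklisted and unsupported dialects. The three-column report layout and the sample lines are constructed for the example; the labels are the documented ones, and the pattern also accepts the SMB20-SIGNED form by generalization.

```python
import re
from collections import Counter

# Documented labels: SMB<dialect> with an optional -SIGNED or -ENCRYPTED
# suffix, plus two catch-all labels that need no dialect.
LABEL_RE = re.compile(r"^SMB(?P<dialect>20|21|30|31)(?:-(?P<state>SIGNED|ENCRYPTED))?$")
CATCH_ALL = {
    "SMB-BLACKLISTED": ("blacklisted", "protocol errors; blacklisted (9.15.1 and later)"),
    "SMB-UNSUPPORTED": ("unsupported", "dialect is not accelerated"),
}


def classify_label(label: str):
    """Map one report label to (status, reason) using the documented rules."""
    if label in CATCH_ALL:
        return CATCH_ALL[label]
    m = LABEL_RE.match(label)
    if not m:
        return ("unknown", f"unrecognised label {label!r}")
    dialect, state = m.group("dialect"), m.group("state")
    pretty = f"SMB {dialect[0]}.{dialect[1]}"
    if state == "ENCRYPTED":
        # Also shown when one connection touches encrypted and plain shares.
        return ("protected", f"{pretty} encrypted")
    if state == "SIGNED":
        return ("protected", f"{pretty} signed")
    if dialect in ("30", "31"):
        # A bare SMB30/SMB31 label means the connection hit protocol errors.
        return ("protocol-error", f"{pretty} with protocol errors")
    return ("unsigned", f"{pretty} neither signed nor encrypted")


def parse_report(text: str):
    """Parse constructed 'client server label' lines; blank/'#' lines skipped."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        client, server, label = line.split()
        status, reason = classify_label(label)
        rows.append({"client": client, "server": server, "label": label,
                     "status": status, "reason": reason})
    return rows


def audit(text: str, signing_required: bool = True):
    """Return (counts_by_status, flagged_rows). With signing_required, an
    unsigned SMB2 connection contradicts a 'signing required' policy and is
    flagged so the server-side configuration can be checked."""
    rows = parse_report(text)
    counts = Counter(r["status"] for r in rows)
    flag = {"protocol-error", "blacklisted", "unsupported", "unknown"}
    if signing_required:
        flag.add("unsigned")
    return dict(counts), [r for r in rows if r["status"] in flag]


# Constructed sample report; the column layout is an assumption of this
# example, the labels are the ones documented for the report.
SAMPLE_REPORT = """
# client            server            label
10.1.1.5:49152      10.2.2.10:445     SMB31-ENCRYPTED
10.1.1.6:49201      10.2.2.10:445     SMB30-SIGNED
10.1.1.7:50310      10.2.2.11:445     SMB21
10.1.1.8:50444      10.2.2.11:445     SMB30
10.1.1.9:50470      10.2.2.12:445     SMB-BLACKLISTED
10.1.1.10:50501     10.2.2.13:445     SMB-UNSUPPORTED
"""

if __name__ == "__main__":
    summary, flagged = audit(SAMPLE_REPORT)
    print(summary)
    for row in flagged:
        print(f"{row['client']} -> {row['server']}: {row['label']} ({row['reason']})")
```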
About HTTP acceleration
HTTP settings are under Optimization > Protocols: HTTP. Configure the settings on client-side appliances.
SteelHead accelerates most HTTP and HTTPS applications, including customer relationship management, enterprise resource planning, financial, document management, and intranet portals.
Enable HTTP Optimization
Globally enables specific optimizations and features related to HTTP/HTTPS traffic.
Enable SaaS User Identity (Office 365)
Enables the display of user names for connections going to Office 365, typically when users are authenticated with single sign-on using ADFS. Additional configuration is required for SSL.
Enable Object Caching
Globally enables the object caching feature, which parses the base HTML page and prefetches any embedded objects to the client-side appliance. When the browser requests an embedded object, the appliance serves the request from the cached results, eliminating the round-trip delay to the server. Cached objects can be images, style sheets, or any JavaScript files associated with the base page and located on the same host as the base URL. Requires cookies.
Enable Web Proxy
Enables the transparent interception of internet-bound traffic using a single-ended web proxy.
For HTTPS (HTTP over SSL) acceleration, you must configure a specific in-path rule that enables both SSL optimization and HTTP optimization.
Server subnet and host settings
These settings allow you to define static acceleration schemes for specific subnets and hosts. Automatically configured subnets and hosts are also shown in the same table. You can filter the list to display static, automatic, or items currently under evaluation. For items being evaluated automatically, the default evaluation period is 1000 transactions. These configurations should be set on client-side appliances.
These settings apply when HTTP optimization is enabled, regardless of entries in the Subnet or Host list. In the case of overlapping subnets, specific list entries take precedence over the default settings. If no specific rule matches, the default rule is applied.
Strip compression
Removes compression headers to increase appliance data reduction performance.
HTTP2
Enables parsing of HTTP2 traffic. Disable for SDR-only.
Object caching
Enables a lookup table of prefetched objects so that they can be retrieved more efficiently from the data store.
About MAPI
SteelHead uses the secure inner channel between peer appliances to securely send MAPI traffic. To accelerate MAPI, you’ll also need to set up secure peering between the client-side and server-side appliance peers, setting the traffic type to All.
About MAPI settings
MAPI settings are under Optimization > Protocols: MAPI.
Enable MAPI over HTTP Optimization
Enables bandwidth and latency optimization for the MAPI over HTTP transport protocol. You must also create an in-path rule using the Exchange Autodetect latency optimization policy to differentiate and optimize MAPI over HTTP traffic. Configure on client-side appliances.
Viewing MAPI connections
MAPI connections appear in the Current Connections report using these labels:
MAPI-OA for Outlook Anywhere connections
eMAPI-OA for encrypted MAPI connections. Encrypted Outlook Anywhere connections appear in the system log with an RPCH prefix.
MAPI-HTTP for MAPI over HTTP connections.
About NFS
NFS acceleration improves performance in high-latency environments by prefetching data and temporarily storing it on the client-side SteelHead. This stored data is then used to quickly respond to client requests, reducing perceived delay. Starting with RiOS version 9.16.0, NFS optimization supports both IPv6 and IPv4. Earlier versions support only IPv4.
On the server-side SteelHead, NFS settings remain inactive until the appliance connects to an NFS server. Once connected, it receives the NFS configuration from the client-side appliance for that specific connection.
NFS settings are applied globally to all NFS servers and volumes by default. However, you can set overrides for individual servers or volumes as needed. If you configure a server-specific override, it applies to all volumes on that server—unless you also configure volume-specific settings.
NFS acceleration does not support out-of-path deployments. Additionally, latency optimization is not available for NFS versions 2 and 4. However, features like bandwidth optimization, Scalable Data Referencing (SDR), and Lempel-Ziv (LZ) compression are still supported.
About NFS settings
NFS settings are under Optimization > Protocols: NFS.
NFS settings
Enable NFS Optimization
Provides latency optimization for NFS in high latency environments. Enabled by default.
NFS v2 and v4 Alarms
Enables an alarm that triggers when the appliance detects NFSv2 and NFSv4 traffic. The triggered alarm changes the appliance’s health status to Needs Attention until you reset the alarm. The option to reset the alarm appears only after it has been triggered.
Default Server Policy and Default Volume Policy
Specifies policies used to configure connections to servers or volumes that don’t already have one.
Custom
Specifies a custom policy.
Global Read-Write
Provides data consistency rather than performance. All of the data can be accessed from any client, including LAN-based NFS clients (which don’t go through SteelHeads) and clients using other file protocols such as CIFS. This option severely restricts the optimization that can be applied without introducing consistency problems. This is the default value.
Read-only
Specifies that clients can read data from NFS servers or volumes but can’t make changes.
Server and volume overrides
Add specific servers to the override table, and then edit their settings to create server-specific and volume-specific configurations that override the default settings. The appliance uses the global settings for all other NFS servers and volumes.
Server Name
Specifies a display label for the server.
Server IP Addresses
Specifies the IP addresses of the server, separated by commas. If you have configured IP aliasing (multiple IP addresses) for an NFS server, specify all of the server IP addresses.
Default Server Policy and Default Volume Policy
Are the same as for the global settings.
Default Volume
Enables the default volume configuration for the server.
Volume override settings appear after you add a server. For convenience while configuring volume-specific settings, an uneditable list of volumes available on the selected NFS server also appears.
FSID
Specifies the volume File System ID. An FSID is a number NFS uses to distinguish mount points on the same physical file system. Because two mount points on the same physical file system have the same FSID, more than one volume can have the same FSID.
Policy
Specifies the policy used for the volume. Options are functionally the same as those in the global settings.
Root Squash
Turns off acceleration for the root user on NFS clients. When the root user accesses an NFS share, its ID is squashed (mapped) to another user (most commonly “nobody”) on the server. Root squash improves security because it prevents clients from giving themselves access to the server file system.
Permission Cache
Enables the permission cache, where the SteelHead stores file read data and uses it to respond to client requests. For example, if a user downloads data and another user tries to access that data, the appliance ensures that the second user has permission to read the data before releasing it.
Default Volume
Enables the default volume configuration for this server.
About NAT IP address mapping
For cloud appliances, you can set up NAT IP address mapping. These settings are located under Optimization > Cloud > NAT IP Address Mapping.
NAT address mapping enables you to map private IP addresses to public IP addresses. You can enable and disable the mapping feature, and you can create multiple mappings. This feature is useful to enhance security as private IP addresses are hidden behind the public one, and to streamline configuration as you can map multiple private IP addresses to a single public one.
About SteelHead SaaS
SteelHead SaaS settings are under Optimization > SaaS: SteelHead SaaS. Not available in cloud appliances.
SteelHead SaaS improves performance for several SaaS applications. Accelerating SaaS applications requires configuration on the SteelHead SaaS Manager (SSM). You'll also need to:
register the SSM on your client-side appliances or SteelHead Mobile endpoints.
define in-path rules for your SaaS applications. These rules enable the SSM to associate the IP address of the SaaS service cluster in the cloud with appliances or endpoints, and then to associate the SaaS service cluster with the accelerated application.
whitelist appliances on the SSM.
SteelHead SaaS requires an additional license, which is installed on the SSM. Using SteelHead SaaS with SteelHead CX model 3080 requires the Standard license tier or higher on the appliance.
We strongly recommend that you configure and push SaaS acceleration policies from a controller appliance to managed, client-side appliances, particularly with large scale deployments and production networks with many appliances. You’ll need to register the controller appliance with SSM and whitelist it there. On the controller, create policies that enable SaaS acceleration and SSL/TLS optimization, and include in-path rules for your SaaS applications.
To register the SSM on an appliance, you’ll first need to obtain a registration token from the SSM. Apply the token to the appliance, and enter the hostname and port number for the SSM.
About Windows domain authentication
Enabling secure traffic optimization requires communication between server-side SteelHeads and domain controllers. When properly configured, SteelHead can accelerate secure connections in Microsoft environments where:
Windows file servers use signed SMB (or SMB2/3) for file sharing to Microsoft Windows clients.
Microsoft Exchange Servers provide encrypted MAPI connections to Microsoft Outlook clients.
Microsoft Internet Information Services (IIS) servers serve HTTP or HTTP-based web applications.
Active Directory automatic configuration provides a set of Management Console widgets that simplify the SteelHead configuration necessary to accelerate traffic in a secure environment, and a set of domain health status commands that help troubleshoot and report possible problems with an appliance in a Windows domain environment.
Easy Config configures the appliance to join the Windows Active Directory Domain.
Auto Config configures the following accounts and privileges:
Configure Delegation Account
Configures the deployed delegation account with AD delegation privileges. This is a legacy configuration that has been deprecated.
Add Delegation Servers
Configures a list of Exchange and CIFS servers with permission to delegate AD access privileges.
Remove Delegation Servers
Removes Exchange and CIFS servers from the list. This is a legacy configuration that has been deprecated.
Before you join SteelHead to a domain, verify these items:
Fully qualified domain name (FQDN), which must be the same as the name that appears in your domain name service (DNS).
Domain’s short (NetBIOS) name. You must explicitly specify the short name if it doesn’t match the far left portion of the FQDN.
Primary or auxiliary interface for the server-side SteelHead is routable to the DNS and the domain controller.
For CIFS, you must be able to ping the server-side SteelHead, by name, from a CIFS server joined to the same domain that the SteelHead has joined.
For CIFS, you must be able to ping the domain controller, by name, from the server-side SteelHead. If you can't, ensure that the appliance's host settings for DNS are correct.
After you raise the domain level, you may not be able to lower it.
When joining an appliance to a domain, it is vital to set the correct time zone. The most common reason for failing to join a domain is a significant difference in the system time between the Windows domain controller and the SteelHead. When the time on the domain controller and the appliance don’t match, this error message appears:
lt-kinit: krb5_get_init_creds: Clock skew too great
We recommend using Network Time Protocol (NTP) servers for synchronization.
For details, go to Knowledge Base article S25759.
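As an added example (not Riverbed code), the script below runs the pre-join checklist from this section from a host with the same DNS and NTP view as the server-side appliance: it derives the short name the join will assume from the FQDN, checks that the domain controller and the appliance resolve by name, and measures the clock offset against an NTP server so that a join failing with "Clock skew too great" can be predicted before it happens. The 300-second tolerance is the usual Kerberos default, not a value from this page; the hostnames passed to prejoin_report are hypothetical, and make_ntp_reply only builds a constructed reply packet so the offset arithmetic can be checked offline.

```python
import socket
import struct
import time

# Kerberos rejects requests when the two clocks differ by more than the
# configured maximum skew; 300 s is the usual default, assumed here.
MAX_SKEW_SECONDS = 300.0
NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 to 1970-01-01

def short_domain_name(fqdn: str) -> str:
    """Leftmost FQDN label, which is what the join assumes for the NetBIOS
    name unless you specify the short domain name explicitly."""
    return fqdn.strip().rstrip(".").split(".")[0].upper()

def build_ntp_request() -> bytes:
    """48-byte SNTP client request: LI=0, VN=4, Mode=3 (client)."""
    return b"\x23" + b"\x00" * 47

def _ntp_timestamp(packet: bytes, pos: int) -> float:
    """Decode a 64-bit NTP timestamp (32-bit seconds, 32-bit fraction)."""
    secs, frac = struct.unpack("!II", packet[pos:pos + 8])
    return secs - NTP_EPOCH_OFFSET + frac / 2 ** 32

def make_ntp_reply(t2: float, t3: float) -> bytes:
    """Constructed NTP v4 server reply (Mode=4) carrying only the receive
    (t2) and transmit (t3) timestamps; used to test the offset math offline."""
    def enc(t: float) -> bytes:
        secs = int(t) + NTP_EPOCH_OFFSET
        frac = int((t - int(t)) * 2 ** 32)
        return struct.pack("!II", secs, frac)
    return b"\x24" + b"\x00" * 31 + enc(t2) + enc(t3)

def ntp_offset_from_reply(reply: bytes, t1: float, t4: float) -> float:
    """Clock offset (server minus local) per RFC 5905: t1/t4 are our send
    and receive times, t2/t3 the server's receive and transmit times."""
    if len(reply) < 48:
        raise ValueError("short NTP reply")
    t2 = _ntp_timestamp(reply, 32)
    t3 = _ntp_timestamp(reply, 40)
    return ((t2 - t1) + (t3 - t4)) / 2.0

def clock_skew_ok(offset: float, max_skew: float = MAX_SKEW_SECONDS) -> bool:
    """True when the offset is inside the Kerberos tolerance; outside it the
    domain join fails with 'Clock skew too great'."""
    return abs(offset) <= max_skew

def query_ntp_offset(server: str, timeout: float = 3.0) -> float:
    """Ask one NTP server for the time and return our offset from it."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        t1 = time.time()
        sock.sendto(build_ntp_request(), (server, 123))
        reply, _ = sock.recvfrom(512)
        t4 = time.time()
    return ntp_offset_from_reply(reply, t1, t4)

def resolves(hostname: str) -> bool:
    """DNS half of the 'ping by name' checks: DC and appliance must resolve."""
    try:
        socket.gethostbyname(hostname)
        return True
    except socket.gaierror:
        return False

def prejoin_report(domain_fqdn, dc_hostname, appliance_fqdn, ntp_server):
    """Run the checklist (needs network) and return the results as a dict."""
    offset = query_ntp_offset(ntp_server)
    return {
        "short_name_assumed": short_domain_name(domain_fqdn),
        "dc_resolves": resolves(dc_hostname),
        "appliance_resolves": resolves(appliance_fqdn),
        "clock_offset_s": round(offset, 3),
        "clock_skew_ok": clock_skew_ok(offset),
    }
```

A call such as prejoin_report("corp.example.com", "dc1.corp.example.com", "sh-server.corp.example.com", "ntp.corp.example.com") (hypothetical names) reports a failing skew check or an unresolvable name before you attempt the join.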
About Active Directory easy configuration
The easy configuration widget for automatic domain authentication simplifies the server-side SteelHead configuration needed to enable acceleration in a secure environment. It automates the majority of the required configuration tasks, avoiding step-by-step operations in different configuration tools and on the command line of Windows Active Directory platforms.
After successfully running the easy configuration module, you can enable the secure traffic optimization feature. Easy configuration configures the appliance's domain authentication in the simplest yet widest supported settings. It performs these tasks:
Tests the DNS configuration.
Joins the appliance to the specified domain.
Enables selected settings, such as SMB signing.
If any of the steps fail during the configuration, the system automatically rolls back to the previous configuration.
When you integrate the server-side appliance in this way, it doesn’t provide any Windows domain controller functionality to any other machines in the domain and doesn’t advertise itself as a domain controller or register any SRV records (service records). In addition, the appliance doesn’t perform any replication nor hold any Active Directory objects. The appliance has just enough privileges so that it can communicate with the domain controller and then use transparent mode for NTLM authentication.
About Active Directory easy configuration settings
Easy Config settings are under Optimization > Active Directory: Auto Config. Configure on server-side appliances.
Kerberos Authentication
Enables Kerberos authentication.
NTLM Authentication
Deprecated. We recommend you do not enable this feature.
Username
Specifies the username for the credentials used to join the domain. These must have domain join privileges. For Kerberos support, use any ordinary user account that has permission to join a workstation to the domain. For NTLM support, use any user account that has permission to join a domain controller to the domain. Domain administrator credentials are not strictly required but recommended. The appliance doesn’t cache credentials after it joins.
Password
Specifies the password for the domain administrator account. Case sensitive.
Domain/Realm
Specifies the fully qualified domain name (FQDN) of the domain controller. Typically, this is your company domain name. Windows 2000 or later domains are supported.
Domain Controller
Specifies the hosts that provide user login service in the domain, separated by commas. Typically with Active Directory Service domains, the system automatically retrieves the domain controller name when given a domain name.
Short Domain Name
Specifies the short (NetBIOS) domain name. You can identify the short domain name by pressing Ctrl+Alt+Delete on any member server listed in the domain controller. You must explicitly specify the short domain name if it doesn't match the leftmost portion of the FQDN.
Enable SMB2 and SMB2/3 Signing
Enables optimization on SMB2/3-signed connections.
Viewing configuration status
After running easy configuration, the status indicates one of these states:
Success—Completed successfully with no errors.
Failed—Failed and was not carried out.
In Progress—Actively running. In this state, the browser constantly polls the back end to see if the operation has completed. Once the operation completes, the browser stops polling.
A status of Not Started indicates the operation has never been executed on this appliance.
Last Run displays the amount of time elapsed since the last execution and then the time and date the operation completed. The time is meaningful only if the status is success or failed.
Logging Data displays log output for the operation, useful for troubleshooting a failed attempt. Errors are highlighted red, warnings yellow. Two log files follow an operation:
The summary log contains the highlights of the full log.
The full log contains a detailed record of the operation.
Select the Summary and Full Log tabs to view the logging data. The system displays a line count for the number of lines in the logging data. The system omits the tab if the log file is empty.
For the summary and full log tabs, an abbreviated form of the time stamp appears in the left margin of each line. Mouse over a time stamp to view the entire time stamp in a tooltip. Not all log lines have time stamps, because some of the logging data is generated by third-party (non-Riverbed) applications.