Other Protocol Optimization
  
In addition to the protocols previously discussed, this chapter describes the basic steps for configuring SteelHead protocol optimization for the following protocols:
•  Oracle Forms Optimization
•  NFS Optimization
•  Lotus Notes Optimization
Oracle Forms Optimization
You can display and modify Oracle Forms optimization settings in the Configure > Optimization > Oracle Forms page.
Oracle Forms is a platform for developing user interface applications to interact with an Oracle database. It uses a Java applet to interact with the database in native, HTTP, or HTTPS mode. The SteelHead decrypts, optimizes, and then reencrypts the Oracle Forms traffic.
You can configure Oracle Forms optimization in these modes:
•  Native - The Java applet communicates with the backend server, typically over port 9000. Native mode is also known as socket mode.
•  HTTP - The Java applet tunnels the traffic to the Oracle Forms server over HTTP, typically over port 8000.
•  HTTPS - The Java applet tunnels the traffic to the Oracle Forms server over HTTPS, typically over port 443. HTTPS mode is also known as SSL mode.
Use Oracle Forms optimization to improve Oracle Forms traffic performance. RiOS 5.5.x and later support 6i, which comes with Oracle Applications 11i. RiOS 6.0 and later support 10gR2, which comes with Oracle E-Business Suite R12.
This feature does not need a separate license and is enabled by default. However, you must also set an in-path rule to enable this feature.
Note: Optionally, you can enable IPSec encryption to protect Oracle Forms traffic between two SteelHead appliances over the WAN or use the secure inner channel on all traffic.
Determining the Deployment Mode
Before enabling Oracle Forms optimization, you must know the mode in which Oracle Forms is running at your organization.
To determine the Oracle Forms deployment mode
1. Start the Oracle application that uses Oracle Forms.
2. Click a link in the base HTML page to download the Java applet to your browser.
3. On the Windows task bar, right-click the Java icon (a coffee cup) to access the Java console.
4. Choose Show Console (Initiator) or Open <version> Console (Sun JRE).
5. Locate the “connectMode=” message in the Java Console window. This message indicates the Oracle Forms deployment mode at your organization: for example,
connectMode=HTTP, native
connectMode=Socket
connectMode=HTTPS, native
For more information about configuring Oracle Forms optimization, see the SteelHead Management Console User’s Guide.
NFS Optimization
NFS optimization provides latency optimization improvements for NFS operations by prefetching data, storing it on the client SteelHead for a short amount of time, and using it to respond to client requests. You enable NFS optimization in high-latency environments.
You can configure NFS settings globally for all servers and volumes or you can configure NFS settings that are specific to particular servers or volumes. When you configure NFS settings for a server, the settings are applied to all volumes on that server unless you override settings for specific volumes.
Note: NFS optimization is not supported in an out-of-path deployment.
Note: NFS optimization is only supported for NFSv3.
For each SteelHead, you specify a policy for prefetching data from NFS servers and volumes. You can set the following policies for NFS servers and volumes:
•  Global Read/Write - Choose this policy when the data on the NFS server or volume can be accessed from any client, including LAN clients and clients using other file protocols. This policy ensures data consistency but does not allow for the most aggressive data optimization. Global Read/Write is the default value.
•  Custom - Create a custom policy for the NFS server.
•  Read-only - Any client can read the data on the NFS server or volume but cannot make changes.
After you add a server, the Management Console includes options to configure volume policies.
For detailed information, see the SteelHead Management Console User’s Guide.
Implementing NFS Optimization
This section describes the basic steps for using the Management Console to implement NFS. For detailed information, see the SteelHead Management Console User’s Guide.
Basic Steps
Perform the following basic steps to configure NFS optimization.
To configure NFS optimized connections
1. Enable NFS in the Optimization > Protocols: NFS page.
Enable NFS on all desired client and server SteelHeads.
2. For each client SteelHead, configure NFS settings that apply by default to all NFS servers and volumes. For details, see the SteelHead Management Console User’s Guide.
Configure these settings on all desired client SteelHeads. These settings are ignored on server-side SteelHeads. If you have enabled NFS optimization (as described in the previous step) on a server-side SteelHead, NFS configuration information for a connection is uploaded from the client-side SteelHead to the server SteelHead when the connection is established.
Note: If NFS is disabled on a server-side SteelHead, the appliance does not perform NFS optimization.
3. For each client-side SteelHead, override global NFS settings for a server or volume that you specify. You do not need to configure these settings on server-side SteelHeads. If you have enabled NFS optimization on a server-side SteelHead, NFS configuration information for a connection is uploaded from the client-side SteelHead to the server-side SteelHead when the connection is established.
If you do not override settings for a server or volume, the global NFS settings are used. If you do not configure NFS settings for a volume, the server-specific settings, if configured, are applied to the volume. If server‑specific settings are not configured, the global settings are applied to the server and its volumes.
When you configure a prefetch policy for an NFS volume, you specify the desired volume by an FSID number. An FSID is a number NFS uses to distinguish mount points on the same physical file system. Because two mount points on the same physical file system have the same FSID, more than one volume can have the same FSID.
For details, see the SteelHead Management Console User’s Guide.
4. If you have configured IP aliasing for an NFS server, specify all of the server IP addresses in the SteelHead NFS-protocol settings.
5. View and monitor NFS statistics in the Management Console Reports > Optimization: NFS Statistics.
Configuring IP Aliasing
If you have configured IP aliasing (multiple IP addresses) for an NFS server, you must specify all of the server IP addresses in the SteelHead NFS protocol settings for NFS optimization to work properly.
To configure IP aliasing on a SteelHead
1. In the Management Console, choose Optimization > Protocols: NFS.
2. Select Add New NFS Server to expand the page.
3. In the Name box, specify the name of the NFS server.
4. Enter each server IP address in a comma-separated list in the Server IP box.
5. Click Add.
Lotus Notes Optimization
You can enable and modify Lotus Notes optimization settings in the Configure > Optimization > Lotus Notes page.
Lotus Notes is a client-server collaborative application that provides email, instant messaging, calendar, resource, and file sharing. RiOS provides latency and bandwidth optimization for Lotus Notes 6.0 and later traffic across the WAN, accelerating email attachment transfers and server-to-server or client-to-server replications.
RiOS saves bandwidth by automatically disabling socket compression, which makes SDR more effective. RiOS also saves bandwidth by decompressing Huffman-compressed attachments and LZ-compressed attachments when they are sent or received and recompressing them on the other side. This process allows SDR to recognize attachments that have previously been sent in other ways (such as over CIFS, HTTP, or other protocols), and also allows SDR to optimize the sending and receiving of attachments that are slightly changed from previous sends and receives.
To use this feature, both the client-side and server-side SteelHeads must be running RiOS 5.5.x or later. To enable optimization of encrypted Lotus Notes connections, both the client-side and server-side SteelHeads must be running RiOS 7.0.
Enabling Lotus Notes provides latency optimization regardless of the compression type (Huffman, LZ, or none).
Before enabling Lotus Notes optimization, be aware that it automatically disables socket-level compression for connections going through SteelHeads that have this feature enabled.
For information about configuring Lotus Notes optimization, see the SteelHead Management Console User’s Guide.
Optimizing Encrypted Lotus Notes
You can optimize encrypted Lotus Notes traffic in RiOS 7.0 or later. When you enable the encrypted Lotus Notes feature, traffic between SteelHeads is decrypted and the current Lotus Notes protocol optimization (RiOS 5.5) is applied.
Lotus Notes Authentication
Lotus Notes and the Domino server rely on the Notes ID file for proper authentication. This file contains information for authentication and encryption between the client and the server in the Lotus Notes and Domino system. The Notes ID file is usually stored on the client. You must have a password to decrypt the ID file and use its contents, but you do not need a password to authenticate with the server (for example, MS-Exchange or other systems).
This section requires that you be familiar with Lotus Notes and Domino servers.
Optimization Architecture
To optimize an encrypted connection between a Notes client and a Domino server, you must import the Domino server's ID file into the server-side SteelHead, because the SteelHeads in the path of the connection need to be able to decrypt and reencrypt the sent data. Next, configure the Domino server with a port on which it accepts unencrypted connections. This port can be either the standard port or an auxiliary port. Now, when a Notes client connects to the Domino server, the server-side SteelHead forwards the connection to the auxiliary port of the server.
After the connection is authenticated, the server-side SteelHead resets the connection of the Notes client but maintains the unencrypted connection with the Domino server on the auxiliary port. The Notes client now tries to establish a new encrypted connection, which the server-side SteelHead intercepts and handles as if it were the Domino server.
The server-side SteelHead (acting as the Domino server) generates the information necessary to encrypt the connection to the Notes client. The result is a connection that is encrypted between the Notes client and server-side SteelHead but unencrypted between the server-side SteelHead and the Domino server.
Configuring Optimized Encrypted Lotus Notes
This section describes how to configure optimized encrypted Lotus Notes.
To import the server ID file of Domino servers that require optimization into the server-side SteelHead
1. Log in to the respective Domino servers and identify the location of the server ID file in the notes.ini file. This file is usually located on a Windows server in C:\Program Files\IBM\Lotus\Domino\data.
2. Open the notes.ini file with a text editor.
Figure: Example notes.ini File
3. Import all server ID files into the server-side SteelHead. You do not need to do this on the client-side SteelHead.
•  From the Management Console, choose Optimization > Protocols: Lotus Notes. You can also use the protocol notes encrypt import server-id <url> [password <password>] command.
•  Select Add Server.
•  Specify the server ID file URL (or use the Browse button) and password.
Server IDs might not have passwords.
•  Click Add.
Figure: Import the Server ID File
To configure Domino servers to accept unencrypted connections on an auxiliary port
1. Connect to the Domino server.
2. Open the Domino Administrator and connect to the desired Domino server.
Figure: Domino Server Administrator
3. From the Domino Administrator, choose Configure > Server > Setup Ports to open the Setup Ports page.
Figure: Setup Ports Page
4. In the Setup Ports page, click New to create a new port.
5. Name the port.
In this example, the port is named TCPIP_RVBD and TCP is selected in the Driver drop-down menu.
6. Click OK.
Figure: Creating a New Port
7. To enable the newly created port, select the new port in the Setup Ports page.
Make sure that Port enabled is selected and Encrypt network data is not selected.
8. Click OK.
Figure: The New Port on the Setup Ports Page
To set a new TCP port number and restart the port
1. Open the Domino server's notes.ini file.
The file is usually located in C:\Program Files\IBM\Lotus\Domino.
2. Add a line using the format <port-name>_TCPIPAddress=0,<ip-address>:<port>.
Use the IP address 0.0.0.0 so that Domino listens on all server IP addresses.
Figure: Line Added to the notes.ini File
3. Restart the new port.
The Domino server starts to listen on the new port after a restart of the port or the server.
4. Select the Server tab.
5. Choose Server Console in the left tree structure.
6. In the drop-down menu at the bottom of the page, choose restart port TCPIP_RVBD.
Figure: Restart the Port
To enable Notes Encryption Optimization on both SteelHeads and set the appropriate alternate unencrypted port number on the server-side SteelHead
1. From the Management Console, choose Optimization > Protocols: Lotus Notes.
2. Select Enable Lotus Notes Optimization.
3. Select Optimize Encrypted Lotus Notes Connections.
4. Specify the configured unencrypted port number.
5. Click Apply.
Figure: Lotus Notes Page
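A pre-deployment check for the two procedures above, added here as an example and not Riverbed or IBM code: it parses the <port-name>_TCPIPAddress line from notes.ini, compares its port with the unencrypted port number entered on the server-side SteelHead, and reports when the unencrypted port is bound to 0.0.0.0. The sample file contents, the port number 13520, and the function names are assumptions made for illustration.

```python
import ipaddress
import re

# Line format given above: <port-name>_TCPIPAddress=0,<ip-address>:<port>
KEY = re.compile(r"^\s*(?P<name>\w+)_TCPIPAddress\s*=\s*(?P<value>.*?)\s*$", re.I)
VALUE = re.compile(r"^0\s*,\s*(?P<ip>[0-9.]+):(?P<port>\d{1,5})$")

def parse_bindings(ini_text):
    """Return {PORT_NAME: (ip, port)}; ip and port are None when the value is malformed."""
    bindings = {}
    for line in ini_text.splitlines():
        key = KEY.match(line)
        if not key:
            continue
        entry = (None, None)
        val = VALUE.match(key["value"])
        if val:
            try:
                entry = (ipaddress.ip_address(val["ip"]), int(val["port"]))
            except ValueError:
                pass  # e.g. 999.1.1.1: leave the entry marked as malformed
        bindings[key["name"].upper()] = entry
    return bindings

def check_aux_port(ini_text, port_name, steelhead_port):
    """List mismatches between notes.ini and the port set on the SteelHead."""
    bindings = parse_bindings(ini_text)
    if port_name.upper() not in bindings:
        return [f"{port_name}_TCPIPAddress is missing from notes.ini"]
    ip, port = bindings[port_name.upper()]
    if ip is None or not 1 <= port <= 65535:
        return [f"{port_name}_TCPIPAddress is not in 0,<ip-address>:<port> form"]
    findings = []
    if port != steelhead_port:
        findings.append(f"Domino listens on {port} but the SteelHead is set to {steelhead_port}")
    if ip.is_unspecified:
        findings.append(f"unencrypted port {port} is bound on every server address")
    return findings

# Constructed sample; the port number 13520 is an assumption for illustration.
SAMPLE_INI = """[Notes]
TCPIP_RVBD_TCPIPAddress=0,0.0.0.0:13520
"""

if __name__ == "__main__":
    for finding in check_aux_port(SAMPLE_INI, "TCPIP_RVBD", 13520):
        print(finding)
```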
When the Notes client has connected to the Domino server, you see an optimized encrypted Notes connection in the current connections table. An example client-side SteelHead is shown in Figure: Client-Side SteelHead Current Connections Page with Optimized Encrypted Lotus Notes.
Figure: Client-Side SteelHead Current Connections Page with Optimized Encrypted Lotus Notes
Riverbed recommends that you also enable secure peering on the SteelHeads. The optimized encrypted Notes connection between the client-side and the server-side SteelHeads is unencrypted. To secure this connection, you can enable secure peering on the SteelHeads. For more details, see Deploying Secure Peering for All Optimized Traffic.
Troubleshooting
If the SteelHead encounters an error with the Domino server, the IP address of the Domino server might be added to a blacklist at the server-side SteelHead to avoid disruption to the traffic. This includes configuration errors. New connections to or from the IP address are not optimized.
You can view blacklist entries with the show protocol notes encrypt blacklist command. You can clear the entire blacklist or a single entry with the protocol notes encrypt blacklist remove-ip <ip-address> command.
The best practice is to check the system logs of the SteelHead to see if something about your Lotus Notes optimization is not working properly: for example, there are messages if the wrong server ID file is imported or the unencrypted port is not configured on the Domino server.
Important notes:
•  When you enable encrypted Lotus Notes optimization, you force all connections between a Notes client and a Domino server to be encrypted.
•  Enabling Encrypted Notes optimization forces the client to always perform slow authentication.
•  The Notes client might try to reuse a previously assigned ticket during authentication by sending an Auth request after the server's Hello response. This is called fast authentication because it saves several round trips. Fast authentication does not work when you enable Encrypted Notes optimization.