Configuring SaaS acceleration on multiple appliances using SCC
In SCC 9.9.1 and later, you can configure SaaS acceleration on managed appliances. SaaS Accelerator requires a license, which is installed on SAM.
We strongly recommend that you configure and push SaaS acceleration policies from an SCC to the managed appliances, particularly in large-scale deployments and production networks with multiple appliances.
To accelerate SaaS application traffic using your managed appliances, register your SCC with an SAM that is set up for SaaS acceleration. After registering the SCC with SAM, register selected appliances or a group of appliances with SAM.
To configure multiple appliances for SaaS acceleration using SCC
1. On SAM, choose Configure > Client Appliances and copy the registration token.
2. On the SCC, choose Administration > SaaS: SaaS Accelerator Manager Registration and add these values:
– SaaS Accelerator Manager Hostname.
– SaaS Accelerator Manager Port. The SCC uses port 3900 to communicate with SAM, and the port needs to be open on the firewall. The field for the port number is editable but we do not recommend changing the value.
– Registration Token. Paste t he registration token you copied in
Step 1 to this field.
3. Click Register.
When the registration process completes, the registration details appear on the page.
A new SaaS Acceleration Status section also appears on the page where you can view the current access list status and a list of applications set up for SaaS acceleration on SAM.
4. On SAM, move this SCC to the whitelist.
Newly added appliances always appear on the graylist in the Access List column. You need to change their status to the whitelist to allow acceleration.
You can safely ignore the “No certificates uploaded” error message appearing in the Peering Certificates Status column for the SCC appliance. To accelerate SaaS application traffic, only peering certificates for managed appliances are uploaded to SAM when the appliances register with SAM. Peering certificates allow a client-side appliance to establish trust relationship and peer with a SaaS service cluster to accelerate the SaaS traffic.
– Choose Configure > Client Appliances and click the appliance serial number to display the details panel.
– Under Access List, select Whitelist from the Access List drop-down menu and click Submit.
Without moving the SCC to the whitelist on SAM, you cannot push a policy with in-path rules for SaaS applications from the SCC to the managed appliances. For more details about the access lists, see
Controlling appliance access.
5. On the SCC, choose Administration > SaaS: SaaS Accelerator Manager Registration and click Refresh Data under the SaaS Acceleration Status section. Make sure the access list status of the SCC is Whitelist. You can also view a list of applications set up for SaaS acceleration on SAM and their respective service endpoints.
If you set up new applications for SaaS acceleration on SAM, perform
Step 5 on the
SCC to view the latest list of SaaS applications set up for acceleration.
6. Register client-side appliances with SAM.
If you plan to use SCC policies to accelerate SaaS application traffic, make sure the SCC and the managed appliances are registered with the same SAM. After registering the SCC with SAM, register the selected appliances or a group of appliances with SAM.
– Choose Manage > Topology: Appliances and select appliances, or a group of appliances, you plan to register with SAM.
– Click Appliance Operations, and select SaaS Accelerator Manager Registration from the Choose an operation to perform on the selected groups and appliances drop-down list.
– Select Register, make sure you have the latest registration token from SAM in the Registration Token text field and click Apply.
The client-side appliances use port 3900 to communicate with SAM and the port needs to be open on the branch firewall. The field for the port number is editable but we do not recommend changing the value.
For more details about registering appliances with SAM using SCC, see the SteelCentral Controller for SteelHead User Guide.
7. Move the appliances to the whitelist on SAM.
Newly added appliances always appear on the graylist in the Access List column. You need to change their status to the whitelist to allow acceleration. For details about moving an appliance to the whitelist, see
Step 4. For more information about the access lists, see
Controlling appliance access.
8. Enable SSL optimization in the SCC policies that include SaaS acceleration.
– Choose Manage > Services: Policies, open the policy, and click + Add/Remove Pages.
– Under Optimization, select SSL Main Settings and click Apply.
– In the Editing Policy page, click SSL Main Settings, click Include to include the policy, select Enable SSL optimization, and click Apply.
For more details, see the SteelCentral Controller for SteelHead User Guide.
9. Enable SaaS acceleration in the SCC policies to configure SaaS acceleration for groups of appliances.
– Choose Manage > Services: Policies, open the policy, and click + Add/Remove Pages.
– Under Optimization, select SaaS Accelerator and click Apply.
– In the Editing Policy page, click SaaS Accelerator, click Include to include the policy, select Enable Acceleration, and click Apply.
10. Add an in-path rule to each policy for which you want SaaS acceleration enabled.
In RiOS 9.9.1, you need to configure a unique in-path rule for each application. In RiOS 9.9.2 and later, related applications are grouped into application bundles and you configure just one in-path rule for the bundle.
The in-path rule associates the IP address of the SaaS service cluster in the cloud (supplied by SAM) with the accelerated application or application bundle.
– Choose Manage > Services: Policies, open the policy, and click + Add/Remove Pages.
– Under Optimization, select In-Path Rules and click Apply.
– In the Editing Policy page, click In-Path Rules, click Include to include the policy, and click Add a New In-Path Rule to expand the page.
– For the Source Subnet, select IPv4 or All IPv4.
– For the Destination Subnet, select SaaS Application.
– A second drop-down list appears to the right. In the second drop-down list, select a SaaS application for acceleration and click Add.
Only applications set up for SaaS acceleration on SAM appear in the list.
For more details, see the SteelCentral Controller for SteelHead User Guide.
11. Click Save to Disk to save your settings permanently.
Pausing and Canceling SaaS acceleration on SCC
Canceling SaaS acceleration for an appliance entails deregistering the appliance from SAM, which removes appliance-related peering certificates and in-path rules. Pausing acceleration does not remove configuration settings, so you can easily restore the service when you want.
To pause SaaS acceleration on managed appliances on SCC
1. On the SCC, choose Manage > Services: Policies and open the policy.
2. In the Editing Policy page, click SaaS Accelerator, clear the Enable Acceleration check box, and click Apply.
3. Apply the updated policy to the respective appliances.
When paused, all related in-path rules are ignored.
To cancel SaaS acceleration on selected appliances on SCC
1. On the SCC, choose Manage > Topology: Appliances and select appliances, or a group of appliances, you plan to deregister with SAM.
2. Click Appliance Operations, and select SaaS Accelerator Manager Registration from the Choose an operation to perform on the selected groups and appliances drop-down list.
3. Click Deregister.
SaaS acceleration is canceled for the selected appliances and acceleration-related settings, including in-path rules, are removed.
As another option, you can move the appliances to the blacklist on SAM. When you move an appliance to the blacklist, SAM removes the peering CA that it uploaded from the appliance and stops acceleration. For details, see
Controlling appliance access.