Control | Description |
Traffic Type | Select one of the following traffic types from the drop-down list: • SSL Only - The peer client-side appliance and the server-side SCC authenticate each other and then encrypt and optimize all SSL traffic: for example, HTTPS traffic on port 443. This is the default setting. • SSL and Secure Protocols - The peer client-side appliance and the server-side appliance authenticate each other and then encrypt and optimize all traffic traveling over the following secure protocols: SSL, SMB signed, and encrypted MAPI. When you select this traffic type, SMB-signing and MAPI encryption must be enabled. SMB-signing, MAPI encryption, or Secure ICA encryption must be enabled on both the client-side and server-side appliances when securing SMB-signed traffic, encrypted MAPI traffic, or encrypted Citrix ICA traffic (RiOS 7.0). Enabling this option requires an optimization service restart. • All - The peer client-side appliance and the server-side appliance authenticate each other and then encrypt and optimize all traffic. Only the optimized traffic is secure; pass-through traffic is not. Enabling this option requires an optimization service restart. Selecting All can cause up to a 10 percent performance decline in higher-capacity appliances. Take this performance metric into account when sizing a complete secure appliance peering environment. |
Fallback to No Encryption | Specifies that the appliance optimizes but does not encrypt the connection when it is unable to negotiate a secure, encrypted inner channel connection with the peer. This is the default setting. Enabling this option requires an optimization service restart. Important: Riverbed strongly recommends enabling this setting on both the client-side and the server-side appliances, especially in mixed deployments where one appliance is running RiOS 6.0 or later and the other SteelHead is running an earlier RiOS version. This option applies only to non-SSL traffic and is unavailable when you select SSL Only as the traffic type. Clear the check box to pass through connections that do not have a secure encrypted inner channel connection with the peer. Use caution when disabling this setting, as doing so specifies that you strictly do not want traffic optimized between non-secure SCC. Consequently, configurations with this setting disabled risk the possibility of dropped connections. For example, consider a configuration with a client-side SCC running RiOS 5.5.x or earlier and a server-side SteelHead running RiOS 6.0 or later. When this setting is disabled on the server-side SCC and All is selected as the traffic type, it will not optimize the connection when a secure channel is unavailable, and can drop it. |
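
The Traffic Type and Fallback to No Encryption rules above can be checked across an appliance pair before a change window. The following is an added example, not Riverbed code; the dictionary keys, finding codes, and sample values are assumptions made for illustration and do not correspond to any appliance export format.

```python
# Added example. The dict keys are hypothetical, not an appliance export format.
SSL_ONLY, SECURE_PROTOCOLS, ALL = "SSL Only", "SSL and Secure Protocols", "All"


def rios(version):
    """'6.0.1' -> (6, 0, 1) so RiOS versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def audit_pair(client, server):
    """Return sorted (code, detail) findings for one client/server peering pair."""
    findings = set()
    # Mixed deployment: one side runs RiOS 6.0 or later, the other an earlier version.
    mixed = (rios(client["rios"]) >= (6, 0)) != (rios(server["rios"]) >= (6, 0))
    for side, cfg in (("client-side", client), ("server-side", server)):
        if cfg["traffic_type"] == SECURE_PROTOCOLS:
            for feature in ("smb_signing", "mapi_encryption"):
                if not cfg[feature]:
                    findings.add(("FEATURE_OFF", f"{side}: {feature} is not enabled"))
        if cfg["traffic_type"] == SSL_ONLY:
            continue  # the fallback option is unavailable for SSL Only
        if cfg["fallback"]:
            findings.add(("CLEARTEXT_FALLBACK",
                          f"{side}: optimizes without encryption if no secure inner channel"))
        elif mixed:
            findings.add(("DROP_RISK",
                          f"{side}: fallback cleared in a mixed RiOS deployment"))
    both_apply = SSL_ONLY not in (client["traffic_type"], server["traffic_type"])
    if both_apply and client["fallback"] != server["fallback"]:
        findings.add(("FALLBACK_MISMATCH", "fallback differs between the two sides"))
    return sorted(findings)


def codes(client, server):
    """Distinct finding codes for the pair, sorted."""
    return sorted({code for code, _ in audit_pair(client, server)})


# Constructed sample pair (values invented for this example).
CLIENT = {"rios": "5.5.4", "traffic_type": ALL, "fallback": True,
          "smb_signing": True, "mapi_encryption": True}
SERVER = {"rios": "6.0.1", "traffic_type": ALL, "fallback": False,
          "smb_signing": True, "mapi_encryption": True}

if __name__ == "__main__":
    for code, detail in audit_pair(CLIENT, SERVER):
        print(f"{code}: {detail}")
```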

Control | Description |
Add a New Trusted Entity | Displays the controls for adding trusted entities. |
Trust Existing CA | Select an existing CA from the drop-down list. |
Trust New Certificate | Adds a new CA or peer certificate. The appliance supports RSA and DSA for peering trust entities. |
Optional Local Name | Optionally, specify a local name for the entity (for example, the fully qualified domain name). |
Local File | Browse to the local file. |
Cert Text | Paste the content of the certificate text file into the text box. |
Add | Adds the trusted entity (or peer) to the trusted peers list. |
Remove Selected | Select the check box next to the name and click Remove Selected. |

Control | Description |
Add a New Mobile Entity | Displays the controls for adding a trusted SteelHead Mobile entity. |
Optional Local Name | Optionally, specify a local name for the entity (for example, the fully qualified domain name). |
Local File | Browse to the local file. |
Cert Text | Paste the content of the certificate text file into the text box. |
Add | Adds the trusted entity (or peer) to the trusted peers list. |

Control | Description |
Trust Selected Peers (only SSL-capable or disconnected appliances are shown) | Specify this option to trust only SSL-capable or disconnected appliances. |
Trust All Peers | Specify this option to trust all peers. |
Update | Updates the policy to reflect the new settings. |