About SMB signing
You display and modify SMB signing settings under Optimization > Protocols: CIFS (SMB1) and Optimization > Protocols: SMB2/3.
When sharing files, Windows provides the ability to sign CIFS messages to prevent man-in-the-middle attacks. Each CIFS message has a unique signature that prevents the message from being tampered with. This security feature is called SMB signing.
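As an added illustration of the per-message signature described above (example code, not Riverbed's or Microsoft's), the following Python builds a minimal SMB2 header, signs it the way SMB 2.x does (HMAC-SHA256 over the whole message with the Signature field zeroed, keeping the first 16 bytes), verifies it, and shows that a modified message or a wrong session key fails verification. The session key, command and payload are constructed values; SMB 3.x uses AES-CMAC or AES-GMAC with a derived signing key instead, which this example does not implement.

```python
"""Added example (not Riverbed's code): sign and verify an SMB2 message.

Header layout follows the 64-byte SMB2 header; the session key is a
constructed value, not one derived from a real NTLM/Kerberos exchange.
"""
import hashlib
import hmac
import struct

SMB2_MAGIC = b"\xfeSMB"
SMB2_HEADER_LEN = 64
SMB2_FLAGS_SIGNED = 0x00000008   # SMB2_FLAGS_SIGNED in the Flags field
FLAGS_OFFSET = 16                # offset of Flags within the header
SIGNATURE_OFFSET = 48            # offset of the 16-byte Signature field
SMB2_CREATE = 0x0005             # command code used for the demo message

SESSION_KEY = bytes(range(16))   # constructed session key for the demo


def build_smb2_header(command, message_id, session_id, flags=0):
    """Pack a 64-byte SMB2 header with an all-zero signature."""
    return struct.pack(
        "<4sHHIHHIIQIIQ16s",
        SMB2_MAGIC,        # ProtocolId
        SMB2_HEADER_LEN,   # StructureSize
        0,                 # CreditCharge
        0,                 # Status
        command,           # Command
        1,                 # CreditRequest
        flags,             # Flags
        0,                 # NextCommand
        message_id,        # MessageId (unique per message, so is the MAC)
        0,                 # Reserved
        1,                 # TreeId
        session_id,        # SessionId
        b"\x00" * 16,      # Signature (filled in by sign_message)
    )


def _smb2_signature(session_key, message):
    """HMAC-SHA256 over the message with the Signature field zeroed, truncated to 16 bytes."""
    zeroed = message[:SIGNATURE_OFFSET] + b"\x00" * 16 + message[SIGNATURE_OFFSET + 16:]
    return hmac.new(session_key, zeroed, hashlib.sha256).digest()[:16]


def is_signed(message):
    """True when the sender set SMB2_FLAGS_SIGNED (useful when auditing a capture)."""
    return bool(struct.unpack_from("<I", message, FLAGS_OFFSET)[0] & SMB2_FLAGS_SIGNED)


def sign_message(session_key, message):
    """Set the signed flag and write the MAC into the Signature field."""
    flags = struct.unpack_from("<I", message, FLAGS_OFFSET)[0] | SMB2_FLAGS_SIGNED
    message = message[:FLAGS_OFFSET] + struct.pack("<I", flags) + message[FLAGS_OFFSET + 4:]
    sig = _smb2_signature(session_key, message)
    return message[:SIGNATURE_OFFSET] + sig + message[SIGNATURE_OFFSET + 16:]


def verify_message(session_key, message):
    """Recompute the MAC and compare in constant time; unsigned messages fail."""
    if len(message) < SMB2_HEADER_LEN or message[:4] != SMB2_MAGIC:
        return False
    if not is_signed(message):
        return False
    expected = _smb2_signature(session_key, message)
    return hmac.compare_digest(expected, message[SIGNATURE_OFFSET:SIGNATURE_OFFSET + 16])


def demo():
    """Return (valid_ok, tampered_ok, wrong_key_ok) for a constructed CREATE request."""
    header = build_smb2_header(SMB2_CREATE, message_id=7, session_id=0x1122334455667788)
    body = b"\x39\x00" + b"\x00" * 30          # constructed payload bytes
    signed = sign_message(SESSION_KEY, header + body)
    tampered = signed[:-4] + b"\xff" * 4        # modify the payload after signing
    return (
        verify_message(SESSION_KEY, signed),
        verify_message(SESSION_KEY, tampered),
        verify_message(b"wrong-session-key", signed),
    )


if __name__ == "__main__":
    print(demo())   # (True, False, False)
```

The `is_signed` check on its own is the one to run over captured headers when confirming that a client/server pair is really negotiating signing rather than merely advertising it.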
You can enable the RiOS SMB signing feature on a server-side SteelHead to alleviate latency in file access with CIFS acceleration while maintaining message security signatures. With SMB signing on, the SteelHead optimizes CIFS traffic by providing bandwidth optimizations (SDR and LZ), TCP optimizations, and CIFS latency optimizations—even when the CIFS messages are signed.
RiOS includes support for optimizing SMB3-signed traffic for native SMB3 clients and servers. You must enable SMB3 signing if the client or server uses any of these settings:
• SMB2/SMB3 signing set to required. SMB3 signing is enabled by default.
• SMB3 secure dialect negotiation (enabled by default on the Windows 8 client).
• SMB3 encryption.
RiOS includes support for optimizing SMB2-signed traffic for native SMB2 clients and servers. SMB2 signing support includes:
• Windows domain integration, including domain join and domain-level support.
• Authentication using transparent mode and delegation mode. Delegation mode is the default for SMB2. Transparent mode works out of the box with Windows Vista (but not Windows 7). To use transparent mode with Windows 7, you must join the server-side SteelHead to the domain using Active Directory integration (Windows 2003) or Active Directory integration (Windows 2008 and later).
• Secure inner-channel SSL support.
The RiOS SMB signing feature works with Windows domain security and is fully compliant with the Microsoft SMB signing v1, v2, and v3 protocols. RiOS supports domain security in both native and mixed modes for:
• Windows 2000
• Windows 2003 R2
• Windows 2008
• Windows 2008 R2
The server-side SteelHead in the path of the signed CIFS traffic becomes part of the Windows trust domain. The Windows domain is either the same as the domain of the user or has a trust relationship with the domain of the user. The trust relationship can be either a parent-child relationship or an unrelated trust relationship.
RiOS optimizes signed CIFS traffic even when the logged-in user or client machine and the target server belong to different domains, provided these domains have a trust relationship with the domain the appliance has joined. RiOS supports delegation for users that are in domains trusted by the server's domain. The trust relationships include:
• a basic parent and child domain relationship. Users from the child domain access CIFS/MAPI servers in the parent domain. For example, users in ENG.RVBD.COM accessing servers in RVBD.COM.
• a grandparent and child domain relationship. Users from the grandparent domain access resources from the child domain. For example, users from RVBD.COM accessing resources in DEV.ENG.RVBD.COM.
• a sibling domain relationship. For example, users from ENG.RVBD.COM access resources in MARKETING.RVBD.COM.
The process RiOS uses to authenticate domain users depends upon the release version.
RiOS features these authentication modes:
• NTLM delegation mode—Uses Kerberos delegation architecture to authenticate signed packets between the server-side SteelHead and any configured servers participating in the signed session. NTLM is used between the client-side appliance and server-side SteelHead. This is the default mode for SMB2. SMB2 delegation mode supports Windows 7 and Samba 4 clients. Delegation mode requires additional configuration of Windows domain authentication.
• NTLM transparent mode—Uses NTLM authentication end to end between the client-side and server-side appliances and between the server-side SteelHead and the server. This is the default mode for SMB1. Transparent mode supports all Windows servers, including Windows 2008 R2, that have NTLM enabled. It is easier to configure.
• Kerberos authentication support—Uses Kerberos authentication end to end between the client-side appliance and the server-side SteelHead and the server-side SteelHead and the server. Kerberos authentication requires additional configuration of Windows domain authentication.
Transparent mode does not support:
• Windows 7 clients. RiOS supports transparent mode with Windows 7 clients only when you join the server-side SteelHead using Active Directory integration (Windows 2008).
• Windows 2008 R2 domains that have NTLM disabled.
• Windows servers that are in domains with NTLM disabled.
• Windows 7 clients that have NTLM disabled.
You can enable extra security using the secure inner channel. The peer appliances using the secure channel encrypt signed CIFS traffic over the WAN.
SMB signing prerequisites and recommendations
• With RiOS SMB signing enabled, RiOS appliances sign the traffic between the client and the client-side appliance and between the server and the server-side SteelHead. The traffic is not signed between the appliances, but the appliances implement their own integrity mechanisms. Whether RiOS appliances are used or not, SMB-signed traffic is only signed, not encrypted. For maximum security, we recommend that you configure the appliances as SSL peers and use the secure inner channel to secure the traffic between them.
• If you already have a delegate user and are joined to a domain, enabling SMB2 signing works with no additional configuration.
• SMB signing requires joining a Windows domain. It is vital to set the correct time zone for joining a domain. The most common reason for failing to join a domain is a significant difference in the system time on the Windows domain controller and the RiOS appliance. When the time on the domain controller and the RiOS appliance do not match, this error message appears:
lt-kinit: krb5_get_init_creds: Clock skew too great
We recommend using NTP time synchronization to synchronize the client and server clocks. It is critical that the RiOS appliance time is the same as on the Active Directory controller. Sometimes an NTP server is down or inaccessible, in which case there can be a time difference. You can also disable NTP if it is not being used and manually set the time. You must also verify that the time zone is correct.
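As an added check for the clock-skew failure described above (example code, not part of the RiOS documentation), the following Python sends a raw SNTP request to a time source, such as the NTP server the domain controller uses, and reports whether the local clock is within the Kerberos tolerance. The 300-second limit is the usual Kerberos default and is an assumption here, as is the server name used when the script is run without arguments.

```python
"""Added example (not Riverbed's code): measure clock offset against an NTP
server and compare it with the Kerberos clock-skew tolerance.

MAX_SKEW_SECONDS = 300 is the common Kerberos default (assumed, not taken
from the RiOS documentation).
"""
import socket
import struct
import sys
import time

NTP_EPOCH_OFFSET = 2208988800   # seconds from 1900-01-01 to 1970-01-01
NTP_PORT = 123
MAX_SKEW_SECONDS = 300


def parse_ntp_response(data):
    """Return the server's Transmit Timestamp (bytes 40-47) as Unix seconds."""
    if len(data) < 48:
        raise ValueError("short NTP response")
    secs, frac = struct.unpack("!II", data[40:48])
    return secs - NTP_EPOCH_OFFSET + frac / 2 ** 32


def ntp_time(server, timeout=3.0):
    """Send a minimal SNTP client request (LI=0, VN=3, Mode=3) and parse the reply."""
    request = b"\x1b" + b"\x00" * 47
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (server, NTP_PORT))
        data, _ = sock.recvfrom(48)
    return parse_ntp_response(data)


def skew_report(local_time, reference_time, max_skew=MAX_SKEW_SECONDS):
    """Return (offset_seconds, within_tolerance); positive offset means local clock is ahead."""
    skew = local_time - reference_time
    return skew, abs(skew) <= max_skew


def check_against_ntp(server):
    """Live check: compare this host's clock with the given NTP server."""
    return skew_report(time.time(), ntp_time(server))


if __name__ == "__main__":
    # Server name is an assumption; pass the DC's NTP source as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "pool.ntp.org"
    offset, ok = check_against_ntp(target)
    verdict = "OK" if ok else "exceeds Kerberos tolerance (expect 'Clock skew too great')"
    print(f"offset {offset:+.3f}s against {target}: {verdict}")
```

Run it on a host whose clock you have already aligned with the domain controller, then on the appliance side, to see which of the two is drifting before adjusting NTP or the time zone.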
• Both the client and the server must support SMB2 and SMB3 to use RiOS SMB2 and SMB3 signing.
Verifying the domain functional level and host settings
Verify the domain and DNS settings before joining the Windows domain and enabling SMB signing for delegation mode and replication mode.
1. If you are using delegation mode or configuring replication users, verify that the Windows domain functionality is at the Windows 2003 level or higher. In Windows, open Active Directory Users and Computers on the domain controller, choose Domain Name, right-click, and select Raise Domain functionality level. If the domain is not already at the Windows 2003 level or higher, manually raise the domain functionality.
If replication users are configured to use password replication policy (PRP), the domain functional level must be Windows 2008 or higher.
After you raise the domain level, you cannot lower it.
For details, see the Microsoft Windows Server 2003 Active Directory documentation:
2. Identify the full domain name, which must be the same as DNS. You must specify this name when you join the server-side SteelHead to the domain.
3. Identify the short (NetBIOS) domain name by pressing Ctrl+Alt+Del on any member server. You must explicitly specify the short domain name when the RiOS appliance joins the domain if it does not match the leftmost portion of the fully qualified domain name.
4. Make sure that the primary or auxiliary interface for the server-side SteelHead is routable to the DNS and the domain controller.
5. Verify the DNS settings.
You must be able to ping the server-side SteelHead, by name, from a CIFS server joined to the same domain that the server-side SteelHead joins. If you cannot, you must manually create an entry in the DNS server for the server-side SteelHead and perform a DNS replication prior to joining the Windows domain. The appliance does not automatically register the required DNS entry with the Windows domain controller.
You must be able to ping the domain controller, by name, whose domain the server-side SteelHead joins. If you cannot, choose Networking > Networking: Host Settings to configure the DNS settings.
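A preflight script that exercises steps 1 through 5 above from any host on the server-side network, added here as example code (not Riverbed's). Host names and addresses are constructed placeholders; the functional-level numbers are the Active Directory rootDSE `domainFunctionality` values (2 = Windows 2003, 3 = Windows 2008) and the probe ports (53 for DNS, 88 for Kerberos, 389 for LDAP) are assumptions chosen to show routability to the DNS server and domain controller.

```python
"""Added example (not Riverbed's code): preflight for the domain-join
prerequisites: functional level, NetBIOS name derivation, DNS entries and
routability to DNS and the domain controller.
"""
import socket

# rootDSE domainFunctionality values (assumed here; read them with an LDAP query).
WIN2003_LEVEL = 2
WIN2008_LEVEL = 3


def functional_level_ok(level, need_prp=False):
    """Delegation/replication users need Windows 2003+; PRP raises the bar to 2008+."""
    return level >= (WIN2008_LEVEL if need_prp else WIN2003_LEVEL)


def default_netbios_name(fqdn):
    """Leftmost DNS label, upper-cased: the short name inferred from the FQDN."""
    return fqdn.strip(".").split(".")[0].upper()


def netbios_matches_fqdn(domain_fqdn, netbios_name):
    """False means the short (NetBIOS) name must be given explicitly at join time."""
    return default_netbios_name(domain_fqdn) == netbios_name.upper()


def resolve(name):
    """Forward DNS lookup; None when the name has no entry (the appliance case in step 5)."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def tcp_reachable(host, port, timeout=2.0):
    """Cheap routability probe: can a TCP connection to host:port be opened?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def preflight(appliance_fqdn, dc_fqdn, dns_server, domain_fqdn, netbios_name):
    """Run the checks and return {check_name: passed}; the network checks are live."""
    dc_ip = resolve(dc_fqdn)
    return {
        "netbios_name_derivable": netbios_matches_fqdn(domain_fqdn, netbios_name),
        "appliance_has_dns_entry": resolve(appliance_fqdn) is not None,
        "dc_resolves_by_name": dc_ip is not None,
        "dns_server_reachable_tcp53": tcp_reachable(dns_server, 53),
        "dc_kerberos_reachable": dc_ip is not None and tcp_reachable(dc_ip, 88),
        "dc_ldap_reachable": dc_ip is not None and tcp_reachable(dc_ip, 389),
    }


if __name__ == "__main__":
    # All values below are constructed placeholders.
    results = preflight(
        appliance_fqdn="sh-server.eng.rvbd.com",
        dc_fqdn="dc01.eng.rvbd.com",
        dns_server="10.0.0.53",
        domain_fqdn="eng.rvbd.com",
        netbios_name="ENG",
    )
    for check, passed in results.items():
        print(f"{'PASS' if passed else 'FAIL'}  {check}")
```

A FAIL on `appliance_has_dns_entry` is the case step 5 warns about: the appliance does not register itself, so the record has to be created and replicated before the join.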
The next step is to join a Windows domain.
Joining a Windows domain
You join the domain on the server-side SteelHead under Optimization > Active Directory: Domain Join.
After you have joined the domain, the next step is to enable SMB signing.
Enabling SMB signing
After you have joined a Windows domain, you can enable SMB signing.
When SMB signing is set to Enabled for both the client-side and server-side SMB components (but not set to Required), and the RiOS Optimize Connections with Security Signatures feature is enabled, that feature takes priority and prevents SMB signing. You can resolve this by disabling the Optimize Connections with Security Signatures feature and restarting the SteelHead before enabling SMB signing.
The RiOS Optimize Connections with Security Signatures feature can lead to unintended consequences in the scenario when SMB signing is required on the client but set to Enabled on the server. With this feature enabled, the client concludes that the server does not support signing and might terminate the connection with the server as a result. You can resolve this by using one of these procedures before enabling this feature:
• Disable the Optimize Connections with Security Signatures feature and restart the SteelHead.
• Apply a Microsoft service pack update to the clients (recommended). You can download the update from the Microsoft Download Center:
http://support.microsoft.com/kb/916846
You enable SMB1 signing on the server-side SteelHead under Optimization > Protocols: CIFS (SMB1). Under SMB Signing, these configuration options are available:
Enable SMB Signing
Enables CIFS traffic optimization by providing bandwidth optimizations (SDR and LZ), TCP optimizations, and CIFS latency optimizations, even when the CIFS messages are signed. By default, this control is disabled. You must enable this control on the server-side SteelHead.
If you enable this control without first joining a Windows domain, a message tells you that the SteelHead must join a domain before it can support SMB signing.
NTLM Transparent Mode
Provides SMB1 signing with transparent authentication. The server-side SteelHead uses NTLM to authenticate users. Select transparent mode with Vista for the simplest configuration. You can also use transparent mode with Windows 7, provided that you join the server-side SteelHead using Active Directory integration.
NTLM Delegation Mode
Re-signs SMB signed packets using the Kerberos delegation facility. This setting is enabled by default when you enable SMB signing. Delegation mode is required for Windows 7, but works with all clients (unless the client has NTLM disabled).
Delegation mode requires additional configuration. Choose Optimization > Active Directory: Service Accounts or click the link provided in the CIFS Optimization page.
Enable Kerberos Authentication Support
Provides SMB signing with end-to-end authentication using Kerberos. The server-side SteelHead uses Kerberos to authenticate users.
In addition to enabling this feature, you must also join the server-side SteelHead to a Windows domain and add replication users under Optimization > Active Directory: Auto Config.
The server-side SteelHead must be running RiOS 7.0.x or later. The client-side SteelHead must be running RiOS 5.5 or later.
No configuration is needed on the client-side SteelHead.
If you want to use password replication policy (PRP) with replication users, Kerberos authentication requires additional replication user configuration on the Windows 2008 Domain Controller.
You enable SMB2/3 signing on the server-side SteelHead under Optimization > Protocols: SMB2/3. Under Signing, these configuration options are available:
Enable SMB2 and SMB3 Signing
Enables SMB2/3 traffic optimization by providing bandwidth optimizations (SDR and LZ), TCP optimizations, and SMB2/3 latency optimizations, even when the SMB2/3 messages are signed. By default, this control is disabled. You must enable this control on the server-side SteelHead.
If you are upgrading and already have a delegate user, and the SteelHead is already joined to a domain, enabling SMB2/3 signing works when enabled with no additional configuration.
If you enable this control without first joining a Windows domain, a message tells you that the SteelHead must join a domain before it can support SMB2/3 signing.
You must enable SMB2/3 latency optimization before enabling SMB2/3 signing. To enable SMB2/3 latency optimization, choose Optimization > Protocols: SMB2/3.
NTLM Transparent Mode
Provides SMB2/3 signing with transparent authentication. The server-side SteelHead uses NTLM to authenticate users. Select transparent mode with Vista for the simplest configuration. You can also use transparent mode with Windows 7, provided that you join the server-side SteelHead using Active Directory integration with Windows 2003 or 2008.
NTLM Delegation Mode
Re-signs SMB2/3 signed packets using the delegation facility. This setting is enabled by default when you enable SMB2/3 signing. Delegation mode is required for Windows 7 but works with all clients (unless the client has NTLM disabled).
Delegation mode requires additional configuration. Choose Optimization > Active Directory: Service Accounts or click the link in the CIFS Optimization page.
Enable Kerberos Authentication Support
Provides SMB2/3 signing with end-to-end authentication using Kerberos. The server-side SteelHead uses Kerberos to authenticate users.
Joining the server-side SteelHead
In addition to enabling SMB signing, you must also join the server-side SteelHead to a Windows domain and add replication users:
1. Choose Optimization > Active Directory: Domain Join to join the server-side SteelHead to a Windows domain.
2. Choose Optimization > Active Directory: Auto Config.
3. Choose Configure Replication Account to add the replication users.
For SMB3, the server-side SteelHead must be running RiOS 8.5 or later. The client-side SteelHead must be running RiOS 6.5 or later.
For SMB2, the server-side SteelHead must be running RiOS 7.0 or later. The client-side SteelHead must be running RiOS 6.5 or later.
No configuration is needed on the client-side SteelHead.
If you want to use password replication policy (PRP) with replication users, Kerberos authentication requires additional replication user configuration on the Windows 2008 domain controller.
If you enable or disable SMB2 or SMB3, you must restart the optimization service.