About Best Practices
  
About Best Practices
Use these best practices when working with SCC versions 9.9 and later. This section provides a brief overview and links to more detailed information.
For best practices related to earlier versions, refer to the documentation specific to those releases.
About latency detection
When peer SteelHead appliances are geographically close — such as in full-mesh topologies — network latency can be very low. In these cases, simply passing traffic through may be faster than optimizing it.
Previously, you had to manually create in-path rules for each connection you wanted to bypass optimization, which was difficult in large networks. Now, latency detection policies let you globally control whether peer SteelHeads pass through or optimize traffic based on latency. You can still override this behavior for specific connections by creating an in-path rule and selecting the option to ignore latency detection.For more information, see these topics:
About policy types
Peering rules
In-path rules
About the Appliance Details report
About peering mode for client authentication
Introduced in SCC 9.8 (CLI only), peering mode for client authentication can now be configured in the GUI. When using peering mode client authentication, the SteelHead acts as a trusted “man‑in-the-middle.” When a client certificate request arrives from the server:
1. The server-side SteelHead replies to server’s client certificate request with its own peering certificate.
2. The client-side SteelHead requests a client certificate in response to the client hello.
3. The client-side SteelHead authenticates the client certificate using the existing trusted CA repository.
This mode supports the Ephemeral Diffie-Hellman key exchange.
When upgrading to SCC 9.9, the client authentication setting of any appliance managed by SCC will be overwritten.
For more information, see Advanced settings (SSL).
About Riverbed software image verification
Riverbed software images are now digitally signed, ensuring the integrity and authenticity of the image. Verifying an image is performed by comparing a public key, or image signing certificate, with the image signature. The public key for Riverbed images can be found at https://support.riverbed.com.
Image verification is enabled by default. We strongly recommend that it remain enabled at all times. Disable this feature only when absolutely necessary.
About enhanced host proxy settings
In SCC 9.9 and later, you can configure proxy addresses for web or FTP proxy access to managed SteelHead appliances. Additionally, you can create a whitelist of domains to allow direct SteelHead to SCC communication. For more information, see Configuring proxy settings.