Accelerating SaaS Traffic
This topic provides an overview of the SaaS Accelerator service.
This topic focuses on SaaS Accelerator on the SCM. For complete end-to-end instructions for configuring SaaS acceleration on the SCM, SteelHead, and SteelHead Mobile, see the SaaS Accelerator User Guide.
About SaaS Accelerator
SteelHeads and SteelHead Mobile clients can accelerate SaaS traffic by working with SteelConnect. Through SteelConnect Manager (SCM), you can configure SaaS applications for acceleration, and then register SteelHeads or Mobile Controllers with SCM to accelerate their SaaS traffic.
SaaS Accelerator is a service that consists of these components:
• SaaS Application - The application delivered as Software as a Service.
• SteelConnect Manager (SCM) - SteelConnect Manager provides the management interface for SaaS acceleration and manages the acceleration for registered SteelHeads and SteelHead Mobile clients. SCM also configures and manages the SaaS service cluster.
• Organization - SCM allows logical separation and segmentation of resources into organizations to support multi-tenant deployments. You can have different organizations to support deployments in different regions. You deploy SaaS Accelerator within an organization.
• Client-side SteelHead - The SteelHead (SteelHead SD and RiOS-based appliances) located in the customer branch office that intercepts any connections destined for the SaaS platform to be accelerated.
• SaaS service cluster - A cluster of service instances behind a service endpoint that peers with client-side SteelHeads. Application acceleration occurs between the client-side SteelHead and the SaaS service cluster. SCM configures and manages the SaaS service cluster.
• Service instance - An application optimization service node deployed in a SaaS service cluster.
• SteelHead Mobile clients - SteelHead Mobile clients can accelerate SaaS traffic by connecting directly to the SaaS service cluster. SteelHead Mobile clients get their SaaS acceleration configuration through the policy defined in the SteelCentral Controller for SteelHead Mobile.
When you configure a SaaS application for acceleration, SCM deploys a SaaS service cluster in a public cloud to accelerate SaaS traffic. (You do not need a cloud account, and Riverbed configures and manages the SaaS service cluster.) Each SaaS application is accelerated by a dedicated service cluster. For best performance, you need to deploy the SaaS service cluster in the same region as the SaaS application servers.
The service endpoint is the IP address and port where client-side SteelHeads connect to the SaaS service cluster, and you need to open port 7810 on the firewall to allow for this communication.
With SaaS acceleration configured in SCM, the end-user traffic meant for the SaaS server goes to the client-side SteelHead. The client-side SteelHead has in-path rules configured that direct the traffic to the SaaS service cluster, and the SaaS service cluster forwards the traffic to the SaaS server. The traffic between the client-side SteelHead and the SaaS service cluster is accelerated.
SaaS acceleration overview
The SaaS Accelerator automatically manages SSL certificates and proxy peering.
Supported SaaS applications
The SCM 2.12 release supports accelerating these applications:
• Box
• Microsoft Office 365 (including Exchange, SharePoint, Office WebApps, and Authentication and Identity Services)
• Salesforce
• ServiceNow
• Veeva
Riverbed periodically adds support for SaaS providers.
SaaS Accelerator licensing
SaaS Accelerator is a service, and the license defines the parameters of the service. A SaaS Accelerator license applies to an SCM organization for a specific time period and includes these components:
• AppUnits - This component defines how many users can accelerate SaaS traffic for an application. You specify the number of users to support when you configure acceleration for an application. The number of users allowed is determined by the number of available AppUnits and by the minimum and maximum number of users supported by the application. When configured, SCM allocates the AppUnits to the application.
AppUnits provide flexibility so you can easily change which applications to accelerate, or resize your configuration based on usage.
This table provides guidance for AppUnits for each currently supported SaaS application.
SaaS applications | Minimum/maximum number of users | AppUnits per user |
Box | 400 – 10,000 | 5 |
Microsoft Office 365 | 200 – 5000 | 10 |
Salesforce | 200 – 5000 | 10 |
ServiceNow | 200 – 5000 | 10 |
Veeva | 200 – 5000 | 20 |
As you configure SaaS acceleration in the SCM, tooltips provide recommendations specific to each application.
• AppData - This component defines the amount of egress data (in GiB) allowed through the SaaS service cluster. You can track the amount of data used on the Optimization > SaaS Data usage page.
Each AppUnit includes 0.3 GiB of AppData. For example, if you buy 10,000 AppUnits, you can deploy 1000 users for Office 365, and you would get a total of 3000 GiB per month for those users. With a yearly subscription, that provides a pool of 36,000 GiB (12 months x 3000 GiB per month).
AppData is pooled for all applications and all users. AppData allows monthly carryovers through the end of the subscription, providing flexibility for usage variations.
You can purchase additional AppUnits or AppData through add-on licenses.
The SaaS Accelerator license is specific to your SCM organization, not per SteelHead appliance. You can register any number of SteelHead appliances in your organization with the SCM managing the SaaS Accelerator service.
Before you activate SaaS Accelerator on a client-side SteelHead appliance, ensure that you account for the added connection and throughput usage in the same way you would when introducing any other additional application for optimization on the SteelHead appliance. Registering a SteelHead appliance with the SaaS Accelerator service does not change the optimized session limit for that appliance.
User and data limits are enforced based on the available license.
Service cluster limits
The SaaS service cluster has the following deployment characteristics:
• A SaaS service cluster for any application can handle a maximum of 50,000 connections.
• The minimum size of the service cluster depends on the license. The minimum license is 2000 AppUnits and the minimum number of users is 200 for Microsoft Office 365, Salesforce, ServiceNow, and Veeva and 400 for Box.
• SaaS service clusters deployed in different SCM organizations are independent of each other.
• Each SCM organization can deploy only one cluster per SaaS application.
SaaS Accelerator connection and user definition
This table provides some guidance to help size a SteelHead for use with SaaS Accelerator.
SaaS applications | Minimum/maximum number of users | Connections per user |
Box | 400 – 10,000 | 5 connections |
Microsoft Office 365 | 200 – 5000 | 10 connections |
Salesforce | 200 – 5000 | 10 connections |
ServiceNow | 200 – 5000 | 10 connections |
Veeva | 200 – 5000 | 10 connections |
SaaS Accelerator lets individual users consume more TCP connections than the per-user allocation, but it does not allow the total number of TCP connections for the SaaS acceleration cluster to exceed the limit. If you exceed the total number of available connections for the cluster, or if the number of active users is significantly higher than the configured value, SaaS Accelerator enters admission control, and new connections matching the SaaS application defined in the client-side appliance in-path rule are not accelerated.
Compatibility with SteelHead models
SaaS Accelerator is supported on SteelHead models CX255, CX570, CX770, CX3070, CX5070, CX7070, CX5080, CX7080, and GX10000. All SteelHead SD and SteelHead (virtual edition) models also support SaaS Accelerator.
The SteelHead requires RiOS software 9.8.1 or later.
Configuring SaaS acceleration
You configure SaaS acceleration through the SteelConnect Manager (SCM) as well as the client-side SteelHead and/or the Mobile Controller. After you configure the environment, you configure SaaS acceleration on a per-application basis.
Before you begin
Before you begin, ensure you have a license for the SaaS Accelerator and your environment meets these requirements:
• SteelHead appliances require version 9.8.1 software or later.
• SCM requires version 2.12 or later.
• SteelCentral Controller for SteelHead Mobile requires version 6.1.0 or later.
Licensing the SCM for SaaS acceleration
When you purchase SaaS Accelerator, Riverbed emails you a license token that you need to redeem through SCM.
To install your licenses for SaaS acceleration
1. Sign in to the SCM that will manage the SaaS acceleration.
2. Choose Organization > Licenses and click Redeem Token.
The Redeem Token dialog box appears.
Redeem token dialog box
3. Enter the token and click Submit.
The SaaS Accelerator pages are now available, and you can review your license details on the Organization > Licenses page. Click the license serial number to show the details.
License details
Configuring SSL optimization
SSL optimization is required for SaaS acceleration, and you need to generate a root CA certificate before you can configure SaaS acceleration. A root CA certificate automatically generates trusted certificates to sign optimized TLS/SSL traffic.
The SCM uses the root CA certificate to sign peering and proxy certificates, which it pushes to the SaaS service cluster. When a client-side SteelHead is moved to the SCM whitelist, the SCM pushes the peering certificate signed by its root CA to the client-side SteelHead, and the client-side SteelHead uploads its own peering certificate to the SCM, which the SCM then pushes to the service cluster. This exchange establishes the trust relationship between the client-side SteelHead and the SaaS service cluster.
You also need to install the certificate from the SCM on each client system to complete the trust relationship.
SSL optimization with peering certificates
If there are any changes to the root CA certificate, SCM automatically updates the client-side SteelHead and the SaaS service cluster to maintain the trust relationship.
SCM users with read-only permissions are not allowed to generate certificates or configure SaaS acceleration.
To enable automatic signing and generate a root CA certificate
1. In SCM, choose Optimization > SSL Optimization and click Generate Root CA Certificate.
The Generate Self Signed Certificate dialog box appears.
Generate Self Signed Certificate dialog box
2. Provide the following information.
Field | Description |
Common name | Specify the common name of the root CA certificate. |
Organization | Optionally, specify the organization name (for example, the company). |
Organization unit | Optionally, specify the organization unit name (for example, the section or department). |
Locality | Optionally, specify the city. |
State | Optionally, specify the state. |
Country | Optionally, specify the country (2-letter code only). |
Email address | Optionally, specify the email address of the contact person. |
RSA cipher bits | Select the key length from the drop-down list. The default value is 2048. |
Validity period (days) | Specify how many days the root CA certificate is valid. The default value is 730 days (two years). |
3. Click Submit.
SCM creates the root CA certificate.
4. Copy or download the root CA certificate from SCM and install it in end-user client systems.
Copy or download the signing certificate
An active Root Certificate Authority (CA) enables clients to accelerate SaaS traffic when SaaS applications are configured on the SaaS Accelerator page. The root CA certificate needs to be deployed into the Trusted Root Certification Authority certificate store on your clients. Your clients can then automatically use certificates issued by this trusted root CA to accelerate encrypted SaaS traffic.
To delete the certificate
1. In SCM, choose Optimization > SSL Optimization.
2. Click Delete Root CA Certificate.
You are prompted to confirm this action.
3. Click Confirm.
The root CA certificate is removed from the system and new SaaS connections will not be accelerated.
Configuring SaaS applications for acceleration
After you have licensed the SaaS Accelerator and configured SSL optimization, you can set up acceleration for SaaS applications.
To configure SaaS applications for acceleration
1. In SCM, choose Optimization > SaaS Accelerator and click Accelerate Application.
The Accelerate Application pane appears.
Configuring applications for SaaS acceleration
2. Select the application from the drop-down list.
3. Select the region from the drop-down list.
For best performance select the region closest to the data for the SaaS application. Once you deploy to a specific region, you cannot change it unless you delete the deployed application and set it up again with a different region.
4. Enter the number of Active Users.
Each application has a minimum and maximum number of users. The SCM provides guidelines for the limits as you type numbers in the field.
SCM uses the number of users to calculate the capacity of service instances in the SaaS service cluster based on the type of application.
SCM calculates the user limit based on the number of users, the application, and the available AppUnits.
We recommend that you select the number of users carefully for your business needs. You can change the number of users after deployment, but when you do, the acceleration feature is unavailable for up to 30 minutes while the service cluster updates.
5. Click Submit.
This creates the SaaS service cluster dedicated to accelerating traffic for this application.
Deployment can take up to 20 minutes, and you cannot edit the configuration while the configuration is in process.
When deployed, you see the SaaS application, the service endpoint, and service status. The service status appears as a green check mark when deployed and ready for optimization.
Status for deployed application
6. As needed, open port 7810 for the service endpoint IP address on your firewall.
The SaaS service cluster and client-side SteelHeads need to be able to connect to this location.
To stop SaaS acceleration for an application
1. Choose Optimization > SaaS Accelerator and click the application to stop accelerating.
2. From the Actions drop-down list, select Terminate SaaS acceleration.
3. When prompted, click Confirm.
When you terminate SaaS acceleration for an application, you remove the SaaS service cluster that was deployed in the cloud to support the acceleration.
Configuring SaaS acceleration on the client-side SteelHead
When you have configured SteelConnect Manager for SaaS acceleration, you can configure client-side SteelHead appliances. For more information and detailed steps, see the SaaS Accelerator User Guide or the SteelHead User Guide.
Configuring SaaS acceleration on SteelHead Mobile
When you have configured SteelConnect Manager for SaaS acceleration, you can configure the Mobile Controller and create a client policy to accelerate Mobile Client SaaS traffic. For more information and detailed steps, see the SaaS Accelerator User Guide or the SteelCentral Controller for SteelHead Mobile User Guide.
Controlling appliance access
When a client-side SteelHead registers with SCM, the SteelHead is added to the access list on the SaaS Client Appliances page. An entry appears in the peering list with the appliance serial number, access list status, peering certificate status, date of last contact, and notes. The access lists are designated by these categories:
• Graylist - Indicates a SteelHead of unknown status. This list serves as a temporary holding place for all registered SteelHeads that are attempting to establish SaaS acceleration. You can move these appliances to the whitelist or blacklist, but you cannot move appliances to the graylist.
• Whitelist - Indicates a trusted SteelHead or Mobile Controller. When you move an appliance to the whitelist, the appliance’s peering certificate is copied to the SaaS service cluster and other peer appliances. Once an appliance has been whitelisted, subsequent peering CA uploads automatically replace the older peering CA and changes are pushed out to the SaaS service cluster and SCM managed SteelHeads.
• Blacklist - Indicates untrusted SteelHeads and Mobile Controllers. When you select blacklist for a peer in a whitelist or graylist, SCM removes the peering CA that it uploaded from the appliance and stops acceleration. You can move appliances between the whitelist and the blacklist. (Note: Connections are expected to fail for approximately an hour when moved from the blacklist to the whitelist.)
When you have configured SteelHead appliances and Mobile Controllers to use the SaaS acceleration service, you need to move those systems to the whitelist on the SCM to indicate trust and allow acceleration.
To change the access list status for an appliance
1. In SCM, choose Optimization > SaaS Client Appliances.
2. Select the row for the appliance to change.
The appliance settings pane appears.
Changing access list status
3. From the Access list drop-down list, select the type of list for the appliance.
4. Click Submit.
Resizing a SaaS service cluster
You can resize a SaaS service cluster from SCM.
To resize a SaaS service cluster
1. Choose Optimization > SaaS Accelerator and select the application row.
The application settings pane appears.
2. In the application settings, change the number of users.
This adjusts the capacity of the cluster without changing the service endpoint. This operation can take up to 30 minutes.
When you resize a service cluster, the cache is cleared (all traffic will be cold) and proxy and peer certificates will be auto-signed again.
Deleting appliances from the SCM
If you no longer want an appliance to be part of your SaaS acceleration service, you can permanently remove an appliance from the SCM configuration. This is a permanent alternative to blacklisting.
The preferred method is to deregister from the client appliance. When you do this, SCM automatically removes the appliance and updates its configuration.
To delete an appliance from SCM SaaS acceleration
1. Choose Optimization > SaaS Client Appliances and select the appliance row.
The appliance pane appears.
2. From the Actions drop-down list, select Delete this appliance.
3. When prompted, click Confirm.
You should also deregister this appliance (using the client’s web interface) after deleting the appliance from SCM.
Monitoring SaaS Acceleration
This section describes how to monitor SaaS Accelerator components and usage.
Monitoring AppUnit usage
AppUnits are required for SaaS acceleration, and you need available AppUnits to configure applications for SaaS acceleration.
To view AppUnit usage
1. Choose Optimization > SaaS Accelerator.
2. From the Accelerate Application drop-down list, choose AppUnits Usage.
AppUnits Usage from Accelerate Application drop-down list
The AppUnits Usage dialog box shows the AppUnits purchased, the AppUnits assigned, and the available AppUnits.
AppUnit usage
This dialog box also shows the current assignments for configured SaaS applications.
Monitoring SaaS connections
The SaaS Accelerator Connection Count report shows information about SSL/TLS connections for accelerated applications. Monitor this page to ensure your connection count remains below your connection limit.
To view connection usage
1. Choose Optimization > SaaS Connection Count.
The SaaS Accelerator Connection Count page appears.
SaaS Accelerator Connection Count report
2. From the SaaS Application drop-down list, select to view all application connections or select a specific application.
3. Specify a time period for the report.
This can range from the last hour to the last year.
The report shows the concurrent SSL/TLS connections count for the selected application. Click the Connection Limit link at the bottom of the chart to display the connection limit based on the user limit specified on the SaaS Accelerator page when you configured the acceleration for the application.
Monitoring SaaS data usage
The SaaS Data Usage report shows the amount of SaaS service data used since the SaaS Accelerator feature was licensed.
To view data usage
1. Choose Optimization > SaaS Data Usage.
The SaaS Accelerator Cumulative Egress Data Usage page shows the usage history.
SaaS total data usage
2. Select the Data Usage Trend tab to view application-specific data usage and see how application usage compares to overall usage.
Select Data Purchased (under the graph) to show how your data usage compares to the data limit provided by your license.
SaaS data usage trend
Monitoring data reduction for accelerated SaaS traffic
The SaaS Traffic Summary report shows the total data reduction provided by SaaS Accelerator since it was configured and lets you filter it by time period. The report also shows the data reduction for each configured SaaS application.
To view data reduction
• Choose Optimization > SaaS Traffic Summary.
The SaaS Traffic Summary page shows the overall data reduction and application details.
SaaS Data Reduction report
You can filter the results by time period ranging from the last hour to the last year.
The LAN Data column displays the amount of data transferred between the SaaS service cluster and the SaaS servers. The LAN data includes ingress and egress traffic on the SaaS LAN side.
The WAN Data column displays the amount of data transferred between the SaaS service cluster and the SteelHead clients. The WAN data includes ingress and egress traffic on the WAN side.
Data Reduction is a percentage based on LAN data compared to WAN data.
Monitoring certificate signing activity
From the SCM, you can download a compressed archive of log files that shows the history and details of the certificate signing operations for SaaS acceleration. The log includes information for root CA, proxy, and peering certificates.
To review the certificate activity and log
1. In SCM, choose Optimization > SSL Optimization.
2. Click the arrow to the right of Delete Root CA Certificate and click Download CA audit log.
Downloading the CA audit log
Your browser downloads a ZIP-format archive file to your computer. Depending on your browser configuration, it might prompt you for a location to store the file or simply store the file in your default Downloads folder. The default name for this file is Organization_SteelConnect_CA_Audit_Log.zip where Organization is the short name of your organization.
Opening the archive displays a text file with a name in the format:
SteelSecure_org-Organization-xxxxxxxxxxxxxxxx_audit.txt
where Organization-xxxxxxxxxxxxxxxx identifies your organization. This is the most recent audit log of certificate activity. There might be additional files with a date/time string appended. Each of these files contains audit log records for a previous period up to the date and time in the filename.
Each audit log consists of multiple lines of text that provide you the following details:
• A log line that includes:
– The date and time (in UTC) that the operation occurred.
– The Certificate Authority operation that was performed (create a CA, delete a CA, sign a peering certificate, or sign a proxy certificate).
– The organization or SaaS Accelerator service instance for the operation.
– The common name (CN=) of the certificate.
• The full text of the certificate in base-64 (PEM) format.
When signing certificates for a SaaS Accelerator service instance, the log line includes the Service Endpoint IP address. This enables you to easily correlate proxy certificates with the accelerated SaaS service in case the common name is not self-explanatory.
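The following added example, which is not Riverbed code, parses an extracted audit text file into records and flags entries for review: a certificate signed for a Service Endpoint IP address you do not recognize, a common name issued again with a different certificate, and a log line with no certificate after it. The page does not give the exact log-line layout, so the sample lines, the assumption that CN= is the last field on the line, and all function names are constructed for illustration.

```python
import base64
import hashlib
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Set

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"
CN_RE = re.compile(r"CN=([^,/]+)")  # assumption: CN= is the last field on the line
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

@dataclass
class AuditRecord:
    log_line: str                 # raw line, kept verbatim for the analyst
    common_name: Optional[str]
    endpoint_ip: Optional[str]    # only present on service-instance signings
    sha256: Optional[str] = None  # digest of the decoded PEM body

def first_ip(text: str) -> Optional[str]:
    for candidate in IPV4_RE.findall(text):
        try:
            return str(ipaddress.ip_address(candidate))
        except ValueError:  # e.g. 999.1.1.1 matches the regex but is not an address
            continue
    return None

def parse_audit_log(text: str) -> List[AuditRecord]:
    """Pair each log line containing CN= with the PEM block that follows it."""
    records: List[AuditRecord] = []
    pem: Optional[List[str]] = None  # None means "not inside a PEM block"
    for line in (raw.strip() for raw in text.splitlines()):
        if line == PEM_BEGIN:
            pem = []
        elif line == PEM_END:
            if pem is not None and records and records[-1].sha256 is None:
                der = base64.b64decode("".join(pem))
                records[-1].sha256 = hashlib.sha256(der).hexdigest()
            pem = None
        elif pem is not None:
            pem.append(line)
        elif "CN=" in line:
            m = CN_RE.search(line)
            records.append(AuditRecord(line, m.group(1).strip() if m else None, first_ip(line)))
    return records

def review(records: List[AuditRecord], known_endpoints: Set[str]) -> list:
    """Return (finding, common_name, detail) tuples for an analyst to triage."""
    findings, seen = [], {}  # seen: common name -> certificate digests logged so far
    for r in records:
        if r.endpoint_ip and r.endpoint_ip not in known_endpoints:
            findings.append(("unknown-endpoint", r.common_name, r.endpoint_ip))
        if r.sha256 is None:  # log line with no certificate after it
            findings.append(("missing-pem", r.common_name, None))
            continue
        digests = seen.setdefault(r.common_name, set())
        if digests and r.sha256 not in digests:
            findings.append(("reissued", r.common_name, r.sha256[:16]))
        digests.add(r.sha256)
    return findings

def fake_pem(payload: bytes) -> str:  # constructed stand-in, NOT a real certificate
    return f"{PEM_BEGIN}\n{base64.b64encode(payload).decode()}\n{PEM_END}\n"

SAMPLE_LOG = (  # constructed; the page does not give the real log-line layout
    "2019-03-01 10:00:00 UTC create CA org-Example CN=Example Root CA\n" + fake_pem(b"root")
    + "2019-03-01 10:20:00 UTC sign proxy 203.0.113.10 CN=*.saas.example\n" + fake_pem(b"proxy-1")
    + "2019-04-02 08:00:00 UTC sign proxy 203.0.113.10 CN=*.saas.example\n" + fake_pem(b"proxy-2")
    + "2019-04-02 08:05:00 UTC sign proxy 198.51.100.7 CN=*.other.example\n" + fake_pem(b"proxy-3")
    + "2019-04-02 08:06:00 UTC sign peering CN=APPLIANCE-SERIAL-PLACEHOLDER\n"
)

if __name__ == "__main__":
    print(*review(parse_audit_log(SAMPLE_LOG), {"203.0.113.10"}), sep="\n")
```

Pass the service endpoint addresses shown on the Optimization > SaaS Accelerator page as `known_endpoints`. A `reissued` finding is expected after a cluster resize, because proxy and peer certificates are auto-signed again at that point.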
Monitoring SaaS service cluster status
From SCM, you can monitor the status of the SaaS service cluster for each accelerated application. Choose Optimization > SaaS Accelerator to display the status.
SaaS service cluster status
The service status can be one of these values:
• Healthy (Green) - The service cluster is operating normally and is capable of acceleration.
• Degraded (Yellow) - The service cluster is not functioning at full capacity.
• Critical (Red) - The service cluster is unavailable and is not accelerating SaaS traffic.