Managing SaaS Accelerator

Client Accelerator endpoints can accelerate SaaS traffic by working with SaaS Accelerator Manager (SAM). Through SAM, you can configure SaaS applications for acceleration, and then register Client Accelerator Controller with SAM to accelerate their SaaS traffic.

When you configure a SaaS application for acceleration, SAM deploys a SaaS service cluster in a public cloud to accelerate SaaS traffic. (You do not need a cloud account, and Riverbed configures and manages the SaaS service cluster.) Each SaaS application is accelerated by a dedicated service cluster. For best performance, you need to deploy the SaaS service cluster in the same region as the SaaS application servers.

Client Accelerator supports SaaS acceleration based on applications or application bundles. An application bundle enables you to set rules for a family of applications (such as Office 365) instead of configuring each application separately.

When you configure an in-path rule in a policy, you select SaaS Acceleration as the Destination Subnet and an application or application bundle for acceleration. This setting allows the client-side appliance to connect to the service endpoint of the SaaS service cluster that is deployed for the selected application.

You can enable client-side load balancing when you enable SaaS Acceleration. This suboption is only available when Enable SaaS Acceleration is enabled in the SaaS Acceleration page.

Load balancing provides even load distribution across virtual machines (VMs) in SaaS clusters, even with NATing and backhauling. Load balancing also allows larger SaaS deployments while keeping client affinity intact and provides faster recovery if a peer goes down.

You can view the service ports and ports opened on the server side in the SaaS Application table on the SaaS Accelerator page.

SaaS Accelerator is a Riverbed-managed cloud-based application optimization service.

Proxy chaining enables you to connect to third-party cloud access security broker (CASB) services. CASB services can enhance data security over cloud applications by providing you with a level of control and visibility similar to on-premises solutions. For details, see the SaaS Accelerator Manager User Guide.

Make sure you configure proxy chaining after you have enabled SaaS Acceleration. If you configure proxy chaining before you haven enabled SaaS Acceleration, you will receive an error message.

1. Follow SaaS acceleration procedures on the SaaS Accelerator Manager (SAM). For details see the SaaS Accelerator Manager User Guide.

Make sure you configure proxy chaining after you have enabled SaaS Acceleration. If you configure proxy chaining before you haven enabled SaaS Acceleration, you will receive an error message.

2. Enable CASB chaining on the SaaS Accelerator Manager (SAM). For details see the SaaS Accelerator Manager User Guide.

3. Enable SSL proxy chaining in Client Accelerator Controller SSL policies. Choose Manage > Policies > Create New Policy > SSL > Enable SSL Proxy Support.

4. Enable CASB chaining on the Client Accelerator Controller in SaaS Acceleration policies. Choose Manage > Policies > Create New Policy > SaaS Acceleration > Proxy Chaining Interoperability.

Before you can accelerate SaaS traffic, you need to perform these steps on SAM:

1. Enable automatic signing and certificate management capabilities. For details see the SaaS Accelerator Manager User Guide.

2. Configure SaaS applications for acceleration. For details see the SaaS Accelerator Manager User Guide.

When you have configured SAM for SaaS acceleration, you can configure the Client Accelerator Controller and create a client policy to accelerate Client Accelerator endpoint SaaS traffic.

You can also register the controller with SAM using the CLI. For more information, see the Riverbed Command-Line Interface Reference Manual.

2. On the controller, choose Administration > SaaS: SaaS Accelerator and add these values:

– SaaS Accelerator Manager Port. The controller uses port 3900 to communicate with the SAM and the port needs to be open on the branch firewall. The field for the port number is editable but we do not recommend changing the value.

– Registration Token. Paste the registration token you copied in Step 1 to this field.

4. In SAM, move this controller to the whitelist. For details see the SaaS Accelerator Manager User Guide.

You cannot enable SaaS acceleration without moving the controller to the whitelist. In SAM, if a controller is moved from the whitelist to the blacklist, SaaS acceleration stops working.

5. Enable SaaS acceleration on the controller. Choose Administration > SaaS: SaaS Accelerator and in the Configure SaaS Acceleration section, select Enable Acceleration and click Apply.

When you click Apply, be patient. It can take several minutes to start acceleration.

6. Enable SSL optimization on the Client Accelerator policies that include SaaS acceleration.

– Choose Manage: Services > Policies and open the policy and select the SSL tab. Then select the Enable SSL Optimization check box and the Enable SSL Proxy Support check box. You cannot enable SaaS acceleration without enabling SSL. If SSL was disabled after SaaS acceleration was enabled, SaaS acceleration will stop working.

7. On the controller, add an in-path rule to each policy for which you want SaaS acceleration enabled. The in-path rule is based on an application or application bundle, which allows the client-side appliance to connect to the service endpoint of the SaaS service cluster that is deployed for the selected application.

– Choose Manage > Services: Policies and select the In-Path Rules tab and click Add a New In-Path Rule.

– For the Destination Subnet, select SaaS Application. A second menu appears to the right.

– In the second menu, select a SaaS application or an application bundle for acceleration. Only applications and application bundles set up for SaaS acceleration appear in the list.

8. Enable SaaS acceleration in a policy to configure SaaS acceleration for groups of Client Accelerator endpoints. Choose Manage > Services: Policies and open a policy to configure and select the SaaS Acceleration tab. A helpful list of remaining configuration tasks appears on the page. Completed tasks are prefaced by a check mark.

– Optionally, select Enable Client Load Balancing. For details, see Configuring client-side load balancing.

– Optionally, select Proxy Chaining interoperability. Proxy chaining enables you to connect to third-party cloud access security broker (CASB) services. For details, see Configuring client-side proxy chaining.

Make sure you configure proxy chaining after you have enabled SaaS acceleration. If you configure proxy chaining before you haven enabled SaaS acceleration, you will receive an error message.

You cannot enable SaaS acceleration in a policy without enabling SaaS acceleration in the controller.

To verify, generate SaaS traffic. For details about monitoring the first connections, see Monitoring SaaS acceleration.

From the controller, you can use the SaaS Acceleration Status pane to monitor activity. This pane shows all SaaS applications configured for acceleration and the list of policies for which in-path rules have been set up for SaaS acceleration.

• On the Client Accelerator Controller, choose Administration > SaaS: SaaS Accelerator.

The controller gets data from SteelConnect Manager every five minutes and shows the time for the displayed data. Click Refresh Data Now to get the latest data.

If you want to pause SaaS acceleration, from the Administration > SaaS: SaaS Accelerator page on the Client Accelerator clear Enable Acceleration and click Apply. When cleared, all related in-path rules are ignored.

If you want to permanently cancel SaaS acceleration for this appliance and remove the settings, click Deregister. This also removes all related in-path rules.

As another option, you can move the controller to the blacklist on SAM. When you move an appliance to the blacklist, SAM removes the peering CA that it uploaded from the appliance and stops acceleration.