By default, there are three standard pass-through in-path rules on a Steelhead appliance and one default catch-all. The best way to add new in-path rules is:
Any port-specific rules go at the beginning.
Any global rules go at the end.
Any subnet-specific rules go after the default rules but before the global rules.
These are the default in-path rules.
Figure 5.152. Default in-path rules
No  Type          From  To   Ports
1   Pass-through  Any   Any  Secure
2   Pass-through  Any   Any  Interactive
3   Pass-through  Any   Any  RBT-proto
Any new port-specific rules should be added before these three. For example, to pass through all traffic on TCP port 12345, add rule 1:
Figure 5.153. In-path rules: Add a new pass-through rule
No  Type          From  To   Ports
1   Pass-through  Any   Any  12345
2   Pass-through  Any   Any  Secure
3   Pass-through  Any   Any  Interactive
4   Pass-through  Any   Any  RBT-proto
Any global "Use this WAN visibility" rule should be added at the end as rule 5:
Figure 5.154. In-path rules: Change the default WAN visibility
No  Type            From  To   Ports        WAN
1   Pass-through    Any   Any  12345
2   Pass-through    Any   Any  Secure
3   Pass-through    Any   Any  Interactive
4   Pass-through    Any   Any  RBT-proto
5   Auto-Discovery  Any   Any  All          FT
Any specific optimization or auto-discovery features towards a specific IP subnet should be added after the standard pass-through rules as rule 6:
Figure 5.155. In-path rules: Add an all-ports auto-discovery rule
No  Type            From  To              Ports        WAN
1   Pass-through    Any   Any             12345
2   Pass-through    Any   Any             Secure
3   Pass-through    Any   Any             Interactive
4   Pass-through    Any   Any             RBT-proto
5   Auto-Discovery  Any   192.168.1.0/24  All          FT,FW-RST
6   Auto-Discovery  Any   Any             All          FT
Any specific optimization features towards a specific TCP port on a specific IP subnet or host can be added after the standard pass-through rules, but can also be placed in front of them, for example as rule 1:
Figure 5.156. In-path rules: Add a specific TCP port auto-discovery rule
SH # show in-path rules
No  Type            From  To              Ports        WAN        LatOpt
1   Auto-Discovery  Any   192.168.1.1/32  1080         FT         HTTP
2   Pass-through    Any   Any             12345
3   Pass-through    Any   Any             Secure
4   Pass-through    Any   Any             Interactive
5   Pass-through    Any   Any             RBT-proto
6   Auto-Discovery  Any   192.168.1.0/24  All          FT,FW-RST  Normal
7   Auto-Discovery  Any   Any             All          FT         Normal
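The ordering advice can be checked mechanically. The following is an added example, not part of the original page or of RiOS: it models the rule list above under the assumption that rules are evaluated top-down with the first match winning, and reports rules that an earlier, broader rule makes unreachable. The port-label memberships and all function names are assumptions made for illustration.

```python
import ipaddress

# Port-label membership is an illustrative subset (assumption), not the full RiOS lists.
PORT_LABELS = {"Secure": {443}, "Interactive": {23}, "RBT-proto": {7800}}

# Rules from the "show in-path rules" output above: (no, type, destination, ports).
RULES = [
    (1, "Auto-Discovery", "192.168.1.1/32", "1080"),
    (2, "Pass-through", "Any", "12345"),
    (3, "Pass-through", "Any", "Secure"),
    (4, "Pass-through", "Any", "Interactive"),
    (5, "Pass-through", "Any", "RBT-proto"),
    (6, "Auto-Discovery", "192.168.1.0/24", "All"),
    (7, "Auto-Discovery", "Any", "All"),
]

def _net(dst):
    return ipaddress.ip_network("0.0.0.0/0" if dst == "Any" else dst)

def _port_match(ports, port):
    if ports == "All":
        return True
    if ports in PORT_LABELS:
        return port in PORT_LABELS[ports]
    return port == int(ports)

def first_match(rules, dst_ip, dst_port):
    """Return the first rule (top-down) matching the destination, or None."""
    addr = ipaddress.ip_address(dst_ip)
    for rule in rules:
        _, _, dst, ports = rule
        if addr in _net(dst) and _port_match(ports, dst_port):
            return rule
    return None

def shadowed(rules):
    """Rule numbers that can never match: an earlier rule covers the same
    destination (or a supernet) with ports 'All' or the identical port spec."""
    hidden = []
    for i, (no, _, dst, ports) in enumerate(rules):
        for _, _, e_dst, e_ports in rules[:i]:
            if _net(dst).subnet_of(_net(e_dst)) and e_ports in ("All", ports):
                hidden.append(no)
                break
    return hidden

def move_global_first(rules):
    """Constructed misordering: the catch-all 'Any/All' rule placed at the top."""
    return [rules[-1]] + rules[:-1]
```

With the global rule moved to the top, every pass-through rule is reported as shadowed, so traffic on the Secure, Interactive and RBT-proto ports would no longer be passed through.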
Latency optimization of TCP sessions for the MAPI protocol gets determined by the traffic going to the port-mapper running on TCP port 135 on the Exchange server. To disable MAPI latency optimization via an in-path rule, use TCP port 135 in the in-path rule.
Figure 5.157. Disable MAPI optimization
No  Type          From  To   Ports  WAN  LatOpt
[...]
5   Pass-through  Any   Any  135
Once an Exchange server has been detected, a hidden in-path rule gets added to the list which states that all traffic to that server needs to be Fixed Targeted to the Steelhead appliance in front of the Exchange server. This hidden in-path rule overrules any newly added in-path rules to not optimize traffic on TCP port 135.
This hidden in-path rule can be disabled with the CLI command in-path probe-mapi-data, which is enabled by default in RiOS versions 6.1.x and up to version 6.5.2.