5.19. Order of the in-path rules

By default, a Steelhead appliance has three standard pass-through in-path rules and one default catch-all rule. The recommended way to add new in-path rules is described below.

These are the default in-path rules.

Figure 5.152. Default in-path rules

No Type         From To  Ports
 1 Pass-through Any  Any Secure
 2 Pass-through Any  Any Interactive
 3 Pass-through Any  Any RBT-proto

Any new port-specific rules should be added before these three. For example, to pass through all traffic on TCP port 12345, add it as rule 1:

Figure 5.153. In-path rules: Add a new pass-through rule

No Type         From To  Ports
 1 Pass-through Any  Any 12345
 2 Pass-through Any  Any Secure
 3 Pass-through Any  Any Interactive
 4 Pass-through Any  Any RBT-proto

Any global "Use this WAN visibility" rule should be added at the end, as rule 5:

Figure 5.154. In-path rules: Change the default WAN visibility

No Type            From To   Ports        WAN
 1 Pass-through    Any  Any  12345
 2 Pass-through    Any  Any  Secure
 3 Pass-through    Any  Any  Interactive
 4 Pass-through    Any  Any  RBT-proto    
 5 Auto-Discovery  Any  Any  All          FT

Any specific optimization or auto-discovery feature towards a specific IP subnet should be added after the standard pass-through rules, as rule 6:

Figure 5.155. In-path rules: Add an all-ports auto-discovery rule

No Type            From To              Ports       WAN  
 1 Pass-through    Any  Any             12345       
 2 Pass-through    Any  Any             Secure
 3 Pass-through    Any  Any             Interactive
 4 Pass-through    Any  Any             RBT-proto    
 5 Auto-Discovery  Any  192.168.1.0/24  All         FT,FW-RST
 6 Auto-Discovery  Any  Any             All         FT

Any specific optimization feature for a specific TCP port on a specific IP subnet or host can be added after the standard pass-through rules, but may also be placed in front of them, for example as rule 1:

Figure 5.156. In-path rules: Add a specific TCP port auto-discovery rule

SH # show in-path rules
No Type            From To              Ports       WAN        LatOpt
 1 Auto-Discovery  Any  192.168.1.1/32  1080        FT         HTTP
 2 Pass-through    Any  Any             12345
 3 Pass-through    Any  Any             Secure
 4 Pass-through    Any  Any             Interactive
 5 Pass-through    Any  Any             RBT-proto    
 6 Auto-Discovery  Any  192.168.1.0/24  All         FT,FW-RST  Normal
 7 Auto-Discovery  Any  Any             All         FT         Normal

5.19.1. Specific in-path rules

5.19.1.1. MAPI latency optimization

Latency optimization of TCP sessions for the MAPI protocol is determined by the traffic going to the port-mapper running on TCP port 135 on the Exchange server. To disable MAPI latency optimization via an in-path rule, use TCP port 135 in the in-path rule.

Figure 5.157. Disable MAPI optimization

No Type            From To              Ports       WAN        LatOpt
[...]
 5 Pass-through    Any  Any             135

Once an Exchange server has been detected, a hidden in-path rule is added to the list which states that all traffic to that server is to be fixed-targeted to the Steelhead appliance in front of the Exchange server. This hidden in-path rule overrules any newly added in-path rule that would leave traffic on TCP port 135 unoptimized.

This hidden in-path rule can be disabled with the CLI command in-path probe-mapi-data, which is enabled by default from RiOS version 6.1.x up to version 6.5.2.
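The ordering rules of section 5.19 and the hidden Exchange rule of section 5.19.1.1 both come down to one behaviour: the list is evaluated top-down and the first matching rule wins. The following simulator is an added example, not code from the Riverbed documentation or the appliance. It transcribes the rule list of Figure 5.156 as sample data and shows which rule a flow hits, what happens when the all-ports auto-discovery rule is misordered ahead of the Secure and Interactive pass-through rules, and how a hidden fixed-target rule for a detected Exchange server shadows a later port-135 pass-through rule. The port-group contents, the IP addresses, the EXCHANGE_IP value and the probe_mapi_data switch are constructed assumptions; the real port groups and the internal placement of the hidden rule are not described on this page.

```python
# Added example, not from the Riverbed documentation. It models only what the
# text states: in-path rules are evaluated top-down, the first match wins, and
# a detected Exchange server adds a hidden fixed-target rule consulted before
# the visible list. Port-group contents, addresses and the probe_mapi_data
# switch are constructed assumptions, not appliance data.
import ipaddress
from dataclasses import dataclass

# Constructed stand-ins for the Secure / Interactive / RBT-proto port groups.
# The real group membership lives on the appliance, not in this file.
PORT_GROUPS = {
    "Secure": {22, 443, 993, 995},
    "Interactive": {23, 3389},
    "RBT-proto": {7800, 7810, 7820, 7850},
    "All": None,                      # None: every destination port matches
}

@dataclass
class Rule:
    rule_type: str            # "Pass-through", "Auto-Discovery", "Fixed-Target"
    src: str = "Any"          # "Any" or a CIDR / host address
    dst: str = "Any"
    ports: str = "All"        # port-group name or a single port as a string
    wan: str = ""             # WAN visibility column, e.g. "FT"
    lat_opt: str = ""         # latency optimization column, e.g. "HTTP"

    def matches(self, src_ip, dst_ip, dst_port):
        return (_ip_match(self.src, src_ip) and _ip_match(self.dst, dst_ip)
                and _port_match(self.ports, dst_port))

def _ip_match(spec, ip):
    if spec == "Any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def _port_match(spec, port):
    if spec in PORT_GROUPS:
        group = PORT_GROUPS[spec]
        return group is None or port in group
    return int(spec) == port

def first_match(rules, src_ip, dst_ip, dst_port):
    """Return (1-based position, rule) of the first matching rule, or None
    when only the appliance's default catch-all would apply."""
    for pos, rule in enumerate(rules, 1):
        if rule.matches(src_ip, dst_ip, dst_port):
            return pos, rule
    return None

def decision(rules, src_ip, dst_ip, dst_port):
    """Rule type applied to a flow under first-match evaluation."""
    hit = first_match(rules, src_ip, dst_ip, dst_port)
    return hit[1].rule_type if hit else "default"

# The rule list of Figure 5.156, transcribed as sample data.
FIGURE_5_156 = [
    Rule("Auto-Discovery", "Any", "192.168.1.1/32", "1080", wan="FT", lat_opt="HTTP"),
    Rule("Pass-through", ports="12345"),
    Rule("Pass-through", ports="Secure"),
    Rule("Pass-through", ports="Interactive"),
    Rule("Pass-through", ports="RBT-proto"),
    Rule("Auto-Discovery", "Any", "192.168.1.0/24", "All", wan="FT,FW-RST"),
    Rule("Auto-Discovery", "Any", "Any", "All", wan="FT"),
]

def misordered_catch_all(dst_port):
    """Move the all-ports Auto-Discovery rule to position 1: every flow hits it,
    so the Secure/Interactive pass-through rules below it never apply."""
    wrong_order = [FIGURE_5_156[-1]] + FIGURE_5_156[:-1]
    return decision(wrong_order, "10.0.0.5", "10.1.1.10", dst_port)

# Model of 5.19.1.1. EXCHANGE_IP is a constructed address; representing the
# hidden rule as an entry ahead of the visible list is an assumption about
# how the appliance orders it, not something the page specifies.
EXCHANGE_IP = "192.168.1.20"
HIDDEN_EXCHANGE_RULE = Rule("Fixed-Target", "Any", EXCHANGE_IP + "/32", "All")
MAPI_RULES = [
    Rule("Pass-through", ports="Secure"),
    Rule("Pass-through", ports="Interactive"),
    Rule("Pass-through", ports="RBT-proto"),
    Rule("Pass-through", ports="135"),      # the "disable MAPI optimization" rule
    Rule("Auto-Discovery", ports="All", wan="FT"),
]

def mapi_decision(probe_mapi_data=True, dst_ip=EXCHANGE_IP):
    """Rule type for a client connecting to TCP 135 on dst_ip. With the hidden
    rule active (probe-mapi-data enabled) the port-135 pass-through is shadowed."""
    rules = ([HIDDEN_EXCHANGE_RULE] if probe_mapi_data else []) + MAPI_RULES
    return decision(rules, "10.0.0.5", dst_ip, 135)

if __name__ == "__main__":
    for port in (1080, 443, 8080):
        print(port, first_match(FIGURE_5_156, "10.0.0.5", "192.168.1.1", port))
    print("misordered, port 443:", misordered_catch_all(443))
    print("MAPI to Exchange:", mapi_decision(), "| hidden rule off:", mapi_decision(False))
```

The check worth running before changing a production rule list is the misordered case: a port-443 flow that should stay pass-through under the Secure rule is optimized as soon as an all-ports auto-discovery rule sits above it, which is exactly why the text puts port-specific rules first and the global WAN-visibility rule last.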

5.19.1.2. Traffic on TCP port 443 is always SSL pre-optimized

TCP port 443 is reserved for HTTPS traffic. Traffic on this port is always treated with an SSL pre-optimization policy, even if the matching in-path rule does not have the SSL pre-optimization policy defined.