SCA latency optimization works in various ways to improve the performance of cloud-based Software-as-a-Service (SaaS) applications like Microsoft Office 365 and Salesforce.
The overall SCA service is delivered in conjunction with the Akamai CDN (Content Delivery Network). SCA combines the Riverbed WAN optimization technology (RiOS) with the Akamai Internet optimization technology (SureRoute) to accelerate SaaS platform performance. SCA uses Akamai SureRoute to provide a reliable transport across the fastest path through thousands of servers in many countries while dynamically adding RiOS instances at points nearest to the SaaS service provider.
SCA optimization is achieved using normal TCP, SDR and HTTP latency optimization techniques.
There are two methods of deployment at the customer premises.
Direct branch Internet deployment: The branch offices have their own Internet connectivity.
Back-hauled Internet deployment: The branch offices connect to the Internet over an internal WAN or a VPN connection to a centralized data center location that controls all Internet access.
SCA optimization uses the same HTTP and TCP optimization features to deliver performance enhancement. See the HTTP Latency Optimization section in the Latency Optimization chapter for those details.
SaaS Platform: The platform that uses Software as a Service, such as Salesforce or Microsoft Office 365.
Akamai Intelligent Platform: The Akamai distributed network of over 100 000 servers deployed in over 1 000 locations world-wide across the public Internet. The platform hosts Riverbed Steelhead technology and provides Internet-based optimization for Enterprise SaaS traffic.
Akamai SureRoute Optimization: Akamai SureRoute Optimization uses a suite of technologies to provide fast and reliable delivery between the Akamai Edge Servers. Route optimization examines multiple paths across the Internet to find the fastest path and route past any failures; the Enhanced Akamai Protocol overcomes the inefficiencies of TCP to provide the highest throughput and fastest recovery; and Packet Redundancy enables lost data to be recreated without requiring the client or server to retransmit.
Akamai Edge Server: The Akamai Edge Server in the Akamai Intelligent Platform closest to the end-user is dynamically and intelligently selected (regardless of whether the end-user location has direct Internet access or the data is back-hauled to the Internet gateway at the data center). The Akamai Edge Server closest to the SaaS provider's data center runs the RiOS instances and acts as a peer to the registered ESH.
Enterprise Data Center Steelhead (DCSH): The Steelhead appliance located in the customer data center close to the customer Internet egress point. It contains the Akamai Cloud Proxy (ACP) feature.
Enterprise Branch Steelhead (BSH): The Steelhead appliance located in the customer branch office that intercepts any connections destined for the SaaS platform to be accelerated. The Enterprise Branch Steelhead can host the Akamai Cloud Proxy (ACP) feature, but does not require it. ACP is a software component that grants the Steelhead appliance access to the Akamai Intelligent Platform. The registered ESH accelerates application performance and data transfer over the private WAN and the Internet, overcoming bandwidth and geographical limitations.
Riverbed Cloud Portal: An always on, always available Web portal that enables you to log on to deploy and manage Riverbed software, ESHs and SCA in the cloud. The Riverbed Cloud Portal manages registration and deregistration of SCA; it also provides the status of SCA.
The following steps need to be taken to get a working SCA solution:
The Steelhead appliance has a valid (not expired) SSL certificate.
The Steelhead appliance has a valid SSL license installed.
SSL optimization is enabled on the Steelhead appliance.
Port 443 is removed from the "Secure" ports label list under Configure -> Networking -> Port Labels.
The Steelhead appliance's primary interface is connected.
The Host Settings are configured with valid DNS server IP addresses, and these DNS servers must be able to resolve names from the public Internet, for example salesforce.com.
The Steelhead appliance has NTP configured and is synced, and the correct time zone is configured on the Steelhead appliance.
An account on the Riverbed Cloud Portal is required.
The Steelhead appliance needs to be appropriately registered on the Cloud Portal and a valid SCA license needs to be configured.
Any firewall between the Steelhead appliance and the public Internet must allow outbound access from the primary interface IP address to ports 80 and 443. If you use external DNS or NTP servers, UDP/TCP port 53 and UDP port 123 also need outbound access. Ensure that the stateful feature is enabled for UDP packets.
Any firewall between the Steelhead appliance and the public Internet should allow outbound UDP port 9545 from all in-path interfaces on the Steelhead appliance. Ensure that the stateful feature is enabled on the firewall in order to allow for returning UDP packets.
You need to have an existing account with your SaaS provider.
In the Riverbed Cloud Portal, click Cloud Accelerator and select SaaS Platforms -> Office 365 | Salesforce | Google Apps.
Check that the Start Time and the End Time are valid.
The Active columns should display true and the Terminated column should display false.
The Acceleration Service should be ON.
Check the ESH is communicating with the Riverbed Cloud Portal using the following steps:
In the Riverbed Cloud Portal, click Cloud Accelerator and then select Enterprise Steelhead Appliances. Verify that the serial number of the ESH is listed in one of the Pending, Granted or Denied sections.
Check the output of the command show service cloud-accel. The Reason field indicates the current status of the ESH. If the reason is Disabled by administrative action and Enabled is Yes then the ESH might have been denied service by the Riverbed Cloud Portal, or de-registered from the ESH. You must register the ESH again.
Figure 8.56. Output of the command 'show service cloud-accel'
ESH # show service cloud-accel
Enabled: Yes
Status: Unregistered
Reason: Disabled by administrative action (Tue Aug 21
Portal: cloudportal.riverbed.com:443 (HTTPS)
Redirection: Enabled
Port: 9545
State: Active
Spill-over Policy: Disabled
ESH #
If the reason is Disabled by administrative action and Enabled is No then the ESH might have been denied service by the Riverbed Cloud Portal, or de-registered from the ESH. In addition, the SCA service was disabled on the ESH.
Figure 8.57. Output of the command 'show service cloud-accel'
ESH # show service cloud-accel
Enabled: No
Status: Unregistered
Reason: Disabled by administrative action (Tue Aug 21
Portal: cloudportal.riverbed.com:443 (HTTPS)
Redirection: Enabled
Port: 9545
State: Inactive
Spill-over Policy: Disabled
ESH #
If the reason is Appliance is Pending Service then you must grant access to the ESH on the Riverbed Cloud Portal. If the reason is Couldn't resolve host name then check the DNS settings on the ESH. SCA uses the Steelhead appliance DNS settings. When you change DNS settings, remember to disable and re-enable the cloud acceleration service on the ESH.
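The Reason and Enabled triage described above, as an added example that is not Riverbed code: it parses saved show service cloud-accel output and returns the diagnosis the text gives for each case. The function names are hypothetical and the sample output is constructed from Figure 8.56.

```python
# Added example; sample output is constructed from Figure 8.56 (the Reason
# timestamp is left truncated exactly as it appears on the page).
SAMPLE = """\
ESH # show service cloud-accel
Enabled: Yes
Status: Unregistered
Reason: Disabled by administrative action (Tue Aug 21
Portal: cloudportal.riverbed.com:443 (HTTPS)
Redirection: Enabled
Port: 9545
State: Active
Spill-over Policy: Disabled
ESH #
"""

def parse_cloud_accel(text):
    """Return the 'Key: value' fields of the CLI output as a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        # Skip blank lines and prompt lines ('ESH # ...'), which are not fields.
        if not sep or "#" in key:
            continue
        fields[key.strip()] = value.strip()
    return fields

def triage(fields):
    """Map Reason and Enabled to the diagnosis given in the text above."""
    reason = fields.get("Reason", "").lower()
    enabled = fields.get("Enabled", "").lower() == "yes"
    if reason.startswith("disabled by administrative action"):
        if enabled:
            return "denied by the portal or de-registered: register the ESH again"
        return "denied or de-registered, and the SCA service is disabled on the ESH"
    if "appliance is pending service" in reason:
        return "grant access to the ESH on the Riverbed Cloud Portal"
    if "couldn't resolve host name" in reason:
        return "check ESH DNS settings, then disable and re-enable the service"
    return "no documented failure reason matched"

if __name__ == "__main__":
    print(triage(parse_cloud_accel(SAMPLE)))
```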
Protocol errors for some of the connections are expected behavior, because the system does not optimize every single SSL connection. For example, in the following figure, connections to www.salesfore.com (204.14.235.50) and login.salesforce.com (204.14.234.101) are not optimized (not SSL decrypted). However, connections to na2.salesforce.com (204.14.234.81) are optimized.
Salesforce has a whitelist security feature. Customers can permit/deny source IP ranges to their particular Salesforce instances. For the SCA feature to work successfully, specific Akamai IP ranges must be permitted to the Salesforce instances. Please see KB S18309 for further information.
From a computer behind the client-side Steelhead appliance, initiate the traceroute command to a SaaS provider server and observe the IP address of the first hop. If the first hop is NOT the IP address of your default gateway, then the packets are redirected into the SRIP network.
Figure 8.59. The first hop found by traceroute should be the SRIP-Edge host
Default gateway is 192.168.128.1

C:\>tracert ch1prd0410.outlook.com

Tracing route to ch1prd0410.outlook.com [157.56.244.182]
over a maximum of 30 hops:

  1    23 ms    38 ms    19 ms  58.27.86.183 << [SRIP-Edge]
  2   305 ms   236 ms   234 ms  198.63.231.204 << [SRIP-Gateway]
  3   235 ms   235 ms   237 ms  be-5.r05.chcgil09.us.bb.gin.ntt.net [131.103.136.1]
  4   235 ms   265 ms   237 ms  0.xe-10-2-0.BR3.CHI13.ALTER.NET [204.255.168.69]
  5   234 ms   239 ms   236 ms  0.ae3.XL4.CHI13.ALTER.NET [152.63.66.77]
  6   237 ms   235 ms   236 ms  TenGigE0-5-2-0.GW2.CHI13.ALTER.NET [152.63.67.106]
  7   268 ms   415 ms   417 ms  microsoft-gw.customer.alter.net [63.84.96.94]
  8   240 ms   238 ms   239 ms  xe-3-0-1-0.ch1-16c-1a.ntwk.msn.net [207.46.46.153]
  9   236 ms   235 ms   238 ms  xe-5-0-0-0.ch1-96c-1b.ntwk.msn.net [207.46.46.125]
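The first-hop test described above, as an added example that is not part of the original page: it reads saved Windows tracert output and reports whether hop 1 is the default gateway, including the case where hop 1 times out and the test is inconclusive. The function names are hypothetical and the sample is constructed from Figure 8.59.

```python
import ipaddress
import re

# Constructed sample in Windows tracert format, shortened from Figure 8.59.
SAMPLE = """\
Tracing route to ch1prd0410.outlook.com [157.56.244.182]
over a maximum of 30 hops:

  1    23 ms    38 ms    19 ms  58.27.86.183
  2   305 ms   236 ms   234 ms  198.63.231.204
  3   235 ms   235 ms   237 ms  be-5.r05.chcgil09.us.bb.gin.ntt.net [131.103.136.1]
"""

HOP_LINE = re.compile(r"^\s*(\d+)\s+(.*)$")
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def first_hop(trace_text):
    """Return the IPv4 address that answered hop 1, or None if none did."""
    for line in trace_text.splitlines():
        match = HOP_LINE.match(line)
        if match and match.group(1) == "1":
            # The address is the last IPv4 on the line (bare, or in [brackets]).
            addresses = IPV4.findall(match.group(2))
            return addresses[-1] if addresses else None
    return None

def redirection_status(trace_text, default_gateway):
    """Apply the first-hop test: anything but the default gateway means redirected."""
    hop = first_hop(trace_text)
    if hop is None:
        return "unknown: hop 1 did not answer, so the test is inconclusive"
    if ipaddress.ip_address(hop) == ipaddress.ip_address(default_gateway):
        return "not redirected: first hop is the default gateway"
    return "redirected: first hop %s is not the default gateway" % hop

if __name__ == "__main__":
    print(redirection_status(SAMPLE, "192.168.128.1"))
```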
If the connection details display the error message Inner channel is not secure then there is an issue with peering between the Steelhead appliance and the cloud. Check the validity of the peering certificate and ensure that the Peering Trust list contains the appropriate CA.
When accessing the SaaS provider's website, the browser displays an error message about the SSL security certificate.
Ensure that the root certificate of the CA that signed the Proxy Certificate is installed correctly on your computer. This is either a Customer-hosted CA or a Cloud-hosted CA, depending on the configuration of the SCA service in the Cloud Portal. The customer can choose; the default is Cloud-hosted.