Cisco Wide Area Application Services (WAAS) Mobile: Optimize Application Performance for Cisco ASA SSL VPN Users
Updated: January 24, 2014
What You Will Learn
SSL VPNs are emerging as the standard for remote access solutions by providing improved levels of security and access control and by enabling remote users to access corporate resources from anywhere. However, as enterprises consolidate applications and users become increasingly distributed and access these applications across high-latency, limited-bandwidth connections, performance across the VPN can degrade. The solution is to combine Cisco® Wide Area Application Services (WAAS) Mobile with the Cisco AnyConnect VPN Client, which connects remote users with Cisco ASA 5500 Series Adaptive Security Appliances using SSL, to overcome network limitations and provide secure anytime, anywhere access with lower cost, easier maintenance, and more granular control.
Cisco ASA AnyConnect SSL VPN and Cisco WAAS Mobile together provide a secure, high-performance access solution that enables organizations to simplify and consolidate VPN access while increasing end-user productivity with faster application response times. As discussed in this document, the combination of Cisco ASA SSL VPN and Cisco WAAS Mobile has been designed to provide an optimal solution that:
• Outperforms solutions employing third-party SSL VPNs with Cisco WAAS Mobile
• Outperforms solutions employing Cisco ASA and Cisco AnyConnect with third-party acceleration products
Figure 1 summarizes the solution.
Figure 1. Secure, Accelerated Access for Remote Workers
Organizations are increasingly consolidating applications as well as the secure access to those applications into fewer locations to reduce cost and improve security. At the same time, mobile users are accessing these applications from around the world over networks that have high latency and loss and limited bandwidth.
An optimal acceleration solution will not only enhance performance through protocol optimization and data reduction, but will also employ transport optimizations to mitigate the effects of degraded networks. As organizations transition from IP Security (IPSec) VPNs to SSL VPNs to improve security and manageability, transport optimizations become more challenging, as the bits are no longer transmitted using the Encapsulating Security Payload (ESP) protocol used by IPSec, but instead by HTTPS over TCP.
Cisco WAAS Mobile, deployed with a Cisco ASA AnyConnect client, is a powerful solution for remote access that enables employees to work remotely, and productively, from anywhere.
Cisco WAAS Mobile is part of the Cisco WAAS portfolio of application accelerators and consists of a software client purpose-built to run on end-user PCs. The Cisco WAAS Mobile client works in conjunction with a Cisco WAAS Mobile server that is located near the Cisco ASA VPN appliance.
As shown in Figure 2, Cisco ASA AnyConnect, when deployed with Cisco WAAS Mobile, reduces application response times by 3 to 30 times. Cisco WAAS Mobile achieves these application response-time improvements by:
• Mitigating latency: Application protocol optimizations for Common Internet File System (CIFS), Messaging API (MAPI), and HTTP/HTTPS enable chatty protocols to perform nearly as well over connections with moderate to high latency as they do over the LAN.
• Sending less data: Bidirectional, byte-level delta compression eliminates the transmission of redundant byte sequences and transmits only compressed differences across the WAN.
• Increasing link throughput: Transport optimizations increase the effective information rate across the link and substantially improve performance over VPN connections.
In addition, Cisco WAAS Mobile:
• Enables mobile users to transition between networks or operate through wireless dead spots by maintaining connections to applications through network outages
• Preserves the quality of soft-phone calls in the presence of data transfers
• Enables virtual desktop solutions to be successfully deployed across WAN links
Figure 2. File Upload and Download Performance over Evolution Data Optimized (EVDO) Connection (788 Kbps and 2% Packet Loss)
Cisco ASA AnyConnect and Cisco WAAS Mobile are optimized for PC support. Both clients are lightweight and can be dynamically upgraded without end-user administrative privileges.
As shown in Figure 3, Cisco ASA AnyConnect is optimally accelerated by Cisco WAAS Mobile, and this product combination outperforms other solutions.
Figure 3. Cisco ASA AnyConnect with Cisco WAAS Mobile Provides Optimal Performance
What makes the combination of Cisco ASA AnyConnect and Cisco WAAS Mobile superior? Most WAN optimization solutions do not work as well across SSL VPNs because the SSL VPN transport "wraps" the WAN optimizer's transport, eliminating any benefits that would otherwise be gained from transport optimizations.
Cisco ASA AnyConnect with Cisco WAAS Mobile avoids this limitation because:
• Cisco WAAS Mobile's transport optimization encapsulates traffic in User Datagram Protocol (UDP) datagrams.
• Cisco ASA AnyConnect supports RFC 5238 for Datagram Transport Layer Security (DTLS), which secures the Cisco WAAS Mobile datagram while enabling Cisco WAAS Mobile to deliver the benefits of transport optimization.
Cisco WAAS Mobile Performance
The Cisco WAAS Mobile Manager's analytics allow administrators to monitor performance and measure return on investment (ROI). The charts in Figure 4 provide high-level summaries of overall performance. Administrators can review information by protocol and can monitor throughput and compression over time at a system level or monitor throughput and acceleration performance for an individual end user.
Figure 4. Cisco WAAS Mobile's Centralized View of Network Traffic and Protocol Performance
Tips for Deploying Cisco ASA AnyConnect with Cisco WAAS Mobile
The Cisco WAAS Mobile server typically will be deployed behind the firewall near the Cisco ASA appliance. Here are some tips to keep in mind when deploying Cisco WAAS Mobile with Cisco ASA AnyConnect:
• Cisco ASA AnyConnect should be configured to allow clients to access the Cisco WAAS Mobile server, and the access control on the Cisco WAAS Mobile server should be used to configure access to internal resources.
• Cisco WAAS Mobile should not be configured to start automatically upon Cisco Secure Desktop startup, but should be started after the user login is complete.
• Cisco WAAS Mobile can also be deployed at the network edge in front of the Cisco ASA AnyConnect server to provide transport and compression-only optimization for clientless SSL VPN access.