This chapter describes how to configure the optimization policies, which determine the types of application traffic that is accelerated over your WAN on your Cisco WAAS system.
Note Throughout this chapter, the term Cisco WAAS device is used to refer collectively to the Cisco Wide Area Application Services (Cisco WAAS) Central Managers and Cisco Wide Area Application Engines (WAEs) in your network. The term Cisco WAE refers to Cisco WAE and Cisco Wide Area Virtualization Engine (Cisco WAVE) appliances, and Cisco Virtual WAAS (Cisco vWAAS) instances.
The Cisco WAAS software comes with more than 150 predefined optimization policies that determine the type of application traffic your Cisco WAAS system optimizes and accelerates. These predefined policies cover the most common type of application traffic on your network. For a list of the predefined policies, see Appendix A, “Predefined Optimization Policy.”
Each optimization policy contains the elements shown in Table 12-1 .
Table 12-1 Optimization Policy Elements
You can use the Cisco WAAS Central Manager GUI to modify the predefined policies and to create additional policies for other applications. For more information on creating optimization policies, see Creating a New Traffic Optimization Policy. For more information on viewing reports, restoring policies, monitoring applications, and other functions, see Managing Application Acceleration.
Note All application definitions configured in the Cisco WAAS Central Manager are globally applied to all the Cisco WAAS devices that register with the Cisco WAAS Central Manager, regardless of the device group membership configuration.
Cisco WAAS policies can apply two kinds of optimizations to matched traffic:
For a specified optimization policy, for Cisco WAAS Version 4.4.1 and later, the DRE feature can use different caching modes, shown in Table 12-2 .
The predefined optimization policies are configured to use the optimal DRE caching mode, depending on the typical application traffic, although you can change the mode if you want.
This section contains the following topics:
The global optimization features determine if traffic flow optimization (TFO), data redundancy elimination (DRE), and persistent compression are enabled on a device or device group. By default, all of these features are enabled. If you choose to disable one of these features, the device will be unable to apply the full Cisco WAAS optimization techniques to the traffic that it intercepts.
In addition, the global optimization features include each of the following application accelerators:
By default, all of the application accelerators are enabled except SMB, SSL Interposer and Encrypted MAPI.
Note The application accelerators require specific types of licenses to operate: a Transport license for TFO, DRE, and LZ optimization, and an Enterprise license for all other application accelerators. For more information on installing and managing licenses, see Managing Cisco WAAS Software Licenses in the chapter “Configuring Other System Settings”.
To enable or disable a global optimization feature, follow these steps:
Step 1 From the Cisco WAAS Central Manager menu, choose Devices > device-name ( or Device Groups > device-group-name).
Step 2 Choose Configure > Acceleration > Enabled Features.
The Enabled Features window appears (Figure 12-1).
Figure 12-1 Enabled Features Window
For Cisco WAAS Express Devices
In the Enabled Features window for a device group, two SMB Accelerator options are shown, one for Cisco ISR-WAAS devices and one for all other kinds of Cisco WAEs.
– HTTP accelerator express (see Configuring HTTP Acceleration)
– SSL accelerator express (see Configuring SSL Acceleration)
1. Navigate to Device Groups > DeviceGroupName > Configure > Enabled Features.
2. Select the SSL Accelerator Express Peering Service.
3. From the SSL Version: dropdown list, select TLS1.
5. Upgrade the Cisco WAAS Express.
Step 3 Check the check boxes adjacent to the optimization features that you want to enable, and uncheck the check boxes adjacent to the features that you want to disable.
For a description of each of the optimization features, see Key Services of Cisco WAAS in the chapter “Introduction to Cisco WAAS” .
Some features have additional settings that you can configure by clicking the link next to the setting name. Hover your cursor over the small target icon next to the link to see a dialog box that shows the current settings.
Note When you check the MAPI Accelerator check box, Encrypted MAPI Traffic Optimization is enabled by default.
Note You must enable MAPI acceleration first for Encrypted MAPI acceleration to be enabled.
By default, SMART-SSL (the SSL Interposer) is enabled on a fresh installation: on new Cisco WAAS OVA deployments, on Cisco WAAS ENCS 5400-W platforms, and on upgrades from Cisco WAAS Version 5.5.7 to Cisco WAAS Version 6.4.1. It is disabled when you upgrade devices from Cisco WAAS Version 6.2.3 to Cisco WAAS Version 6.4.1. For more information, see Configuring SMART-SSL Acceleration.
Note Both SSL accelerator and SMART-SSL can co-exist on a device.
Step 4 To enable the object cache, at the Object Cache Settings pane, check the Object Cache check box.
Cisco WAAS performs object caching to increase client application performance for SMB file access. Object caching also minimizes bandwidth and latency over the WAN, by avoiding the repeated transfer of data over the WAN.
Note Object Cache is not supported on Cisco vWAAS-200 and Cisco vWAAS-150 platforms.
– Each application accelerator object cache can be enabled or disabled independent of whether or not the global object cache is enabled or disabled.
– Enabling the object cache does not automatically enable individual application accelerator object caches.
– You can enable or disable an individual application accelerator object cache whether or not the associated application accelerator is enabled or disabled.
– Verify that disk assignments have been made to object cache before you enable object cache.
– The object cache has a limit of 15 GB. A request of a size larger than this limit will not cache the complete file. For example, for a file size of 25 GB, only 15 GB of this file would be cached.
Note To ensure that the object cache and SMB application accelerator work successfully, enable the object cache before you enable the SMB application accelerator.
Step 5 In the Advanced Settings pane, uncheck the Blacklist Operation check box if you want to disable it.
This behavior can result from network devices (such as firewalls) that block TCP setup packets that have options, and from asymmetric routes. The Cisco WAE can keep track of origin servers (such as those behind firewalls) that cannot receive optioned TCP packets, and learns not to send out TCP packets with options to these blacklisted servers.
Note Cisco WAAS is able to accelerate traffic between Cisco branch WAEs and Cisco data center WAEs in situations where optioned TCP packets are dropped. We recommend that you leave the blacklist operation feature enabled.
Step 6 To change the default Blacklist Server Address Hold Time of 60 minutes, enter the new time in minutes in the Blacklist Server Address Hold Time field. The valid range is 1 minute to 10080 minutes (1 week).
When a server IP address is added to the blacklist, it remains there for the configured hold time. After that time, subsequent connection attempts will again include TCP options so that the Cisco WAE can redetermine if the server can receive them. It is useful to retry sending TCP options periodically because network packet loss may cause a server to be erroneously blacklisted.
You can shorten or lengthen the blacklist time by changing the Blacklist Server Address Hold Time field.
The changes are saved to the device or device group.
Table 12-3 shows the Cisco WAAS CLI global configuration commands used to configure optimization and acceleration.
Table 12-3 Cisco WAAS CLI Commands Used to Configure Optimization and Acceleration
Configure TFO optimization, DRE, and persistent compression.
– Disk assignments have been made to object cache before you run this command.
– Run this command before you run the accelerator smb global configuration command.
– Each application accelerator object cache can be enabled or disabled independent of whether or not the global object cache is enabled or disabled.
– Before you run the no object-cache enable global configuration command to disable the global object cache, you must disable all individual application accelerator object caches.
– The object-cache enable global configuration command does not automatically enable individual application accelerator object caches.
– You can enable or disable an individual application accelerator object cache whether or not the associated application accelerator is enabled or disabled.
This section contains the following topics:
Data Redundancy Elimination (DRE) is one of the critical technologies used to identify redundant data patterns in application traffic, replacing them with signatures that Cisco WAAS devices transfer across the WAN to regenerate the original data. The result is optimal usage of WAN bandwidth and improved end-user response time.
To enable general DRE settings, check the Data Redundancy Elimination check box in the Enabled Features window.
To configure the DRE auto bypass and load monitor settings, follow these steps:
Step 1 From the Cisco WAAS Central Manager menu, choose Devices > device-name ( or Device Groups > device-group-name).
Step 2 Choose Configure > Acceleration > DRE Settings.
The DRE Settings window appears.
Step 3 Check the Enable DRE auto bypass check box to generate an alarm and automatically bypass DRE for application traffic.
Note If you do not enable DRE auto bypass, the Device Status alarm displays yellow and the traffic gets bypassed without forwarding to the Service Node (SN). We recommend that you do not disable DRE through the configuration. Instead, configure individual policies to bypass DRE functionality.
Step 4 Check the Enable DRE Load Monitor check box to enable load report.
The changes are saved to the device or device group.
Consider the following guidelines for configuring DRE settings using the Cisco WAAS CLI:
The HTTP application accelerator accelerates HTTP traffic. To optimize HTTPS, you must enable both SSL and HTTP and also have protocol chaining enabled.
The default Web Optimization policy is defined to send traffic to the HTTP accelerator. The Web optimization policy uses the HTTP class map, which matches traffic on ports 80, 8080, 8000, 8001, and 3128. If you expect HTTP traffic on other ports, add the other ports to the HTTP class map.
To configure the HTTP acceleration settings, follow these steps:
Step 1 To enable the HTTP accelerator, choose Configure > Acceleration > Enabled Features.
Step 2 The Enabled Features window appears.
a. At the Accelerator Optimization pane, check the HTTP Accelerator check box.
Step 3 From the Cisco WAAS Central Manager menu, choose Devices > device-name ( or Device Groups > device-group-name).
Step 4 Choose Configure > Acceleration > HTTP/HTTPS Settings.
The HTTP/HTTPS Acceleration Settings window appears (Figure 12-2).
Note For Cisco WAAS Express, the HTTP acceleration settings are the same, but the fields are laid out differently in the HTTP/HTTPS Settings window.
Figure 12-2 HTTP/HTTPS Settings Window
Step 5 Configure the metadata cache settings. At the Metadata Cache Settings pane:
a. To enable the Cisco WAE to cache each HTTP header (metadata) information, check the Enable HTTP metadatacache caching check box. The default setting is checked.
This check box must be checked to enable any of the other settings in the Metadata Cache Settings area. If this box is not checked, no header caching is done.
For details on HTTP metadata caching, see HTTP Metadata Caching.
b. To enable the Cisco WAE to cache HTTPS header (metadata) information (HTTP as payload in SSL traffic), check the Enable HTTPS metadatacache caching check box. The default setting is checked.
For details on HTTP metadata caching, see HTTP Metadata Caching.
c. In the Maximum age of a cache entry field, enter the maximum number of seconds to retain HTTP header information in the cache. The default is 86,400 seconds (24 hours). Valid time periods range from 5 to 2,592,000 seconds (30 days).
d. In the Minimum age of a cache entry field, enter the minimum number of seconds for which to retain HTTP header information in the cache. The default is 60 seconds. Valid time periods range from 5 to 86,400 seconds (24 hours).
e. To enable the Cisco WAE to cache and to locally serve HTTP 301 messages, check the Enable local HTTP 301 redirect messages check box. The default setting is checked.
f. To enable the Cisco WAE to cache and locally serve HTTP 401 messages, check the Enable local HTTP 401 Authentication-required messages check box. The default setting is checked.
g. To enable the Cisco WAE to cache HTTP 200 and HTTP 304 messages and locally serve HTTP 304 messages, check the Enable local HTTP 304 Not-Modified messages check box. The default setting is checked.
h. To configure specific file extensions to which metadata caching is to be applied, enter the file extensions in the File extension filters field at the far right of the window. Separate multiple extensions with a comma, for example, jpeg, gif, png, and do not include the dot at the beginning of the file extension.
By default, no file extension filters are defined and therefore, metadata caching applies to all file types.
Step 6 To allow the Cisco WAAS Edge WAE to prefetch data, at the Sharepoint Settings pane, check the Enable Pre-fetch Optimization check box. The default for this setting is unchecked.
Note SharePoint prefetch optimization works with view in browser mode only.
Step 7 To configure the Cisco WAE to suppress server compression between the client and the server, at the Server Compression Settings pane, check the Suppress server compression for HTTP and HTTPS check box. The default setting is checked.
Step 8 To send DRE hints to the DRE module for improved DRE performance, at the DRE Hints Settings pane, check the Enable DRE Hints for HTTP and HTTPS check box. The DRE hint feature is enabled by default.
The changes are saved to the device or device group.
Consider the following guidelines for configuring HTTP acceleration using the Cisco WAAS CLI:
The metadata caching feature allows the HTTP accelerator in the Cisco Branch WAE to cache particular server responses and respond locally to clients. The following server response messages are cached:
Metadata caching is not applied in the following cases:
Note The metadata caching feature is available for Cisco WAAS Version 4.2.1 and later, where the earliest Cisco WAAS version in the Cisco Branch WAE is Cisco WAAS Version 4.2.1. The metadata caching feature can interoperate with an HTTP accelerator on a Cisco Data Center WAE that has an earlier Cisco WAAS version.
An HTTP accelerator subnet allows you to selectively enable or disable specific HTTP optimization features for specific IP subnets by using an Access Control List (ACL). This feature can be applied to the following HTTP optimizations:
To define IP subnets, run the ip access-list global configuration command. For more information on configuring subnets, refer to the ip access-list global configuration command in the Cisco Wide Area Application Services Command Reference. You can use both standard and extended ACLs.
To configure a subnet for an HTTP accelerator feature, follow these steps:
Step 1 Enable global configuration for all the HTTP accelerator features that you want to use.
Step 2 Create an IP access list to use for a subnet of traffic:
Step 3 Associate the ACL with a specific HTTP accelerator feature. For information about associating an ACL with an HTTP accelerator feature, see the accelerator http global configuration command in the Cisco Wide Area Application Services Command Reference.
In this example, the HTTP metadata cache feature applies to all the connections that match the conditions specified in the extended access list md_acl.
In the following example, the HTTP suppress-server-encoding feature applies to all the connections that match the conditions specified in the standard access list 10:
For the features (in this example, DRE hints and HTTPS metadata cache) that do not have an ACL associated with them, global configuration is used and the features are applicable to all the connections.
Consider the following MAPI acceleration features and guidelines:
– For Cisco WAAS Version 5.3.x and later, Microsoft Outlook 2000 to 2013 clients are supported.
– For Cisco WAAS Version 5.2.x and earlier, Microsoft Outlook 2000 to 2010 clients are supported.
– The EPM application accelerator must be enabled for the MAPI application accelerator to operate. EPM is enabled by default. Additionally, the system must define an optimization policy of type EPM, specify the MAPI UUID, and have an Accelerate setting of MAPI. This policy, MAPI for the Email-and-Messaging application, is defined by default.
– EPM traffic, such as MAPI, does not normally use a predefined port. If your Microsoft Outlook administrator has configured Microsoft Outlook in a nonstandard way to use a static port, you must create a new basic optimization policy that accelerates MAPI traffic with a class map that matches the static port that was configured for Microsoft Outlook.
To configure MAPI acceleration settings, follow these steps:
Step 1 To enable the MAPI accelerator, choose Configure > Acceleration > Enabled Features.
Step 2 The Enabled Features window appears.
a. At the Accelerator Optimization pane, check the MAPI Accelerator check box.
Step 3 From the Cisco WAAS Central Manager menu, choose Devices > device-name ( or Device Groups > device-group-name).
Step 4 Choose Configure > Acceleration > MAPI Settings.
The MAPI Acceleration Settings window appears (Figure 12-3).
Figure 12-3 MAPI Acceleration Settings Window
Step 5 In the Reserved Pool Size Maximum Percent field, enter the maximum percentage of connections that can be reserved for MAPI optimization during TFO overload.
The changes are saved to the device or device group.
This section contains the following topics:
The Encrypted MAPI (EMAPI) acceleration feature provides WAN optimization for secure MAPI application protocols using Microsoft Kerberos security protocol and Microsoft Windows Active Directory identity for authentication of clients or servers or both in the domain.
Note You must enable MAPI acceleration first for Encrypted MAPI acceleration to be enabled. Encrypted MAPI acceleration is enabled by default.
The following terms are used with Microsoft Active Directory and Cisco Encrypted MAPI acceleration:
For more information on Microsoft Active Directory, see the “Microsoft Developer Network Active Directory” pages.
To configure Encrypted MAPI traffic acceleration, complete the tasks listed in Table 12-4 . These tasks must be performed on both Cisco data center WAEs and Cisco branch WAEs unless specified as Not Required or Optional.
| Task | Procedure |
|---|---|
| Configure DNS Settings. | To configure DNS settings, see Configuring the DNS Server in the chapter “Configuring Network Settings”. |
| Configure NTP Settings. | To synchronize the time with Microsoft Active Directory, see Configuring NTP Settings in the chapter “Configuring Other System Settings”. |
| Verify Cisco WAE devices are registered and online with the Cisco WAAS Central Manager. | To verify Cisco WAE devices are registered and online with the Cisco WAAS Central Manager, see Devices Window in the chapter “Monitoring Your Cisco WAAS Network”. |
| Configure SSL Peering Service. | To configure SSL Peering Service, see Configuring SSL Peering Service. |
| Verify WAN Secure mode is enabled. | To verify WAN Secure mode is enabled, run the show accelerator wansecure EXEC command. |
| (Optional) Configure Windows domain settings and perform domain join. The domain join function automatically creates the machine account in Active Directory. | To configure Windows Domain Server Authentication settings, see Configuring Microsoft Windows Domain Server Authentication Settings in the chapter “Configuring Administrative Login Authentication, Authorization, and Accounting”. |
| Configure domain identities (for machine account and optional user accounts). | To configure a machine account identity, see Configuring a Machine Account Identity. (Optional) To create a user account and configure a user account identity, see Creating and Configuring a User Account. Note that configuring domain identities is not required on Cisco branch WAE devices. |
| Enable Microsoft Windows Domain Encrypted Service. | To enable the Microsoft Windows Domain Encrypted Service, choose Configure > Security > Windows Domain > Encrypted Services and check the Enable Encrypted Service check box. |
| Enable Encrypted MAPI Traffic Optimization. | To enable Encrypted MAPI Traffic Optimization, see Enabling and Disabling Global Optimization Features. |
To configure encrypted MAPI settings, follow these steps:
Step 1 Configure DNS settings.
The Cisco WAAS DNS server must be a part of the DNS system of Microsoft Windows Active Directory domains to resolve DNS queries for traffic encryption.
For more information about configuring DNS settings, see Configuring the DNS Server in the chapter “Configuring Network Settings” .
Step 2 Configure NTP settings to synchronize the time with the Active Directory.
The Cisco WAAS device has to be in synchronization with the Active Directory for Encrypted MAPI acceleration. The Cisco WAAS NTP server must share time synchronization with the Active Directory Domain Controllers’ domains for which traffic encryption is required. Out-of-sync time causes Encrypted MAPI acceleration to fail.
For more information about synchronizing time with the Active Directory, see Configuring NTP Settings in the chapter “Configuring Other System Settings” .
Step 3 Verify that Cisco WAE devices are registered and online with the Cisco WAAS Central Manager.
For more information about verifying that Cisco WAE devices are registered and are online with the Cisco WAAS Central Manager, see Devices Window in Chapter 15, “Monitoring Your WAAS Network.”
Step 4 Configure the SSL Peering Service.
Note The SSL accelerator must be enabled and in running state.
For more information about configuring the SSL Peering Service, see Configuring SSL Peering Service.
Step 5 Verify that WAN Secure mode is enabled.
accelerator mapi wansecure-mode {always | auto | none}
Step 6 (Optional on Cisco data center WAEs if user accounts only are used for domain identity configuration in Step 7.)
Configure Microsoft Windows domain settings and perform a domain join. (A domain join automatically creates the machine account in Active Directory.)
Note Performing a domain join of the Cisco WAE is not required on Cisco branch WAE devices.
To configure Microsoft Windows Domain Server Authentication settings, see Configuring Microsoft Windows Domain Server Authentication Settings in the chapter “Configuring Administrative Login Authentication, Authorization, and Accounting” .
Note Kerberos and Microsoft Windows NT LAN Manager (Microsoft Windows NTLM) authentication are used for Encrypted MAPI acceleration. For Cisco WAAS Version 5.3.1 and later, encrypted NTLM traffic is supported for EMAPI, and the Cisco WAE device optimizes NTLM traffic for domains configured with NTLM authentication.
Step 7 Configure domain identities. This is not required for Cisco branch WAEs.
a. Configure the machine account identity (for more information, see Configuring a Machine Account Identity).
b. Create and configure optional user accounts (for more information, see Creating and Configuring a User Account).
Step 8 Enable the Windows Domain Encrypted Service. (This is enabled by default.)
a. From the Cisco WAAS Central Manager menu, choose Devices > device-name ( or Device Groups > device-group-name).
b. From the menu, choose Configure > Security > Windows Domain > Encrypted Services.
The Encrypted Services window appears.
c. Check the Enable Encrypted Service check box.
d. To save the changes, click Submit.
Step 9 Enable Encrypted MAPI Traffic Optimization.
a. Choose Configure > Acceleration > Enabled Features.
The Enabled Features window appears (Figure 12-1).
b. In the Enabled Features window, check the Encrypted MAPI Traffic Optimization check box.
c. In the Enabled Features window, check the MAPI Accelerator check box.
Note To enable Encrypted MAPI, you must also check the MAPI Accelerator check box. (Encrypted MAPI traffic optimization is enabled by default.)
For more information on the Enabled Features window, see Enabling and Disabling Global Optimization Features.
For definitions of machine account identity and other Microsoft Active Directory terms, see Terms Used with Microsoft Active Directory.
To configure an identity for a machine account, follow these steps:
Step 1 From the Cisco WAAS Central Manager menu, choose Devices > device-name ( or Device Groups > device-group-name).
Step 2 From the Cisco WAAS Central Manager menu, choose Configure > Security > Windows Domain > Encrypted Services.
The Encrypted Services window appears.
Step 3 Click the Add Domain Identity button.
The Domain Identity dialog box appears (Figure 12-4).
Note Each Cisco WAAS device to be accelerated must have a domain identity.
Figure 12-4 Domain Identity Dialog Box
a. From the Account Type drop-down list, choose Machine Account.
Note You must complete the Microsoft Windows domain join before you create the machine account domain identity. For more information, see Configuring Microsoft Windows Domain Server Settings on a Cisco WAAS Device in the chapter “Configuring Administrative Login Authentication, Authorization, and Accounting”.
b. In the Identity Name field, enter the Identity Name. Use only alphanumeric characters, up to a maximum of 32 characters.
Note The domain identity must have sufficient privileges in the Windows Domain Active Directory to replicate the desired domain information to optimize encrypted traffic. To configure privileges, see Configuring Microsoft Active Directory.
Step 4 To add the child domains of the domain (with which the device is registered) for which the Domain Identity should optimize the encrypted traffic, click the Add Match Domain button.
You can add up to 32 child domains. If you do not want the Domain Identity to optimize the traffic for any of the child domains, you can delete the selected match domain items.
Note The child domains feature is available on devices running Cisco WAAS Version 5.4 and later.
The domain identity appears in the Encrypted Services Domain Identities list (Figure 12-5).
Figure 12-5 Encrypted Services—Domain Identity
For definitions of user account, user account identity and other Microsoft Active Directory terms, see Terms Used with Microsoft Active Directory.
To create a user account and configure a user account identity, follow these steps:
Step 1 From the Cisco WAAS Central Manager menu, choose Devices > device-name ( or Device Groups > device-group-name).
Step 2 From the Cisco WAAS Central Manager menu, choose Configure > Security > Windows Domain > Encrypted Services.
The Encrypted Services window appears (Figure 12-6).
Figure 12-6 Encrypted Services
Step 3 To add a user account domain identity, in the Encrypted Service Domain Identity(s) table listing area, click Add Domain Identity.
The Domain Identity window appears (Figure 12-7).
Figure 12-7 Add Domain Identity—User Account
a. From the Account Type drop-down list, choose User Account.
b. In the Identity Name field, enter the identity name. Use only alphanumeric characters, up to a maximum of 32 characters.
c. Enter a username and password.
f. To add the child domains of the domain (with which the device is registered) for which the Domain Identity should optimize the encrypted traffic, click the Add Match Domain button.
You can add up to 32 child domains. If you do not want the Domain Identity to optimize the traffic for any of the child domains, you can delete the selected match domain items.
Note The domain identity must have sufficient privileges in the Windows Domain Active Directory to replicate the desired domain information to optimize encrypted traffic. For information about configuring privileges, see Configuring Microsoft Active Directory.
The domain identity appears in the Encrypted Services Domain Identities list.
Note Secure Store encryption is used for the user account domain identity password. If Secure Store cannot be opened, an alarm is raised indicating that the configuration updates could not be stored on the device. After Secure Store can be opened and the configuration updates are successfully stored on the device, the alarm is cleared.
To grant Cisco WAAS permission to accelerate Microsoft Exchange-encrypted email sessions, follow these steps:
Step 1 Using an account with Domain Administrator privileges, launch the Active Directory Users and Computers application.
Note This group is for accounts that Cisco WAAS will use to optimize Microsoft Exchange traffic. Regular users and computers should not be added to this group.
a. Right-click the Unit to contain the new group and choose New > Group (Figure 12-8).
Figure 12-8 Active Directory—Add Group
b. In the Group field, enter a name and select the following attributes:
Step 3 Configure the permissions required by Cisco WAAS.
a. From the menu bar in the Active Directory Users and Computers application window, choose View > Advanced Features.
b. Right-click the root of the domain and choose Properties.
c. Click the Security tab (Figure 12-9).
Figure 12-9 Active Directory—Security Tab
d. In the Group or User Names section, click Add.
e. In the Enter the object names to select field, enter the name of the new group.
f. To add the new group to the list, click OK.
g. Check the check box adjacent to the new group in the Group or user names list and set the following permissions to Allow:
– Replicating Directory Changes
– Replicating Directory Changes All
Step 4 Add an account to the group.
User or workstation (computer) accounts must be added to the new group for WAAS Exchange Encrypted email optimization.
a. Right-click on the account you want to add and select the Member Of tab.
c. Choose the new group you created and click OK.
The configuration of Active Directory permissions is complete.
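The two rights granted in Step 3g (Replicating Directory Changes and Replicating Directory Changes All) let a principal pull directory data, including password material, from a domain controller, so the group holding them is worth auditing after the procedure and on a schedule. The following PowerShell is an added audit example written for this guide, not Cisco's code and not part of the Cisco procedure. It lists every principal allowed those rights on the domain root, confirms that the new group holds both, and lists the group's members, flagging nested groups because they widen who can replicate. It assumes the RSAT ActiveDirectory module on a domain-joined Windows host; the group name WAAS-Exchange-Optimizers is a placeholder for whatever name you entered when creating the group.

```powershell
# Added audit example (not Cisco's code): verifies the Active Directory state that the
# procedure above produces. Assumes the RSAT ActiveDirectory module on a domain-joined
# Windows host. The group name below is a placeholder for the name you gave the group.
Import-Module ActiveDirectory

$GroupName = 'WAAS-Exchange-Optimizers'   # placeholder, not a name from the Cisco guide

# Schema GUIDs of the two control-access rights granted in Step 3g.
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes All'
}
# An ExtendedRight ACE whose ObjectType is the empty GUID grants every extended right,
# so it covers both replication rights as well.
$AllExtendedRights = [guid]::Empty.ToString()

$domain   = Get-ADDomain
$acl      = Get-Acl -Path "AD:\$($domain.DistinguishedName)"
$extRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

# 1. Every principal that is allowed a replication right on the domain root.
$holders = foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    if (($ace.ActiveDirectoryRights -band $extRight) -eq 0) { continue }
    $guid = $ace.ObjectType.ToString()
    if ($ReplicationRights.ContainsKey($guid)) {
        [pscustomobject]@{ Principal = $ace.IdentityReference.Value; Right = $ReplicationRights[$guid] }
    } elseif ($guid -eq $AllExtendedRights) {
        [pscustomobject]@{ Principal = $ace.IdentityReference.Value; Right = 'All extended rights (includes both)' }
    }
}

Write-Host "Principals allowed directory replication on $($domain.DNSRoot):"
$holders | Sort-Object Principal, Right | Format-Table -AutoSize

# 2. The WAAS group must hold both rights; any other non-default principal in the list
#    above should be explained by an administrator.
$groupAccount = (Get-ADGroup -Identity $GroupName).SID.Translate([System.Security.Principal.NTAccount]).Value
$groupRights  = @($holders | Where-Object { $_.Principal -eq $groupAccount } | Select-Object -ExpandProperty Right)
$hasBoth = ($groupRights -contains 'All extended rights (includes both)') -or
           (($groupRights -contains 'Replicating Directory Changes') -and
            ($groupRights -contains 'Replicating Directory Changes All'))
if (-not $hasBoth) {
    Write-Warning "$GroupName does not hold both replication rights; Encrypted MAPI optimization will fail."
}

# 3. Group membership (Step 4): only the WAAS machine account(s) and the optional WAAS
#    user account belong here. Nested groups are flagged because they widen who can replicate.
$members = @(Get-ADGroupMember -Identity $GroupName)
if ($members.Count -eq 0) {
    Write-Warning "$GroupName has no members; add the WAAS computer or user account (Step 4)."
}
foreach ($m in $members) {
    $flag = if ($m.objectClass -eq 'group') { '  <-- nested group, review' } else { '' }
    '{0,-10} {1}{2}' -f $m.objectClass, $m.SamAccountName, $flag
}
```

Run it from an account that can read the domain root security descriptor. On an unmodified domain the first list contains only the built-in domain controller and administrator principals plus the group you created; any additional entry is a change someone should be able to account for.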
Note If the password for a user account has been changed in the Active Directory, you must edit the user account domain identity on the Cisco WAAS device to match the new Active Directory password.
– For a machine account identity, only the state of the domain identity (enabled or disabled) can be modified from a Cisco WAAS device.
– For a user account identity, only the state of the domain identity (enabled or disabled) and the password can be modified from a Cisco WAAS device.
To change the password for a user account domain identity on a Cisco WAAS device if the password for the account in the Active Directory has changed, follow these steps:
Step 1 From the Cisco WAAS Central Manager menu, choose Devices > device-name ( or Device Groups > device-group-name).
Step 2 From the Cisco WAAS Central Manager menu, choose Configure > Security > Windows Domain > Encrypted Services.
The Encrypted Services window appears.
Step 3 Select the user account domain identity to modify and click the Edit icon.
The Domain Identity window appears.
Step 4 In the Password field, change the password. The password should be the same as the password for the account in Active Directory.
To delete a domain identity on a WAAS device, follow these steps:
Step 1 From the Cisco WAAS Central Manager menu, choose Devices > device-name (or Device Groups > device-group-name).
Step 2 From the Cisco WAAS Central Manager menu, choose Configure > Security > Windows Domain > Encrypted Services.
The Encrypted Services window appears.
Step 3 Select one or more domain identities to delete, and then click the Delete icon to remove the domain identity configured on the Cisco WAAS device.
If the domain identity is being used for optimizing encrypted traffic, a warning message appears.
Step 4 To accept the procedure, click OK.
To cancel the procedure, click Cancel.
To disable Encrypted MAPI, follow these steps:
Step 1 From the Cisco WAAS Central Manager menu, choose Devices > device-name (or Device Groups > device-group-name).
Step 2 Disable Encrypted Service.
a. From the Cisco WAAS Central Manager menu, choose Configure > Security > Windows Domain > Encrypted Services.
The Encrypted Services window appears.
b. Uncheck the Enable Encrypted Service check box.
c. To save the changes, click Submit.
Step 3 Disable Encrypted MAPI Traffic Optimization.
a. From the Cisco WAAS Central Manager menu, choose Configure > Acceleration > Enabled Features.
The Enabled Features window appears.
b. Uncheck the Encrypted MAPI Traffic Optimization check box.
c. To save the changes, click Submit.
To view the statistics for Encrypted MAPI connections, see the Messaging Application Programming Interface (MAPI) Acceleration Charts in the chapter “Monitoring Your Cisco WAAS Network”.
Remote Procedure Call over HTTP (RPC over HTTP) allows Microsoft Outlook clients to access Microsoft Exchange servers from outside the enterprise network using HTTP or HTTPS as a transport for the RPC protocol. It allows a client on the Internet to connect securely to a Microsoft Exchange Server without having to log into a virtual private network (VPN) first.
An RPC-HTTP (RPC-H) module in Cisco WAAS, integrated into the existing Cisco WAAS MAPI optimizer, provides Cisco WAAS with the ability to optimize MAPI over RPC-HTTP(S) traffic.
Cisco WAAS Version 6.2.x and later supports L7 optimization for RPC-HTTP(S) traffic.
Table 12-5 shows the clients and servers that support Cisco WAAS MAPI RPC over HTTP(S).
Table 12-5 Clients and Servers Supporting Cisco WAAS MAPI RPC over HTTP(S)
Microsoft Exchange 2013 and Microsoft Exchange 2016 can be configured for MAPI over HTTP support. MAPI over HTTP traffic is not optimized by the MAPI accelerator; however, it still receives L4 optimization benefits from Cisco WAAS.
To complete prerequisites for configuring optimization of MAPI RPC over HTTP(S), follow these steps:
Step 1 Ensure that the SSL, HTTP and MAPI accelerators are enabled. If you have enabled SSL Interposer (SSL Accelerator V2) on both branch and data center devices, MAPI over RPC HTTPS will use Smart-SSL and not SSL Accelerator V1.
Step 2 Configure SSL acceleration. For more information on configuring SSL acceleration, see Configuring SSL Acceleration. If you enable SSL Interposer (SSL Accelerator V2) on both Cisco branch and Cisco data center devices, MAPI over RPC HTTPS will use Smart-SSL and not SSL Accelerator V1.
Step 3 When you configure SSL acceleration, be sure to enable protocol chaining, by checking the Enable protocol chaining check box in the SSL Accelerated Services window.
Note If protocol chaining is not enabled, the Cisco WAAS device will only optimize SSL traffic on the specified IP address and port.
Step 4 Configure a Microsoft Windows domain identity on the core device, for Encrypted MAPI connections.
Step 5 Verify that encryption is enabled in the MAPI accelerator. For more information on Encrypted MAPI settings, refer to Configuring Encrypted MAPI Settings.
The MAPI Acceleration report displays MAPI acceleration statistics. For Cisco WAAS Version 5.5.3 and later, the following MAPI acceleration charts are added or modified:
MAPI over HTTP enables Messaging API (MAPI) clients and servers to communicate over an HTTP connection that no longer uses RPC technology. This provides faster reconnects and improved reliability.
Release 6.4.3 provides optimization support for MAPI over HTTP traffic. This is enabled by default and uses SMART-SSL acceleration and protocol chaining to intercept and accelerate the MAPI over HTTP traffic. To ensure this optimization, you need to enable the SMART-SSL (SSL Accelerator v2) accelerator.
For more information on how to set up the Exchange service, see Using SSL Accelerated Services.
The MAPI Acceleration report displays MAPI acceleration statistics. For more information, see MAPI: Handled Traffic Pattern and MAPI: Connection Details in the chapter “Monitoring Your Cisco WAAS Network”.
Table 12-6 shows the clients and servers supporting Cisco WAAS MAPI over HTTP:
Table 12-6 Clients and Servers Supported for Cisco WAAS MAPI over HTTP
The Server Message Block (SMB) application accelerator handles optimization of file server operations. These optimizations apply to SMBv1, SMBv2, and SMBv3. You can configure the SMB application accelerator to perform the file server optimizations shown in Table 12-7.
Table 12-7 SMB Application Accelerator File Server Optimizations
To configure the SMB Accelerator settings, follow these steps:
Step 1 From the Cisco WAAS Central Manager menu, choose Devices > device-name (or Device Groups > device-group-name).
Step 2 Choose Configure > Acceleration > Enabled Features.
The Enabled Features window appears (Figure 12-1).
a. At the Accelerator Optimization pane, check the SMB Accelerator check box.
Step 3 From the Cisco WAAS Central Manager menu, choose Devices > device-name (or Device Groups > device-group-name).
Step 4 Choose Configure > Acceleration > SMB Settings.
The SMB Settings window appears (Figure 12-10).
Figure 12-10 SMB Accelerator Configuration Window
Step 5 From the Highest Dialect Optimized drop-down list, choose the highest dialect to optimize. The available options are:
Step 6 From the Highest Dialect Optimized Exceed Action drop-down list, choose the action for the dialects that are higher than the one chosen as the highest dialect to optimize:
Note The Mute option of the SMB AO is deprecated for SMB dialects 3.x and 2.0; muting these dialects has been found not to yield optimization benefits.
Note For SMB 2.1 only, you must use the Cisco WAAS CLI to configure the Handoff parameter, using the accelerator smb smb2-1 exceed-action handoff global configuration command. If you use the Cisco WAAS Central Manager to select the Handoff parameter for SMB 2.1, the Highest Dialect Optimized Exceed Action will not take effect, and Handoff will not be displayed in commands like the show running-configuration command or the show accelerator smb command.
Step 7 In the Bypass File Name Pattern field, enter the file name patterns for which the SMB accelerator should bypass optimization. Files whose names match the specified expressions are not optimized.
Step 8 To enable disk caching for SMB traffic, check the SMB Object Cache check box.
Step 9 To enable optimization of signed SMB v2 and v3 traffic, check the Signing Optimization check box. This check box is checked by default.
An SMB connection request can originate from the Branch office to the Data Center or vice versa. For every connection, the Cisco WAE near the requester takes the Cisco Edge WAE’s role, and the Cisco WAE near the SMB server takes the Cisco Core WAE’s role.
The following prerequisites, at the Cisco Core WAE and Cisco Edge WAE, are necessary to ensure that a signed connection is optimized:
a. On the Cisco Core WAE, configure a valid user identity with administrator privileges to enable secret retrieval, which fetches and caches the long-term service key of the SMB server, by running the following global configuration command:
windows-domain encryption-service identity [identity] user-account name [admin-username] domain [your.domain] realm [your.domain] password
To verify the identity configuration, run the following EXEC command:
show windows-domain encryption-service identity detail
(Optional) To configure a machine identity, instead of using user identity, you can also follow the steps in the procedure Configuring a Machine Account Identity.
b. For Kerberos Authentication to work correctly, ensure time synchronization between Client, Server, Cisco Core WAE and the Domain Controller.
These configurations are similar to the EMAPI configuration. For more information, see Step 6 of the procedure Configuring Encrypted MAPI Settings.
c. Verify that WAN Secure mode is enabled. The secure connection that WAN Secure establishes is used to transport the key to the Edge WAE.
The default recommended mode is Auto. To verify the state of WAN Secure mode, run the following EXEC command:
To change the state of WAN Secure, run the following global configuration command:
accelerator smb wansecure-mode {always | auto | none}
d. Verify that the Cisco WAE devices are registered and are online with the Cisco WAAS Central Manager.
Step 10 To perform the following tasks, click the SMBV1 Optimization Settings tab.
The SMB accelerator does not perform read-ahead, write, and lock-ahead optimizations for Microsoft Office if this optimization is disabled. This check box is checked by default.
Step 11 To perform the following tasks, click the SMBV2 Optimization Settings tab.
Step 12 To perform the following tasks, click the SMBV3 Optimization Settings tab.
Step 13 To save the changes, click Submit.
To configure SMB acceleration using the Cisco WAAS CLI, run the accelerator smb global configuration command.
Use the following operating guidelines for the accelerator smb global configuration command.
The Independent Computing Architecture (ICA) application accelerator provides WAN optimization on a Cisco WAAS device for ICA traffic that is used to access a virtual desktop infrastructure (VDI). This is done through a process that is both automatic and transparent to the client and server.
ICA acceleration is enabled on a Cisco WAAS device by default.
To configure ICA acceleration, follow these steps:
Step 1 To enable the ICA accelerator, choose Configure > Acceleration > Enabled Features.
Step 2 The Enabled Features window appears (Figure 12-1).
a. At the Accelerator Optimization pane, check the ICA Accelerator check box.
Step 3 From the Cisco WAAS Central Manager menu, choose Devices > device-name (or Device Groups > device-group-name).
Step 4 Choose Configure > Acceleration > ICA Settings.
The ICA Acceleration Configuration window appears.
Figure 12-11 ICA Acceleration Configuration Window
Step 5 Check the Enable Multi Stream ICA check box to allow the client and server up to three additional TCP connections for optimizing multistream ICA traffic.
Step 6 From the WAN Secure Mode drop-down list, choose the mode. The options are:
Note The state of WAN Secure mode in both Cisco Branch WAE and Cisco Data Center WAE must match for connections to get optimized with the ICA accelerator.
Step 7 To configure DSCP values for MSI priority levels: In the DSCP Settings (QoS) under ICA Streams section, check the Enable DSCP Tagging check box. These values override the defaults.
Consider the following ranges and guidelines:
– Very High-Priority MSI (default of 41): Typically real-time traffic, such as audio.
– High-Priority MSI (default of 41): Typically interactive traffic.
– Medium-Priority MSI (default of 21): Typically bulk data.
– Low-Priority MSI (default of 0, best effort): Typically background traffic, such as printing.
The changes are saved to the device or device group.
Consider the following guidelines for configuring ICA acceleration using the Cisco WAAS CLI:
Consider the following operating guidelines for configuring ICA over Socket Secure (SOCKS):
– Non-default ports configured with Multi-Port Policy on XenApp for Multi-Stream ICA (MSI) are not supported.
– SOCKS with ICA over SSL is not supported.
– SOCKS Version 4 is not supported. ICA over SOCKS Version 5 is supported for the NetScaler gateway.
To configure ICA over SOCKS, follow these steps:
Step 1 From the Cisco WAAS Central Manager menu, choose Devices > device-name (or Device Groups > device-group-name).
Step 2 Choose Configure > Acceleration > Optimization Class-Map.
Step 3 Edit the class-map named Citrix and add the required port number using the Add Match Condition option.
The port number added in the class-map should be the same as the one configured for the SOCKS proxy, on the NetScaler gateway.
Note If the SOCKS proxy port is running on ICA or CGP ports, 1494 or 2498, then you do not need to modify the existing configuration.
Step 4 Select the branch device and make the necessary changes for the port number.
Alternatively, run the class-map type match-any citrix global configuration command to make these changes.
The Cisco WAAS software supports optimizing ICA over SSL. This allows the client and server to use the ICA protocol over an encrypted connection. To support optimizing ICA over SSL, perform the following steps:
Note When you are configuring SSL acceleration, be sure to enable protocol chaining. If protocol chaining is not enabled, the Cisco WAAS device will only optimize SSL traffic on the specified IP address and port.
The SSL (Secure Sockets Layer) application accelerator optimizes traffic on SSL encrypted connections. If SSL acceleration is not enabled, the Cisco WAAS software DRE optimizations are not very effective on SSL-encrypted traffic. The SSL application acceleration enables Cisco WAAS to decrypt and apply optimizations while maintaining the security of the connection.
Consider the following operating guidelines for SSL acceleration:
The SSL application accelerator supports the SSL Version 3 (SSLv3) and Transport Layer Security Version 1 (TLSv1) protocols. If a TLSv1.1 or TLSv1.2 client request is received, negotiation does not occur. Manual bypass of TLSv1.1 or TLSv1.2 packets is required for these client and server connections to be established.
Table 12-8 provides an overview of the steps you must complete to set up and enable SSL acceleration.
| Task | Additional Information |
|---|---|
| Prepare for configuring SSL acceleration. | Identify the information that you need to gather before configuring SSL acceleration on your Cisco WAAS devices. For more information, see Prerequisites for Configuring SSL Acceleration. |
| Enable secure store, the Enterprise License, and SSL acceleration. | Enable Secure Store on the Cisco WAAS Central Manager, which is required for secure handling of the SSL encryption certificates and keys. For more information, see Enabling Secure Store Encryption on the Cisco WAAS Central Manager. Enable the Enterprise License. For more information, see Enabling Enterprise Licenses on the Cisco WAAS Central Manager and Cisco WAEs. Enable SSL acceleration. For more information, see Using SSL Accelerated Services. |
| Enable SSL application optimization. | For more information, see Enabling and Disabling Global Optimization Features. |
| Configure SSL acceleration settings. | (Optional) Configure the basic setup of SSL acceleration. For more information, see Configuring SSL Global Settings. |
| Create and manage cipher lists. | (Optional) Select and set up the cryptographic algorithms used on your Cisco WAAS devices. For more information, see Working with Cipher Lists. |
| Set up Certificate Authority certificates. | (Optional) Select, import, and manage certificate authority (CA) certificates. For more information, see Working with CA Certificates. |
| Configure SSL management services. | (Optional) Configure the SSL connections used between the Cisco WAAS Central Manager and Cisco WAE devices. For more information, see Configuring SSL Management Services. |
| Configure SSL peering service. | (Optional) Configure the SSL connections used between peer Cisco WAE devices for carrying optimized SSL traffic. For more information, see Configuring SSL Peering Service. |
| Configure and enable SSL-accelerated services. | Add, configure, and enable services to be accelerated by the SSL application optimization feature. For more information, see Using SSL Accelerated Services. |
Before you configure SSL acceleration, verify the following information about your network:
Figure 12-12 shows how the Cisco WAAS software handles SSL application optimization.
Figure 12-12 SSL Acceleration Block Diagram
When you configure SSL acceleration, you must configure SSL-accelerated service on the Cisco server-side (Data Center) WAE devices. The Cisco client-side (Branch) WAE should have its Secure Store initialized and unlocked or opened, but does not need to have the SSL-accelerated service configured. However, for SSL acceleration services to work, the SSL accelerator must be enabled on both Cisco Data Center WAEs and Cisco Branch WAEs. The Cisco WAAS Central Manager provides SSL management services and maintains the encryption certificates and keys.
Before you can use SSL acceleration on your Cisco WAAS system, you must enable Secure Store encryption on the Cisco WAAS Central Manager. For more information on this procedure, see Configuring Secure Store Encryption Settings in the chapter “Configuring Other System Settings”.
Before you can use SSL acceleration on your Cisco WAAS system, you must enable the Enterprise license. For more information on this procedure, see Managing Cisco WAAS Software Licenses in the chapter “Configuring Other System Settings”.
Before you can use SSL acceleration on your Cisco WAAS system, you must enable SSL acceleration on Cisco WAAS devices. For more information on this procedure, see Enabling and Disabling Global Optimization Features.
Note If the SSL accelerator is already running, you must wait for two datafeed poll cycles to be completed when registering a new Cisco WAE with a Cisco WAAS Central Manager before making any configuration changes. Otherwise, the changes may not take effect.
To configure the SSL acceleration global settings, follow these steps:
Step 1 From the WAAS Central Manager menu, choose Devices > device-name (or Device Groups > device-group-name).
Step 2 Choose Configure > Security > SSL > Global Settings.
The SSL Global Settings window appears (Figure 12-13).
Figure 12-13 SSL Global Settings Window
Step 3 To configure a device to use SSL settings from a particular device group: From the Select a Device Group drop-down list in the SSL global settings toolbar, choose a device group.
Step 4 From the SSL version drop-down list, choose the type of SSL protocol to use:
Step 5 (Optional) Set the Online Certificate Status Protocol (OCSP) parameters for certificate revocation:
– To use the OCSP responder specified in the OCSP Responder URL field, choose ocsp-url.
– To use the OCSP responder URL specified in the Certificate Authority, choose ocsp-cert-url.
If the Ignore OCSP failures check box is checked, the SSL accelerator treats the OCSP revocation check as successful when it does not receive a definitive response from the OCSP responder.
Step 6 From the Cipher List drop-down list, choose a list of cipher suites to be used for SSL acceleration. For more information, see Working with Cipher Lists.
Step 7 Choose a certificate and key pair method (Figure 12-14).
Figure 12-14 Configuring Service Certificate and Private Key
Note The file that you import or export must be in either a PKCS12 format or a Privacy Enhanced Mail (PEM) format.
For information about service certificate and private key configuration, see Generating and Managing a Service Certificate and Private Key.
To generate a service certificate and private key, follow these steps:
Step 1 From the WAAS Central Manager menu, choose Devices > device-name (or Device Groups > device-group-name).
Step 2 Choose Configure > Security > SSL > Global Settings.
The SSL Global Settings window appears (Figure 12-13).
Step 3 To generate a self-signed certificate and private key, at the Certificate and private key pane, click Generate self-signed certificate and private key. The Generate self-signed certificate and private key window appears (Figure 12-15).
Figure 12-15 Self-Signed Certificate and Private Key
a. To be able to export this certificate and key later, from the Cisco WAAS Central Manager or the Cisco WAAS device CLI, check the Mark private key as exportable check box.
b. Fill in the certificate and private key fields.
Consider the following operating guidelines for the Key Size field, shown in Table 12-9:
Table 12-9 Key Size Field Guidelines
To import an existing service certificate and private key, follow these steps:
Step 1 From the WAAS Central Manager menu, choose Devices > device-name (or Device Groups > device-group-name).
Step 2 Choose Configure > Security > SSL > Global Settings.
The SSL Global Settings window appears (Figure 12-13).
Step 3 At the Certificate and private key pane, click Import existing certificate and optionally private key.
The Import existing certificate and optionally private key window appears (Figure 12-16):
Note The Cisco WAAS SSL feature supports only the RSA signing/encryption algorithm and RSA keys.
Figure 12-16 Importing Existing Certificate or Certificate Chain
Step 4 To be able to export this certificate and key later, from the Cisco WAAS Central Manager or the Cisco WAAS device CLI, check the Mark private key as exportable check box.
Step 5 Choose an import format for the certificate and private key to be imported:
Consider the following operating guidelines for importing an existing certificate or certificate chain and private key:
Step 6 At the Upload field, use the Browse button to browse to the file and then select it.
Step 7 In the Passphrase to decrypt private key field, enter a passphrase to decrypt the private key. If the private key is not encrypted, leave this field blank.
To export an existing certificate and private key, follow these steps:
Step 1 From the Cisco WAAS Central Manager menu, choose Devices > device-name (or Device Groups > device-group-name).
Step 2 Choose Configure > Security > SSL > Global Settings.
The SSL Global Settings window appears (Figure 12-13).
Step 3 At the Certificate and private key pane, click Export certificate and key.
The Export certificate and key window appears (Figure 12-17).
Figure 12-17 Export Certificate and Key Window
Step 4 In the Encryption pass-phrase field, enter the encryption passphrase.
Step 5 Choose an export format for the certificate:
For PEM format, both the certificate and private key are included in a single PEM file.
Note The Cisco WAAS Central Manager does not allow the export of certificate and private key if the certificate and key were marked as nonexportable when they were generated or imported.
To generate a Certificate Signing Request (CSR), follow these steps:
Step 1 From the Cisco WAAS Central Manager menu, choose Devices > device-name (or Device Groups > device-group-name).
Step 2 Choose Configure > Security > SSL > Global Settings.
The SSL Global Settings window appears (Figure 12-13).
Step 3 At the Certificate and private key pane, click Generate certificate signing request.
The Certificate signing request window appears (Figure 12-18).
Figure 12-18 Generate Certificate Signing Request Window
Step 4 Configure the CSR settings:
Step 5 To generate the CSR, click Generate CSR.
Step 6 To update the current certificate with one signed by the Certificate Authority:
a. Generate a PKCS#10 certificate signing request.
b. Send the generated certificate signing request to the Certificate Authority, which generates and signs the certificate.
c. To import the certificate received from the Certificate Authority, click Import existing certificate and optionally private key.
The Import existing client certificate and optionally private key window is displayed (Figure 12-19).
Note The size of the key for a generated certificate request is the same as the size of the key in the current certificate.
Figure 12-19 Import Existing Client Certificate and Optionally Private Key Window
a. To be able to export this certificate and key later, from the Cisco WAAS Central Manager or the Cisco WAAS device CLI, check the Mark private key as exportable check box.
b. To import an existing client certificate and private key, choose one of the following:
Consider the following guidelines for importing an existing client certificate and private key:
c. Enter a pass-phrase to decrypt the private key, or leave this field empty if the private key is not encrypted.
d. Click Choose File, navigate to the client-configured certificate, and then click Import Client Cert to import the certificate specified above.
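The generate, import, export, and CSR procedures above all handle the same two artefacts: an RSA private key and its certificate, in PEM or PKCS12 form. The following POSIX shell script is an added example, not Cisco WAAS code or part of this guide: it uses openssl to produce a self-signed RSA certificate and key (the equivalent of Generate self-signed certificate and private key), a PKCS#10 CSR from that key (the equivalent of Generate certificate signing request), and a passphrase-protected PKCS12 bundle (the form the export action produces and the import action accepts), and then runs the checks worth doing before the import step: that the key is RSA, what its size is, that the certificate and key belong together, and that the bundle opens with the passphrase that will be typed into the Passphrase to decrypt private key field. The subject name, key size, passphrase, and file names are constructed sample values, and openssl must be installed.

```shell
#!/bin/sh
# Added example (not Cisco WAAS code): prepare a service certificate and RSA
# private key in the formats the Central Manager import accepts (PEM or PKCS12)
# and run the pre-import checks. openssl must be installed. The subject name,
# key size, passphrase and file names below are constructed sample values.

WORKDIR=${WORKDIR:-$(mktemp -d)}
SUBJECT="/CN=mail.example.test/O=Example Corp"   # constructed sample subject
P12_PASS="ExportPassphrase1"                      # constructed export passphrase

# 1. Self-signed certificate plus private key. WAAS accepts RSA keys only,
#    so the key type is fixed to RSA here.
make_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -sha256 -days 365 -nodes \
        -subj "$SUBJECT" \
        -keyout "$WORKDIR/service.key" -out "$WORKDIR/service.crt" 2>/dev/null
}

# 2. PKCS#10 CSR from the same key; the CA-signed certificate will carry this
#    key, so its size is the size of the current key.
make_csr() {
    openssl req -new -key "$WORKDIR/service.key" -subj "$SUBJECT" \
        -out "$WORKDIR/service.csr" 2>/dev/null
}

# 3. Passphrase-protected PKCS12 bundle holding certificate and key.
make_pkcs12() {
    openssl pkcs12 -export -inkey "$WORKDIR/service.key" \
        -in "$WORKDIR/service.crt" -passout "pass:$P12_PASS" \
        -out "$WORKDIR/service.p12" 2>/dev/null
}

# --- pre-import checks ---

# The key must be RSA: "openssl rsa" refuses any other key type.
is_rsa_key() {
    openssl rsa -in "$WORKDIR/service.key" -noout 2>/dev/null
}

# Modulus size of the private key, to compare with the Key Size guidelines.
key_bits() {
    openssl rsa -in "$WORKDIR/service.key" -noout -text 2>/dev/null |
        sed -n 's/.*Private-Key: (\([0-9]*\) bit.*/\1/p'
}

# Public key size recorded in the CSR (necessarily equal to the key's size).
csr_bits() {
    openssl req -in "$WORKDIR/service.csr" -noout -text 2>/dev/null |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit.*/\1/p'
}

# Certificate and key belong together only if their RSA moduli are identical;
# a mismatched pair cannot serve the accelerated service.
cert_matches_key() {
    k=$(openssl rsa -in "$WORKDIR/service.key" -noout -modulus 2>/dev/null)
    c=$(openssl x509 -in "$WORKDIR/service.crt" -noout -modulus 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# The bundle must open with the passphrase given to the import form; a wrong
# passphrase fails here rather than during the upload.
pkcs12_opens_with() {
    openssl pkcs12 -in "$WORKDIR/service.p12" -passin "pass:$1" \
        -nokeys -noout 2>/dev/null
}

run_all() {
    make_selfsigned && make_csr && make_pkcs12 || return 1
    is_rsa_key || { echo "key is not RSA" >&2; return 1; }
    cert_matches_key || { echo "certificate does not match key" >&2; return 1; }
    pkcs12_opens_with "$P12_PASS" || { echo "PKCS12 bundle unreadable" >&2; return 1; }
    echo "key: $(key_bits) bits, CSR key: $(csr_bits) bits, files in $WORKDIR"
}

run_all
```

To run only the checks against files produced elsewhere (for example a key and certificate received from a CA), point WORKDIR at a directory containing service.key, service.crt and service.p12 and call the individual check functions; the key_bits value is the number to compare with the Key Size guidelines before the file is uploaded.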
Cipher lists are sets of cipher suites that you can assign to your SSL acceleration configuration. A cipher suite is an SSL encryption method that includes the key exchange algorithm, the encryption algorithm, and the secure hash algorithm.
For dual-sided deployments that use SMART-SSL acceleration, only rsa-with-aes-256-cbc-sha is supported.
To configure a cipher list, follow these steps:
Step 1 From the Cisco WAAS Central Manager menu, choose Devices > device-name (or Device Groups > device-group-name).
Step 2 Choose Configure > Security > SSL > Cipher Lists.
The SSL Cipher Lists window appears (Figure 12-20).
Note For a Cisco WAAS Express device, the SSL Cipher Lists window shows the same name and cipher fields, but in a slightly different format.
Figure 12-20 SSL Cipher Lists Window
Step 3 To add a new cipher list, click Create.
The Creating New SSL Cipher List window appears (Figure 12-21).
Note For a Cisco WAAS Express device, click Add Cipher List to add a new cipher list.
Figure 12-21 Creating New SSL Cipher List Window
Step 4 In the Cipher List Name field, enter a name for your cipher list.
Step 5 To add cipher suites to your cipher list, click Add Cipher.
Note For a Cisco WAAS Express device, select the ciphers you wish to add, and go to Step 12.
Step 6 From the Ciphers drop-down list, choose the cipher suite to add.
Note If you are establishing an SSL connection to a Microsoft IIS server, do not select a DHE-based cipher suite.
Step 7 From the Priority drop-down list, choose the priority number for the selected cipher suite.
Note When SSL peering service is configured, the priority associated with a cipher list on a core device takes precedence over the priority associated with a cipher list on an edge device.
Step 8 To include the selected cipher suite on your cipher list, click Add. To leave the list as it is, click Cancel.
Step 9 To add more cipher suites to your list, repeat Step 5 through Step 8.
Step 10 (Optional) To change the priority of a cipher suite, check the Cipher Suite check box, and then use the up or down arrow buttons located below the cipher list to change priority.
Note The client-specified order for ciphers overrides the cipher list priority assigned here if the cipher list is applied to an accelerated service. The priorities assigned in this cipher list are only applicable if the cipher list is applied to SSL peering and management services.
Step 11 (Optional) To remove a cipher suite from the list, check the cipher suite’s box and then click Delete.
Step 12 After you have completed configuring the cipher list, click Submit.
Note To save the cipher list configuration for a Cisco WAAS Express device, click OK. SSL configuration changes are not applied on the device until the security license has been enabled on the device.
Use the Cisco WAAS SSL acceleration feature to configure the Certificate Authority (CA) certificates used by your system. You can use one of the many CA certificates included with Cisco WAAS, or import your own CA certificate.
To configure and manage your CA certificates, follow these steps:
Step 1 From the Cisco WAAS Central Manager menu, choose Devices > device-name (or Device Groups > device-group-name).
Step 2 Choose Configure > Security > SSL > Certificate Authorities.
The SSL CA Certificate List window appears (Figure 12-22).
There is also an Aggregate Settings field configurable as Yes or No. To complete the procedure for Cisco WAAS Express, move to Step 4.
Figure 12-22 SSL CA Certificate List Window
Step 3 To add one of the preloaded CA certificates that is included with Cisco WAAS:
b. Choose the pre-existing CA certificate you want to add and click Import.
The selected CA certificate is added to the list in the SSL CA Certificate List area.
Step 4 To add your own CA certificate:
The Creating New CA Certificate window appears (Figure 12-23).
Note To add your own CA certificate to a Cisco WAAS Express device, click Add CA. Enter the name and the URL, and then click Get CA Certificate. After this, move to Step 6.
Figure 12-23 Creating New CA Certificate Window
b. In the Certificate Name field, type a name for the certificate.
c. (Optional) In the Description field, type a description of the CA certificate.
d. From the Revocation check drop-down list, choose Disable to disable OCSP revocation checking for certificates signed by this CA.
e. To add the certificate information, choose one of the following:
If you are uploading a file, it must be in a PEM format. Browse to the file that you want to use and click Upload.
If you are pasting the CA certificate information, paste the text of the PEM format certificate into the Paste PEM-encoded certificate field.
This option automatically configures the certificate authority using Simple Certificate Enrollment Protocol (SCEP). If you are using the automated certificate enrollment procedure, enter the CA URL and click Get Certificate. The contents of the certificate are displayed in text and PEM formats.
To complete the automated certificate enrollment procedure, configure the SSL auto enrollment settings in Configuring SSL Auto Enrollment.
f. To save the changes, click Submit.
Step 5 (Optional) To remove a CA from the list, select it and then click the Delete icon located in the toolbar.
Step 6 After you have completed configuring the CA certificate list, click Submit.
Note For a Cisco WAAS Express device, click OK to save the CA certificate configuration.
The Cisco WAAS SSL acceleration feature allows you to enroll certificates automatically for a device (or device group) using Simple Certificate Enrollment Protocol (SCEP). After the CA certificate is obtained, configure the SSL auto enrollment settings.
You must configure the CA before configuring auto enrollment settings.
To configure SSL auto enrollment settings, follow these steps:
Step 1 From the Cisco WAAS Central Manager menu, choose Devices > device-name (or Device Groups > device-group-name).
Step 2 Choose Configure > Security > SSL > Auto Enrollment.
The SSL Auto Enrollment Settings window appears (Figure 12-24).
Figure 12-24 SSL Auto Enrollment Settings Window
Step 3 At the CA Settings pane, configure the CA settings:
Note The CA, CA URL, and Challenge Password are required to enable SSL auto enrollment.
Step 4 At the Certificate Signing Request pane, configure the Certificate Signing Request settings:
Step 5 From the Key Size drop-down list, choose the key size. Valid values are 512, 768, 1024, 1536, or 2048.
Step 6 Check the Enable Enroll check box.
After you have submitted the settings, you can check the enrollment status in the Machine Certificate section in the SSL Global Settings window and in the Alerts window.
SSL management services are the SSL configuration parameters that affect secure communications between the Cisco WAAS Central Manager and the Cisco WAE devices (Figure 12-12). The certificate and key pairs used are unique for each Cisco WAAS device. Therefore, SSL management services can only be configured for individual devices, not device groups.
To configure SSL management services, follow these steps:
Step 1 From the Cisco WAAS Central Manager menu, choose Devices > device-name.
Step 2 Choose Configure > Security > Management Service.
The Management Services window appears (Figure 12-25).
Figure 12-25 SSL Management Services Window
Step 3 From the SSL version drop-down list, choose the type of SSL protocol to use:
Consider the following configuration guidelines for SSL connections:
The following cipher lists are supported in SSL Acceleration (Legacy SSL Acceleration).
Consider the following configuration guidelines for ciphers:
Some browsers, such as Internet Explorer, do not correctly handle a change of SSL version and cipher settings on the Cisco WAAS Central Manager, which can result in the browser showing an error page after you submit the changes. If this occurs, reload the page.
Step 4 In the Cipher List pane, choose a list of cipher suites to be used for SSL acceleration.
For more information, see Working with Cipher Lists.
To enable trusted SSL communication between the Cisco WAAS Central Manager and the web browser, export the SSL CA-signed certificate. The default certificate for enabling SSL communication is the Cisco WAAS Central Manager self-signed certificate. To use a different certificate, you must configure it.
To configure the SSL certificate, follow these steps:
Step 1 From the Cisco WAAS Central Manager menu, choose Devices > CM > Configure > Security > SSL Admin Service.
The default certificate is displayed.
Step 2 Select the PKI operation:
a. To upload or paste an existing certificate and key pair, click Import Existing Certificate Key.
b. To export the current certificate and key pair, click Export Certificate Key.
c. The file that you import or export must be in either a PKCS12 format or a Privacy Enhanced Mail (PEM) format.
d. To configure the Cisco WAAS Central Manager and Cisco WAAS device to use a self-signed certificate and key pair for SSL, click Generate Self-signed Certificate Key.
Consider the following operating guidelines for the Key Size field, shown in Table 12-10 :
Table 12-10 Key Size Field Guidelines
Step 3 To register the certificate, click Submit.
The Cisco WAAS Central Manager now uses the specified certificate for SSL communication.
SSL peering service configuration parameters control the secure communications established by the SSL accelerator between Cisco WAE devices while optimizing SSL connections (Figure 12-12). The peering service certificate and private key are unique for each Cisco WAAS device and can be configured for individual devices only, not device groups.
To configure SSL peering service, follow these steps:
Step 1 From the Cisco WAAS Central Manager menu, choose Devices > device-name.
Step 2 Choose Configure > Security > Peering Service.
The Peering Service window appears (Figure 12-26).
Figure 12-26 SSL Peering Service Window
Step 3 From the SSL Version drop-down list, choose the type of SSL protocol to use:
Consider the following SSL guidelines:
Step 4 To enable verification of peer certificates, check the Enable Certificate Verification check box.
Step 5 To disable OCSP certificate revocation checking, check the Disable revocation check for this service check box. With revocation checking disabled, a revoked peer certificate continues to be accepted until it expires; disable it only if the WAE devices cannot reach the OCSP responder.
This option is not available for Cisco WAAS Express devices.
Step 6 At the Cipher List pane, choose a list of cipher suites to be used for SSL acceleration between the WAE device peers.
For a Cisco WAAS Express device, SSL configuration changes will not be applied on the device until the security license has been enabled on the device.
After you have enabled and configured SSL acceleration on your WAAS system, you must define at least one service to be accelerated on the SSL path.
For Cisco WAAS Version 6.4.3 and later, the SMART-SSL feature is enhanced to allow you more control of SSL traffic:
After configuration is complete, it is reflected in Devices > device-name ( or Device Groups > device-group-name) > Configure > Acceleration > SSL Accelerated Services.
– You must mark a service as Secondary to proceed with IP Any and the same port. After a service is marked as Secondary, no other IP Any entry is allowed, but you can add other IP addresses with ports, server hostnames, and domain names to the Secondary service.
– You cannot mark a service as Secondary without Any address configuration.
– You cannot remove the Secondary settings if the SSL accelerated service is enabled.
To configure SSL-accelerated services, follow these steps:
Step 1 From the Cisco WAAS Central Manager menu, choose Devices > device-name ( or Device Groups > device-group-name).
Step 2 Choose Configure > Acceleration > SSL Accelerated Services.
Step 3 To delete an accelerated service, select the service and click Delete.
Step 4 To define a new accelerated service, click Create. A maximum of 512 accelerated services are allowed.
The Basic SSL Accelerated Services Configuration window appears (Figure 12-27).
Figure 12-27 SSL-Accelerated Services - Basic Window
Step 5 At the SSL Accelerated Service pane:
a. In the Service Name field, enter a name for the service.
b. To enable this accelerated service, check the In service check box.
c. To enable client version rollback check, check the Client version rollback check check box.
Enabling the client version rollback check prevents connections with an inconsistent client version from being optimized. This corresponds to the standard TLS version rollback check: the protocol version the client embeds in the RSA premaster secret must match the version it offered in its Client Hello (RFC 5246, section 7.4.7.1), which blocks version-downgrade attacks.
d. To match subject alternative names, check the Match Server Name Indication check box.
For more information, see Configuring SSL Acceleration for SaaS Applications.
e. To enable protocol chaining, check the Enable protocol chaining check box.
Enabling protocol chaining allows other protocols to be optimized over SSL.
f. From the Application drop-down list, choose the SaaS application that needs to be optimized.
This field is displayed only on the devices running Cisco WAAS Version 6.4.3 or later.
g. Check the Enable DSCP Remarking check box and enter values in the DSCP LAN and DSCP WAN fields. The available values are 0 to 63.
h. To configure the accelerated service to use multiple IP addresses, check the Secondary checkbox.
This is applicable only for Cisco WAAS devices running Cisco WAAS Version 6.4.3 or later.
Checking the Secondary check box ensures the following actions for this accelerated service:
Step 6 At the Server addresses pane:
a. From the Server drop-down list, choose IP Address, Hostname, or Domain as the SSL service endpoint type.
b. In the associated Server field, enter one of the following:
c. At the Server Port field, enter the port associated with the service to be accelerated.
Step 7 Click Add to add each address. If you specify a server hostname, the Cisco WAAS Central Manager resolves the hostname to the IP address and adds it to the Server IP/Ports table.
Step 8 To remove an IP address from the list, click Delete.
Step 9 Configure a certificate and key pair method (Figure 12-28).
Figure 12-28 Configuring Service Certificate and Private Key
– To configure the Cisco WAAS devices to use a self-signed certificate and key pair for SSL, click Generate self-signed certificate key.
– To upload or paste an existing certificate and key pair, click Import Existing Certificate Key.
For SaaS applications, the certificate must have the Subject Alternative Name (SAN) information.
– To export the current certificate and key pair, click Export Certificate Key.
– To renew or replace the existing certificate and key pair, click Generate Certificate Signing Request. The certificate signing request is used by the CA to generate a new certificate.
The file to be imported or exported must be in either PKCS12 format or PEM format.
– To use the client configured certificate, click Import existing client certificate and optionally private key.
Step 10 (Optional) To change the service certificate or private key for an existing SSL-accelerated service, follow these guidelines:
a. At the SSL Accelerated Service pane, uncheck the In service check box.
b. To disable the service, click Submit, and then wait five minutes.
c. Check the In service check box.
d. To re-enable the service, click Submit.
e. Alternatively, in the Cisco WAE CLI:
– Run the no inservice SSL-accelerated service configuration command.
– Run the inservice SSL-accelerated service configuration command.
To change the service certificate or private key for multiple SSL-accelerated services, restart all the accelerated services by disabling and then re-enabling the SSL accelerator.
Step 11 To configure SSL parameters for the service, click Advanced Settings tab.
The Advanced SSL Accelerated Services Configuration window appears (Figure 12-29).
Figure 12-29 SSL Accelerated Services—Advanced Window
a. (Optional) At the SSL Settings pane, from the SSL version drop-down list, choose the type of SSL protocol to use:
b. (Optional) At the SSL Settings pane, from the Cipher List drop-down list, choose a list of cipher suites to be used for SSL acceleration between the Cisco WAE device peers, or choose Inherited to use the cipher list configured in SSL global settings. For more information, see Working with Cipher Lists.
c. (Optional) To set the OCSP parameters for certificate revocation, follow these steps:
Note If the server and client devices are using self-signed certificates and certificate verification is enabled, Cisco WAAS devices will not be able to accelerate SSL traffic, because a self-signed certificate cannot be validated against any trusted CA.
d. After you have completed the configuration of the SSL accelerated service, click Submit.
To update a service certificate or private key in an SSL Accelerated Service, follow these steps:
Step 1 From the Cisco WAAS Central Manager menu, choose Devices > device-name ( or Device Groups > device-group-name).
Step 2 Choose Configure > Acceleration > SSL Accelerated Services.
Step 3 In the Name column for the specified service, click Edit SSL Accelerated Service.
Step 4 Choose a certificate and key pair method (Figure 12-28) to either re-generate a self-signed certificate and private key, or to import an updated certificate and/or key.
a. Enter the required details.
b. Depending on the chosen method, click Generate or Import.
The following steps are required because the accelerators hold the existing certificate and key in memory. Replacing the certificate and key as described above is not sufficient on its own, because it does not update the copy in memory; the service must be taken out of service and then re-enabled.
Step 5 In the Name column for the specified service, click the Edit SSL Accelerated Service button.
Step 6 Remove the check mark for In service, then click Submit.
Step 7 In the Name column, click the Edit SSL Accelerated Service button for the service once more.
Step 8 Enable the check mark for In service.
SaaS applications are typically served from multiple SSL server farms, with multiple hosts spanning several data centers.
To configure the SSL-accelerated services for SaaS applications, follow these steps:
Step 1 To create an SSL-accelerated service for a SaaS application, follow Step 1 through Step 8 in Using SSL Accelerated Services.
Step 2 To match subject alternative names, check the Match Server Name Indication check box, or run the match sni command on the core WAAS device.
Step 3 Consider the following guidelines to match subject alternative names:
We recommend this setting for optimizing cloud-based SaaS applications, to avoid namespace/certificate mismatch errors caused by the changing nature of SaaS server domains and IP addresses.
Step 4 To specify the server IP address of the accelerated server, use the keyword Any.
Step 5 Direct all SSL traffic for SaaS applications to port 443.
Step 6 Consider the following guidelines for directing all SSL traffic for SaaS applications to port 443:
Step 7 To upload or paste a certificate and key pair, click Import Existing Certificate Key.
To identify the server domains that need to be added for optimizing SaaS applications, follow the steps described in Determining Server Domains Used by SaaS Applications.
Step 8 To complete the configuration of the SSL-accelerated service for the SaaS application, click Submit.
This section describes how to determine the server domains used by SaaS applications and, optionally, how to optimize them.
To view the list of server domain names that do not match the existing SSL certificate, and therefore are not optimized:
1. Check the Match Server Name Indication check box.
2. Log in to the core Cisco WAAS device.
3. Run the sh crypto ssl services accelerated-service service-name command.
4. If you want to optimize any of these server domain names, select and add them to your certificate by following the steps below.
The server domain names list contains a maximum of 128 server names.
To select and add server domain names to your certificate for optimization, follow these steps:
Step 1 Identify the relevant servers to be added.
Step 2 Run the sh crypto ssl services accelerated-service service-name command to see additional details regarding the count and last seen information of the server name.
Step 3 To enable SNI debugging, which shows additional information about IP addresses and hostnames, run the debug accelerator ssl sni command.
Step 4 To create a new Certificate Signing Request (CSR) that carries the relevant SaaS server domain names in the subject alternative name extension, use the Microsoft Management Console (MMC), OpenSSL, or another available tool.
Step 5 Submit the CSR to the Enterprise CA.
Step 6 Import the Enterprise CA's root certificate into the clients' Trusted Root Certification Authorities store. The signed service certificate itself does not belong in the root store; clients trust it through the CA that signed it.
The Enterprise root CA must be present in the browser as a trusted root CA.
Step 7 To disable the accelerated service, uncheck the In service checkbox and click Submit.
Step 8 Upload the new certificate and re-enable the service.
Note The server names vary with the accelerated service that you have configured; see the names that must be included in the certificate for the respective accelerated service.
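Before submitting the CSR, it is worth checking that its proposed subject alternative name list covers every server name the accelerated service has actually seen. The following POSIX shell script is an added example, not Cisco WAAS tooling: it takes two plain text lists, one name per line (the DNS entries of the draft certificate or CSR, for example copied from openssl x509 -noout -text, and the server names reported by sh crypto ssl services accelerated-service service-name), and prints the names that no SAN covers. Wildcards are matched as in RFC 6125, where a leading *. covers exactly one label; that Cisco WAAS applies the same wildcard rule is an assumption here, not something the documentation states. The sample lists are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not Cisco WAAS tooling): report observed server names that a
# proposed subjectAltName list does not cover. Wildcard handling follows
# RFC 6125 (one label only); that WAAS matches the same way is an assumption.
set -eu

# san_covers SAN NAME : true when SAN covers NAME exactly or by one-label wildcard
san_covers() {
    san="$1"; name="$2"
    case "$san" in
        \*.*)
            suffix="${san#\*.}"      # "*.example-saas.com" -> "example-saas.com"
            first="${name%%.*}"      # leftmost label of the observed name
            # NAME must be exactly <one label>.<suffix>; "a.b.<suffix>" is not covered
            [ "$name" != "$first" ] && [ "$name" = "$first.$suffix" ]
            ;;
        *)
            [ "$name" = "$san" ]
            ;;
    esac
}

# uncovered_names SAN_FILE NAME_FILE : print each observed name (from NAME_FILE)
# that no SAN in SAN_FILE covers; both files hold one name per line.
uncovered_names() {
    while IFS= read -r name || [ -n "$name" ]; do
        if [ -z "$name" ]; then continue; fi
        covered=no
        while IFS= read -r san || [ -n "$san" ]; do
            if [ -n "$san" ] && san_covers "$san" "$name"; then covered=yes; fi
        done < "$1"
        if [ "$covered" = no ]; then echo "$name"; fi
    done < "$2"
}

# Constructed sample input: the SANs in a draft CSR and the names a WAE reported.
WORK="${WORK:-$(mktemp -d)}"
printf '%s\n' saas.example.com '*.example-saas.com' > "$WORK/sans.txt"
printf '%s\n' saas.example.com www.example-saas.com api.eu.example-saas.com \
    example-saas.com cdn.other-saas.net > "$WORK/observed.txt"

echo "Names the draft SAN list does not cover:"
uncovered_names "$WORK/sans.txt" "$WORK/observed.txt"
```

With the constructed input, the script reports api.eu.example-saas.com (a wildcard covers only one label), example-saas.com (the bare domain is not covered by *.example-saas.com) and cdn.other-saas.net. Remember the device-side limit stated above: the observed server name list holds at most 128 names, so a long-lived service may need to be sampled more than once.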
This section contains the following topics:
SMART-SSL is an encryption service that enables Layer 7 application network services, such as FTP, HTTP, DNS, to optimize traffic on SSL and TLS encrypted applications. SMART-SSL enables content caching for SSL and TLS applications (HTTP object cache for HTTPS traffic) in both single-sided and dual-sided deployment.
With the evolution of cloud services, there is a critical need to provide application optimization. For Cisco WAAS Version 6.4.1 and later, SMART-SSL optimization is enabled using both single-sided and dual-sided mode.
Dual-sided deployments for SMART-SSL (or SSL Accelerator V2) use TLS 1.2 as the SSL version and rsa-with-aes-256-cbc-sha as the cipher suite. Note that this suite uses static RSA key exchange and therefore provides no forward secrecy: anyone who later obtains the private key can decrypt previously captured sessions.
Table 12-11 Checklist for Configuring SMART-SSL (SSL Accelerator V2) Acceleration

| Task | Description |
|---|---|
| Prepare to configure SMART-SSL acceleration. | Identify the information you need to gather before configuring SMART-SSL acceleration on your Cisco WAAS devices. For more information, see Preparing to Use SMART-SSL Acceleration. |
| Set up to use existing Enterprise Root CA certificates. | (Optional) Create, import, and manage existing Enterprise Root certificate authority (CA) certificates. For more information, see Using a Root CA Certificate to Sign Cisco WAAS Accelerated Service Exported Certificate. |
| Enable SMART-SSL application optimization. | Activate the SMART-SSL acceleration feature. For more information, see Enabling and Disabling Global Optimization Features. |
| Set up accelerated service certificates. | Create, import, and use certificates for SMART-SSL acceleration. For more information, see Creating Single-Sided SMART-SSL Accelerated Service Certificate. |
| Configure and enable SSL-accelerated services. | Add, configure, and enable services to be accelerated by the SMART-SSL application optimization feature. For more information, see Configuring and Managing SMART-SSL Accelerated Services on a Single-Sided Device Group. |
Before configuring SMART-SSL acceleration, consider these specifications:
Supported cipher suites (IANA name and hex code):
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000A)
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016)
TLS_RSA_WITH_AES_128_CBC_SHA (0x002F)
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003C)
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003D)
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0041)
TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0045)
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x0067)
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x006B)
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0084)
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0088)
TLS_RSA_WITH_SEED_CBC_SHA (0x0096)
TLS_DHE_RSA_WITH_SEED_CBC_SHA (0x009A)
TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009C)
TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009D)
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009E)
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x009F)
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xC012)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xC013)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xC014)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xC027)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xC028)
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xC02F)
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xC030)
Note For SMART-SSL to work, the default SSL policy must be in place. If the policy is modified, for example, if accelerate http policy is applied for an SSL class map, the SSL accelerator starts optimizing, but the SMART-SSL accelerator does not optimize.
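The suites in the list above differ sharply in what they offer: only the (EC)DHE suites provide forward secrecy, only the GCM suites are AEAD, and 3DES, SEED and Camellia are legacy block ciphers that most current cipher policies exclude. The following POSIX shell script is an added example, not part of the Cisco WAAS documentation; it classifies every suite in the list by those properties, derives the subset that is both forward-secret and AEAD, and shows that the dual-sided default, rsa-with-aes-256-cbc-sha (TLS_RSA_WITH_AES_256_CBC_SHA), is neither. The suite names are the IANA names from the list; nothing else is assumed.

```shell
#!/bin/sh
# Added example (not from the Cisco WAAS documentation): classify the SMART-SSL
# cipher suites by key exchange, forward secrecy, AEAD mode and legacy block
# ciphers, and derive the subset worth keeping. Pure POSIX sh, no OpenSSL needed.
set -eu

# The IANA names from the SMART-SSL specification above.
SMART_SSL_SUITES="
TLS_RSA_WITH_3DES_EDE_CBC_SHA        TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA         TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA         TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256      TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA    TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256  TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA    TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
TLS_RSA_WITH_SEED_CBC_SHA            TLS_DHE_RSA_WITH_SEED_CBC_SHA
TLS_RSA_WITH_AES_128_GCM_SHA256      TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256  TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA   TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
"

# classify_suite SUITE : prints "SUITE kx=<ECDHE|DHE|RSA|other> pfs=<yes|no> aead=<yes|no> legacy=<yes|no>"
classify_suite() {
    s="$1"
    case "$s" in                       # the key exchange decides forward secrecy
        TLS_ECDHE_RSA_*) kx=ECDHE; pfs=yes ;;
        TLS_DHE_RSA_*)   kx=DHE;   pfs=yes ;;
        TLS_RSA_*)       kx=RSA;   pfs=no ;;   # static RSA: one key leak decrypts old captures
        *)               kx=other; pfs=no ;;
    esac
    case "$s" in *_GCM_*) aead=yes ;; *) aead=no ;; esac      # CBC + HMAC is not AEAD
    case "$s" in *3DES*|*SEED*|*CAMELLIA*) legacy=yes ;; *) legacy=no ;; esac
    printf '%s kx=%s pfs=%s aead=%s legacy=%s\n' "$s" "$kx" "$pfs" "$aead" "$legacy"
}

# count_matching TEXT : number of listed suites whose classification contains TEXT
count_matching() {
    n=0
    for s in $SMART_SSL_SUITES; do
        case "$(classify_suite "$s")" in *"$1"*) n=$((n + 1)) ;; esac
    done
    echo "$n"
}

# recommended_suites : listed suites that are forward-secret, AEAD and not legacy
recommended_suites() {
    for s in $SMART_SSL_SUITES; do
        case "$(classify_suite "$s")" in
            *"pfs=yes aead=yes legacy=no"*) echo "$s" ;;
        esac
    done
}

echo "Suites with forward secrecy: $(count_matching pfs=yes) of $(count_matching kx=)"
echo "Forward-secret AEAD suites worth keeping:"
recommended_suites
echo "Dual-sided default (rsa-with-aes-256-cbc-sha):"
classify_suite TLS_RSA_WITH_AES_256_CBC_SHA
```

Of the 27 suites, 17 offer forward secrecy, 6 are AEAD, 9 use a legacy block cipher, and only the four (EC)DHE GCM suites satisfy all three criteria; the dual-sided default is classified as static RSA, CBC, no forward secrecy. Use that subset as the starting point when building a cipher list under Working with Cipher Lists, and keep the weaker suites only where a peer or client cannot negotiate anything else.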
A root Certificate Authority (CA) certificate is the self-signed certificate of a certificate authority that domain clients trust. The root CA certificate is used to sign all the certificates that Cisco WAAS uses for SSL interposing during the client and server SSL handshake when optimizing applications or URLs.
The root CA certificate must be able to accept Certificate Signing Requests (CSRs) that include subject alternative names and generate certificates that include subject alternative names.
If your organization already has a well-known root CA certificate, you can use it. You can also import a new CA certificate using the Cisco WAAS Central Manager GUI.
For more information, see Working with CA Certificates.
To create a new root CA certificate, follow these steps:
Step 1 To create a new root CA certificate, use a Linux machine with an OpenSSL version of 1.0.1e or later.
Step 2 Create the root CA certificate key. This signs all issued certificates.
Step 3 Create the self-signed root CA certificate, with the key generated in Step 2.
Step 4 Verify the root CA certificate.
Step 5 Import the certificate from the Enterprise CA to the Trusted Root Certification Authorities store in the client browser.
Step 6 Install the root CA certificate and intermediate CA certificate.
To create the certificate to be used with the single-sided SMART-SSL accelerated service certificate, follow these steps:
Step 1 To create a new encryption key pair, use OpenSSL as shown below:
Step 2 For the application to be optimized, create a Certificate Signing Request (CSR), key pair, and other needed attributes, such as Common Name, Company and SubjAltName.
For example, for YouTube, ensure that the subjectAltNames have all URLs that YouTube servers include in their certificate, which you want to optimize.
Alternately, to create a CSR from the Cisco WAAS Central Manager GUI, follow the steps described in Generating and Managing a Service Certificate and Private Key.
Step 3 To create a new proxy server certificate, sign the above generated CSR with your existing Enterprise Root CA, or the one created above.
This generates a .crt or .pem certificate file.
To ensure that the created accelerated service proxy certificate will be authenticated and accepted by the client browser, the CA certificate used to sign this accelerated service certificate must be present in the client browser root CA certificate store.
a. Refer to your browser’s Settings or Options menu for that browser’s Certificates and Import locations.
d. Reload the browser for the cloud application.
The browser will pick up the new certificate.
Step 4 Cisco WAAS imports certificates in PKCS12 format. To generate a PKCS12 file from the certificate file and your private key, run the openssl pkcs12 command.
Step 5 To import this certificate into the Cisco WAAS device group, run the crypto import EXEC command. The imported certificate is then referenced in the accelerated service configuration as the server-cert-key.
Follow these guidelines for importing the certificate:
To enable the SMART-SSL settings on the specified device group, follow these steps:
Step 1 From the Cisco WAAS Central Manager menu, choose Device Groups > device-group-name.
Step 2 Select the device group to enable for SMART-SSL settings.
Note Add only branch devices to this group. These devices will optimize the SSL traffic as it passes through them.
Step 3 From the Cisco WAAS Central Manager menu, choose Configure > Acceleration > Enabled Features.
Step 4 To enable SMART-SSL acceleration, at the Accelerator Optimization pane, check the SSL Interposer (SSL Accelerator V2) check box.
Step 5 To create an SSL accelerated service for the device group, choose Acceleration > SSL Accelerated Services.
The Creating new SSL Accelerated Service window appears.
Step 7 At the SSL Accelerated Service pane, enter the name of your service, and check the In service box.
(Optional) Enter a short description for the SSL accelerated service.
Step 8 At the Server Addresses pane:
a. In the IP Address field, enter Any.
b. In the Server Port field, enter 443.
Step 9 At the Certificate and Private Key pane:
a. Click Import Existing Certificate and Optionally Private Key.
b. Click Upload File in PKCS#12 Format.
c. In the Password field, enter the password that protects the PKCS#12 file (the password that was set when the certificate was exported).
d. Use the Browse button to locate the certificate to be imported.
e. Click Import to import the certificate.
A confirmation screen appears, with the certificate information.
Step 10 To complete the configuration of the SSL-accelerated service to use single sided optimization, click Submit.
(Optional) Alternatively, to automate the entire process using a script, contact the Cisco Technical Assistance Center (TAC). For further information on contacting TAC, see the Cisco Support and Downloads page, Contacts/Support Cases section.
Step 11 To monitor the SMART-SSL accelerated service optimization statistics:
To configure and manage SMART-SSL accelerated services on a single-sided device group using the Cisco WAAS CLI, use these command guidelines:
Table 12-12 Cisco WAAS CLI Command Keywords Supported for SMART-SSL Acceleration
Microsoft Office 365 supports business-critical applications such as Outlook, SharePoint, Excel, and PowerPoint, and use of Microsoft Office 365 as SaaS has increased. As enterprises move toward SaaS applications such as Microsoft Office 365, the performance and user experience of these applications have become more important.
Cisco WAAS support for Microsoft Office 365 traffic acceleration and optimization was introduced in Cisco WAAS Version 5.3.5 (for optimization between the on-premise data center and the customer branch, only). For Cisco WAAS Version 6.2.1 and later, traffic to Microsoft Office 365 is optimized until it reaches the cloud, by implementing a solution that includes:
Table 12-13 shows the steps needed to set up and enable Microsoft Office 365 using the Cisco WAAS Central Manager.
Table 12-13 Checklist for Configuring Microsoft Office 365 Using the Cisco WAAS Central Manager

| Task | Description |
|---|---|
| Prepare to configure SSL acceleration. | Identify the information that you need to gather before configuring SSL acceleration on your Cisco WAAS devices. For more information, see Prerequisites for Configuring SSL Acceleration. |
| Set up root CA certificates. | (Optional) Create, import, and manage certificate authority (CA) certificates. For more information, see Using a Root CA Certificate to Sign Cisco WAAS Accelerated Service Exported Certificate. |
| Enable SSL application optimization. | Enable the SSL acceleration feature. For more information, see Enabling and Disabling Global Optimization Features and Configuring SSL Acceleration. |
| Set up accelerated service certificates. | Create, import, and use certificates for Microsoft Office 365 acceleration. For more information, see Creating a Microsoft 365 Accelerated Service Certificate. |
| Configure and enable Microsoft 365 acceleration. | Add, configure, and enable Microsoft 365 acceleration using the Cisco WAAS Central Manager. For more information, see Configuring Microsoft 365 Acceleration for Cisco WAAS. |
Before you create a Microsoft Office 365 accelerated service using the Cisco WAAS Central Manager, you must have completed the following:
You must create a root CA certificate before you create a Microsoft 365 accelerated service certificate. For more information, see:
To create the certificate to be used with Microsoft 365 acceleration, follow these steps:
Step 1 To create a new Certificate Signing Request (CSR) that carries the relevant Microsoft Office 365 server domain names in the subject alternative name extension, use the Microsoft Management Console (MMC), OpenSSL, or another available tool.
Step 2 In the following example certificate, refer to the highlighted area.
Step 3 Submit the CSR to the Enterprise CA.
Step 4 Import the Enterprise CA's root certificate into the clients' Trusted Root Certification Authorities store. The signed service certificate itself does not belong in the root store; clients trust it through the CA that signed it.
Note The Enterprise root CA must be present in the browser as a trusted root CA.
Step 5 To ensure that the created accelerated service proxy certificate will be authenticated and accepted by the client browser, the CA certificate used to sign this accelerated service certificate must be present in the client browser root CA certificate store.
a. Refer to your browser’s Settings or Options menu for that browser’s Certificates and Import locations.
d. Reload the browser for the cloud application.
The browser will pick up the new certificate.
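The steps in Creating Single-Sided SMART-SSL Accelerated Service Certificate and Creating a Microsoft 365 Accelerated Service Certificate above both reduce to the same OpenSSL work: create a root CA key and self-signed CA certificate, create a service key and a CSR whose subject alternative name lists every hostname to be proxied, sign the CSR with the CA, verify the chain, and package certificate and key as PKCS#12 for crypto import. The following POSIX shell script is an added example that carries that procedure end to end; it is not Cisco's tooling. It supplies the SAN through a config section rather than the newer -addext option, so it runs on OpenSSL 1.0.1e and later as the documentation requires. The subject names, hostnames, validity periods, file names, and export password are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example (not Cisco WAAS tooling): root CA -> SAN-bearing service cert
# -> chain check -> PKCS#12 bundle for "crypto import". Subjects, hostnames,
# lifetimes, file names and the export password below are assumptions.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
CA_SUBJ="/C=US/O=Example Corp/CN=Example Enterprise Root CA"   # assumed
P12_PASS="${P12_PASS:-changeit}"                               # assumed

# write_config CN SAN... : OpenSSL config with a CA profile, a server profile
# and an [alt_names] section listing every hostname the proxy must cover.
# A config section (not -addext) keeps this usable on OpenSSL 1.0.1e.
write_config() {
    cn="$1"; shift
    {
        printf '[ req ]\ndistinguished_name = dn\nprompt = no\n'
        printf '[ dn ]\nCN = %s\n' "$cn"
        printf '[ v3_ca ]\nbasicConstraints = critical, CA:TRUE\n'
        printf 'keyUsage = critical, keyCertSign, cRLSign\nsubjectKeyIdentifier = hash\n'
        # keyEncipherment is required for static-RSA suites such as the dual-sided default
        printf '[ v3_svc ]\nbasicConstraints = CA:FALSE\n'
        printf 'keyUsage = critical, digitalSignature, keyEncipherment\n'
        printf 'extendedKeyUsage = serverAuth\nsubjectAltName = @alt_names\n'
        printf '[ alt_names ]\n'
        i=1
        for h in "$@"; do printf 'DNS.%d = %s\n' "$i" "$h"; i=$((i + 1)); done
    } > "$WORKDIR/openssl.cnf"
}

# Steps 2 and 3 of "create a new root CA certificate": CA key, then self-signed CA cert.
make_root_ca() {
    openssl genrsa -out "$WORKDIR/ca.key" 2048 2>/dev/null
    openssl req -x509 -new -sha256 -days 3650 -key "$WORKDIR/ca.key" \
        -subj "$CA_SUBJ" -config "$WORKDIR/openssl.cnf" -extensions v3_ca \
        -out "$WORKDIR/ca.crt"
}

# Service key + CSR carrying the SANs, then signature by the root CA. The
# extensions are supplied again at signing time because "openssl x509 -req"
# does not copy them from the CSR.
make_service_cert() {
    openssl genrsa -out "$WORKDIR/svc.key" 2048 2>/dev/null
    openssl req -new -sha256 -key "$WORKDIR/svc.key" \
        -config "$WORKDIR/openssl.cnf" -reqexts v3_svc -out "$WORKDIR/svc.csr"
    openssl x509 -req -sha256 -days 365 -in "$WORKDIR/svc.csr" \
        -CA "$WORKDIR/ca.crt" -CAkey "$WORKDIR/ca.key" -CAcreateserial \
        -extfile "$WORKDIR/openssl.cnf" -extensions v3_svc \
        -out "$WORKDIR/svc.crt" 2>/dev/null
}

# Step 4 of the page: the service certificate must chain to the root CA.
verify_chain() {
    openssl verify -CAfile "$WORKDIR/ca.crt" "$WORKDIR/svc.crt"
}

# DNS names actually present in the signed certificate, one per line.
list_sans() {
    openssl x509 -in "$WORKDIR/svc.crt" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 \
        | tr ',' '\n' | sed 's/^ *DNS://'
}

# Cisco WAAS imports PKCS#12; bundling the CA keeps the chain with the key.
# OpenSSL 3.x writes AES/PBKDF2 by default; add -legacy only if an older
# importer rejects the file (assumption: current devices do not need it).
bundle_pkcs12() {
    openssl pkcs12 -export -in "$WORKDIR/svc.crt" -inkey "$WORKDIR/svc.key" \
        -certfile "$WORKDIR/ca.crt" -name saas-proxy \
        -passout "pass:$P12_PASS" -out "$WORKDIR/svc.p12"
}

# Read the bundle back the way an importer would and return the leaf subject.
p12_subject() {
    openssl pkcs12 -in "$WORKDIR/svc.p12" -passin "pass:$P12_PASS" \
        -nokeys -clcerts 2>/dev/null | openssl x509 -noout -subject
}

# Hostnames are assumed; in practice list every name the SaaS servers present.
write_config saas-proxy.example.com \
    saas-proxy.example.com www.example-saas.com '*.example-saas.com'
make_root_ca
make_service_cert
verify_chain
list_sans
bundle_pkcs12
echo "PKCS#12 bundle for crypto import: $WORKDIR/svc.p12"
```

Import the resulting .p12 with the crypto import EXEC command shown earlier, supplying the same export password, and install ca.crt (never svc.crt) in the clients' Trusted Root Certification Authorities store. Keep ca.key offline: whoever holds it can issue a certificate for any hostname that every client trusting this root will accept.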
To configure Microsoft Office 365 acceleration for Cisco WAAS using the Cisco WAAS Central Manager, follow these steps:
Step 1 Register your Microsoft Azure Cisco vWAAS device with the Cisco WAAS Central Manager. If the Cisco WAAS Central Manager is in a different network, add routes for reachability.
Step 2 Create a Microsoft Office 365 accelerated service for the device group:
a. Choose Acceleration > SSL Accelerated Services.
The Creating New SSL Accelerated Service window appears.
Step 3 At the SSL Accelerated Service pane:
a. In the Service Name field, enter a name for the service, for example, o365.
b. To enable this service, check the In Service check box.
c. To match subject alternative names, check the Match Server Name Indication check box or run the match sni command on the core WAAS device.
Consider the following guidelines to match subject alternative names:
d. (Optional) Provide a short description.
Step 4 At the Server addresses pane:
a. To specify the server IP address of the accelerated server, in the IP Address field, enter the keyword Any.
b. To direct traffic to port 443, in the Server Port field, enter 443.
Step 5 At the Certificate and Private Key pane:
a. Click Import Existing Certificate and Optionally Private Key.
b. Click Upload File in PKCS#12 Format.
c. In the Password field, enter the password that protects the PKCS#12 file (the password that was set when the certificate was exported).
d. Use the Browse button to locate the certificate to be imported.
e. Click Import to import the certificate.
A confirmation screen appears, with the certificate information.
Step 6 To complete the configuration of the Microsoft Office 365 accelerated service, click Submit.
Step 7 To monitor accelerated service optimization statistics, see the Secure Sockets Layer (SSL) Acceleration Charts in the chapter “Monitoring Your Cisco WAAS Network” .
Consider the following guidelines for configuring Microsoft Office 365 acceleration for Cisco WAAS using the Cisco WAAS CLI:
crypto import pkcs12 Azure_o365.p12 pkcs12 disk office365.pfx
Instead of importing multi-domain certificates from the device, you can use remote methods to import the certificate from servers, including the methods FTP and HTTP.
Cisco support for Microsoft Windows Update enables caching of objects used in Microsoft Windows operating system (OS) and application updates. Cisco support for Microsoft Windows Update is enabled by default, and enabled only for specific sites.
This section contains the following topics:
The Microsoft Windows OS and application updates are managed by update clients such as Microsoft Windows Update. Microsoft Windows Update downloads the updates via HTTP, often in combination with Background Intelligent Transfer Service (BITS) to help facilitate the downloads. Clients use HTTP range requests to fetch updates.
The objects that comprise the updates, such as .cab files, are typically cacheable, so the HTTP object cache is a significant benefit for this process.
For example, for Microsoft Windows 7 and Microsoft Windows 8 OS updates, via direct Internet or Windows Server Update Services (WSUS) Version 2012 and 2012 R2, more than 98% of the update files, such as .cab, .exe, and .psf files, are served from cache on subsequent updates. Cisco support for Microsoft Windows Update reduces the volume of bytes sent over the WAN and reduces response time for subsequent Windows updates.
There are two ways to view data generated by Cisco support for Microsoft Windows Update.
– rm-w (range miss, wait): The main transaction, a cache miss, which waited for the sub-transaction to fetch the needed bytes.
– rm-f (range miss, full): The sub-transaction, a cache write of the entire document.
In this example, there are two log lines: the main transaction and the sub-transaction, when a range is requested on an object that is not in cache:
This example shows a cache hit when a range is requested on an object that is either completely in cache, or in the process of being downloaded. If the object is in the process of being downloaded, then the main transaction has latched onto a sub-transaction like the one shown in Example 1.
Cisco support for Microsoft Windows Update enables Akamai Cache Engine to support Microsoft Windows Update caching in two ways:
There is a limit, set by OTT metadata during the Akamai Connect registration process, on how far from the start of the object (in bytes, or as a percentage of the file length) a range request may begin and still trigger the full-object download. A range request that falls beyond this limit does not initiate a full object download; it is forwarded to the origin as is.
For more information on the Akamai Connect registration process, see Activating the Akamai Connect License in the chapter “Configuring Cisco WAAS with Akamai Connect” .
Table 12-14 provides an overview of the steps you must complete to create a new traffic optimization policy.
| Task | Description |
|---|---|
| Prepare to create an optimization policy. | Complete prerequisite tasks before creating a new optimization policy on your Cisco WAAS devices. For more information, see Preparing to Create an Optimization Policy. |
| Create an application definition. | Identify general information about the application to be optimized, such as the application name and whether or not the Cisco WAAS Central Manager will collect statistics about this application. For more information, see Creating an Application Definition. |
| Create an optimization policy. | Determine the type of action your Cisco WAAS device or device group performs on specific application traffic. This step includes several required tasks. For more information, see Creating an Optimization Policy. |
Before you create a new optimization policy, complete the following tasks:
The first step in creating an optimization policy is to set up an application definition that identifies general information about the application, such as the application name, and whether or not you want the Cisco WAAS Central Manager to collect statistics about the application. You can create up to 255 application definitions on your Cisco WAAS system.
To create an application definition, follow these steps:
Step 1 From the Cisco WAAS Central Manager menu, choose Configure > Acceleration > Applications.
The Applications window appears, which displays a list of all the applications on the Cisco WAAS system, and the device or device group from which each gets the settings.
Step 2 At the Applications window, perform the following tasks:
If the statistics are being collected for the application, the Enable Statistics column displays Yes.
Step 3 Create a new application:
a. Click the Add Application icon in the taskbar.
The Applications window appears.
b. In the Name field, enter a name for this application. Use only alphanumeric characters; the application name cannot contain spaces or special characters.
c. (Optional) In the Comments field, enter a comment.
The entered comment appears in the Applications window.
d. To allow the Cisco WAAS Central Manager to collect data for this application, check the Enable Statistics check box. To disable data collection for this application, uncheck the Enable Statistics check box.
If you disable statistics collection and later re-enable it, the historical data collected before it was disabled and the data collected after it was re-enabled are both retained, but there is a gap in the data for the period during which collection was disabled.
An application cannot be deleted if there is an optimization policy using it. However, if you delete an application for which statistics were collected, and then later recreate the application, the historical data for the application is lost. Only data collected since the re-creation of the application is displayed.
Note The WAAS Central Manager does not start collecting data for this application until you finish creating the entire optimization policy.
The application definition is saved and is displayed in the application list.
After you create an application definition, create an optimization policy that determines the action a Cisco WAAS device takes on the specified traffic.
You can create up to 512 optimization policies on your Cisco WAAS system.
To create an optimization policy, follow these steps:
Step 1 From the Cisco WAAS Central Manager menu, choose Devices > device-name (or Device Groups > device-group-name).
Step 2 Choose Configure > Acceleration > Optimization Policies.
The Optimization Policies window appears (Figure 12-30).
Consider the following guidelines for optimization policies for Cisco WAAS Express:
The Enable Service Policy option, the DSCP option, and the Protocol column in the list of policy rules are not applicable to Cisco WAAS Express.
To ensure that FTP data is optimized when Cisco WAAS Express is used with the Cisco ISR G2, use the ISR G2's IOS crypto map software.
Figure 12-30 Optimization Policies Window
The Optimization Policies window displays information about all the optimization policies that reside on the selected device or device group, as well as the position of each policy.
Consider the following guidelines for configuring optimization policies:
– After these devices are assigned to device groups, the Force Device Group Settings icon appears in the Optimization Policies window at the device group level. To correct this, use Force Group Settings to ensure that all devices in the specified group have the same configuration.
– For more information on Force Group Settings, see Procedure for Forcing Device Group Settings in the chapter “Using Device Groups and Device Locations”.
At the Optimization Policies window, you can perform the following tasks:
Note The device uses this policy setting to determine which optimizations are performed only if the Enable Service Policy option is set.
Step 3 To create a new optimization policy, click the Add Policy Rule icon in the taskbar.
The Optimization Policy Rule pop-up window appears (Figure 12-31).
Figure 12-31 Add Optimization Policy Rule Window
Step 4 From the Class-Map Name drop-down list, do one of the following:
For information on creating a new class map, see Creating an Optimization Class Map for an Optimization Policy.
Step 5 From the Action drop-down list, choose the action that the specified Cisco WAAS device should take on the defined traffic. For a description of each action, see Table 12-15.
Step 6 Consider the following guidelines for class map actions:
– If the device group contains devices running a Cisco WAAS version earlier than 4.4.1 and you are configuring an action that includes Unidirectional or Adaptive caching, the caching mode is converted to Bidirectional.
– When devices running a Cisco WAAS version earlier than 4.4.1 join a device group that is configured with optimization policies that use Unidirectional or Adaptive caching, the caching mode is converted to Bidirectional.
In both of these cases, we recommend that you upgrade all the devices to the same software version or create different device groups for devices with incompatible versions.
Table 12-15 Class Map Action Descriptions
– Prevents the Cisco WAAS device from optimizing the application traffic defined in this policy by using TFO, DRE, or compression. Traffic that matches this policy can still be accelerated if an accelerator is chosen from the Accelerate drop-down list.
– Applies TFO techniques to matching traffic. TFO techniques include BIC-TCP, window size maximization and scaling, and selective acknowledgment. For more information on the TFO feature, see Transport Flow Optimization in the chapter “Introduction to Cisco WAAS”.
– Applies both TFO and DRE with adaptive caching to matching traffic.
– Applies both TFO and DRE with unidirectional caching to matching traffic.
– Applies both TFO and DRE with bidirectional caching to matching traffic.
– Applies both TFO and the LZ compression algorithm to matching traffic. LZ compression functions similarly to DRE, but uses a different compression algorithm to compress smaller data streams and maintains a limited compression history.
– Applies TFO, DRE with adaptive caching, and LZ compression to matching traffic.
– Applies TFO, DRE with unidirectional caching, and LZ compression to matching traffic.
– Applies TFO, DRE with bidirectional caching, and LZ compression to matching traffic.
Step 7 From the Accelerate drop-down list, choose one of the following additional acceleration actions that your WAAS device should take on the defined traffic:
Step 8 Specify the application that you want to associate with this policy by performing either of the following:
a. Specify the application name.
b. Enable statistics collection.
c. To save the new application and return to the Optimization Policy window, click OK.
The new application is automatically assigned to this device or device group.
Step 9 (Optional) From the DSCP Marking drop-down list, choose one of the following:
– DSCP is the combination of IP Precedence and Type of Service (ToS) fields. DSCP is a field in an IP packet that enables different levels of service to be assigned to network traffic. Levels of service are assigned by marking each packet on the network with a DSCP code and associating a corresponding level of service. For more information, see RFC 2474.
– DSCP marking does not apply to pass-through traffic.
– In a Cisco WAAS Express device, the DSCP Marking drop-down list is not shown.
– For the DSCP marking value, you can choose to use the global default values (see Defining Default DSCP Marking Values) or select one of the other defined values. Or, you can use copy, as described above.
The new policy appears in the Optimization Policies window (Figure 12-30).
You can create an optimization class map for an optimization policy in two ways:
To create an optimization class map for an optimization policy, follow these steps:
Step 1 Enter a name for this application class map. The name cannot contain spaces or special characters.
Note You must create a unique class map name across all types. For example, you cannot use the same name for an optimization class map and an AppNav class map.
Note For Cisco WAAS Express, the class map name cannot contain the following prefixes, which are case sensitive: class, optimize, passthrough, application, accelerate, tfo, dre, lz, or sequence-interval. You must manually change existing class map names containing any of these prefixes.
Step 2 (Optional) Enter a description.
Step 3 From the Type drop-down list, choose the class map type.
Step 4 After you have chosen the class map type, enter the match conditions. Click the Add Match Condition icon.
Step 5 The Adding a New Match Condition window appears (Figure 12-32).
Figure 12-32 Adding a New Match Condition Window
Note For a Cisco WAAS Express device, Protocol and EPM Custom UUID settings are not applicable.
Step 6 To create a condition for a specific type of traffic, enter a value in a Destination or Source field.
For example, to match all the traffic going to IP address 10.10.10.2, enter that IP address in the Destination IP Address field.
Consider the following guidelines for creating conditions:
For example, to match Microsoft Exchange Server traffic that uses the MAPI protocol, choose mapi. To enter a custom EPM UUID, choose epm-uuid and enter the UUID in the EPM Custom UUID field.
Step 7 Add additional match conditions, as needed. If any one of the conditions is matched, the class is considered as matched.
Step 8 To save the class map, click OK.
This section contains the following topics:
High CPU utilization can adversely affect current optimized connections. To avoid CPU overload, you can enable CPU load monitoring and set the load monitoring threshold.
To modify the accelerator load indicator threshold and CPU load monitoring for a Cisco WAE device, follow these steps:
Step 1 From the Cisco WAAS Central Manager menu, choose Devices > device-name (or Device Groups > device-group-name).
Step 2 Choose Configure > Acceleration > Accelerator Threshold.
The Accelerator Threshold window appears.
Step 3 To enable CPU Load Monitoring, check the Enable check box. (The default is enabled.)
Step 4 In the Accelerator Load Indicator Threshold field, enter a percent value between 80 and 100. The default is 95.
Step 5 In the CPU Load Higher Monitoring Threshold field, enter a percent value between 1 and 100. The default is 98.
Step 6 In the CPU Load Lower Monitoring Threshold field, enter a percent value between 1 and 100. The default is 90.
Step 7 In the Window Size field, enter a value between 1 and 16. The default value is 4.
Step 8 In the Sampling Intervals Avg Time field, enter a value between 1 and 120. The default is 10.
Step 9 In the Overloaded State Time field, enter a value between 1 and 120. The default value is 10.
If the device group is running Cisco WAAS Version 6.x or later, you can configure additional settings to monitor the CPU load for the device group.
Step 11 To enable CPU Load Monitoring, check the Enable check box. (The default is enabled.)
Step 12 To enable Linux softirq monitoring, check the Enable softirq Monitoring checkbox.
Step 13 In the Accelerator Load Indicator Threshold field, enter a percent value between 80 and 100. The default is 95.
Step 14 In the CPU Load Monitoring Threshold field, enter a percent value between 80 and 100. The default is 95.
Step 15 In the CPU Load Higher Monitoring Threshold field, enter a percent value between 1 and 100. The default is 98.
Step 16 In the CPU Load Lower Monitoring Threshold field, enter a percent value between 1 and 100. The default is 90.
Step 17 In the Window Size field, enter a value between 1 and 16. The default value is 4.
Step 18 In the Sampling Intervals Avg Time field, enter a value between 1 and 120. The default is 10.
Step 19 In the Overloaded State Time field, enter a value between 1 and 120. The default value is 10.
To view a list of applications that reside on a Cisco WAE device or device group, follow these steps:
Step 1 From the Cisco WAAS Central Manager menu, choose Devices > device-name (or Device Groups > device-group-name).
Step 2 Choose Configure > Acceleration > Optimization Policies.
The Optimization Policies window appears.
Step 3 To sort the column by application name so that you can locate a specific application more easily, click the Application column header.
Step 4 Consider the following guidelines for viewing a list of applications on a Cisco WAE device or device group:
To view a report of a policy residing on each WAE device or device group, follow these steps:
Step 1 From the WAAS Central Manager menu, choose Configure > Acceleration > Optimization Policy Report (Figure 12-33).
The Optimization Policy Report window appears, with the Policy Report for Devices tab displayed.
Consider the following guidelines for viewing a policy report:
Figure 12-33 Optimization Policy Report
Step 2 To view the number of devices per device group and the number of active policies in the device group, click the Policy Report for Device-Groups tab.
Step 3 To see the optimization policies that are defined on a particular device or group, click the corresponding device or device group. The policies are displayed in the Optimization Policies window.
Step 4 For information about viewing a class map report, see Viewing a Class Map Report for a Device or Device Group.
To view a report of the class maps that reside on each Cisco WAE device or device group, follow these steps:
Step 1 From the Cisco WAAS Central Manager menu, choose Configure > Acceleration > Optimization Policy Report.
The Policy Report for Devices tab appears.
Step 2 To view a report of the devices and device groups on which the class map is configured, click the Class-Map Report tab.
Step 3 To see the devices or device groups on which the class maps reside, select the class map and then click the View icon.
The Cisco WAAS system allows you to restore the predefined policies and class maps that shipped with the Cisco WAAS system. For a list of the predefined policies, see Appendix A, “Predefined Optimization Policy.”
If you made changes to the predefined policies that have negatively impacted how a Cisco WAAS device handles application traffic, you can override your changes by restoring the predefined policy settings.
To restore predefined policies and class maps, follow these steps:
Step 1 From the Cisco WAAS Central Manager menu, choose Devices > device-name (or Device Groups > device-group-name).
Step 2 Choose Configure > Acceleration > Optimization Policies.
The Optimization Policies window appears.
Step 3 To restore the more than 150 predefined policies and class maps that shipped with the Cisco WAAS software, and to remove any new policies that were created on the system, click the Restore Default taskbar icon.
If a predefined policy has been changed, these changes are lost and the original settings are restored.
After you create an optimization policy, monitor the associated application to verify that your Cisco WAAS system is handling the application traffic as expected.
Before you monitor an application, you must have enabled statistics collection for that application. For more information, see Creating an Application Definition.
To monitor an application, follow these steps:
Step 1 From the Cisco WAAS Central Manager menu, choose Configure > Acceleration > Monitor Classmaps.
Step 2 Select the class map on which to enable statistics and then click Enable.
Consider the following guidelines for monitoring applications and class maps:
– To monitor a specific application, run the TCP Summary report. For more information, see the TCP Summary Report in the chapter “Monitoring Your Cisco WAAS Network”.
– If you try to display more than 25 statistics for either applications or class maps, an error message is displayed.
Step 3 To configure Cisco WAAS charts to display Class Map data:
b. Choose the Classifier series.
This configuration option applies to most Cisco WAAS charts.
The Cisco WAAS software allows you to set a DSCP value on the packets it processes, according to the application definition and optimization policy that you define.
To define the default DSCP marking value, follow these steps:
Step 1 From the Cisco WAAS Central Manager menu, choose Devices > device-name (or Device Groups > device-group-name).
Step 2 Choose Configure > Acceleration > Optimization Policies.
The Optimization Policies window appears.
Step 3 Choose a value from the DSCP drop-down list. The default setting is copy, which copies the DSCP value from the incoming packet and uses it for the outgoing packet.
Step 4 Click OK to save the settings.
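The DSCP field layout and the copy default described here and in Step 9 of Creating an Optimization Policy, as an added example that is not part of the Cisco WAAS documentation or software: a small Python model of how a policy's DSCP setting is applied to the ToS octet of a packet. RFC 2474 redefines that octet as the DS field, with the DSCP in the upper six bits and the two low bits used for ECN. The code point names are the standard ones; preserving the ECN bits when re-marking is a design choice of this example, not a statement about how the Cisco WAAS device behaves.

```python
"""DSCP marking on the IPv4 ToS octet, which RFC 2474 redefines as the DS field.
Added example; not Cisco WAAS code."""

# Well-known code points (RFC 2474 class selectors, RFC 2597 AF classes, RFC 3246 EF).
DSCP_NAMES = {
    "default": 0, "cs1": 8, "af11": 10, "cs3": 24,
    "af31": 26, "af41": 34, "cs5": 40, "ef": 46,
}


def dscp_of(tos_byte: int) -> int:
    # The DSCP occupies the upper six bits of the octet.
    return (tos_byte >> 2) & 0x3F


def ecn_of(tos_byte: int) -> int:
    # The lower two bits carry ECN and are not part of the DSCP.
    return tos_byte & 0x03


def apply_marking(incoming_tos: int, marking: str) -> int:
    """Outgoing ToS octet for a policy whose DSCP setting is `marking`.

    'copy' keeps the incoming value unchanged (the global default in the text).
    Any other value is a code point name or a number 0-63 written into the DSCP
    bits; the ECN bits of the incoming packet are preserved (example's choice).
    """
    if not 0 <= incoming_tos <= 0xFF:
        raise ValueError("ToS octet out of range")
    if marking == "copy":
        return incoming_tos
    value = DSCP_NAMES[marking] if marking in DSCP_NAMES else int(marking)
    if not 0 <= value <= 63:
        raise ValueError("DSCP value must be 0-63")
    return (value << 2) | ecn_of(incoming_tos)


if __name__ == "__main__":
    # Constructed packets: an EF-marked packet (0xB8) and an ECT(0)-marked best-effort packet (0x02).
    for tos, marking in ((0xB8, "copy"), (0x02, "af41"), (0xB9, "0")):
        out = apply_marking(tos, marking)
        print(f"in=0x{tos:02X} marking={marking:>5} -> out=0x{out:02X} dscp={dscp_of(out)} ecn={ecn_of(out)}")
```

`apply_marking(0xB8, "copy")` returns the octet untouched, which is the behavior of the default setting; `apply_marking(0x02, "af41")` rewrites only the DSCP bits, leaving the ECN bits as they arrived.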
Consider the following configuration guidelines for optimization policy positions:
For example, when a Cisco WAAS device intercepts traffic, it refers to the first policy in the list to try to match the traffic to an application. If the first policy does not provide a match, the Cisco WAAS device moves on to the next policy in the list.
For example, if you have two optimization policies that match traffic going to IP address 10.10.10.2, and one policy optimizes this traffic and a second policy in a higher position passes through this traffic, then all traffic going to 10.10.10.2 will go through the Cisco WAAS system unoptimized.
For this reason, ensure that your policies do not have overlapping matching conditions, and monitor the applications you create to make sure that WAAS is handling the traffic as expected.
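The first-match behavior described above, as an added example that is not part of the Cisco WAAS documentation or software: a small Python model of an ordered policy list in which a class map matches when any one of its match conditions matches, evaluation stops at the first matching policy, and traffic that matches no policy falls to a default passthrough. The policy names, class map names, action labels, addresses and sample flows are all constructed for the example. `shadowed_policies` reports policies that could match some of the sample traffic but never win because a policy in a higher position takes that traffic first, which is the overlap case in the 10.10.10.2 example above.

```python
"""Model of first-match evaluation over an ordered optimization policy list.
Added example; not Cisco WAAS code. All names, addresses and flows are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class MatchCondition:
    """One match condition; every field that is set must match the flow."""
    dst_ip: Optional[str] = None    # host address or CIDR prefix
    src_ip: Optional[str] = None
    dst_port: Optional[int] = None

    def matches(self, flow: Flow) -> bool:
        if self.dst_ip is not None and ip_address(flow.dst_ip) not in ip_network(self.dst_ip, strict=False):
            return False
        if self.src_ip is not None and ip_address(flow.src_ip) not in ip_network(self.src_ip, strict=False):
            return False
        if self.dst_port is not None and flow.dst_port != self.dst_port:
            return False
        return True


@dataclass(frozen=True)
class ClassMap:
    name: str
    conditions: Tuple[MatchCondition, ...]

    def matches(self, flow: Flow) -> bool:
        # A class map is matched when any one of its conditions matches.
        return any(c.matches(flow) for c in self.conditions)


@dataclass(frozen=True)
class Policy:
    name: str
    class_map: ClassMap
    action: str   # constructed action label, e.g. "passthrough" or "tfo-dre-lz"


def evaluate(policies: Iterable[Policy], flow: Flow) -> Tuple[str, str, int]:
    """Return (policy name, action, position) of the first policy whose class map matches.

    Traffic that matches no policy is passed through unoptimized; the default is
    reported at the position after the last configured policy."""
    policies = list(policies)
    for position, policy in enumerate(policies, start=1):
        if policy.class_map.matches(flow):
            return policy.name, policy.action, position
    return "class-default", "passthrough", len(policies) + 1


def shadowed_policies(policies: List[Policy], flows: Iterable[Flow]) -> List[str]:
    """Policies that match at least one sample flow but never win, because a policy in a
    higher position always matches the same traffic first."""
    flows = list(flows)
    winners = {evaluate(policies, f)[0] for f in flows}
    return [p.name for p in policies
            if p.name not in winners and any(p.class_map.matches(f) for f in flows)]


# Constructed policy list reproducing the overlap described in the text: a passthrough
# policy for all traffic to 10.10.10.2 sits above a policy meant to optimize part of it.
POLICIES = [
    Policy("bypass-host", ClassMap("to-10.10.10.2", (MatchCondition(dst_ip="10.10.10.2"),)), "passthrough"),
    Policy("optimize-mapi", ClassMap("mapi-to-10.10.10.2",
                                     (MatchCondition(dst_ip="10.10.10.2", dst_port=135),)), "tfo-dre-lz"),
    Policy("optimize-http", ClassMap("http",
                                     (MatchCondition(dst_port=80), MatchCondition(dst_port=8080))), "tfo-dre-lz"),
]

# Constructed sample flows (documentation address ranges for the sources).
SAMPLE_FLOWS = [
    Flow("192.0.2.10", "10.10.10.2", 135),
    Flow("192.0.2.11", "10.10.10.2", 443),
    Flow("192.0.2.12", "198.51.100.7", 8080),
    Flow("192.0.2.13", "198.51.100.7", 22),
]

# Moving the narrower policy above the broader one removes the shadowing.
REORDERED = [POLICIES[1], POLICIES[0], POLICIES[2]]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        print(flow, "->", evaluate(POLICIES, flow))
    print("shadowed:", shadowed_policies(POLICIES, SAMPLE_FLOWS))
    print("shadowed after reorder:", shadowed_policies(REORDERED, SAMPLE_FLOWS))
```

Running the check against a representative set of flows before saving moved rows is a cheap way to catch the overlap the text warns about: with the original order, `optimize-mapi` is reported as shadowed and the traffic it was meant to optimize is passed through; after the reorder, nothing is shadowed.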
To modify the position of an optimization policy, follow these steps:
Step 1 From the Cisco WAAS Central Manager menu, choose Devices > device-name (or Device Groups > device-group-name).
Step 2 Choose Configure > Acceleration > Optimization Policies.
The Optimization Policies window appears (Figure 12-34).
Note For a Cisco WAAS Express device, all policies are grouped under the waas_global category.
For a list of predefined policies, see Appendix A, “Predefined Optimization Policy.”
Figure 12-34 Optimization Policies Window
Step 3 To modify the position of an optimization policy, use one of the following methods:
Step 4 To save the new policy position(s), click Save Moved Rows.
Step 5 (Optional) To create a new optimization policy at a particular position:
a. Select the policy above the location.
Step 6 If a device goes through all the policies in the list without making a match, the Cisco WAAS device passes the traffic through unoptimized.
Note For a Cisco WAAS Express device, the class default policy must be last. This policy cannot be modified or deleted.
Step 7 To save changes, click Save Moved Rows.
Step 8 If you determine that a policy is not needed, follow these steps to delete the policy:
a. Select the policy you want to delete.
b. Click the Delete icon in the taskbar.
A default policy that maps to a default class map matching any traffic cannot be deleted.
Step 9 If you determine that a new policy is needed, click the Add Policy taskbar icon to create the policy.
For more information, see Creating an Optimization Policy.
In most cases, you do not need to modify the acceleration TCP settings, because your Cisco WAAS system automatically configures the acceleration TCP settings based on the hardware platform of the Cisco WAE device.
– When you first install the Cisco WAE device in your network.
– When you enter the restore factory-default command on the Cisco WAAS device.
For more information about this command, see the Cisco Wide Area Application Services Command Reference.
To modify the acceleration TCP settings, follow these steps:
Step 1 From the WAAS Central Manager menu, choose Devices > device-name (or Device Groups > device-group-name).
Step 2 Choose Configure > Acceleration > TCP Settings.
The Acceleration TCP Settings window appears.
Step 3 Check the Send TCP Keepalive check box. (By default, this check box is checked.)
Step 4 Checking the Send TCP Keepalive check box allows this Cisco WAE device or group to disconnect the TCP connection from its peer device if no response is received from the TCP keepalive exchange.
– In this case, the two peer WAE devices will exchange TCP keepalives on a TCP connection, and if no response is received for the keepalives for a specific period, the TCP connection will be torn down.
– When the keepalive option is enabled, any short network disruption in the WAN will cause the TCP connection between peer WAE devices to be disconnected.
Step 5 Modify the TCP acceleration settings as needed.
Step 6 If you are deploying the Cisco WAE across a high BDP link, you can set recommended values for the send and receive buffer sizes by clicking Set High BDP recommended values.
For more information about calculating TCP buffers for high BDP links, see Calculating the TCP Buffers for High BDP Links.
Step 7 Consider the following guidelines for segment sizes and configuring jumbo MTU settings:
Use the following commands to configure TCP keepalives:
– tfo tcp optimized-receive-buffer
– tfo tcp optimized-send-buffer
You can deploy Cisco WAAS software in different network environments, involving multiple link characteristics such as bandwidth, latency, and packet loss. All Cisco WAAS devices are configured to accommodate networks with maximum Bandwidth-Delay-Product (BDP), up to the values listed below:
Consider the following operating guidelines for BDP:
BDP [Kbytes] = link BW [Kbytes/sec] * round-trip latency [sec]
MaxBDP = max(BDP(link 1), ..., BDP(link N))
Note These manually configured buffer sizes are applicable only if TCP adaptive buffering is disabled. TCP adaptive buffering is normally enabled, and allows the Cisco WAAS system to dynamically vary the buffer sizes. For more information on TCP adaptive buffering, see Modifying the TCP Adaptive Buffering Settings Using the Cisco WAAS Central Manager.
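A worked calculation of the BDP formulas above, as an added example that is not part of the Cisco WAAS documentation or software. The link names, bandwidths and latencies are constructed; the conversion of 1 Mbps to 125 Kbytes/sec assumes decimal kilobytes, and the buffer ceiling passed to `undersized_links` is a parameter because the platform-specific maximum values are not reproduced on this page.

```python
"""Bandwidth-delay product (BDP) calculation for sizing TFO send/receive buffers.
Added example; not Cisco WAAS code. Links and values are constructed."""
from typing import Iterable, List, Tuple

Link = Tuple[str, float, float]   # (name, bandwidth in Mbps, round-trip latency in ms)


def mbps_to_kbytes_per_sec(mbps: float) -> float:
    # 1 Mbit/s = 1000 kbit/s = 125 Kbytes/s (decimal units; an assumption of this example).
    return mbps * 125.0


def bdp_kbytes(link_bw_kbytes_per_sec: float, rtt_sec: float) -> float:
    # BDP [Kbytes] = link BW [Kbytes/sec] * round-trip latency [sec]
    return link_bw_kbytes_per_sec * rtt_sec


def link_bdp_kbytes(link: Link) -> float:
    _name, mbps, rtt_ms = link
    return bdp_kbytes(mbps_to_kbytes_per_sec(mbps), rtt_ms / 1000.0)


def max_bdp_kbytes(links: Iterable[Link]) -> Tuple[str, float]:
    # MaxBDP = max(BDP(link 1), ..., BDP(link N)); also returns the link that sets it.
    best_name, best_bdp = "", 0.0
    for link in links:
        bdp = link_bdp_kbytes(link)
        if bdp > best_bdp:
            best_name, best_bdp = link[0], bdp
    return best_name, best_bdp


def undersized_links(links: Iterable[Link], buffer_kbytes: float) -> List[str]:
    """Links whose BDP exceeds a configured buffer size; such a link cannot be kept full
    with that buffer, so the send/receive buffers should be raised to at least MaxBDP."""
    return [link[0] for link in links if link_bdp_kbytes(link) > buffer_kbytes]


# Constructed WAN links: (name, Mbps, round-trip latency in ms).
LINKS = [
    ("hub-to-branch-A", 10.0, 80.0),       # 1250 KB/s * 0.08 s = 100 KB
    ("hub-to-datacenter-B", 45.0, 200.0),  # 5625 KB/s * 0.20 s = 1125 KB
    ("hub-to-satellite-C", 2.0, 600.0),    # 250 KB/s * 0.60 s = 150 KB
]

if __name__ == "__main__":
    for link in LINKS:
        print(f"{link[0]:<22} BDP = {link_bdp_kbytes(link):8.1f} Kbytes")
    name, bdp = max_bdp_kbytes(LINKS)
    print(f"MaxBDP = {bdp:.1f} Kbytes (set by {name})")
    print("links exceeding a 512 Kbyte buffer:", undersized_links(LINKS, 512.0))
```

The buffer size that matters is the largest BDP across all links the device serves, which is why the text takes the maximum rather than the sum or the average; a buffer sized for the branch link alone would leave the data-center link unable to fill its pipe.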
In most cases you do not need to modify the TCP adaptive buffering settings, because your Cisco WAAS system automatically configures them based on the network bandwidth and delay experienced by each connection. Adaptive buffering allows the Cisco WAAS software to dynamically vary the size of the send and receive buffers to increase performance and more efficiently use the available network bandwidth.
To modify the acceleration TCP adaptive buffering settings, follow these steps:
Step 1 From the Cisco WAAS Central Manager menu, choose Devices > device-name (or Device Groups > device-group-name).
Step 2 Choose Configure > Acceleration > TCP Adaptive Buffering Settings.
The TCP Adaptive Buffering Settings window appears.
Step 3 To enable TCP adaptive buffering, check the Enable check box. (By default, this is enabled.)
Step 4 In the Send Buffer Size and Receive Buffer Size fields, enter the maximum size, in kilobytes, of the send and receive buffers.
Use the following commands to configure the TCP adaptive buffer settings: