
CIFS Protocol Acceleration

Dec 09, 2014

CIFS acceleration is supported on all models. CIFS is a TCP-based protocol and benefits from flow control. However, CIFS is implemented in a way that is highly inefficient on long-haul networks, requiring an excessive number of round trips to complete an operation. Because the protocol is very sensitive to link latency, full acceleration must be protocol-aware.

CIFS acceleration reduces the number of round-trips through a variety of techniques. The pattern of requests from the client is analyzed and its next action is predicted. In many cases, it is safe to act on the prediction even if it is wrong, and these safe operations are the basis of many optimizations.

For example, SMB1 clients issue sequential file reads in a non-overlapping fashion, waiting for each 64KB read to complete before issuing the next one. By implementing read-ahead, the appliance can safely deliver up to 10x acceleration by fetching the anticipated data in advance.

Additional techniques accelerate directory browsing and small-file operations. Acceleration is applied not only to CIFS operations, but also to the related RPC operations.

Prerequisites

If your network uses CIFS signing, the appliance must be a trusted member of the domain. To make the appliance a trusted member of the domain, see Adding a CloudBridge Appliance to the Windows Security Infrastructure.

Configuring CIFS Protocol Acceleration

CIFS acceleration is enabled by default for connections that do not use CIFS signing. If your network uses signing, either signing must be disabled or the server-side appliances must join the Windows domain.

Disabling CIFS Signing

Depending on their current configuration, Windows file servers or domain servers might need to have their security settings adjusted.

Figure 1. Windows Server Security Options, Windows Server 2003 and Windows Server 2008.


Windows file servers have two security modes: "sealing" and "signing."

Sealing encrypts the data stream and prevents CIFS protocol acceleration altogether.

Signing adds authentication data to every data packet, without encrypting the data stream. This prevents acceleration unless you have implemented the procedures described in Adding a CloudBridge Appliance to the Windows Security Infrastructure. When this requirement is met, signing is accelerated automatically. Otherwise, signing must be disabled (if it is not disabled already) for protocol acceleration to take place.

By default, Windows file servers offer signing but do not require it, except for domain servers, which require it by default.

To achieve CIFS acceleration with systems that currently require signing, you must change the system security settings to disable this requirement. You can do so in the local security settings on the file server, or in group policies. The following examples, for Windows Server 2003 and Windows Server 2008, show the local settings. The group-policy changes are, of course, almost identical. (For an example of the Local Security Settings screen, see the figure, Windows Server Security Options, Windows Server 2003 and Windows Server 2008.)

To change the server’s setting to allow CIFS acceleration

  1. Navigate to the system’s Local Security Settings page.
  2. Set Domain member: Digitally encrypt or sign secure channel data (always) to Disabled.
  3. Set Microsoft network client: Digitally sign communications (always) to Disabled.
  4. Set Microsoft network server: Digitally sign communications (always) to Disabled.
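
To record the state of these three policies before and after the change, the following read-only PowerShell check can be run on the file server. It is an added example, not part of the original documentation or the product; it assumes the standard Windows registry values that back these Security Options and changes nothing.

```powershell
# Added example: read-only report of the three policies named in the procedure.
# Assumption: the registry values below are the standard Windows locations
# backing these Security Options (whether set locally or by group policy).
$settings = @(
    @{ Policy = 'Domain member: Digitally encrypt or sign secure channel data (always)'
       Path   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
       Name   = 'RequireSignOrSeal' },
    @{ Policy = 'Microsoft network client: Digitally sign communications (always)'
       Path   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
       Name   = 'RequireSecuritySignature' },
    @{ Policy = 'Microsoft network server: Digitally sign communications (always)'
       Path   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters'
       Name   = 'RequireSecuritySignature' }
)

$report = foreach ($s in $settings) {
    # A missing value means the policy was never set explicitly on this host.
    $item = Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue

    $state = if ($null -eq $item) {
        'Not set (OS default applies)'
    } elseif ($item.($s.Name) -eq 1) {
        'Enabled'      # signing is still required; CIFS traffic is not accelerated
    } else {
        'Disabled'     # requirement removed, as in steps 2-4
    }

    New-Object PSObject -Property @{
        Computer      = $env:COMPUTERNAME
        Policy        = $s.Policy
        RegistryValue = $s.Name
        State         = $state
    }
}

$report | Select-Object Computer, Policy, RegistryValue, State |
    Format-Table -AutoSize -Wrap
```

Keeping the output from each server gives a record of which hosts no longer require signing, which is useful if the requirement is later restored after the appliance joins the domain.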