Product Documentation

Configuring a CloudBridge Appliance to Optimize Secure Windows Traffic

Dec 23, 2014

You must add the CloudBridge appliance to the Windows security infrastructure before you can optimize the signed Windows file system and encrypted MAPI Outlook/Exchange traffic.

As a result of enhancements to the Windows security system in the recent Windows releases, clients and servers secure the traffic by authenticating and encrypting data. This requires the CloudBridge appliance be a trusted member of the Windows security infrastructure before it can optimize signed Windows file system and encrypted MAPI Outlook/Exchange traffic.

After you add the appliance to the Windows security infrastructure, the appliance has the following capabilities:
  • Acceleration of fileserver traffic for Microsoft Windows servers, NetApp servers, and Hitachi HNAS by using signed SMB and signed SMB2 protocol.
  • Acceleration of Microsoft Exchange server traffic when it is accessed by Outlook clients using encrypted MAPI or RPC over HTTPS.

How a CloudBridge Appliance Works in a Windows Security System

Joining the appliance to a Windows domain requires administrator credentials. When it joins the Windows domain, the appliance becomes a trusted member of the domain. This allows the appliance to be declared a member of the domain's security infrastructure.

After the appliance has become a part of the Windows security infrastructure, users have to be authenticated before they can access resources. To avoid the difficulty of configuring a large number of users in the domain, you can delegate the authentication responsibility to a delegate user.

You create a delegate user in the active directory. This user is similar to a normal user, but with special privileges. After creating the delegate user, you must configure this user on the CloudBridge appliance. The appliance uses the delegate user to authenticate on behalf of users when they access authenticated and encrypted data streams using Windows protocols, such as CIFS and MAPI.

For accelerating CIFS and MAPI traffic, the standard Windows delegation mechanism allows you to limit security delegation to the relevant services. This constrained delegation has been available since the release of Windows Server 2003.

After becoming a part of the domain, the appliance accelerates the secure Windows traffic. A datacenter appliance that joins a Windows domain must have a secure peer relationship with the remote appliance or CloudBridge Plug-in, but only the datacenter appliance joins the Windows domain. For purposes of CIFS or MAPI acceleration, the remote appliance acts as a slave to the datacenter appliance, being controlled over the secure SSL tunnel between the two. Therefore, the delegate user credentials do not leave the datacenter.

The following figure shows a sample topology diagram for this setup.

Figure 1. Windows domain authentication flow


In Figure 1, a branch office client accesses resources of the datacenter. The branch office client, being in another domain, uses NTLM authentication as a part of the Windows security system. As with all accelerated connections between two CloudBridge appliances in a secure peer relationship, the CIFS or MAPI connections and NTLM authentications over the WAN are encrypted. Depending on the Windows domain controller version, the user request from the datacenter CloudBridge appliance is authenticated using NTLM or Kerberos authentication protocol. After the domain authenticates the user, subsequent access requests to the Exchange server and file servers use Kerberos authentication protocol. The CloudBridge appliance then optimizes the connections established between the client and the server.

If the appliances do not have a secure peer relationship, or if the datacenter appliance has not successfully joined the domain, the connections use TCP flow-control acceleration, which performs no security operations, compression, or data transformations. The connections between the client and server are established as if the CloudBridge appliances were not there.

You can configure different client authentication modes on Windows operating systems. The types of connections that the CloudBridge appliance optimizes depend on the client authentication mode that you configure.

The following table list the Windows client-authentication modes on Windows, and the corresponding CloudBridge optimizations.

Table 1. Authentication and Optimization Supported for Windows Operating System
Client Operating System Client Authentication Mode Optimization Comments
Windows XP/Windows Vista/Windows7/Windows 8 Negotiate Authentication (SPNEGO)
  • TCP flow-control acceleration
  • Compression
  • CIFS protocol acceleration
Default setting used for all Windows releases.
Windows XP/Windows Vista/Windows 7/Windows 8 NTLM only or Kerberos only
  • TCP flow-control acceleration only
Non-default authentication modes
Note: If you use the NTLM only or Kerberos only client authentication modes, the traffic is not accelerated if it is encrypted.

Requirements for Adding a CloudBridge Appliance to the Windows Security System

To optimize traffic for secured Windows signed SMB and encrypted MAPI traffic, your CloudBridge deployment must meet the following requirements before you add the appliance to the Windows security infrastructure:
  • Both the client-side and server-side acceleration appliances must have established a secure peer relationship.
  • The appliances must use an NTP server that is closely synchronized to the time on the Windows domain server. Ideally, the appliances and the Windows domain server are all clients of the same NTP server.
  • Outlook must not be configured for the (non-default) Kerberos only or NTLM only option. The default (negotiated) option is required for acceleration.
  • The client and server can be members of any domain that has two-way trust with the server-side appliance's domain. One-way trust is not supported.
  • A Kerberos delegate user must be set up on the domain controller, to be used by the appliance participating in the domain's security infrastructure.
  • The DNS server IP addresses for the domain must be configured and reachable on the server-side appliance.
  • The domain servers must be fully reachable, with both forward and reverse lookups for all the IP addresses of the domain controllers configured on the DNS servers.
  • The server-side CloudBridge appliance's host name must be unique. Using the default host name of "hostname" is likely to cause problems.
Note: The Macintosh Outlook client does not use the MAPI (Outlook/Exchange) standard and is not accelerated by this feature.

Adding a CloudBridge Appliance to the Windows Security Infrastructure

To optimize secure Windows traffic, the CloudBridge appliance must be a part of the Windows security system and must authenticate itself with the security system or domain. As shown in Figure 2, to make the appliance a part of the Windows security system, you must make the appliance join a domain (using administrative credentials). Additionally, you need to configure a new or existing user as a delegate user by associating CIFS and Exchange services with that user. You then have to configure this delegate user on the CloudBridge appliance.

You can use the Pre Domain Check utility to find out if there are any issues with joining the appliance to a domain.

Note: The Windows security system uses the Exchange service to manage MAPI connections.
Figure 2. Configuring the setup to optimize secure Windows traffic


Joining a CloudBridge Appliance to the Windows Domain

When the appliance joins the domain, it exchanges a shared secret with the domain controller, allowing the appliance to remain part of the domain indefinitely. When joining an appliance to a domain, make sure that you have administrator credentials for the domain controller.

To make sure that the CloudBridge appliance optimizes the CIFS and MAPI traffic (including traffic encapsulated as RPC over HTTPS), you must make the appliance part of the domain that the Windows fileserver and Exchange server are a part of. You need to join the server-side appliance to the domain.

Note: The domain administration credentials are not saved on the appliance.
To join a CloudBridge appliance to a Windows domain
  1. Navigate to the Configuration > Secure Acceleration > Windows Domain tab.
  2. Click Join Windows Domain.
  3. Enter the Windows domain name in the Domain Name field.
  4. In the User Name field, enter the user name of the domain controller administrator.
  5. In the Password field, specify the domain controller administrator password.
  6. If necessary, edit the DNS servers for consistency with the Windows domain.
  7. Click OK.
  8. In the Delegate Users section, add a delegate user, as described in the procedures below.

Configuring a Delegate User
After you join the appliance to a Windows domain, you must create a user that the appliance can use to authenticate users with the domain. This user is known as the delegate user.
Note: To create a delegate user account, you need administrator access to the Windows domain controller and the appliance. If you do not have administrator access to the Windows domain controller, make sure that an authorized administrator performs the required tasks on the domain controller.

Setting up user authentication by using Kerberos delegation involves two tasks——configuring a delegate user on the domain controller and then adding this user to the CloudBridge appliance.

Configuring a Delegate User on a Domain Controller

Before you configure a delegate user on a CloudBridge appliance, you must configure a delegate user with the required properties on the domain controller. You can either create a delegate user account or use an existing user account as a delegate user account.

After creating an account or selecting an existing account, enable delegation for this user. You then associate the delegate user with the CIFS and Exchange services, so that the traffic for these services can be accelerated. After you add this user to the CloudBridge appliance, the appliance presents delegated credentials for the services associated with this account.

Creating a Delegate User Account
Create a delegate user account on the Windows domain controller so that the CloudBridge appliance can use this account on behalf of the users to authenticate them with the domain controller.
Note: If you want to configure an existing user as a delegate user, skip this procedure.
To create a delegate user account
  1. Log on to the Windows domain controller as an administrator. Make sure that the file server or Exchange server is a member of this domain.
  2. From the Start menu, open the Active Directory Users and Computers Window.
  3. Create a delegate user, as shown in the following screen shot:

Enabling Delegation for a User
So far, the user you have created is similar to any user you create on the Active Directory server. To enable delegation for the user, you must set the Service Principal Name attribute of the user to delegate and associate the delegate user with the required services. This makes the user to have special privileges attached to it and make it a delegate user.
To enable delegation for the user
  1. From the Start menu, open the Active Directory Users and Computers Window.
  2. From the View menu, select Advanced Features.
  3. Select the User node.
  4. Right-click the user that you want to make a delegate user.
  5. From the shortcut menu, select Properties and navigate to the Attribute Editor tab, as shown in the following screen shot:

  6. From the Attributes list, select servicePrincipalName, as shown in the following screen shot:

  7. Click Edit.
  8. In the Multi-valued String Editor dialog box, in the Value to add field, specify delegate/<User_Name>, as shown in the following screen shot:

  9. Click Add.
  10. Click OK.
  11. Click Apply.
  12. Click OK.
  13. Open the user's MAPI-CIFS Delegate User Properties dialog box and verify that the Delegation tab has been added to the dialog box, as shown in the following screen shot:

Associating the Delegate User with CIFS and Exchange Services
After enabling the Delegation tab for the user, you can associate the user with services for which the user can present delegated credentials. When you add this user to the CloudBridge appliance, the appliance presents delegated credentials for the services associated with this account.
Note: Windows security infrastructure uses the Exchange service to manage MAPI traffic.
To associate the delegate user with CIFS and Exchange services
  1. In the Delegation tab, select the Trust this user for delegation to specific services only option.
  2. Select the Use any authentication protocol option.
  3. Click Add, as shown in the following screen shot:

  4. In the Add Service dialog box, click Users and Computers.
  5. In the Select Users or Computers dialog box, add the local computer to be selected, as shown in the following screen shot:

  6. Click OK.
  7. In the Add Services dialog box, from the Available services list, select cifs, as shown in the following screen shot:

  8. If you have to set up MAPI acceleration on the CloudBridge appliance, press and hold the Ctrl key, and select the exchangeMDB service.
  9. Click OK. The services you have selected are added to the Services to which this account can present delegated credentials list, as shown in the following screen shot:

  10. Click OK.
  11. Close the Active Directory Users and Computers Window.
Configuring a Delegate User on a CloudBridge Appliance
After configuring the delegate user on the Active Directory server, you must configure this user on the CloudBridge appliance, so that the appliance can present this user's delegated credentials to the domain. This enables the appliance to actively optimize the network traffic for the advanced CIFS and MAPI acceleration features.
To add the delegate user to the server-side appliance
  1. Navigate to the Configuration> Secure Acceleration> Windows Domain tab.
  2. Click the Join Windows Domain button, if present.
  3. Under Delegate Users, click Add.
  4. In the Domain Name field, specify the domain name. This is typically the domain that you specified under the Windows Domain section.
  5. In the User Name field, enter the user name of the delegate user.
  6. In the Password field, specify the password of the delegate user.
  7. Click Add.

Verifying that the Appliance has Joined the Domain

If, after adding the appliance to the domain, you notice that the appliance is not optimizing secure Windows traffic, some error might have prevented the appliance from joining the domain. You can use the Pre Domain Check utility to find out if there are any issues with the appliance joining the domain. You can even run this utility to identify possible issues before you attempt to join the appliance to a domain.

To check the delegate user
  1. Log on to the server-side CloudBridge appliance.
  2. Navigate to Configuration > Secure Acceleration > Windows tab.
  3. Click the Join Windows Domain button, if present.
  4. Select a delegate user and click Edit.
  5. Click Check Delegate User.
  6. Wait for the Delegate User Domain Check to complete and examine the results.