Certeon’s wide area networking (WAN) devices, with embedded software, reduce the amount of HTTP/S data transmitted over the network, enabling greater application delivery speed, security, and scalability.
An Application Acceleration Blueprint, as utilized by the S-Series, is a description of the ways that a specific application identifies and encapsulates the data objects that it transmits over the network. Application Blueprints are based upon intimate knowledge of the application semantics and object forms. A Blueprint functions at layer 7, intelligently accelerating the application. Its intelligence is designed so that the same or similar content is transmitted over the WAN only a single time.
For specific traffic, the S-Series’ embedded ODE performs as an application layer proxy. This allows the device to identify specific application level interactions and to isolate discrete data objects in transit between the client and the server application components. This application awareness and "data object visibility" is simply not possible when operating at the lower session or IP layers.
By isolating the in-transit data objects, the S-Series is then in a position to:
The S-Series can learn and remember millions of data objects by utilizing local disk storage. These objects may go back weeks or months in age. RAM-based approaches can't store anywhere near as much information.
Packet- or session-based acceleration technologies that use disks for storage do not organize data in its native object form; instead, it is stored as scattered packet payload data. As a result, their search and encoding algorithms are fundamentally limited in their data reduction rates.
While data reduction plays a large role in acceleration, the S-Series doesn’t stop there. It incorporates other technologies to further improve application performance over a WAN. These are:
If you have real-time data (such as voice and video) on your network with DSCP markings that you don't want masked, the S-Series can bridge this traffic immediately through the appliance without affecting the header or changing the marking. The S-Series configuration uses match rules to provide a mechanism for identifying and categorizing traffic entering the Acceleration Tunnels. Once traffic is identified, it is either:
No, presently you cannot disable IPsec on the S-Series acceleration tunnels. You can, however, enable null encryption, but packets will still contain an ESP header.
Yes, the S-Series can map an unlimited number of PKI certificates to different IP addresses. You are not bound to a single certificate per system.
Yes, the S-Series maps PKI certificates to Origin Server IP addresses. However, if there is no certificate for an Origin Server IP address, then HTTP is used.
No, only one S-Series is needed at each branch location. It is not dependent on the number of HTTP applications your organization is running.
The history on the S-Series is dependent on the rate that traffic is traversing the appliance and the remote office user patterns. Devices that have heavier traffic loads will have shorter histories because documents are being updated more frequently. Since the S-Series stores the objects in their native form it is safe to say it can store at least a month’s worth of history. Please note that since the S-Series is focused on collaborative applications the history that is being removed would most likely be stale information being updated by new acceleration token data.
When a remote client issues a request for an object that has previously traversed S-Series devices, the remote office S-Series will reference that request to the previous history store and pre-build the expected server response. It will then compress and send that request to the data center S-Series, which forwards that request to the server. Upon receiving the response, the data center S-Series recognizes that the content of the response has changed from the previous history store. It then takes only the changes to this data and updates its history store. At the same time, it compresses only that changed data and sends it back, via acceleration tokens, to the remote office S-Series, which in turn updates its history store, rebuilds the response to reflect the updated information and forwards this response to the client.
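The response path described above, sketched as an added example (not Certeon code): two history stores are modelled as dicts, and only the changed bytes plus references into the shared history cross the WAN. The token layout, the 8-byte reference cost, the SHA-256 check that detects a branch store that has drifted from the data center store, and the names encode, decode and round_trip are all assumptions made for the illustration.

```python
import hashlib
from difflib import SequenceMatcher

# Constructed sample objects: the same page before and after one field changes.
V1 = b"".join(b"row %d: value=100\n" % i for i in range(60))
V2 = V1.replace(b"row 7: value=100", b"row 7: value=250")


def encode(old: bytes, new: bytes) -> dict:
    """Data center side: express `new` as references into `old` plus changed bytes."""
    ops = []
    matcher = SequenceMatcher(None, old, new, autojunk=False)
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag == "equal":
            ops.append(("copy", i1, i2))       # bytes the peer already holds
        elif j2 > j1:
            ops.append(("data", new[j1:j2]))   # only the changed bytes travel
    return {"ops": ops, "sha256": hashlib.sha256(new).hexdigest()}


def decode(old: bytes, msg: dict) -> bytes:
    """Branch side: rebuild the response and reject it if local history drifted."""
    out = b"".join(old[op[1]:op[2]] if op[0] == "copy" else op[1] for op in msg["ops"])
    if hashlib.sha256(out).hexdigest() != msg["sha256"]:
        raise ValueError("history store out of sync")
    return out


def wire_size(msg: dict) -> int:
    """Assumed cost model: 8 bytes per copy reference plus a 32-byte digest."""
    return 32 + sum(8 if op[0] == "copy" else len(op[1]) for op in msg["ops"])


def round_trip(branch: dict, dc: dict, key: str, origin: bytes):
    """One fetch through both history stores; returns (client response, WAN bytes)."""
    msg = encode(dc.get(key, b""), origin)
    dc[key] = origin                            # data center updates its store
    sent = wire_size(msg)
    try:
        rebuilt = decode(branch.get(key, b""), msg)
    except ValueError:                          # e.g. history cleared on one side only
        msg = encode(b"", origin)               # fall back to sending the whole object
        sent += wire_size(msg)
        rebuilt = decode(b"", msg)
    branch[key] = rebuilt                       # branch updates its store
    return rebuilt, sent
```

Calling round_trip twice with V1 and then V2 shows the second fetch costing a small fraction of the object size, while a branch store that starts empty against a populated data center store triggers the full resend.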
The S-Series is very easy to configure and deploy. The following base commands are required to establish connectivity and begin acceleration on the branch office and data center sides:
Branch Office Side - 1
S-Series$ set Address x.x.x.x
S-Series$ set SubnetMask x.x.x.x
S-Series$ set Gateway x.x.x.x
S-Series$ set DomainName xyz.com
S-Series$ set DnsAddress x.x.x.x
S-Series$ set HostName Branch
S-Series$ set con[nection] 0 Role Initiator
S-Series$ set con[nection] 0 PrimaryRemoteAddress x.x.x.x
Data Center Side
S-Series$ set Address x.x.x.x
S-Series$ set SubnetMask x.x.x.x
S-Series$ set Gateway x.x.x.x
S-Series$ set DomainName xyz.com
S-Series$ set DnsAddress x.x.x.x
S-Series$ set HostName Data Center
To Branch Location - 1
S-Series$ set con[nection] 0 Role Listener
S-Series$ set con[nection] 0 PrimaryRemoteSN 00000000xxxx
S-Series$ set con[nection] 0 PrimaryRemoteAddress x.x.x.x
Match rules in the S-Series are used to filter incoming traffic for acceleration. These rules specify traffic characteristics such as protocol, port number, QoS settings, etc. Based upon the configured rules, traffic matching a particular characteristic will be mapped to the appropriate service and accelerated.
No, match rules are only configured on the upstream (data center) S-Series device. These rules are then pushed out to the downstream (branch office) device associated with a particular connection.
Resetting stored object history is very simple. All that is required is to disable all connections on the S-Series, then enter 'historyclear' at the command line. Once the connections are enabled the S-Series will relearn all application objects.
Yes, you can. There are no restrictions on the issuing authority for SSL certificates. The S-Series will accept certificates issued by Verisign, Entrust, Comodo, or any other certificate-issuing authority.
Yes, the S-Series can accept intermediate certificates, and there is no limit to the number of these types of certificates that can be accepted.
The S-Series uses forward error correction (FEC) when wide area networks have high packet loss. FEC is a system of error control for data transmission, whereby the S-Series adds redundant data to its messages, which allows the receiving S-Series to detect and correct errors without the need to ask the sending S-Series and source client for additional data. The advantage of forward error correction is that retransmission of data can often be avoided, at the cost of higher bandwidth requirements on average; it is therefore applied in situations where retransmissions are relatively costly or impossible. By its use of FEC, the S-Series avoids data retransmissions, which can greatly degrade application response time and performance.
In-line deployment places the device directly on the network path between the edge router and a switch. In the event of a device failure, a fail-to-wire relay allows traffic to bypass the S-Series and flow unimpeded between the switch and router.
Out-of-Line deployment places the S-Series device off the main data path, usually off a switch or router, and traffic is redirected to the S-Series via the WCCPv2 protocol. The device is not in-line for this mode of operation and all traffic can enter and exit on a single network port (a.k.a. one-armed operation). This redirected traffic is delivered to the device either in a GRE tunnel or via an L2 MAC address. The device inspects this redirected traffic and intercepts the traffic it is managing. Any non-intercepted traffic is returned to the switch or router, either through the tunnel (if it was delivered in a GRE tunnel) or by forwarding it to the default gateway.
Certeon devices configured with the fail-over option provide accessibility of data and availability of acceleration services. If a device is not functioning on one end of a connection, another device will assume the role of the non-functioning device so that traffic continues to accelerate between the connections. A failover condition may be triggered by any of the following reasons:
Once the devices are configured with failover, a TCP connection is established for both the primary and secondary devices, but a full peer-to-peer connection (consisting of configured connection settings) is established only with the primary device.
Data starts flowing between the primary device and the device on the other end of the connection. The secondary device enters a standby mode but keeps a TCP connection open with the device on the other end. In the event that the primary device is no longer available, the secondary device becomes activated and the data will be forwarded through the secondary device using the settings configured for the connection.
The S-Series uses FTP to retrieve the new software. Once the software is downloaded to an FTP server in the network, typing "update get ftp://user@ftpserver/directorypath/s-series.upg" at the command line will retrieve the software from the FTP server and place it on the S-Series. The next command to run is "update install s-series.upg"; the new image is then verified and applied to complete the process.