Saturday, November 17, 2012

Cisco WAAS with SSL Acceleration and RDP

Hi Guys!

Another blog post on my favorite Cisco product, Cisco WAAS. We are going to go through how to accelerate SSL and RDP traffic with the full levels of optimization (TFO, LZ and DRE).

By default, SSL and RDP are only TCP Flow Optimized. SSL is encrypted, so compression and DRE are not going to work on the encrypted traffic flow, and RDP is both encrypted and compressed by Microsoft.

Both SSL and RDP have a lot to gain from being accelerated by Cisco WAAS. SSL is just HTTP traffic that is encrypted, and HTTP traffic is accelerated extremely well, so it makes total sense to take advantage of this. Microsoft RDP is a bit more complicated as it already has some compression being done by Microsoft, but the Cisco compression algorithms are superior, so you are better off using them.

First, let's discuss SSL acceleration.

Rather than presenting its own certificate to your end-user applications when they visit HTTPS web pages and so on, WAAS requires the private key from the conversation so that it can intercept the traffic and perform acceleration on it. This means that you need to tell WAAS which TCP conversations are using SSL encryption.

RDP requires you to configure some settings on the Microsoft server to disable certain encryption and to disable compression on the client side.


Let's get to it!

SSL Acceleration
Important Note: When using SSL acceleration, disk-based encryption for your WAAS is highly recommended but not mandatory. It is highly recommended because you may be storing secure information in the unencrypted DRE cache, so if you're a security-sensitive organization you should keep this in mind. Disk-based encryption will be covered in another blog post.


First Step: find a service running HTTPS. In my example I am going to use my vCenter server, which runs on port 443.

Second Step: you need to export the private key and public certificate from the server. In my case, for VMware, it was very easy; I simply navigated to the following directory:

"C:\Users\All Users\VMware\VMware VirtualCenter\SSL"

In this directory I found the .crt file and also the .key file that made up my certificate.


-----BEGIN CERTIFICATE-----
MIIDqTCCApGgAwIBAgIEIE5yBDANBgkqhkiG9w0BAQUFADBrMRUwEwYDVQQKEwxW
<--- output omitted --->
CBFADwAvKWhk5FUXxRzlvstq4gldvHZJcXiBLOI=
-----END CERTIFICATE-----




Certificates come in a variety of formats, and so do private keys. I found that as long as my private key began with:

-----BEGIN RSA PRIVATE KEY-----

this certificate worked for me, so let's go ahead and import the certificates.


Third Step:
Log in to WAAS, then go to Device Groups. I like to configure everything from the device group ALLWAASGROUP because it configures all devices at the same time (depending on your group membership configuration).


Click on configure - SSL Accelerated Services, then click create:

Go ahead and give the service a name, click the In service button and, most importantly, enter a list of servers and ports (either as IP addresses or hostnames) that use the certificate you're about to import. If you have multiple servers using the same certificate (such as a web server farm), you can enter multiple addresses here to save time on your configuration.

So you basically need one SSL service for every separate certificate you might have.





Here is an example of multiple servers entered in:






You can also see that the port numbers are entered, so be sure to include any ports your server might use.


Next, you import the certificates. I find it easiest to simply open the certificates in Notepad and copy/paste the contents of the private key and the certificate, as per the example below:

Click on "import existing certificate and optionally private key", then select "Paste certificate and key in PEM-format".

From here you can copy-paste in your certificates:






Remember that you want the key to begin with:

-----BEGIN RSA PRIVATE KEY-----

Otherwise you may receive an error message when you try to import the key.
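A pre-import check for the paste step above, as an added example that is not part of the original post or of Cisco's tooling: it parses the PEM text you are about to paste, confirms there is a certificate and exactly one private key, and reports when the key header is something other than the traditional RSA one. The `sample()` helper builds constructed placeholder blocks, not real key material.

```python
import base64
import re

# What each PEM key label means for the paste-in import described above.
KEY_LABELS = {
    "RSA PRIVATE KEY": "traditional (PKCS#1) RSA key",
    "PRIVATE KEY": "PKCS#8 key; re-encode as traditional RSA before import",
    "ENCRYPTED PRIVATE KEY": "encrypted PKCS#8 key; decrypt and re-encode first",
    "EC PRIVATE KEY": "EC key, not RSA",
}
PEM_RE = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)

def pem_blocks(text):
    """Return [(label, decoded_bytes)] for each PEM block found in text."""
    out = []
    for label, body in PEM_RE.findall(text):
        # Skip RFC 1421 header lines ("Proc-Type: ...") and blank lines.
        b64 = "".join(l.strip() for l in body.splitlines() if ":" not in l)
        out.append((label, base64.b64decode(b64, validate=True)))
    return out

def check_paste(text):
    """Return a list of problems with a cert+key paste (empty list = none)."""
    problems, certs, keys = [], 0, 0
    for label, der in pem_blocks(text):
        if not der.startswith(b"\x30"):  # plain DER opens with a SEQUENCE tag
            problems.append(f"{label}: body is not plain DER (encrypted or damaged)")
        if label == "CERTIFICATE":
            certs += 1
        elif label in KEY_LABELS:
            keys += 1
            if label != "RSA PRIVATE KEY":
                problems.append(f"key header is '{label}': {KEY_LABELS[label]}")
    if certs == 0:
        problems.append("no CERTIFICATE block found")
    if keys != 1:
        problems.append(f"expected 1 private key, found {keys}")
    return problems

def sample(label):
    """Constructed placeholder block: valid PEM framing, not real key material."""
    body = base64.b64encode(b"\x30\x82" + b"constructed-sample" * 4).decode()
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

if __name__ == "__main__":
    for key_label in ("RSA PRIVATE KEY", "PRIVATE KEY"):
        print(key_label, "->", check_paste(sample("CERTIFICATE") + sample(key_label)))
```

If the key turns out to be PKCS#8, `openssl rsa -in server.key -out server.rsa.key` rewrites it; on OpenSSL 3.x add `-traditional` to get the `BEGIN RSA PRIVATE KEY` header. The file names here are placeholders.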

Click Import to import the certificate. If you have a valid cert, you will see its details reflected as per the example below:



Now click Submit in the right hand corner to save your settings.

Only one more easy step to go!


Under ALLWAASGROUP (where you are at the moment), go to configure - Peering Service



Ensure that "Enable Certificate Verification" is UNCHECKED, and that SSL Version is set to ALL (just in case your certificates use a particular type of SSL).

The "Enable Certificate Verification" option is used when two WAAS peers attempt to talk to each other via SSL. Unchecking this box ensures that the self-signed certificate each WAAS peer has by default is accepted as valid. If you wanted to, you could configure a proper SSL trust relationship between the actual WAAS peers, but this is beyond the scope of this article. So for now, to get SSL acceleration working, we simply uncheck this option.

Now, if you browse to the SSL web page we added as an SSL accelerated service in our WAAS, then go to a WAAS device and view the "connection statistics", you should notice the traffic is accelerated:





Success! We can see that SSL Traffic is accelerated! Hooray!

The next step is now RDP traffic.



RDP Traffic


For RDP traffic, the first thing we need to do is disable encryption of everything but the login traffic on the RDP server. To do this, you can edit the registry setting manually, or you can copy-paste the below into a .reg file and run it on your Windows Terminal Server:


Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]
"SecurityLayer"=dword:00000000


Once this is done, you will need to restart the terminal server.

Next, go to your RDP Client and enter in the details but DON'T connect just yet.

Expand the options section and click "save" to save the connection as an RDP File.




Open the file in notepad and change the line:
compression:i:1

to

compression:i:0

This will disable the inbuilt compression on RDP.
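The same edit done by script, as an added example that is not from the original post: files saved by the Remote Desktop client are typically UTF-16 with a byte-order mark, so the function keeps the original encoding and line endings, replaces the `compression` line, and appends it if it is missing. The sample file contents and the host name `ts01.example.test` are constructed.

```python
import codecs

BOMS = [(codecs.BOM_UTF16_LE, "utf-16-le"),
        (codecs.BOM_UTF16_BE, "utf-16-be"),
        (codecs.BOM_UTF8, "utf-8")]

def set_rdp_option(raw, name, value, kind="i"):
    """Return .rdp file bytes with `name:kind:value` set, encoding preserved."""
    # Detect the byte-order mark; fall back to BOM-less UTF-8 (assumption).
    bom, enc = next(((b, e) for b, e in BOMS if raw.startswith(b)), (b"", "utf-8"))
    text = raw[len(bom):].decode(enc)
    eol = "\r\n" if "\r\n" in text else "\n"
    wanted = f"{name}:{kind}:{value}"
    lines, seen = [], False
    for line in text.splitlines():
        # Each setting is "name:type:value"; match on the name before the first colon.
        if line.split(":", 1)[0].strip() == name:
            if seen:
                continue          # drop duplicate entries of the same setting
            line, seen = wanted, True
        lines.append(line)
    if not seen:
        lines.append(wanted)      # setting was absent from the saved file
    return bom + (eol.join(lines) + eol).encode(enc)

# Constructed sample of a saved connection file (UTF-16 LE with BOM).
SAMPLE_RDP = codecs.BOM_UTF16_LE + (
    "full address:s:ts01.example.test\r\n"
    "compression:i:1\r\n"
    "audiomode:i:0\r\n"
).encode("utf-16-le")

if __name__ == "__main__":
    fixed = set_rdp_option(SAMPLE_RDP, "compression", 0)
    print(fixed[2:].decode("utf-16-le"))
```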

Next, we need to go back to WAAS to enable full optimization for the Remote Desktop service.

Log in to Cisco WAAS and go to ALLWAASGROUP again under "Device groups".

Click on Configure - Optimization Policies.

This will present a heck of a lot of options, so use the quick filter button on the right to narrow down the policies.

Enter the port 3389 and you will see the policies narrowed down.






Click the checkbox next to the policy and click Edit.

Change the action to full optimization (TFO with DRE Bidirectional and LZ).




Click OK


Go to your connection statistics page under Monitor for one of your WAAS devices and you will notice that the acceleration has now taken effect!








That is all there is to it!

I hope you found this useful, guys. Cisco WAAS is my favorite Cisco product along with Cisco UCS and I can't recommend it enough.



Just one more thing, guys. This is really more for me, but you might find it useful: if for some reason you accidentally connect to a server without turning compression off, or you don't turn the encryption off, the WAN accelerator still tries to accelerate, but it is not effective because the traffic is encrypted/compressed. But you won't have any adverse effects.



4 comments:

  1. Thanks for posting. I have been wanting to do this.
