This article can also be found in the Premium Editorial Download "Network Evolution: WAN optimization policy goes deep."
Download it now to read this article plus other related content.
The branch office used to be uncomplicated. It housed small groups of workers—sales people, for example—who all worked on similar tasks and accessed a small group of applications. That simplicity is a thing of the past.
Now branch offices often house a diverse set of workers who need access to everything from virtual desktop to basic email, delivered on a wide array of devices. The sheer number of applications sent between remote offices, their headquarters and data centers, can strain the WAN, even surpassing the limits of MPLS technologies.
So network managers and administrators are responding by applying application acceleration and WAN optimization policy that takes into account user identity and role, as well as location and even time of day. This kind of granular policy setting can be accomplished with next-generation firewalls that are often attached to WAN optimization appliances.
Implementing WAN optimization: In-band or out-of-band?
Before network managers move into setting user-based policy, they must first determine where a next-generation firewall or WAN optimization appliance would live in the network, as well as which kinds of applications actually need to be optimized or accelerated.
“You can put a WAN optimizer in-line with the network, such as behind the border router or firewall, and then it processes all traffic (either optimizing or bypassing optimization),” explains Mike Fratto, Senior Analyst, Enterprise Networking, Current Analysis.
Engineers can also place the WAN accelerator out-of-band, where it is not in-line with network traffic. This lets the IT team decide which applications to send to the WAN optimizer to be optimized. “They would do this primarily because some traffic does not benefit from WAN optimization,” Fratto explains.
Real-time voice and video, for example, wouldn’t need to be optimized since this traffic is already compressed and doesn’t repeat. Other examples include encrypted traffic, which is not predictable, and back-up data, which tends to be uniquely ordered.
“The decision to send to the WAN optimizer is made not about the user but based on the type of traffic. This is a common deployment option particularly in data centers or larger remote offices,” concludes Fratto.
Once engineers decide which applications to optimize, things can get more complex. The next step is policy setting by identity, location, time of day or application type—and this can vary by the type of technology deployed for optimization.
A bank dumps MPLS for WAN-optimized VPN
McHenry Savings Bank faced slow connections on its point-to-point MPLS network, which meant sluggish check image transactions and failed offsite backup replication.
“It worked perfectly in the test environment, but as soon as we came into production, with all the tellers signing on and all the VoIP going through, it killed the MPLS vendor’s head-end router,” says Bryan Nash, McHenry’s CIO.
But when McHenry Savings Bank switched over to the new MPLS network, it maintained its backup connections over Dell SonicWALL firewall VPNs, using service from three ISPs. “When we had the MPLS issue, we flipped over to our VPNs and realized we could still run. Our transactions were just a little slow,” explains Nash.
The McHenry IT team ultimately gave up its MPLS and discovered it could mesh its entire network through the Dell SonicWALL firewall.
The only sticking point was latency that affected the check image capture application data stream. “Our images were taking forever to come across,” says Nash. The bank must record a front and back image for every check and every ticket that goes with each check. The latency was unacceptable.
“Since we had such a cost reduction by getting rid of the MPLS, we decided to look at putting in WAN accelerators to speed check image captures,” Nash says. Nash contacted Dell SonicWALL about its new WXA WAN accelerators, asking for a product evaluation.
“They shipped me out three WXA WAN accelerators,” says Nash. “We popped them in and my branches came back and said, ‘I don’t know what you did but everything is just flowing really fast’.”
The WAN accelerators also resolved an issue McHenry Savings Bank had been having with its offsite backup replications. The bank had been using the Data Domain backup product, which EMC acquired. “EMC applied a firmware upgrade and suddenly we could not get our replications to complete. While EMC was working on the issue, the McHenry IT team added the same WAN accelerators for a trial run. “When we did the WAN accelerator testing, it fixed our backups. Now our backups are completing in less than two hours every night,” explains Nash.
WAN optimization policy that starts with a next-generation firewall
The Dell SonicWALL strategy applies application and bandwidth prioritization policy that can be based on employee and application hierarchies at branch offices.
To accomplish this, the Dell SonicWALL Next-Generation Firewall starts by fingerprinting applications as they pass through using Deep Packet Inspection (DPI) technology.
“We have 4,000 application use cases in 28 categories, representing over 1,700 individual applications in an application signature database,” says Matthew Dieckman, SonicWALL tech director. The Next-Generation Firewall ties the application signature database to user identities through single sign-on technology.
More on WAN optimization strategies
Choosing between hardware and software WAN optimizers
Understanding the basics of WAN optimization
The technology enables McHenry Savings’ WAN administrator to look at program categories such as IM, for example, and applications that run between IM clients, such as FTP transfers. “The Application Control in the Next-Generation Firewall allows the administrator to control applications at the group level,” says Dieckman. So the administrator can decide whether to allow IM use on a per-user basis depending on real business need, and whether those allowed to use IM can also facilitate FTP transfers between IM clients, for example.
The Next Generation Firewall passes application traffic that the bank permits and that the WAN accelerators can accelerate on to those WXA devices. “The WXAs don’t care; it’s however you present the traffic to them. That’s one of the nice things about it. It’s all driven by policy,” says Nash.
Going further, the bank’s WAN administrator can also use bandwidth prioritization policies to limit access to sites, such as Facebook, that unnecessarily eat capacity. At the same time, however, “the administrator can also determine that marketing employees need access to Facebook,” says Dieckman. ″You can be very granular about what you want to accelerate,” he says.
WAN Optimization-as-a-Service tackles slow Citrix and SharePoint
IT solutions provider Tavant Technologies ran into latency problems running Citrix for remote customer locations and SharePoint/Windows File Sharing between its offices in Bangalore, Delhi and Santa Clara.
Specifically, Tavant was experiencing Citrix log-on and screen refresh latency issues during peak times and the company was having challenges pulling up HR-related files from SharePoint across the WAN.
The solution to these problems was to use a WAN Optimization-as-a-Service solution that allowed the company to enforce optimization policy that takes into account user identity, time and location.
The company invested in cloud-based WAN Optimization-as-a-Service provider Aryaka, connecting customers into its WAN with varying access levels for prioritization and optimization. Tavant Technologies’ logical WAN topology connects multiple locations, including a primary data center in Santa Clara, a backup data center in Sacramento and offices in the U.S. and Bangalore. Each node of the Tavant ring network is connected directly to a node of the Aryaka ring network. Aryaka offers a combination of MPLS, VPLS and point-to-point links.
During peak times when customers are checking in software program code, they need priority access. “Policies set up in the Aryaka system give those users priority access on Citrix in terms of available bandwidth,” says Sonal Puri, vice president of Sales, Marketing and Alliances at Aryaka.
The log-in time is quicker when compared with a normal network connection and also the screen refresh time is much faster, says Anaand Papaiah, director of information systems at Tavant Technologies. The latency in the normal connect time is around three seconds, according to Papaiah, but Tavant Technologies customers see a real-time screen changeover on Citrix using Aryaka.
Tavant is also able to use Aryaka’s technology to address latency in the SharePoint applications, which had become quite pressing. Tavant Technologies’ CTO experienced challenges pulling up HR files in Excel from SharePoint across the WAN. “The CTO was in the Santa Clara office opening the Excel file from our SharePoint server, which is in Bangalore. It used to take at least 10- to 20- minutes,” says Papaiah.
Using Aryaka’s WAN Optimization-as-a-Service and Application Delivery-as-a-Service solutions, Tavant also set bandwidth prioritization policies based upon user, location, conditions and the application to speed SharePoint file sharing.
Applying Aryaka’s acceleration proxies with its own controls and policies enables quicker refresh in SharePoint and removes some of the chattiness among the network protocols that can slow SharePoint down.
“Aryaka optimized the TCP stack to ensure that data flows smoothly. File transfers that took 10 to 20 minutes [were brought] down to about a minute by opening up the entire pipe and pushing the data through,” explains Puri. Likewise, Tavant created specific policy to address latency in sensitive applications, such as multimedia using TCP optimization in addition to acceleration proxies.
In user-based WAN optimization, challenges are many
Success stories of granular WAN optimization policy setting are becoming more common, but plenty of challenges remain. In, fact most companies are still “optimizing all traffic … for all users,” Fratto says. These companies hold back from setting user-based quality policies because they haven’t gone through the difficult process of breaking down roles and defining policies. What’s more, doing so adds significant administrative overhead, as well as maintenance. Finally, administrators find it difficult to discern where to enforce role-based policy since many users of an application tend to need similar quality.
“Organizations are much more compelled to create user-based policies based on security needs. And if they have gone through that process, they are much more likely to have the roles already defined and can add quality policies on top,” says Fratto.
David Geer writes about security and enterprise technology for international trade and business publications.
This was first published in June 2013