0% found this document useful (0 votes)

454 views51 pages

Riverbed Windows Security Guide

SMB

Uploaded by

Robert Uap

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

454 views51 pages

Riverbed Windows Security Guide

SMB

Uploaded by

Robert Uap

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

WHITE PAPER

Optimization in a Secure Windows Environment

A guide to the preparation, configuration and
troubleshooting of Riverbed Steelhead
appliances for Signed SMB and Encrypted MAPI

September 2013

Optimization in a Secure Windows Environment

September 2013

OPTIMIZATION IN A SECURE WINDOWS ENVIRONMENT

Introduction
This guide is designed to help the reader create a plan and prepare for all the steps required to configure Riverbed Steelhead
appliances to optimize in an environment where there are;
Microsoft Windows Fileservers using Signed SMB, Signed SMB2 and Signed or Encrypted SMB3 for file sharing to
Microsoft Windows clients
Microsoft Exchange Servers providing an Encrypted MAPI communication to Microsoft Outlook clients
Microsoft Web Servers requiring per request Kerberos authentication
Even though the majority of the configuration for these requirements need only be performed on the server-side Steelhead
appliance, there are some settings which must also be performed on the client-side Steelhead appliance(s). It is therefore strongly
advised to have all the Steelhead appliances operating with a minimum of Riverbed Optimization System (RiOS) v6.1.x but
preferably RiOS v6.5.x or later. For any environment where there is a requirement for Kerberos authentication between the client
and server, a minimum of RiOS v7.0 is needed. For any requirement where there is Signed SMB3 optimization, a minimum of
RiOS v8.5 is needed.
As part of your preparation, reference should also be made to the most recent versions of the Riverbed Deployment Guide (both
the Appliance and Protocols editions) and the Riverbed Steelhead Management Console Users Guide. These manuals contain
sections giving further detail and advice on design and configuration for Windows Domain Authentication as well as further
explanation of Windows Domain architectures, trust relationships and the reasons for the use of Delegate User and Replication
User accounts. These manuals are available for download via the Riverbed Technology support website ([Link]).
This document does not cover the settings required for optimization of Outlook Anywhere.

Structure of this Guide

This guide begins with a brief overview of the possible configuration options and is then organized into four main sections which
explain the steps for configuration.
Section 1 is designed to cover all the configuration tasks needed when client-server authentication can be performed via
delegation using a Delegate User account.
Section 2 covers all the configuration tasks, when the client-server authentication requires Kerberos from end to end.
Section 3 covers all the configuration tasks that enable the server-side Steelhead appliance to integrate with the Windows Active
Directory (AD) environment and provide NTLM pass-through authentication.
The final section is a series of appendices that contain additional information which may be of use generally.
Therefore it is strongly recommended to read through the entire document including the appendices before starting the overall
configuration.
Please note that this document includes screenshots of example configuration steps. While every attempt has been made to
ensure accuracy, different versions of RiOS may have slightly different page layouts in the Management Console Graphical User
Interface (GUI) to those shown in this guide.

What configuration options are available and how do I choose?

There are several components within a secure Windows environment and the combinations of these components often dictate
what configuration options are available.
The main components that need to be considered are;
Windows client operating system for example: WinXP, Vista, Windows 7, Windows 8
Windows domain level for example: 2003, 2008, 2008-R2 native, mixed-mode
Authentication mechanism for example; NTLM only, Kerberos only, auto-negotiation NTLM or Kerberos
RiOS version of client-side and server-side Steelhead
While the permutations of these components, and others, can lead to a number of configuration options, it is quite often the case
that one of three basic configurations will stand out as the better choice.

2013 Riverbed Technology. All rights reserved.

Optimization in a Secure Windows Environment

September 2013

Kerberos Constrained Delegation

Historically, the first option is to use a Delegate User account and authenticate using Kerberos Constrained Delegation. This
option requires the most administrative effort on behalf of both the Steelhead appliance and Windows AD administrators. In the
past, this option has been the most frequently used because it is suitable for a wide variety and combination of client and server
OS versions. But following the release of RiOS v7.0 one or both of the next two options are recommended due to their simplicity.
Replication User
If the authentication mechanism is required to be Kerberos end to end between the clients and servers then the only option
available is to configure the server-side Steelhead appliance to use a Replication User account. End to end Kerberos
authentication is the default choice for Windows 7 or Windows 8 clients and Windows 2008 servers or later. But for backwards
compatibility, it is quite often the case that clients and servers automatically negotiate to use either NTLM or Kerberos. Because of
this reason, it is usually a good idea to configure a replication user and also have the server-side Steelhead appliance join the
domain and integrate with Windows AD as described below.
Windows Active Directory Integrated Mode
Generally speaking if the Steelhead appliances are running RiOS v7.0 or later the easiest configuration is to have the server-side
Steelhead appliance join the Windows Domain. Depending on the functional level of the Windows domain, the Steelhead
appliance joins in one of two modes; Active Directory integrated Windows 2003, or Active Directory integrated Windows 2008.
Once joined to the domain, the Steelhead appliance has sufficient privileges to be able to safely and securely communicate with
the domain controllers2. This communication only occurs to determine the session key in use between the client and server for a
connection of signed or encrypted traffic that is to be optimised. The authentication mechanism used in this case is NTLM and is
generally described by Microsoft as Pass-Through Authentication. NTLM authentication is still the most prevalent authentication
mechanism in use in production networks for reasons of backwards compatibility with older Windows clients and servers. If this
option satisfies the authentication requirements there is no need to configure a replication user or delegation user.
If one of the above three options is suitable for your needs, then simply follow the guidelines provided in the relevant section.
Section 1 Authentication via Kerberos Constrained Delegation
Section 2 End to end Kerberos authentication
Section 3 Integrating the server-side Steelhead with Active Directory
Remember that combinations of these three options may be possible. For example, it is possible to have the server-side
Steelhead appliance integrate with AD and also be configured with a replication user account. In this way, the server-side
Steelhead appliance would be able to work with both end-to-end Kerberos and NTLM authentication automatically choosing the
correct method as needed. It is the combination of these two options which is strongly recommended since they cover the majority
of deployment scenarios in production use today. To put it another way, sections 2 and 3 are most likely the ones you will need.

Automatic configuration
Starting with RiOS v8.5, there is the ability to configure a lot of the settings described in this document by using the Domain Auth
Easy Config and Auto Config widgets. The Domain Auth Easy Config widget is a single point of configuration allowing the
Steelhead appliance administrator to enter some Active Directory details along with desired optimization requirements. Then by
pressing a button, the widget completes the join domain, customizes the delegate user or replication user account settings in AD
and selects the correct Steelhead appliance optimization settings for relevant signed/encrypted SMB versions and encrypted
MAPI.
It is still the Steelhead appliance administrators responsibility to decide which settings are required. The Domain Auth Easy
Config widget will not automatically choose the correct settings, but once the settings are selected, the widget will do all the
configuration tasks automatically. This can significantly reduce the number of manual tasks required thereby minimizing the
potential for typographical errors. The Domain Auth Easy Config widget provides feedback in the form of an activity log as the
tasks progress to completion.
2 If you configure the Steelhead appliance to join with Windows 2003 mode or Windows 2008 mode, it does not provide any
Windows domain controller functionality to any machines in the domain, does not respond to requests, does not advertise itself as a
domain controller and does not register any SRV records. In addition, the Steelhead appliance does not perform any replication nor
hold any AD objects. For more details, consult the relevant section of the Riverbed Deployment Guide Protocols edition.

2013 Riverbed Technology. All rights reserved.

Optimization in a Secure Windows Environment

September 2013

In each of the configuration sections (sections 1, 2 and 3) of this document, all the manual tasks are described. If you are planning
to use the Domain Auth Easy Config widget, a few manual tasks are still needed to ensure the widget is successful. At the
beginning of each section is a list of the tasks needed before using Domain Auth Easy Config.
For the reader who would like to take a quick look at the graphical interface of the widget, there is an example screenshot in the
appendix of this document. Detailed information on how to use the widget is described in the Riverbed Steelhead Management
Console User Guide for RiOS v8.5.

Section 1 Authentication via Kerberos Constrained Delegation

Overview of required configuration tasks for authentication via delegation
There are a number of tasks to be performed and parameters to be configured. They are listed here;
1.1 Create a Delegate User account
1.2 Associate the Delegate User with CIFS/Exchange service(s) and enable delegation for the user
1.3 Configure Delegate User permissions to operate only with the chosen services
1.4 Join server-side Steelhead appliance to Windows Domain
1.5 Add Delegate User name to server-side Steelhead appliance configuration
1.6 Configure the Steelhead appliance to optimize Signed SMB and Encrypted MAPI
Some of these steps will require either administrator group level access to a Windows Domain controller or admin level access to
a Riverbed Steelhead appliance. Therefore the appropriate personnel with the relevant access privileges will need to be on hand
to perform the tasks. Administrator credentials are not stored on any Steelhead appliance. While these six steps are considered
mandatory for the success of an install, there may be other steps required for particular requirements like, one-way trusts,
alternative Organizational Units, password expiration, etc. Information on these additional items is to be found in the appendices
of this document.
If you are planning to use the Domain Auth widgets, complete the following tasks first..
1.1 Create Delegate User account
1.4 Join the server-side Steelhead appliance to the Windows Domain
1.5 Add Delegate User name to server-side Steelhead appliance.
1.6 Configuration of client-side and server-side Steelhead appliance(s) for signed SMB and encrypted MAPI.
DNS and NTP configuration as outlined in Table 1-4-1
Once the above tasks are successfully completed, use the Configure Delegation Account and Add Delegation Servers widgets.
Using these two widgets will automatically complete tasks 1.2 and 1.3.

Performing the configuration tasks

1.1 - Create a Delegate User account
In the Windows Active Directory environment, (for example, using Windows administration tools on the Domain Controller) create
a user in the same domain that the Exchange server, or File Server, is a member of.
Choose, Active Directory Users and Computers > Domain Name > Users and create the user (for example, with the name
delegate_rvbd). Alternatively, you can select an existing user account.
______________________________________________________________________________________________________
Note: The same Delegate User account can be used for any Exchange servers and File servers in the domain.
_______________________________________________________________________________________________________
Just like any other Windows resource, the server-side Steelhead appliance can only join one domain. If there are other application
servers in other Windows Domains at the same location it is possible for the same Steelhead appliance to optimize traffic to/from
these other servers. To enable this, a separate Delegate User will need to be created in each of the domains. All of the domains

2013 Riverbed Technology. All rights reserved.

Optimization in a Secure Windows Environment

September 2013

involved will need to be linked by 2-way, bi-directional trust relationships.

All of these Delegate Users will then be entered into the server-side Steelhead appliance configuration as part of this exercise.

1.2 - Associate the Delegate User with the CIFS or Exchange service and enable delegation for the user
Still on the Windows Domain Controller, create a Service Principal Name (SPN) for the delegate user using the [Link]
command-line tool. Once the setspn command has been executed for the delegate user, it makes the Delegation configuration
tab available in the user account properties. It is via this configuration tab that delegation is enabled for the delegate user. The
Windows support tools must be installed on the Domain Controller in order for the [Link] utility to be available. The Windows
Server 2003 SP1 Support Tools product CD includes this tool, or you can download it from the Microsoft Download Center. With
Windows Server 2008 or later, the [Link] tool is installed by default.
To access the [Link] tool, open a command window (cmd) on the Domain Controller. Then use the following command
syntax to add an SPN for the Delegate User
C:\> setspn A <service name>/delegate <delegate user name>

Where <service name> is either cifs for signed SMB, or exchangeMDB for encrypted MAPI, and <delegate user
name> is the name of the Delegate User created in the previous step for example delegate_rvbd.
Figure 1-2-1 shows an example screenshot of running the setspn command for both types of service.

Figure 1-2-1: setspn screenshot

1.2.1

Returning to the Active Directory Users and Computers > Domain Name > Users admin tool that was used in
task 1.1, open the Properties for the user and select the Delegation tab

2013 Riverbed Technology. All rights reserved.

Optimization in a Secure Windows Environment

September 2013

Figure 1-2-2: Delegate User properties

2013 Riverbed Technology. All rights reserved.

Optimization in a Secure Windows Environment

September 2013

Figure 1-2-3: Delegation tab

1.2.2

Enable the two settings; Trust this user for delegation services to specified services only and Use any
authentication protocol

At this point the Delegate User is ready to be used. If the requirement is for Manual Delegation, the Service field in the lower half
of this Delegation tab needs to be populated with a list of all the signed SMB, signed SMB2, signed SMB3 and encrypted
Exchange servers for this domain. This can be done using the Add button.
If Auto Delegation is to be used, this list does not need to be populated, however, due to the way that this Windows admin tool
works, it is not possible to select Apply and OK to close this Properties tool without adding at least one service. Therefore the
next steps must be performed at least once to add a service regardless of whether Manual or Auto delegation is to be used.
1.2.3

For Auto delegation, the easiest thing to do is choose any one of the servers. In this example, we will select a
signed SMB (cifs) server called BW-W2K8EXDC1.

2013 Riverbed Technology. All rights reserved.

Optimization in a Secure Windows Environment

September 2013

Figure 1-2-4 Selecting server

1.2.4
1.2.5

As shown in Figure 1-2-4, select Add in the Delegation tab, then Users or Computers.
Enter the hostname of the server, in this example it is called BW_W2K8EXDC1

Figure 1-2-5: selecting cifs service

2013 Riverbed Technology. All rights reserved.

Optimization in a Secure Windows Environment

1.2.6

September 2013

Select the cifs service (Figure 1-2-5), click OK, and the task is complete as shown in Figure 1-2-6.

Figure 1-2-6: Service added to Delegation tab

1.3 - Configure Delegate User permissions to automatically delegate only with the chosen services
Still on the Windows Domain Controller, use the Group Policy Management tool to add the Delegate user to the Group Policy
Object (GPO) for the domain.
1.3.1
Navigate to Start Menu > Administrative Tools > Group Policy Management Editor
1.3.2
Navigate to the Domain Controllers Policy.
1.3.3
Open the Default Domain Controller Policy or your policy for the domain controllers.
1.3.4
Navigate down through Computer Configuration > Policies > Windows Settings > Security Settings > Local
Policies
1.3.5
Select User Rights Assignment
1.3.6
In the right-hand window, select and right-click on Enable computer and user accounts to be trusted for
delegation to open the properties dialogue box.
1.3.7
In the Security Policy Setting tab, select Add User or Group
1.3.8
Enter the Delegate User name into the User and group names field.
1.3.9
Click OK out of the Group Policy Management tool.
Figures 1-3-1, 1-3-2a and 1-3-2b below show an example series of screenshots for the above sequence of steps.

2013 Riverbed Technology. All rights reserved.

Optimization in a Secure Windows Environment

September 2013

Figure 1-3-1: Group Policy Management tool screenshot

2013 Riverbed Technology. All rights reserved.

Optimization in a Secure Windows Environment

September 2013

Figure 1-3-2a: Group Policy Management tool screenshots. Add User, in progress

Figure 1-3-2b: Group Policy Management tool screenshots. Add User, completed

2013 Riverbed Technology. All rights reserved.

Optimization in a Secure Windows Environment

September 2013

Continuing the Delegate User configuration, the Delegate User now needs to be granted Allow access to modify the Active
Directory attribute msDS-AllowedToDelegateTo. Use the Active Directory Service Interfaces (ADSI) edit utility to achieve this.
1.3.1
1.3.2
1.3.3
1.3.4
1.3.5
1.3.6
1.3.7

Choose Start > Run, and open [Link].

Select Default naming context > Domain DN > CN=Users > CN=<Delegate User>.
Right-click and go to Properties on CN=<Delegate User>.
Choose the Security tab, click Advanced and then click Add.
Type the delegate user name and click OK.
Click the Properties tab in the Permission Entry dialog box.
Add Allow access for:
Read msDS-AllowedToDelegateTo
Write msDS-AllowedToDelegateTo

Figures 1-3-3 and 1-3-4 show an example series of screenshots for the above sequence of steps.

Figure 1-3-3: ADSI edit screenshot

2013 Riverbed Technology. All rights reserved.

Optimization in a Secure Windows Environment

September 2013

Figure 1-3-4: ADSI edit screenshot

If you need help troubleshooting, please also refer to the Troubleshooting Delegate Users section in the latest version of the
Steelhead Management Console Users Guide.
_______________________________________________________________________________________________________
Note: Section 1.2 and section 1.3 above will need to be completed for each Delegate User created in each domain.
_______________________________________________________________________________________________________

1.4 - Join the Server-side Steelhead appliance to the Windows Domain

When joining a Steelhead appliance to the Windows Domain, several prerequisites need to be configured to ensure smooth
integration. The server-side Steelhead appliance must be able to successfully lookup its hostname in the DNS architecture.
Ensure proper DNS entries are created in the DNS server(s) (only an "A record" is required) and the proper DNS servers are
configured in the Steelhead appliance. The date and time of the server-side Steelhead appliance must be synchronized with the
Windows Domain Controller. This is best accomplished by configuring the Steelhead to use the same NTP server as all the other
servers in the domain. You must know the fully-qualified domain name. Table 1-4-1 is provided to collect this information for your
environment.

2013 Riverbed Technology. All rights reserved.

Optimization in a Secure Windows Environment

Setting

September 2013

Value

Step conpleted

DNS entry for Steelhead appliance

DNS server IP address(es)
NTP server IPs added to Steelhead configuration
Steelhead appliance Computer object created in
Domain Controller
Fully-qualified Domain Name

Table 1-4-1: Steelhead appliance prerequisites

Once the prerequisites are completed, join the server-side Steelhead to the AD domain.
To complete this step you will need a Windows user account with rights to join a host to the AD domain. NOTE: This account has
nothing to do with the Delegate User account set up in the previous sections. The credentials of the account used to join the
domain are not stored on any Steelhead appliance and are only used for the purposes of joining the Steelhead appliance to the
domain.
1.4.1
1.4.2
1.4.3
1.4.4
1.4.5

On the server-side Steelhead(s) navigate to Configure > Networking > Windows Domain.
Enter the Active Directory Domain name, user id (of the user account with Join Domain
privileges), password and optionally the DC name and Short Domain Name.
Select the Join Account Type. Depending on the version of RiOS running on the Steelhead appliance there may be
several options available. When configuring for constrained delegation, any join type is suitable.
Next click the Join button at the bottom of the page and wait for feedback. If an error appears, take appropriate
action.
Once successfully joined you will see the statement In Domain Mode, status: In a domain in the top frame of the
page.

Figure 1-4-1 shows a successful domain join.

2013 Riverbed Technology. All rights reserved.

Optimization in a Secure Windows Environment

September 2013

Figure 1-4-1: Example screenshot, Windows Domain page of Steelhead appliance GUI

Further details on joining a Windows Domain are available in the Steelhead Management Console Users Guide in the chapter
Configuring Network Integration Features.
More recent versions of RiOS include tools to test the configuration settings and ensure a join is successful as well as a status log
to show progress and any errors encountered during the join process.

1.5 - Add the Delegate User to the server-side Steelhead appliance

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------NOTE: More recent versions of RiOS include both a collection of command line and graphical tools to help automate these
remaining steps. Whether or not the tools are available on the Steelhead appliances you are configuring, the individual steps are
shown here.
To add the delegate user to the server-side Steelhead you will need the AD domain name, delegate user name, and password for
each delegate user that has been created in each domain. These should have already been created as described in sections 1.1,
1.2 and 1.3 above. Assuming the user(s) have been created, the following steps should then be performed.
1.5.1

On the server-side Steelhead(s) navigate to Configure > Optimization > Windows Domain Auth.

2013 Riverbed Technology. All rights reserved.

Optimization in a Secure Windows Environment

September 2013

Figure 1-5-1: Windows Domain Auth page of Steelhead appliance GUI

1.5.2

Click the Add a New User tab. Enter the AD domain, delegate user account name, and password.

Figure 1-5-2: Add New Delegate User section on Windows Domain Auth page of Steelhead appliance GUI

1.5.3

Then click Add.

Figure 1-5-3: Add New Delegate User section on Windows Domain Auth page of Steelhead appliance GUI

1.5.4
1.5.5

Repeat steps 1.5.2 and 1.5.3 for each delegate user that has been created ensuring that the correct domain name
is included in each case.
In the Server Rules section, select the Auto Delegation Mode radio button and enter any server names that
should not allow delegated authentication. This field can be left blank unless there is an explicit need to prevent the
use of delegation to some servers.

2013 Riverbed Technology. All rights reserved.

Optimization in a Secure Windows Environment

September 2013

Figure 1-5-4: Delegation Mode setting on Windows Domain Auth page of Steelhead appliance GUI

1.5.6

Click the Apply button.

1.6 - Configure the Steelhead appliance to optimize Signed SMB and Encrypted MAPI
1.6.1

- Configuration steps for Signed SMB, Signed SMB2 and Signed SMB3

On the server-side Steelhead appliance, navigate to Configure > Optimization > CIFS (SMB1).
For RiOS versions prior to v6.5 if there are connections between Vista/Win7 clients and Windows 2008 R2 servers,
select the Enable SMBv1 Backward Compatibility check box. This will revert SMBv2 connections between
Vista/Win7 clients and Windows 2008 R2 servers back to SMBv1 allowing the Steelhead appliances to provide full
application layer acceleration for CIFS. This will provide a better experience for remote users compared to native
SMBv2 without optimization.
_______________________________________________________________________________________________________
[Link]
[Link]

Note: Consider upgrading to RiOS v6.5 for native optimization of SMB2. It is also worth noting that SMB2 provides extra security
for signing as it uses HMAC SHA-256 instead of MD5.
_______________________________________________________________________________________________________
[Link]

[Link]
[Link]

If the Steelhead appliance is running RiOS v6.5 or later, there is a separate SMB2 configuration page located at
Configure > Optimization > SMB2. With optimization for SMB2 enabled there is no need to select the Backward
Compatibility option indicated in step [Link] above. If the Steelhead is running RiOS v8.5 or later, there is the
option to enable SMB3 optimization. This setting is included on the SMB2 configuration page of the GUI.
Under the SMB Signing, check the Enable SMB Signing checkbox.
Next select the Delegation Mode radio button.

Figure 1.6.1-1: Enable SMB Signing section on CIFS Optimization page of Steelhead appliance GUI

[Link]
[Link]

Click the Apply button.

No changes are needed on the client-side Steelhead appliance(s) unless SMB3 optimization is required. If SMB3
optimization is required, repeat steps [Link] through to [Link] on the client-side Steelhead appliance(s).

2013 Riverbed Technology. All rights reserved.

Optimization in a Secure Windows Environment

September 2013

1.6.2 - Configuration steps for Encrypted MAPI

[Link]

On all Steelhead appliances (client-side and server-side) navigate to Configure > Optimization > MAPI.

Figure 1.6.2-1: MAPI Optimization page of Steelhead appliance GUI

On Steelhead appliances running RiOS earlier than v6.5, select Enable MAPI Exchange 2000 Optimization
Enable MAPI Exchange 2003 Optimization and Enable MAPI Exchange 2007+ Optimization checkboxes.
_______________________________________________________________________________________________________
[Link]

NOTE: On Steelhead appliances running RiOS 7.0 or later, these individual checkboxes have been replaced with a single Enable
MAPI Exchange Optimization checkbox.
_______________________________________________________________________________________________________
[Link]
[Link]
[Link]
[Link]

Check the Enable Encrypted Optimization checkbox.

Select the Delegation Mode radio button.
Click the Apply button.
Optionally you can configure secure peering between the client-side and server-side Steelhead appliances.
Refer to Appendix A.4 of this document for outline guidance. For details, reference the Steelhead Management
Console Users Guide section, Configure Secure Peers.

1.6.3 Saving the configuration and restarting the Optimization Service

Finally, save the configuration and restart the optimization service. Do this by clicking Save and Restart in the navigation
header. Or, proceed to the Configure > Configurations GUI page to save the configuration with a specific name and then
restart the optimization service.

2013 Riverbed Technology. All rights reserved.

Optimization in a Secure Windows Environment

September 2013

The integration with the Windows domain is now complete.

Once deployed successfully, monitor performance and health of the Steelhead appliance(s) to ensure proper optimization is
occurring and full acceleration is being achieved for the appropriate clients and servers. Keep in mind AD and Windows
administrators may make changes without notifying the networking team, so remain vigilant. Consider incorporating some of this
configuration information into a Change Control Process that enables both the Windows Server Administration team and the
Networking team to coordinate future updates and changes.
Appendix B in this document has some outline guidance for troubleshooting as well as pointers to other sources of help.

Section 2 End to end Kerberos authentication

NOTE: A detailed overview of end to end Kerberos authentication involving Steelhead appliances is provided in the Riverbed
Deployment Guide (Protocols edition).

Overview of required configuration tasks for end to end Kerberos authentication

There are a number of tasks to be performed and parameters to be configured. They are listed here;
2.1 Create a Replication User account
2.2 Configure the Replication User with limited privileges for replication
2.3 Optional - Configure Password Replication Policy (PRP) settings
2.4 Join server-side Steelhead appliance to Windows Domain
2.5 Add Replication User name to server-side Steelhead appliance configuration
2.6 Configure the Steelhead appliance to optimize Signed SMB Signed SMB2, Signed SMB3, HTTP and Encrypted MAPI
Some of these steps will require either administrator group level access to a Windows Domain controller or admin level access to
a Riverbed Steelhead appliance. Therefore the appropriate personnel with the relevant access privileges will need to be on hand
to perform the tasks. Administrator credentials are not stored on any Steelhead appliance. While these six steps are considered
mandatory for the success of an install, there may be other steps required for particular requirements like, one-way trusts,
alternative Organizational Units, password expiration, etc. Information on these additional items is to be found in the appendices
of this document.
_______________________________________________________________________________________________________
NOTE: End to end Kerberos authentication requires the Steelhead appliances to be running a minimum of RiOS v7.0.x
For signed SMB and signed SMB2 using Kerberos, only the server-side Steelhead appliance(s) need RiOS v7.0.x but both clientside and server-side Steelheads need this version if encrypted MAPI is in use with Kerberos. Full optimization of signed/encrypted
SMB3 requires a minimum of RiOS v8.5 on both client-side and server-side Steelhead appliances.
_______________________________________________________________________________________________________
If you are planning to use the Domain Auth Easy Config widget, complete the following tasks first..
2.1 Create a Replication User account,
2.5 Add Replication User name to server-side Steelhead appliance.
DNS and NTP configuration as outlined in Table 2-4-1
The Domain Auth Easy Config widget will complete tasks 2.2, 2.4 and 2.6 with the exception of any client-side Steelhead
appliance configuration. Any configuration on the client-side Steelhead appliance(s), for example enabling encrypted MAPI, will
need to be done as a separate task.

2013 Riverbed Technology. All rights reserved.

Optimization in a Secure Windows Environment

September 2013

Performing the configuration tasks

2.1 - Create a Replication User account
In the Windows Active Directory environment, (for example, using Windows administration tools on the Domain Controller) create
a user in the same forest that the application server (Exchange, File-sharing, HTTP) is a member of.
Choose, Active Directory Users and Computers > Domain Name > Users and create the user (for example, with the name
replicate_rvbd). Alternatively, you can select an existing user account.
Although the server-side Steelhead appliance will only be joining one domain, if there are other application servers in other
Windows Domains at the same location which the same Steelhead appliance will be optimizing, then the same replication user
account can be used across all domains. All of the domains involved will need to be linked by 2-way, bi-directional trust
relationships or a suitable 1-way trust.

2.2 - Configure the Replication User with limited privileges for replication
Once the replication user account has been created, it can then be assigned the limited privileges needed to perform replication.
This task is performed on the Domain Controller using the Delegation of Control Wizard. The steps are illustrated in this next
section using example screenshots.
2.2.1 On the Domain Controller, navigate to Start Menu > Administrative Tools > Active Directory Users and Computers
then select the domain name where the replicate user account resides.
2.2.2 - Right-click on the domain name and select Delegate Control. This launches the Delegation of Control Wizard.

Figure 2-2-1: Delegate Control

2013 Riverbed Technology. All rights reserved.

Optimization in a Secure Windows Environment

September 2013

Figure 2-2-2: Delegation of Control Wizard

2.2.3 Click Next and Add to add the replication account user name as shown in the next three screenshots. Note that the
example below includes the replication user account name replicate_rvbd in the domain [Link]. These values may be
different for your specific configuration.

2013 Riverbed Technology. All rights reserved.

Optimization in a Secure Windows Environment

September 2013

.
Figure 2-2-3: Delegation of Control Wizard, Users or Groups

Figure 2-2-4: Delegation of Control Wizard, add replication user account

2013 Riverbed Technology. All rights reserved.

Optimization in a Secure Windows Environment

September 2013

Figure 2-2-5: Delegation of Control Wizard, add replication user account

2.2.4 Click Next to be able to configure the replication user account with the limited privileges needed to perform its task.
Notice by default that the wizard offers a list of common tasks. These are too generic for the requirements of the replication user
account and therefore as shown in figure 2-2-6 select Create a custom task to delegate.

Figure 2-2-6: Delegation of Control Wizard, create custom task

2013 Riverbed Technology. All rights reserved.

Optimization in a Secure Windows Environment

September 2013

2.2.5 Click Next to be able to select the delegation control. Keep the default option; Delegate control of: This folder, existing...

Figure 2-2-7: Delegation of Control Wizard, create custom task

2.2.6 Click Next to select the delegation permissions. By default, the wizard shows the General permissions. Scroll down the
Permissions: window and select Replicating Directory Changes and Replicating Directory Changes All as indicated in the next
two screenshots, figures 2-2-8 and 2-2-9.

2013 Riverbed Technology. All rights reserved.

Optimization in a Secure Windows Environment

September 2013

Figure 2-2-8: Delegation of Control Wizard, permissions, Replicating Directory Changes

Figure 2-2-9: Delegation of Control Wizard, permissions, Replicating Directory Changes All

2.2.7 Click Next to complete the replication user account configuration and display a summary. The screenshot in figure 2-2-10
shows the final stage of the Delegation of Control Wizard. It displays the user account name and the permissions allocated to it.
There should only be two permissions. This restricts the replication user to a very limited range of capability but is sufficient for the
Steelhead appliance to perform its functions.

2013 Riverbed Technology. All rights reserved.

Optimization in a Secure Windows Environment

September 2013

Figure 2-2-10: Delegation of Control Wizard, summary

Notice in the above screenshot that the replication user account and domain name are for illustration purposes only. Your account
name and domain will be different, but the permissions will be the same as shown here.
2.2.8 Click Finish to close the wizard.

2.3 Optional - Configure Password Replication Policy (PRP) settings

Although the replication user account has a very restricted set of permissions, further limitations can be applied by making use of
a Password Replication Policy (PRP). This type of policy is only available in Windows 2008 and 2008-R2 domains, it is not
available with Windows 2003 domains.
Creating such a policy restricts the replication user so that it can only replicate for specified groups or users. While this may seem
like a further security benefit, it does mean that the policy needs to be carefully managed and maintained. Therefore it can result
in additional administrative overhead.
2.3.1 On the Domain Controller, navigate to Start Menu > Administrative Tools > Active Directory Users and Computers
then select the domain followed by Users. The right hand side shows the users and groups for the domain. In the list are two
groups called Allowed RODC Password Replication Group and Denied RODC Password Replication Group. An example
screenshot is shown in figure 2-3-1 with both groups highlighted to help illustrate.

2013 Riverbed Technology. All rights reserved.

Optimization in a Secure Windows Environment

September 2013

Figure 2-3-1: PRP groups

2.3.2 Depending on the type of PRP you wish to create, select either the Allowed or Denied group and right-click to open up
the group properties.
Then click Add and enter in the user(s) or computer(s) that you wish to exclude or include. When you have completed the list
click OK to complete the task.
See example screenshots in figure 2-3-2.

2013 Riverbed Technology. All rights reserved.

Optimization in a Secure Windows Environment

September 2013

Figure 2-3-2: Add user/computer to PRP

2.4 - Join the Server-side Steelhead appliance to Windows Domain

When joining a Steelhead appliance to the Windows Domain, several prerequisites need to be configured to ensure smooth
integration. The server-side Steelhead appliance must be able to successfully lookup its hostname in the DNS architecture.
Ensure proper DNS entries are created in the DNS server(s) (only an "A record" is required) and the proper DNS servers are
configured in the Steelhead appliance. The date and time of the server-side Steelhead appliance must be synchronized with the
Windows Domain Controller. This is best accomplished by configuring the Steelhead to use the same NTP server as all the other
servers in the domain. You must know the fully-qualified domain name. Table 2-3-1 is provided to collect this information for your
environment.

Setting

Value

Step conpleted

DNS entry for Steelhead appliance

DNS server IP address(es)
NTP server IPs added to Steelhead configuration
Steelhead appliance Computer object created in
Domain Controller
Fully-qualified Domain Name

Table 2-4-1: Steelhead appliance prerequisites

Once the prerequisites are completed, join the server-side Steelhead to the AD domain.
To complete this step you will need a Windows user account with rights to join a host to the AD domain. NOTE: This account has
nothing to do with the Replication User account set up in the previous sections. The credentials of the account used to join the
domain are not stored on any Steelhead appliance and are only used for the purposes of joining the Steelhead appliance to the
domain
2.4.1
2.4.2

On the server-side Steelhead(s) navigate to Configure > Networking > Windows Domain.
Enter the Active Directory Domain name, user id (of the user account with Join Domain

2013 Riverbed Technology. All rights reserved.

Optimization in a Secure Windows Environment

2.4.3
2.4.4
2.4.5

September 2013

privileges), password and optionally the DC name and Short Domain Name.
Select the Join Account Type as either Workstation, Active Directory Integrated Windows 2003, or Active
Directory Integrated Windows 2008. Whether you choose 2003 or 2008 mode depends on the domain functional
level. If you choose Workstation it will not be possible to perform NTLM pass-through authentication.
Next click the Join button at the bottom of the page and wait for feedback. If an error appears, take appropriate
action.
Once successfully joined you will see the statement In Domain Mode, status: In a domain in the top frame of the
page.

Figure 2-4-5 shows a successful domain join.

Figure 2-4-5: Example screenshot, Windows Domain page of Steelhead appliance GUI

2013 Riverbed Technology. All rights reserved.

Optimization in a Secure Windows Environment

September 2013

2.5 - Add the Replication User to the server-side Steelhead appliance

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------NOTE: More recent versions of RiOS include both a collection of command line and graphical tools to help automate these
remaining steps. Whether or not the tools are available on the Steelhead appliances you are configuring, the individual steps are
shown here.
To add the replication user to the server-side Steelhead you will need the AD domain name, replication user name, and password
for the replication user that has been created. This should have already been created as described in sections 2.1 and 2.2 above.
Assuming the user has been created, the following steps should then be performed.
2.5.1

On the server-side Steelhead(s) navigate to Configure > Optimization > Windows Domain Auth.

2.5.2

In the Kerberos Replication Users section, click the Add a New User tab. Enter the AD domain, User Domain,
replication user account name, and password.

Figure 2-5-2: Add New Replication User section on Windows Domain Auth page of Steelhead appliance GUI

2.5.3

Then click [Link] replication user name will be displayed.

Figure 2-5-3: Add New Delegate User section on Windows Domain Auth page of Steelhead appliance GUI

2.6

- Configure the Steelhead appliance to optimize Secure Windows traffic

Configuration steps for Signed SMB, Signed SMB2 and Signed SMB3
2.6.1
2.6.2
2.6.3

On the server-side Steelhead navigate to Configure > Optimization > CIFS (SMB1).
Under the SMB Signing section, check the Enable SMB Signing checkbox.
Next check the Enable Kerberos Authentication checkbox.

2013 Riverbed Technology. All rights reserved.

Optimization in a Secure Windows Environment

September 2013

Figure 2-6-3: Enable SMB Signing section on CIFS Optimization page of Steelhead appliance GUI

2.6.4
2.6.5
2.6.6
2.6.7

Click the Apply button.

No changes are required on the client-side Steelhead appliances.
On the server-side Steelhead appliance navigate to Configure > Optimization > SMB2.
Under the SMB2 Signing section, check the Enable SMB2 Signing checkbox. If your Steelhead appliance is running
RiOS v8.5 then this checkbox will be labeled Enable SMB2 and SMB3 Signing and, so long as SMB3 optimization
has been enabled, signed SMB3 will also be optimized.
2.6.8 Next check the Enable Kerberos Authentication checkbox.

Figure 2-6-8: Enable SMB2 Signing section on SMB2 Optimization page of Steelhead appliance GUI

2.6.9 Click the Apply button.

2.6.10 No changes are required on the client-side Steelhead appliances unless SMB3 optimization is required. If SMB3
optimization is required then repeat steps [Link] through to [Link] on the client-side Steelhead appliances.

Configuration steps for Encrypted MAPI

_______________________________________________________________________________________________________
NOTE: For encrypted MAPI support, all Steelhead appliances must be running RiOS v7.0.0 or later and must be configured with
the settings described here. The client-side Steelhead appliance does not need to join the Windows domain.
_______________________________________________________________________________________________________
2.6.11 On all Steelhead appliances navigate to Configure > Optimization > MAPI.

2013 Riverbed Technology. All rights reserved.

Optimization in a Secure Windows Environment

September 2013

Figure 2-6-11: MAPI Optimization page of Steelhead appliance GUI

2.6.12 Check the Enable Encrypted Optimization checkbox.

2.6.13 Check the Enable Kerberos Authentication Support checkbox.
2.6.14 Click the Apply button.
Configuration steps for HTTP
_______________________________________________________________________________________________________
NOTE: For Kerberos Authentication with HTTP, all Steelhead appliances must be running RiOS v7.0.0 or later but only the serverside Steelhead appliance needs to be configured with the settings described here.
_______________________________________________________________________________________________________
2.6.15 On the Steelhead appliance navigate to Configure > Optimization > HTTP

2013 Riverbed Technology. All rights reserved.

Optimization in a Secure Windows Environment

September 2013

Figure 2-6-15: HTTP Optimization page of Steelhead appliance GUI

2.6.16 Check the Enable Kerberos Authentication Support checkbox.

2.6.17 Click the Apply button.
Configuration steps for Secure Peering
2.6.18 Optionally you can also configure secure peering between the client-side and server-side Steelhead appliances.
Refer to Appendix A.4 of this document for outline guidance. For more details, reference the Steelhead Management
Console Users Guide section, Configure Secure Peers.

2.7 - Saving the configuration and restarting the Optimization Service

Finally, save the configuration and restart the optimization service. Do this by clicking Save and Restart in the GUI navigation
header. Or, proceed to the Configure > Configurations GUI page to save the configuration with a specific name and then restart
the optimization service.

The integration with the Windows domain is now complete.

Once deployed successfully, monitor performance and health of the Steelhead appliance(s) to ensure proper optimization is
occurring and full acceleration is being achieved for the appropriate clients and servers. Keep in mind AD and Windows
administrators may make changes without notifying the networking team so remain vigilant. Consider incorporating some of this
configuration information into a Change Control Process that enables both the Windows Server Administration team and the
Networking team to coordinate future updates and changes.
Appendix B in this document has some outline guidance for troubleshooting as well as pointers to other sources of help.

2013 Riverbed Technology. All rights reserved.

Optimization in a Secure Windows Environment

September 2013

Section 3 Configuring the server-side Steelhead with limited domain controller privileges
Overview of required configuration tasks for providing limited domain controller privileges
There are a number of tasks to be performed and parameters to be configured. They are listed here;
3.1 Join server-side Steelhead appliance to Windows Domain
3.2 Configure the Steelhead appliance to optimize Signed SMB and Encrypted MAPI
If you are planning to use the Domain Auth Easy Config widget, complete the following tasks first..
DNS and NTP configuration as outlined in Table 3-1
The Domain Auth Easy Config widget will complete tasks 3.1 and 3.2 with the exception of any client-side Steelhead appliance
configuration. Any configuration on the client-side Steelhead appliance(s), for example enabling encrypted MAPI, will need to be
done as a separate task.
------------------------------------------------------------------------------------------------------------------------------------------------------------------------NOTE: If you have already completed the configuration tasks in Section 2 (End to end Kerberos authentication) and, when
performing the join domain task, you joined as Active Directory integrated you do not need to complete any of the steps in this
section.
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------

3.1 - Join the Server-side Steelhead appliance to Windows Domain

When joining a Steelhead appliance to the Windows Domain, several prerequisites need to be configured to ensure smooth
integration. The server-side Steelhead appliance must be able to successfully lookup its hostname in the DNS architecture.
Ensure proper DNS entries are created in the DNS server(s) (only an "A record" is required) and the proper DNS servers are
configured in the Steelhead appliance. The date and time of the server-side Steelhead appliance must be synchronized with the
Windows Domain Controller. This is best accomplished by configuring the Steelhead to use the same NTP server as all the other
servers in the domain. You must know the fully-qualified domain name. Table 3-1 is provided to collect this information for your
environment.

Setting

Value

Step conpleted

DNS entry for Steelhead appliance

DNS server IP address(es)
NTP server IPs added to Steelhead configuration
Fully-qualified Domain Name
IP addresses or DNS names of Domain Controllers in
the domain the Steelhead will join
Domain functional level (2003, mixed or 2008)

Table 3-1: Steelhead appliance prerequisites

Once the prerequisites are completed, join the server-side Steelhead to the AD domain.
This task will require administrator level access (an account that is a member of the Domain Admins group, or a preconfigured
account with sufficient privileges) to a Windows Domain controller and admin level access to the Riverbed Steelhead appliance.
Therefore the appropriate personnel with the relevant access privileges will need to be on hand to perform the task. Administrator
credentials are not stored on any Steelhead appliance. While this task is all that is needed to meet the basic requirements, there
may be other steps to enable proper functionality with, for example; one-way trusts, organisational unit, password expiration, etc.
Information on these additional items is to be found in the appendices of this document.
For more details on what capabilities the server-side Steelhead has when joined in this role, please consult the section at the

2013 Riverbed Technology. All rights reserved.

Optimization in a Secure Windows Environment

September 2013

beginning of this guide entitled What configuration options are available and how do I choose?.

On the server-side Steelhead(s) navigate to Configure > Networking > Windows Domain.
Enter the Active Directory Domain name, user id [for the user account with Join Domain
Privileges] and its password.
3.1.3
Select the Join Account Type as either Active Directory Integrated Windows 2003, or Active Directory Integrated
Windows 2008. Whether you choose 2003 or 2008 mode depends on the domain functional level . Figure 3.1.3 below
shows an example screenshot.
3.1.1
3.1.2

Figure 3-1-3: Example screenshot, Windows Domain page of Steelhead appliance GUI

3.1.4

3.1.5
3.1.6

Enter the Domain Controller names or IP addresses of the nearest DCs. This ensures a quicker join especially in
high latency networks. For 2008 or greater, and mixed domain types, the DCs must be the 2008(-R2) instances in
the domain. When joining in 2008 mode it is strongly advised to provide one or more DCs in this field. If the
domain is a mix of 2003 and 2008, then the Domain Controllers specified must be the 2008 type and not 2003 type.
-------------------------------------------------------------------------------------------------------------------------------------------------------NOTE: Although, the Steelhead will probably perform a successful join without having the domain controllers
specified (a discovery is used), it is very strongly recommended that the correct details are entered in this field.
Failure to do so can lead to intermittent but persistent authentication failures, especially in large domain structures.
-------------------------------------------------------------------------------------------------------------------------------------------------------Next click the Join button at the bottom of the page and wait for feedback. If an error appears, take appropriate
action.
Once successfully joined you will see the statement In Domain Mode, status: In a domain in the top frame of the
page.

Figure 3-1-6 shows a successful domain join.

2013 Riverbed Technology. All rights reserved.

Optimization in a Secure Windows Environment

September 2013

Figure 3-1-6: Example screenshot, Windows Domain page of Steelhead appliance GUI

3.2 Configure the Steelhead appliance to optimize Secure Windows traffic

On the server-side Steelhead navigate to Configure > Optimization > CIFS (SMB1).
Under the SMB Signing section, check the Enable SMB Signing checkbox
Ensure the NTLM Transparent Mode option is selected

2013 Riverbed Technology. All rights reserved.

Optimization in a Secure Windows Environment

September 2013

Figure 3-2-3: Enable SMB Signing section on CIFS Optimization page of Steelhead appliance GUI

3.2.4
3.2.5
3.2.6
3.2.7
3.2.8

Click the Apply button.

No changes are required on the client-side Steelhead appliances.
On the server-side Steelhead appliance navigate to Configure > Optimization > SMB2
Under the SMB2 Signing section, check the Enable SMB2 Signing checkbox. If your Steelhead appliance is
running RiOS v8.5 then this checkbox will be labeled Enable SMB2 and SMB3 Signing and, so long as
SMB3 optimization has been enabled, signed SMB3 will also be optimized.
Ensure the NTLM Transparent Mode option is selected

Figure 3-2-8: Enable SMB2 Signing section on SMB2 Optimization page of Steelhead appliance GUI

3.2.9
3.2.10

Click the Apply button.

No changes are required on the client-side Steelhead appliances unless SMB3 optimization is required. If
SMB3 optimization is required then repeat steps 3.2.6 through to 3.2.9 on the client-side Steelhead
appliances..

Configuration steps for Encrypted MAPI

_______________________________________________________________________________________________________
NOTE: For encrypted MAPI support, all Steelhead appliances must be running RiOS v7.0.0 or later and must be configured with
the settings described here below. The client-side Steelhead appliance does not need to join the Windows domain.
_______________________________________________________________________________________________________
3.2.11

On all Steelhead appliances navigate to Configure > Optimization > MAPI.

Optimization in a Secure Windows Environment

September 2013

Figure 3-2-11: MAPI Optimization page of Steelhead appliance GUI

3.2.12
3.2.13

Check the Enable Encrypted Optimization checkbox.

Click the Apply button.

3.3 - Saving the configuration and restarting the Optimization Service

The integration with the Windows domain is now complete.

Optimization in a Secure Windows Environment

September 2013

Appendix A Additional information and guidance

A.1 - Useful commands
There are some additional configuration tasks that can be performed on the server-side Steelhead appliance for specific
requirements. In the majority of cases, the only way to perform these tasks is via the RiOS cli of the Steelhead appliance.
A.1.1 Have the Steelhead appliance join the Windows Domain in a different Organizational Unit
When the server-side Steelhead is joined to the Windows Domain, it will automatically be placed the Organizational Unit (OU)
called Computers. While this is standard behaviour for a Member Server when joining a Windows Domain, some Windows
administrators prefer the Steelhead appliance to be placed into a different OU.
There are at least two ways to achieve this. The first one is simply to use an appropriate Windows admin tool, wizard or
command, to move the server-side Steelhead appliance from the Computers OU to the desired OU. This can only be done after
the server-side Steelhead appliance has joined the Windows Domain.
Another way is to have the server-side Steelhead appliance to join the domain and get placed directly into the desired OU as part
of the join domain process. This can be achieved by using the RiOS command line to specify the required OU as part of the join
domain command. The syntax is as follows;

# domain join domain-name <domain> login <username> password <********> org-unit <OU>

Where <domain> is the domain name for the Steelhead to join, <username> is the user with joindomain privileges,
<********> is the users password and <OU> is the name of the Organisational Unit.
For example, the following command would have the Steelhead join the [Link] domain and be placed into the WAN-opt
Organisational Unit.
# domain join domain-name [Link] login Administrator password ****** org-unit WAN-opt

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------Note: Joining to a specific organizational unit when the server-side Steelhead is joined in Active Directory integrated mode is not
supported.
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------

A.1.2 - Support the Domain Controller request for password refresh on the Steelhead appliance Machine Account
Some Windows administrators require that Machine Accounts are refreshed at regular intervals, for example, every 30 days. By
default the Steelhead appliance doesnt have this setting enabled. To have the Steelhead appliance respond to the password
refresh request, execute the following command via the RiOS cli on the Steelhead appliance;
# domain settings pwd-refresh-int <number of days>

Where <number of days> is the interval in days between password refresh requests.
For example, the following command would be suitable for a 30-day refresh interval;
# domain settings pwd-refresh-int 30

Optimization in a Secure Windows Environment

September 2013

A.2 - Exchange clusters

A.2.1 - Single Exchange server
Before we look at what happens with Exchange clusters, its important to first understand in simple terms what happens in a basic
Exchange configuration when Steelheads are providing optimization.

Figure A.2-1 Basic Exchange server configuration

Referring to figure A.2-1 we can see the initial connection setup between the Outlook client and the Exchange server when there
are Steelhead appliances attempting to optimize the connection.
The five steps shown begin with the Outlook client sending a request to the Exchange server End Point Mapper (EPM) on wellknown port 135.
The second step is the EPM response back to the client with a dynamic port number to use for the MAPI session. This reply is
picked up by the C-SH (client-side Steelhead applaince). The C-SH remaps the dynamic port and responds to the client with port
7830. The client finishes the setup with the C-SH, the C-SH and S-SH (server-side Steelhead appliance) setup an optimized
connection between themselves and finally, the S-SH talks to the Exchange server using the dynamic port that was supplied in the
original EPM response.
This ensures the S-SH and C-SH can optimize the MAPI connection at the same time as maintaining transparency to the
Exchange server (by using the dynamic port assigned for the client).
Its the job of the Steelhead appliance to maintain a list that includes the IP addresses and dynamic ports for each client and
which Exchange servers are being used.
A.2.2 - Exchange cluster
With an Exchange cluster that comprises of multiple nodes the process is essentially the same as before except that the client
initially sends the EPM request to the Exchange server cluster name. The EPM response to the client is supplied by one of the
nodes in the cluster and includes the IP address of the node.

Optimization in a Secure Windows Environment

September 2013

Figure A.2-2 Exchange cluster

Because of this, the S-SH is able to establish the server-side connection with the correct Exchange server node in the cluster. The
same node in the cluster is used for the entire duration of the connection with the client. This Exchange node to client mapping is
just the same as would occur in an un-optimized configuration. Once again, the Steelhead is able to maintain a list of the relevant
MAPI connections between clients and server nodes.
For the server-side Steelhead appliance to correctly perform its optimization using the Delegate User account and the
exchangeMDB SPN, it needs to be able to contact each node specifically rather than using the cluster name.
This requires that each node in the Exchange cluster is associated with the exchangeMDB Service Principal Name. Over time, as
more capacity is required, more nodes are added to the cluster. But sometimes the configuration tasks may not be fully performed
leaving some nodes in a cluster without have this setting configured. As a result, this can lead to Outlook users with an optimized
connection occasionally being prompted for their account name and password when connecting to the Exchange cluster.
This is particularly relevant with Exchange clusters running Exchange 2003 and Exchange 2007.
Using the Windows command setspn L <node_name> on the Domain Controller [in the domain where the Exchange
server is located] will show a list of the SPNs for each node and whether exchangeMDB is included.
To add an SPN for a node of the Exchange cluster simply use the following command;
C:\> setspn A exchangeMDB/<node_name> <node_name>

Where <node_name> is the name of the node in the Exchange cluster. For example, in an Exchange cluster of three nodes called
exnode1, exnode2 and exnode3 the following commands are needed;
C:\> setspn A exchangeMDB/exnode1 exnode1
C:\> setspn A exchangeMDB/exnode2 exnode2
C:\> setspn A exchangeMDB/exnode3 exnode3

Be careful to ensure that these commands are executed with the correct syntax using the same node name for each part of the
command. Running the command incorrectly, for example setspn A exchangeMDB/exnode1 exnode3 will cause

Optimization in a Secure Windows Environment

September 2013

the optimization of encrypted MAPI to fail.

If you suspect this is the case, refer to this useful KnowledgeBase article on the Riverbed support site.
[Link] for further
guidance.
A.2.3 - Exchange Cluster with Load-balancer
In a configuration where the Exchange server is behind a Load Balancer, the process is very similar to a standard Exchange
cluster. The subtle difference is that the client, and therefore the server-side Steelhead appliance when there is an optimized
connection, is communicating to the Exchange cluster through the Load Balancer. In this situation, the EPM response to the client
contains the relevant server IP, but the client requests all begin with the same IP of the load balancer. Again, the Steelhead
appliance tracks the EPM response to ensure the address mapping is correct.
The key thing in this situation is to ensure that each connection request can be uniquely identified and as such requires either Port
or Full Transparency to be enabled for MAPI traffic, or, for MAPI port remapping to be disabled on the client side Steelhead
appliance(s) using the CLI command:
no protocol mapi port-remap enable

Figure A.2-3 Exchange cluster with Load Balancer

A.2.4 - Exchange 2010 architecture

Exchange 2010 takes the architecture of an Exchange server to a much more distributed design. Many of the functions that were
handled by the Exchange server as a whole in previous versions of MS Exchange are now split across different roles within the
Exchange 2010 Architecture. These roles may share the same physical hardware platform, but could also be distributed across
multiple platforms for resiliency and scalability.
There are many roles and a complete high-level view in the form of a poster can be downloaded from this location:
[Link]

Optimization in a Secure Windows Environment

September 2013

So the use of the name Exchange Server can now quite often mean a configuration that contains many separate components
often running on separate server instances. For the purposes of this overview explanation we are just going to look at two roles
within the Exchange Server, the Client Access Server Array and the Mailbox Server.
A.2.5 - Client Access Server Array
The Client Access Server (CAS) Array serves as a single point of contact for all client connections within an Active Directory
location. Although called an Array and usually configured as two or more servers for resiliency and scalability, it can comprise of
just a single server. The CAS Array does not provide load balancing itself, so a separate load balancing solution would be
needed. This is quite often taken care of by installing Microsoft Network Load Balancer (NLB) on the CAS Array but could be
provided by separate 3rd party load balancing products.
A.2.6 - Mailbox Server
The Mailbox server is simply the back-end server used for hosting Mailboxes and public folders. Any client requiring access to
email messages located on the Mailbox server connects to the CAS Array and it is the service in the CAS Array which
communicates with the Mailbox server.
A.2.7 - Basic architectures
As mentioned above, there are other functions in the Exchange 2010 architecture as well as the CAS Array and Mailbox server,
but the following diagrams are to help illustrate the basic combinations of these two roles as part of an Exchange server.

Figure A.2-4
CAS and Mailbox
sharing same hardware

Figure A.2-5
CAS and Mailbox
using separate hardware

Figure A.2-6
Multiple CAS and Mailbox servers as part
of one Exchange 2010 server configuration

A.2.8 - Client to CAS Array communication

When an Outlook client tries to establish a connection to an Exchange 2010 server the request needs to go to the CAS Array. In
the case that there are multiple servers in the Array, some form of load balancing is required.

Optimization in a Secure Windows Environment

September 2013

Figure A.2-7 Client EPM request to VIP of Exchange server CAS Array

For the purposes of illustration this example (shown in Figure A.2-7) makes use of Microsoft Network Load Balancer (NLB).
NLB software is installed on all members of the CAS Array and one Virtual IP (VIP) is presented for clients. Clients open a
connection to the VIP and send an EPM request which is responded to by one of the servers in the CAS Array.
Similarly, when Steelhead appliances are used to optimize MAPI traffic between the clients and Exchange server in this type of
configuration, the server-side Steelhead appliance is communicating with the VIP and needs to ensure it keeps track of each
individual EPM request per client and the CAS that responds. As described in section A.2.3 (Exchange Cluster with Load
Balancer) this is achieved by the server-side Steelhead appliance tracking the IP address in the EPM response. Failure to do so
can result in the Outlook client showing random and intermittent disconnection events with the Exchange server. Note that the
server-side Steelhead appliance is not communicating with the Mailbox server(s), just the CAS.

Figure A.2-8 Server-side Steelhead communication with VIP

Figure A.2-8 shows an example of an Exchange server with multiple CAS and Mailbox servers, with the Steelhead appliances
providing optimization. Support for optimized connections in this type of configuration is included with later versions of RiOS
starting with v6.1.4 and v6.5.1.
As previously mentioned, NLB is used as an example, but the principle is the same if other 3 rd party load-balancers are used.

Optimization in a Secure Windows Environment

September 2013

One final point on this type of deployment scenario. There is sometimes the question about optimizing traffic between the CAS
array and the Mailbox server. Normally these two components are network connected via LAN-latency rather than across a WAN
so the thought of optimizing the traffic using Steelhead appliances isnt a factor. However, even if the CAS array and Mailbox
server were separated by a WAN link, optimizing with Steelhead appliances is a configuration that is currently un-tested.

A.3 - Configurations for 1-way trust relationships

In some Windows domains there are only 1-way trusts between domains. This is usually due to a combination of security and
management requirements configured by the Windows administrator. In this situation it is useful to know that the RiOS
Delegation Mode is not supported. Instead, the server-side Steelhead appliance needs to be configured to use Transparent
Mode for signed SMB, signed SMB2, signed SMB3 and encrypted MAPI. Kerberos authentication is also supported.
Simply set the radio button on the relevant optimization page of the Steelhead appliance GUI to Transparent Mode.
See example screenshots (figure A.3-1 and A.3-2) below.

Figure A.3-1: Transparent Mode setting on SMB page of Steelhead appliance GUI

Optimization in a Secure Windows Environment

September 2013

Figure A.3-2: Transparent Mode setting on MAPI page of Steelhead appliance GUI

When Transparent Mode is used, the server-side Steelhead appliance still needs to join a Windows Domain that has the 1-way
trust to the Resource Domain where the server(s) are located. However, there is no need to create Delegate Users.
In addition to setting up Transparent Mode, the server-side Steelhead appliance needs to know the resource domain(s) that have
the 1-way trust where the server(s) are located.
This setting is performed via the cli using the following command;
# protocol domain-auth oneway-trust dns-name <FQDN> netbios-name <NetBIOS>

Where <FQDN> is the Fully Qualified Domain Name of the delegation domain and <NetBIOS> is the NetBIOS name of the
delegation domain.
The settings can be displayed using the command;
# show protocol domain-auth oneway-trust

The only other requirement for a server-side Steelhead appliance running a RiOS version prior to v7.0 is that any Windows7
clients will need to have LmCompatibility level set to 2 or lower (this is via a registry setting). Additional details can be found at this
location [Link]
For server-side Steelhead appliance(s) that are running RiOS v7.0 or later, the Steelhead appliance should join the Windows
domain using Active Directory Integrated Windows 2003 Mode or Windows 2008 Mode (depending on the domain functional
level). Although the resource domains with the one-way trusts still need to be added to the Steelhead appliance configuration,

Optimization in a Secure Windows Environment

September 2013

there is no need to make registry changes to Windows 7 clients.

A.4 Secure Peering

It is usually advisable to ensure the optimized traffic [for signed SMB and/or encrypted MAPI] between the peer Steelhead
appliances is sent via an encrypted connection. This can easily be achieved by configuring the Secure Peering feature on the
Steelhead appliances.
To enable this feature, navigate to Configure > Optimization > Secure Peering (SSL).
Toggle Traffic type to SSL and Secure Protocols leaving the Fallback to No Encryption setting enabled. This will ensure that
encrypted MAPI and/or signed SMB is always optimized even if there is no Secure Inner channel set up between the peer
Steelhead appliances.
This setting will need to be enabled on both the client-side Steelhead and the server-side Steelhead.

Figure A.4-1: Enabling Secure Peering

A.5 Specifying Domain Controllers during a join domain process

By default, when the server-side Steelhead appliance is joining a Windows Domain, it is not necessary to specify a domain
controller (DC). The Steelhead appliance will automatically discover DCs and then select one to request the join.
If the DCs are geographically dispersed and the Steelhead appliance chooses a DC that is some distance away, this may cause
delay in the communication between server-side Steelhead appliance and DC. But it is possible to force the Steelhead appliance
to select a specific DC to communicate with that is nearby. This is done by simply including the IP address or DNS name of the
DC in the Domain Controllers Name field of the Steelhead appliance GUI page for Windows Domain configuration.
NOTE: This is strongly advised when the Steelhead appliance is joining in Active Directory integrated mode. It is also strongly
advised to specify at least two DCs [where possible] in order to provide an alternative.

A.6 Joining the Steelhead appliance to the domain without using administrator privileges
In some cases, for security reasons, it is not possible to make use of an account with administrator privileges to enable the
Steelhead appliance to join the domain. Within a Windows Active Directory environment it is possible to perform the domain join
using a pre-created account. Full details and example screenshots are provided in the following knowledgebase article available
on the Riverbed support site.
[Link]

A.7 Domain Auth Auto Config Easy Config widget

As mentioned in several sections of this document, a lot of configuration can now be automated by using the Domain Auth Easy
Config widget. The Domain Auth Easy Config widget does not choose the relevant settings but, once chosen by the Steelhead
appliance administrator, the widget performs all the configuration tasks automatically. See the example screenshot below for an
indication of the settings available.

Optimization in a Secure Windows Environment

September 2013

Figure A.6-1: Domain Auth Easy Config widget

As can be seen in figure A.6-1 the Domain Auth Easy Config widget contains a number of fields. The first five are for Active
Directory tasks (joining the domain, configuring replication user account).The next four are check-boxes for configuring the secure
Windows settings on the Steelhead appliance. The last option is a drop-down to choose the desired domain join type.
Finally, below the button to actually tell the widget to perform the tasks, there is the status window and the feedback log which are
dynamically updated as the widget proceeds through its tasks.
A full explanation of the settings and capabilities of this feature can be found in the Riverbed Steelhead Management Console
Users Guide.

Optimization in a Secure Windows Environment

September 2013

Appendix B Troubleshooting
To confirm full acceleration of the signed SMB and encrypted MAPI applications use the Reports > Networking > Current
Connections report in the Steelhead appliance GUI.
Confirm the application flow is optimized by verifying the Established (Optimized) symbol ( ) is present in the Type column of
the report. If in the Notes column the triangular symbol is grey ( ) no error is present and full acceleration is applied to the CIFS
or MAPI session. This should be further confirmed by checking that the Application column is stating CIFS-SIGNED or MAPIENCRYPT, and there should be some degree of data reduction indicated in the Reduction column. See Figure B-2 below for an
example.
If there are authentication problems with signed SMB or encrypted MAPI traffic a Protocol Error icon ( ) is displayed in the far
right hand column of the report and full acceleration is not applied. See Figure B-1 below for an example.
Confirm full acceleration for CIFS with signed SMB and encrypted MAPI:
1.

On both Steelhead appliance(s) navigate to Reports > Networking > Current Connections.

In the regular expression filter, insert the test clients IP address and click Update Display.

To test CIFS with signed SMB on the test client, map a network drive on the test server. To test encrypted MAPI open
the Outlook client. It is helpful to move files or send emails during the testing to generate more connections.

While the application sessions are open go the Steelheads and update the Current Connections report. Confirm the
application flow type is optimized, verify it is the proper host pair, verify it is the proper application and verify the Protocol
Error icons color. If grey, it is fully accelerated. If red, a protocol error is present. If red, click the details icon ( ) for the
connection to see if more information is available. Figure B-1 shows an encrypted MAPI flow with a protocol error
indicating the Steelhead was unable to decrypt the conversation. Figure B-2 shows an encrypted MAPI flow that was
properly optimized. One other item which indicates the MAPI flow was properly optimized is the designation of MAPIENCRYPT in the Application column.

Figure B-1: Encrypted MAPI flows with protocol error

Figure B-2: Encrypted MAPI flows properly optimized

If a protocol error is present and more details are not available in the details view ( ) of the connection you will need
to look at the system logs for more information. Navigate to Reports > Diagnostics > System Logs. It is also worth
changing the logging level to INFO for a period of time, but remember to restore the level to NOTICE once you have
finished.

In the regular expression filter enter the test client IP address and click Go. You may also find it helpful to filter on
keywords like; smb, cifs, cifs-auth, domain, krb or mapi.

Optimization in a Secure Windows Environment

September 2013

Figure B-3: Steelhead System Logs Report

Be on the lookout for messages indicating authentication errors, servers or clients being blacklisted, etc. if there are
any errors that cause clients or servers to become blacklisted, this can be confirmed by using the following cli
commands.
# show protocol cifs smb signing blacklist
# show protocol smb2 signing blacklist
# show protocol mapi encrypted blacklist

These commands show the current entries on the blacklist for each of the three protocols. If you have SMB3 traffic
being optimized, protocol errors will be entered into the SMB2 blacklist. This is because the SMB2 optimization feature
in RiOS is also used to optimize SMB3 traffic. If the error causing the blacklist event is transient, the entry on the list will
clear automatically after time. If the error is more persistent, or you wish to manually clear the blacklist, please make
contact with Riverbed Support via the normal process to request help and guidance.
8.

Analyze the findings and take appropriate action. If assistance is required search the Knowledge Base at
([Link] and if you have a valid support contract, you could contact Riverbed Support (877-4837233 or [Link]

With RiOS v7.0 and later, there is a new feature known as Windows Domain Health Status. This feature comprises of several cli
commands which can be used to test and display various settings and configurations on the server-side Steelhead. An overview is
included in the latest version of the Riverbed Deployment Guide (Protocols edition) and full details of the commands and their
syntax are provided in the latest version of the Riverbed Steelhead appliance cli manual.
With RiOS v8.5 and later the Windows Domain Health Status command have been brought out into the Steelhead appliance
management console as a series of graphical tools.
An example screenshot of the Domain Health Check page is shown below.

Optimization in a Secure Windows Environment

September 2013

Figure B-4: Domain Health Check page in Steelhead appliance Management Console

For more details on the use of the tests, consult the latest version of the Riverbed Steelhead Management Console Users Guide.

Riverbed Technology, Inc.

199 Fremont Street
San Francisco, CA 94105
Tel: (415) 247-8800
[Link]

Riverbed Technology Ltd.

One Thames Valley
Wokingham Road, Level 2
Bracknell. RG42 1NG
United Kingdom
Tel: +44 1344 401900

Riverbed Technology Pte. Ltd.

391A Orchard Road #22-06/10
Ngee Ann City Tower A
Singapore 238873
Tel: +65 6508-7400

Riverbed Technology K.K.

Shiba-Koen Plaza Building 9F
3-6-9, Shiba, Minato-ku
Tokyo, Japan 105-0014
Tel: +81 3 5419 1990

RiverBird SteelHead
No ratings yet
RiverBird SteelHead
88 pages
SH MgmtConsoleGuide
No ratings yet
SH MgmtConsoleGuide
526 pages
Technical Brief - Riverbed SSL Proxy Certificate Support
No ratings yet
Technical Brief - Riverbed SSL Proxy Certificate Support
2 pages
Riverbed White Paper
No ratings yet
Riverbed White Paper
49 pages
Riverbed RS Technology Presentation
No ratings yet
Riverbed RS Technology Presentation
31 pages
SADM6.x Mod07 - SysMgtReporting v02
No ratings yet
SADM6.x Mod07 - SysMgtReporting v02
38 pages
FastFacts-Data Center Scale
No ratings yet
FastFacts-Data Center Scale
2 pages
SH CX 9.0.0
No ratings yet
SH CX 9.0.0
32 pages
Virtual Steelhead Installation Guide: Version1.0 (Rios V6.1.1) September 2010
No ratings yet
Virtual Steelhead Installation Guide: Version1.0 (Rios V6.1.1) September 2010
48 pages
Steelhead® Appliance Installation and Configuration Guide
No ratings yet
Steelhead® Appliance Installation and Configuration Guide
78 pages
Riverbed Deployment
No ratings yet
Riverbed Deployment
92 pages
SteelHead - Deployment Installation Gui08
No ratings yet
SteelHead - Deployment Installation Gui08
90 pages
Central Management Console Users Guide
No ratings yet
Central Management Console Users Guide
332 pages
Riverbed Virtual Steelhead Appliance Installation Guide
No ratings yet
Riverbed Virtual Steelhead Appliance Installation Guide
90 pages
Riverbed Steelhead Appliance RiOS Version: 5.5.4 (Build 105)
No ratings yet
Riverbed Steelhead Appliance RiOS Version: 5.5.4 (Build 105)
43 pages
SF Edge 6.0 Icg
No ratings yet
SF Edge 6.0 Icg
66 pages
Windows Azure WITH ADFS - Scenerios - Imp
No ratings yet
Windows Azure WITH ADFS - Scenerios - Imp
4 pages
Riverbed
No ratings yet
Riverbed
204 pages
Network-Based Backup and Data Replication With Riverbed: Solution Brief
No ratings yet
Network-Based Backup and Data Replication With Riverbed: Solution Brief
4 pages
Optimization of Citrix ICA With Steelhead Appliances
No ratings yet
Optimization of Citrix ICA With Steelhead Appliances
12 pages
To Use Riverbed Steelhead DX Edition Appliances: Top Ten Reasons
No ratings yet
To Use Riverbed Steelhead DX Edition Appliances: Top Ten Reasons
2 pages
Steelhead Mobile Controller Installation Guide
No ratings yet
Steelhead Mobile Controller Installation Guide
68 pages
Riverbed White Paper
No ratings yet
Riverbed White Paper
10 pages
Netprofiler-Netexpress-10-20-User Guide
No ratings yet
Netprofiler-Netexpress-10-20-User Guide
369 pages
Networks Firewall Solution Guide
No ratings yet
Networks Firewall Solution Guide
25 pages
STEELHEAD APPLIANCE RIOS VERSION: 7.0.5b
No ratings yet
STEELHEAD APPLIANCE RIOS VERSION: 7.0.5b
32 pages
Steelhead Deployment Planning Guide
No ratings yet
Steelhead Deployment Planning Guide
12 pages
FeatureBrief Riverbed RSP
No ratings yet
FeatureBrief Riverbed RSP
2 pages
Riverbed Setup
No ratings yet
Riverbed Setup
84 pages
Cloudbric: Affordable WAF Security Solution
No ratings yet
Cloudbric: Affordable WAF Security Solution
8 pages
Steelhead User Guide: Steelhead Gx10000 Steelhead CX (X70), (Xx70), (Xx55) April 2019
No ratings yet
Steelhead User Guide: Steelhead Gx10000 Steelhead CX (X70), (Xx70), (Xx55) April 2019
714 pages
SAP Single Sign-On with WebSEAL & Kerberos
No ratings yet
SAP Single Sign-On with WebSEAL & Kerberos
44 pages
Feature Brief - Riverbed Steelhead Enhanced QoS
No ratings yet
Feature Brief - Riverbed Steelhead Enhanced QoS
2 pages
Extreme Savings: Cutting Costs With Wide-Area Data Services: A Riverbed Technology White Paper
No ratings yet
Extreme Savings: Cutting Costs With Wide-Area Data Services: A Riverbed Technology White Paper
7 pages
Fast Facts - Disaster Recovery
No ratings yet
Fast Facts - Disaster Recovery
2 pages
Revit Brief - V3
100% (2)
Revit Brief - V3
2 pages
SH rackInstallGuide
No ratings yet
SH rackInstallGuide
26 pages
Riverbed Support S14534 - Optimizing Microsoft Remote Desktop Protocol &#x28 RDP&#x29 Connections
No ratings yet
Riverbed Support S14534 - Optimizing Microsoft Remote Desktop Protocol &#x28 RDP&#x29 Connections
6 pages
Secure Operating Systems Overview
No ratings yet
Secure Operating Systems Overview
6 pages
Optimizing Google Apps With Riverbed Steelhead Appliances-V1a
No ratings yet
Optimizing Google Apps With Riverbed Steelhead Appliances-V1a
29 pages
SolutionBrief Riverbed SAPNetWeaver PDF
No ratings yet
SolutionBrief Riverbed SAPNetWeaver PDF
2 pages
Solution Brief Riverbed Data Domain
No ratings yet
Solution Brief Riverbed Data Domain
2 pages
SSG-6593-EN - Deployer Guide - Senhasegura Installation
No ratings yet
SSG-6593-EN - Deployer Guide - Senhasegura Installation
13 pages
Windows & Linux OS Vulnerabilities
No ratings yet
Windows & Linux OS Vulnerabilities
69 pages
Riverbed Deployment Models Overview
No ratings yet
Riverbed Deployment Models Overview
61 pages
Riverbed Command-Line Interface Reference Manual
No ratings yet
Riverbed Command-Line Interface Reference Manual
592 pages
Windows Server 2016 Security Guide
No ratings yet
Windows Server 2016 Security Guide
35 pages
How To Configure Tacacs
No ratings yet
How To Configure Tacacs
12 pages
Chapter 4 - Operation System Security - 1
No ratings yet
Chapter 4 - Operation System Security - 1
46 pages
OS Unit 8 CASE STUDY
No ratings yet
OS Unit 8 CASE STUDY
3 pages
4670 Lecture2 Os
No ratings yet
4670 Lecture2 Os
38 pages
Security Monitoring in Wireless Sensor Networks
No ratings yet
Security Monitoring in Wireless Sensor Networks
39 pages
Issap Mindmap
No ratings yet
Issap Mindmap
1 page
CISSP Vocabulary
No ratings yet
CISSP Vocabulary
4 pages
BirthCertificate1 CP
No ratings yet
BirthCertificate1 CP
1 page
Summer Internship Report PGDHM
50% (6)
Summer Internship Report PGDHM
53 pages
Blue Prism User Guide - Installing v5.0
No ratings yet
Blue Prism User Guide - Installing v5.0
7 pages
SFI Spec 3.3 Driver Accessories 10-11-06
100% (1)
SFI Spec 3.3 Driver Accessories 10-11-06
13 pages
Health Management Information System Overview
No ratings yet
Health Management Information System Overview
21 pages
Tm1 Templates Mine
No ratings yet
Tm1 Templates Mine
60 pages
Final Candidate Shortlist for RADC Analyst
No ratings yet
Final Candidate Shortlist for RADC Analyst
5 pages
Network - Issues and Communication
No ratings yet
Network - Issues and Communication
25 pages
2k Url Go - Id Access
No ratings yet
2k Url Go - Id Access
42 pages
GLI-19 Interactive Gaming Systems - Operators
No ratings yet
GLI-19 Interactive Gaming Systems - Operators
63 pages
Engineering Design Final Report
No ratings yet
Engineering Design Final Report
93 pages
Computer Security Course Intro
No ratings yet
Computer Security Course Intro
30 pages
Brij - Enrolment Certificate317 - 437
No ratings yet
Brij - Enrolment Certificate317 - 437
2 pages
Form Lra 38 Application For The Removal of The Name of A Deceased Joint Proprietor From The Register
No ratings yet
Form Lra 38 Application For The Removal of The Name of A Deceased Joint Proprietor From The Register
3 pages
Understanding Arubaos Version 6 X 1St Edition David A Westcott Latest PDF 2025
No ratings yet
Understanding Arubaos Version 6 X 1St Edition David A Westcott Latest PDF 2025
146 pages
AUTOSAR FO PRS SecOcProtocol
No ratings yet
AUTOSAR FO PRS SecOcProtocol
29 pages
Dob Update Slip
No ratings yet
Dob Update Slip
1 page
Student Login Instructions
No ratings yet
Student Login Instructions
2 pages
Casa Grande Zoning Verification Form
No ratings yet
Casa Grande Zoning Verification Form
3 pages
Crypto Trading Secrets How To Earn Big in The Cryptocurrency Market
89% (9)
Crypto Trading Secrets How To Earn Big in The Cryptocurrency Market
25 pages
ISO 27001 Foundation Exam Sample PDF
No ratings yet
ISO 27001 Foundation Exam Sample PDF
30 pages
ACTS User Manual For Sthhhtudent - V - 0.3
No ratings yet
ACTS User Manual For Sthhhtudent - V - 0.3
50 pages
Excerpt From The "Problem of Authenticity, or External Criticism"
No ratings yet
Excerpt From The "Problem of Authenticity, or External Criticism"
13 pages
Ppromlistkidsbdsgsf
No ratings yet
Ppromlistkidsbdsgsf
37 pages
Online Voting System Project Overview
No ratings yet
Online Voting System Project Overview
20 pages
Kotak Re-KYC Form For Resident Individuals - .PDF - New
No ratings yet
Kotak Re-KYC Form For Resident Individuals - .PDF - New
2 pages